An invalid OCSP file (for example an empty one, which can be used to
enable the OCSP response to be set dynamically later) causes errors
that are placed on the OpenSSL error stack. Those errors are not
cleared, so anything that checks this stack later will fail.

The following configuration:

    bind :443 ssl crt crt1.pem crt crt2.pem

with the following files:

    crt1.pem
    crt1.pem.ocsp  - an empty one
    crt2.pem.rsa
    crt2.pem.ecdsa

will fail to load.
---
src/ssl_sock.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 91a15af7..f947c996 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -478,6 +478,8 @@ static int ssl_sock_load_ocsp_response(struct chunk
*ocsp_response, struct certi
ret = 0;
out:
+ ERR_clear_error();
+
if (bs)
OCSP_BASICRESP_free(bs);
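Review bot: placing ERR_clear_error() unconditionally at the `out:` label empties the whole thread-local OpenSSL error queue on every exit from ssl_sock_load_ocsp_response(), on the success path (`ret = 0`) as well as on every failure path, and it also discards entries that were pushed before this function was entered. If any caller reports the failure reason with ERR_get_error() or ERR_error_string() after a non-zero return, that diagnostic is lost; consider clearing the queue only after the error has been reported, or only on the path where an empty or otherwise unusable OCSP file is deliberately tolerated. Whichever placement is kept, a one-line comment above the call (for example `/* an invalid/empty OCSP file is not fatal: do not leave errors on the queue for later callers */`) would make the intent visible to the next reader, since nothing in the hunk itself says why the queue is being cleared.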
--
2.11.0