> >>I just checked. Seems that SSL_CTX_use_certificate_chain_file has a same
> >>problem. Other uses of ERR_peek_error seem to be immune to the old entries
> >>in error stack.
> >
> >
> > One theory is that applications should not call arbitrary OpenSSL
> > functions while there is stuff in the error queue.
> >
> > A second theory is that OpenSSL should always clear the error queue by
> > calling ERR_clear_error() if stuff left in the error queue might cause
> > confusion later.
> How can it cause confusion (I think I missed something here)? You should
> only look at the error stack if you got an error, surely?

There are places (three if I remember correctly) in OpenSSL that look at
the error stack and when there is something decide that something went

When the ticket was opened I proposed that one should not use the contents
of the error stack for anything else other than reporting the error. If
you must differentiate between two types of errors that may happen in some
function, add an additional parameter to the function (of type int* for
example) that can carry out the special error condition from the function.

There are actually very few places inside OpenSSL where ERR_peek_error and
ERR_get_error are used, so the required changes are not big.


OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to