Hi all,

In the test suite for some C++ classes I'm writing, I deliberately invoke errors so I can test the error handling of my code. Doing this means that I have also turned up an error in the OpenSSL error handling.

The problem I was seeing was that I would invoke an error and then, in the next test, call SSL_CTX_use_certificate_chain_file, which would fail. Tracing this into the OpenSSL code, I found that the call to SSL_CTX_use_certificate expects that some global error state is zero before it is called. If it isn't zero, SSL_CTX_use_certificate_chain_file will report an error even though the read error occurred earlier and there was no valid reason for SSL_CTX_use_certificate_chain_file to fail.

I fixed this issue with the following patch. The patch is probably not the best way to fix this error, but it solved my immediate problem. If the OpenSSL devs can come up with a better fix I'll be happy to go with that.

Cheers,
Erik

diff -ru openssl-0.9.8e/ssl/ssl_rsa.c openssl-0.9.8e-hacked/ssl/ssl_rsa.c --- openssl-0.9.8e/ssl/ssl_rsa.c 2005-04-09 08:52:41.000000000 +1000 +++ openssl-0.9.8e-hacked/ssl/ssl_rsa.c 2007-03-19 09:03:15.000000000 +1100 @@ -728,6 +728,9 @@ goto end; } + /* Must clear error before calling SSL_CTX_use_certificate. */ + ERR_clear_error(); + ret=SSL_CTX_use_certificate(ctx,x); if (ERR_peek_error() != 0) ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */

--
+-----------------------------------------------------------+
Erik de Castro Lopo
+-----------------------------------------------------------+
"Men who use terrorism as a means to power, rule by terror once they are in power." -- Helen Macinnes

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
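Review bot: the unconditional ERR_clear_error() inserted before `ret=SSL_CTX_use_certificate(ctx,x);` discards every error the caller had queued, not only the stale one from the earlier read, so a caller that wants to inspect its own accumulated errors after a successful certificate load silently loses them. The real weakness visible in the hunk is the check `if (ERR_peek_error() != 0) ret = 0;`, which treats any entry in the error queue as a failure of SSL_CTX_use_certificate regardless of where it came from; a narrower fix would record the queue state (e.g. the value of ERR_peek_last_error()) before the call and demote ret only when a new entry appears afterwards, or at minimum the function's documentation should state that SSL_CTX_use_certificate_chain_file clears the error queue as a side effect. The comment "Must clear error before calling SSL_CTX_use_certificate." should also say why (the mismatch check that follows assumes an empty queue), otherwise the next maintainer has no reason not to remove it.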
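As an added illustration of the failure mode described in the post, the following is a constructed, self-contained model of a process-wide error queue (it is not OpenSSL code and not from the post; the model_* names, the stand-in for SSL_CTX_use_certificate and the sample error code are all invented here). It shows the check from the hunk misreporting a successful call because of a stale entry, beside a check that only counts errors raised by the call itself.

```c
#include <stdio.h>

/* Constructed model of a process-wide error queue in the style of OpenSSL's
 * ERR_* functions (not OpenSSL code): it shows how a stale entry from an
 * earlier, unrelated failure makes a later call look as though it failed. */
#define ERR_QUEUE_MAX 16
static unsigned long err_queue[ERR_QUEUE_MAX];
static int err_depth = 0;
static void model_err_put(unsigned long code) {
    if (err_depth < ERR_QUEUE_MAX) err_queue[err_depth++] = code;
}
/* Like ERR_peek_error(): oldest queued error, or 0 if the queue is empty. */
static unsigned long model_err_peek(void) { return err_depth ? err_queue[0] : 0; }
static void model_err_clear(void) { err_depth = 0; }

/* Stand-in for SSL_CTX_use_certificate(): succeeds and queues nothing. */
static int model_use_certificate(void) { return 1; }

/* Mirrors the check in the quoted hunk: any queued error after the call,
 * whatever its origin, turns a successful return into a failure. */
static int chain_file_checks_queue(void) {
    int ret = model_use_certificate();
    if (model_err_peek() != 0) ret = 0;
    return ret;
}

/* Only counts errors raised during the call itself: compare the queue
 * depth before and after instead of requiring the queue to be empty. */
static int chain_file_checks_delta(void) {
    int before = err_depth;
    int ret = model_use_certificate();
    if (err_depth != before) ret = 0;
    return ret;
}

/* Reproduces the report: an earlier deliberate failure leaves an entry
 * behind, and the next, unrelated operation is judged by it. */
static int reproduce_stale_error(int (*chain_fn)(void)) {
    model_err_clear();
    model_err_put(0xDEADBEEFUL);   /* constructed code from an earlier test */
    return chain_fn();             /* 0 = misreported failure, 1 = success */
}

int main(void) {
    printf("queue check: %d, delta check: %d\n",
           reproduce_stale_error(chain_file_checks_queue),
           reproduce_stale_error(chain_file_checks_delta));
    return 0;
}
```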