Attila Bukor has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/16631 )

Change subject: Fix order of clearing and printing openssl error
......................................................................

Fix order of clearing and printing openssl error

When verifying the certificate chain fails with an error other than self-signed certificate, we try to get the subject and issuer to print in the error message. Unfortunately X509NameToString(), the method doing the conversion, also checks that there are no leftover OpenSSL errors, so it fails immediately on call.

This commit changes the behavior to clear the errors *before* calling X509NameToString().

I ran into this problem while debugging test failures on a host where the OpenSSL was provided by CryptoComply SafeLogic:

  F1020 12:06:13.327023 25579 openssl_util.h:210] Check failed: ERR_peek_error() == 0 (67567722 vs. 0) Expected no pending OpenSSL errors on std::string kudu::security::X509NameToString(X509_NAME*) entry, but had:
  error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:102
  error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:786
  error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:218

Unfortunately, I couldn't reproduce it in other OpenSSL versions and distributions, so I can't add a regression test, at least for now.

Change-Id: I3f78bdedce7a976a6e8117bb8683032dd917c626
Reviewed-on: http://gerrit.cloudera.org:8080/16631
Reviewed-by: Alexey Serbin <[email protected]>
Tested-by: Kudu Jenkins
Reviewed-by: Grant Henke <[email protected]>
---
M src/kudu/security/tls_context.cc
1 file changed, 7 insertions(+), 3 deletions(-)

Approvals:
  Alexey Serbin: Looks good to me, approved
  Kudu Jenkins: Verified
  Grant Henke: Looks good to me, approved

--
To view, visit http://gerrit.cloudera.org:8080/16631
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I3f78bdedce7a976a6e8117bb8683032dd917c626
Gerrit-Change-Number: 16631
Gerrit-PatchSet: 6
Gerrit-Owner: Attila Bukor <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Attila Bukor <[email protected]>
Gerrit-Reviewer: Grant Henke <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
