[openssl.org #1088] bug: SSL_load_client_CA_file always leaves errors in the error queue

Rich Salz via RT

After battling for a while why one could not configure more than one SSL
port in Squid when requesting client certificates it was found the culprit
is SSL_load_client_CA_file() which always leaves an error in the error
queue even if successful. This queued error then causes problems when
trying to load the certificate for the next SSL port etc.

OpenSSL versions tested:

   0.9.7f-6 (Fedora Core development)
   0.9.7a-35 (Fedora Core 2)
   0.9.6-19 (RedHat Linux 7.1)


Trivial test program showing the error:

#include <stdio.h>
#include <stdlib.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

int
main(int argc, char **argv)
{
    const char *ca;
    STACK_OF(X509_NAME) *cert_names;

    if (argc != 2) {
        fprintf(stderr, "usage: %s ca.pem\n", argv[0]);
        exit(1);
    }
    ca = argv[1];

    SSL_load_error_strings();
    SSL_library_init();

    /* Load the CA names that will be sent in the certificate request. */
    cert_names = SSL_load_client_CA_file(ca);
    if (!cert_names) {
        /* Genuine failure: the queue should describe why. */
        ERR_print_errors_fp(stderr);
        exit(1);
    }

    /* The call succeeded, so nothing should be printed between these
     * two lines. Anything that is printed is the stale queue entry. */
    printf("SSL_load_client_CA_file successful. Expecting empty error queue:\n");
    ERR_print_errors_fp(stderr);
    printf("-- END --\n");
    return 0;
}


Workaround:

Call ERR_clear_error() after a successful call to
SSL_load_client_CA_file().

Regards
Henrik

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]