[openssl.org #1234] Failing to load zlib.so results in other errors later.
Since the upgrade from 0.9.7g to 0.9.8a on Debian, we're getting
a lot of bug reports about applications that give an error that
they can't load zlib.so.
When calling SSL_library_init(), it will try to load zlib.so,
which doesn't have to exist. It should try to open zlib.so.1
instead because that's the soname. The .so symlink is only
present in the development package since it should only be needed
So at this point it will call ERR_PUT_error(). It then goes on
without indicating that there is an error, and sets the method to
zlib_stateful_method. I don't think this will be a problem in
itself, since the stubs in that case will return Z_MEM_ERROR.
But then later, when for instance
SSL_CTX_use_certificate_chain_file() is called, it calls
ERR_peek_last_error(). At that point it gets back the error that
it failed to open the zlib.so, and fails saying it couldn't open
the certificate file, while there really wasn't an error in the
So this looks like an error that doesn't get cleared, and I have
to wonder who should clear it. I don't think COMP_zlib() should
return that it was actually successful in opening the library,
so it should at least return zlib_method_nozlib in case it's
failing. And I think it would be best if it cleared the error at
that time too.
I've attached a patch which I think should solve it.
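
The failure mode described in this report, reduced to a self-contained C model. This is an added example, not OpenSSL code and not the attached patch; the toy queue and the functions `library_init`, `use_chain_file` and `scenario` are hypothetical stand-ins for the error stack, SSL_library_init() and SSL_CTX_use_certificate_chain_file().

```c
#include <stdio.h>

/* Toy per-thread error queue, standing in for the library's error stack. */
#define QMAX 8
static const char *errq[QMAX];
static int errn = 0;

static void put_error(const char *msg) { if (errn < QMAX) errq[errn++] = msg; }
static const char *peek_last_error(void) { return errn ? errq[errn - 1] : NULL; }
static void clear_error(void) { errn = 0; }

/* Hypothetical init step: the optional library is missing, an error is
 * queued, but the caller is not told that anything went wrong. */
static void library_init(int clear_on_failure)
{
    int loaded = 0;                 /* constructed: opening the .so failed */
    if (!loaded) {
        put_error("could not load optional compression library");
        if (clear_on_failure)
            clear_error();          /* clearing where the error was raised */
    }
}

/* Hypothetical later call: its own work succeeds, but it decides its
 * result by peeking at the queue, so a stale entry becomes a failure. */
static int use_chain_file(void)
{
    int own_work_ok = 1;            /* constructed: the file parsed fine */
    if (!own_work_ok)
        put_error("bad certificate file");
    return peek_last_error() == NULL;   /* 1 = success, 0 = failure */
}

/* Run init, then the later call; returns the later call's result. */
static int scenario(int clear_on_failure, int caller_clears)
{
    clear_error();
    library_init(clear_on_failure);
    if (caller_clears)
        clear_error();              /* assumption: defensive clear by the app */
    return use_chain_file();
}

int main(void)
{
    printf("stale error left:  %d\n", scenario(0, 0));
    printf("cleared at source: %d\n", scenario(1, 0));
    printf("cleared by caller: %d\n", scenario(0, 1));
    return 0;
}
```
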
Re: [openssl.org #1234] Failing to load zlib.so results in other errors later.
On Tue, Nov 01, 2005 at 10:18:42AM +0100, Kurt Roeckx via RT wrote:
> So this looks like an error that doesn't get cleared, and I have
> to wonder who should clear it. I don't think COMP_zlib() should
> return that it was actually successful in opening the library,
> so it should at least return zlib_method_nozlib in case it's
> failing. And I think it would be best if it cleared the error at
> that time too.
After thinking about this some more, I think the proper place to
clear the error would be SSL_COMP_add_compression_method(). From
what I understand, you're always supposed to call that after
The openssl source always seems to check the method->type to be
!= NID_undef, but I don't think applications should do that, and
SSL_COMP_add_compression_method checks it too.
Anyway, I'm not really sure where the proper way to clear that