[nginx] SSL: clear error queue after SSL_CTX_load_verify_locatio...

Maxim Dounin
September 04, 2013 01:38PM
details: http://hg.nginx.org/nginx/rev/6c35a1f428f2
branches:
changeset: 5365:6c35a1f428f2
user: Maxim Dounin <mdounin@mdounin.ru>
date: Wed Sep 04 21:17:02 2013 +0400
description:
SSL: clear error queue after SSL_CTX_load_verify_locations().

The SSL_CTX_load_verify_locations() may leave errors in the error queue
while returning success (e.g. if there are duplicate certificates in the file
specified), resulting in "ignoring stale global SSL error" alerts later
at runtime.

diffstat:

src/event/ngx_event_openssl.c | 14 ++++++++++++++
1 files changed, 14 insertions(+), 0 deletions(-)

diffs (31 lines):

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -363,6 +363,13 @@ ngx_ssl_client_certificate(ngx_conf_t *c
return NGX_ERROR;
}

+ /*
+ * SSL_CTX_load_verify_locations() may leave errors in the error queue
+ * while returning success
+ */
+
+ ERR_clear_error();
+
list = SSL_load_client_CA_file((char *) cert->data);

if (list == NULL) {
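Review bot: The comment above `ERR_clear_error();` in ngx_ssl_client_certificate() says what can happen but not when, or why it matters. The commit description has both pieces: duplicate certificates in the file, and the later "ignoring stale global SSL error" alert. Put that one example into the comment so a reader of the source alone can see why the queue is cleared on a success path. The placement before `SSL_load_client_CA_file()` looks right, since a failure in that call will then report only its own queued errors in the `list == NULL` branch.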
@@ -407,6 +414,13 @@ ngx_ssl_trusted_certificate(ngx_conf_t *
return NGX_ERROR;
}

+ /*
+ * SSL_CTX_load_verify_locations() may leave errors in the error queue
+ * while returning success
+ */
+
+ ERR_clear_error();
+
return NGX_OK;
}
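Review bot: The `ERR_clear_error();` before `return NGX_OK;` in ngx_ssl_trusted_certificate() discards whatever is queued without recording it, so an operator never learns that the trusted certificate file has a problem such as the duplicate entries mentioned in the description. Consider logging the discarded entries at a low level before clearing. Also, this comment and call are a verbatim copy of the block added in ngx_ssl_client_certificate(); a small shared helper would keep the two call sites from drifting apart.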


_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel