BUG/MEDIUM: ssl: first outgoing connection would fail with {ca,crt}-ignore-err
When using ca_ignore_err/crt_ignore_err, a connection to an untrusted
server raises an error which is ignored. But the next SSL_read() that
encounters EAGAIN raises the error again, breaking the connection.
Subsequent connections don't have this problem because the session has
been stored and is correctly reused without performing a verify again.
The solution consists in correctly flushing the SSL error stack when
ignoring the crt/ca error.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 35c7bd9..8ee7eb7 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -127,8 +127,10 @@
conn->xprt_st |= SSL_SOCK_CAEDEPTH_TO_ST(depth);
}
- if (objt_listener(conn->target)->bind_conf->ca_ignerr & (1ULL << err))
+ if (objt_listener(conn->target)->bind_conf->ca_ignerr & (1ULL << err)) {
+ ERR_clear_error();
return 1;
+ }
conn->err_code = CO_ER_SSL_CA_FAIL;
return 0;
@@ -138,8 +140,10 @@
conn->xprt_st |= SSL_SOCK_CRTERROR_TO_ST(err);
/* check if certificate error needs to be ignored */
- if (objt_listener(conn->target)->bind_conf->crt_ignerr & (1ULL << err))
+ if (objt_listener(conn->target)->bind_conf->crt_ignerr & (1ULL << err)) {
+ ERR_clear_error();
return 1;
+ }
conn->err_code = CO_ER_SSL_CRT_FAIL;
return 0;