You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
44 lines
1.1 KiB
44 lines
1.1 KiB
From 821d3a9f513a63b06f1696352392996391807c16 Mon Sep 17 00:00:00 2001
|
|
From: Janusz Dziemidowicz <rraptorr@nails.eu.org>
|
|
Date: Wed, 8 Mar 2017 16:59:41 +0100
|
|
Subject: [PATCH 4/7] BUG/MEDIUM: ssl: Clear OpenSSL error stack after trying
|
|
to parse OCSP file
|
|
|
|
Invalid OCSP file (for example empty one that can be used to enable
|
|
OCSP response to be set dynamically later) causes errors that are
|
|
placed on OpenSSL error stack. Those errors are not cleared so
|
|
anything that checks this stack later will fail.
|
|
|
|
Following configuration:
|
|
bind :443 ssl crt crt1.pem crt crt2.pem
|
|
|
|
With following files:
|
|
crt1.pem
|
|
crt1.pem.ocsp - empty one
|
|
crt2.pem.rsa
|
|
crt2.pem.ecdsa
|
|
|
|
Will fail to load.
|
|
|
|
This patch should be backported to 1.7.
|
|
(cherry picked from commit 8d7104982e1c41f7dc4d75ae7f7d2bbb96052d40)
|
|
---
|
|
src/ssl_sock.c | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
|
|
index cc2dc12..daa584c 100644
|
|
--- a/src/ssl_sock.c
|
|
+++ b/src/ssl_sock.c
|
|
@@ -433,6 +433,8 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
|
|
|
|
ret = 0;
|
|
out:
|
|
+ ERR_clear_error();
|
|
+
|
|
if (bs)
|
|
OCSP_BASICRESP_free(bs);
|
|
|
|
--
|
|
2.10.2
|
|
|