Mercurial > dovecot > core-2.2
changeset 21282:f1164511f6e5
openssl: Clear error queue after an incomplete SSL_shutdown
If the SSL_shutdown-call fails (e.g. because the underlaying socket has
already been closed) OpenSSL puts the corresponding error into the
queue. We don't care about details so we need to clear the queue.
Otherwise the error will be pulled while error checking the next OpenSSL
call of an unrelated connection.
author | manuel <manuel@mausz.at> |
---|---|
date | Wed, 07 Dec 2016 14:23:12 +0100 |
parents | 1ba00e3ae6cd |
children | 16869cca53ce |
files | src/lib-ssl-iostream/iostream-openssl.c src/login-common/ssl-proxy-openssl.c |
diffstat | 2 files changed, 10 insertions(+), 2 deletions(-) [+] |
line wrap: on
line diff
--- a/src/lib-ssl-iostream/iostream-openssl.c Fri Dec 09 15:06:05 2016 +0200 +++ b/src/lib-ssl-iostream/iostream-openssl.c Wed Dec 07 14:23:12 2016 +0100 @@ -299,7 +299,11 @@ static void openssl_iostream_destroy(struct ssl_iostream *ssl_io) { - (void)SSL_shutdown(ssl_io->ssl); + if (SSL_shutdown(ssl_io->ssl) != 1) { + /* if bidirectional shutdown fails we need to clear + the error queue */ + openssl_iostream_clear_errors(); + } (void)openssl_iostream_more(ssl_io); (void)o_stream_flush(ssl_io->plain_output); /* close the plain i/o streams, because their fd may be closed soon,
--- a/src/login-common/ssl-proxy-openssl.c Fri Dec 09 15:06:05 2016 +0200 +++ b/src/login-common/ssl-proxy-openssl.c Wed Dec 07 14:23:12 2016 +0100 @@ -813,7 +813,11 @@ if (proxy->io_plain_write != NULL) io_remove(&proxy->io_plain_write); - (void)SSL_shutdown(proxy->ssl); + if (SSL_shutdown(proxy->ssl) != 1) { + /* if bidirectional shutdown fails we need to clear + the error queue. */ + openssl_iostream_clear_errors(); + } net_disconnect(proxy->fd_ssl); net_disconnect(proxy->fd_plain);