From: lars@... Date: 2018-05-19T05:27:49+00:00 Subject: [ruby-core:87188] [Ruby trunk Bug#7215] Remaining messages on OpenSSL error queue after Certificate#verify Issue #7215 has been updated by larskanis (Lars Kanis). Thanks for fixing this issue! It has been resolved on the PostgreSQL side as well: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=a3c17b2af89cd46b47df3483bb693312d7521795 ---------------------------------------- Bug #7215: Remaining messages on OpenSSL error queue after Certificate#verify https://bugs.ruby-lang.org/issues/7215#change-72179 * Author: larskanis1 (Lars Kanis) * Status: Closed * Priority: Normal * Assignee: openssl * Target version: * ruby -v: ruby 1.9.3p125 (2012-02-16 revision 34643) [x86_64-linux] * Backport: ---------------------------------------- While investigating a ruby-pg issue [1], we noticed that a SSL connection with PostgreSQL can fail, after a call to OpenSSL::X509::Certificate#verify with result 'false'. Root cause is the thread local error queue of OpenSSL, that is used to transmit textual error messages to the application after a failed crypto operation. A failure in Certificate#verify leaves some messages on the error queue, which can lead to errors in a SSL communication of other parts of the application. According to the comment on OpenSSL.errors [2], remaining messages on the error queue are probably due to a bug. So the queue should become somehow cleared. I currently see these variants: * Return the OpenSSL error list in Certificate#verify instead of true/false - This will change the API in an incompatible way, so it will probably be no real option. * Drop the error list at the end of Certificate#verify - So there will be no way to get the particular error text. Maybe add another method in the way as 1. * Add a note in the documentation that suggest the user should call OpenSSL.errors after a failed call to Certificate#verify. A patch for the postgresql side of the issue is already inserted into the patch list for the next commit fest [3]. [1] https://bitbucket.org/ged/ruby-pg/issue/142/async_exec-over-ssl-connection-can-fail-on [2] https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl.c#L349 [3] https://commitfest.postgresql.org/action/patch_view?id=961 -- https://bugs.ruby-lang.org/ Unsubscribe: