ruby-core

Issue #7215 has been updated by Zachary Scott.

Assignee changed from Martin Bosslet to openssl

----------------------------------------
Bug #7215: Remaining messages on OpenSSL error queue after Certificate#verify
https://bugs.ruby-lang.org/issues/7215#change-54133

* Author: Lars Kanis
* Status: Assigned
* Priority: Normal
* Assignee: openssl
* ruby -v: ruby 1.9.3p125 (2012-02-16 revision 34643) [x86_64-linux]
* Backport: 
----------------------------------------
While investigating a ruby-pg issue [1], we noticed that a SSL connection with PostgreSQL can fail, after a call to OpenSSL::X509::Certificate#verify with result 'false'. Root cause is the thread local error queue of OpenSSL, that is used to transmit textual error messages to the application after a failed crypto operation. A failure in Certificate#verify leaves some messages on the error queue, which can lead to errors in a SSL communication of other parts of the application.

According to the comment on OpenSSL.errors [2], remaining messages on the error queue are probably due to a bug. So the queue should become somehow cleared. I currently see these variants:

* Return the OpenSSL error list in Certificate#verify instead of true/false - This will change the API in an incompatible way, so it will probably be no real option.
* Drop the error list at the end of Certificate#verify - So there will be no way to get the particular error text. Maybe add another method in the way as 1.
* Add a note in the documentation that suggest the user should call OpenSSL.errors after a failed call to Certificate#verify.

A patch for the postgresql side of the issue is already inserted into the patch list for the next commit fest [3].


[1] https://bitbucket.org/ged/ruby-pg/issue/142/async_exec-over-ssl-connection-can-fail-on
[2] https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl.c#L349
[3] https://commitfest.postgresql.org/action/patch_view?id=961




-- 
https://bugs.ruby-lang.org/