Skip Menu |

This queue is for tickets about the Net-SSLeay CPAN distribution.

Report information
The Basics
Id: 123980
Status: resolved
Priority: 0/
Queue: Net-SSLeay
People
Owner: MIKEM [...] cpan.org
Requestors: Steffen_Ullrich [...] genua.de
Cc:
AdminCc:
Bug Information
Severity: (no value)
Broken in:
  • 1.59
  • 1.60
  • 1.61
  • 1.62
  • 1.63
  • 1.64
  • 1.65
  • 1.66
  • 1.67
  • 1.68
  • 1.69
  • 1.70
  • 1.71
  • 1.72
  • 1.73
  • 1.74
  • 1.75
  • 1.76
  • 1.77
  • 1.78
  • 1.79
  • 1.80
  • 1.81
  • 1.82
Fixed in: 1.83

History Show all quoted text
  Sun Dec 31 11:44:18 2017 Steffen_Ullrich [...] genua.de - Ticket created
Subject: clear error inside SSL_OCSP_response_verify before reattempting OCSP_basic_verify
OCSP_basic_verify adds an error to the error queue if it fails. If the first OCSP_basic_verify fails inside SSL_OCSP_response_verify but the second attempt (with the intermediate certificate) succeeds SSL_OCSP_response_verify will return success but the error from the first OCSP_basic_verify is still in the OpenSSL error queue which causes the next call to fail. In case of LWP accessing a site supporting OCSP stapling this next failing call will be the syswrite of the HTTP request, which makes the request fail. The fix is simple: just clear the error queue. Fix attached.
Subject: SSLeay.diff
Index: SSLeay.xs =================================================================== --- SSLeay.xs (revision 512) +++ SSLeay.xs (working copy) @@ -6693,6 +6693,7 @@ * So find this CA ourself and retry verification. */ X509 *issuer; X509 *last = sk_X509_value(chain,sk_X509_num(chain)-1); + ERR_clear_error(); /* clear error from last OCSP_basic_verify */ if (last && (issuer = find_issuer(last,store,chain))) { OCSP_basic_add1_cert(bsr, issuer); TRACE(1,"run OCSP_basic_verify with issuer for last chain element");
  Wed Jan 03 16:47:44 2018 mikem [...] airspayce.com - Correspondence added
Subject: Re: [rt.cpan.org #123980] clear error inside SSL_OCSP_response_verify before reattempting OCSP_basic_verify
Date: Thu, 04 Jan 2018 07:47:22 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] airspayce.com>
Thanks Stefan, Your patch is now in SVN 513. Cheers. On Monday, 1 January 2018 02:44:20 AEST you wrote: Show quoted text
> Sun Dec 31 11:44:18 2017: Request 123980 was acted upon. > Transaction: Ticket created by SULLR > Queue: Net-SSLeay > Subject: clear error inside SSL_OCSP_response_verify before > reattempting OCSP_basic_verify > Broken in: 1.59, 1.60, 1.61, 1.62, 1.63, 1.64, 1.65, 1.66, 1.67, 1.68, > 1.69, 1.70, 1.71, 1.72, 1.73, 1.74, 1.75, 1.76, 1.77, 1.78, 1.79, 1.80, > 1.81, 1.82 Severity: (no value) > Owner: Nobody > Requestors: Steffen_Ullrich@genua.de > Status: new > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=123980 > > > > OCSP_basic_verify adds an error to the error queue if it fails. If the first > OCSP_basic_verify fails inside SSL_OCSP_response_verify but the second > attempt (with the intermediate certificate) succeeds > SSL_OCSP_response_verify will return success but the error from the first > OCSP_basic_verify is still in the OpenSSL error queue which causes the next > call to fail. > > In case of LWP accessing a site supporting OCSP stapling this next failing > call will be the syswrite of the HTTP request, which makes the request > fail. The fix is simple: just clear the error queue. Fix attached.
-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474
  Wed Jan 03 16:47:45 2018 The RT System itself - Status changed from 'new' to 'open'
  Sun Jul 08 20:41:44 2018 chrisn [...] cpan.org - Status changed from 'open' to 'resolved'
  Sun Jul 08 20:41:44 2018 chrisn [...] cpan.org - Given to MIKEM
  Sun Jul 08 20:41:45 2018 chrisn [...] cpan.org - Fixed in 1.83 added