<p>Ruby master - Bug #7215 (Closed): Remaining messages on OpenSSL error queue after Certificate#verify<br>
<a href="https://redmine.ruby-lang.org/issues/7215" class="external">https://redmine.ruby-lang.org/issues/7215</a><br>
2012-10-25T23:52:22Z, larskanis1 (Lars Kanis) larskanis@googlemail.com</p>
<p>While investigating a ruby-pg issue [1], we noticed that an SSL connection with PostgreSQL can fail after a call to OpenSSL::X509::Certificate#verify with result 'false'. The root cause is the thread-local error queue of OpenSSL, which is used to transmit textual error messages to the application after a failed crypto operation. A failure in Certificate#verify leaves some messages on the error queue, which can lead to errors in the SSL communication of other parts of the application.</p>
<p>According to the comment on OpenSSL.errors [2], remaining messages on the error queue are probably due to a bug. So the queue should somehow be cleared. I currently see these variants:</p>
<ol>
<li>Return the OpenSSL error list in Certificate#verify instead of true/false - This will change the API in an incompatible way, so it will probably be no real option.</li>
<li>Drop the error list at the end of Certificate#verify - So there will be no way to get the particular error text. Maybe add another method in the way of 1.</li>
<li>Add a note in the documentation that suggests the user should call OpenSSL.errors after a failed call to Certificate#verify.</li>
</ol>
<p>A patch for the PostgreSQL side of the issue is already inserted into the patch list for the next commit fest [3].</p>
<p>[1] <a href="https://bitbucket.org/ged/ruby-pg/issue/142/async_exec-over-ssl-connection-can-fail-on" class="external">https://bitbucket.org/ged/ruby-pg/issue/142/async_exec-over-ssl-connection-can-fail-on</a><br>
[2] <a href="https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl.c#L349" class="external">https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl.c#L349</a><br>
[3] <a href="https://commitfest.postgresql.org/action/patch_view?id=961" class="external">https://commitfest.postgresql.org/action/patch_view?id=961</a></p>
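<p>The draining pattern that variant 3 relies on (call OpenSSL.errors after a failed Certificate#verify so nothing stale is left for the next SSL operation on the same thread), as an added Ruby example that is not code from the report or from ruby/openssl; the self-signed certificate, the two keys and the helper names are constructed for the demonstration:</p>

```ruby
require 'openssl'

# Constructed example: a self-signed certificate plus an unrelated key, so
# Certificate#verify can be exercised with both the matching and a wrong key.
def build_cert(key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=error-queue-demo')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Verify, then drain the thread-local OpenSSL error queue. OpenSSL.errors
# returns every queued message and clears the queue as a side effect, so a
# failed verification cannot poison a later SSL operation on this thread.
# Returns [verify_result, messages_drained_from_the_queue].
def verify_and_drain(cert, key)
  ok = cert.verify(key)
  leftover = OpenSSL.errors
  [ok, leftover]
end

# True when nothing is waiting on the calling thread's error queue.
def queue_empty?
  OpenSSL.errors.empty?
end

SIGNING_KEY = OpenSSL::PKey::RSA.new(2048)
WRONG_KEY   = OpenSSL::PKey::RSA.new(2048)
CERT        = build_cert(SIGNING_KEY)

if __FILE__ == $0
  ok, msgs = verify_and_drain(CERT, WRONG_KEY)
  puts "verify with wrong key: #{ok}; drained #{msgs.size} queued error(s)"
  puts "queue empty afterwards: #{queue_empty?}"
end
```

<p>On the affected versions the drained array is non-empty after the failed verify; on versions that clear the queue inside Certificate#verify it is empty, and the pattern is harmless either way.</p>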