Project

General

Profile

Actions

Bug #7215

closed

Remaining messages on OpenSSL error queue after Certificate#verify

Added by larskanis1 (Lars Kanis) about 12 years ago. Updated over 6 years ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 1.9.3p125 (2012-02-16 revision 34643) [x86_64-linux]
Backport:
[ruby-core:48284]

Description

While investigating a ruby-pg issue [1], we noticed that a SSL connection with PostgreSQL can fail, after a call to OpenSSL::X509::Certificate#verify with result 'false'. Root cause is the thread local error queue of OpenSSL, that is used to transmit textual error messages to the application after a failed crypto operation. A failure in Certificate#verify leaves some messages on the error queue, which can lead to errors in a SSL communication of other parts of the application.

According to the comment on OpenSSL.errors [2], remaining messages on the error queue are probably due to a bug. So the queue should become somehow cleared. I currently see these variants:

  • Return the OpenSSL error list in Certificate#verify instead of true/false - This will change the API in an incompatible way, so it will probably be no real option.
  • Drop the error list at the end of Certificate#verify - So there will be no way to get the particular error text. Maybe add another method in the way as 1.
  • Add a note in the documentation that suggest the user should call OpenSSL.errors after a failed call to Certificate#verify.

A patch for the postgresql side of the issue is already inserted into the patch list for the next commit fest [3].

[1] https://bitbucket.org/ged/ruby-pg/issue/142/async_exec-over-ssl-connection-can-fail-on
[2] https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl.c#L349
[3] https://commitfest.postgresql.org/action/patch_view?id=961

Actions

Also available in: Atom PDF

Like0
Like0Like0Like0Like0Like0Like0Like0