[nginx] SSL: clear error queue after SSL_CTX_load_verify_locatio...

Maxim Dounin mdounin at mdounin.ru
Wed Sep 4 17:37:07 UTC 2013


details:   http://hg.nginx.org/nginx/rev/6c35a1f428f2
branches:  
changeset: 5365:6c35a1f428f2
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Wed Sep 04 21:17:02 2013 +0400
description:
SSL: clear error queue after SSL_CTX_load_verify_locations().

The SSL_CTX_load_verify_locations() may leave errors in the error queue
while returning success (e.g. if there are duplicate certificates in the file
specified), resulting in "ignoring stale global SSL error" alerts later
at runtime.

diffstat:

 src/event/ngx_event_openssl.c |  14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

diffs (31 lines):

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -363,6 +363,13 @@ ngx_ssl_client_certificate(ngx_conf_t *c
         return NGX_ERROR;
     }
 
+    /*
+     * SSL_CTX_load_verify_locations() may leave errors in the error queue
+     * while returning success
+     */
+
+    ERR_clear_error();
+
     list = SSL_load_client_CA_file((char *) cert->data);
 
     if (list == NULL) {
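Review bot: the comment added before ERR_clear_error() in ngx_ssl_client_certificate() says errors may be left in the queue on success, but not when that happens or why it matters. The commit message has both: duplicate certificates in the file, and the resulting "ignoring stale global SSL error" alerts at runtime. Consider carrying the duplicate-certificate example into the comment so the call is not later removed as redundant. The placement before SSL_load_client_CA_file() looks right, since whatever the list == NULL branch reports is then not mixed with leftovers from the earlier load.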
@@ -407,6 +414,13 @@ ngx_ssl_trusted_certificate(ngx_conf_t *
         return NGX_ERROR;
     }
 
+    /*
+     * SSL_CTX_load_verify_locations() may leave errors in the error queue
+     * while returning success
+     */
+
+    ERR_clear_error();
+
     return NGX_OK;
 }
 
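Review bot: ERR_clear_error() just before return NGX_OK in ngx_ssl_trusted_certificate() drops the queued errors without logging them, so an operator never learns that the trusted certificate file contains entries OpenSSL complained about. Consider draining the queue into a low-severity message at configuration time instead of discarding it silently. The comment and call are also a verbatim copy of the ones added to ngx_ssl_client_certificate(); a small shared helper would keep the two sites in sync.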


