From 9e0ccd7ea6b8748476057cd8f193271dca7343d7 Mon Sep 17 00:00:00 2001 From: manuel Date: Wed, 7 Dec 2016 14:23:12 +0100 Subject: [PATCH] openssl: Clear error queue after an incomplete SSL_shutdown If the SSL_shutdown-call fails (e.g. because the underlaying socket has already been closed) OpenSSL puts the corresponding error into the queue. We don't care about details so we need to clear the queue. Otherwise the error will be pulled while error checking the next OpenSSL call of an unrelated connection. --- src/lib-ssl-iostream/iostream-openssl.c | 6 +++++- src/login-common/ssl-proxy-openssl.c | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c index 1e8417dcda4..b22d746c678 100644 --- a/src/lib-ssl-iostream/iostream-openssl.c +++ b/src/lib-ssl-iostream/iostream-openssl.c @@ -299,7 +299,11 @@ static void openssl_iostream_unref(struct ssl_iostream *ssl_io) static void openssl_iostream_destroy(struct ssl_iostream *ssl_io) { - (void)SSL_shutdown(ssl_io->ssl); + if (SSL_shutdown(ssl_io->ssl) != 1) { + /* if bidirectional shutdown fails we need to clear + the error queue */ + openssl_iostream_clear_errors(); + } (void)openssl_iostream_more(ssl_io); (void)o_stream_flush(ssl_io->plain_output); /* close the plain i/o streams, because their fd may be closed soon, diff --git a/src/login-common/ssl-proxy-openssl.c b/src/login-common/ssl-proxy-openssl.c index a17ce662909..c6bbb78e2fe 100644 --- a/src/login-common/ssl-proxy-openssl.c +++ b/src/login-common/ssl-proxy-openssl.c @@ -716,7 +716,11 @@ void ssl_proxy_destroy(struct ssl_proxy *proxy) if (proxy->io_plain_write != NULL) io_remove(&proxy->io_plain_write); - (void)SSL_shutdown(proxy->ssl); + if (SSL_shutdown(proxy->ssl) != 1) { + /* if bidirectional shutdown fails we need to clear + the error queue. */ + openssl_iostream_clear_errors(); + } net_disconnect(proxy->fd_ssl); net_disconnect(proxy->fd_plain);