@@ -630,6 +630,7 @@ private int pendingReadableBytesInSSL()
630630 // NOTE: Calling a fake read is necessary before calling pendingReadableBytesInSSL because
631631 // SSL_pending will return 0 if OpenSSL has not started the current TLS record
632632 // See https://www.openssl.org/docs/manmaster/ssl/SSL_pending.html
633+ clearLastError ();
633634 int lastPrimingReadResult = SSL .readFromSSL (ssl , EMPTY_ADDR , 0 ); // priming read
634635 // check if SSL_read returned <= 0. In this case we need to check the error and see if it was something
635636 // fatal.
@@ -884,6 +885,7 @@ private void beginHandshakeImplicitly() throws SSLException {
884885
885886 private void handshake () throws SSLException {
886887 currentHandshake = SSL .getHandshakeCount (ssl );
888+ clearLastError ();
887889 int code = SSL .doHandshake (ssl );
888890 if (code <= 0 ) {
889891 checkLastError ();
@@ -902,6 +904,7 @@ private void handshake() throws SSLException {
902904 }
903905
904906 private synchronized void renegotiate () throws SSLException {
907+ clearLastError ();
905908 int code = SSL .renegotiate (ssl );
906909 if (code <= 0 ) {
907910 checkLastError ();
@@ -932,6 +935,20 @@ private void checkLastError() throws SSLException {
932935 }
933936 }
934937
938+
939+ /*
940+ * Many calls to SSL methods do not check the last error. Those that do
941+ * check the last error need to ensure that any previously ignored error is
942+ * cleared prior to the method call else errors may be falsely reported.
943+ *
944+ * TODO: Check last error after every call to an SSL method and respond
945+ * appropriately.
946+ */
947+ private void clearLastError () {
948+ SSL .getLastErrorNumber ();
949+ }
950+
951+
935952 private static long memoryAddress (ByteBuffer buf ) {
936953 return Buffer .address (buf );
937954 }
0 commit comments