From c927f013b17df637831eda48d200ccfdb4e0588a Mon Sep 17 00:00:00 2001
From: manuel
Date: Wed, 7 Dec 2016 14:23:12 +0100
Subject: [PATCH] openssl: Clear error queue after an incomplete SSL_shutdown
If the SSL_shutdown-call fails (e.g. because the underlaying socket has already been closed) OpenSSL puts the corresponding error into the queue. We don't care about details so we need to clear the queue. Otherwise the error will be pulled while error checking the next OpenSSL call of an unrelated connection.
---
 src/lib-ssl-iostream/iostream-openssl.c | 6 +++++-
 src/login-common/ssl-proxy-openssl.c | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
index e59bc545c7..df9af384df 100644
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
@@ -299,7 +299,11 @@ static void openssl_iostream_unref(struct ssl_iostream *ssl_io)
 static void openssl_iostream_destroy(struct ssl_iostream *ssl_io)
 {
- (void)SSL_shutdown(ssl_io->ssl);
+ if (SSL_shutdown(ssl_io->ssl) != 1) {
+ /* if bidirectional shutdown fails we need to clear
+ the error queue */
+ openssl_iostream_clear_errors();
+ }
 (void)openssl_iostream_more(ssl_io);
 (void)o_stream_flush(ssl_io->plain_output);
 /* close the plain i/o streams, because their fd may be closed soon,
diff --git a/src/login-common/ssl-proxy-openssl.c b/src/login-common/ssl-proxy-openssl.c
index 577053f308..6e529d7c24 100644
--- a/src/login-common/ssl-proxy-openssl.c
+++ b/src/login-common/ssl-proxy-openssl.c
@@ -813,7 +813,11 @@ void ssl_proxy_destroy(struct ssl_proxy *proxy)
 if (proxy->io_plain_write != NULL)
 io_remove(&proxy->io_plain_write);
- (void)SSL_shutdown(proxy->ssl);
+ if (SSL_shutdown(proxy->ssl) != 1) {
+ /* if bidirectional shutdown fails we need to clear
+ the error queue. */
+ openssl_iostream_clear_errors();
+ }
 net_disconnect(proxy->fd_ssl);
 net_disconnect(proxy->fd_plain);
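Review bot: The new comment in openssl_iostream_destroy() (iostream-openssl.c) says the queue is cleared when the bidirectional shutdown "fails", but the guard `SSL_shutdown(ssl_io->ssl) != 1` also matches a return of 0, which OpenSSL documents as "our close_notify was sent, the peer's has not been received yet" rather than as an error. This path calls SSL_shutdown() once and does not wait for the peer, so 0 is probably the usual result here and the comment should cover it, e.g. `/* 0 = shutdown not finished, <0 = error; either way leave nothing behind in the error queue */`. The same comment wording appears in the ssl_proxy_destroy() hunk in ssl-proxy-openssl.c. The body of openssl_iostream_destroy() continues past the end of the hunk.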
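Review bot: Clearing the queue only on this teardown path in ssl_proxy_destroy() (ssl-proxy-openssl.c) still leaves every later SSL_get_error() result dependent on no other OpenSSL caller in the process having left an entry behind. The OpenSSL documentation requires the current thread's error queue to be empty before the TLS I/O call whose result is passed to SSL_get_error(), otherwise a stale entry from one client can be reported against an unrelated connection, as the commit message describes. If the read, write and handshake call sites (not visible in this hunk) do not already do so, an `ERR_clear_error();` immediately before each of those calls would make the check independent of cleanup order. ssl_proxy_destroy() starts before and ends after the hunk.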