From: s6numid@... Date: 2014-07-17T09:16:47+00:00 Subject: [ruby-core:63796] [ruby-trunk - Bug #7215] Remaining messages on OpenSSL error queue after Certificate#verify Issue #7215 has been updated by Vladimir Krylov. Any changes here? Can confirm that problem persists in newer versions of ruby (i.e. 2.1.0p0 (2013-12-25 revision 44422) [x86_64-linux] and 2.1.2p95 (2014-05-08 revision 45877) [x86_64-linux]). ---------------------------------------- Bug #7215: Remaining messages on OpenSSL error queue after Certificate#verify https://bugs.ruby-lang.org/issues/7215#change-47828 * Author: Lars Kanis * Status: Assigned * Priority: Normal * Assignee: Martin Bosslet * Category: ext * Target version: * ruby -v: ruby 1.9.3p125 (2012-02-16 revision 34643) [x86_64-linux] * Backport: ---------------------------------------- While investigating a ruby-pg issue [1], we noticed that a SSL connection with PostgreSQL can fail, after a call to OpenSSL::X509::Certificate#verify with result 'false'. Root cause is the thread local error queue of OpenSSL, that is used to transmit textual error messages to the application after a failed crypto operation. A failure in Certificate#verify leaves some messages on the error queue, which can lead to errors in a SSL communication of other parts of the application. According to the comment on OpenSSL.errors [2], remaining messages on the error queue are probably due to a bug. So the queue should become somehow cleared. I currently see these variants: * Return the OpenSSL error list in Certificate#verify instead of true/false - This will change the API in an incompatible way, so it will probably be no real option. * Drop the error list at the end of Certificate#verify - So there will be no way to get the particular error text. Maybe add another method in the way as 1. * Add a note in the documentation that suggest the user should call OpenSSL.errors after a failed call to Certificate#verify. A patch for the postgresql side of the issue is already inserted into the patch list for the next commit fest [3]. [1] https://bitbucket.org/ged/ruby-pg/issue/142/async_exec-over-ssl-connection-can-fail-on [2] https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl.c#L349 [3] https://commitfest.postgresql.org/action/patch_view?id=961 -- https://bugs.ruby-lang.org/