  • !6896

[Backport to v9.18] TLS: clear error queue before doing IO or calling SSL_get_error()

Merged Artem Boldariev requested to merge artem-clear-ssl-error-queue-for-dns-transports-v9-18 into v9_18 Oct 12, 2022

Ensure that TLS error is empty before calling SSL_get_error() or doing SSL I/O so that the result will not get affected by prior error statuses.

In particular, the improper error handling led to intermittent unit test failure and, thus, could be responsible for some of the system test failures and other intermittent TLS-related issues.

See here for more details:

https://www.openssl.org/docs/man3.0/man3/SSL_get_error.html

In particular, it mentions the following:

The current thread's error queue must be empty before the TLS/SSL I/O operation is attempted, or SSL_get_error() will not work reliably.

As we use the result of SSL_get_error() to decide on I/O operations, we need to ensure that it works reliably by cleaning the error queue.

Backport of !6892 (merged).

Edited Oct 12, 2022 by Artem Boldariev
Source branch: artem-clear-ssl-error-queue-for-dns-transports-v9-18
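
The failure mode named in the description, as an added example: a simplified single-threaded model written for this page, not BIND or OpenSSL code. All names (m_read, m_get_error, read_cleared, the error values) are hypothetical; the one behaviour taken from the OpenSSL manual page is that the error classifier inspects the error queue when an I/O call returns a value <= 0.

```c
#include <stdio.h>

/* Result codes standing in for SSL_ERROR_NONE / _SSL / _WANT_READ. */
enum { M_ERROR_NONE, M_ERROR_SSL, M_ERROR_WANT_READ };

/* Model of the error queue (per-thread in OpenSSL; one thread here). */
#define QCAP 8
static unsigned long errq[QCAP];
static int errq_len;

static void m_err_push(unsigned long e) { if (errq_len < QCAP) errq[errq_len++] = e; }
static void m_err_clear(void) { errq_len = 0; } /* role of ERR_clear_error() */

/* Model connection: bytes waiting to be read, or a corrupted stream. */
struct m_conn { int pending; int corrupt; };

/* Model read: >0 on data, -1 otherwise; queues an error only on real failure. */
static int m_read(struct m_conn *c) {
    int n = c->pending;
    if (c->corrupt) { m_err_push(0x1001UL); return -1; }
    if (n == 0) return -1;            /* would block: nothing is queued */
    c->pending = 0;
    return n;
}

/* Like SSL_get_error(): for ret <= 0 a non-empty queue means a fatal error. */
static int m_get_error(int ret) {
    if (ret > 0) return M_ERROR_NONE;
    if (errq_len > 0) return M_ERROR_SSL;
    return M_ERROR_WANT_READ;
}

/* Unsafe: an entry left by an earlier operation is blamed on this read. */
static int read_unchecked(struct m_conn *c) { return m_get_error(m_read(c)); }

/* Pattern from the description: empty the queue, then do the I/O. */
static int read_cleared(struct m_conn *c) { m_err_clear(); return m_get_error(m_read(c)); }

int main(void) {
    struct m_conn idle = {0, 0}, bad = {0, 1};
    m_err_push(0x2002UL);             /* constructed stale error, unrelated to idle */
    printf("unchecked idle read: %d\n", read_unchecked(&idle));
    printf("cleared idle read:   %d\n", read_cleared(&idle));
    printf("cleared bad read:    %d\n", read_cleared(&bad));
    return 0;
}
```

In the model, the idle connection is reported as a fatal error only when the stale entry is left in the queue, while a genuinely corrupted stream is still reported as fatal after clearing.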