Issue #7215 has been reported by larskanis1 (Lars Kanis).

----------------------------------------
Bug #7215: Remaining messages on OpenSSL error queue after Certificate#verify
https://bugs.ruby-lang.org/issues/7215

Author: larskanis1 (Lars Kanis)
Status: Open
Priority: Normal
Assignee: 
Category: ext
Target version: 
ruby -v: ruby 1.9.3p125 (2012-02-16 revision 34643) [x86_64-linux]


While investigating a ruby-pg issue [1], we noticed that a SSL connection with PostgreSQL can fail, after a call to OpenSSL::X509::Certificate#verify with result 'false'. Root cause is the thread local error queue of OpenSSL, that is used to transmit textual error messages to the application after a failed crypto operation. A failure in Certificate#verify leaves some messages on the error queue, which can lead to errors in a SSL communication of other parts of the application.

According to the comment on OpenSSL.errors [2], remaining messages on the error queue are probably due to a bug. So the queue should become somehow cleared. I currently see these variants:

* Return the OpenSSL error list in Certificate#verify instead of true/false - This will change the API in an incompatible way, so it will probably be no real option.
* Drop the error list at the end of Certificate#verify - So there will be no way to get the particular error text. Maybe add another method in the way as 1.
* Add a note in the documentation that suggest the user should call OpenSSL.errors after a failed call to Certificate#verify.

A patch for the postgresql side of the issue is already inserted into the patch list for the next commit fest [3].


[1] https://bitbucket.org/ged/ruby-pg/issue/142/async_exec-over-ssl-connection-can-fail-on
[2] https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl.c#L349
[3] https://commitfest.postgresql.org/action/patch_view?id=961



-- 
http://bugs.ruby-lang.org/