{"author":"Viktor Szakats","author_email":"commit@vsz.me","author_time":1754651254,"commit_time":1754676511,"committer":"Viktor Szakats","committer_email":"commit@vsz.me","hash":"8ec241bc990bc88c4f4f7275d81f9fb75b562a7a","message":"openssl: clear errors after a failed `d2i_X509()`\n\nWithout it, subsequent OpenSSL API calls may fail with an error caught\nwithin the OpenSSL `d2i_X509()` (decode) call.\n\nIt was seen to happen when importing from the Windows certificate store\n(e.g. with `--ca-native`), and any one of the certificates failed while\ndecoding, then skipped.\n\nBehind the scene (and undocumented), the failed decode call is adding\nan error to an internal OpenSSL error queue. This error is picked up\nlater, at the connect phase, by another OpenSSL API call, which happens\nto check the error queue, without clearing it first. It made the connect\nfail with the error collected earlier, while decoding the malformed and\ndiscarded certificate.\n\nFix by explicitly clearing the error queue if the decode call fails.\n\nRef: https://docs.openssl.org/3.5/man3/d2i_X509/\n\n`-vvvv` output before this patch:\n```\n[0-0] == Info: successfully imported Windows ROOT store\n[0-0] == Info: successfully imported Windows CA store\n[0-0] == Info: [SSL] SSL_connect() -> err=-1, detail=1\n[0-0] == Info: TLS connect error: error:068000DD:asn1 encoding routines::illegal padding\n[0-0] == Info: [SSL] cf_connect() -> 35, done=0\n```\n\nMainline OpenSSL (as of 3.5.2) and quictls (as of 3.3.0) are affected.\n\nLibreSSL is not affected. (I did not test BoringSSL and AWS-LC)\n\nAssisted-by: Stefan Eissing\nReported-by: Michał Petryka\nFixes #18190\n\nCloses #18228\n","parents":["b823966d66c9aec9000d7493cfaf5eb9224567cc"],"tree_hash":"81593f0c974d5e69b36501ac55e63e8b677f8e3d"}