Issue #7215 has been reported by larskanis1 (Lars Kanis). ---------------------------------------- Bug #7215: Remaining messages on OpenSSL error queue after Certificate#verify https://bugs.ruby-lang.org/issues/7215 Author: larskanis1 (Lars Kanis) Status: Open Priority: Normal Assignee: Category: ext Target version: ruby -v: ruby 1.9.3p125 (2012-02-16 revision 34643) [x86_64-linux] While investigating a ruby-pg issue [1], we noticed that a SSL connection with PostgreSQL can fail, after a call to OpenSSL::X509::Certificate#verify with result 'false'. Root cause is the thread local error queue of OpenSSL, that is used to transmit textual error messages to the application after a failed crypto operation. A failure in Certificate#verify leaves some messages on the error queue, which can lead to errors in a SSL communication of other parts of the application. According to the comment on OpenSSL.errors [2], remaining messages on the error queue are probably due to a bug. So the queue should become somehow cleared. I currently see these variants: * Return the OpenSSL error list in Certificate#verify instead of true/false - This will change the API in an incompatible way, so it will probably be no real option. * Drop the error list at the end of Certificate#verify - So there will be no way to get the particular error text. Maybe add another method in the way as 1. * Add a note in the documentation that suggest the user should call OpenSSL.errors after a failed call to Certificate#verify. A patch for the postgresql side of the issue is already inserted into the patch list for the next commit fest [3]. [1] https://bitbucket.org/ged/ruby-pg/issue/142/async_... [2] https://github.com/ruby/ruby/blob/trunk/ext/openss... [3] https://commitfest.postgresql.org/action/patch_view?id=961
on 2012-10-25 16:53
[ruby-trunk - Bug #7215][Assigned] Remaining messages on OpenSSL error queue after Certificate#verif
on 2012-10-25 17:10
Issue #7215 has been updated by MartinBosslet (Martin Bosslet). Status changed from Open to Assigned Assignee set to MartinBosslet (Martin Bosslet) ---------------------------------------- Bug #7215: Remaining messages on OpenSSL error queue after Certificate#verify https://bugs.ruby-lang.org/issues/7215#change-31576 Author: larskanis1 (Lars Kanis) Status: Assigned Priority: Normal Assignee: MartinBosslet (Martin Bosslet) Category: ext Target version: ruby -v: ruby 1.9.3p125 (2012-02-16 revision 34643) [x86_64-linux] While investigating a ruby-pg issue [1], we noticed that a SSL connection with PostgreSQL can fail, after a call to OpenSSL::X509::Certificate#verify with result 'false'. Root cause is the thread local error queue of OpenSSL, that is used to transmit textual error messages to the application after a failed crypto operation. A failure in Certificate#verify leaves some messages on the error queue, which can lead to errors in a SSL communication of other parts of the application. According to the comment on OpenSSL.errors [2], remaining messages on the error queue are probably due to a bug. So the queue should become somehow cleared. I currently see these variants: * Return the OpenSSL error list in Certificate#verify instead of true/false - This will change the API in an incompatible way, so it will probably be no real option. * Drop the error list at the end of Certificate#verify - So there will be no way to get the particular error text. Maybe add another method in the way as 1. * Add a note in the documentation that suggest the user should call OpenSSL.errors after a failed call to Certificate#verify. A patch for the postgresql side of the issue is already inserted into the patch list for the next commit fest [3]. [1] https://bitbucket.org/ged/ruby-pg/issue/142/async_... [2] https://github.com/ruby/ruby/blob/trunk/ext/openss... [3] https://commitfest.postgresql.org/action/patch_view?id=961
on 2013-01-15 20:11
Issue #7215 has been updated by deafbybeheading (Maciek Sakrejda). Hi, Any progress on this? Postgres has rejected the patch that was submitted on the grounds that this is an OpenSSL client issue and libpq has no business clearing the error queue. It seems like clearing the error queue but giving some side channel to access the errors from the last Certifivate#verify call would still make the errors available for interested clients, without forcing a byzantine API requiring a separate step to clear the error queue (something that would likely be missed by many clients). Thanks! ---------------------------------------- Bug #7215: Remaining messages on OpenSSL error queue after Certificate#verify https://bugs.ruby-lang.org/issues/7215#change-35436 Author: larskanis1 (Lars Kanis) Status: Assigned Priority: Normal Assignee: MartinBosslet (Martin Bosslet) Category: ext Target version: ruby -v: ruby 1.9.3p125 (2012-02-16 revision 34643) [x86_64-linux] While investigating a ruby-pg issue [1], we noticed that a SSL connection with PostgreSQL can fail, after a call to OpenSSL::X509::Certificate#verify with result 'false'. Root cause is the thread local error queue of OpenSSL, that is used to transmit textual error messages to the application after a failed crypto operation. A failure in Certificate#verify leaves some messages on the error queue, which can lead to errors in a SSL communication of other parts of the application. According to the comment on OpenSSL.errors [2], remaining messages on the error queue are probably due to a bug. So the queue should become somehow cleared. I currently see these variants: * Return the OpenSSL error list in Certificate#verify instead of true/false - This will change the API in an incompatible way, so it will probably be no real option. * Drop the error list at the end of Certificate#verify - So there will be no way to get the particular error text. Maybe add another method in the way as 1. * Add a note in the documentation that suggest the user should call OpenSSL.errors after a failed call to Certificate#verify. A patch for the postgresql side of the issue is already inserted into the patch list for the next commit fest [3]. [1] https://bitbucket.org/ged/ruby-pg/issue/142/async_... [2] https://github.com/ruby/ruby/blob/trunk/ext/openss... [3] https://commitfest.postgresql.org/action/patch_view?id=961
Enable email notification
Enable multi-page viewPlease log in before posting. Registration is free and takes only a minute.
Existing account
(Switch to SSL-encrypted connection)
NEW: Do you have a Google/GoogleMail or Yahoo account? No registration required!
Log in with Google account | Log in with Yahoo account
Log in with Google account | Log in with Yahoo account
No account? Register here.