OpenSSL: fix spurious SSL connection aborts

Was seeing spurious SSL connection aborts using libcurl and
OpenSSL. I tracked it down to uncleared error state on the
OpenSSL error stack - patch attached deals with that.

Rough idea of problem:

Code that uses libcurl calls some library that uses OpenSSL but
don't clear the OpenSSL error stack after an error.

ssluse.c calls SSL_read which eventually gets an EWOULDBLOCK from
the OS. Returns -1 to indicate an error

ssluse.c calls SSL_get_error. First thing, SSL_get_error calls
ERR_get_error to check the OpenSSL error stack, finds an old
error and returns SSL_ERROR_SSL instead of SSL_ERROR_WANT_READ or
SSL_ERROR_WANT_WRITE.

ssluse.c returns an error and aborts the connection

Solution:

Clear the openssl error stack before calling SSL_* operation if
we're going to call SSL_get_error afterwards.

Notes:

This is much more likely to happen with multi because it's easier
to intersperse other calls to the OpenSSL library in the same
thread.

1 files changed, 2 insertions, 1 deletions

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 63860cd19..d95991984 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -37,6 +37,7 @@ This release includes the following bugfixes:
  o TFTP block id wrap
  o curl_multi_socket_action() timeout handles inaccuracy in timers better
  o SCP/SFTP failure to respect the timeout
+ o spurious SSL connection aborts with OpenSSL
 
 This release includes the following known bugs:
 
@@ -49,7 +50,7 @@ advice from friends like these:
  Kamil Dudka, Alex Bligh, Ben Greear, Hoi-Ho Chan, Howard Chu, Dirk Manske,
  Pavel Raiskup, John-Mark Bell, Eric Mertens, Tor Arntsen, Douglas Kilpatrick,
  Igor Novoseltsev, Jason McDonald, Dan Fandrich, Tanguy Fautre, Guenter Knauf,
- Julien Chaffraix, Kalle Vahlman, Frank Meier
+ Julien Chaffraix, Kalle Vahlman, Frank Meier, Constantine Sapuntzakis
 
 
         Thanks! (and sorry if I forgot to mention someone)