From b0661ed680ecd557f510f8191e89ce436ddec933 Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Sat, 9 Aug 2025 02:49:18 +0200
Subject: [PATCH] save and restore openssl error queue in connect step 2
---
lib/vtls/openssl.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index c7efbe778e..041a67618e 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -4534,15 +4534,17 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf,
 DEBUGASSERT(octx);
 connssl->io_need = CURL_SSL_IO_NEED_NONE;
- ERR_clear_error();
 err = SSL_connect(octx->ssl);
 if(!octx->x509_store_setup) {
+ CURLcode result;
 /* After having send off the ClientHello, we prepare the x509 * store to verify the coming certificate from the server */
- CURLcode result = Curl_ssl_setup_x509_store(cf, data, octx->ssl_ctx);
+ ERR_set_mark();
+ result = Curl_ssl_setup_x509_store(cf, data, octx->ssl_ctx);
+ ERR_pop_to_mark();
 if(result) return result;
 octx->x509_store_setup = TRUE;
@@ -4552,8 +4554,11 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf,
 /* If key logging is enabled, wait for the handshake to complete and then * proceed with logging secrets (for TLS 1.2 or older). */
- if(Curl_tls_keylog_enabled() && !octx->keylog_done)
+ if(Curl_tls_keylog_enabled() && !octx->keylog_done) {
+ ERR_set_mark();
 ossl_log_tls12_secret(octx->ssl, &octx->keylog_done);
+ ERR_pop_to_mark();
+ }
 #endif /* 1 is fine
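Review bot: Removing `ERR_clear_error();` ahead of `err = SSL_connect(octx->ssl);` in the first hunk means the handshake now starts with whatever is already in this thread's OpenSSL error queue. OpenSSL documents that the queue must be empty before a TLS I/O call for `SSL_get_error()` to classify the result reliably, and the new `ERR_set_mark()`/`ERR_pop_to_mark()` pair only shields the x509 store setup that runs after `SSL_connect()`. Unless the queue is emptied elsewhere before this point (not visible in the hunk), a stale entry left by unrelated code could cause a would-block result to be reported as a handshake failure. I would keep `ERR_clear_error();` directly before the `SSL_connect()` call and add the mark/pop pairs on top of it. The body of `ossl_connect_step2` starts and ends outside this hunk, so how `err` is classified further down is inferred rather than seen.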