curl/lib/vtls
Viktor Szakats 8ec241bc99
openssl: clear errors after a failed d2i_X509()
Without it, subsequent OpenSSL API calls may fail with an error caught
within the OpenSSL `d2i_X509()` (decode) call.

It was seen to happen when importing from the Windows certificate store
(e.g. with `--ca-native`), and any one of the certificates failed while
decoding, then skipped.

Behind the scenes (and undocumented), the failed decode call is adding
an error to an internal OpenSSL error queue. This error is picked up
later, at the connect phase, by another OpenSSL API call, which happens
to check the error queue, without clearing it first. It made the connect
fail with the error collected earlier, while decoding the malformed and
discarded certificate.

Fix by explicitly clearing the error queue if the decode call fails.

Ref: https://docs.openssl.org/3.5/man3/d2i_X509/

`-vvvv` output before this patch:
```
[0-0] == Info: successfully imported Windows ROOT store
[0-0] == Info: successfully imported Windows CA store
[0-0] == Info: [SSL] SSL_connect() -> err=-1, detail=1
[0-0] == Info: TLS connect error: error:068000DD:asn1 encoding routines::illegal padding
[0-0] == Info: [SSL] cf_connect() -> 35, done=0
```

Mainline OpenSSL (as of 3.5.2) and quictls (as of 3.3.0) are affected.

LibreSSL is not affected. (I did not test BoringSSL and AWS-LC)

Assisted-by: Stefan Eissing
Reported-by: Michał Petryka
Fixes #18190

Closes #18228
2025-08-08 20:08:31 +02:00
| File | Last commit | Date |
| --- | --- | --- |
| .checksrc | checksrc: reduce exceptions, apply again to curlx | 2025-06-27 17:33:35 +02:00 |
| cipher_suite.c | tidy-up: prefer ifdef/ifndef for single checks | 2025-07-27 22:35:17 +02:00 |
| cipher_suite.h | TLS: remove support for Secure Transport and BearSSL | 2025-06-11 07:54:19 +02:00 |
| gtls.c | tidy-up: prefer ifdef/ifndef for single checks | 2025-07-27 22:35:17 +02:00 |
| gtls.h | http/3: report handshake with version and cipher as for TCP connections | 2025-07-14 14:08:32 +02:00 |
| hostcheck.c | tidy-up: more whitespace/indent, comments | 2025-07-25 11:47:51 +02:00 |
| hostcheck.h | openssl: some small cleanups | 2025-07-18 00:40:26 +02:00 |
| keylog.c | urlapi: use uppercase hex encoding | 2025-06-25 11:44:13 +02:00 |
| keylog.h | spelling: 'a' vs 'an' | 2025-05-30 11:38:35 +02:00 |
| mbedtls.c | tidy-up: prefer ifdef/ifndef for single checks | 2025-07-27 22:35:17 +02:00 |
| mbedtls.h | lib: include files using known path | 2025-04-08 17:00:00 +02:00 |
| mbedtls_threadlock.c | lib: include files using known path | 2025-04-08 17:00:00 +02:00 |
| mbedtls_threadlock.h | lib: include files using known path | 2025-04-08 17:00:00 +02:00 |
| openssl.c | openssl: clear errors after a failed d2i_X509() | 2025-08-08 20:08:31 +02:00 |
| openssl.h | openssl: check SSL_write() length on retries | 2025-08-01 17:54:05 +02:00 |
| rustls.c | tls: CURLINFO_TLS_SSL_PTR testing | 2025-08-01 09:37:36 +02:00 |
| rustls.h | lib: include files using known path | 2025-04-08 17:00:00 +02:00 |
| schannel.c | schannel: add an error message for client cert not found | 2025-08-08 03:43:54 -04:00 |
| schannel.h | tidy-up: prefer ifdef/ifndef for single checks | 2025-07-27 22:35:17 +02:00 |
| schannel_int.h | schannel: not supported with UWP, drop redundant code | 2025-07-31 20:05:32 +02:00 |
| schannel_verify.c | windows: document toolchain support for CERT_NAME_SEARCH_ALL_NAMES_FLAG | 2025-07-31 20:43:21 +02:00 |
| vtls.c | vtls: set seen http version on successful ALPN | 2025-08-05 16:01:39 +02:00 |
| vtls.h | tidy-up: whitespace | 2025-07-11 13:32:54 +02:00 |
| vtls_int.h | lib: replace getsock() logic with pollsets | 2025-08-04 23:43:13 +02:00 |
| vtls_scache.c | tidy-up: whitespace | 2025-07-11 13:32:54 +02:00 |
| vtls_scache.h | lib: replace scache no-op macros with #ifdef | 2025-06-27 17:33:34 +02:00 |
| vtls_spack.c | build: fix build errors/warnings in rare configurations | 2025-07-23 22:17:03 +02:00 |
| vtls_spack.h | build: fix build errors/warnings in rare configurations | 2025-07-23 22:17:03 +02:00 |
| wolfssl.c | wolfssl: rename ML-KEM hybrids to match IETF draft | 2025-08-05 08:58:19 +02:00 |
| wolfssl.h | GHA/checksrc: expand spellcheck, fix issues found | 2025-07-21 16:09:01 +02:00 |
| x509asn1.c | misc: fix typos | 2025-07-12 08:59:44 +02:00 |
| x509asn1.h | TLS: remove support for Secure Transport and BearSSL | 2025-06-11 07:54:19 +02:00 |