8ec241bc99
Without it, subsequent OpenSSL API calls may fail with an error caught within the OpenSSL `d2i_X509()` (decode) call. It was seen to happen when importing from the Windows certificate store (e.g. with `--ca-native`), and any one of the certificates failed while decoding, then skipped. Behind the scene (and undocumented), the failed decode call is adding an error to an internal OpenSSL error queue. This error is picked up later, at the connect phase, by another OpenSSL API call, which happens to check the error queue, without clearing it first. It made the connect fail with the error collected earlier, while decoding the malformed and discarded certificate. Fix by explicitly clearing the error queue if the decode call fails. Ref: https://docs.openssl.org/3.5/man3/d2i_X509/ `-vvvv` output before this patch: ``` [0-0] == Info: successfully imported Windows ROOT store [0-0] == Info: successfully imported Windows CA store [0-0] == Info: [SSL] SSL_connect() -> err=-1, detail=1 [0-0] == Info: TLS connect error: error:068000DD:asn1 encoding routines::illegal padding [0-0] == Info: [SSL] cf_connect() -> 35, done=0 ``` Mainline OpenSSL (as of 3.5.2) and quictls (as of 3.3.0) are affected. LibreSSL is not affected. (I did not test BoringSSL and AWS-LC) Assisted-by: Stefan Eissing Reported-by: Michał Petryka Fixes #18190 Closes #18228 |
||
|---|---|---|
| .circleci | ||
| .github | ||
| CMake | ||
| docs | ||
| include | ||
| lib | ||
| LICENSES | ||
| m4 | ||
| packages | ||
| plan9 | ||
| projects | ||
| scripts | ||
| src | ||
| tests | ||
| winbuild | ||
| .dir-locals.el | ||
| .git-blame-ignore-revs | ||
| .gitattributes | ||
| .gitignore | ||
| .mailmap | ||
| acinclude.m4 | ||
| appveyor.sh | ||
| appveyor.yml | ||
| buildconf | ||
| CHANGES.md | ||
| CMakeLists.txt | ||
| configure.ac | ||
| COPYING | ||
| curl-config.in | ||
| Dockerfile | ||
| GIT-INFO.md | ||
| libcurl.pc.in | ||
| Makefile.am | ||
| README | ||
| README.md | ||
| RELEASE-NOTES | ||
| renovate.json | ||
| REUSE.toml | ||
| SECURITY.md | ||
curl is a command-line tool for transferring data specified with URL syntax. Learn how to use curl by reading the manpage or everything curl.
Find out how to install curl by reading the INSTALL document.
libcurl is the library curl is using to do its job. It is readily available to be used by your software. Read the libcurl manpage to learn how.
Open Source
curl is Open Source and is distributed under an MIT-like license.
Contact
Contact us on a suitable mailing list or use GitHub issues/ pull requests/ discussions.
All contributors to the project are listed in the THANKS document.
Commercial support
For commercial support, maybe private and dedicated help with your problems or applications using (lib)curl visit the support page.
Website
Visit the curl website for the latest news and downloads.
Source code
Download the latest source from the Git server:
git clone https://github.com/curl/curl.git
Security problems
Report suspected security problems via our HackerOne page and not in public.
Notice
curl contains pieces of source code that is Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan. This notice is included here to comply with the distribution terms.
Backers
Thank you to all our backers 🙏 Become a backer.
Sponsors
Support this project by becoming a sponsor.