diff options
author | Mikkel Krautz <mikkel@krautz.dk> | 2016-04-29 11:59:35 +0300 |
---|---|---|
committer | Mikkel Krautz <mikkel@krautz.dk> | 2016-06-06 22:42:59 +0300 |
commit | 18e801431b376f85fbf80f0b505680a11c6dd783 (patch) | |
tree | 9013ca848922087d97b14994b32b5bbbaec5a9ad /src/murmur/Cert.cpp | |
parent | 0a5b68c4d05ad69d452588202c24b9c0a35ba7e4 (diff) |
Cert: add ERR_clear_error() to the end of initializeCert().
Diffstat (limited to 'src/murmur/Cert.cpp')
-rw-r--r-- | src/murmur/Cert.cpp | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/src/murmur/Cert.cpp b/src/murmur/Cert.cpp index 36219efe3..d39b62afd 100644 --- a/src/murmur/Cert.cpp +++ b/src/murmur/Cert.cpp @@ -254,6 +254,33 @@ void Server::initializeCert() { DH_free(dh); } #endif + + // Drain OpenSSL's per-thread error queue + // to ensure that errors from the operations + // we've done in here do not leak out into + // Qt's SSL module. + // + // If an error leaks, it can break all connections + // to the server because each invocation of Qt's SSL + // read callback checks OpenSSL's per-thread error + // queue (albeit indirectly, via SSL_get_error()). + // Qt expects any errors returned from SSL_get_error() + // to be related to the QSslSocket it is currently + // processing -- which is the obvious thing to expect: + // SSL_get_error() takes a pointer to an SSL object + // and the return code of the failed operation. + // However, it is also documented as: + // + // "In addition to ssl and ret, SSL_get_error() + // inspects the current thread's OpenSSL error + // queue." + // + // So, if any OpenSSL operation on the main thread + // forgets to clear the error queue, those errors + // *will* leak into other things that *do* error + // checking. In our case, into Qt's SSL read callback, + // resulting in all clients being disconnected. + ERR_clear_error(); } const QString Server::getDigest() const { |