[Libwebsockets] OpenSSL error queue handling issues

Andrey H. ahanins at gmail.com
Thu Jul 11 09:56:35 CEST 2019



On 7/10/19 10:46 PM, Andy Green wrote:
> Thanks for reporting it, but well... that is not what I would call a 
> "catastrophe".  It does sound like it isn't how it should be though.
It's subjective indeed, but in my world it's a catastrophe when an error 
generated by one connection leads to a disconnect of another arbitrary 
connection.

> 
> The right thing seems to be to change the diagnostic api to use 
> ERR_peek_... 
For diagnostics - yes. But just so you know - the SSL_get_error() 
used from lws_ssl_get_error() does not modify the error queue, whereas 
ERR_get_error() does remove the earliest error from the queue. Ideally, 
each failed OpenSSL API call should be followed by ERR_get_error() to 
clear the queue, but that's a slightly bigger change, because all 
invocations of the OpenSSL API would have to be inspected. Not all of them 
push errors to the queue. Now that we've added (see my PR) hopefully all 
the missing ERR_clear_error() calls, libwebsockets is guaranteed to get the 
right error code where it really matters, but as we don't always clear 
the queue after us, some other code in the same thread may not be ready 
for such situations. The simplest solution could be to clear the error 
queue with ERR_clear_error() right before exiting from libwebsockets entry 
points like lws_service_fd(). What do you think about it?

> If you had joined me at 
> the grindstone before imagine how much better and further along 
> everything would be.
Andy, I truly value your and others' work put into libwebsockets, which
successfully served our project for years, but I was genuinely surprised 
at how that error queue handling issue survived for so long.

> I pushed patches on v3.1-stable and master, please take a look.
I've created a pull request for v3.1-stable which adds more 
ERR_clear_error() before important calls. Also fixed a few places where 
lws_ssl_get_error() was used incorrectly.

> 
> -Andy
> 
>>
>> BR, Andrey
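Added example, not part of the original message or of libwebsockets: a simplified C model of the per-thread error queue discussed above, showing how an error left queued by one connection is attributed to the next one, and how clearing before the call, or on exit from the entry point, prevents that. All names (`q_push`, `conn_io`, `service_a_then_b`, `leftover_after_service`) and the error codes are constructed for illustration; only the roles noted in the comments correspond to the OpenSSL calls named in the message.

```c
#include <stdio.h>
#include <stddef.h>
/* Simplified model (an assumption, not OpenSSL source) of the per-thread
 * error queue that every connection serviced on one thread shares. */
enum { Q_MAX = 8 };
enum verdict { WANT_READ, FATAL };              /* hypothetical result codes */
static unsigned long q[Q_MAX];
static size_t q_len;

static void q_push(unsigned long e) { if (q_len < Q_MAX) q[q_len++] = e; }
static unsigned long q_peek(void) { return q_len ? q[0] : 0; } /* ERR_peek_error role */
static void q_clear(void) { q_len = 0; }                       /* ERR_clear_error role */
static unsigned long q_get(void)        /* ERR_get_error role: removes the earliest */
{
    unsigned long e = q_peek();
    for (size_t i = 1; i < q_len; i++) q[i - 1] = q[i];
    if (q_len) q_len--;
    return e;
}
/* One I/O call: a fatal failure queues an error (constructed code 0xE001);
 * a would-block condition queues nothing. Both return -1. */
static int conn_io(int fatal) { if (fatal) q_push(0xE001UL); return -1; }

/* SSL_get_error role: reads the queue without modifying it, so any queued
 * error, whoever left it there, makes the last call look fatal. */
static enum verdict conn_get_error(void) { return q_peek() ? FATAL : WANT_READ; }

/* Connection A fails and its error stays queued; connection B then only
 * needs more data. Returns the verdict B's caller reaches. */
static enum verdict service_a_then_b(int clear_before_call)
{
    q_clear();
    conn_io(1);                        /* A: genuine failure, queue not drained */
    if (clear_before_call) q_clear();  /* the fix: clear before the call that matters */
    conn_io(0);                        /* B: would block, nothing queued */
    return conn_get_error();
}
/* Errors still queued for other code on the thread when the entry point returns. */
static size_t leftover_after_service(int clear_on_exit)
{
    service_a_then_b(0);
    if (clear_on_exit) q_clear();
    return q_len;
}
int main(void)
{
    printf("B verdict: %d (no clear), %d (clear before call)\n",
           (int)service_a_then_b(0), (int)service_a_then_b(1));
    printf("left queued: %zu, with clear on exit: %zu\n",
           leftover_after_service(0), leftover_after_service(1));
    printf("drained: %#lx\n", q_get());
    return 0;
}
```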

