From owner-freebsd-ports-bugs@FreeBSD.ORG Mon Apr 7 13:15:58 2008 Return-Path: Delivered-To: freebsd-ports-bugs@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id F3B081065670; Mon, 7 Apr 2008 13:15:57 +0000 (UTC) (envelope-from h.schmalzbauer@omnisec.de) Received: from host.omnisec.de (host.omnisec.de [62.245.232.135]) by mx1.freebsd.org (Postfix) with ESMTP id 6F7838FC13; Mon, 7 Apr 2008 13:15:56 +0000 (UTC) (envelope-from h.schmalzbauer@omnisec.de) Received: from titan.flintsbach.schmalzbauer.de (titan.flintsbach.schmalzbauer.de [172.21.1.150]) (authenticated bits=0) by host.omnisec.de (8.13.8/8.13.8) with ESMTP id m37CcKxS017689 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 7 Apr 2008 14:38:20 +0200 (CEST) (envelope-from h.schmalzbauer@omnisec.de) Message-ID: <47FA15BC.8080706@omnisec.de> Date: Mon, 07 Apr 2008 14:38:20 +0200 From: Harald Schmalzbauer Organization: OmniSEC User-Agent: Thunderbird 2.0.0.12 (X11/20080308) MIME-Version: 1.0 To: FreeBSD-gnats-submit@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org References: <200804071120.m37BK0s7053011@freefall.freebsd.org> In-Reply-To: <200804071120.m37BK0s7053011@freefall.freebsd.org> X-Enigmail-Version: 0.95.6 Content-Type: text/plain; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: 7bit Cc: Harald Schmalzbauer Subject: Re: ports/122526: lighttpd active SSL connection loss (SSL3_WRITE_PENDING:bad write retry) X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Apr 2008 13:15:58 -0000 FreeBSD-gnats-submit@FreeBSD.org wrote am 07.04.2008 13:20 (localtime): Sorry, there as a select'n'paste error, here is the correct patch:
--- src/connections.c (revision 2103)
+++ src/connections.c (revision 2136)
@@ -200,4 +200,5 @@
 /* don't resize the buffer if we were in SSL_ERROR_WANT_* */
+ ERR_clear_error();
 do {
 if (!con->ssl_error_want_reuse_buffer) {
@@ -1670,4 +1671,5 @@
 if (srv_sock->is_ssl) {
 int ret;
+ ERR_clear_error();
 switch ((ret = SSL_shutdown(con->ssl))) {
 case 1:
@@ -1675,6 +1677,8 @@
 break;
 case 0:
- SSL_shutdown(con->ssl);
- break;
+ ERR_clear_error();
+ if ((ret = SSL_shutdown(con->ssl)) == 1) break;
+
+ // fall through
 default:
 log_error_write(srv, __FILE__, __LINE__, "sds", "SSL:",
--- src/network_openssl.c (revision 2084)
+++ src/network_openssl.c (revision 2136)
@@ -86,4 +86,5 @@
 */
+ ERR_clear_error();
 if ((r = SSL_write(ssl, offset, toSend)) <= 0) {
 unsigned long err;
@@ -188,4 +189,5 @@
 close(ifd);
+ ERR_clear_error();
 if ((r = SSL_write(ssl, s, toSend)) <= 0) {
 unsigned long err;
--- NEWS (revision 2130)
+++ NEWS (revision 2136)
@@ -9,4 +9,5 @@
 * Fix mod_extforward to compile with old gcc version (#1591)
 * Update documentation for #1587
+ * Fix #285 again: read error after SSL_shutdown (thx marton.illes@balabit.com) and clear the error queue before some other calls
 - 1.4.19 - 2008-03-10
--- src/connections.c (revision 2136)
+++ src/connections.c (revision 2139)
@@ -1670,5 +1670,6 @@
 #ifdef USE_OPENSSL
 if (srv_sock->is_ssl) {
- int ret, ssl_r;
+ int ret, ssl_r;
+ unsigned long err;
 ERR_clear_error();
 switch ((ret = SSL_shutdown(con->ssl))) {
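Review bot: The `ERR_clear_error()` added at src/connections.c line 200 carries no comment saying why it is there, and the same applies to the identical additions before `SSL_shutdown()` and before both `SSL_write()` calls in src/network_openssl.c. I would put `/* SSL_get_error() consults the thread's OpenSSL error queue; drop stale entries so they are not attributed to this call */` above each one, so that a later cleanup does not remove them as dead code. In the first hunk the clear sits before the `do {` loop rather than inside it; the loop body is outside the hunk, so it is worth confirming that every SSL I/O call made per iteration still starts with an empty queue.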
@@ -1678,14 +1679,40 @@
 case 0:
 ERR_clear_error();
- if ((ret = SSL_shutdown(con->ssl)) == 1) break;
+ if (-1 != (ret = SSL_shutdown(con->ssl))) break;
 // fall through
 default:
- log_error_write(srv, __FILE__, __LINE__, "sds", "SSL:",
- SSL_get_error(con->ssl, ret),
- ERR_error_string(ERR_get_error(), NULL));
- return -1;
+
+ switch ((ssl_r = SSL_get_error(con->ssl, ret))) {
+ case SSL_ERROR_WANT_WRITE:
+ case SSL_ERROR_WANT_READ:
+ break;
+ case SSL_ERROR_SYSCALL:
+ /* perhaps we have error waiting in our error-queue */
+ if (0 != (err = ERR_get_error())) {
+ do {
+ log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
+ ssl_r, ret,
+ ERR_error_string(err, NULL));
+ } while((err = ERR_get_error()));
+ } else {
+ log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL (error):",
+ ssl_r, r, errno,
+ strerror(errno));
+ }
+
+ break;
+ default:
+ while((err = ERR_get_error())) {
+ log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
+ ssl_r, ret,
+ ERR_error_string(err, NULL));
+ }
+
+ break;
+ }
 }
 }
+ ERR_clear_error();
 #endif
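Review bot: In the `SSL_ERROR_SYSCALL` branch the fallback log call passes `r`, while the variables this patch declares for the block are `ret`, `ssl_r` and `err`. The start of the function is outside the hunk, so either `r` is undeclared and the file will not build with USE_OPENSSL, or it is an unrelated variable and the log line reports the wrong value; the arguments should probably read `ssl_r, ret, errno,`. `errno` is also read only after `SSL_get_error()` and `ERR_get_error()` have run, so saving it directly after `SSL_shutdown()` (`int saved_errno = errno;`) and logging the copy would keep the reported cause reliable. Since the old `return -1;` is gone and every path now falls out of the switch, a one-line comment stating that an incomplete close-notify is deliberately ignored at this point would help the next reader.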