OCSP signature verification discards OpenSSL error information #395
Comments
Somewhat related: #312
This is expected because OpenSSL.errors is meant for debugging this library, for issues like https://bugs.ruby-lang.org/issues/7215. If it ever returns a non-empty array, then there is a missing ossl_clear_error() call somewhere which is a bug that needs to be fixed.
Actually, all I don't like the name
What is preventing adding new methods that raise exceptions?
Nothing. It is just that we can't change the behavior of existing methods and Two other easy ways I can think of:
I am happy to contribute an implementation. I don't understand what the conclusion/decision is in this ticket; if that is clarified I can look into typing the code up.
In https://github.com/ruby/openssl/blob/master/ext/openssl/ossl_ocsp.c#L428-L429, ossl_ocspreq_verify does:
If the result is not successful, the error information is cleared. This makes it not available in OpenSSL.errors for inspection by the caller.
Response verification has the same issue.
To get this information, one needs to enable OpenSSL.debug prior to calling the verify method. Example missing information:
Without the debug information, figuring out why verification failed is impractical.
One way of solving this is to provide a method like verify!, which would raise an exception if verification fails, including the OpenSSL error information in the exception.