diff --git a/lib/tls/openssl/openssl-client.c b/lib/tls/openssl/openssl-client.c
index c772bdc17..3fe923fcb 100644
--- a/lib/tls/openssl/openssl-client.c
+++ b/lib/tls/openssl/openssl-client.c
@@ -279,8 +279,11 @@ lws_tls_client_connect(struct lws *wsi)
 char a[32];
 unsigned int len;
 #endif
- int m, n = SSL_connect(wsi->tls.ssl);
+ int m, n;
+ errno = 0;
+ ERR_clear_error();
+ n = SSL_connect(wsi->tls.ssl);
 if (n == 1) {
 #if defined(LWS_HAVE_SSL_set_alpn_protos) && \
 defined(LWS_HAVE_SSL_get0_alpn_selected)
@@ -325,6 +328,8 @@ lws_tls_client_confirm_peer_cert(struct lws *wsi, char *ebuf, int ebuf_len)
 int n;
 lws_latency_pre(wsi->context, wsi);
+ errno = 0;
+ ERR_clear_error();
 n = SSL_get_verify_result(wsi->tls.ssl);
 lws_latency(wsi->context, wsi, "SSL_get_verify_result LWS_CONNMODE..HANDSHAKE", n, n > 0);
@@ -496,6 +501,8 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 /* no existing one the same... create new client SSL_CTX */
+ errno = 0;
+ ERR_clear_error();
 vh->tls.ssl_client_ctx = SSL_CTX_new(method);
 if (!vh->tls.ssl_client_ctx) {
 error = ERR_get_error();
diff --git a/lib/tls/openssl/openssl-server.c b/lib/tls/openssl/openssl-server.c
index cf296cf6c..5464fd8b1 100644
--- a/lib/tls/openssl/openssl-server.c
+++ b/lib/tls/openssl/openssl-server.c
@@ -557,6 +557,7 @@ lws_tls_server_new_nonblocking(struct lws *wsi, lws_sockfd_type accept_fd)
 #endif
 errno = 0;
+ ERR_clear_error();
 wsi->tls.ssl = SSL_new(wsi->vhost->tls.ssl_ctx);
 if (wsi->tls.ssl == NULL) {
 lwsl_err("SSL_new failed: %d (errno %d)\n",
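Review bot: The reason for resetting errno and the OpenSSL error queue immediately before SSL_connect() is not stated anywhere in the hunk, and without it the next maintainer is likely to fold `n = SSL_connect(...)` back into the declaration and silently drop the resets. A one-line comment above the `errno = 0;` line would pin the contract, e.g. `/* SSL_get_error() inspects errno and the thread's error queue; both must be clean before the call or a stale entry is attributed to this operation */`. The same comment belongs on the other call sites this patch touches in the same way (SSL_get_verify_result, SSL_CTX_new, SSL_new, SSL_accept, SSL_read, SSL_write, SSL_shutdown in the later hunks), or once in a shared place those sites can reference. The rest of lws_tls_client_connect, including whatever handling follows the `n != 1` path and presumably depends on this, lies outside the hunk.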
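Review bot: The `errno = 0; ERR_clear_error();` pair added before SSL_get_verify_result() cannot change that call's result, since it only returns the verification outcome recorded during the handshake and reports nothing through errno or the error queue, so a reader will wonder whether the two lines were pasted by analogy with the other hunks. If the intent is to keep the queue clean for the error reporting that follows in lws_tls_client_confirm_peer_cert, say so, e.g. `/* nothing to attribute here; keep the error queue empty for the ebuf reporting below */`; otherwise the two lines can be dropped. The rest of the function, including the ebuf handling, lies outside the hunk.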
@@ -611,9 +612,13 @@ lws_tls_server_abort_connection(struct lws *wsi)
 enum lws_ssl_capable_status
 lws_tls_server_accept(struct lws *wsi)
 {
- union lws_tls_cert_info_results ir;
- int m, n = SSL_accept(wsi->tls.ssl);
 struct lws_context_per_thread *pt = &wsi->context->pt[(int)wsi->tsi];
+ union lws_tls_cert_info_results ir;
+ int m, n;
+
+ errno = 0;
+ ERR_clear_error();
+ n = SSL_accept(wsi->tls.ssl);
 if (n == 1) {
 n = lws_tls_peer_cert_info(wsi, LWS_TLS_CERT_INFO_COMMON_NAME, &ir,
diff --git a/lib/tls/openssl/ssl.c b/lib/tls/openssl/ssl.c
index c160acad7..c5203b4be 100644
--- a/lib/tls/openssl/ssl.c
+++ b/lib/tls/openssl/ssl.c
@@ -181,6 +181,7 @@ lws_ssl_capable_read(struct lws *wsi, unsigned char *buf, int len)
 lws_stats_atomic_bump(context, pt, LWSSTATS_C_API_READ, 1);
 errno = 0;
+ ERR_clear_error();
 n = SSL_read(wsi->tls.ssl, buf, len);
 #if defined(LWS_WITH_ESP32)
 if (!n && errno == LWS_ENOTCONN) {
@@ -307,6 +308,8 @@ lws_ssl_capable_write(struct lws *wsi, unsigned char *buf, int len)
 if (!wsi->tls.ssl)
 return lws_ssl_capable_write_no_ssl(wsi, buf, len);
+ errno = 0;
+ ERR_clear_error();
 n = SSL_write(wsi->tls.ssl, buf, len);
 if (n > 0)
 return n;
@@ -380,7 +383,7 @@ lws_ssl_close(struct lws *wsi)
 return 0; /* not handled */
 #if defined (LWS_HAVE_SSL_SET_INFO_CALLBACK)
- /* kill ssl callbacks, becausse we will remove the fd from the
+ /* kill ssl callbacks, because we will remove the fd from the
 * table linking it to the wsi */
 if (wsi->vhost->tls.ssl_info_event_mask)
@@ -465,6 +468,8 @@ __lws_tls_shutdown(struct lws *wsi)
 {
 int n;
+ errno = 0;
+ ERR_clear_error();
 n = SSL_shutdown(wsi->tls.ssl);
 lwsl_debug("SSL_shutdown=%d for fd %d\n", n, wsi->desc.sockfd);
 switch (n) {
diff --git a/lib/tls/openssl/tls.c b/lib/tls/openssl/tls.c
index f0e9048cd..b568e2af0 100644
--- a/lib/tls/openssl/tls.c
+++ b/lib/tls/openssl/tls.c
@@ -71,7 +71,7 @@ lws_tls_err_describe(void)
 unsigned long l;
 do {
- l = ERR_get_error();
+ l = ERR_peek_error();
 if (!l)
 break;
 ERR_error_string_n(l, buf, sizeof(buf));
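Review bot: Replacing ERR_get_error() with ERR_peek_error() makes the loop's exit condition suspect: peek does not remove the entry, so `l` holds the same non-zero value on every pass, and unless the remainder of the `do` body outside this hunk drains the queue some other way, the loop never terminates once a single error is queued; even when it does terminate, only the oldest entry is ever described. The error-queue API offers no non-destructive iteration, so if the goal is to leave the queue intact for the caller the realistic options are to describe just the one peeked entry without looping, or to keep ERR_get_error() and rely on the clears the other hunks now place before each SSL_* call. At minimum the loop should be made finite, e.g. `unsigned long last = 0;` before it and `if (!l || l == last) break; last = l;` in place of the current `if (!l) break;`. The loop's tail and the function's end lie outside the hunk.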