Ticket #285: fix-ssl-again-1.4.19.patch

a/NEWS

@@ -8 +8 @@
-  * added support for If-Range: <date> (#1346)
-  * added support for matching $HTTP["scheme"] in configs
-  * fixed initgroups() called after chroot (#1384)
+  * Fix #285 again: read error after SSL_shutdown (thx marton.illes@balabit.com) and clear the error queue before some other calls
-  * fixed case-sensitive check for Auth-Method (#1456)
-  * execute fcgi app without /bin/sh if used as argument to spawn-fcgi (#1428)
-  * fixed a bug that made /-prefixed extensions being handled also when

a/src/connections.c

@@ -199 +199 @@
-
-        /* don't resize the buffer if we were in SSL_ERROR_WANT_* */
-
+        ERR_clear_error();
-        do {
-                if (!con->ssl_error_want_reuse_buffer) {
-                        b = buffer_init();
@@ -1668 +1669 @@
-                        }
-#ifdef USE_OPENSSL
-                        if (srv_sock->is_ssl) {
-
+
+
+
-                                switch ((ret = SSL_shutdown(con->ssl))) {
-                                case 1:
-                                        /* ok */
-                                        break;
-                                case 0:
-
-
+
+
+
-                                default:
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-                                }
-                        }
+                        ERR_clear_error();
-#endif
-
-                        switch(con->mode) {

a/src/network_openssl.c

@@ -85 +85 @@
-                         *
-                         */
-
+                        ERR_clear_error();
-                        if ((r = SSL_write(ssl, offset, toSend)) <= 0) {
-                                unsigned long err;
-
@@ -187 +188 @@
-
-                                close(ifd);
-
+                                ERR_clear_error();
-                                if ((r = SSL_write(ssl, s, toSend)) <= 0) {
-                                        unsigned long err;
-