From 821d3a9f513a63b06f1696352392996391807c16 Mon Sep 17 00:00:00 2001
From: Janusz Dziemidowicz <rraptorr@nails.eu.org>
Date: Wed, 8 Mar 2017 16:59:41 +0100
Subject: [PATCH 4/7] BUG/MEDIUM: ssl: Clear OpenSSL error stack after trying
 to parse OCSP file

Invalid OCSP file (for example empty one that can be used to enable
OCSP response to be set dynamically later) causes errors that are
placed on OpenSSL error stack. Those errors are not cleared so
anything that checks this stack later will fail.

Following configuration:
  bind :443 ssl crt crt1.pem crt crt2.pem

With following files:
  crt1.pem
  crt1.pem.ocsp - empty one
  crt2.pem.rsa
  crt2.pem.ecdsa

Will fail to load.

This patch should be backported to 1.7.
(cherry picked from commit 8d7104982e1c41f7dc4d75ae7f7d2bbb96052d40)
---
 src/ssl_sock.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index cc2dc12..daa584c 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -433,6 +433,8 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
 
 	ret = 0;
 out:
+	ERR_clear_error();
+
 	if (bs)
 		 OCSP_BASICRESP_free(bs);
 
-- 
2.10.2