Commit a91e844d7a for openssl.org
commit a91e844d7a4fd472eb8f013afd84f23ef59c520e
Author: Richard Levitte <levitte@openssl.org>
Date: Thu Aug 14 14:44:40 2025 +0200
Add explicit error queue instructions in d2i_X509(3) and SSL_get_error(3)
Co-authored-by: Tomáš Mráz <tm@t8m.info>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28264)
diff --git a/doc/man3/SSL_get_error.pod b/doc/man3/SSL_get_error.pod
index a599a9eee6..db750cc37f 100644
--- a/doc/man3/SSL_get_error.pod
+++ b/doc/man3/SSL_get_error.pod
@@ -23,7 +23,8 @@ current thread's OpenSSL error queue. Thus, SSL_get_error() must be
used in the same thread that performed the TLS/SSL I/O operation, and no
other OpenSSL function calls should appear in between. The current
thread's error queue must be empty before the TLS/SSL I/O operation is
-attempted, or SSL_get_error() will not work reliably.
+attempted, or SSL_get_error() will not work reliably. Emptying the
+current thread's error queue is done with L<ERR_clear_error(3)>.
=head1 NOTES
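Review bot: The sentence added after "will not work reliably" names ERR_clear_error(3) but does not say when to call it. Because the surrounding text also says no other OpenSSL function calls should appear between the I/O operation and SSL_get_error(), it is worth stating the placement outright, for example: "Call L<ERR_clear_error(3)> immediately before the TLS/SSL I/O operation to empty the current thread's error queue." That leaves no room to read it as something to do between the I/O call and SSL_get_error().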
@@ -181,9 +182,13 @@ connection and SSL_shutdown() must not be called.
=back
+The OpenSSL error queue can be inspected with the B<ERR> family of functions,
+such as L<ERR_print_errors(3)> and L<ERR_peek_last_error_all(3)>.
+
=head1 SEE ALSO
-L<ssl(7)>
+L<ssl(7)>,
+L<ERR_clear_error(3)>, ERR_print_errors(3), ERR_peek_last_error_all(3)
=head1 HISTORY
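Review bot: In the new SEE ALSO line, ERR_print_errors(3) and ERR_peek_last_error_all(3) are written as plain text while L<ssl(7)> and L<ERR_clear_error(3)> beside them use L<>, and the paragraph added a few lines earlier in this same hunk does use L<> for both names. Suggest making the line consistent: "L<ERR_clear_error(3)>, L<ERR_print_errors(3)>, L<ERR_peek_last_error_all(3)>".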
diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod
index 8e04c2286c..41e76ae837 100644
--- a/doc/man3/d2i_X509.pod
+++ b/doc/man3/d2i_X509.pod
@@ -592,6 +592,10 @@ B<i2d_I<TYPE>_bio>() and B<i2d_I<TYPE>_fp>(),
as well as i2d_ASN1_bio_stream(),
return 1 for success and 0 if an error occurs.
+On error, these functions may record the error in the OpenSSL error queue.
+That error queue can be inspected with the B<ERR> family of functions, such as
+L<ERR_print_errors(3)> and L<ERR_peek_last_error_all(3)>.
+
=head1 EXAMPLES
Allocate and encode the DER encoding of an X509 structure:
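Review bot: "these functions" in the added paragraph is ambiguous. It directly follows the return-value text for B<i2d_I<TYPE>_bio>(), B<i2d_I<TYPE>_fp>() and i2d_ASN1_bio_stream(), so it reads as covering only those, while the commit subject presents the change as applying to d2i_X509(3) as a whole. Suggest stating the scope, for example "On error, any of the functions described on this page may record the error in the OpenSSL error queue", if that is the intent.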
@@ -704,6 +708,10 @@ structure has been modified after deserialization or previous
serialization. This is because some objects cache the encoding for
efficiency reasons.
+=head1 SEE ALSO
+
+ERR_print_errors(3), ERR_peek_last_error_all(3)
+
=head1 HISTORY
d2i_OSSL_ATTRIBUTES_SYNTAX(), d2i_OSSL_BASIC_ATTR_CONSTRAINTS(),
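Review bot: The two entries in the new SEE ALSO section are plain text, whereas the paragraph added earlier in this file writes the same names as L<ERR_print_errors(3)> and L<ERR_peek_last_error_all(3)>. Suggest using the L<> form here too so the references are marked up the same way in both places: "L<ERR_print_errors(3)>, L<ERR_peek_last_error_all(3)>".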