Commit f60c9d1448 for openssl.org
commit f60c9d1448b11f486a45d569ed3ac682623d3b79
Author: Gellért Peresztegi-Nagy <gellert.nagy@redpanda.com>
Date: Fri Apr 10 17:45:55 2026 +0100
ssl: Fix ssl_do_config to clean up errors on success with ERR_set_mark
ssl_do_config() could leave stale errors on the error stack even on
success, so that later error checking operations could mistakenly
surface these errors. Use ERR_set_mark()/ERR_pop_to_mark() to cleanly
discard errors when the function succeeds or when system config errors
are non-fatal.
Fixes #30760
Co-authored-by: Brandon Allard <brandon@redpanda.com>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
MergeDate: Thu Apr 16 11:24:56 2026
(Merged from https://github.com/openssl/openssl/pull/30765)
diff --git a/ssl/ssl_mcnf.c b/ssl/ssl_mcnf.c
index 74f07cd945..2480f527ce 100644
--- a/ssl/ssl_mcnf.c
+++ b/ssl/ssl_mcnf.c
@@ -45,6 +45,8 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
OSSL_LIB_CTX *libctx = NULL, *prev_libctx = NULL;
CONF_IMODULE *imod = NULL;
+ ERR_set_mark();
+
if (s == NULL && ctx == NULL) {
ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
goto err;
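Review bot: The mark set on the new first line is only balanced at `err:`, so any `return` in the body between here and that label that does not go through `goto err` would leave an unmatched mark on the caller's error stack and make a later `ERR_pop_to_mark()` in the caller stop early; the rest of ssl_do_config's body lies outside this hunk, so I cannot confirm there is none. The invariant is worth stating where the mark is placed, e.g. `/* Every exit below must go through err: so this mark is always consumed. */`. Note also that ERR_set_mark() returns 0 on an empty stack and the return is ignored here; that is fine because ERR_pop_to_mark() then simply empties the stack, but a one-word mention in the same comment would save the next reader the lookup.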
@@ -113,7 +115,20 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
err:
OSSL_LIB_CTX_set0_default(prev_libctx);
SSL_CONF_CTX_free(cctx);
- return err == 0 || (system && !conf_diagnostics);
+ if (err == 0) {
+ ERR_pop_to_mark();
+ return 1;
+ }
+ if (system && !conf_diagnostics) {
+ /*
+ * Discard errors so that SSL_CTX_new does not return
+ * success with stale errors on the error stack.
+ */
+ ERR_pop_to_mark();
+ return 1;
+ }
+ ERR_clear_last_mark();
+ return 0;
}
int SSL_config(SSL *s, const char *name)
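Review bot: The two `return 1` arms in the new tail are identical apart from their comment, so the condition the removed line already expressed can be kept in one branch: `if (err == 0 || (system && !conf_diagnostics)) { ERR_pop_to_mark(); return 1; }` with the existing comment above it, followed by the `ERR_clear_last_mark(); return 0;` failure path. The comment on the system branch should also say what is being traded: with `config_diagnostics` off, a broken system-wide configuration (such as the invalid Ciphersuites the test data now adds) no longer leaves any trace on the error stack, so the only way an operator learns of it is to enable diagnostics. ssl_do_config begins before this hunk; the `err` counter and `conf_diagnostics` it tests are not visible here.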
diff --git a/test/recipes/90-test_sysdefault_data/sysdefault-ignore.cnf b/test/recipes/90-test_sysdefault_data/sysdefault-ignore.cnf
index 2b04caf83f..e2b845021a 100644
--- a/test/recipes/90-test_sysdefault_data/sysdefault-ignore.cnf
+++ b/test/recipes/90-test_sysdefault_data/sysdefault-ignore.cnf
@@ -19,5 +19,6 @@ system_default = ssl_default_sect
[ssl_default_sect]
SignatureAlgorithms = RSA+SHA256:nonex
+Ciphersuites = INVALID_CIPHERSUITE
MaxProtocol = TLSv1.2
MinProtocol = TLSv1.2
diff --git a/test/sysdefaulttest.c b/test/sysdefaulttest.c
index a2354c6331..6e3b53e3b9 100644
--- a/test/sysdefaulttest.c
+++ b/test/sysdefaulttest.c
@@ -11,6 +11,7 @@
#include <openssl/opensslconf.h>
#include <string.h>
+#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/ssl.h>
#include <openssl/tls1.h>
@@ -35,6 +36,8 @@ static int test_func(void)
TEST_info("min/max version setting incorrect");
goto err;
}
+ if (!TEST_long_eq(ERR_peek_error(), 0))
+ goto err;
}
ret = 1;
err:
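Review bot: `ERR_peek_error()` returns `unsigned long`, so the added check should use the unsigned comparator, `if (!TEST_ulong_eq(ERR_peek_error(), 0))`, rather than `TEST_long_eq`; with `TEST_long_eq` a packed error code whose high bit is set (the system-error flag) would be reported as a negative value in the failure message. It would also help future readers to say why an empty stack is expected here, e.g. `/* system_default errors are ignored without config_diagnostics; none may leak */`. This recipe only covers the ignore configuration; as far as this hunk shows, the opposite case (errors must remain on the stack when config_diagnostics is enabled) is not asserted anywhere in the change.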