Improve OpenSSL integration

Ensure the error stack is cleared after errors are processed.

Also handle NULL returns safely.

Makes the debug mode spew more data, though almost none of
the contexts is in reaction to network peer data.

1 files changed, 4 insertions, 4 deletions

diff --git a/degesch.c b/degesch.c
index ac9cd8a..6d120c2 100644
--- a/degesch.c
+++ b/degesch.c
@@ -5320,13 +5320,13 @@ transport_tls_init_ca_set (SSL_CTX *ssl_ctx, const char *file, const char *path,
 
 		return error_set (e, "%s: %s",
 			"Failed to set locations for the CA certificate bundle",
-			ERR_reason_error_string (ERR_get_error ()));
+			xerr_describe_error ());
 	}
 
 	if (!SSL_CTX_set_default_verify_paths (ssl_ctx))
 		return error_set (e, "%s: %s",
 			"Couldn't load the default CA certificate bundle",
-			ERR_reason_error_string (ERR_get_error ()));
+			xerr_describe_error ());
 	return true;
 }
 
@@ -5416,7 +5416,7 @@ transport_tls_init_cert (struct server *s, SSL *ssl, struct error **e)
 	else if (!SSL_use_certificate_file (ssl, path, SSL_FILETYPE_PEM)
 		|| !SSL_use_PrivateKey_file (ssl, path, SSL_FILETYPE_PEM))
 		error_set (e, "%s: %s", "Setting the TLS client certificate failed",
-			ERR_reason_error_string (ERR_get_error ()));
+			xerr_describe_error ());
 	else
 		result = true;
 	free (path);
@@ -5474,7 +5474,7 @@ error_ssl_2:
 error_ssl_1:
 	if (!error)
 		error_set (&error, "%s: %s", "Could not initialize TLS",
-			ERR_reason_error_string (ERR_get_error ()));
+			xerr_describe_error ());
 
 	error_propagate (e, error);
 	return false;