From 4dd145a888c7679812664bf2f246fa8199e94ab0 Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Wed, 5 Feb 2020 11:46:33 +0100 Subject: [PATCH] BUG/MINOR: ssl: clear the SSL errors on DH loading failure In ssl_sock_load_dh_params(), if haproxy failed to apply the dhparam with SSL_CTX_set_tmp_dh(), it will apply the DH with SSL_CTX_set_dh_auto(). The problem is that we don't clean the OpenSSL errors when leaving this function so it could fail to load the certificate, even if it's only a warning. Fixes bug #483. Must be backported in 2.1. --- src/ssl_sock.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index e00dafaa0..7698eec7f 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -3094,6 +3094,7 @@ static int ssl_sock_load_dh_params(SSL_CTX *ctx, const struct cert_key_and_chain } end: + ERR_clear_error(); return ret; } #endif
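Review bot: the `ERR_clear_error();` added directly under the `end:` label in ssl_sock_load_dh_params() runs on every path that reaches that label, not only on the SSL_CTX_set_tmp_dh() failure the commit message describes. Whatever is queued in the OpenSSL error stack is therefore discarded before `return ret;`, and the reason the dhparam was rejected is never reported. The visible context does not show which other branches jump to `end:`. If any of them returns a real error in `ret`, consider reading the queue into the warning message before clearing it, or moving the clear into the branch that falls back to SSL_CTX_set_dh_auto(). In either case, a short comment above the call would help, saying that the failure is only a warning here and that the stale errors must not leak into the later certificate load, since the line gives no hint of why the queue is wiped.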