From 987cfa227d740ae07ca0c092ebefeb425c8af957 Mon Sep 17 00:00:00 2001
From: Vladislav Vaintroub
Date: Mon, 12 Oct 2020 21:15:24 +0200
Subject: MDEV-23740 - X509_R_CERT_ALREADY_IN_HASH_TABLE when establishing SSL connection connection. Ignore harmless X509_R_CERT_ALREADY_IN_HASH_TABLE, similar to how Curl or other projects treat it.
---
 vio/viossl.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
(limited to 'vio')
diff --git a/vio/viossl.c b/vio/viossl.c
index 30946d3261c..8fdc8a3d68c 100644
--- a/vio/viossl.c
+++ b/vio/viossl.c
@@ -109,6 +109,21 @@ static my_bool ssl_should_retry(Vio *vio, int ret, enum enum_vio_io_event *event
 SSL *ssl= vio->ssl_arg;
 my_bool should_retry= TRUE;
+#if defined(ERR_LIB_X509) && defined(X509_R_CERT_ALREADY_IN_HASH_TABLE)
+ /*
+ Ignore error X509_R_CERT_ALREADY_IN_HASH_TABLE.
+ This is a workaround for an OpenSSL bug in an older (< 1.1.1)
+ OpenSSL version.
+ */
+ unsigned long err = ERR_peek_error();
+ if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
+ ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE)
+ {
+ ERR_clear_error();
+ return TRUE;
+ }
+#endif
+
 /* Retrieve the result for the SSL I/O operation. */
 ssl_error= SSL_get_error(ssl, ret);
--
cgit v1.2.1
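Review bot: The early `return TRUE` in the new `#if` block leaves `*event` unwritten, so a caller that waits on `*event` after a TRUE result (callers are outside this hunk) would read an indeterminate value. `ERR_clear_error()` also empties the whole thread error queue rather than just the peeked entry, so any other TLS error queued behind it is discarded and the retry decision is made without consulting `SSL_get_error(ssl, ret)`. Consider removing only the harmless entry with `ERR_get_error();` and falling through to the existing `SSL_get_error()` handling, which presumably sets `*event`; that would need testing against the affected OpenSSL builds. The body of `ssl_should_retry` continues past the end of the hunk.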