From: Rafael Sadowski
Subject: relayd: drain OpenSSL error queue on TLS failures
To: tech@openbsd.org
Date: Fri, 12 Jun 2026 12:05:27 +0200
OK?
commit da7fd92671762573d155d71235757af16ea6e647
Author: Rafael Sadowski
Date: Thu Jun 11 21:30:22 2026 +0200
relayd: drain OpenSSL error queue on TLS failures
Borrowed from smtpd. Without draining we just log "RSA_meth_dup failed" and lose the actual reason. Wire ssl_error() into ca_engine_init(), which also kills a dead RSA_meth_free() on a NULL pointer there, and into ssl_load_key()s fail path.
diff --git a/ca.c b/ca.c
index c4f527f..292d744 100644
--- a/ca.c
+++ b/ca.c
@@ -474,6 +474,6 @@ ca_engine_init(struct relayd *x_env)
 return;
 fail:
- RSA_meth_free(rsae_method);
+ ssl_error(errstr);
 fatalx("%s: %s", __func__, errstr);
 }
diff --git a/relayd.h b/relayd.h
index 5536b47..8f06085 100644
--- a/relayd.h
+++ b/relayd.h
@@ -1292,6 +1292,7 @@ void script_done(struct relayd *, struct ctl_script *);
 int script_exec(struct relayd *, struct ctl_script *);
 /* ssl.c */
+void ssl_error(const char *);
 char *ssl_load_key(struct relayd *, const char *, off_t *, char *);
 uint8_t *ssl_update_certificate(const uint8_t *, size_t, EVP_PKEY *, EVP_PKEY *, X509 *, size_t *);
diff --git a/ssl.c b/ssl.c
index b6ab383..97bf9b4 100644
--- a/ssl.c
+++ b/ssl.c
@@ -88,6 +88,7 @@ ssl_load_key(struct relayd *env, const char *name, off_t *len, char *pass)
 return (buf);
 fail:
+ ssl_error("ssl_load_key");
 free(buf);
 if (bio != NULL)
 BIO_free_all(bio);
@@ -237,3 +238,15 @@ ssl_load_pkey(char *buf, off_t len, X509 **x509ptr, EVP_PKEY **pkeyptr)
 return (0);
 }
+
+void
+ssl_error(const char *where)
+{
+ unsigned long code;
+ char errbuf[128];
+
+ for (; (code = ERR_get_error()) != 0 ;) {
+ ERR_error_string_n(code, errbuf, sizeof(errbuf));
+ log_warnx("SSL library error: %s: %s", where, errbuf);
+ }
+}
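Review bot: The `where` label is inconsistent between the two new call sites: the ca.c `fail:` path passes the failure text with `ssl_error(errstr)`, while the ssl.c `fail:` path passes the literal `"ssl_load_key"`. Because `fatalx("%s: %s", __func__, errstr)` on the following line already prints errstr, using `ssl_error(__func__);` in both places would give every drained entry the same "function: reason" shape and would survive a rename. ca_engine_init's body starts outside this hunk, so the commit message's statement that rsae_method is NULL whenever `fail:` is reached cannot be confirmed from the visible lines; a short comment at the label recording that assumption would help the next reader.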
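Review bot: ssl_error() carries no comment saying that it empties the calling thread's whole OpenSSL error queue, so entries left behind by an earlier, unrelated call are logged under the current `where`. I would add a comment above the function along the lines of `/* Log and drain every pending OpenSSL error; call ERR_clear_error() before the operation if stale entries must not be attributed to it. */`. The loop would also read more plainly as `while ((code = ERR_get_error()) != 0) {`. errbuf is 128 bytes and ERR_error_string_n() truncates to fit, which is safe, but longer reason strings may appear cut short in the log.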