Clear the error queue when dropping a bad DTLS packet.

This regressed in e95d20dcb80523bf9bc6a9c5682856c8371e0a96. EVP_AEAD will push
errors on the error queue (unlike the EVP_CIPHER codepath which checked
everything internally to ssl/ and didn't bother pushing anything). This meant
that a dropped packet would leave junk in the error queue.

Later, when SSL_read returns <= 0 (EOF or EWOULDBLOCK), the non-empty error
queue check in SSL_get_error kicks in and SSL_read looks to have failed.


Change-Id: I1e5e41c77a3e5b71e9eb0c72294abf0da677f840
Reviewed-by: Adam Langley <>
3 files changed