(tomcat) branch 11.0.x updated: Free CA certificate after calling SSL_CTX_add_client_CA

Thu, 12 Mar 2026 03:29:20 -0700 

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/11.0.x by this push:
     new 727bb75cd9 Free CA certificate after calling SSL_CTX_add_client_CA
727bb75cd9 is described below

commit 727bb75cd964f989d48745d110e3a10280fa0be5
Author: remm <[email protected]>
AuthorDate: Thu Mar 12 11:27:07 2026 +0100

    Free CA certificate after calling SSL_CTX_add_client_CA
    
    Note: X509_free handles NULL
---
 java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java | 1 +
 webapps/docs/changelog.xml                                         | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java 
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index fcdd12afa2..d1f65c1ed3 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -599,6 +599,7 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
                     } else if (log.isDebugEnabled()) {
                         log.debug(sm.getString("openssl.addedClientCaCert", 
caCert.toString()));
                     }
+                    X509_free(x509CACert);
                 }
             } else if (sslHostConfig.getCaCertificateFile() != null || 
sslHostConfig.getCaCertificatePath() != null) {
                 // Client certificate verification based on trusted CA files 
and dirs
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index fdab1dc5d9..e87ea54e09 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -206,6 +206,10 @@
         Align the FFM handling of OCSP <code>TRY_LATER</code> responses with
         Tomcat Native. (remm)
       </fix>
+      <fix>
+        Free CA certificate after calling <code>SSL_CTX_add_client_CA</code>
+        in the FFM code. Based on code from PR 44 from tomcat-native. (remm)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to