(tomcat) branch 10.1.x updated: Free CA certificate after calling SSL_CTX_add_client_CA

Thu, 12 Mar 2026 03:29:41 -0700 

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.1.x by this push:
     new 9ab1e874c3 Free CA certificate after calling SSL_CTX_add_client_CA
9ab1e874c3 is described below

commit 9ab1e874c350cb238eb0ae74f46f8c1d319edc20
Author: remm <[email protected]>
AuthorDate: Thu Mar 12 11:27:07 2026 +0100

    Free CA certificate after calling SSL_CTX_add_client_CA
    
    Note: X509_free handles NULL
---
 java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java | 1 +
 webapps/docs/changelog.xml                                         | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java 
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index fcdd12afa2..d1f65c1ed3 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -599,6 +599,7 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
                     } else if (log.isDebugEnabled()) {
                         log.debug(sm.getString("openssl.addedClientCaCert", 
caCert.toString()));
                     }
+                    X509_free(x509CACert);
                 }
             } else if (sslHostConfig.getCaCertificateFile() != null || 
sslHostConfig.getCaCertificatePath() != null) {
                 // Client certificate verification based on trusted CA files 
and dirs
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index aef4e737ec..0053517871 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -206,6 +206,10 @@
         Align the FFM handling of OCSP <code>TRY_LATER</code> responses with
         Tomcat Native. (remm)
       </fix>
+      <fix>
+        Free CA certificate after calling <code>SSL_CTX_add_client_CA</code>
+        in the FFM code. Based on code from PR 44 from tomcat-native. (remm)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to