maskit commented on code in PR #9840:
URL: https://github.com/apache/trafficserver/pull/9840#discussion_r1231171028
##########
iocore/net/SSLConfig.cc:
##########
@@ -952,7 +952,8 @@ SSLConfigParams::getCTX(const std::string &client_cert,
const std::string &key_f
SSLError("failed to attach client chain certificate from %s",
client_cert.c_str());
goto fail;
}
- X509_free(cert);
+ // Do not free cert becasue SSL_CTX_add_extra_chain_cert takes
ownership of cert if it succeeds, unlike
+ // SSL_CTX_use_certificate.
Review Comment:
I'm not sure if I understand your comment correctly.
If `SSL_CTX_add_extra_chain_cert` succeeds, `PEM_read_bio_X509` will be
called. And if that fails, `cert` is `nullptr` and we leave this `while` loop.
Since `cert` is `nullptr`, it won't be freed even if we go to `fail` label
later.
If `SSL_CTX_add_extra_chain_cert ` fails, `SSL_CTX` doesn't have ownership,
so the `cert` has to be freed. We jump to `fail` label, and the `cert` will be
freed.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
