(tomcat) branch 9.0.x updated: Free CA certificate after calling SSL_CTX_add_client_CA

Thu, 12 Mar 2026 03:29:45 -0700 

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new 1eab7f3a92 Free CA certificate after calling SSL_CTX_add_client_CA
1eab7f3a92 is described below

commit 1eab7f3a92f84d20a21f78d56251c1c95645a38b
Author: remm <[email protected]>
AuthorDate: Thu Mar 12 11:27:07 2026 +0100

    Free CA certificate after calling SSL_CTX_add_client_CA
    
    Note: X509_free handles NULL
---
 java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java | 1 +
 webapps/docs/changelog.xml                                         | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java 
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index fcdd12afa2..d1f65c1ed3 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -599,6 +599,7 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
                     } else if (log.isDebugEnabled()) {
                         log.debug(sm.getString("openssl.addedClientCaCert", 
caCert.toString()));
                     }
+                    X509_free(x509CACert);
                 }
             } else if (sslHostConfig.getCaCertificateFile() != null || 
sslHostConfig.getCaCertificatePath() != null) {
                 // Client certificate verification based on trusted CA files 
and dirs
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 7f34eb998a..ce7358fee5 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -210,6 +210,10 @@
         Align the FFM handling of OCSP <code>TRY_LATER</code> responses with
         Tomcat Native. (remm)
       </fix>
+      <fix>
+        Free CA certificate after calling <code>SSL_CTX_add_client_CA</code>
+        in the FFM code. Based on code from PR 44 from tomcat-native. (remm)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to