This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.1.x by this push:
     new 68b33ca91f Free server certificate (x509cert) after SSL_CTX_use_certificate in OpenSSLContext
68b33ca91f is described below

commit 68b33ca91fd3327c7ee391493afcfb1de12d4c55
Author: copilot-swe-agent[bot] <[email protected]>
AuthorDate: Thu Apr 2 14:16:33 2026 +0000

    Free server certificate (x509cert) after SSL_CTX_use_certificate in OpenSSLContext
    
    SSL_CTX_use_certificate makes an internal copy, so the caller should free
    the original. This is the same class of bug fixed by commit 8ef5efce for
    client CA certificates after SSL_CTX_add_client_CA.
    
    X509_free is added on:
    - early return when private key parsing fails (x509cert already allocated)
    - error path when SSL_CTX_use_certificate fails
    - success path after SSL_CTX_use_certificate (copy already made internally)
    
    Co-authored-by: markt-asf <[email protected]>
---
 java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java 
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index 28818a7ba9..934d1e5f74 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -1248,12 +1248,15 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
                         PEM_read_bio_PrivateKey(keyBIO, MemorySegment.NULL, 
MemorySegment.NULL, MemorySegment.NULL);
                 if (MemorySegment.NULL.equals(privateKeyAddress)) {
                     logLastError("openssl.errorLoadingPrivateKey");
+                    X509_free(x509cert);
                     return false;
                 }
                 if (SSL_CTX_use_certificate(state.sslCtx, x509cert) <= 0) {
                     logLastError("openssl.errorLoadingCertificate");
+                    X509_free(x509cert);
                     return false;
                 }
+                X509_free(x509cert);
                 if (SSL_CTX_use_PrivateKey(state.sslCtx, privateKeyAddress) <= 
0) {
                     logLastError("openssl.errorLoadingPrivateKey");
                     return false;
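Review bot: the same leak pattern this hunk fixes for `x509cert` still applies to the private key: `privateKeyAddress`, returned by `PEM_read_bio_PrivateKey` at the top of the hunk, is not released on the `SSL_CTX_use_certificate` failure path (the `return false;` after `logLastError("openssl.errorLoadingCertificate")`) nor on the `SSL_CTX_use_PrivateKey` failure path at the bottom, and `SSL_CTX_use_PrivateKey`, like `SSL_CTX_use_certificate`, takes its own reference to the object it is given. Unless the key is freed later in the method outside this hunk, add `EVP_PKEY_free(privateKeyAddress);` before those two returns and after a successful `SSL_CTX_use_PrivateKey`. As a style point, since `x509cert` is no longer needed once `SSL_CTX_use_certificate` has returned, the three separate `X509_free(x509cert);` calls could be collapsed into one `finally` block around the key-parsing and certificate-loading section, which also protects any early return added later.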

