From 2ca55723ced8e77a45201d877e3186571ae27d8f Mon Sep 17 00:00:00 2001 From: Olivier Houchard Date: Wed, 15 Jul 2026 18:01:46 +0200 Subject: [PATCH] BUG/MEDIUM: ssl-gencert: Don't forget to free memory when done In ssl_sock_do_create_cert(), don't forget to free ctmp and tmp_ssl once we're done creating the certificate, otherwise we will get a memory leak each time we have to create a new certificate, which will happen each time a new SNI is used. This should be backported as far as 2.6 (though on older releases, ssl_gencert.c doesn't exist, and that function is found in ssl_sock.c). This patch was submitted by Red Hat and AISLE Research --- src/ssl_gencert.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/ssl_gencert.c b/src/ssl_gencert.c index c201e0c7b..7dafaa053 100644 --- a/src/ssl_gencert.c +++ b/src/ssl_gencert.c @@ -299,6 +299,8 @@ static SSL_CTX *ssl_sock_do_create_cert(const char *servername, struct bind_conf #endif /* defined(SSL_CTX_set_tmp_ecdh) && !defined(OPENSSL_NO_ECDH) */ #endif /* HA_OPENSSL_VERSION_NUMBER >= 0x10101000L */ end: + if (ctmp) NCONF_free(ctmp); + if (tmp_ssl) SSL_free(tmp_ssl); return ssl_ctx; mkcert_error: -- 2.47.3