BUG/MINOR: ssl: Fix memory leak of find_chain in ssl_sock_load_cert_chain
The certificate chain that gets passed in the SSL_CTX through
SSL_CTX_set1_chain has its reference counter increased by OpenSSL
itself. But since the ssl_sock_load_cert_chain function might create a
brand new certificate chain if none exists in the ckch_data
(sk_X509_new_null), then we ended up returning a new certificate chain
to the caller that was never destroyed.
This patch can be backported to all stable branches but it might need to
be reworked for branches older than 2.4 because of commit ec805a32b9
that refactorized the modified code.
(cherry picked from commit 4cf0d3f1e8e2ffc6901dc36644efa31b67d172f1)
[wla: struct member data was called ckch before]
Signed-off-by: William Lallemand <wlallemand@haproxy.org>
(cherry picked from commit 3fc061bf30b45bbcab66b8bd8b38ce7578bc9ae6)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit efde502b97cf2f99495525ecde138928c973c139)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 796435f97d38899b6bdc0440ae18df413c2bd085)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
1 file changed