Free certificate chain in case of error

rmaucher · rmaucher · commit e854af75a45d · 2026-03-12T13:56:34.000+01:00
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -1295,6 +1295,7 @@ public boolean addCertificate(SSLHostConfigCertificate certificate, Arena localA
                     }
                     if (SSL_CTX_add0_chain_cert(state.sslCtx, x509certChain) <= 0) {
                         logLastError("openssl.errorAddingCertificate");
+                        X509_free(x509certChain);
                         return false;
                     }
                 }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
@@ -312,6 +312,9 @@
         Free CA certificate after calling <code>SSL_CTX_add_client_CA</code>
         in the FFM code. Based on code from PR 44 from tomcat-native. (remm)
       </fix>
+      <fix>
+        Free certificate chain if an error occurs, in the FFM code. (remm)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">

Original file line number	Diff line number	Diff line change
`@@ -1295,6 +1295,7 @@ public boolean addCertificate(SSLHostConfigCertificate certificate, Arena localA`
`1295`	`1295`	`}`
`1296`	`1296`	`if (SSL_CTX_add0_chain_cert(state.sslCtx, x509certChain) <= 0) {`
`1297`	`1297`	`logLastError("openssl.errorAddingCertificate");`
	`1298`	`+ X509_free(x509certChain);`
`1298`	`1299`	`return false;`
`1299`	`1300`	`}`
`1300`	`1301`	`}`