relayd: free original cert after X509_dup in ssl_update_certificate
On Wed, May 20, 2026 at 11:01:23PM +0200, Marc Jorge wrote:
> Hello,
>
> In ssl_update_certificate, X509_dup was called on the same cert variable,
> causing a leak of the initial certificate.

While this seems correct, I wonder: should this X509_dup() not simply be deleted? This looks like a leftover from older code prior to the libtls rewrite. The cert is freshly deserialized from the PEM held in oldcert, so round tripping it through DER (which is what the X509_dup() does) doesn't really change anything.

Error checking X509_set_pubkey and X509_set_issuer_name wouldn't hurt either.