From: Theo Buehler Subject: Re: relayd: free original cert after X509_dup in ssl_update_certificate To: Marc Jorge Cc: tech@openbsd.org Date: Thu, 21 May 2026 00:08:07 +0200 On Wed, May 20, 2026 at 11:01:23PM +0200, Marc Jorge wrote: > Hello, > > In ssl_update_certificate, X509_dup was called on the same cert variable, > causing a leak of the initial certificate. While this seems correct, I wonder: should this X509_dup() not simply be deleted? This looks like a leftover from older code prior to the libtls rewrite. The cert is freshly deserialized from the PEM held in oldcert, so round tripping it through DER (which is what the X509_dup() does) doesn't really change anything. Error checking X509_set_pubkey and X509_set_issuer name wouldn't hurt either.