Ensure DER decoded certificates are cleared up on error

diff --git a/src/lib/tls/verify.c b/src/lib/tls/verify.c
index d8948f6e1d90c681ee2a3ad68cd660507442ad35..a5dd8a1f5dcb78b09f127b963b424dc1e511f9d8 100644 (file)
--- a/src/lib/tls/verify.c
+++ b/src/lib/tls/verify.c
@@ -268,6 +268,9 @@ int fr_tls_verify_cert_cb(int ok, X509_STORE_CTX *x509_ctx)
                if (fr_tls_session_pairs_from_x509_cert(&container->vp_group, container,
                                                        request, cert, conf->verify.der_decode) < 0) {
                        fr_pair_delete_by_da(&request->session_state_pairs, attr_tls_certificate);
+                       if (conf->verify.der_decode) {
+                               fr_pair_delete_by_da(&request->session_state_pairs, attr_der_certificate);
+                       }
                        my_ok = 0;
                        goto done;
                }