From: Nick Porter <nick@portercomputing.co.uk>
Date: Fri, 23 Jan 2026 09:12:03 +0000 (+0000)
Subject: Ensure DER decoded certificates are cleared up on error
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fa4825f77751fd6d1b369b540b7822f5d6c897f3;p=thirdparty%2Ffreeradius-server.git

Ensure DER decoded certificates are cleared up on error
---

diff --git a/src/lib/tls/verify.c b/src/lib/tls/verify.c
index d8948f6e1d9..a5dd8a1f5dc 100644
--- a/src/lib/tls/verify.c
+++ b/src/lib/tls/verify.c
@@ -268,6 +268,9 @@ int fr_tls_verify_cert_cb(int ok, X509_STORE_CTX *x509_ctx)
 		if (fr_tls_session_pairs_from_x509_cert(&container->vp_group, container,
 							request, cert, conf->verify.der_decode) < 0) {
 			fr_pair_delete_by_da(&request->session_state_pairs, attr_tls_certificate);
+			if (conf->verify.der_decode) {
+				fr_pair_delete_by_da(&request->session_state_pairs, attr_der_certificate);
+			}
 			my_ok = 0;
 			goto done;
 		}