From: Christopher Faulet Date: Fri, 22 May 2026 09:36:59 +0000 (+0200) Subject: BUG/MEDIUM: ssl-gencert: Unlock LRU cache if failing to generate certificate X-Git-Tag: v3.4-dev14~66 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=04b9215a2ecf3a7bec33438920eb8cc1ae7eb28e;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: ssl-gencert: Unlock LRU cache if failing to generate certificate In ssl_sock_generate_certificate(), if the LRU cache for generated certificates is used, the LRU tree is not unlocked on cache miss if the certificate generation failed. So let's unlock it on error path. The bug was introduced by the commit fbc98ebcd ("BUG/MEDIUM: ssl: fix error path on generate-certificates"). So this patch must be backported with the commit above, so to all stable versions. --- diff --git a/src/ssl_gencert.c b/src/ssl_gencert.c index 5ee9b8bcd..459c0bafd 100644 --- a/src/ssl_gencert.c +++ b/src/ssl_gencert.c @@ -356,8 +356,10 @@ int ssl_sock_generate_certificate(const char *servername, struct bind_conf *bind ssl_ctx = (SSL_CTX *)lru->data; if (!ssl_ctx && lru) { ssl_ctx = ssl_sock_do_create_cert(servername, bind_conf, ssl); - if (!ssl_ctx) + if (!ssl_ctx) { + HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock); goto error; + } lru64_commit(lru, ssl_ctx, cacert, 0, (void (*)(void *))SSL_CTX_free); } SSL_set_SSL_CTX(ssl, ssl_ctx);
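Review bot: the added `HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);` on the `if (!ssl_ctx)` branch fixes the leaked write lock, but it creates a second release site for the same lock inside one function, and the `error:` label is outside the hunk, so please confirm that nothing at `error` also releases `ssl_ctx_lru_rwlock` (a double unlock would be no better than the leak). A dedicated cleanup label that unlocks and then falls through to `error` would keep the lock discipline in one place and make the next `goto error` added under the lock safe by construction. Two things the hunk shows but does not settle: on the miss path `lru` was already obtained and `lru64_commit()` is now skipped when generation fails, so it should be stated whether leaving that node uncommitted is acceptable to the LRU code or whether the entry has to be dropped as well; and `lru->data` is dereferenced on the line before the `&& lru` test, so that null check is either redundant or too late. For the backport note, the impact is worth spelling out: with the write lock never released, every later handshake reaching this path blocks on it, so one failed `ssl_sock_do_create_cert()` stalls all generate-certificates lookups, which is what justifies BUG/MEDIUM.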