From 6e07cc19cc1bcca9617c2b63c05f368c70bde67c Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Thu, 12 Mar 2026 13:10:38 +0000
Subject: [PATCH] OpenSSL 4 compatibility fix

Starting from OpenSSL 4 the the X509_get_subject_name() function
returns a 'const' pointer to a name instead of a regular pointer.
Duplicate the name before operating on it, then free it.

(cherry picked from commit 336c523b7980895c8f43cbb758dd21d2176650f8)
---
 lib/isc/tls.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/isc/tls.c b/lib/isc/tls.c
index 237f1dd52d..a8be0ac3f2 100644
--- a/lib/isc/tls.c
+++ b/lib/isc/tls.c
@@ -462,7 +462,7 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
 
 		X509_set_pubkey(cert, pkey);
 
-		X509_NAME *name = X509_get_subject_name(cert);
+		X509_NAME *name = X509_NAME_dup(X509_get_subject_name(cert));
 
 		X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
 					   (const unsigned char *)"AQ", -1, -1,
@@ -477,6 +477,9 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
 					   -1, -1, 0);
 
 		X509_set_issuer_name(cert, name);
+
+		X509_NAME_free(name);
+
 		X509_sign(cert, pkey, EVP_sha256());
 		rv = SSL_CTX_use_certificate(ctx, cert);
 		if (rv != 1) {