From 04b9215a2ecf3a7bec33438920eb8cc1ae7eb28e Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Fri, 22 May 2026 11:36:59 +0200
Subject: [PATCH] BUG/MEDIUM: ssl-gencert: Unlock LRU cache if failing to generate certificate

In ssl_sock_generate_certificate(), if the LRU cache for generated certificates is used, the LRU tree is not unlocked on cache miss if the certificate generation failed. So let's unlock it on error path. The bug was introduced by the commit fbc98ebcd ("BUG/MEDIUM: ssl: fix error path on generate-certificates"). So this patch must be backported with the commit above, so to all stable versions.
---
 src/ssl_gencert.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/ssl_gencert.c b/src/ssl_gencert.c
index 5ee9b8bcd..459c0bafd 100644
--- a/src/ssl_gencert.c
+++ b/src/ssl_gencert.c
@@ -356,8 +356,10 @@ int ssl_sock_generate_certificate(const char *servername, struct bind_conf *bind
 ssl_ctx = (SSL_CTX *)lru->data;
 if (!ssl_ctx && lru) {
 ssl_ctx = ssl_sock_do_create_cert(servername, bind_conf, ssl);
- if (!ssl_ctx)
+ if (!ssl_ctx) {
+ HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
 goto error;
+ }
 lru64_commit(lru, ssl_ctx, cacert, 0, (void (*)(void *))SSL_CTX_free);
 }
 SSL_set_SSL_CTX(ssl, ssl_ctx);
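Review bot: The `lru == NULL` case still falls through to `SSL_set_SSL_CTX(ssl, ssl_ctx)` after the patched block. The `if (!ssl_ctx && lru)` guard implies `lru` can be NULL here, and if `ssl_ctx` is also still NULL at that point (its initialisation is outside the hunk), no certificate was generated yet the call proceeds as if one had been. Consider treating that as a failure with the same unlock-then-bail sequence, `if (!ssl_ctx) { HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock); goto error; }`, placed just before `SSL_set_SSL_CTX()`. Because the unlock is now repeated by hand on an error path, a short comment such as `/* ssl_ctx_lru_rwlock is write-locked here: every exit must release it */` would help keep a future `goto error` from leaking the lock again. The lock acquisition, the presumed success-path unlock and the `error` label are all outside the hunk, so this is inferred from the visible lines only.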