simonmichal commented on this pull request. > @@ -1045,6 +1045,7 @@ int XrdCryptosslX509SignProxyReq(XrdCryptoX509 *xcpi, XrdCryptoRSA *kcpi, // Notify what we added int crit = X509_EXTENSION_get_critical(xpiextdup); DEBUG("added extension '"<<s<<"', critical: " << crit); + X509_EXTENSION_free( xpiextdup ); My reasoning here was following: - X509_add_ext() is just a wrapper around X509v3_add_ext() (https://www.openssl.org/docs/man1.1.0/crypto/X509_add_ext.html) - from X509v3_add_ext() man: > X509v3_add_ext() adds extension ex to stack *x at position loc. If loc is -1 the new extension is added to the end. If *x is NULL a new stack will be allocated. The passed extension ex is duplicated internally so it must be freed after use. (https://www.openssl.org/docs/man1.1.0/crypto/X509v3_add_ext.html) - I also checked the source code of X509v3_add_ext() and indeed it does duplicate the extension Question: maybe in this case it does not make sense to duplicate the object with X509_EXTENSION_dup on our side? (line 1040) -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/xrootd/xrootd/pull/862#discussion_r234915828 ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-DEV list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1