Follow-up to PR #912

Author: markt-asf

java/org/apache/tomcat/util/net/openssl/OpenSSLCertificateVerifier.java

@@ -28,7 +28,7 @@
 public class OpenSSLCertificateVerifier implements CertificateVerifier {
 
     private static final Log log = LogFactory.getLog(OpenSSLCertificateVerifier.class);
-    private static final StringManager sm = StringManager.getManager(OpenSSLContext.class);
+    private static final StringManager sm = StringManager.getManager(OpenSSLCertificateVerifier.class);
 
     private final X509TrustManager x509TrustManager;
 
@@ -43,7 +43,9 @@ public boolean verify(long ssl, byte[][] chain, String auth) {
             x509TrustManager.checkClientTrusted(peerCerts, auth);
             return true;
         } catch (Exception e) {
-            log.debug(sm.getString("openssl.certificateVerificationFailed"), e);
+            if (log.isDebugEnabled()) {
+                log.debug(sm.getString("openssl.certificateVerificationFailed"), e);
+            }
         }
         return false;
     }

webapps/docs/changelog.xml

@@ -218,6 +218,10 @@
       <fix>
         Graceful failure for OCSP on BoringSSL in the FFM code. (remm)
       </fix>
+      <fix>
+        <bug>69866</bug>: Fix a memory leak when using a trust store with the
+        OpenSSL provider. Pull request <pr>912</pr> by aogburn. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">