Fix unauthenticated TLS connections

refs #7244

lib/base/tlsstream.cpp

@@ -36,7 +36,7 @@ bool I2_EXPORT TlsStream::m_SSLIndexInitialized = false;
  * @param sslContext The SSL context for the client.
  */
 TlsStream::TlsStream(const Socket::Ptr& socket, ConnectionRole role, const shared_ptr<SSL_CTX>& sslContext)
-	: m_Eof(false), m_Socket(socket), m_Role(role), m_VerifyOK(false)
+	: m_Eof(false), m_Socket(socket), m_Role(role), m_VerifyOK(true)
 {
 	std::ostringstream msgbuf;
 	char errbuf[120];
@@ -75,7 +75,8 @@ int TlsStream::ValidateCertificate(int preverify_ok, X509_STORE_CTX *ctx)
 {
 	SSL *ssl = static_cast<SSL *>(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
 	TlsStream *stream = static_cast<TlsStream *>(SSL_get_ex_data(ssl, m_SSLIndex));
-	stream->m_VerifyOK = preverify_ok;
+	if (!preverify_ok)
+		stream->m_VerifyOK = false;
 	return 1;
 }
 

lib/cli/pkisigncsrcommand.cpp

@@ -119,16 +119,21 @@ int PKISignCSRCommand::Run(const boost::program_options::variables_map& vm, cons
 
 	X509 *cert = CreateCert(pubkey, X509_REQ_get_subject_name(req), X509_get_subject_name(cacert), privkey, false);
 
+	EVP_PKEY_free(pubkey);
 	X509_free(cacert);
 
 	BIO *certbio = BIO_new_fp(stdout, BIO_NOCLOSE);
 
 	if (!PEM_write_bio_X509(certbio, cert)) {
+		BIO_free(certbio);
+
 		msgbuf << "Could not write X509 certificate: " << ERR_peek_error() << ", \"" << ERR_error_string(ERR_peek_error(), errbuf) << "\"";
 		Log(LogCritical, "SSL", msgbuf.str());
 		return 1;
 	}
 
+	X509_free(cert);
+
 	BIO_free(certbio);
 
 	return 0;