squid-cache · MegaManSec · Sep 9, 2025 · Sep 10, 2025 · rousskov · Sep 11, 2025
diff --git a/src/ssl/PeekingPeerConnector.cc b/src/ssl/PeekingPeerConnector.cc
@@ -209,8 +209,14 @@ Ssl::PeekingPeerConnector::initialize(Security::SessionPointer &serverSession)
             serverBump->attachServerSession(serverSession);
             // store peeked cert to check SQUID_X509_V_ERR_CERT_CHANGE
             if (X509 *peeked_cert = serverBump->serverCert.get()) {
-                X509_up_ref(peeked_cert);
-                SSL_set_ex_data(serverSession.get(), ssl_ex_index_ssl_peeked_cert, peeked_cert);
+                if (!X509_up_ref(peeked_cert)) {
+                    debugs(83, DBG_IMPORTANT, "WARNING: X509_up_ref(peeked_cert) failed on server certificate");
+                } else if (!SSL_set_ex_data(serverSession.get(),
+                                            ssl_ex_index_ssl_peeked_cert,
+                                            peeked_cert)) {
+                    debugs(83, DBG_IMPORTANT, "WARNING: SSL_set_ex_data(ssl_ex_index_ssl_peeked_cert) failed; dropping extra X509 ref");
-                    debugs(83, DBG_IMPORTANT, "WARNING: SSL_set_ex_data(ssl_ex_index_ssl_peeked_cert) failed; dropping extra X509 ref");
+                    debugs(83, 3, "SSL_set_ex_data(ssl_ex_index_ssl_peeked_cert) failed" << Ssl::ReportAndForgetErrors);
+                    const auto err = ErrorState::NewForwarding(ERR_SECURE_CONNECT_FAIL, request, al);
+                    static const auto d = MakeNamedErrorDetail("TLS_SET_EX_PEEKED_CERT");
+                    err->detailError(d);
+                    noteNegotiationDone(err);
+                    bail(err);
+                    return false;
-                    debugs(83, DBG_IMPORTANT, "WARNING: SSL_set_ex_data(ssl_ex_index_ssl_peeked_cert) failed; dropping extra X509 ref");
+                    debugs(83, 3, "SSL_set_ex_data(ssl_ex_index_ssl_peeked_cert) failed" << Ssl::ReportAndForgetErrors);
+                    const auto err = ErrorState::NewForwarding(ERR_SECURE_CONNECT_FAIL, request, al);
+                    static const auto d = MakeNamedErrorDetail("TLS_SET_EX_PEEKED_CERT");
+                    err->detailError(d);
+                    noteNegotiationDone(err);
+                    bail(err);
+                    return false;
+                    X509_free(peeked_cert);
+                }
             }
         }
     }