2 files changed, 24 insertions, 0 deletions

diff --git a/src/core/capsicum.c b/src/core/capsicum.c
index 79db780a..3b0708cb 100644
--- a/src/core/capsicum.c
+++ b/src/core/capsicum.c
@@ -403,6 +403,13 @@ static void cmd_capsicum_enter(void)
 		return;
 	}
 
+	/*
+	 * XXX: We should use pdwait(2) to wait for children.  Unfortunately
+	 *      it's not implemented yet.  Thus the workaround, to get rid
+	 *      of the zombies at least.
+	 */
+	signal(SIGCHLD, SIG_IGN);
+
 	error = cap_enter();
 	if (error != 0) {
 		signal_emit("capability mode failed", 1, strerror(errno));
diff --git a/src/core/network-openssl.c b/src/core/network-openssl.c
index 2054f28a..7ec902fb 100644
--- a/src/core/network-openssl.c
+++ b/src/core/network-openssl.c
@@ -45,6 +45,19 @@
 #define ASN1_STRING_data(x)       ASN1_STRING_get0_data(x)
 #endif
 
+/* OpenSSL 1.1.0 also introduced some useful additions to the api */
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined (LIBRESSL_VERSION_NUMBER)
+static int X509_STORE_up_ref(X509_STORE *vfy)
+{
+    int n;
+
+    n = CRYPTO_add(&vfy->references, 1, CRYPTO_LOCK_X509_STORE);
+    g_assert(n > 1);
+
+    return (n > 1) ? 1 : 0;
+}
+#endif
+
 /* ssl i/o channel object */
 typedef struct
 {
@@ -510,6 +523,10 @@ static GIOChannel *irssi_ssl_get_iochannel(GIOChannel *handle, int port, SERVER_
 		g_free(scapath);
 		verify = TRUE;
 	} else if (store != NULL) {
+		/* Make sure to increment the refcount every time the store is
+		 * used, that's essential not to get it free'd by OpenSSL when
+		 * the SSL_CTX is destroyed. */
+		X509_STORE_up_ref(store);
 		SSL_CTX_set_cert_store(ctx, store);
 	}