From 402cc31039f9612519468b76645edca9c063984b Mon Sep 17 00:00:00 2001
From: Fabian Mauchle <fabian.mauchle@switch.ch>
Date: Fri, 24 Mar 2017 11:05:18 +0100
Subject: [PATCH] create new cert_store before reloading CAs and CRLs

---
 ChangeLog   | 1 +
 tlscommon.c | 1 +
 2 files changed, 2 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 3195603..d4be0e1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -20,6 +20,7 @@ Changes between 1.6.8 and the master branch
 	- Don't use a smaller pthread stack size than what's allowed.
 	- Don't follow NULL the pointer at debug level 5 (RADSECPROXY-68).
 	- Avoid a deadlock situation with dynamic servers (RADSECPROXY-73).
+	- Completely reload CAs and CRLs with cacheExpiry (RADSECPROXY-50).
 
 2016-09-21 1.6.8
 	Bug fixes:
diff --git a/tlscommon.c b/tlscommon.c
index f71cc11..842b955 100644
--- a/tlscommon.c
+++ b/tlscommon.c
@@ -153,6 +153,7 @@ static int tlsaddcacrl(SSL_CTX *ctx, struct tls *conf) {
     X509_STORE *x509_s;
     unsigned long error;
 
+    SSL_CTX_set_cert_store(ctx, X509_STORE_new());
     if (!SSL_CTX_load_verify_locations(ctx, conf->cacertfile, conf->cacertpath)) {
 	while ((error = ERR_get_error()))
 	    debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));