[XrdHttp] The server certificate is renewed by the Refresh thread of …

…the XrdTlsContext object

src/XrdTls/XrdTlsContext.cc

@@ -864,12 +864,24 @@ void *XrdTlsContext::Session()
 // magic. For OpenSSL < 1.1, Two stores need to be set with the "set1" variant.
 // Newer version only require SSL_CTX_set1_cert_store() to be used.
 //
-   X509_STORE *newX509 = SSL_CTX_get_cert_store(pImpl->ctx);
+   //We have a new context generated by Refresh, so we must use it.
+   XrdTlsContext * ctxnew = pImpl->ctxnew;
 
 #if OPENSSL_VERSION_NUMBER < 0x10101000L
+   /*X509_STORE *newX509 = SSL_CTX_get_cert_store(ctxnew->pImpl->ctx);
    SSL_CTX_set1_verify_cert_store(pImpl->ctx, newX509);
-   SSL_CTX_set1_chain_cert_store(pImpl->ctx, newX509);
+   SSL_CTX_set1_chain_cert_store(pImpl->ctx, newX509);*/
+   //The above two macros actually do not replace the certificate that has
+   //to be used for that SSL session, so we will generate the session with the SSL_CTX * of
+   //the TlsContext created by Refresh()
+   pImpl->ctx = ctxnew->pImpl->ctx;
+   //In the destructor of XrdTlsContextImpl, SSL_CTX_Free() is
+   //called if ctx is != 0. As this new ctx is used by the session
+   //we just created, we don't want that to happen. We therefore set it to 0.
+   //The SSL_free called on the session will cleanup the context for us.
+   ctxnew->pImpl->ctx = 0;
 #else
+   X509_STORE *newX509 = SSL_CTX_get_cert_store(ctxnew->pImpl->ctx);
    SSL_CTX_set1_cert_store(pImpl->ctx, newX509);
 #endif