3 files changed, 5 insertions, 3 deletions

diff --git a/src/bun.js/webcore/response.zig b/src/bun.js/webcore/response.zig
index 364a593c1..70a44fd60 100644
--- a/src/bun.js/webcore/response.zig
+++ b/src/bun.js/webcore/response.zig
@@ -1020,6 +1020,7 @@ pub const Fetch = struct {
 
         pub fn checkServerIdentity(this: *FetchTasklet, certificate_info: HTTPClient.CertificateInfo) bool {
             if (this.check_server_identity.get()) |check_server_identity| {
+                check_server_identity.ensureStillAlive();
                 if (certificate_info.cert.len > 0) {
                     var cert = certificate_info.cert;
                     var cert_ptr = cert.ptr;
@@ -1029,6 +1030,8 @@ pub const Fetch = struct {
                         const js_cert = X509.toJS(x509, globalObject);
                         var hostname: bun.String = bun.String.create(certificate_info.hostname);
                         const js_hostname = hostname.toJS(globalObject);
+                        js_hostname.ensureStillAlive();
+                        js_cert.ensureStillAlive();
                         const check_result = check_server_identity.callWithThis(globalObject, JSC.JSValue.jsUndefined(), &[_]JSC.JSValue{ js_hostname, js_cert });
                         // if check failed abort the request
                         if (check_result.isAnyError()) {
diff --git a/src/deps/c_ares.zig b/src/deps/c_ares.zig
index 5098f4e19..457fcef0e 100644
--- a/src/deps/c_ares.zig
+++ b/src/deps/c_ares.zig
@@ -1439,7 +1439,6 @@ pub export fn Bun__canonicalizeIP(
 
     if (bun.String.tryFromJS(addr_arg, globalThis)) |addr| {
         const addr_slice = addr.toSlice(bun.default_allocator);
-        defer addr_slice.deinit();
         const addr_str = addr_slice.slice();
         if (addr_str.len >= INET6_ADDRSTRLEN) {
             return JSC.JSValue.jsUndefined();
diff --git a/src/http_client_async.zig b/src/http_client_async.zig
index 74457da14..f06474219 100644
--- a/src/http_client_async.zig
+++ b/src/http_client_async.zig
@@ -937,7 +937,7 @@ pub fn onCertError(
                         if (BoringSSL.X509_get_ext(x509, index)) |ext| {
                             const method = BoringSSL.X509V3_EXT_get(ext);
                             if (method != BoringSSL.X509V3_EXT_get_nid(BoringSSL.NID_subject_alt_name)) {
-                                client.fail(error.ERR_TLS_CERT_ALTNAME_INVALID);
+                                client.closeAndFail(error.ERR_TLS_CERT_ALTNAME_INVALID, is_ssl, socket);
                                 return false;
                             }
                             var hostname = client.hostname orelse client.url.hostname;
@@ -994,7 +994,7 @@ pub fn onCertError(
             }
         }
         // SSL error so we fail the connection
-        client.fail(error.ERR_TLS_CERT_ALTNAME_INVALID);
+        client.closeAndFail(error.ERR_TLS_CERT_ALTNAME_INVALID, is_ssl, socket);
         return false;
     }
     // we allow the connection to continue anyway