an attempt at plugging some holes reported by leak(1). for me this does not break anything, and my 802.1x ttls-pap thingy now runs without leaks, as far as leak(1) tells me. there may be more leaks -- I did not exercise the code of x509.c:/^verify_signature beyond the "expected 1" message.

Axel.