Memory leak in Security framework with TLS1 mutual authentication
| Originator: | lindberg+openradar | | |
| Number: | rdar://12522719 | Date Originated: | 2012-10-17 |
| Status: | Open | Resolved: | |
| Product: | iPad SDK | Product Version: | 6.0 |
| Classification: | Performance | Reproducible: | Always |
It appears there is a memory leak in the Security framework (at least) when using TLS1 mutual authentication (or NSURLAuthenticationMethodServerTrust). Every connection, a CFArray gets leaked, usually containing a SecCertificateRef. The Leaks instrument reported the memory was originally allocated by SSLProcessCertificate(). It seems to be the peer certificate which gets leaked.

Judging by the opensource version at http://opensource.apple.com/source/Security/Security-55179.1/libsecurity_ssl/lib/sslCert.c, it seems to be the peerCert member of the SSLContext structure which gets leaked. The problem seems to be in the SSLInstallSessionFromData() function (http://opensource.apple.com/source/Security/Security-55179.1/libsecurity_ssl/lib/sslSession.c), which gets called later in the handshake process and replaces the peerCert array without first checking to see if there was an existing value, and releasing it if so.

The structure headers do not match up with iPad reality, but I could see a CFArrayRef member of the structure (which contained a SecCertificateRef) getting changed during SSLInstallSessionFromData(), and the retain count was still 1 following the handshake.

This is with iOS 6.0. I did see similar leaks with iOS 5.x as well, though the behavior seemed to be a little different.
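The replace-without-release pattern the report describes, modelled as an added C example that is not part of the original report and is not Apple's code. `CertArray`, `Ctx`, the static pool and all function names are hypothetical stand-ins for a retain-counted CFArray and the `peerCert` member of the SSL context.

```c
#include <stddef.h>

/* Stand-in for a retain-counted CFArray; a static pool avoids real heap use. */
#define POOL 256
typedef struct { int refcount; } CertArray;
static CertArray pool[POOL];
static size_t pool_used;
static int live_arrays;                 /* created and not yet fully released */

static CertArray *cert_array_create(void) {
    if (pool_used == POOL) return NULL;
    CertArray *a = &pool[pool_used++];
    a->refcount = 1;
    live_arrays++;
    return a;
}

static void cert_array_release(CertArray *a) {
    if (a && --a->refcount == 0) live_arrays--;
}

/* Hypothetical context: only the member named in the report is modelled. */
typedef struct { CertArray *peerCert; } Ctx;

/* Pattern described in the report: the old array is overwritten, never released. */
static void install_session_leaky(Ctx *ctx) {
    ctx->peerCert = cert_array_create();
}

/* Release-before-replace: drop the existing reference, then store the new one. */
static void install_session_fixed(Ctx *ctx) {
    CertArray *fresh = cert_array_create();
    cert_array_release(ctx->peerCert);
    ctx->peerCert = fresh;
}

/* Runs n handshakes and returns how many arrays are still retained afterwards. */
static int leaked_after(int n, void (*install)(Ctx *)) {
    pool_used = 0; live_arrays = 0;
    if (n > POOL / 2) n = POOL / 2;         /* two arrays per connection */
    for (int i = 0; i < n; i++) {
        Ctx ctx = { cert_array_create() };  /* certificate processing step */
        install(&ctx);                      /* session install, later in handshake */
        cert_array_release(ctx.peerCert);   /* context teardown */
    }
    return live_arrays;
}

int main(void) {   /* exit status 0 when the leaky path leaks one array per connection */
    return leaked_after(100, install_session_leaky) == 100
        && leaked_after(100, install_session_fixed) == 0 ? 0 : 1;
}
```

In the leaky variant the orphaned array keeps a retain count of 1 after teardown, which matches the observation in the report.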