commit 35a63cc1c78411c65d83b995d1fbd3d73d6bf020
author Olivier Houchard <ohouchard@haproxy.com> Thu Nov 02 19:04:38 2017 +0100
committer Willy Tarreau <w@1wt.eu> Wed Nov 08 14:08:07 2017 +0100
tree 1586e0c9d92515c03aeaa7bd5577b124eace2e20
parent 9e45b33f7ee78953d3ec6ad32d4d9eed3bfc897a

BUG/MINOR; ssl: Don't assume we have a ssl_bind_conf because a SNI is matched.

We only have a ssl_bind_conf if crt-list is used, however we can still
match a certificate SNI, so don't assume we have a ssl_bind_conf.

src/ssl_sock.c

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 597a479..628f4ca 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2267,11 +2267,13 @@
 		/* switch ctx */
 		struct ssl_bind_conf *conf = container_of(node, struct sni_ctx, name)->conf;
 		ssl_sock_switchctx_set(ssl, container_of(node, struct sni_ctx, name)->ctx);
-		methodVersions[conf->ssl_methods.min].ssl_set_version(ssl, SET_MIN);
-		methodVersions[conf->ssl_methods.max].ssl_set_version(ssl, SET_MAX);
-		if (conf->early_data)
-			allow_early = 1;
-		goto allow_early;
+			if (conf) {
+				methodVersions[conf->ssl_methods.min].ssl_set_version(ssl, SET_MIN);
+				methodVersions[conf->ssl_methods.max].ssl_set_version(ssl, SET_MAX);
+				if (conf->early_data)
+					allow_early = 1;
+			}
+			goto allow_early;
 	}
 #if (!defined SSL_NO_GENERATE_CERTIFICATES)
 	if (s->generate_certs && ssl_sock_generate_certificate(trash.str, s, ssl)) {