This will be useful if we want to be able to call it at runtime through the CLI. It is not strictly mandatory, but it is a good protection for future use.
Signed-off-by: William Dauchy <w.dau...@criteo.com>
---
 src/ssl_sock.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index aa9061a6b..0ef7a912b 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4408,6 +4408,10 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
 	if (srv->use_ssl == 1)
 		srv->xprt = &ssl_sock;
 
+	/* avoid to leak another ctx if ctx is already allocated */
+	if (srv->ssl_ctx.ctx)
+		return cfgerr;
+
 	ctx = SSL_CTX_new(SSLv23_client_method());
 	if (!ctx) {
 		ha_alert("config : %s '%s', server '%s': unable to allocate ssl context.\n",
@@ -4714,15 +4718,21 @@ int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf)
 void ssl_sock_free_srv_ctx(struct server *srv)
 {
 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
-	if (srv->ssl_ctx.alpn_str)
+	if (srv->ssl_ctx.alpn_str) {
 		free(srv->ssl_ctx.alpn_str);
+		srv->ssl_ctx.alpn_str = NULL;
+	}
 #endif
 #ifdef OPENSSL_NPN_NEGOTIATED
-	if (srv->ssl_ctx.npn_str)
+	if (srv->ssl_ctx.npn_str) {
 		free(srv->ssl_ctx.npn_str);
+		srv->ssl_ctx.npn_str = NULL;
+	}
 #endif
-	if (srv->ssl_ctx.ctx)
+	if (srv->ssl_ctx.ctx) {
 		SSL_CTX_free(srv->ssl_ctx.ctx);
+		srv->ssl_ctx.ctx = NULL;
+	}
 }
 
 /* Walks down the two trees in bind_conf and frees all the certs. The pointer may
-- 
2.28.0
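Review bot: The early return added before `SSL_CTX_new()` in ssl_sock_prepare_srv_ctx keeps whatever `srv->ssl_ctx.ctx` already holds without knowing whether the call that created it finished configuring it; if an earlier attempt failed after allocation and its error path left the pointer set (that path is not visible in this hunk), a repeated call would now return `cfgerr` (presumably still 0 at this point) and the server would silently keep a partially configured context. It would be worth confirming that every failure path in this function frees and clears `srv->ssl_ctx.ctx`, or stating the assumption in the comment, e.g. `/* ctx already prepared by a previous call: do not allocate a second one (assumes a failed attempt freed and cleared it) */`. The function's body starts and ends outside the hunk.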
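Review bot: In ssl_sock_free_srv_ctx the three `if (...)` guards the hunk keeps are now redundant: `free(NULL)` is a no-op by the C standard and OpenSSL documents `SSL_CTX_free(NULL)` as doing nothing, so each block can shrink to `free(srv->ssl_ctx.alpn_str); srv->ssl_ctx.alpn_str = NULL;` (likewise for npn_str and ctx). Keep the ctx guard if a supported non-OpenSSL library is not documented to accept NULL there. Clearing the pointers is the right complement to the new early return in ssl_sock_prepare_srv_ctx, since it lets a free/prepare cycle be repeated safely.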