Use existing session context if new is actually NULL (#2946)

torben-hansen · web-flow · commit 7487ad1dcd83 · 2026-01-20T15:17:07.000-05:00
SSL_set_SSL_CTX() doesn't currently tolerate the ctx argument being NULL (it would just crash in some cases). I was pondering handling this by just explicitly error out if it was NULL. But I realised upstream OpenSSL has a different behaviour: falls back to existing session context from ssl.

This is unnecessary complexity, but in the name of interoperability I did that instead of flipping to an error state.
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
@@ -2856,7 +2856,8 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) {
   if (!ssl->config) {
     return NULL;
   }
-  if (ssl->ctx.get() == ctx) {
+
+  if (!ctx || ssl->ctx.get() == ctx) {
     return ssl->ctx.get();
   }
 

Original file line number	Diff line number	Diff line change
`@@ -2856,7 +2856,8 @@ SSL_CTX SSL_set_SSL_CTX(SSL ssl, SSL_CTX *ctx) {`
`2856`	`2856`	`if (!ssl->config) {`
`2857`	`2857`	`return NULL;`
`2858`	`2858`	`}`
`2859`		`- if (ssl->ctx.get() == ctx) {`
	`2859`	`+`
	`2860`	`+ if (!ctx \|\| ssl->ctx.get() == ctx) {`
`2860`	`2861`	`return ssl->ctx.get();`
`2861`	`2862`	`}`
`2862`	`2863`