diff --git a/lib/tls/mbedtls/mbedtls-server.c b/lib/tls/mbedtls/mbedtls-server.c
index d369ea4b3..331561aa8 100644
--- a/lib/tls/mbedtls/mbedtls-server.c
+++ b/lib/tls/mbedtls/mbedtls-server.c
@@ -92,6 +92,13 @@ lws_mbedtls_sni_cb(void *arg, mbedtls_ssl_context *mbedtls_ctx,
 lwsl_info("SNI: Found: %s:%d at vhost '%s'\n", servername, vh->listen_port, vhost->name);
+ if (!vhost->tls.ssl_ctx) {
+ lwsl_err("%s: vhost %s matches SNI but no valid cert\n",
+ __func__, vh->name);
+
+ return 1;
+ }
+
 /* select the ssl ctx from the selected vhost for this conn */
 SSL_set_SSL_CTX(ssl, vhost->tls.ssl_ctx);
diff --git a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
index 917c6bd07..dea689493 100755
--- a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
+++ b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
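Review bot: The lwsl_err in the new `!vhost->tls.ssl_ctx` branch prints `vh->name`, but the vhost that matched the SNI and has no context is `vhost` — the lwsl_info just above reports the match as `vhost->name` and uses `vh` only for the listen port — so the log will point an operator at the wrong vhost; change the arguments to `__func__, vhost->name`. Returning 1 here appears intended to refuse the handshake rather than let it proceed with the listening vhost's credentials for a name it does not serve, which is the safer outcome for a misconfigured vhost; a one-line comment, `/* refuse rather than serve the listen vhost's cert for this name */`, would make that intent explicit. lws_mbedtls_sni_cb begins before and continues after this hunk.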
@@ -890,18 +890,35 @@ void SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
 struct ssl_pm *ssl_pm = ssl->ssl_pm;
 #endif
 #if defined(LWS_HAVE_mbedtls_ssl_set_hs_own_cert)
- struct x509_pm *x509_pm = (struct x509_pm *)ctx->cert->x509->x509_pm;
+ struct x509_pm *x509_pm;
 #endif
 #if defined(LWS_HAVE_mbedtls_ssl_set_hs_ca_chain)
- struct x509_pm *x509_pm_ca = (struct x509_pm *)ctx->client_CA->x509_pm;
+ struct x509_pm *x509_pm_ca;
 #endif
 #if defined(LWS_HAVE_mbedtls_ssl_set_hs_own_cert)
- struct pkey_pm *pkey_pm = (struct pkey_pm *)ctx->cert->pkey->pkey_pm;
+ struct pkey_pm *pkey_pm;
 #endif
 #if defined(LWS_HAVE_mbedtls_ssl_set_hs_authmode)
 int mode;
 #endif
+#if defined(LWS_HAVE_mbedtls_ssl_set_hs_own_cert)
+ if (!ctx->cert || !ctx->cert->x509)
+ return;
+ x509_pm = (struct x509_pm *)ctx->cert->x509->x509_pm;
+#endif
+#if defined(LWS_HAVE_mbedtls_ssl_set_hs_ca_chain)
+ if (!ctx->client_CA)
+ return;
+ x509_pm_ca = (struct x509_pm *)ctx->client_CA->x509_pm;
+#endif
+#if defined(LWS_HAVE_mbedtls_ssl_set_hs_own_cert)
+ if (!ctx->cert || !ctx->cert->pkey)
+ return;
+ pkey_pm = (struct pkey_pm *)ctx->cert->pkey->pkey_pm;
+#endif
+
+
 if (ssl->cert) ssl_cert_free(ssl->cert);
 ssl->ctx = ctx;
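Review bot: Callers cannot tell that the new early returns skipped the context switch: SSL_set_SSL_CTX is void, so when ctx lacks cert, x509, pkey or client_CA the SNI callback in mbedtls-server.c presumably continues the handshake with whatever ssl->ctx already held, which is the very fallback its own `!vhost->tls.ssl_ctx` check was added to refuse. At minimum each early return deserves a comment such as `/* ctx has no usable cert/key: leave ssl->ctx untouched; caller cannot observe this */`, and ideally the function would report failure, though that changes the wrapper's signature beyond this hunk. Whether `ctx->client_CA` can legitimately be NULL for a server context is not visible here; if it can, that guard silently disables SNI switching for servers that do not verify client certificates. The two own-cert blocks also test `!ctx->cert` twice; one combined guard `if (!ctx->cert || !ctx->cert->x509 || !ctx->cert->pkey) return;` in the first block would read more clearly. The rest of SSL_set_SSL_CTX continues past the end of this hunk.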