From 702a485fceffb43814f7247b8556fa67ffb0e775 Mon Sep 17 00:00:00 2001
From: Alain Spineux
Date: Mon, 23 Nov 2020 13:21:40 +0100
Subject: [PATCH] Tweak openssl initialisation order - We must test the result of SSL_CTX_new() ( and exit if there is an error) BEFORE to do the SSL_CTX_set_options
---
 bacula/src/lib/tls.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/bacula/src/lib/tls.c b/bacula/src/lib/tls.c
index f412ee68a..a112c1542 100644
--- a/bacula/src/lib/tls.c
+++ b/bacula/src/lib/tls.c
@@ -270,6 +270,11 @@ TLS_CONTEXT *new_tls_context(const char *ca_certfile, const char *ca_certdir,
 #endif
+ if (!ctx->openssl) {
+ openssl_post_errors(M_FATAL, _("Error initializing SSL context"));
+ goto err;
+ }
+
 /* Use SSL_OP_ALL to turn on all "rather harmless" workarounds that
 * OpenSSL offers
 */
@@ -278,11 +283,6 @@ TLS_CONTEXT *new_tls_context(const char *ca_certfile, const char *ca_certdir,
 /* Now disable old broken SSLv3 and SSLv2 protocols */
 SSL_CTX_set_options(ctx->openssl, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
- if (!ctx->openssl) {
- openssl_post_errors(M_FATAL, _("Error initializing SSL context"));
- goto err;
- }
-
 /* Set up pem encryption callback */
 if (pem_callback) {
 ctx->pem_callback = pem_callback;
--
2.47.3
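Review bot: The relocated `if (!ctx->openssl)` check in the first hunk has no comment saying why it must come before the `SSL_CTX_set_options()` calls, so a later reordering could again pass a NULL context to OpenSSL; I would add above it `/* SSL_CTX_new() may return NULL: check before any SSL_CTX_* call uses ctx->openssl */`. The `err:` label and the rest of new_tls_context() lie outside the hunk, so it is worth confirming that the cleanup path tolerates a NULL `ctx->openssl`. Separately, the unchanged option lines in the second hunk only rule out SSLv2 and SSLv3; unless a minimum protocol version is set elsewhere in the file, TLS 1.0 and 1.1 presumably remain negotiable.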