- Fix setup of ssl context copy, to check for the tls service
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Fri, 17 Apr 2026 07:34:06 +0000 (09:34 +0200)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Fri, 17 Apr 2026 07:34:06 +0000 (09:34 +0200)
  pem option for stat calls.

daemon/daemon.c
doc/Changelog

index 286e6a9c245a7638b1268f6d4487897fd3395559..8678aa1246adb8750ef6c829ec77a1dbfd0eee0e 100644 (file)
@@ -336,11 +336,16 @@ daemon_setup_sslctxs(struct daemon* daemon, struct config_file* cfg)
                        &daemon->mtime_ns_ssl_service_key, NULL))
                        log_err("Could not stat(%s): %s",
                                key, strerror(errno));
-               if(!file_get_mtime(pem,
-                       &daemon->mtime_ssl_service_pem,
-                       &daemon->mtime_ns_ssl_service_pem, NULL))
-                       log_err("Could not stat(%s): %s",
-                               pem, strerror(errno));
+               if(pem) {
+                       if(!file_get_mtime(pem,
+                               &daemon->mtime_ssl_service_pem,
+                               &daemon->mtime_ns_ssl_service_pem, NULL))
+                               log_err("Could not stat(%s): %s",
+                                       pem, strerror(errno));
+               } else {
+                       daemon->mtime_ssl_service_pem = 0;
+                       daemon->mtime_ns_ssl_service_pem = 0;
+               }
        }
        daemon->connect_dot_sslctx = daemon_setup_connect_dot_sslctx(
                daemon, cfg);
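Review bot: The failure branch of `file_get_mtime(pem, ...)` only logs, so `daemon->mtime_ssl_service_pem` and `daemon->mtime_ns_ssl_service_pem` keep whatever they held before, while the new `else` branch resets them to 0. Unless file_get_mtime clears its outputs on failure (not visible in this hunk), a later ssl_cert_changed() would compare against a timestamp that does not belong to the certificate now loaded, and a replaced file could be judged unchanged. Resetting both fields in the failure branch as well, `daemon->mtime_ssl_service_pem = 0; daemon->mtime_ns_ssl_service_pem = 0;`, would match the no-pem case. The key stat in the context lines just above has the same shape. daemon_setup_sslctxs starts and ends outside the hunk.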
@@ -403,16 +408,18 @@ ssl_cert_changed(struct daemon* daemon, struct config_file* cfg)
        if(mtime != daemon->mtime_ssl_service_key ||
                ns != daemon->mtime_ns_ssl_service_key)
                return 1;
-       if(!file_get_mtime(pem, &mtime, &ns, NULL)) {
-               log_err("Could not stat(%s): %s",
-                       pem, strerror(errno));
-               /* It has probably changed, but file read is likely going to
-                * fail. */
-               return 0;
+       if(pem) {
+               if(!file_get_mtime(pem, &mtime, &ns, NULL)) {
+                       log_err("Could not stat(%s): %s",
+                               pem, strerror(errno));
+                       /* It has probably changed, but file read is likely going to
+                        * fail. */
+                       return 0;
+               }
+               if(mtime != daemon->mtime_ssl_service_pem ||
+                       ns != daemon->mtime_ns_ssl_service_pem)
+                       return 1;
        }
-       if(mtime != daemon->mtime_ssl_service_pem ||
-               ns != daemon->mtime_ns_ssl_service_pem)
-               return 1;
        return 0;
 }
 
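Review bot: With `pem` NULL the new `if(pem)` block is skipped and the function returns 0 without looking at the stored pem timestamps. If the cfg passed here can differ from the one used at setup (not visible in the hunk), removing the pem option after a certificate was loaded would go undetected and the listener would keep the old chain. An `else if(daemon->mtime_ssl_service_pem != 0 || daemon->mtime_ns_ssl_service_pem != 0) return 1;` on the `if(pem)` would cover that transition, since setup stores 0 for both fields when pem is unset. ssl_cert_changed starts outside the hunk.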
index 51cfab93afd714072c17e33bfd5846e888dc4468..478a549cd2fb974eca6e077df287e1e4fa44f6ce 100644 (file)
@@ -1,6 +1,8 @@
 17 April 2026: Wouter
        - Fix setup of ssl context copy of the tls service pem option,
          from a clang analyzer warning.
+       - Fix setup of ssl context copy, to check for the tls service
+         pem option for stat calls.
 
 16 April 2026: Yorgos
        - Merge #1406: Introduce new 'tls-protocols' configuration option.