diff --git a/ChangeLog.txt b/ChangeLog.txt
index 4ce9123a..13a6a615 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -8,6 +8,8 @@ Broker:
   Closes #948.
 - Fix for bridge connections when using WITH_ADNS=yes.
 - Fix round_robin false behaviour. Closes #481.
+- Fix segfault on HUP when bridges and security options are configured.
+  Closes #965.
 
 Library:
 - Fix situation where username and password is used with SOCKS5 proxy. Closes
diff --git a/src/security_default.c b/src/security_default.c
index 73d20f81..26d8b59e 100644
--- a/src/security_default.c
+++ b/src/security_default.c
@@ -786,6 +786,7 @@ int mosquitto_unpwd_check_default(struct mosquitto_db *db, struct mosquitto *con
 	if(!db) return MOSQ_ERR_INVAL;
 
 	if(db->config->per_listener_settings){
+		if(context->bridge) return MOSQ_ERR_SUCCESS;
 		if(!context->listener) return MOSQ_ERR_INVAL;
 		if(!context->listener->unpwd) return MOSQ_ERR_PLUGIN_DEFER;
 		unpwd_ref = context->listener->unpwd;
@@ -867,7 +868,12 @@ int mosquitto_security_apply_default(struct mosquitto_db *db)
 	HASH_ITER(hh_id, db->contexts_by_id, context, ctxt_tmp){
 		/* Check for anonymous clients when allow_anonymous is false */
 		if(db->config->per_listener_settings){
-			allow_anonymous = context->listener->security_options.allow_anonymous;
+			if(context->listener){
+				allow_anonymous = context->listener->security_options.allow_anonymous;
+			}else{
+				/* Client not currently connected, so defer judgement until it does connect */
+				allow_anonymous = true;
+			}
 		}else{
 			allow_anonymous = db->config->security_options.allow_anonymous;
 		}