From d09591d92e243c496f6d5021c77c87fece647a97 Mon Sep 17 00:00:00 2001
From: "Roger A. Light"
Date: Tue, 31 Aug 2021 15:59:40 +0100
Subject: [PATCH] Fix reconnecting in some cases when using MOSQ_OPT_TLS_USE_OS_CERTS.

Fix reconnecting failing when MOSQ_OPT_TLS_USE_OS_CERTS was in use, but none of capath, cafile, psk, nor MOSQ_OPT_SSL_CTX were set, and MOSQ_OPT_SSL_CTX_WITH_DEFAULTS was set to the default value of true. Closes #2288. Thanks to Poltorak Serguei.
---
 ChangeLog.txt | 4 ++++
 lib/mosquitto_internal.h | 3 +++
 lib/net_mosq.c | 9 ++++++---
 lib/options.c | 8 ++++----
 4 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/ChangeLog.txt b/ChangeLog.txt
index 3889adcd..3ce349ad 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -52,6 +52,10 @@ Client library:
 - Threaded mode is deconfigured when the mosquitto_loop_start() thread ends,
   which allows mosquitto_loop_start() to be called again. Closes #2242.
 - Fix MOSQ_OPT_SSL_CTX not being able to be set to NULL. Closes #2289.
+- Fix reconnecting failing when MOSQ_OPT_TLS_USE_OS_CERTS was in use, but none
+  of capath, cafile, psk, nor MOSQ_OPT_SSL_CTX were set, and
+  MOSQ_OPT_SSL_CTX_WITH_DEFAULTS was set to the default value of true.
+  Closes #2288.
 
 Apps:
 - Fix `mosquitto_ctrl dynsec setDefaultACLAccess` command not working.
diff --git a/lib/mosquitto_internal.h b/lib/mosquitto_internal.h
index 64468a39..e7880b31 100644
--- a/lib/mosquitto_internal.h
+++ b/lib/mosquitto_internal.h
@@ -243,6 +243,9 @@ struct mosquitto {
 #ifdef WITH_TLS
 	SSL *ssl;
 	SSL_CTX *ssl_ctx;
+#ifndef WITH_BROKER
+	SSL_CTX *user_ssl_ctx;
+#endif
 	char *tls_cafile;
 	char *tls_capath;
 	char *tls_certfile;
diff --git a/lib/net_mosq.c b/lib/net_mosq.c
index ce1bda71..bd927191 100644
--- a/lib/net_mosq.c
+++ b/lib/net_mosq.c
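Review bot: The new `user_ssl_ctx` member in the mosquitto_internal.h hunk carries no comment, yet its relationship to the neighbouring `ssl_ctx` is the entire point of this fix, and a reader of the struct cannot tell which of the two pointers owns a reference. The options.c hunk takes a reference on it via SSL_CTX_up_ref/CRYPTO_add and the net_mosq.c hunk copies it into `ssl_ctx` during TLS initialisation, so I would document exactly that: `/* SSL_CTX supplied by the application through MOSQ_OPT_SSL_CTX. The library holds its own reference to it (taken in mosquitto_void_option) and net__init_ssl_ctx copies the pointer into ssl_ctx; only one reference backs both pointers. */`. Whichever teardown path releases `ssl_ctx` (not visible in this patch) needs to honour that single-reference rule, so naming it at the declaration site is where it will be seen. struct mosquitto begins before this hunk.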
@@ -668,15 +668,18 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 #if !defined(OPENSSL_NO_ENGINE)
 	EVP_PKEY *pkey;
 #endif
-
-	if(mosq->ssl_ctx){
+
+#ifndef WITH_BROKER
+	if(mosq->user_ssl_ctx){
+		mosq->ssl_ctx = mosq->user_ssl_ctx;
 		if(!mosq->ssl_ctx_defaults){
 			return MOSQ_ERR_SUCCESS;
 		}else if(!mosq->tls_cafile && !mosq->tls_capath && !mosq->tls_psk){
-			log__printf(mosq, MOSQ_LOG_ERR, "Error: MOSQ_OPT_SSL_CTX_WITH_DEFAULTS used without specifying cafile, capath or psk.");
+			log__printf(mosq, MOSQ_LOG_ERR, "Error: If you use MOSQ_OPT_SSL_CTX then MOSQ_OPT_SSL_CTX_WITH_DEFAULTS must be true, or at least one of cafile, capath or psk must be specified.");
 			return MOSQ_ERR_INVAL;
 		}
 	}
+#endif
 
 	/* Apply default SSL_CTX settings. This is only used if MOSQ_OPT_SSL_CTX
 	 * has not been set, or if both of MOSQ_OPT_SSL_CTX and
diff --git a/lib/options.c b/lib/options.c
index c78aa479..b734f13f 100644
--- a/lib/options.c
+++ b/lib/options.c
@@ -508,12 +508,12 @@ int mosquitto_void_option(struct mosquitto *mosq, enum mosq_opt_t option, void *
 	switch(option){
 		case MOSQ_OPT_SSL_CTX:
 #ifdef WITH_TLS
-			mosq->ssl_ctx = (SSL_CTX *)value;
-			if(mosq->ssl_ctx){
+			mosq->user_ssl_ctx = (SSL_CTX *)value;
+			if(mosq->user_ssl_ctx){
 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
-				SSL_CTX_up_ref(mosq->ssl_ctx);
+				SSL_CTX_up_ref(mosq->user_ssl_ctx);
 #else
-				CRYPTO_add(&(mosq->ssl_ctx)->references, 1, CRYPTO_LOCK_SSL_CTX);
+				CRYPTO_add(&(mosq->user_ssl_ctx)->references, 1, CRYPTO_LOCK_SSL_CTX);
 #endif
 			}
 			break;
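Review bot: The replacement error message in the net_mosq.c hunk states the condition backwards: the `else if` is only reached when `ssl_ctx_defaults` is true and none of cafile, capath or psk is set, so telling the user that MOSQ_OPT_SSL_CTX_WITH_DEFAULTS "must be true" points them at the very setting that produced the error. Suggested text: `"Error: If you use MOSQ_OPT_SSL_CTX with MOSQ_OPT_SSL_CTX_WITH_DEFAULTS left true, at least one of cafile, capath or psk must be specified; otherwise set MOSQ_OPT_SSL_CTX_WITH_DEFAULTS to false."`. Separately, `mosq->ssl_ctx = mosq->user_ssl_ctx;` aliases the application's context without taking a further reference, while the single reference counted in mosquitto_void_option now backs both pointers; if any close or destroy path outside this hunk releases `ssl_ctx`, that release consumes the only reference the library holds and a later reconnect re-aliases a context it no longer owns — either take `SSL_CTX_up_ref` here with a matching release, or make the release path skip `ssl_ctx` when it equals `user_ssl_ctx`. The check also does not treat MOSQ_OPT_TLS_USE_OS_CERTS as an alternative to cafile/capath/psk, so an application SSL_CTX plus defaults plus OS certificates is still rejected here; if that is intended it deserves a comment on the `else if`. net__init_ssl_ctx starts before this hunk and continues after it.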
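Review bot: Storing a new value into `mosq->user_ssl_ctx` in the options.c hunk overwrites whatever was there before without releasing it, so calling mosquitto_void_option with MOSQ_OPT_SSL_CTX twice — or once with a context and then with NULL, which the ChangeLog entry for #2289 says is now allowed — leaks the reference taken by SSL_CTX_up_ref/CRYPTO_add on the earlier context. I would release it before the assignment: `if(mosq->user_ssl_ctx){ SSL_CTX_free(mosq->user_ssl_ctx); }` (SSL_CTX_free only decrements the count on both OpenSSL branches used here, so the application's own reference is unaffected). If `ssl_ctx` can still alias the earlier context at that moment it needs to be cleared or replaced too, which this hunk does not show. mosquitto_void_option continues outside the hunk.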