haproxy/haproxy-1.6.0-ssl.crash.patch

diff --git a/include/types/connection.h b/include/types/connection.h
index dfbff6a..070d779 100644
--- a/include/types/connection.h
+++ b/include/types/connection.h
@@ -122,7 +122,10 @@ enum {
 	/* This connection may not be shared between clients */
 	CO_FL_PRIVATE       = 0x10000000,
 
-	/* unused : 0x20000000, 0x40000000 */
+	/* A dynamically generated SSL certificate was used for this connection */
+	CO_FL_DYN_SSL_CTX   = 0x20000000,
+
+	/* unused : 0x40000000 */
 
 	/* This last flag indicates that the transport layer is used (for instance
 	 * by logs) and must not be cleared yet. The last call to conn_xprt_close()
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 5319532..2829af8 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1232,6 +1232,7 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, struct bind_conf *s)
 				ctx = ssl_sock_get_generated_cert(serial, s);
 				if (ctx) {
 					/* switch ctx */
+					conn->flags |= CO_FL_DYN_SSL_CTX;
 					SSL_set_SSL_CTX(ssl, ctx);
 					return SSL_TLSEXT_ERR_OK;
 				}
@@ -1271,6 +1272,9 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, struct bind_conf *s)
 		if (s->generate_certs &&
 		    (ctx = ssl_sock_generate_certificate(servername, s, ssl))) {
 			/* switch ctx */
+			struct connection *conn = (struct connection *)SSL_get_app_data(ssl);
+
+			conn->flags |= CO_FL_DYN_SSL_CTX;
 			SSL_set_SSL_CTX(ssl, ctx);
 			return SSL_TLSEXT_ERR_OK;
 		}
@@ -3124,11 +3128,11 @@ static void ssl_sock_close(struct connection *conn) {
 
 	if (conn->xprt_ctx) {
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
-		if (!ssl_ctx_lru_tree && objt_listener(conn->target)) {
+		if ((conn->flags & CO_FL_DYN_SSL_CTX) && !ssl_ctx_lru_tree) {
 			SSL_CTX *ctx = SSL_get_SSL_CTX(conn->xprt_ctx);
-			if (ctx != objt_listener(conn->target)->bind_conf->default_ctx)
-				SSL_CTX_free(ctx);
+			SSL_CTX_free(ctx);
 		}
+		conn->flags &= ~CO_FL_DYN_SSL_CTX,
 #endif
 		SSL_free(conn->xprt_ctx);
 		conn->xprt_ctx = NULL;