1 files changed, 6 insertions, 5 deletions

diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c
index a9e2910089..dec23305a7 100644
--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.214 2020/01/06 19:39:58 bluhm Exp $ */
+/* $OpenBSD: netcat.c,v 1.215 2020/01/07 17:36:04 bluhm Exp $ */
 /*
  * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
  * Copyright (c) 2015 Bob Beck.  All rights reserved.
@@ -835,8 +835,8 @@ tls_setup_client(struct tls *tls_ctx, int s, char *host)
         }
         if (vflag)
                 report_tls(tls_ctx, host);
-        if (tls_expecthash && tls_peer_cert_hash(tls_ctx) &&
-            strcmp(tls_expecthash, tls_peer_cert_hash(tls_ctx)) != 0)
+        if (tls_expecthash && (tls_peer_cert_hash(tls_ctx) == NULL ||
+            strcmp(tls_expecthash, tls_peer_cert_hash(tls_ctx)) != 0))
                 errx(1, "peer certificate is not %s", tls_expecthash);
         if (Zflag) {
                 save_peer_cert(tls_ctx, Zflag);
@@ -864,8 +864,9 @@ tls_setup_server(struct tls *tls_ctx, int connfd, char *host)
                         report_tls(tls_cctx, host);
                 if ((TLSopt & TLS_CCERT) && !gotcert)
                         warnx("No client certificate provided");
-                else if (gotcert && tls_peer_cert_hash(tls_ctx) && tls_expecthash &&
-                    strcmp(tls_expecthash, tls_peer_cert_hash(tls_ctx)) != 0)
+                else if (gotcert && tls_expecthash &&
+                    (tls_peer_cert_hash(tls_cctx) == NULL ||
+                    strcmp(tls_expecthash, tls_peer_cert_hash(tls_cctx)) != 0))
                         warnx("peer certificate is not %s", tls_expecthash);
                 else if (gotcert && tls_expectname &&
                     (!tls_peer_cert_contains_name(tls_cctx, tls_expectname)))