Bug fix: sslpassword_program for ssl-bump http ports
authorChristos Tsantilas <chtsanti@users.sourceforge.net>
Mon, 20 Feb 2012 18:07:29 +0000 (20:07 +0200)
committerChristos Tsantilas <chtsanti@users.sourceforge.net>
Mon, 20 Feb 2012 18:07:29 +0000 (20:07 +0200)
Currently the sslpassword_program configuration parameter does not work
for encrypted certificate keys on ssl-bump enabled http ports, and the user
is always asked to give the SSL key password.

This patch fixes this problem.

This is a Measurement Factory project.

src/ssl/gadgets.cc
src/ssl/gadgets.h
src/ssl/support.cc

index 5b7709a32b60130981c7621b45347815bc372c16..248be513434493eb20b5115648054de689ac29ba 100644 (file)
@@ -236,7 +236,7 @@ static X509 * readSslX509Certificate(char const * certFilename)
     return certificate;
 }
 
-EVP_PKEY * Ssl::readSslPrivateKey(char const * keyFilename)
+EVP_PKEY * Ssl::readSslPrivateKey(char const * keyFilename, pem_password_cb *passwd_callback)
 {
     if (!keyFilename)
         return NULL;
@@ -245,7 +245,7 @@ EVP_PKEY * Ssl::readSslPrivateKey(char const * keyFilename)
         return NULL;
     if (!BIO_read_filename(bio.get(), keyFilename))
         return NULL;
-    EVP_PKEY *pkey = PEM_read_bio_PrivateKey(bio.get(), NULL, NULL, NULL);
+    EVP_PKEY *pkey = PEM_read_bio_PrivateKey(bio.get(), NULL, passwd_callback, NULL);
     return pkey;
 }
 
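Review bot: The password callback is invoked with a NULL userdata pointer, because the fourth argument of `PEM_read_bio_PrivateKey` on the new line is still `NULL`. `ssl_ask_password_cb`, which support.cc passes in, is not shown in this diff; if it reads its `userdata` argument (for example to hand the key file name to the password program), it would be working with a null pointer here, so that is worth confirming. If context is needed, supply it only when a callback is set, e.g. `passwd_callback ? const_cast<char *>(keyFilename) : NULL`, because OpenSSL treats a non-NULL `u` combined with a NULL callback as the passphrase string itself. The function's signature is changed in the preceding hunk.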
index f19a2170a37e0e8d5628840a855f8909034e64b4..7e82f56fca5f3bafe765fb4f1eec862b97004b58 100644 (file)
@@ -123,7 +123,7 @@ bool generateSslCertificateAndPrivateKey(char const *host, X509_Pointer const &
  \ingroup SslCrtdSslAPI
  * Read private key from file. Make sure that this is not encrypted file.
  */
-EVP_PKEY * readSslPrivateKey(char const * keyFilename);
+EVP_PKEY * readSslPrivateKey(char const * keyFilename, pem_password_cb *passwd_callback = NULL);
 
 /**
  \ingroup SslCrtdSslAPI
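Review bot: The doc comment above this declaration still says "Make sure that this is not encrypted file", which no longer describes the function now that a password callback can be supplied. I would reword it along the lines of `Read private key from file. An encrypted key is decrypted with the passphrase returned by passwd_callback; with the default NULL callback OpenSSL falls back to its built-in passphrase prompt.` Callers that keep the default argument still need an unencrypted key to avoid an interactive prompt, and the comment should say so explicitly.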
index b01888a9b0fa7b92030938394fde3b98a4100d00..e075480c8d38addef8c6ae1aeb6a6b0569b7d6b2 100644 (file)
@@ -1318,7 +1318,7 @@ void Ssl::readCertChainAndPrivateKeyFromFiles(X509_Pointer & cert, EVP_PKEY_Poin
         chain.reset(sk_X509_new_null());
     if (!chain)
         debugs(83, DBG_IMPORTANT, "WARNING: unable to allocate memory for cert chain");
-    pkey.reset(readSslPrivateKey(keyFilename));
+    pkey.reset(readSslPrivateKey(keyFilename, ssl_ask_password_cb));
     cert.reset(readSslX509CertificatesChain(certFilename, chain.get()));
     if (!pkey || !cert || !X509_check_private_key(cert.get(), pkey.get())) {
         pkey.reset(NULL);
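Review bot: `ssl_ask_password_cb` is passed unconditionally on the changed line, so it is also used when no sslpassword_program is configured. The callback body is outside this diff; if it builds a command line from the configured program without checking that one is set, an encrypted key with no password program would run a malformed command instead of falling back to the OpenSSL prompt. Consider selecting the callback only when the program is configured, e.g. `readSslPrivateKey(keyFilename, Config.Program.ssl_password ? ssl_ask_password_cb : NULL)`, assuming that is the setting the callback reads. The enclosing function continues past the end of the hunk, so the handling of a failed key load is not fully visible here.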