Bug fix: sslpassword_program for ssl-bump http ports

Currently the sslpassword_program configuration parameter does not work
for encrypted certificate keys on ssl-bump enabled http ports, and user
always asked to give the SSL key password.

This patch fixes this problem.

This is a Measurement Factory project.

diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
index 7be9cb07025930ce55c600c4cd15a0da0b75b9f3..fd7427e62b1dce29fa71a613f00c1feb7b0fceec 100644 (file)
--- a/src/ssl/gadgets.cc
+++ b/src/ssl/gadgets.cc
@@ -355,7 +355,7 @@ static X509 * readSslX509Certificate(char const * certFilename)
     return certificate;
 }
 
-EVP_PKEY * Ssl::readSslPrivateKey(char const * keyFilename)
+EVP_PKEY * Ssl::readSslPrivateKey(char const * keyFilename, pem_password_cb *passwd_callback)
 {
     if (!keyFilename)
         return NULL;
@@ -364,7 +364,7 @@ EVP_PKEY * Ssl::readSslPrivateKey(char const * keyFilename)
         return NULL;
     if (!BIO_read_filename(bio.get(), keyFilename))
         return NULL;
-    EVP_PKEY *pkey = PEM_read_bio_PrivateKey(bio.get(), NULL, NULL, NULL);
+    EVP_PKEY *pkey = PEM_read_bio_PrivateKey(bio.get(), NULL, passwd_callback, NULL);
     return pkey;
 }
 

diff --git a/src/ssl/gadgets.h b/src/ssl/gadgets.h
index 5d7f032cc59a4689a6bb25145fff8b487a3942f1..f041796b6c5ff5b3ef7c615cb10a28a7710a16de 100644 (file)
--- a/src/ssl/gadgets.h
+++ b/src/ssl/gadgets.h
@@ -231,7 +231,7 @@ bool generateSslCertificate(X509_Pointer & cert, EVP_PKEY_Pointer & pkey, Certif
  \ingroup SslCrtdSslAPI
  * Read private key from file. Make sure that this is not encrypted file.
  */
-EVP_PKEY * readSslPrivateKey(char const * keyFilename);
+EVP_PKEY * readSslPrivateKey(char const * keyFilename, pem_password_cb *passwd_callback = NULL);
 
 /**
  \ingroup SslCrtdSslAPI

diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index 32f78038aeae836fcc3e77b2ad2cab05f4da5dac..e17119ccd0d29ca2aaa6f68b114facd55ae3a314 100644 (file)
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -1373,7 +1373,7 @@ void Ssl::readCertChainAndPrivateKeyFromFiles(X509_Pointer & cert, EVP_PKEY_Poin
         chain.reset(sk_X509_new_null());
     if (!chain)
         debugs(83, DBG_IMPORTANT, "WARNING: unable to allocate memory for cert chain");
-    pkey.reset(readSslPrivateKey(keyFilename));
+    pkey.reset(readSslPrivateKey(keyFilename, ssl_ask_password_cb));
     cert.reset(readSslX509CertificatesChain(certFilename, chain.get()));
     if (!pkey || !cert || !X509_check_private_key(cert.get(), pkey.get())) {
         pkey.reset(NULL);