From: Alex Rousskov
Date: Sun, 2 Jun 2013 16:01:18 +0000 (-0600)
Subject: Ask for SSL key password when started with -N but without sslpassword_program.
X-Git-Tag: SQUID_3_3_6~14
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a0fe14e0cd8c6c61f69a8bbdf2eb61e1b855e2de;p=thirdparty%2Fsquid.git
Ask for SSL key password when started with -N but without sslpassword_program.
Do not give SSL a password-asking callback if sslpassword_program is not configured. Without a callback, OpenSSL itself asks for the password (which works if Squid runs in foreground because of -N). The fix applies to Ssl::readCertChainAndPrivateKeyFromFiles() context only. This is not the only place where we read private keys. Some other places are working correctly, but others may need more work. Also, Ssl::readCertChainAndPrivateKeyFromFiles() may not really work if sslpassword_program _is_ configured because "user data" pointer will be nil.
---
diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index 1ac30b9edf..0611e6d38a 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -1521,7 +1521,10 @@ void Ssl::readCertChainAndPrivateKeyFromFiles(X509_Pointer & cert, EVP_PKEY_Poin
 chain.reset(sk_X509_new_null());
 if (!chain)
 debugs(83, DBG_IMPORTANT, "WARNING: unable to allocate memory for cert chain");
- pkey.reset(readSslPrivateKey(keyFilename, ssl_ask_password_cb));
+ // XXX: ssl_ask_password_cb needs SSL_CTX_set_default_passwd_cb_userdata()
+ // so this may not fully work iff Config.Program.ssl_password is set.
+ pem_password_cb *cb = ::Config.Program.ssl_password ? &ssl_ask_password_cb : NULL;
+ pkey.reset(readSslPrivateKey(keyFilename, cb));
 cert.reset(readSslX509CertificatesChain(certFilename, chain.get()));
 if (!pkey || !cert || !X509_check_private_key(cert.get(), pkey.get())) {
 pkey.reset(NULL);
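Review bot: The `cb` selection on the new side still dispatches to ssl_ask_password_cb with the nil "user data" pointer that the commit message itself says makes this path not work, so the configuration an unattended daemon actually relies on (sslpassword_program set) is the one this function knowingly cannot serve; rather than record that in an XXX, either thread the user-data pointer through readSslPrivateKey() to the PEM read (the same value the SSL_CTX_set_default_passwd_cb_userdata() callers supply, presumably the key or cert file name) or refuse this case explicitly, e.g. `if (::Config.Program.ssl_password) debugs(83, DBG_IMPORTANT, "ERROR: sslpassword_program is not supported here yet for " << keyFilename);`. When `cb` is NULL OpenSSL falls back to its own terminal prompt, which presumably cannot be answered without -N, and the resulting failure is only reported by the generic `!pkey` branch below the hunk, so that branch should say that the key appears to be encrypted and that -N or a working sslpassword_program is required. The added comment's `iff` reads as "if and only if" where `if` is meant. The enclosing readCertChainAndPrivateKeyFromFiles() starts and ends outside the hunk.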