Posted to commits@trafficserver.apache.org by bc...@apache.org on 2018/07/05 17:10:50 UTC
[trafficserver] branch 8.0.x updated: Recognize openssl engines for
key loading.
This is an automated email from the ASF dual-hosted git repository.
bcall pushed a commit to branch 8.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/8.0.x by this push:
new 270f805 Recognize openssl engines for key loading.
270f805 is described below
commit 270f8051153cbd81889b65d3db93643652cae50c
Author: Susan Hinrichs <sh...@oath.com>
AuthorDate: Fri Jun 29 16:11:59 2018 +0000
Recognize openssl engines for key loading.
(cherry picked from commit 8e97714f49a30d7ba7575c6a78d3111fd73b80f9)
---
iocore/net/SSLUtils.cc | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 3d3fe3f..acc8d57 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -1336,7 +1336,13 @@ SSLDefaultServerContext()
static bool
SSLPrivateKeyHandler(SSL_CTX *ctx, const SSLConfigParams *params, const ats_scoped_str &completeServerCertPath, const char *keyPath)
{
- if (!keyPath) {
+ ENGINE *e = ENGINE_get_default_RSA();
+ if (e != nullptr) {
+ const char *argkey = (keyPath == nullptr || keyPath[0] == '\0') ? completeServerCertPath : keyPath;
+ if (!SSL_CTX_use_PrivateKey(ctx, ENGINE_load_private_key(e, argkey, nullptr, nullptr))) {
+ SSLError("failed to load server private key from engine");
+ }
+ } else if (!keyPath) {
// assume private key is contained in cert obtained from multicert file.
if (!SSL_CTX_use_PrivateKey_file(ctx, completeServerCertPath, SSL_FILETYPE_PEM)) {
SSLError("failed to load server private key from %s", (const char *)completeServerCertPath);
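Review bot: The new engine branch logs the failure of `SSL_CTX_use_PrivateKey(ctx, ENGINE_load_private_key(...))` but then falls through instead of returning false as the sibling file-based branches do (see the `return false;` in the next hunk), so a context whose engine key failed to load is reported as configured, and because the second hunk also skips `SSL_CTX_check_private_key` whenever `e != nullptr`, nothing catches it until handshakes start failing. The `EVP_PKEY *` handed back by `ENGINE_load_private_key` is also never released; `SSL_CTX_use_PrivateKey` takes its own reference, so each load leaks one key reference, and a null return from the engine reaches `SSL_CTX_use_PrivateKey` unchecked (it rejects a null key, but the logged message then misattributes the error). Holding the key in a named `EVP_PKEY` and freeing it on both paths addresses all three; `ENGINE_get_default_RSA` presumably returns a reference that needs `ENGINE_finish` once the key is loaded — confirm against the OpenSSL docs before adding it, since `e` is still read in the second hunk. This only consults the default RSA engine, so an EC key held in an engine still goes through the file path; if that is intended, a one-line comment above `ENGINE_get_default_RSA()` saying so would help the next reader. SSLPrivateKeyHandler continues past the end of this hunk.
```cpp
  ENGINE *e = ENGINE_get_default_RSA();
  if (e != nullptr) {
    const char *argkey = (keyPath == nullptr || keyPath[0] == '\0') ? completeServerCertPath : keyPath;
    EVP_PKEY *pkey     = ENGINE_load_private_key(e, argkey, nullptr, nullptr);
    // SSL_CTX_use_PrivateKey takes its own reference; drop ours on every path.
    bool ok = (pkey != nullptr) && SSL_CTX_use_PrivateKey(ctx, pkey);
    EVP_PKEY_free(pkey);
    if (!ok) {
      SSLError("failed to load server private key from engine");
      return false;
    }
  } else if (!keyPath) {
    // … unchanged: file-based private key loading …
```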
@@ -1356,7 +1362,7 @@ SSLPrivateKeyHandler(SSL_CTX *ctx, const SSLConfigParams *params, const ats_scop
return false;
}
- if (!SSL_CTX_check_private_key(ctx)) {
+ if (e == nullptr && !SSL_CTX_check_private_key(ctx)) {
SSLError("server private key does not match the certificate public key");
return false;
}