aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--configure.ac1
-rw-r--r--lib/vtls/gtls.c45
2 files changed, 37 insertions, 9 deletions
diff --git a/configure.ac b/configure.ac
index 843a3badf..26d77eb87 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1836,6 +1836,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
AC_MSG_NOTICE([Added $gtlslib to LD_LIBRARY_PATH])
fi
fi
+ AC_CHECK_FUNCS(gnutls_certificate_set_x509_key_file2)
fi
fi
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 5f7041a30..1a41c05d7 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -656,15 +656,42 @@ gtls_connect_step1(struct connectdata *conn,
#endif
if(data->set.str[STRING_CERT]) {
- if(gnutls_certificate_set_x509_key_file(
- conn->ssl[sockindex].cred,
- data->set.str[STRING_CERT],
- data->set.str[STRING_KEY] ?
- data->set.str[STRING_KEY] : data->set.str[STRING_CERT],
- do_file_type(data->set.str[STRING_CERT_TYPE]) ) !=
- GNUTLS_E_SUCCESS) {
- failf(data, "error reading X.509 key or certificate file");
- return CURLE_SSL_CONNECT_ERROR;
+ if(data->set.str[STRING_KEY_PASSWD]) {
+#if HAVE_GNUTLS_CERTIFICATE_SET_X509_KEY_FILE2
+ const unsigned int supported_key_encryption_algorithms =
+ GNUTLS_PKCS_USE_PKCS12_3DES | GNUTLS_PKCS_USE_PKCS12_ARCFOUR |
+ GNUTLS_PKCS_USE_PKCS12_RC2_40 | GNUTLS_PKCS_USE_PBES2_3DES |
+ GNUTLS_PKCS_USE_PBES2_AES_128 | GNUTLS_PKCS_USE_PBES2_AES_192 |
+ GNUTLS_PKCS_USE_PBES2_AES_256;
+ if(gnutls_certificate_set_x509_key_file2(
+ conn->ssl[sockindex].cred,
+ data->set.str[STRING_CERT],
+ data->set.str[STRING_KEY] ?
+ data->set.str[STRING_KEY] : data->set.str[STRING_CERT],
+ do_file_type(data->set.str[STRING_CERT_TYPE]),
+ data->set.str[STRING_KEY_PASSWD],
+ supported_key_encryption_algorithms) !=
+ GNUTLS_E_SUCCESS) {
+ failf(data,
+ "error reading X.509 potentially-encrypted key file");
+ return CURLE_SSL_CONNECT_ERROR;
+#else
+ failf(data, "gnutls lacks support for encrypted key files");
+ return CURLE_SSL_CONNECT_ERROR;
+#endif
+ }
+ }
+ else {
+ if(gnutls_certificate_set_x509_key_file(
+ conn->ssl[sockindex].cred,
+ data->set.str[STRING_CERT],
+ data->set.str[STRING_KEY] ?
+ data->set.str[STRING_KEY] : data->set.str[STRING_CERT],
+ do_file_type(data->set.str[STRING_CERT_TYPE]) ) !=
+ GNUTLS_E_SUCCESS) {
+ failf(data, "error reading X.509 key or certificate file");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
}
}