3 files changed, 20 insertions, 1 deletions

diff --git a/radsecproxy.c b/radsecproxy.c
index 0efb1a8..cbabf03 100644
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -82,6 +82,14 @@ void ssl_locking_callback(int mode, int type, const char *file, int line) {
 	pthread_mutex_unlock(&ssl_locks[type]);
 }
 
+static int pem_passwd_cb(char *buf, int size, int rwflag, void *userdata) {
+    int pwdlen = strlen(userdata);
+    if (rwflag != 0 || pwdlen > size) /* not for decryption or too large */
+	return 0;
+    memcpy(buf, userdata, pwdlen);
+    return pwdlen;
+}
+
 static int verify_cb(int ok, X509_STORE_CTX *ctx) {
   char buf[256];
   X509 *err_cert;
@@ -156,6 +164,10 @@ SSL_CTX *ssl_init() {
     }
 
     ctx = SSL_CTX_new(TLSv1_method());
+    if (options.tlscertificatekeypassword) {
+	SSL_CTX_set_default_passwd_cb_userdata(ctx, options.tlscertificatekeypassword);
+	SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb);
+    }
     if (SSL_CTX_use_certificate_chain_file(ctx, options.tlscertificatefile) &&
 	SSL_CTX_use_PrivateKey_file(ctx, options.tlscertificatekeyfile, SSL_FILETYPE_PEM) &&
 	SSL_CTX_check_private_key(ctx) &&
@@ -1805,6 +1817,10 @@ void getmainconfig(const char *configfile) {
 	    options.tlscertificatekeyfile = stringcopy(val, 0);
 	    continue;
 	}
+	if (!strcasecmp(opt, "TLSCertificateKeyPassword")) {
+	    options.tlscertificatekeypassword = stringcopy(val, 0);
+	    continue;
+	}
 	if (!strcasecmp(opt, "UDPServerPort")) {
 	    options.udpserverport = stringcopy(val, 0);
 	    continue;
diff --git a/radsecproxy.conf-example b/radsecproxy.conf-example
index bde62e3..94321c0 100644
--- a/radsecproxy.conf-example
+++ b/radsecproxy.conf-example
@@ -9,6 +9,8 @@ TLSCACertificatePath	/etc/cacerts
 # You must specify the below for TLS, we will always present our certificate
 TLSCertificateFile	/etc/hostcertkey/host.example.com.pem
 TLSCertificateKeyFile	/etc/hostcertkey/host.example.com.key.pem
+# Optionally specify password if key is encrypted (not very secure)
+TLSCertificateKeyPassword	follow the white rabbit
 
 # You can optionally specify a non-standard UDP port to listen
 #UDPServerPort		1814
diff --git a/radsecproxy.h b/radsecproxy.h
index ac5ec56..9a71de3 100644
--- a/radsecproxy.h
+++ b/radsecproxy.h
@@ -52,9 +52,10 @@ struct options {
     char *tlscacertificatepath;
     char *tlscertificatefile;
     char *tlscertificatekeyfile;
+    char *tlscertificatekeypassword;
     char *udpserverport;
 };
-    
+
 /* requests that our client will send */
 struct request {
     unsigned char *buf;