Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the callback from the SSL object instead of the one from the CTX, so let's set the callback on both SSL and CTX. Note that SSL_set_default_passwd_cb*() is available only in 1.1.0. Signed-off-by: Beniamino Galvani <bgalvani@xxxxxxxxxx> --- src/crypto/tls_openssl.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index 07c6119..7b7dc50 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -2796,6 +2796,15 @@ static int tls_connection_private_key(struct tls_data *data, } else passwd = NULL; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + /* + * In OpenSSL >= 1.1.0f SSL_use_PrivateKey_file() uses the callback + * from the SSL object. See OpenSSL commit d61461a75253. + */ + SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb); + SSL_set_default_passwd_cb_userdata(conn->ssl, passwd); +#endif /* >= 1.1.0f && !LibreSSL */ + /* Keep these for OpenSSL < 1.1.0f */ SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb); SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd); @@ -2886,6 +2895,9 @@ static int tls_connection_private_key(struct tls_data *data, return -1; } ERR_clear_error(); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + SSL_set_default_passwd_cb(conn->ssl, NULL); +#endif /* >= 1.1.0f && !LibreSSL */ SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL); os_free(passwd); -- 2.9.3 _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap