fs: tls: add --client-pass support for encrypted --client-key files

This also widens the supported types - Unencrypted PKCS#1 ("BEGIN RSA PRIVATE KEY") - Unencrypted PKCS#8 ("BEGIN PRIVATE KEY") - Encrypted PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") - Legacy PEM encryption (e.g., DEK-Info headers), which are automatically detected.
2025-12-16 00:04:40 +00:00 · 2025-08-20 16:27:42 +01:00
parent e7a2b322ec
commit cfd0d28742
4 changed files with 303 additions and 29 deletions
--- a/fs/config.go
+++ b/fs/config.go
@@ -438,6 +438,12 @@ var ConfigOptionsInfo = Options{{
 	Default: "",
 	Help:    "Client SSL private key (PEM) for mutual TLS auth",
 	Groups:  "Networking",
+}, {
+	Name:       "client_pass",
+	Default:    "",
+	Help:       "Password for client SSL private key (PEM) for mutual TLS auth (obscured)",
+	Groups:     "Networking",
+	IsPassword: true,
 }, {
 	Name:    "multi_thread_cutoff",
 	Default: SizeSuffix(256 * 1024 * 1024),
@@ -644,6 +650,7 @@ type ConfigInfo struct {
 	CaCert                     []string          `config:"ca_cert"`     // Client Side CA
 	ClientCert                 string            `config:"client_cert"` // Client Side Cert
 	ClientKey                  string            `config:"client_key"`  // Client Side Key
+	ClientPass                 string            `config:"client_pass"` // Client Side Key Password (obscured)
 	MultiThreadCutoff          SizeSuffix        `config:"multi_thread_cutoff"`
 	MultiThreadStreams         int               `config:"multi_thread_streams"`
 	MultiThreadSet             bool              `config:"multi_thread_set"`        // whether MultiThreadStreams was set (set in fs/config/configflags)