Add support for ssl_key_file (as required for client certificate auth)

jmguzman · jmguzman · commit adbc50ed2303 · 2025-11-18T02:16:09.000-03:00
diff --git a/lib/GLPI/Agent/Config.pm b/lib/GLPI/Agent/Config.pm
@@ -55,6 +55,7 @@ my $default = {
     'scan-profiles'           => undef,
     'server'                  => undef,
     'ssl-cert-file'           => undef,
+    'ssl-key-file'            => undef,
     'ssl-fingerprint'         => undef,
     'ssl-keystore'            => undef,
     'tag'                     => undef,
diff --git a/lib/GLPI/Agent/HTTP/Client.pm b/lib/GLPI/Agent/HTTP/Client.pm
@@ -43,6 +43,10 @@ sub new {
     die "non-existing client certificate file $ssl_cert_file"
         if $ssl_cert_file && ! -f $ssl_cert_file;
 
+    my $ssl_key_file = $params{ssl_key_file} || $config->{'ssl-key-file'};
+    die "non-existing client certificate file $ssl_key_file"
+        if $ssl_key_file && ! -f $ssl_key_file;
+
     # We should still keep SSL certs cache if running in long running netdiscovery
     # or netinventory task with expiration set in a dedicated thread
     $_SSL_ca->{_expiration} = getExpirationTime()
@@ -60,6 +64,7 @@ sub new {
         ca_cert_dir     => $ca_cert_dir,
         ca_cert_file    => $ca_cert_file,
         ssl_cert_file   => $ssl_cert_file,
+        ssl_key_file    => $ssl_key_file,
         ssl_fingerprint => $params{ssl_fingerprint} || $config->{'ssl-fingerprint'},
         ssl_keystore    => $params{ssl_keystore} || $config->{'ssl-keystore'},
         _vardir         => $config->{'vardir'},
@@ -514,6 +519,9 @@ sub _setSSLOptions {
                 if $self->{ca_cert_dir};
             $self->{ua}->ssl_opts(SSL_cert_file => $self->{ssl_cert_file})
                 if $self->{ssl_cert_file};
+            $self->{ua}->ssl_opts(SSL_key_file => $self->{ssl_key_file})
+                if $self->{ssl_key_file};
+
             $self->{ua}->ssl_opts(SSL_fingerprint => $self->{ssl_fingerprint})
                 if $self->{ssl_fingerprint} && $IO::Socket::SSL::VERSION >= 1.967;
             # Use SSL_ca option to support system keychain or keystore to add
diff --git a/lib/GLPI/Agent/HTTP/Protocol/https.pm b/lib/GLPI/Agent/HTTP/Protocol/https.pm
@@ -16,6 +16,8 @@ sub import {
         if $params{ca_cert_dir};
     IO::Socket::SSL::set_ctx_defaults(ssl_cert_file => $params{ssl_cert_file})
         if $params{ssl_cert_file};
+    IO::Socket::SSL::set_ctx_defaults(ssl_key_file => $params{ssl_key_file})
+        if $params{ssl_key_file};
     IO::Socket::SSL::set_ctx_defaults(ssl_ca => $params{ssl_ca})
         if $params{ssl_ca};
     IO::Socket::SSL::set_ctx_defaults(ssl_fingerprint => $params{ssl_fingerprint})
