Add support for TLS mutual auth
martinssipenko committed Feb 19, 2018
1 parent 32ab58f commit d20d686
Showing 2 changed files with 8 additions and 1 deletion.
5 changes: 5 additions & 0 deletions lib/fluent/plugin_helper/cert_option.rb
Expand Up @@ -33,6 +33,11 @@ def cert_option_create_context(version, insecure, ciphers, conf)
ctx.ciphers = ciphers
end

if conf.client_cert_auth
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
end

ctx.ca_file = conf.ca_path
ctx.cert = cert
ctx.key = key
if extra && !extra.empty?
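Review bot: With `client_cert_auth` enabled, the new `ctx.verify_mode` assignment requires a peer certificate, but nothing in this hunk guarantees a CA store is loaded: `ctx.ca_file = conf.ca_path` is a no-op when `ca_path` is left at its nil default and no default store is loaded here, so every client handshake would then fail verification at runtime instead of being rejected at configuration time. A guard before the `verify_mode` line makes the requirement explicit, e.g. `raise Fluent::ConfigError, "ca_path is required when client_cert_auth is true" if conf.client_cert_auth && conf.ca_path.nil?` (presumably the error class the plugin helpers already raise — confirm). The parameter is named `ca_path` but is assigned to `ctx.ca_file`, which takes a single PEM bundle rather than a directory, so a comment such as `# ca_path is a PEM bundle file, not a hashed cert directory (ctx.ca_file)` would stop operators from pointing it at a directory and silently getting no trust anchors. `cert_option_create_context` starts before this hunk and continues past it.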
4 changes: 3 additions & 1 deletion lib/fluent/plugin_helper/server.rb
Expand Up @@ -237,7 +237,7 @@ def server_create_for_tls_connection(shared, bind, port, conf, backlog, socket_o

SERVER_TRANSPORT_PARAMS = [
:protocol, :version, :ciphers, :insecure,
:cert_path, :private_key_path, :private_key_passphrase,
:ca_path, :cert_path, :private_key_path, :private_key_passphrase, :client_cert_auth,
:ca_cert_path, :ca_private_key_path, :ca_private_key_passphrase,
:generate_private_key_length,
:generate_cert_country, :generate_cert_state, :generate_cert_state,
Expand Down Expand Up @@ -271,9 +271,11 @@ module ServerTransportParams
config_param :insecure, :bool, default: false

# Cert signed by public CA
config_param :ca_path, :string, default: nil
config_param :cert_path, :string, default: nil
config_param :private_key_path, :string, default: nil
config_param :private_key_passphrase, :string, default: nil, secret: true
config_param :client_cert_auth, :bool, default: false

# Cert generated and signed by private CA Certificate
config_param :ca_cert_path, :string, default: nil
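Review bot: The two new `config_param` lines for `ca_path` and `client_cert_auth` carry no description, and the only nearby comment is the pre-existing `# Cert signed by public CA` header, which says nothing about client authentication, so an operator reading the generated parameter docs would not learn that `client_cert_auth` turns on peer verification or that it depends on `ca_path`. If this helper supports the `desc` macro used by fluentd plugins, I would add `desc 'PEM bundle of CA certificates used to verify client certificates; required when client_cert_auth is true'` above `ca_path` and `desc 'Require and verify a client certificate (TLS mutual auth); the handshake fails if none is presented'` above `client_cert_auth`. The interaction with the existing `insecure` flag is also undocumented — if `insecure` is meant to relax verification, the `desc` should state which setting wins when both are set. The `ServerTransportParams` module starts before this hunk and continues past it.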
