add client certificate verify (#1169)

infra/conf/transport_internet.go

@@ -318,6 +318,7 @@ type TLSConfig struct {
 	EnableSessionResumption          bool                  `json:"enableSessionResumption"`
 	DisableSystemRoot                bool                  `json:"disableSystemRoot"`
 	PinnedPeerCertificateChainSha256 *[]string             `json:"pinnedPeerCertificateChainSha256"`
+	ClientVerify                     bool                  `json:"clientVerify"`
 }
 
 // Build implements Buildable.
@@ -333,6 +334,7 @@ func (c *TLSConfig) Build() (proto.Message, error) {
 	}
 	serverName := c.ServerName
 	config.AllowInsecure = c.Insecure
+	config.ClientVerify = c.ClientVerify
 	if len(c.ServerName) > 0 {
 		config.ServerName = serverName
 	}

transport/internet/tls/config.go

@@ -211,20 +211,22 @@ func (c *Config) GetTLSConfig(opts ...Option) *tls.Config {
 			SessionTicketsDisabled: true,
 		}
 	}
-
 	config := &tls.Config{
 		ClientSessionCache:     globalSessionCache,
 		RootCAs:                root,
 		InsecureSkipVerify:     c.AllowInsecure,
 		NextProtos:             c.NextProtocol,
 		SessionTicketsDisabled: !c.EnableSessionResumption,
 		VerifyPeerCertificate:  c.verifyPeerCert,
+		ClientCAs:              root,
 	}
 
 	for _, opt := range opts {
 		opt(config)
 	}
-
+	if c.ClientVerify {
+		config.ClientAuth = tls.RequireAndVerifyClientCert
+	}
 	config.Certificates = c.BuildCertificates()
 	config.BuildNameToCertificate()
 

transport/internet/tls/config.proto

@@ -48,4 +48,7 @@ message Config {
      @Critical
   */
   repeated bytes pinned_peer_certificate_chain_sha256 = 7;
+
+  // Whether or not server verify client cert
+  bool client_verify = 8;
 }