From d20d68657943e7a0b5179a5612234afbb8738176 Mon Sep 17 00:00:00 2001
From: Martins Sipenko
Date: Mon, 19 Feb 2018 19:47:03 +0200
Subject: [PATCH] Add support for TLS mutual auth

---
 lib/fluent/plugin_helper/cert_option.rb | 5 +++++
 lib/fluent/plugin_helper/server.rb      | 4 +++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/fluent/plugin_helper/cert_option.rb b/lib/fluent/plugin_helper/cert_option.rb
index a85401faea..cb153038c7 100644
--- a/lib/fluent/plugin_helper/cert_option.rb
+++ b/lib/fluent/plugin_helper/cert_option.rb
@@ -33,6 +33,11 @@ def cert_option_create_context(version, insecure, ciphers, conf)
           ctx.ciphers = ciphers
         end
 
+        if conf.client_cert_auth
+          ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+        end
+
+        ctx.ca_file = conf.ca_path
         ctx.cert = cert
         ctx.key = key
         if extra && !extra.empty?
diff --git a/lib/fluent/plugin_helper/server.rb b/lib/fluent/plugin_helper/server.rb
index 9e6d85b519..a5cdc1fc96 100644
--- a/lib/fluent/plugin_helper/server.rb
+++ b/lib/fluent/plugin_helper/server.rb
@@ -237,7 +237,7 @@ def server_create_for_tls_connection(shared, bind, port, conf, backlog, socket_o
       SERVER_TRANSPORT_PARAMS = [
         :protocol, :version, :ciphers, :insecure,
-        :cert_path, :private_key_path, :private_key_passphrase,
+        :ca_path, :cert_path, :private_key_path, :private_key_passphrase, :client_cert_auth,
         :ca_cert_path, :ca_private_key_path, :ca_private_key_passphrase,
         :generate_private_key_length,
         :generate_cert_country, :generate_cert_state, :generate_cert_state,
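Review bot: When `conf.client_cert_auth` is true but `conf.ca_path` is left at its nil default (see the `config_param :ca_path, :string, default: nil` declaration in server.rb), the context is given `VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT` with no trust anchor, so every client handshake presumably fails at runtime with an unknown-issuer error instead of a clear configuration error; a guard before the verify_mode assignment, `raise Fluent::ConfigError, "ca_path is required when client_cert_auth is true" unless conf.ca_path`, would fail fast. The assignment `ctx.ca_file = conf.ca_path` also maps a parameter named ca_path onto `ca_file`, which OpenSSL treats as a single PEM bundle file, whereas `SSLContext#ca_path` is a hashed directory; a comment such as `# ca_path is a PEM bundle file (SSLContext#ca_file), not a hashed CA directory` would keep operators from pointing it at a directory. cert_option_create_context starts and ends outside the hunk.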
@@ -271,9 +271,11 @@ module ServerTransportParams
         config_param :insecure, :bool, default: false
 
         # Cert signed by public CA
+        config_param :ca_path, :string, default: nil
         config_param :cert_path, :string, default: nil
         config_param :private_key_path, :string, default: nil
         config_param :private_key_passphrase, :string, default: nil, secret: true
+        config_param :client_cert_auth, :bool, default: false
 
         # Cert generated and signed by private CA Certificate
         config_param :ca_cert_path, :string, default: nil
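Review bot: The two new params carry no documentation, and `ca_path` is placed under the `# Cert signed by public CA` comment even though, per the cert_option.rb hunk, it is the trust anchor used to verify client certificates rather than part of the server's own certificate chain. Suggest a comment above each declaration, e.g. `# PEM bundle of CA certificates trusted when verifying client certificates` for ca_path and `# Require and verify a client certificate; ca_path must be set` for client_cert_auth, so the dependency between the two is visible where operators read the options. The enclosing module ServerTransportParams starts and ends outside the hunk.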