Merge pull request #2187 from fluent/support-mutual-auth-out-forward

out_forward: Support mutual TLS. fix #1879
fluent · Dec 11, 2018 · e4182d1 · e4182d1
2 parents c037e41 + 487a97e
commit e4182d1
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/lib/fluent/plugin/out_forward.rb b/lib/fluent/plugin/out_forward.rb
@@ -97,6 +97,12 @@ class ConnectionClosedError < Error; end
     config_param :tls_ca_cert_path, :array, value_type: :string, default: nil
     desc 'The additional certificate path for TLS.'
     config_param :tls_cert_path, :array, value_type: :string, default: nil
+    desc 'The client certificate path for TLS.'
+    config_param :tls_client_cert_path, :string, default: nil
+    desc 'The client private key path for TLS.'
+    config_param :tls_client_private_key_path, :string, default: nil
+    desc 'The client private key passphrase for TLS.'
+    config_param :tls_client_private_key_passphrase, :string, default: nil
 
     config_section :security, required: false, multi: false do
       desc 'The hostname'
@@ -345,6 +351,9 @@ def create_transfer_socket(host, port, hostname, &block)
           fqdn: hostname,
           allow_self_signed_cert: @tls_allow_self_signed_cert,
           cert_paths: @tls_ca_cert_path,
+          cert_path: @tls_client_cert_path,
+          private_key_path: @tls_client_private_key_path,
+          private_key_passphrase: @tls_client_private_key_passphrase,
           linger_timeout: @send_timeout,
           send_timeout: @send_timeout,
           recv_timeout: @ack_response_timeout,

diff --git a/lib/fluent/plugin_helper/socket.rb b/lib/fluent/plugin_helper/socket.rb
@@ -89,7 +89,8 @@ def socket_create_udp(host, port, resolve_name: false, connect: false, **kwargs,
       def socket_create_tls(
           host, port,
           version: TLS_DEFAULT_VERSION, ciphers: CIPHERS_DEFAULT, insecure: false, verify_fqdn: true, fqdn: nil,
-          enable_system_cert_store: true, allow_self_signed_cert: false, cert_paths: nil, **kwargs, &block)
+          enable_system_cert_store: true, allow_self_signed_cert: false, cert_paths: nil,
+          cert_path: nil, private_key_path: nil, private_key_passphrase: nil, **kwargs, &block)
 
         host_is_ipaddress = IPAddr.new(host) rescue false
         fqdn ||= host unless host_is_ipaddress
@@ -131,6 +132,8 @@ def socket_create_tls(
           context.verify_mode = OpenSSL::SSL::VERIFY_PEER
           context.cert_store = cert_store
           context.verify_hostname = true if verify_fqdn && fqdn && context.respond_to?(:verify_hostname=)
+          context.cert = OpenSSL::X509::Certificate.new(File.read(cert_path)) if cert_path
+          context.key = OpenSSL::PKey::RSA.new(File.read(private_key_path), private_key_passphrase) if private_key_path
         end
 
         tcpsock = socket_create_tcp(host, port, **kwargs)