tls: openssl: add support for client certificate verification

edbingo · edbingo · commit 70d4849353db · 2026-02-11T12:27:32.000+01:00
Signed-off-by: Edward Lancaster &lt;edward.lancaster@siemens.com&gt;
diff --git a/include/fluent-bit/tls/flb_tls.h b/include/fluent-bit/tls/flb_tls.h
@@ -76,6 +76,7 @@ struct flb_tls_backend {
 
     /* Additional settings */
     int (*context_alpn_set) (void *, const char *);
+    int (*context_set_verify_client) (void *, int);
 
     /* TLS Protocol version */
     int (*set_minmax_proto) (struct flb_tls *tls, const char *, const char *);
@@ -104,6 +105,7 @@ struct flb_tls_backend {
 /* Main TLS context */
 struct flb_tls {
     int verify;                       /* FLB_TRUE | FLB_FALSE      */
+    int verify_client;                /* Verify client certificate */
     int debug;                        /* Debug level               */
     char *vhost;                      /* Virtual hostname for SNI  */
     int mode;                         /* Client or Server          */
@@ -131,6 +133,7 @@ struct flb_tls *flb_tls_create(int mode,
 int flb_tls_destroy(struct flb_tls *tls);
 
 int flb_tls_set_alpn(struct flb_tls *tls, const char *alpn);
+int flb_tls_set_verify_client(struct flb_tls *tls, int verify_client);
 
 int flb_tls_set_verify_hostname(struct flb_tls *tls, int verify_hostname);
 #if defined(FLB_SYSTEM_WINDOWS)
diff --git a/src/tls/flb_tls.c b/src/tls/flb_tls.c
@@ -35,6 +35,11 @@ struct flb_config_map tls_configmap[] = {
      0, FLB_FALSE, 0,
      "Force certificate validation",
     },
+    {
+     FLB_CONFIG_MAP_BOOL, "tls.verify_client_cert", "off",
+     0, FLB_FALSE, 0,
+     "Enable or disable client certificate verification",
+    },
     {
      FLB_CONFIG_MAP_INT, "tls.debug", "1",
      0, FLB_FALSE, 0,
@@ -285,6 +290,21 @@ int flb_tls_set_alpn(struct flb_tls *tls, const char *alpn)
     return 0;
 }
 
+int flb_tls_set_verify_client(struct flb_tls *tls, int verify_client)
+{
+    if (!tls) {
+        return -1;
+    }
+
+    tls->verify_client = verify_client;
+
+    if (tls->ctx && tls->api->context_set_verify_client) {
+        return tls->api->context_set_verify_client(tls->ctx, verify_client);
+    }
+
+    return 0;
+}
+
 int flb_tls_set_verify_hostname(struct flb_tls *tls, int verify_hostname)
 {
     if (!tls) {
diff --git a/src/tls/openssl.c b/src/tls/openssl.c
@@ -301,6 +301,20 @@ int tls_context_alpn_set(void *ctx_backend, const char *alpn)
     return result;
 }
 
+static int tls_context_set_verify_client(void *ctx_backend, int verify_client)
+{
+    struct tls_context *ctx = ctx_backend;
+    int mode;
+
+    if (ctx->mode == FLB_TLS_SERVER_MODE && verify_client == FLB_TRUE) {
+        mode = SSL_CTX_get_verify_mode(ctx->ctx);
+        mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+        SSL_CTX_set_verify(ctx->ctx, mode, NULL);
+    }
+
+    return 0;
+}
+
 #ifdef _MSC_VER
 /* Parse certstore_name prefix like
  *
@@ -801,7 +815,8 @@ static void *tls_context_create(int verify,
         SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE, NULL);
     }
     else {
-        SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
+        int verify_flags = SSL_VERIFY_PEER;
+        SSL_CTX_set_verify(ssl_ctx, verify_flags, NULL);
     }
 
     /* ca_path | ca_file */
@@ -1574,6 +1589,7 @@ static struct flb_tls_backend tls_openssl = {
     .context_create       = tls_context_create,
     .context_destroy      = tls_context_destroy,
     .context_alpn_set     = tls_context_alpn_set,
+    .context_set_verify_client = tls_context_set_verify_client,
     .session_alpn_get     = tls_session_alpn_get,
     .set_minmax_proto     = tls_set_minmax_proto,
     .set_ciphers          = tls_set_ciphers,
