TUN-6780: Add support for certReload to also include support for client certificates

2025-07-27 22:49:58 +00:00 · 2022-09-19 12:47:18 +01:00
parent a0b6ba9b8d
commit b457cca1e5
2 changed files with 24 additions and 9 deletions
--- a/tlsconfig/tlsconfig.go
+++ b/tlsconfig/tlsconfig.go
@@ -12,15 +12,16 @@ import (

 // Config is the user provided parameters to create a tls.Config
 type TLSParameters struct {
-	Cert             string
-	Key              string
-	GetCertificate   *CertReloader
-	ClientCAs        []string
-	RootCAs          []string
-	ServerName       string
-	CurvePreferences []tls.CurveID
-	MinVersion       uint16 // min tls version. If zero, TLS1.0 is defined as minimum.
-	MaxVersion       uint16 // max tls version. If zero, last TLS version is used defined as limit (currently TLS1.3)
+	Cert                 string
+	Key                  string
+	GetCertificate       *CertReloader
+	GetClientCertificate *CertReloader
+	ClientCAs            []string
+	RootCAs              []string
+	ServerName           string
+	CurvePreferences     []tls.CurveID
+	MinVersion           uint16 // min tls version. If zero, TLS1.0 is defined as minimum.
+	MaxVersion           uint16 // max tls version. If zero, last TLS version is used defined as limit (currently TLS1.3)
 }

 // GetConfig returns a TLS configuration according to the Config set by the user.
@@ -43,6 +44,11 @@ func GetConfig(p *TLSParameters) (*tls.Config, error) {
 		tlsconfig.GetCertificate = p.GetCertificate.Cert
 	}

+	if p.GetClientCertificate != nil {
+		// GetClientCertificate is called when using an HTTP client library and mTLS is required.
+		tlsconfig.GetClientCertificate = p.GetClientCertificate.ClientCert
+	}
+
 	if len(p.ClientCAs) > 0 {
 		// set of root certificate authorities that servers use if required to verify a client certificate
 		// by the policy in ClientAuth