@@ -3,6 +3,7 @@ package gateway
33import (
44 "context"
55 "crypto/tls"
6+ "crypto/x509"
67 "errors"
78 "fmt"
89 "net"
@@ -37,8 +38,10 @@ type GatewayRelayConfig struct {
3738 RelayMaxPort uint16 `yaml:"relay_max_port"`
3839 TlsCertPath string `yaml:"tls_cert_path"`
3940 TlsPrivateKeyPath string `yaml:"tls_private_key_path"`
41+ TlsCaPath string `yaml:"tls_ca_path"`
4042
4143 tls tls.Certificate
44+ tlsCa string
4245 isTlsEnabled bool
4346}
4447
@@ -79,19 +82,19 @@ func NewGatewayRelay(configFilePath string) (*GatewayRelay, error) {
7982 return nil , errMissingTlsCert
8083 }
8184
82- tlsCertFile , err := os . ReadFile (cfg .TlsCertPath )
85+ cert , err := tls . LoadX509KeyPair (cfg .TlsCertPath , cfg . TlsPrivateKeyPath )
8386 if err != nil {
84- return nil , err
85- }
86- tlsPrivateKeyFile , err := os .ReadFile (cfg .TlsPrivateKeyPath )
87- if err != nil {
88- return nil , err
87+ return nil , fmt .Errorf ("Failed to read load server tls key pair: %w" , err )
8988 }
9089
91- cert , err := tls .LoadX509KeyPair (string (tlsCertFile ), string (tlsPrivateKeyFile ))
92- if err != nil {
93- return nil , err
90+ if cfg .TlsCaPath != "" {
91+ ca , err := os .ReadFile (cfg .TlsCaPath )
92+ if err != nil {
93+ return nil , fmt .Errorf ("Failed to read tls ca: %w" , err )
94+ }
95+ cfg .tlsCa = string (ca )
9496 }
97+
9598 cfg .tls = cert
9699 cfg .isTlsEnabled = true
97100 }
@@ -140,8 +143,12 @@ func (g *GatewayRelay) Run() error {
140143 }
141144
142145 if g .Config .isTlsEnabled {
146+ caCertPool := x509 .NewCertPool ()
147+ caCertPool .AppendCertsFromPEM ([]byte (g .Config .tlsCa ))
148+
143149 listenerConfigs [i ].Listener = tls .NewListener (conn , & tls.Config {
144150 Certificates : []tls.Certificate {g .Config .tls },
151+ ClientCAs : caCertPool ,
145152 })
146153 } else {
147154 listenerConfigs [i ].Listener = conn
0 commit comments