diff --git a/falco.yaml b/falco.yaml index 2a9769cf..97ceb8b5 100644 --- a/falco.yaml +++ b/falco.yaml @@ -359,6 +359,12 @@ http_output: # Path to a folder that will be used as the CA certificate store. CA certificate need to be # stored as indivitual PEM files in this directory. ca_path: "/etc/ssl/certs" + # Tell Falco to use mTLS + mtls: false + # Path to the client cert. + client_cert: "/etc/ssl/certs/client.crt" + # Path to the client key. + client_key: "/etc/ssl/certs/client.key" # [Stable] `program_output` # diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp index a059d321..d55dde7d 100644 --- a/userspace/falco/configuration.cpp +++ b/userspace/falco/configuration.cpp @@ -194,7 +194,7 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h bool insecure; insecure = config.get_scalar("http_output.insecure", false); http_output.options["insecure"] = insecure? std::string("true") : std::string("false"); - + std::string ca_cert; ca_cert = config.get_scalar("http_output.ca_cert", ""); http_output.options["ca_cert"] = ca_cert; @@ -207,6 +207,18 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h ca_path = config.get_scalar("http_output.ca_path", "/etc/ssl/certs"); http_output.options["ca_path"] = ca_path; + bool mtls; + mtls = config.get_scalar("http_output.mtls", false); + http_output.options["mtls"] = mtls? std::string("true") : std::string("false"); + + std::string client_cert; + client_cert = config.get_scalar("http_output.client_cert", "/etc/ssl/certs/client.crt"); + http_output.options["client_cert"] = client_cert; + + std::string client_key; + client_key = config.get_scalar("http_output.client_key", "/etc/ssl/certs/client.key"); + http_output.options["client_key"] = client_key; + m_outputs.push_back(http_output); } diff --git a/userspace/falco/outputs_http.cpp b/userspace/falco/outputs_http.cpp index d0a32434..00f784a0 100644 --- a/userspace/falco/outputs_http.cpp 
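Review bot: The default `client_key: "/etc/ssl/certs/client.key"` places the client private key in the system CA trust store directory, the same directory the `ca_path` comment just above describes as the (typically world-readable) CA certificate store, which is not where a private key should default to. I would point both defaults at a Falco-owned location, `client_cert: "/etc/falco/certs/client.crt"` and `client_key: "/etc/falco/certs/client.key"`, and extend the key's comment with `# Private key for mTLS; keep it readable only by the Falco user (e.g. mode 0600).` The two new comments should also say that `client_cert` and `client_key` are only used when `mtls` is true, and the same path strings are hard-coded again as defaults in configuration.cpp in this diff, so the two copies need to be kept in sync.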
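Review bot: Nothing in the new `mtls` / `client_cert` / `client_key` block validates the combination at load time: with `mtls: true` an empty `client_cert` or `client_key` is stored as-is and only surfaces later, per event, when outputs_http.cpp hands the empty path to libcurl. Since `insecure`, `ca_cert` and `ca_path` are read right here, this is the place to fail early, e.g. `if(mtls && (client_cert.empty() || client_key.empty()))` followed by whatever error path `load_yaml` already uses for invalid `http_output` settings. A one-line comment such as `// client_cert/client_key are only consulted by the HTTP output when mtls is true` would also make the relationship between the three keys explicit. `load_yaml` starts and ends outside this hunk.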
+++ b/userspace/falco/outputs_http.cpp @@ -62,14 +62,14 @@ void falco::outputs::output_http::output(const message *msg) if(res == CURLE_OK) { - res = curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, -1L); + res = curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, -1L); } if(res == CURLE_OK) { if(m_oc.options["insecure"] == std::string("true")) { - res = curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER, 0L); + res = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L); if(res == CURLE_OK) { @@ -78,6 +78,19 @@ void falco::outputs::output_http::output(const message *msg) } } + if(res == CURLE_OK) + { + if(m_oc.options["mtls"] == std::string("true")) + { + res = curl_easy_setopt(curl, CURLOPT_SSLCERT, m_oc.options["client_cert"].c_str()); + + if(res == CURLE_OK) + { + res = curl_easy_setopt(curl, CURLOPT_SSLKEY, m_oc.options["client_key"].c_str()); + } + } + } + if(res == CURLE_OK) { if (!m_oc.options["ca_cert"].empty())
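Review bot: The new mTLS block passes `m_oc.options["client_cert"]` and `m_oc.options["client_key"]` to libcurl without checking they are non-empty, and sets no `CURLOPT_KEYPASSWD`, so a passphrase-protected key, or an empty path from the config, will presumably only fail at handshake time with a generic curl error rather than a clear message. I would document the constraint above the block, `// mTLS: client_cert/client_key must be unencrypted PEM files (libcurl default type); no CURLOPT_KEYPASSWD is set`, and skip the two setopt calls with a logged error when either path is empty. Note also that this block runs regardless of the `insecure` branch above it, so with `insecure: true` the client certificate is presented to a server whose identity was never verified; that combination is worth at least a warning. `output()` starts and ends outside this hunk.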