From 7348165c5024771af1758fdb1bfc222e9277f4bb Mon Sep 17 00:00:00 2001
From: Michael Kaufmann
Date: Mon, 21 Jan 2019 15:58:54 +0100
Subject: [PATCH] Support client certificates with TLS 1.3 Enable post-handshake authentication with OpenSSL 1.1.1 Fixes #237
---
 ext/openssl/extconf.rb | 1 +
 ext/openssl/ossl_ssl.c | 4 ++++
 2 files changed, 5 insertions(+)
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index 4f218562b..b5cd540b3 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -165,6 +165,7 @@ def find_openssl_library
 have_func("X509_get0_notBefore")
 have_func("SSL_SESSION_get_protocol_version")
 have_func("EVP_PBE_scrypt")
+have_func("SSL_CTX_set_post_handshake_auth")
 Logging::message "=== Checking done. ===\n"
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index 7996f227b..8a8d8e4b0 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -810,6 +810,10 @@ ossl_sslctx_setup(VALUE self)
 }
 #endif /* OPENSSL_NO_EC */
+#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
+ SSL_CTX_set_post_handshake_auth(ctx, 1);
+#endif
+
 val = rb_attr_get(self, id_i_cert_store);
 if (!NIL_P(val)) {
 X509_STORE *store = GetX509StorePtr(val); /* NO NEED TO DUP */
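Review bot: `SSL_CTX_set_post_handshake_auth(ctx, 1)` is now called for every context that goes through `ossl_sslctx_setup`, and the hunk gives the application no way to turn it off. As OpenSSL documents it, the setting only matters on the client side, where it makes the ClientHello advertise that the server may ask for a certificate at any point after the TLS 1.3 handshake; a client with a certificate or certificate callback configured would then answer such a request mid-connection, which callers that authenticate only at connect time may not expect. Consider enabling it only when the context actually has a client certificate or callback configured, or exposing it as a context option, and add a comment above the call such as `/* TLS 1.3: let the server request a client certificate after the handshake (client side only) */`. The body of `ossl_sslctx_setup` starts and ends outside the hunk, so whether a later step already restricts this cannot be seen here.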