authorMattes D <github@xoft.cz>2023-05-09 19:59:15 +0200
committerMattes D <github@xoft.cz>2023-05-19 16:25:12 +0200
commit97c49c6f294a0b7e931be2692c124bd78fc79946 (patch)
tree872fcdfbfc30ff0ed2e2e444bb965769ea147e60 /src/Bindings
parentcTCPLink: Use the original connection hostname for SNI. (diff)
Diffstat (limited to 'src/Bindings')
-rw-r--r--src/Bindings/LuaTCPLink.cpp15
-rw-r--r--src/Bindings/LuaTCPLink.h4
-rw-r--r--src/Bindings/ManualBindings_Network.cpp8
3 files changed, 20 insertions, 7 deletions
diff --git a/src/Bindings/LuaTCPLink.cpp b/src/Bindings/LuaTCPLink.cpp
index 14ea5c905..883361abb 100644
--- a/src/Bindings/LuaTCPLink.cpp
+++ b/src/Bindings/LuaTCPLink.cpp
@@ -166,7 +166,8 @@ void cLuaTCPLink::Close(void)
AString cLuaTCPLink::StartTLSClient(
const AString & a_OwnCertData,
const AString & a_OwnPrivKeyData,
- const AString & a_OwnPrivKeyPassword
+ const AString & a_OwnPrivKeyPassword,
+ const AString & a_TrustedRootCAs
)
{
auto link = m_Link;
@@ -193,7 +194,17 @@ AString cLuaTCPLink::StartTLSClient(
}
}
- return link->StartTLSClient(ownCert, ownPrivKey);
+ cX509CertPtr trustedRootCAs;
+ if (!a_TrustedRootCAs.empty())
+ {
+ trustedRootCAs = std::make_shared<cX509Cert>();
+ auto res = trustedRootCAs->Parse(a_TrustedRootCAs.data(), a_TrustedRootCAs.size());
+ if (res != 0)
+ {
+ return fmt::format("Cannot parse trusted root CAs: {}", res);
+ }
+ }
+ return link->StartTLSClient(ownCert, ownPrivKey, trustedRootCAs);
}
return "";
}
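Review bot: An empty `a_TrustedRootCAs` leaves `trustedRootCAs` null and the code still calls `link->StartTLSClient(ownCert, ownPrivKey, trustedRootCAs)`, so what a null CA set means for server-certificate verification is decided outside this hunk. If it means the peer certificate is not checked, every caller that omits the roots gets an encrypted but unauthenticated session, and that fail-open default should be made visible, for example by logging a warning on this path. The doc comment in LuaTCPLink.h describes the format of the new parameter but not the empty case; I would add a line such as `If a_TrustedRootCAs is empty, the server certificate is not verified against any CA.`, with the wording confirmed against the cTCPLink implementation. The body of StartTLSClient starts before this hunk, so the handling of `ownCert` and `ownPrivKey` is not visible here.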
diff --git a/src/Bindings/LuaTCPLink.h b/src/Bindings/LuaTCPLink.h
index 6e5a78b4d..e5618f838 100644
--- a/src/Bindings/LuaTCPLink.h
+++ b/src/Bindings/LuaTCPLink.h
@@ -66,11 +66,13 @@ public:
If a client certificate should be used for the connection, set the certificate into a_OwnCertData and
its corresponding private key to a_OwnPrivKeyData. If both are empty, no client cert is presented.
a_OwnPrivKeyPassword is the password to be used for decoding PrivKey, empty if not passworded.
+ a_TrustedRootCAs is a \n-delimited concatenation of trusted root CAs' certificates in PEM format
Returns empty string on success, non-empty error description on failure. */
AString StartTLSClient(
const AString & a_OwnCertData,
const AString & a_OwnPrivKeyData,
- const AString & a_OwnPrivKeyPassword
+ const AString & a_OwnPrivKeyPassword,
+ const AString & a_TrustedRootCAs
);
/** Starts a TLS handshake as a server connection.
diff --git a/src/Bindings/ManualBindings_Network.cpp b/src/Bindings/ManualBindings_Network.cpp
index 67385cce6..c184821e9 100644
--- a/src/Bindings/ManualBindings_Network.cpp
+++ b/src/Bindings/ManualBindings_Network.cpp
@@ -546,7 +546,7 @@ static int tolua_cTCPLink_Shutdown(lua_State * L)
static int tolua_cTCPLink_StartTLSClient(lua_State * L)
{
// Function signature:
- // LinkInstance:StartTLSClient(OwnCert, OwnPrivKey, OwnPrivKeyPassword) -> [true] or [nil, ErrMsg]
+ // LinkInstance:StartTLSClient(OwnCert, OwnPrivKey, OwnPrivKeyPassword, TrustedRootCAs) -> [true] or [nil, ErrMsg]
// Get the link:
cLuaState S(L);
@@ -558,11 +558,11 @@ static int tolua_cTCPLink_StartTLSClient(lua_State * L)
ASSERT(Link != nullptr); // Checked by CheckParamSelf()
// Read the (optional) params:
- AString OwnCert, OwnPrivKey, OwnPrivKeyPassword;
- S.GetStackValues(2, OwnCert, OwnPrivKey, OwnPrivKeyPassword);
+ AString OwnCert, OwnPrivKey, OwnPrivKeyPassword, TrustedRootCAs;
+ S.GetStackValues(2, OwnCert, OwnPrivKey, OwnPrivKeyPassword, cLuaState::cOptionalParam<std::string>(TrustedRootCAs));
// Start the TLS handshake:
- AString res = Link->StartTLSClient(OwnCert, OwnPrivKey, OwnPrivKeyPassword);
+ AString res = Link->StartTLSClient(OwnCert, OwnPrivKey, OwnPrivKeyPassword, TrustedRootCAs);
if (!res.empty())
{
S.Push(cLuaState::Nil, fmt::format(
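Review bot: `TrustedRootCAs` is declared as `AString` but wrapped as `cLuaState::cOptionalParam<std::string>(TrustedRootCAs)`; the rest of the function uses `AString` throughout, so `cLuaState::cOptionalParam<AString>(TrustedRootCAs)` would read more consistently (assuming the two names refer to the same type). The signature comment in the earlier hunk of this file lists `TrustedRootCAs` like the other arguments although it is the only one read as optional; marking it, e.g. `StartTLSClient(OwnCert, OwnPrivKey, OwnPrivKeyPassword, [TrustedRootCAs])`, would tell plugin authors that omitting it is accepted and leaves the connection without caller-supplied trust anchors. The function continues past the end of this hunk.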