Step 1 is enable server-only TLS handshake, with the chaincode process being the client and the peer process being the server. the chaincode process needs to have access to the peer's ca root cert so as to validate the server cert during TLS handshake.
Step 2, add mutual TLS support, if that is included in the fabric for v1.1 (
FAB-5406). the CRs for this have been merged to master, but there are questions on whether they should be included in v1.1