chore: unify all psk cipher suites
This commit is contained in:
parent
f1ff80fc16
commit
024c7c59b7
|
@ -129,7 +129,7 @@ bridge.mqtt.aws.ciphers = TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHAC
|
||||||
## Note that 'bridge.${BridgeName}.ciphers' and 'bridge.${BridgeName}.psk_ciphers' cannot
|
## Note that 'bridge.${BridgeName}.ciphers' and 'bridge.${BridgeName}.psk_ciphers' cannot
|
||||||
## be configured at the same time.
|
## be configured at the same time.
|
||||||
## See 'https://tools.ietf.org/html/rfc4279#section-2'.
|
## See 'https://tools.ietf.org/html/rfc4279#section-2'.
|
||||||
#bridge.mqtt.aws.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
|
#bridge.mqtt.aws.psk_ciphers = RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384,RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256,RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA
|
||||||
|
|
||||||
## Ping interval of a down bridge.
|
## Ping interval of a down bridge.
|
||||||
##
|
##
|
||||||
|
|
|
@ -134,13 +134,29 @@
|
||||||
]}.
|
]}.
|
||||||
|
|
||||||
{translation, "emqx_bridge_mqtt.bridges", fun(Conf) ->
|
{translation, "emqx_bridge_mqtt.bridges", fun(Conf) ->
|
||||||
|
AvaiableCiphers = ["RSA-PSK-AES256-GCM-SHA384","RSA-PSK-AES256-CBC-SHA384",
|
||||||
|
"RSA-PSK-AES128-GCM-SHA256","RSA-PSK-AES128-CBC-SHA256",
|
||||||
|
"RSA-PSK-AES256-CBC-SHA","RSA-PSK-AES128-CBC-SHA"
|
||||||
|
],
|
||||||
|
%% Compatible with legacy PSK Cipher strings
|
||||||
|
PskMapping = fun("PSK-AES128-CBC-SHA") -> {true, "RSA-PSK-AES128-CBC-SHA"};
|
||||||
|
("PSK-AES256-CBC-SHA") -> {true, "RSA-PSK-AES256-CBC-SHA"};
|
||||||
|
("PSK-3DES-EDE-CBC-SHA") -> {true, "PSK-3DES-EDE-CBC-SHA"};
|
||||||
|
("PSK-RC4-SHA") -> {true, "PSK-RC4-SHA"};
|
||||||
|
(C) -> case lists:member(C, AvaiableCiphers) of
|
||||||
|
true -> {true, C};
|
||||||
|
false -> false
|
||||||
|
end
|
||||||
|
end,
|
||||||
MapPSKCiphers = fun(PSKCiphers) ->
|
MapPSKCiphers = fun(PSKCiphers) ->
|
||||||
lists:map(
|
lists:filtermap(fun(C0) ->
|
||||||
fun("PSK-AES128-CBC-SHA") -> {psk, aes_128_cbc, sha};
|
case PskMapping(C0) of
|
||||||
("PSK-AES256-CBC-SHA") -> {psk, aes_256_cbc, sha};
|
false ->
|
||||||
("PSK-3DES-EDE-CBC-SHA") -> {psk, '3des_ede_cbc', sha};
|
cuttlefish:invalid(
|
||||||
("PSK-RC4-SHA") -> {psk, rc4_128, sha}
|
io_lib:format("psk_ciphers: not support ~s", [C0]));
|
||||||
|
{true, C} ->
|
||||||
|
{true, C}
|
||||||
|
end
|
||||||
end, PSKCiphers)
|
end, PSKCiphers)
|
||||||
end,
|
end,
|
||||||
|
|
||||||
|
|
|
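Review bot: PskMapping still accepts the legacy names `PSK-3DES-EDE-CBC-SHA` and `PSK-RC4-SHA` and returns them unchanged even though neither is in AvaiableCiphers, so the unification stops short: a config carrying those two names passes validation and a 3DES or RC4 suite is still handed to the TLS listener. If keeping them is deliberate, the `%% Compatible with legacy PSK Cipher strings` comment should say that these two are passed through without being checked against the list; otherwise dropping the two clauses lets them fall into the `lists:member` check and be rejected by the existing `cuttlefish:invalid` path, which seems preferable given that RC4 is prohibited in TLS (RFC 7465) and 3DES is widely deprecated. The identical clauses appear in the exproto hunk (`@ -274,12`) and the lwm2m hunk (`@ -190,21`). The enclosing translation fun for `emqx_bridge_mqtt.bridges` continues past the hunk.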
@ -224,7 +224,7 @@ exproto.listener.protoname.reuseaddr = true
|
||||||
## Note that 'listener.ssl.external.ciphers' and 'listener.ssl.external.psk_ciphers' cannot
|
## Note that 'listener.ssl.external.ciphers' and 'listener.ssl.external.psk_ciphers' cannot
|
||||||
## be configured at the same time.
|
## be configured at the same time.
|
||||||
## See 'https://tools.ietf.org/html/rfc4279#section-2'.
|
## See 'https://tools.ietf.org/html/rfc4279#section-2'.
|
||||||
#exproto.listener.protoname.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
|
#exproto.listener.protoname.psk_ciphers = RSA-PSK-AES256-GCM-SHA384,RSA-PSK-AES256-CBC-SHA384,RSA-PSK-AES128-GCM-SHA256,RSA-PSK-AES128-CBC-SHA256,RSA-PSK-AES256-CBC-SHA,RSA-PSK-AES128-CBC-SHA
|
||||||
|
|
||||||
## SSL parameter renegotiation is a feature that allows a client and a server
|
## SSL parameter renegotiation is a feature that allows a client and a server
|
||||||
## to renegotiate the parameters of the SSL connection on the fly.
|
## to renegotiate the parameters of the SSL connection on the fly.
|
||||||
|
|
|
@ -274,12 +274,29 @@ end}.
|
||||||
{reuseaddr, cuttlefish:conf_get(Prefix ++ ".reuseaddr", Conf, undefined)}])
|
{reuseaddr, cuttlefish:conf_get(Prefix ++ ".reuseaddr", Conf, undefined)}])
|
||||||
end,
|
end,
|
||||||
SplitFun = fun(undefined) -> undefined; (S) -> string:tokens(S, ",") end,
|
SplitFun = fun(undefined) -> undefined; (S) -> string:tokens(S, ",") end,
|
||||||
|
AvaiableCiphers = ["RSA-PSK-AES256-GCM-SHA384","RSA-PSK-AES256-CBC-SHA384",
|
||||||
|
"RSA-PSK-AES128-GCM-SHA256","RSA-PSK-AES128-CBC-SHA256",
|
||||||
|
"RSA-PSK-AES256-CBC-SHA","RSA-PSK-AES128-CBC-SHA"
|
||||||
|
],
|
||||||
|
%% Compatible with legacy PSK Cipher strings
|
||||||
|
PskMapping = fun("PSK-AES128-CBC-SHA") -> {true, "RSA-PSK-AES128-CBC-SHA"};
|
||||||
|
("PSK-AES256-CBC-SHA") -> {true, "RSA-PSK-AES256-CBC-SHA"};
|
||||||
|
("PSK-3DES-EDE-CBC-SHA") -> {true, "PSK-3DES-EDE-CBC-SHA"};
|
||||||
|
("PSK-RC4-SHA") -> {true, "PSK-RC4-SHA"};
|
||||||
|
(C) -> case lists:member(C, AvaiableCiphers) of
|
||||||
|
true -> {true, C};
|
||||||
|
false -> false
|
||||||
|
end
|
||||||
|
end,
|
||||||
MapPSKCiphers = fun(PSKCiphers) ->
|
MapPSKCiphers = fun(PSKCiphers) ->
|
||||||
lists:map(
|
lists:filtermap(fun(C0) ->
|
||||||
fun("PSK-AES128-CBC-SHA") -> {psk, aes_128_cbc, sha};
|
case PskMapping(C0) of
|
||||||
("PSK-AES256-CBC-SHA") -> {psk, aes_256_cbc, sha};
|
false ->
|
||||||
("PSK-3DES-EDE-CBC-SHA") -> {psk, '3des_ede_cbc', sha};
|
cuttlefish:invalid(
|
||||||
("PSK-RC4-SHA") -> {psk, rc4_128, sha}
|
io_lib:format("psk_ciphers: not support ~s", [C0]));
|
||||||
|
{true, C} ->
|
||||||
|
{true, C}
|
||||||
|
end
|
||||||
end, PSKCiphers)
|
end, PSKCiphers)
|
||||||
end,
|
end,
|
||||||
SslOpts = fun(Prefix) ->
|
SslOpts = fun(Prefix) ->
|
||||||
|
|
|
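Review bot: This AvaiableCiphers / PskMapping / MapPSKCiphers block is a verbatim copy of the code added in the emqx_bridge_mqtt hunk (`@ -134,13`) and the lwm2m hunk (`@ -190,21`), so the supported-suite list now lives in three schema files and will drift the next time a suite is added or removed; one shared helper called from each translation would keep them in step. While doing that, `AvaiableCiphers` is misspelled (`AvailableCiphers`) in all three copies, and the user-facing message `"psk_ciphers: not support ~s"` reads better as `"psk_ciphers: unsupported cipher ~s"`. The enclosing translation fun starts and ends outside the hunk.
```erlang
%% Shared helper, to live in one common module (name to be chosen) and be
%% called from all three schema translations in place of the inline copies.
%% Behaviour matches the current inline code, including the legacy pass-throughs.
map_psk_ciphers(PSKCiphers) ->
    Available = ["RSA-PSK-AES256-GCM-SHA384", "RSA-PSK-AES256-CBC-SHA384",
                 "RSA-PSK-AES128-GCM-SHA256", "RSA-PSK-AES128-CBC-SHA256",
                 "RSA-PSK-AES256-CBC-SHA",    "RSA-PSK-AES128-CBC-SHA"],
    %% Legacy spellings still accepted; the value is what each resolves to.
    Legacy = #{"PSK-AES128-CBC-SHA"   => "RSA-PSK-AES128-CBC-SHA",
               "PSK-AES256-CBC-SHA"   => "RSA-PSK-AES256-CBC-SHA",
               "PSK-3DES-EDE-CBC-SHA" => "PSK-3DES-EDE-CBC-SHA",
               "PSK-RC4-SHA"          => "PSK-RC4-SHA"},
    lists:map(
      fun(C0) ->
              case maps:find(C0, Legacy) of
                  {ok, C} -> C;
                  error ->
                      lists:member(C0, Available) orelse
                          cuttlefish:invalid(
                            io_lib:format("psk_ciphers: unsupported cipher ~s", [C0])),
                      C0
              end
      end, PSKCiphers).
```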
@ -190,21 +190,41 @@ end}.
|
||||||
case cuttlefish:conf_get("lwm2m.dtls.ciphers", Conf, undefined) of
|
case cuttlefish:conf_get("lwm2m.dtls.ciphers", Conf, undefined) of
|
||||||
undefined ->
|
undefined ->
|
||||||
[];
|
[];
|
||||||
C ->
|
Ciphers0 ->
|
||||||
[{ciphers, SplitFun(C)}]
|
[{ciphers, SplitFun(Ciphers0)}]
|
||||||
end,
|
end,
|
||||||
PskCiphers =
|
PskCiphers =
|
||||||
case cuttlefish:conf_get("lwm2m.dtls.psk_ciphers", Conf, undefined) of
|
case cuttlefish:conf_get("lwm2m.dtls.psk_ciphers", Conf, undefined) of
|
||||||
undefined ->
|
undefined ->
|
||||||
[];
|
[];
|
||||||
C2 ->
|
C2 ->
|
||||||
Psk = lists:map(fun("PSK-AES128-CBC-SHA") -> "RSA-PSK-AES128-CBC-SHA";
|
AvaiableCiphers = ["RSA-PSK-AES256-GCM-SHA384","RSA-PSK-AES256-CBC-SHA384",
|
||||||
("PSK-AES256-CBC-SHA") -> "RSA-PSK-AES256-CBC-SHA";
|
"RSA-PSK-AES128-GCM-SHA256","RSA-PSK-AES128-CBC-SHA256",
|
||||||
("PSK-3DES-EDE-CBC-SHA") -> "RSA-PSK-3DES-EDE-CBC-SHA";
|
"RSA-PSK-AES256-CBC-SHA","RSA-PSK-AES128-CBC-SHA"
|
||||||
("PSK-RC4-SHA") -> "RSA-PSK-RC4-SHA";
|
],
|
||||||
(Suite) -> Suite
|
%% Compatible with legacy PSK Cipher strings
|
||||||
end, SplitFun(C2)),
|
PskMapping = fun("PSK-AES128-CBC-SHA") -> {true, "RSA-PSK-AES128-CBC-SHA"};
|
||||||
[{ciphers, Psk}, {user_lookup_fun, {fun emqx_psk:lookup/3, <<>>}}]
|
("PSK-AES256-CBC-SHA") -> {true, "RSA-PSK-AES256-CBC-SHA"};
|
||||||
|
("PSK-3DES-EDE-CBC-SHA") -> {true, "PSK-3DES-EDE-CBC-SHA"};
|
||||||
|
("PSK-RC4-SHA") -> {true, "PSK-RC4-SHA"};
|
||||||
|
(C) -> case lists:member(C, AvaiableCiphers) of
|
||||||
|
true -> {true, C};
|
||||||
|
false -> false
|
||||||
|
end
|
||||||
|
end,
|
||||||
|
MapPSKCiphers = fun(PSKCiphers) ->
|
||||||
|
lists:filtermap(fun(C0) ->
|
||||||
|
case PskMapping(C0) of
|
||||||
|
false ->
|
||||||
|
cuttlefish:invalid(
|
||||||
|
io_lib:format("psk_ciphers: not support ~s", [C0]));
|
||||||
|
{true, C} ->
|
||||||
|
{true, C}
|
||||||
|
end
|
||||||
|
end, PSKCiphers)
|
||||||
|
end,
|
||||||
|
[{ciphers, MapPSKCiphers(SplitFun(C2))},
|
||||||
|
{user_lookup_fun, {fun emqx_psk:lookup/3, <<>>}}]
|
||||||
end,
|
end,
|
||||||
Ciphers /= []
|
Ciphers /= []
|
||||||
andalso PskCiphers /= []
|
andalso PskCiphers /= []
|
||||||
|
|
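Review bot: For lwm2m this hunk changes what the two legacy names resolve to: the removed code mapped `PSK-3DES-EDE-CBC-SHA` to `RSA-PSK-3DES-EDE-CBC-SHA` and `PSK-RC4-SHA` to `RSA-PSK-RC4-SHA`, whereas the new PskMapping returns them unchanged, so an existing `lwm2m.dtls.psk_ciphers` setting with either name now selects a different (non-RSA) PSK suite with no warning. The commit title says "unify", but this is a behaviour change for those configs and should be called out in the commit message (or the previous RSA-PSK targets kept) rather than arriving silently; neither the old nor the new target is in AvaiableCiphers, so whichever string survives is not validated against the list either. The `Ciphers /= [] andalso PskCiphers /= []` check at the end belongs to the enclosing translation fun, which ends outside the hunk.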