feat(quic): support mTLS with 'verify' and 'cacertfile'

2023-02-03 11:36:31 +01:00 · 2023-02-03 11:36:31 +01:00 · 04f502fb54
parent c7efccb996
commit 04f502fb54
2 changed files with 33 additions and 12 deletions
--- a/apps/emqx/src/emqx_listeners.erl
+++ b/apps/emqx/src/emqx_listeners.erl
@ -370,17 +370,22 @@ do_start_listener(quic, ListenerName, #{bind := Bind} = Opts) ->
    case [A || {quicer, _, _} = A <- application:which_applications()] of
        [_] ->
            DefAcceptors = erlang:system_info(schedulers_online) * 8,
-            ListenOpts = [
-                {cert, maps:get(certfile, Opts)},
-                {key, maps:get(keyfile, Opts)},
-                {alpn, ["mqtt"]},
-                {conn_acceptors, lists:max([DefAcceptors, maps:get(acceptors, Opts, 0)])},
-                {keep_alive_interval_ms, maps:get(keep_alive_interval, Opts, 0)},
-                {idle_timeout_ms, maps:get(idle_timeout, Opts, 0)},
-                {handshake_idle_timeout_ms, maps:get(handshake_idle_timeout, Opts, 10000)},
-                {server_resumption_level, 2},
-                {verify, none}
-            ],
+            ListenOpts =
+                [
+                    {cert, maps:get(certfile, Opts)},
+                    {key, maps:get(keyfile, Opts)},
+                    {alpn, ["mqtt"]},
+                    {conn_acceptors, lists:max([DefAcceptors, maps:get(acceptors, Opts, 0)])},
+                    {keep_alive_interval_ms, maps:get(keep_alive_interval, Opts, 0)},
+                    {idle_timeout_ms, maps:get(idle_timeout, Opts, 0)},
+                    {handshake_idle_timeout_ms, maps:get(handshake_idle_timeout, Opts, 10000)},
+                    {server_resumption_level, 2},
+                    {verify, maps:get(verify, Opts, verify_none)}
+                ] ++
+                    case maps:get(cacertfile, Opts, undefined) of
+                        undefined -> [];
+                        CaCertFile -> [{cacertfile, binary_to_list(CaCertFile)}]
+                    end,
            ConnectionOpts = #{
                conn_callback => emqx_quic_connection,
                peer_unidi_stream_count => 1,
--- a/apps/emqx/src/emqx_schema.erl
+++ b/apps/emqx/src/emqx_schema.erl
@ -845,7 +845,15 @@ fields("mqtt_wss_listener") ->
        ];
 fields("mqtt_quic_listener") ->
    [
-        %% TODO: ensure cacertfile is configurable
+        {"cacertfile",
+            sc(
+                binary(),
+                #{
+                    default => undefined,
+                    required => false,
+                    desc => ?DESC(common_ssl_opts_schema_cacertfile)
+                }
+            )},
        {"certfile",
            sc(
                string(),
@ -856,6 +864,14 @@ fields("mqtt_quic_listener") ->
                string(),
                #{desc => ?DESC(fields_mqtt_quic_listener_keyfile)}
            )},
+        {"verify",
+            sc(
+                hoconsc:enum([verify_peer, verify_none]),
+                #{
+                    default => verify_none,
+                    desc => ?DESC(common_ssl_opts_schema_verify)
+                }
+            )},
        {"ciphers", ciphers_schema(quic)},
        {"idle_timeout",
            sc(