feat(quic): support mTLS with 'verify' and 'cacertfile'
This commit is contained in:
parent
c7efccb996
commit
04f502fb54
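--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -370,17 +370,22 @@ do_start_listener(quic, ListenerName, #{bind := Bind} = Opts) ->
 case [A || {quicer, _, _} = A <- application:which_applications()] of
 [_] ->
 DefAcceptors = erlang:system_info(schedulers_online) * 8,
-ListenOpts = [
-{cert, maps:get(certfile, Opts)},
-{key, maps:get(keyfile, Opts)},
-{alpn, ["mqtt"]},
-{conn_acceptors, lists:max([DefAcceptors, maps:get(acceptors, Opts, 0)])},
-{keep_alive_interval_ms, maps:get(keep_alive_interval, Opts, 0)},
-{idle_timeout_ms, maps:get(idle_timeout, Opts, 0)},
-{handshake_idle_timeout_ms, maps:get(handshake_idle_timeout, Opts, 10000)},
-{server_resumption_level, 2},
-{verify, none}
-],
+ListenOpts =
+[
+{cert, maps:get(certfile, Opts)},
+{key, maps:get(keyfile, Opts)},
+{alpn, ["mqtt"]},
+{conn_acceptors, lists:max([DefAcceptors, maps:get(acceptors, Opts, 0)])},
+{keep_alive_interval_ms, maps:get(keep_alive_interval, Opts, 0)},
+{idle_timeout_ms, maps:get(idle_timeout, Opts, 0)},
+{handshake_idle_timeout_ms, maps:get(handshake_idle_timeout, Opts, 10000)},
+{server_resumption_level, 2},
+{verify, maps:get(verify, Opts, verify_none)}
+] ++
+case maps:get(cacertfile, Opts, undefined) of
+undefined -> [];
+CaCertFile -> [{cacertfile, binary_to_list(CaCertFile)}]
+end,
 ConnectionOpts = #{
 conn_callback => emqx_quic_connection,
 peer_unidi_stream_count => 1,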
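Review bot: `verify_peer` can be configured without a `cacertfile`, because the new `case maps:get(cacertfile, Opts, undefined)` only appends the trust anchor when one is set and nothing ties it to the `verify` value; what quicer does with `verify_peer` and no CA bundle is not visible here, so it is safer to refuse that combination when `ListenOpts` is built, e.g. match `{maps:get(verify, Opts, verify_none), maps:get(cacertfile, Opts, undefined)}` and return an error for `{verify_peer, undefined}` instead of starting the listener. The old code passed the atom `none` and the new code forwards the schema atoms `verify_none`/`verify_peer` unchanged, so it is worth confirming that quicer accepts that spelling rather than silently ignoring it. `cacertfile` goes through `binary_to_list/1` while `certfile` and `keyfile` are forwarded as-is, which suggests the three path options arrive in different types; a short comment such as `%% cacertfile is a binary() in the schema, quicer expects a string` would explain the asymmetry. `do_start_listener/3` begins before this hunk and continues after it.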
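--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -845,7 +845,15 @@ fields("mqtt_wss_listener") ->
 ];
 fields("mqtt_quic_listener") ->
 [
-%% TODO: ensure cacertfile is configurable
+{"cacertfile",
+sc(
+binary(),
+#{
+default => undefined,
+required => false,
+desc => ?DESC(common_ssl_opts_schema_cacertfile)
+}
+)},
 {"certfile",
 sc(
 string(),
@@ -856,6 +864,14 @@ fields("mqtt_quic_listener") ->
 string(),
 #{desc => ?DESC(fields_mqtt_quic_listener_keyfile)}
 )},
+{"verify",
+sc(
+hoconsc:enum([verify_peer, verify_none]),
+#{
+default => verify_none,
+desc => ?DESC(common_ssl_opts_schema_verify)
+}
+)},
 {"ciphers", ciphers_schema(quic)},
 {"idle_timeout",
 sc(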
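Review bot: The new `"cacertfile"` field is typed `binary()` while the neighbouring `"certfile"` and `"keyfile"` fields in the same list are `string()`, so the three path options of one listener have two different runtime types; declaring it `string()` like its siblings keeps the schema uniform and removes the need for a conversion on the consumer side. The `"verify"` field reuses `?DESC(common_ssl_opts_schema_verify)`, which presumably documents the generic TLS option set; if that text mentions behaviour QUIC does not expose, a QUIC-specific desc key would avoid misleading operators. A one-line comment above the field, `%% verify_peer requires cacertfile to be set`, would make the dependency between the two new options visible to anyone editing the schema.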