From 0aa3ccdd655cb2035abe741ed1b63be0593f1e91 Mon Sep 17 00:00:00 2001 From: ieQu1 <99872536+ieQu1@users.noreply.github.com> Date: Thu, 28 Sep 2023 00:30:36 +0200 Subject: [PATCH] feat(gen_rpc): Add schema for the TLS versions and cipher suites --- apps/emqx/src/emqx_schema.erl | 29 +++++++++++++++---------- apps/emqx_conf/src/emqx_conf_schema.erl | 15 +++++++++++-- changes/ce/fix-11697.en.md | 8 +++++-- 3 files changed, 36 insertions(+), 16 deletions(-) diff --git a/apps/emqx/src/emqx_schema.erl b/apps/emqx/src/emqx_schema.erl index 04bd397ec..beb8c2567 100644 --- a/apps/emqx/src/emqx_schema.erl +++ b/apps/emqx/src/emqx_schema.erl @@ -168,7 +168,9 @@ -export([namespace/0, roots/0, roots/1, fields/1, desc/1, tags/0]). -export([conf_get/2, conf_get/3, keys/2, filter/1]). --export([server_ssl_opts_schema/2, client_ssl_opts_schema/1, ciphers_schema/1]). +-export([ + server_ssl_opts_schema/2, client_ssl_opts_schema/1, ciphers_schema/1, tls_versions_schema/1 +]). -export([password_converter/2, bin_str_converter/2]). -export([authz_fields/0]). -export([sc/2, map/2]). @@ -2019,7 +2021,6 @@ common_ssl_opts_schema(Defaults, Type) -> D = fun(Field) -> maps:get(Field, Defaults, undefined) end, Df = fun(Field, Default) -> maps:get(Field, Defaults, Default) end, Collection = maps:get(versions, Defaults, tls_all_available), - DefaultVersions = default_tls_vsns(Collection), [ {"cacertfile", sc( @@ -2093,16 +2094,7 @@ common_ssl_opts_schema(Defaults, Type) -> converter => fun password_converter/2 } )}, - {"versions", - sc( - hoconsc:array(typerefl:atom()), - #{ - default => DefaultVersions, - desc => ?DESC(common_ssl_opts_schema_versions), - importance => ?IMPORTANCE_HIGH, - validator => fun(Input) -> validate_tls_versions(Collection, Input) end - } - )}, + {"versions", tls_versions_schema(Collection)}, {"ciphers", ciphers_schema(D(ciphers))}, {"user_lookup_fun", sc( 
@@ -2319,6 +2311,19 @@ outdated_tls_vsn(tls_all_available) -> ['tlsv1.1', tlsv1]. default_tls_vsns(Key) -> available_tls_vsns(Key) -- outdated_tls_vsn(Key). +-spec tls_versions_schema(tls_all_available | dtls_all_available) -> hocon_schema:field_schema(). +tls_versions_schema(Collection) -> + DefaultVersions = default_tls_vsns(Collection), + sc( + hoconsc:array(typerefl:atom()), + #{ + default => DefaultVersions, + desc => ?DESC(common_ssl_opts_schema_versions), + importance => ?IMPORTANCE_HIGH, + validator => fun(Input) -> validate_tls_versions(Collection, Input) end + } + ). + -spec ciphers_schema(quic | dtls_all_available | tls_all_available | undefined) -> hocon_schema:field_schema(). ciphers_schema(Default) -> diff --git a/apps/emqx_conf/src/emqx_conf_schema.erl b/apps/emqx_conf/src/emqx_conf_schema.erl index f1bfc3d31..e87c3c898 100644 --- a/apps/emqx_conf/src/emqx_conf_schema.erl +++ b/apps/emqx_conf/src/emqx_conf_schema.erl @@ -940,7 +940,9 @@ fields("rpc") -> default => true, desc => ?DESC(rpc_insecure_fallback) } - )} + )}, + {"ciphers", emqx_schema:ciphers_schema(tls_all_available)}, + {"tls_versions", emqx_schema:tls_versions_schema(tls_all_available)} ]; fields("log") -> [ @@ -1176,7 +1178,11 @@ translation("emqx") -> {"cluster_hocon_file", fun tr_cluster_hocon_file/1} ]; translation("gen_rpc") -> - [{"default_client_driver", fun tr_default_config_driver/1}]; + [ + {"default_client_driver", fun tr_default_config_driver/1}, + {"ssl_client_options", fun tr_gen_rpc_ssl_options/1}, + {"ssl_server_options", fun tr_gen_rpc_ssl_options/1} + ]; translation("prometheus") -> [ {"collectors", fun tr_prometheus_collectors/1} 
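Review bot: The newly exported `tls_versions_schema/1` carries a `-spec` but no doc comment, and the security-relevant property of its default — that `default_tls_vsns/1` strips the `outdated_tls_vsn/1` entries (`tlsv1.1`, `tlsv1` for `tls_all_available`) from whatever the runtime reports as available — is only discoverable by reading the helpers above it. I would put above the spec: `%% @doc Field schema for a TLS/DTLS 'versions' list. Default is the versions available in the running OTP minus the outdated ones (see outdated_tls_vsn/1); the validator rejects anything outside the given collection.` The spec admits only `tls_all_available | dtls_all_available`, while the caller in `common_ssl_opts_schema/2` forwards `maps:get(versions, Defaults, tls_all_available)` unchanged, so a `Defaults` map with another value would reach `validate_tls_versions/2` at runtime rather than be caught by Dialyzer — worth stating in that comment as well.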
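Review bot: `rpc.tls_versions` and `rpc.ciphers` inherit the descriptions of the generic SSL option schema (`?DESC(common_ssl_opts_schema_versions)` is hard-wired inside `tls_versions_schema/1`, and `ciphers_schema/1` presumably carries its own), so the rendered documentation for these two keys will read as listener options and will not say that they only matter when `rpc.driver = ssl`, nor that they configure both the client and the server side of the backplane. Give the rpc fields their own text — e.g. `?DESC(rpc_tls_versions)` and `?DESC(rpc_ciphers)` — either through an optional description argument on `tls_versions_schema/1` or, if `sc/2` returns a plain map, by overriding `desc` on the values in this hunk. The enclosing `fields("rpc")` clause starts outside the hunk.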
@@ -1240,6 +1246,11 @@ collector_enabled(disabled, _) -> []. tr_default_config_driver(Conf) -> conf_get("rpc.driver", Conf). +tr_gen_rpc_ssl_options(Conf) -> + Ciphers = conf_get("rpc.ciphers", Conf), + Versions = conf_get("rpc.tls_versions", Conf), + [{ciphers, Ciphers}, {versions, Versions}]. + tr_config_files(_Conf) -> case os:getenv("EMQX_ETC_DIR") of false -> diff --git a/changes/ce/fix-11697.en.md b/changes/ce/fix-11697.en.md index 453b0113b..d4931539f 100644 --- a/changes/ce/fix-11697.en.md +++ b/changes/ce/fix-11697.en.md @@ -1,2 +1,6 @@ -Use default TLS options for the EMQX backplane communications via gen_rpc. -The corresponding PR: https://github.com/emqx/gen_rpc/pull/36 +Disable outdated TLS versions and ciphersuites in the EMQX backplane network (`gen_rpc`). +Allow using tlsv1.3 on the backplane. + +Add new configuration parameters: `EMQX_RPC__TLS_VERSIONS` and `EMQX_RPC__CIPHERS`. + +The corresponding `gen_rpc` PR: https://github.com/emqx/gen_rpc/pull/36
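Review bot: `tr_gen_rpc_ssl_options/1` hands the configured lists to gen_rpc verbatim as `[{ciphers, Ciphers}, {versions, Versions}]`, and nothing in this patch checks that the two agree: `rpc.tls_versions = [tlsv1.3]` combined with a `rpc.ciphers` list of TLS 1.2-only suites (or the reverse) passes schema validation and only fails at the first backplane handshake, i.e. at cluster join, which is a hard place to diagnose. If the listener code path already has a helper that reconciles versions and cipher suites (dropping 1.3-only suites when `tlsv1.3` is absent and vice versa), route these values through it here; otherwise add a cross-field validator on the `rpc` fields. An empty `rpc.ciphers` is likewise forwarded as `{ciphers, []}`, so whether the default suites then apply depends on OTP `ssl`/gen_rpc behaviour rather than on this module — document which it is. Since the same function backs both `ssl_client_options` and `ssl_server_options`, add `%% Applied to both gen_rpc client and server sockets (see translation("gen_rpc")).` above the function head.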