feat(gen_rpc): Add schema for the TLS versions and cipher suites

ieQu1 2023-09-28 00:30:36 +02:00
parent 3c37f19105
commit 0aa3ccdd65
3 changed files with 36 additions and 16 deletions


@ -168,7 +168,9 @@
-export([namespace/0, roots/0, roots/1, fields/1, desc/1, tags/0]). -export([namespace/0, roots/0, roots/1, fields/1, desc/1, tags/0]).
-export([conf_get/2, conf_get/3, keys/2, filter/1]). -export([conf_get/2, conf_get/3, keys/2, filter/1]).
-export([server_ssl_opts_schema/2, client_ssl_opts_schema/1, ciphers_schema/1]). -export([
server_ssl_opts_schema/2, client_ssl_opts_schema/1, ciphers_schema/1, tls_versions_schema/1
]).
-export([password_converter/2, bin_str_converter/2]). -export([password_converter/2, bin_str_converter/2]).
-export([authz_fields/0]). -export([authz_fields/0]).
-export([sc/2, map/2]). -export([sc/2, map/2]).
@ -2019,7 +2021,6 @@ common_ssl_opts_schema(Defaults, Type) ->
D = fun(Field) -> maps:get(Field, Defaults, undefined) end, D = fun(Field) -> maps:get(Field, Defaults, undefined) end,
Df = fun(Field, Default) -> maps:get(Field, Defaults, Default) end, Df = fun(Field, Default) -> maps:get(Field, Defaults, Default) end,
Collection = maps:get(versions, Defaults, tls_all_available), Collection = maps:get(versions, Defaults, tls_all_available),
DefaultVersions = default_tls_vsns(Collection),
[ [
{"cacertfile", {"cacertfile",
sc( sc(
@ -2093,16 +2094,7 @@ common_ssl_opts_schema(Defaults, Type) ->
converter => fun password_converter/2 converter => fun password_converter/2
} }
)}, )},
{"versions", {"versions", tls_versions_schema(Collection)},
sc(
hoconsc:array(typerefl:atom()),
#{
default => DefaultVersions,
desc => ?DESC(common_ssl_opts_schema_versions),
importance => ?IMPORTANCE_HIGH,
validator => fun(Input) -> validate_tls_versions(Collection, Input) end
}
)},
{"ciphers", ciphers_schema(D(ciphers))}, {"ciphers", ciphers_schema(D(ciphers))},
{"user_lookup_fun", {"user_lookup_fun",
sc( sc(
@ -2319,6 +2311,19 @@ outdated_tls_vsn(tls_all_available) -> ['tlsv1.1', tlsv1].
default_tls_vsns(Key) -> default_tls_vsns(Key) ->
available_tls_vsns(Key) -- outdated_tls_vsn(Key). available_tls_vsns(Key) -- outdated_tls_vsn(Key).
-spec tls_versions_schema(tls_all_available | dtls_all_available) -> hocon_schema:field_schema().
tls_versions_schema(Collection) ->
DefaultVersions = default_tls_vsns(Collection),
sc(
hoconsc:array(typerefl:atom()),
#{
default => DefaultVersions,
desc => ?DESC(common_ssl_opts_schema_versions),
importance => ?IMPORTANCE_HIGH,
validator => fun(Input) -> validate_tls_versions(Collection, Input) end
}
).
-spec ciphers_schema(quic | dtls_all_available | tls_all_available | undefined) -> -spec ciphers_schema(quic | dtls_all_available | tls_all_available | undefined) ->
hocon_schema:field_schema(). hocon_schema:field_schema().
ciphers_schema(Default) -> ciphers_schema(Default) ->
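Review bot: The newly exported `tls_versions_schema/1` (hunk at 2311) has a `-spec` but no doc comment, and its contract is not obvious from the name: the default is the collection minus the outdated versions returned by `outdated_tls_vsn/1` (via `default_tls_vsns/1`), while an explicitly configured list is only checked by `validate_tls_versions/2`, whose body is outside the hunk. A short comment above the spec would help the next caller, e.g. `%% @doc Field schema for the list of enabled TLS/DTLS versions. The default drops the versions listed by outdated_tls_vsn/1; explicit values are checked by validate_tls_versions/2.`. The spec also narrows the argument to `tls_all_available | dtls_all_available`, unlike `ciphers_schema/1` which additionally accepts `quic | undefined`; that looks intentional since `common_ssl_opts_schema` always derives `Collection` with a `tls_all_available` fallback, but it is worth stating in the comment so nobody passes `undefined` and hits a `function_clause` in `available_tls_vsns/1`.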


@ -940,7 +940,9 @@ fields("rpc") ->
default => true, default => true,
desc => ?DESC(rpc_insecure_fallback) desc => ?DESC(rpc_insecure_fallback)
} }
)} )},
{"ciphers", emqx_schema:ciphers_schema(tls_all_available)},
{"tls_versions", emqx_schema:tls_versions_schema(tls_all_available)}
]; ];
fields("log") -> fields("log") ->
[ [
@ -1176,7 +1178,11 @@ translation("emqx") ->
{"cluster_hocon_file", fun tr_cluster_hocon_file/1} {"cluster_hocon_file", fun tr_cluster_hocon_file/1}
]; ];
translation("gen_rpc") -> translation("gen_rpc") ->
[{"default_client_driver", fun tr_default_config_driver/1}]; [
{"default_client_driver", fun tr_default_config_driver/1},
{"ssl_client_options", fun tr_gen_rpc_ssl_options/1},
{"ssl_server_options", fun tr_gen_rpc_ssl_options/1}
];
translation("prometheus") -> translation("prometheus") ->
[ [
{"collectors", fun tr_prometheus_collectors/1} {"collectors", fun tr_prometheus_collectors/1}
@ -1240,6 +1246,11 @@ collector_enabled(disabled, _) -> [].
tr_default_config_driver(Conf) -> tr_default_config_driver(Conf) ->
conf_get("rpc.driver", Conf). conf_get("rpc.driver", Conf).
tr_gen_rpc_ssl_options(Conf) ->
Ciphers = conf_get("rpc.ciphers", Conf),
Versions = conf_get("rpc.tls_versions", Conf),
[{ciphers, Ciphers}, {versions, Versions}].
tr_config_files(_Conf) -> tr_config_files(_Conf) ->
case os:getenv("EMQX_ETC_DIR") of case os:getenv("EMQX_ETC_DIR") of
false -> false ->
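Review bot: `tr_gen_rpc_ssl_options/1` (hunk at 1246) builds a fresh proplist holding only `ciphers` and `versions`, and the translation wires the same function to both `ssl_client_options` and `ssl_server_options`, so whatever those application-environment keys previously carried (certificate, key and verification settings) is replaced rather than merged. Whether that is safe depends on gen_rpc supplying the remaining TLS options itself, which the linked gen_rpc PR presumably does but which is not visible here; please confirm, and record the assumption next to the function, e.g. `%% Sets only ciphers/versions; gen_rpc is expected to provide the remaining SSL options (certs, verify) on its own.`. Note also that the backplane field is named `"tls_versions"` (hunk at 940) while the shared listener schema uses `"versions"`; if that difference is deliberate, the `?DESC(rpc_...)` text for the new fields should say so to avoid operators copying the listener key.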


@ -1,2 +1,6 @@
Use default TLS options for the EMQX backplane communications via gen_rpc. Disable outdated TLS versions and ciphersuites in the EMQX backplane network (`gen_rpc`).
The corresponding PR: https://github.com/emqx/gen_rpc/pull/36 Allow using tlsv1.3 on the backplane.
Add new configuration parameters: `EMQX_RPC__TLS_VERSIONS` and `EMQX_RPC__CIPHERS`.
The corresponding `gen_rpc` PR: https://github.com/emqx/gen_rpc/pull/36