From baf01617cdf6e39c81c7f33757c485536e99ef14 Mon Sep 17 00:00:00 2001
From: William Yang
Date: Thu, 2 Mar 2023 14:03:44 +0100
Subject: [PATCH 1/2] fix(quic): mark unsupp TLS options deprecated
---
 apps/emqx/src/emqx_schema.erl | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/apps/emqx/src/emqx_schema.erl b/apps/emqx/src/emqx_schema.erl
index bb4520aa9..a673fa898 100644
--- a/apps/emqx/src/emqx_schema.erl
+++ b/apps/emqx/src/emqx_schema.erl
@@ -1280,7 +1280,18 @@ fields("listener_wss_opts") ->
 true
 );
 fields("listener_quic_ssl_opts") ->
- server_ssl_opts_schema(#{}, false);
+ %% Mark unsupported TLS options deprecated.
+ lists:map(
+ fun({Name, Schema}) ->
+ case is_quic_ssl_opts(Name) of
+ true ->
+ {Name, Schema};
+ false ->
+ {Name, Schema#{deprecated => {since, "5.0.20"}}}
+ end
+ end,
+ server_ssl_opts_schema(#{}, false)
+ );
 fields("ssl_client_opts") ->
 client_ssl_opts_schema(#{});
 fields("deflate_opts") ->
@@ -2841,3 +2852,18 @@ quic_lowlevel_settings_uint(Low, High, Desc) ->
 desc => Desc
 }
 ).
+
+-spec is_quic_ssl_opts(string()) -> boolean().
+is_quic_ssl_opts(Name) ->
+ lists:member(Name, [
+ "cacertfile",
+ "certfile",
+ "keyfile",
+ "verify"
+ %% Followings are planned
+ %% , "password"
+ %% , "hibernate_after"
+ %% , "fail_if_no_peer_cert"
+ %% , "handshake_timeout"
+ %% , "gc_after_handshake"
+ ]).
From 6649a4f7d16dd73492db6ccf06df5d1a413e4eee Mon Sep 17 00:00:00 2001
From: William Yang
Date: Thu, 2 Mar 2023 15:51:12 +0100
Subject: [PATCH 2/2] docs: add change logs
---
 changes/ce/fix-10058.en.md | 7 +++++++
 changes/ce/fix-10058.zh.md | 8 ++++++++
 2 files changed, 15 insertions(+)
 create mode 100644 changes/ce/fix-10058.en.md
 create mode 100644 changes/ce/fix-10058.zh.md
diff --git a/changes/ce/fix-10058.en.md b/changes/ce/fix-10058.en.md
new file mode 100644
index 000000000..337ac5d47
--- /dev/null
+++ b/changes/ce/fix-10058.en.md
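Review bot: The one-line comment in the new `fields("listener_quic_ssl_opts")` clause does not say what the deprecation means for an operator who already has one of these options set on a QUIC listener. Going by the commit title the options were never applied there, so a config that carries e.g. `fail_if_no_peer_cert` or `handshake_timeout` (both listed as planned in the second hunk) reads as stricter than the listener actually is. I would extend the comment to something like `%% Options outside is_quic_ssl_opts/1 are not applied by the QUIC listener; they stay in the schema only so existing configs keep loading.` It is also worth confirming that loading a config with a deprecated field set produces a visible warning, which cannot be seen from this hunk. `fields/1` has further clauses outside the hunk.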
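Review bot: `is_quic_ssl_opts/1` is an allowlist, but nothing on it says so: any field that `server_ssl_opts_schema/2` returns now or gains later is marked deprecated for QUIC unless its name is added here, and the match is an exact string comparison, so a name returned as an atom or binary would fall through to the deprecated branch (the helper's return shape is not visible in this patch). A header comment such as `%% Allowlist of TLS options the QUIC listener applies; every other server_ssl_opts_schema/2 field is marked deprecated.` would make that explicit. Since `verify` is kept while `fail_if_no_peer_cert` is only planned, the description of `verify` for QUIC should state how a client that presents no certificate is handled. The commented-out entries inside the list would read better as a single `%% TODO` line naming the planned options than as disabled code.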
@@ -0,0 +1,7 @@
+Deprecate unused QUIC TLS options.
+Only following TLS options are kept for the QUIC listeners:
+
+- cacertfile
+- certfile
+- keyfile
+- verify
diff --git a/changes/ce/fix-10058.zh.md b/changes/ce/fix-10058.zh.md
new file mode 100644
index 000000000..d1dea37c3
--- /dev/null
+++ b/changes/ce/fix-10058.zh.md
@@ -0,0 +1,8 @@
+废弃未使用的 QUIC TLS 选项。
+QUIC 监听器只保留以下 TLS 选项：
+
+- cacertfile
+- certfile
+- keyfile
+- verify
+