From 2b6be02485dbb0764779bc643ecc3ac8a2da84dd Mon Sep 17 00:00:00 2001 From: zhongwencool Date: Fri, 11 Nov 2022 18:05:31 +0800 Subject: [PATCH] feat: validate tls_versions value --- changes/v4.3.22-en.md | 2 ++ changes/v4.3.22-zh.md | 2 ++ priv/emqx.schema | 11 ++++++++++- 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/changes/v4.3.22-en.md b/changes/v4.3.22-en.md index 48177dc19..c11ea3718 100644 --- a/changes/v4.3.22-en.md +++ b/changes/v4.3.22-en.md @@ -3,6 +3,8 @@ ## Enhancements +- Make sure listener's tls_versions is `[tlsv1,tlsv1.1,tlsv1.2,tlsv1.3]` [#9260](https://github.com/emqx/emqx/pull/9260). + - Remove useless information from the dashboard listener failure log [#9260](https://github.com/emqx/emqx/pull/9260). - We now trigger the `'message.acked'` hook after the CoAP gateway sends a message to the device and receives the ACK from the device [#9264](https://github.com/emqx/emqx/pull/9264). diff --git a/changes/v4.3.22-zh.md b/changes/v4.3.22-zh.md index e5ee67942..fc78c6985 100644 --- a/changes/v4.3.22-zh.md +++ b/changes/v4.3.22-zh.md @@ -2,6 +2,8 @@ ## 增强 +- 确证监听器的 tls_versions 为 `[tlsv1,tlsv1.1,tlsv1.2,tlsv1.3]` [#9260](https://github.com/emqx/emqx/pull/9260). + - 删除 Dashboard 监听器失败时日志中的无用信息 [#9260](https://github.com/emqx/emqx/pull/9260). - 当 CoAP 网关给设备投递消息并收到设备发来的确认之后,回调 `'message.acked'` 钩子 [#9264](https://github.com/emqx/emqx/pull/9264)。 diff --git a/priv/emqx.schema b/priv/emqx.schema index 61808dfa4..60cb85ae2 100644 --- a/priv/emqx.schema +++ b/priv/emqx.schema 
@@ -2203,7 +2203,16 @@ end}.
 SslOpts = fun(Prefix) ->
 Versions = case SplitFun(cuttlefish:conf_get(Prefix ++ ".tls_versions", Conf, undefined)) of
 undefined -> undefined;
- L -> [list_to_atom(V) || V <- L]
+ L ->
+ Versions0 = [list_to_atom(V) || V <- L],
+ SupportVersions = ['tlsv1', 'tlsv1.1', 'tlsv1.2', 'tlsv1.3'],
+ case lists:all(fun(V) -> lists:member(V, SupportVersions) end, Versions0) of
+ false ->
+ cuttlefish:invalid(
+ lists:flatten(io_lib:format("tls_versions: only support ~p", [SupportVersions])));
+ true ->
+ Versions0
+ end
 end,
 TLSCiphers = cuttlefish:conf_get(Prefix++".ciphers", Conf, undefined),
 PSKCiphers = cuttlefish:conf_get(Prefix++".psk_ciphers", Conf, undefined),
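Review bot: The new check in the `L ->` branch only tests membership, so `tlsv1` and `tlsv1.1` still pass silently although both are deprecated (RFC 8996); a comment on `SupportVersions` such as `%% tlsv1 and tlsv1.1 are accepted for compatibility only; prefer tlsv1.2 and tlsv1.3` would make clear that the list is what the parser accepts, not what is recommended. The values are also converted with `list_to_atom/1` before they are validated, so a rejected entry has already been added to the atom table; checking the strings first with `lists:member(V, ["tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"])` and converting afterwards avoids that, though the exposure is small if only operators can edit this config. The error text prints the allowed set but not the offending entry, and adding `Versions0 -- SupportVersions` to the message would make a typo easier to locate. The enclosing `SslOpts` fun starts inside the hunk and continues past its last line.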