diff --git a/apps/emqx/src/emqx_tls_lib.erl b/apps/emqx/src/emqx_tls_lib.erl
index 4bc18f1e0..85c4396ab 100644
--- a/apps/emqx/src/emqx_tls_lib.erl
+++ b/apps/emqx/src/emqx_tls_lib.erl
@@ -166,7 +166,20 @@ all_ciphers(['tlsv1.3']) ->
 all_ciphers(Versions) ->
 %% assert non-empty
 List = lists:append([ssl:cipher_suites(all, V, openssl) || V <- Versions]),
- [_ | _] = dedup(List).
+
+ %% Some PSK ciphers are both supported by OpenSSL and Erlang, but they need manual add here.
+ %% Found by this cmd
+ %% openssl ciphers -v|grep ^PSK| awk '{print $1}'| sed "s/^/\"/;s/$/\"/" | tr "\n" ","
+ %% Then remove the ciphers that aren't supported by Erlang
+ PSK = [
+ "PSK-AES256-GCM-SHA384",
+ "PSK-AES128-GCM-SHA256",
+ "PSK-AES256-CBC-SHA384",
+ "PSK-AES256-CBC-SHA",
+ "PSK-AES128-CBC-SHA256",
+ "PSK-AES128-CBC-SHA"
+ ],
+ [_ | _] = dedup(List ++ PSK).
 
 %% @doc All Pre-selected TLS ciphers.
 default_ciphers() ->
diff --git a/apps/emqx_psk/test/emqx_psk_SUITE.erl b/apps/emqx_psk/test/emqx_psk_SUITE.erl
index 816562a26..af19cae38 100644
--- a/apps/emqx_psk/test/emqx_psk_SUITE.erl
+++ b/apps/emqx_psk/test/emqx_psk_SUITE.erl
@@ -24,8 +24,13 @@
 -define(CR, 13).
 -define(LF, 10).
 
-all() ->
- emqx_common_test_helpers:all(?MODULE).
+all() -> [{group, normal}, {group, ciphers}].
+
+groups() ->
+ [
+ {normal, [], emqx_common_test_helpers:all(?MODULE)},
+ {ciphers, [], [ciphers_test]}
+ ].
 
 init_per_suite(Config) ->
 meck:new(emqx_config, [non_strict, passthrough, no_history, no_link]),
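Review bot: The hard-coded `PSK` list is appended to `List` for every `Versions` argument this clause receives, yet four of the six suites (the GCM and the SHA256/SHA384 CBC ones) are TLS 1.2-only, so a caller asking for `['tlsv1.1']` now gets suites that can never be negotiated; the list is also added without asking the running OTP whether it accepts them, which the comment leaves to a manual step that silently goes stale on an OTP bump. I would gate the append on `lists:member('tlsv1.2', Versions)` and filter at runtime, e.g. `PSKSupported = [C || C <- PSK, is_map(ssl:str_to_suite(C))]` (as far as I recall `ssl:str_to_suite/1` returns a suite map for a recognised OpenSSL name and an error term otherwise — confirm against the OTP releases EMQX supports). At minimum the comment should record what it was verified against, e.g. `%% Verified against OTP <version placeholder>; re-check when bumping OTP`. The `all_ciphers(['tlsv1.3'])` clause of the same function sits outside the hunk.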
@@ -128,3 +133,47 @@ t_trim_crlf(_) ->
 ?assertEqual(Bin, emqx_psk:trim_crlf(Bin)),
 ?assertEqual(Bin, emqx_psk:trim_crlf(<>)),
 ?assertEqual(Bin, emqx_psk:trim_crlf(<>)).
+
+ciphers_test(Config) ->
+ Ciphers = [
+ "PSK-AES256-GCM-SHA384",
+ "PSK-AES128-GCM-SHA256",
+ "PSK-AES256-CBC-SHA384",
+ "PSK-AES256-CBC-SHA",
+ "PSK-AES128-CBC-SHA256",
+ "PSK-AES128-CBC-SHA"
+ ],
+ lists:foreach(fun(Cipher) -> cipher_test(Cipher, Config) end, Ciphers).
+
+cipher_test(Cipher, _) ->
+ ct:pal("Test PSK with Cipher:~p~n", [Cipher]),
+ PSKIdentity1 = "myclient1",
+ SharedSecret1 = <<"8c701116e9127c57a99d5563709af3deaca75563e2c4dd0865701ae839fb6d79">>,
+
+ ClientLookup = fun
+ (psk, undefined, _) -> {ok, SharedSecret1};
+ (psk, _, _) -> error
+ end,
+
+ ClientTLSOpts = #{
+ versions => ['tlsv1.2'],
+ ciphers => [Cipher],
+ psk_identity => PSKIdentity1,
+ verify => verify_none,
+ user_lookup_fun => {ClientLookup, undefined}
+ },
+
+ ServerTLSOpts = #{
+ versions => ['tlsv1.2'],
+ ciphers => [Cipher],
+ verify => verify_none,
+ reuseaddr => true,
+ user_lookup_fun => {fun emqx_tls_psk:lookup/3, undefined}
+ },
+ emqx_config:put([listeners, ssl, default, ssl_options], ServerTLSOpts),
+ emqx_listeners:restart_listener('ssl:default'),
+
+ {ok, Socket} = ssl:connect("127.0.0.1", 8883, maps:to_list(ClientTLSOpts)),
+ ssl:close(Socket),
+
+ ok.
diff --git a/changes/v5.0.12-en.md b/changes/v5.0.12-en.md
index 7388e1e02..f8950976d 100644
--- a/changes/v5.0.12-en.md
+++ b/changes/v5.0.12-en.md
@@ -16,6 +16,8 @@
 - Redesign `/rules` API to make `metrics` a dedicated resources rather than being included with every response [#9461](https://github.com/emqx/emqx/pull/9461).
 
+- Add more PSK ciphers support [#9505](https://github.com/emqx/emqx/pull/9505).
+
 ## Bug fixes
 
 - Fix that the obsolete SSL files aren't deleted after the ExHook config update [#9432](https://github.com/emqx/emqx/pull/9432).
diff --git a/changes/v5.0.12-zh.md b/changes/v5.0.12-zh.md
index b1e487131..c5c12040c 100644
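Review bot: `cipher_test` overwrites the live `ssl:default` listener options with `emqx_config:put` and restarts the listener, but never restores what was there before, so a PSK-only, `verify_none` listener outlives the test case and leaks into whatever runs next on the node, with the last iteration's `ciphers => [Cipher]` still in effect. The `ssl:connect/3` call also carries no timeout, so a handshake that stalls instead of failing would hang the group indefinitely. I would read the original options back first (`emqx_config:get/1` should return them, assuming the suite's passthrough mock does not intercept it), wrap the connect in `try … after` that restores them and restarts the listener, pass an explicit timeout, and assert the negotiated suite via `ssl:connection_information(Socket, [selected_cipher_suite])` so the case proves the cipher was used rather than only that some handshake completed (confirm the suite-map comparison against the OTP in use). Whether `reuseaddr => true` belongs in `ssl_options` or in the listener's TCP options I cannot tell from this hunk.
```erlang
cipher_test(Cipher, _) ->
    %% … unchanged: ct:pal, PSKIdentity1/SharedSecret1, ClientLookup, ClientTLSOpts, ServerTLSOpts …
    ConfPath = [listeners, ssl, default, ssl_options],
    OrigTLSOpts = emqx_config:get(ConfPath),
    emqx_config:put(ConfPath, ServerTLSOpts),
    emqx_listeners:restart_listener('ssl:default'),
    try
        {ok, Socket} = ssl:connect("127.0.0.1", 8883, maps:to_list(ClientTLSOpts), 5000),
        {ok, [{selected_cipher_suite, Selected}]} =
            ssl:connection_information(Socket, [selected_cipher_suite]),
        ?assertEqual(ssl:str_to_suite(Cipher), Selected),
        ssl:close(Socket),
        ok
    after
        %% put the listener back the way the suite found it
        emqx_config:put(ConfPath, OrigTLSOpts),
        emqx_listeners:restart_listener('ssl:default')
    end.
```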
--- a/changes/v5.0.12-zh.md
+++ b/changes/v5.0.12-zh.md
@@ -16,6 +16,8 @@
 - 重新设计了 `/rules` API,将 `metrics` 改为专用资源,而不再是包含在每个响应中 [#9461](https://github.com/emqx/emqx/pull/9461)。
 
+- 支持更多的 PSK 密码套件[#9505](https://github.com/emqx/emqx/pull/9505)。
+
 ## 修复
 
 - 修复 ExHook 更新 SSL 相关配置后,过时的 SSL 文件没有被删除的问题 [#9432](https://github.com/emqx/emqx/pull/9432)。