Merge pull request #9505 from lafirest/fix/psk_r50
fix(psk): Add more PSK ciphers support
commit
3705d5bc73
|
@ -166,7 +166,20 @@ all_ciphers(['tlsv1.3']) ->
|
||||||
all_ciphers(Versions) ->
|
all_ciphers(Versions) ->
|
||||||
%% assert non-empty
|
%% assert non-empty
|
||||||
List = lists:append([ssl:cipher_suites(all, V, openssl) || V <- Versions]),
|
List = lists:append([ssl:cipher_suites(all, V, openssl) || V <- Versions]),
|
||||||
[_ | _] = dedup(List).
|
|
||||||
|
%% Some PSK ciphers are both supported by OpenSSL and Erlang, but they need manual add here.
|
||||||
|
%% Found by this cmd
|
||||||
|
%% openssl ciphers -v|grep ^PSK| awk '{print $1}'| sed "s/^/\"/;s/$/\"/" | tr "\n" ","
|
||||||
|
%% Then remove the ciphers that aren't supported by Erlang
|
||||||
|
PSK = [
|
||||||
|
"PSK-AES256-GCM-SHA384",
|
||||||
|
"PSK-AES128-GCM-SHA256",
|
||||||
|
"PSK-AES256-CBC-SHA384",
|
||||||
|
"PSK-AES256-CBC-SHA",
|
||||||
|
"PSK-AES128-CBC-SHA256",
|
||||||
|
"PSK-AES128-CBC-SHA"
|
||||||
|
],
|
||||||
|
[_ | _] = dedup(List ++ PSK).
|
||||||
|
|
||||||
%% @doc All Pre-selected TLS ciphers.
|
%% @doc All Pre-selected TLS ciphers.
|
||||||
default_ciphers() ->
|
default_ciphers() ->
|
||||||
|
|
|
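Review bot: The six suites appended at `PSK = [...]` use plain PSK key exchange (no (EC)DHE component, per the `grep ^PSK` filter quoted in the comment), so they provide no forward secrecy, and the four `*-CBC-*` entries are CBC/MAC-then-encrypt suites; since this list is folded into `all_ciphers/1` unconditionally, a caveat above it would help operators, e.g. `%% NOTE: plain PSK suites give no forward secrecy (a leaked PSK decrypts recorded traffic); prefer the GCM entries over CBC.` The list is also appended regardless of `Versions`, so a caller passing only `['tlsv1.1']` or `['tlsv1']` (the `['tlsv1.3']` case is a separate clause, visible in the hunk header) gets the SHA256/SHA384 and GCM suites back even though those are TLS 1.2-only; gating the list with `lists:member('tlsv1.2', Versions)` would keep the result accurate if this function is used for validation. Finally, the comment says unsupported entries were removed by hand, so the list will drift with OTP releases; filtering each entry through the runtime (e.g. `ssl:str_to_suite/1` where the target OTP provides it) would catch a stale entry at startup rather than at handshake time.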
@ -24,8 +24,13 @@
|
||||||
-define(CR, 13).
|
-define(CR, 13).
|
||||||
-define(LF, 10).
|
-define(LF, 10).
|
||||||
|
|
||||||
all() ->
|
all() -> [{group, normal}, {group, ciphers}].
|
||||||
emqx_common_test_helpers:all(?MODULE).
|
|
||||||
|
groups() ->
|
||||||
|
[
|
||||||
|
{normal, [], emqx_common_test_helpers:all(?MODULE)},
|
||||||
|
{ciphers, [], [ciphers_test]}
|
||||||
|
].
|
||||||
|
|
||||||
init_per_suite(Config) ->
|
init_per_suite(Config) ->
|
||||||
meck:new(emqx_config, [non_strict, passthrough, no_history, no_link]),
|
meck:new(emqx_config, [non_strict, passthrough, no_history, no_link]),
|
||||||
|
@ -128,3 +133,47 @@ t_trim_crlf(_) ->
|
||||||
?assertEqual(Bin, emqx_psk:trim_crlf(Bin)),
|
?assertEqual(Bin, emqx_psk:trim_crlf(Bin)),
|
||||||
?assertEqual(Bin, emqx_psk:trim_crlf(<<Bin/binary, ?LF>>)),
|
?assertEqual(Bin, emqx_psk:trim_crlf(<<Bin/binary, ?LF>>)),
|
||||||
?assertEqual(Bin, emqx_psk:trim_crlf(<<Bin/binary, ?CR, ?LF>>)).
|
?assertEqual(Bin, emqx_psk:trim_crlf(<<Bin/binary, ?CR, ?LF>>)).
|
||||||
|
|
||||||
|
ciphers_test(Config) ->
|
||||||
|
Ciphers = [
|
||||||
|
"PSK-AES256-GCM-SHA384",
|
||||||
|
"PSK-AES128-GCM-SHA256",
|
||||||
|
"PSK-AES256-CBC-SHA384",
|
||||||
|
"PSK-AES256-CBC-SHA",
|
||||||
|
"PSK-AES128-CBC-SHA256",
|
||||||
|
"PSK-AES128-CBC-SHA"
|
||||||
|
],
|
||||||
|
lists:foreach(fun(Cipher) -> cipher_test(Cipher, Config) end, Ciphers).
|
||||||
|
|
||||||
|
cipher_test(Cipher, _) ->
|
||||||
|
ct:pal("Test PSK with Cipher:~p~n", [Cipher]),
|
||||||
|
PSKIdentity1 = "myclient1",
|
||||||
|
SharedSecret1 = <<"8c701116e9127c57a99d5563709af3deaca75563e2c4dd0865701ae839fb6d79">>,
|
||||||
|
|
||||||
|
ClientLookup = fun
|
||||||
|
(psk, undefined, _) -> {ok, SharedSecret1};
|
||||||
|
(psk, _, _) -> error
|
||||||
|
end,
|
||||||
|
|
||||||
|
ClientTLSOpts = #{
|
||||||
|
versions => ['tlsv1.2'],
|
||||||
|
ciphers => [Cipher],
|
||||||
|
psk_identity => PSKIdentity1,
|
||||||
|
verify => verify_none,
|
||||||
|
user_lookup_fun => {ClientLookup, undefined}
|
||||||
|
},
|
||||||
|
|
||||||
|
ServerTLSOpts = #{
|
||||||
|
versions => ['tlsv1.2'],
|
||||||
|
ciphers => [Cipher],
|
||||||
|
verify => verify_none,
|
||||||
|
reuseaddr => true,
|
||||||
|
user_lookup_fun => {fun emqx_tls_psk:lookup/3, undefined}
|
||||||
|
},
|
||||||
|
emqx_config:put([listeners, ssl, default, ssl_options], ServerTLSOpts),
|
||||||
|
emqx_listeners:restart_listener('ssl:default'),
|
||||||
|
|
||||||
|
{ok, Socket} = ssl:connect("127.0.0.1", 8883, maps:to_list(ClientTLSOpts)),
|
||||||
|
ssl:close(Socket),
|
||||||
|
|
||||||
|
ok.
|
||||||
|
|
|
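Review bot: `ssl:connect("127.0.0.1", 8883, ...)` in `cipher_test/2` relies on the default infinite timeout, so a handshake that stalls (for instance while the listener is still coming back after `restart_listener`) hangs the whole `ciphers` group instead of failing; pass an explicit timeout, `{ok, Socket} = ssl:connect("127.0.0.1", 8883, maps:to_list(ClientTLSOpts), 5000)`. The return value of `emqx_listeners:restart_listener('ssl:default')` is not matched either, so a failed restart shows up later as an opaque connect error rather than at the call site; `ok = emqx_listeners:restart_listener('ssl:default')` pins it, assuming the function returns `ok` on success. The test also overwrites `[listeners, ssl, default, ssl_options]` with `verify => verify_none` and a single cipher, and nothing in this hunk restores the previous value, so later cases on the same node inherit that weakened listener unless an `end_per_group` outside the hunk puts it back.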
@ -16,6 +16,8 @@
|
||||||
|
|
||||||
- Redesign `/rules` API to make `metrics` a dedicated resources rather than being included with every response [#9461](https://github.com/emqx/emqx/pull/9461).
|
- Redesign `/rules` API to make `metrics` a dedicated resources rather than being included with every response [#9461](https://github.com/emqx/emqx/pull/9461).
|
||||||
|
|
||||||
|
- Add more PSK ciphers support [#9505](https://github.com/emqx/emqx/pull/9505).
|
||||||
|
|
||||||
## Bug fixes
|
## Bug fixes
|
||||||
|
|
||||||
- Fix that the obsolete SSL files aren't deleted after the ExHook config update [#9432](https://github.com/emqx/emqx/pull/9432).
|
- Fix that the obsolete SSL files aren't deleted after the ExHook config update [#9432](https://github.com/emqx/emqx/pull/9432).
|
||||||
|
|
|
@ -16,6 +16,8 @@
|
||||||
|
|
||||||
- 重新设计了 `/rules` API,将 `metrics` 改为专用资源,而不再是包含在每个响应中 [#9461](https://github.com/emqx/emqx/pull/9461)。
|
- 重新设计了 `/rules` API,将 `metrics` 改为专用资源,而不再是包含在每个响应中 [#9461](https://github.com/emqx/emqx/pull/9461)。
|
||||||
|
|
||||||
|
- 支持更多的 PSK 密码套件[#9505](https://github.com/emqx/emqx/pull/9505)。
|
||||||
|
|
||||||
## 修复
|
## 修复
|
||||||
|
|
||||||
- 修复 ExHook 更新 SSL 相关配置后,过时的 SSL 文件没有被删除的问题 [#9432](https://github.com/emqx/emqx/pull/9432)。
|
- 修复 ExHook 更新 SSL 相关配置后,过时的 SSL 文件没有被删除的问题 [#9432](https://github.com/emqx/emqx/pull/9432)。
|
||||||
|
|