yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(ssl-clients): allow wildcard certificates by default

This commit is contained in:
zmstone 2024-05-02 14:34:57 +02:00
parent 3064a1cbae
commit 37d66e90fb
3 changed files with 21 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
apps/emqx/src/emqx_tls_lib.erl
View File

@ -542,13 +542,19 @@ to_client_opts(Type, Opts) ->
{depth, Get(depth)}, {depth, Get(depth)},
{password, ensure_str(Get(password))}, {password, ensure_str(Get(password))},
{secure_renegotiate, Get(secure_renegotiate)} {secure_renegotiate, Get(secure_renegotiate)}
], ] ++ hostname_check(Verify),
Versions Versions
); );
false -> false ->
[] []
end. end.
hostname_check(verify_none) ->
[];
hostname_check(verify_peer) ->
%% allow wildcard certificates
[{customize_hostname_check, [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].
resolve_cert_path_for_read_strict(Path) -> resolve_cert_path_for_read_strict(Path) ->
case resolve_cert_path_for_read(Path) of case resolve_cert_path_for_read(Path) of
undefined -> undefined ->

13
apps/emqx/test/emqx_tls_lib_tests.erl
View File

@ -240,7 +240,7 @@ to_client_opts_test() ->
Versions13Only = ['tlsv1.3'], Versions13Only = ['tlsv1.3'],
Options = #{ Options = #{
enable => true, enable => true,
verify => "Verify", verify => verify_none,
server_name_indication => "SNI", server_name_indication => "SNI",
ciphers => "Ciphers", ciphers => "Ciphers",
depth => "depth", depth => "depth",
@ -249,9 +249,16 @@ to_client_opts_test() ->
secure_renegotiate => "secure_renegotiate", secure_renegotiate => "secure_renegotiate",
reuse_sessions => "reuse_sessions" reuse_sessions => "reuse_sessions"
}, },
Expected1 = lists:usort(maps:keys(Options) -- [enable]), Expected0 = lists:usort(maps:keys(Options) -- [enable]),
Expected1 = lists:sort(Expected0 ++ [customize_hostname_check]),
?assertEqual( ?assertEqual(
Expected1, lists:usort(proplists:get_keys(emqx_tls_lib:to_client_opts(tls, Options))) Expected0, lists:usort(proplists:get_keys(emqx_tls_lib:to_client_opts(tls, Options)))
),
?assertEqual(
Expected1,
lists:usort(
proplists:get_keys(emqx_tls_lib:to_client_opts(tls, Options#{verify => verify_peer}))
)
), ),
Expected2 = Expected2 =
lists:usort( lists:usort(

4
changes/ce/fix-12962.en.md Normal file
View File

@ -0,0 +1,4 @@
TLS clients can now verify server hostname against wildcard certificate.
For example, if a certificate is issued for host `*.example.com`,
TLS clients is able to verify server hostnames like `srv1.example.com`.