fix(ssl-clients): allow wildcard certificates by default

2024-05-02 14:34:57 +02:00 · 2024-05-02 14:34:57 +02:00 · 37d66e90fb
parent 3064a1cbae
commit 37d66e90fb
3 changed files with 21 additions and 4 deletions
--- a/apps/emqx/src/emqx_tls_lib.erl
+++ b/apps/emqx/src/emqx_tls_lib.erl
@ -542,13 +542,19 @@ to_client_opts(Type, Opts) ->
                    {depth, Get(depth)},
                    {password, ensure_str(Get(password))},
                    {secure_renegotiate, Get(secure_renegotiate)}
-                ],
+                ] ++ hostname_check(Verify),
                Versions
            );
        false ->
            []
    end.

+hostname_check(verify_none) ->
+    [];
+hostname_check(verify_peer) ->
+    %% allow wildcard certificates
+    [{customize_hostname_check, [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].
+
 resolve_cert_path_for_read_strict(Path) ->
    case resolve_cert_path_for_read(Path) of
        undefined ->
--- a/apps/emqx/test/emqx_tls_lib_tests.erl
+++ b/apps/emqx/test/emqx_tls_lib_tests.erl
@ -240,7 +240,7 @@ to_client_opts_test() ->
    Versions13Only = ['tlsv1.3'],
    Options = #{
        enable => true,
-        verify => "Verify",
+        verify => verify_none,
        server_name_indication => "SNI",
        ciphers => "Ciphers",
        depth => "depth",
@ -249,9 +249,16 @@ to_client_opts_test() ->
        secure_renegotiate => "secure_renegotiate",
        reuse_sessions => "reuse_sessions"
    },
-    Expected1 = lists:usort(maps:keys(Options) -- [enable]),
+    Expected0 = lists:usort(maps:keys(Options) -- [enable]),
+    Expected1 = lists:sort(Expected0 ++ [customize_hostname_check]),
    ?assertEqual(
-        Expected1, lists:usort(proplists:get_keys(emqx_tls_lib:to_client_opts(tls, Options)))
+        Expected0, lists:usort(proplists:get_keys(emqx_tls_lib:to_client_opts(tls, Options)))
+    ),
+    ?assertEqual(
+        Expected1,
+        lists:usort(
+            proplists:get_keys(emqx_tls_lib:to_client_opts(tls, Options#{verify => verify_peer}))
+        )
    ),
    Expected2 =
        lists:usort(
--- a/changes/ce/fix-12962.en.md
+++ b/changes/ce/fix-12962.en.md
@ -0,0 +1,4 @@
+TLS clients can now verify server hostname against wildcard certificate.
+
+For example, if a certificate is issued for host `*.example.com`,
+TLS clients is able to verify server hostnames like `srv1.example.com`.