From 830326178bc01febb8f7ddd043988a11a07e12ec Mon Sep 17 00:00:00 2001
From: turtled
Date: Mon, 31 Oct 2016 15:23:59 +0800
Subject: [PATCH 1/3] rm file

---
 etc/certs/make_certs | 24 -------------------
 etc/certs/openssl.cnf | 54 -------------------------------------------
 2 files changed, 78 deletions(-)
 delete mode 100755 etc/certs/make_certs
 delete mode 100644 etc/certs/openssl.cnf

diff --git a/etc/certs/make_certs b/etc/certs/make_certs
deleted file mode 100755
index d7c0594b4..000000000
--- a/etc/certs/make_certs
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/sh
-
-rm -rf temp
-
-mkdir temp
-
-echo 01 > temp/serial
-touch temp/index.txt
-
-## create ca certificate
-openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 -out cacert.pem -outform PEM -subj /CN=MyTestCA/ -nodes
-openssl x509 -in cacert.pem -out temp/cacert.cer -outform DER
-
-## create server certificate
-openssl genrsa -out server-key.pem 2048
-openssl req -new -key server-key.pem -out temp/server-req.pem -outform PEM -subj /CN=$(hostname)/O=server/ -nodes
-openssl ca -config openssl.cnf -in temp/server-req.pem -out server-cert.pem -notext -batch -extensions server_ca_extensions
-
-## create client certificate
-openssl genrsa -out client-key.pem 2048
-openssl req -new -key client-key.pem -out temp/client-req.pem -outform PEM -subj /CN=$(hostname)/O=client/ -nodes
-openssl ca -config openssl.cnf -in temp/client-req.pem -out client-cert.pem -notext -batch -extensions client_ca_extensions
-
-rm -rf temp
\ No newline at end of file
diff --git a/etc/certs/openssl.cnf b/etc/certs/openssl.cnf
deleted file mode 100644
index b12569a91..000000000
--- a/etc/certs/openssl.cnf
+++ /dev/null
@@ -1,54 +0,0 @@
-[ ca ]
-default_ca = testca
-
-[ testca ]
-dir = .
-certificate = $dir/cacert.pem
-database = $dir/temp/index.txt
-new_certs_dir = $dir/temp
-private_key = $dir/temp/cakey.pem
-serial = $dir/temp/serial
-
-default_crl_days = 7
-default_days = 365
-default_md = sha256
-
-policy = testca_policy
-x509_extensions = certificate_extensions
-
-[ testca_policy ]
-commonName = supplied
-stateOrProvinceName = optional
-countryName = optional
-emailAddress = optional
-organizationName = optional
-organizationalUnitName = optional
-domainComponent = optional
-
-[ certificate_extensions ]
-basicConstraints = CA:false
-
-[ req ]
-default_bits = 2048
-default_keyfile = ./temp/cakey.pem
-default_md = sha256
-prompt = yes
-distinguished_name = root_ca_distinguished_name
-x509_extensions = root_ca_extensions
-
-[ root_ca_distinguished_name ]
-commonName = hostname
-
-[ root_ca_extensions ]
-basicConstraints = CA:true
-keyUsage = keyCertSign, cRLSign
-
-[ client_ca_extensions ]
-basicConstraints = CA:false
-keyUsage = digitalSignature
-extendedKeyUsage = 1.3.6.1.5.5.7.3.2
-
-[ server_ca_extensions ]
-basicConstraints = CA:false
-keyUsage = keyEncipherment
-extendedKeyUsage = 1.3.6.1.5.5.7.3.1

From ccfabcfd0dda4454277b416763e0265031a74b2a Mon Sep 17 00:00:00 2001
From: turtled
Date: Mon, 31 Oct 2016 16:49:37 +0800
Subject: [PATCH 2/3] ssl handshake_timeout

---
 etc/emq.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/emq.conf b/etc/emq.conf
index 9509bcc4d..dcf7d1d2d 100644
--- a/etc/emq.conf
+++ b/etc/emq.conf
@@ -237,7 +237,7 @@ mqtt.listener.ssl.max_clients = 512
 
 ## Configuring SSL Options
 ## See http://erlang.org/doc/man/ssl.html
-mqtt.listener.ssl.handshake_timeout = 15
+mqtt.listener.ssl.handshake_timeout = 2000
 mqtt.listener.ssl.keyfile = etc/certs/key.pem
 mqtt.listener.ssl.certfile = etc/certs/cert.pem
 ## mqtt.listener.ssl.cacertfile = etc/certs/cacert.pem

From 7bd7b6199d431248ea8e5e5d034e6236152fa8ae Mon Sep 17 00:00:00 2001
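Review bot: After this hunk `etc/emq.conf` sets `mqtt.listener.ssl.handshake_timeout = 2000` while the test-suite copy rewritten in PATCH 3 (`@@ -235,26 +237,26 @@` of `test/emqttd_SUITE_data/emqttd.conf`) keeps `15` and drops the old `#seconds` annotation, so the only remaining hint about the unit in either file is the link to the ssl man page. Erlang's `ssl` `handshake_timeout` option is in milliseconds, which is presumably why 15 became 2000, but the schema mapping for this key is not part of the series, so that should be confirmed before relying on it. I would add `## SSL handshake timeout in milliseconds` above the line in both files and either align the test value with the shipped one or say why they differ. The subject `ssl handshake_timeout` does not say what was wrong with 15.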
From: huangdan
Date: Mon, 31 Oct 2016 17:47:12 +0800
Subject: [PATCH 3/3] ct emqttd

---
 test/emqttd_SUITE_data/emqttd.conf | 34 +++++++++++++++-------------
 test/emqttd_SUITE_data/emqttd.schema | 16 +++++++++----
 2 files changed, 29 insertions(+), 21 deletions(-)

diff --git a/test/emqttd_SUITE_data/emqttd.conf b/test/emqttd_SUITE_data/emqttd.conf
index 4710ef909..9509bcc4d 100644
--- a/test/emqttd_SUITE_data/emqttd.conf
+++ b/test/emqttd_SUITE_data/emqttd.conf
@@ -80,6 +80,9 @@ mqtt.client_idle_timeout = 30
 ## Allow Anonymous authentication
 mqtt.allow_anonymous = true
 
+## Default ACL File
+mqtt.acl_file = etc/acl.conf
+
 ##--------------------------------------------------------------------
 ## MQTT Session
 ##--------------------------------------------------------------------
@@ -161,10 +164,10 @@ mqtt.bridge.ping_down_interval = 1
 ##-------------------------------------------------------------------
 
 ## Dir of plugins' config
-##mqtt.plugins.etc_dir = etc/plugins/
+mqtt.plugins.etc_dir = etc/plugins/
 
 ## File to store loaded plugin names.
-##mqtt.plugins.loaded_file = data/loaded_plugins
+mqtt.plugins.loaded_file = data/loaded_plugins
 
 ##-------------------------------------------------------------------
 ## MQTT Modules
@@ -186,8 +189,7 @@ mqtt.module.retainer.max_payload_size = 64KB
 mqtt.module.retainer.expired_after = 0
 
 ## Enable presence module
-## Client presence management module. Publish presence messages when
-## client connected or disconnected.
+## Publish presence messages when client connected or disconnected.
 mqtt.module.presence = on
 mqtt.module.presence.qos = 0
 
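Review bot: `mqtt.acl_file = etc/acl.conf` is a relative path added to a Common Test data file, and the series adds no `acl.conf` under `test/emqttd_SUITE_data`, so whether the ACL file is found depends on the working directory the suite starts the node from; the same applies to the `etc/plugins/` and `data/loaded_plugins` paths uncommented in `@@ -161,10 +164,10 @@`. With `mqtt.allow_anonymous = true` two lines above, the ACL file is presumably the only access restriction this configuration still applies, so a silently missing file would matter more here than a missing plugin directory. How emqttd behaves when the file is absent is not visible in this diff; I would record the expectation in the comment, e.g. `## Default ACL File (relative to the node's working directory; confirm it exists for the CT run)`.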
@@ -235,26 +237,26 @@ mqtt.listener.ssl.max_clients = 512
 
 ## Configuring SSL Options
 ## See http://erlang.org/doc/man/ssl.html
-mqtt.listener.ssl.handshake_timeout = 15 #seconds
-mqtt.listener.ssl.keyfile = etc/ssl/key.pem
-mqtt.listener.ssl.certfile = etc/ssl/cert.pem
-mqtt.listener.ssl.cacertfile = etc/ssl/cacert.pem
+mqtt.listener.ssl.handshake_timeout = 15
+mqtt.listener.ssl.keyfile = etc/certs/key.pem
+mqtt.listener.ssl.certfile = etc/certs/cert.pem
+## mqtt.listener.ssl.cacertfile = etc/certs/cacert.pem
 ## mqtt.listener.ssl.verify = verify_peer
 ## mqtt.listener.ssl.failed_if_no_peer_cert = true
 
-## HTTP Listener
+## HTTP and WebSocket Listener
 mqtt.listener.http = 8083
 mqtt.listener.http.acceptors = 4
 mqtt.listener.http.max_clients = 64
 
 ## HTTP(SSL) Listener
-mqtt.listener.https = 8084
-mqtt.listener.https.acceptors = 4
-mqtt.listener.https.max_clients = 64
-mqtt.listener.https.handshake_timeout = 10 #seconds
-mqtt.listener.https.certfile = etc/ssl/cert.pem
-mqtt.listener.https.keyfile = etc/ssl/key.pem
-mqtt.listener.https.cacertfile = etc/ssl/cacert.pem
+## mqtt.listener.https = 8084
+## mqtt.listener.https.acceptors = 4
+## mqtt.listener.https.max_clients = 64
+## mqtt.listener.https.handshake_timeout = 10
+## mqtt.listener.https.certfile = etc/certs/cert.pem
+## mqtt.listener.https.keyfile = etc/certs/key.pem
+## mqtt.listener.https.cacertfile = etc/certs/cacert.pem
 ## mqtt.listener.https.verify = verify_peer
 ## mqtt.listener.https.failed_if_no_peer_cert = true
 
diff --git a/test/emqttd_SUITE_data/emqttd.schema b/test/emqttd_SUITE_data/emqttd.schema
index 8ad4eb187..c33858565 100644
--- a/test/emqttd_SUITE_data/emqttd.schema
+++ b/test/emqttd_SUITE_data/emqttd.schema
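Review bot: The key and certificate now point at `etc/certs/key.pem` and `etc/certs/cert.pem`, but PATCH 1 of this series deletes the generator for that directory (`etc/certs/make_certs` and `openssl.cnf`) and no hunk adds the `.pem` files, so the suite's ssl listener depends on material that is neither generated nor committed here; if the files already exist in the tree, a comment naming where they come from would help, and if not, the listener cannot start. With `cacertfile`, `verify` and `failed_if_no_peer_cert` all commented out the listener performs no client-certificate verification (the ssl default is `verify_none`), which is acceptable for test data but worth stating, e.g. `## Test config: no client-cert verification; set cacertfile + verify_peer for mutual TLS`, so the block is not copied into `etc/emq.conf` unchanged. The same `etc/certs/` paths are used in the commented-out https block, so any fix applies there too.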
@@ -261,6 +261,12 @@ end}.
 hidden
 ]}.
 
+%% @doc Default ACL File
+{mapping, "mqtt.acl_file", "emqttd.acl_file", [
+{datatype, string},
+hidden
+]}.
+
 %%--------------------------------------------------------------------
 %% MQTT Session
 %%--------------------------------------------------------------------
@@ -527,7 +533,7 @@ end}.
 ]}.
 
 {mapping, "mqtt.listener.ssl.verify", "emqttd.listeners", [
-{datatype, string}
+{datatype, atom}
 ]}.
 
 {mapping, "mqtt.listener.ssl.failed_if_no_peer_cert", "emqttd.listeners", [
@@ -583,7 +589,7 @@ end}.
 ]}.
 
 {mapping, "mqtt.listener.https.verify", "emqttd.listeners", [
-{datatype, string}
+{datatype, atom}
 ]}.
 
 {mapping, "mqtt.listener.https.failed_if_no_peer_cert", "emqttd.listeners", [
@@ -609,8 +615,8 @@ end}.
 {keyfile, cuttlefish:conf_get(Prefix ++ ".keyfile", Conf, undefined)},
 {certfile, cuttlefish:conf_get(Prefix ++ ".certfile", Conf, undefined)},
 {cacertfile, cuttlefish:conf_get(Prefix ++ ".cacertfile", Conf, undefined)},
-{verify, cuttlefish:conf_get(Prefix ++ ".verify_peer", Conf, undefined)},
-{failed_if_no_peer_cert, cuttlefish:conf_get(Prefix ++ "failed_if_no_peer_cert", Conf, undefined)}])
+{verify, cuttlefish:conf_get(Prefix ++ ".verify", Conf, undefined)},
+{failed_if_no_peer_cert, cuttlefish:conf_get(Prefix ++ ".failed_if_no_peer_cert", Conf, undefined)}])
 end,
 
 Listeners = fun(Name) when is_atom(Name) ->
@@ -703,7 +709,7 @@ end}.
 {list_to_binary(Topic), list_to_integer(Qos)}
 end || S <- string:tokens(Topics, ",")]
 end,
-SubOpts = fun(Prefix) -> [{topics, ParseFun(cuttlefish:conf_get(Prefix ++ ".topics", Conf))}] end,
+SubOpts = fun(Prefix) -> ParseFun(cuttlefish:conf_get(Prefix ++ ".topics", Conf)) end,
 lists:append([WithMod(retainer, RetainOpts), WithMod(presence, PresOpts), WithMod(subscription, SubOpts)])
 end}.
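Review bot: `{datatype, atom}` for `mqtt.listener.ssl.verify` (and for `mqtt.listener.https.verify` in `@@ -583,7 +589,7 @@`) accepts any token and turns it into an atom, so a typo such as `verify_peers` is only noticed later, if at all, when the option reaches ssl. Cuttlefish can pin the value to the two meanings ssl understands, `{datatype, {enum, [verify_peer, verify_none]}}`, which rejects anything else at config-load time with a pointed error. That is worth the extra characters here because a mis-spelled value is the difference between verifying client certificates and not.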
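Review bot: The two corrected keys in `@@ -609,8 +615,8 @@` mean `mqtt.listener.ssl.verify` and `mqtt.listener.ssl.failed_if_no_peer_cert` are actually read for the first time; before this hunk `Prefix ++ ".verify_peer"` and `Prefix ++ "failed_if_no_peer_cert"` matched no mapping, so `verify` was always `undefined` and a configured `verify_peer` silently did nothing. That is a security-relevant behaviour change hidden under the subject `ct emqttd`; it deserves a sentence in the commit message and a comment such as `%% keys must match the mapping names above; a mismatch silently yields undefined`. What happens to the `undefined` defaults is decided by the call that wraps this list — its head and the enclosing fun start above the hunk — so please confirm that it drops `{Key, undefined}` pairs rather than handing `{verify, undefined}` to ssl.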
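Review bot: In `@@ -703,7 +709,7 @@` `SubOpts` now returns the bare `[{Topic, Qos}]` list from `ParseFun` instead of `[{topics, [...]}]`, which changes the option shape handed to `WithMod(subscription, SubOpts)` on the next line; the consumer of those options is outside this diff, so it must already expect the new shape or the first subscription will fail to match, and the commit message does not mention the change. A comment on the line, e.g. `%% subscription module takes the topic list directly, not [{topics, List}]`, would record the contract. `ParseFun` is defined above the hunk, and `cuttlefish:conf_get/2` without a default raises if `.topics` is absent, which is presumably the intended assertive behaviour.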