fix(tls): disable partial_chain in hot config

This commit is contained in:
William Yang 2024-06-19 17:03:05 +02:00
parent 02a6ee1ef4
commit 41239ae766
1 changed files with 5 additions and 2 deletions


@ -13,10 +13,13 @@
-include_lib("emqx/include/logger.hrl"). -include_lib("emqx/include/logger.hrl").
-define(CONST_MOD_V1, emqx_auth_ext_tls_const_v1). -define(CONST_MOD_V1, emqx_auth_ext_tls_const_v1).
%% @doc enable TLS partial_chain validation if set. -define(unknown_ca, unknown_ca).
%% @doc enable TLS partial_chain validation
-spec opt_partial_chain(SslOpts :: map()) -> NewSslOpts :: map(). -spec opt_partial_chain(SslOpts :: map()) -> NewSslOpts :: map().
opt_partial_chain(#{partial_chain := false} = SslOpts) -> opt_partial_chain(#{partial_chain := false} = SslOpts) ->
maps:remove(partial_chain, SslOpts); %% For config update scenario, we must set it to override
%% the 'existing' partial_chain in the listener
SslOpts#{partial_chain := fun(_) -> ?unknown_ca end};
opt_partial_chain(#{partial_chain := true} = SslOpts) -> opt_partial_chain(#{partial_chain := true} = SslOpts) ->
SslOpts#{partial_chain := rootfun_trusted_ca_from_cacertfile(1, SslOpts)}; SslOpts#{partial_chain := rootfun_trusted_ca_from_cacertfile(1, SslOpts)};
opt_partial_chain(#{partial_chain := cacert_from_cacertfile} = SslOpts) -> opt_partial_chain(#{partial_chain := cacert_from_cacertfile} = SslOpts) ->