Merge pull request #4178 from zmstone/resolve-conflict-v4.3.0-to-v5.0

Resolve conflict v4.3.0 to v5.0

.ci/compatibility_tests/docker-compose-pgsql-tls.yaml

@@ -24,9 +24,9 @@ services:
     image: emqx_pgsql:${PGSQL_TAG}
     restart: always
     environment:
-      POSTGRES_DB: postgres
+      POSTGRES_DB: mqtt
-      POSTGRES_USER: postgres
+      POSTGRES_USER: root
-      POSTGRES_PASSWORD: postgres
+      POSTGRES_PASSWORD: public
     ports:
       - "5432:5432"
     command:

.github/workflows/run_cts_tests.yaml

@@ -194,15 +194,9 @@ jobs:
         run: |
           docker-compose -f .ci/compatibility_tests/docker-compose-pgsql-tls.yaml build --no-cache
           docker-compose -f .ci/compatibility_tests/docker-compose-pgsql-tls.yaml up -d
-          if [ "$PGSQL_TAG" = "12" ] || [ "$PGSQL_TAG" = "13" ]; then
+          sed -i 's|^[#[:space:]]*auth.pgsql.username[ \t]*=.*|auth.pgsql.username = root|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
-              sed -i 's|^[#[:space:]]*auth.pgsql.ssl.tls_versions[ \t]*=.*|auth.pgsql.ssl.tls_versions = "tlsv1.3,tlsv1.2"|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
+          sed -i 's|^[#[:space:]]*auth.pgsql.password[ \t]*=.*|auth.pgsql.password = public|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
-          else
+          sed -i 's|^[#[:space:]]*auth.pgsql.database[ \t]*=.*|auth.pgsql.database = mqtt|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
-              sed -i 's|^[#[:space:]]*auth.pgsql.ssl.tls_versions[ \t]*=.*|auth.pgsql.ssl.tls_versions = "tlsv1.2,tlsv1.1"|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
-          fi
-
-          sed -i 's|^[#[:space:]]*auth.pgsql.username[ \t]*=.*|auth.pgsql.username = postgres|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
-          sed -i 's|^[#[:space:]]*auth.pgsql.password[ \t]*=.*|auth.pgsql.password = postgres|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
-          sed -i 's|^[#[:space:]]*auth.pgsql.database[ \t]*=.*|auth.pgsql.database = postgres|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
           sed -i 's|^[#[:space:]]*auth.pgsql.ssl.enable[ \t]*=.*|auth.pgsql.ssl.enable = on|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
           sed -i 's|^[#[:space:]]*auth.pgsql.cacertfile[ \t]*=.*|auth.pgsql.cacertfile = /emqx/apps/emqx_auth_pgsql/test/emqx_auth_pgsql_SUITE_data/root.crt|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
       - name: setup

.gitignore

@@ -41,5 +41,5 @@ tmp/
 _packages
 elvis
 emqx_dialyzer_*_plt
-apps/emqx_dashboard/priv/www
+*/emqx_dashboard/priv/www
 dist.zip

Makefile

@@ -2,6 +2,7 @@ REBAR_VERSION = 3.14.3-emqx-4
 DASHBOARD_VERSION = v4.3.0
 REBAR = $(CURDIR)/rebar3
 BUILD = $(CURDIR)/build
+export EMQX_ENTERPRISE=false
 export PKG_VSN ?= $(shell $(CURDIR)/pkg-vsn.sh)
 
 PROFILE ?= emqx

apps/emqx_auth_http/src/emqx_auth_http_app.erl

@@ -74,11 +74,10 @@ translate_env(EnvName) ->
                                                         (_) ->
                                                         true
                                                     end, [{keyfile, KeyFile}, {certfile, CertFile}, {cacertfile, CACertFile}]),
-                            TlsVers = ['tlsv1.2','tlsv1.1',tlsv1],
+                            NTLSOpts = [ {versions, emqx_tls_lib:default_versions()}
-                            NTLSOpts = [{versions, TlsVers},
+                                       , {ciphers, emqx_tls_lib:default_ciphers()}
-                                        {ciphers, lists:foldl(fun(TlsVer, Ciphers) ->
+                                       | TLSOpts
-                                                                    Ciphers ++ ssl:cipher_suites(all, TlsVer)
+                                       ],
-                                                                end, [], TlsVers)} | TLSOpts],
                             [{transport, ssl}, {transport_opts, [Inet | NTLSOpts]}]
                         end,
             PoolOpts = [{host, Host},

apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf

@@ -39,13 +39,13 @@ auth.pgsql.encoding = utf8
 ## Value: on | off
 auth.pgsql.ssl.enable = off
 
-## TLS version
+## TLS version.
-## You can configure multi-version use "," split,
-## default value is :tlsv1.2
-## Example:
-##    tlsv1.1,tlsv1.2,tlsv1.3
 ##
-#auth.pgsql.ssl.tls_versions = tlsv1.2
+## Available enum values:
+##    tlsv1.3,tlsv1.2,tlsv1.1,tlsv1
+##
+## Value: String, seperated by ','
+#auth.pgsql.ssl.tls_versions = tlsv1.3,tlsv1.2,tlsv1.1
 
 ## SSL keyfile.
 ##

apps/emqx_auth_pgsql/priv/emqx_auth_pgsql.schema

@@ -36,7 +36,7 @@
 ]}.
 
 {mapping, "auth.pgsql.ssl.tls_versions", "emqx_auth_pgsql.server", [
-  {default, "tlsv1.2"},
+  {default, "tlsv1.3,tlsv1.2,tlsv1.1"},
   {datatype, string}
 ]}.
 
@@ -92,9 +92,9 @@
   SslOpts = fun(Prefix) ->
                 Filter([{keyfile,    cuttlefish:conf_get(Prefix ++ ".keyfile", Conf, undefined)},
                         {certfile,   cuttlefish:conf_get(Prefix ++ ".certfile", Conf, undefined)},
-                        {cacertfile, cuttlefish:conf_get(Prefix ++ ".cacertfile", Conf, undefined),
+                        {cacertfile, cuttlefish:conf_get(Prefix ++ ".cacertfile", Conf, undefined)},
                         {versions, [list_to_existing_atom(Value)
-                                    ||Value <- string:tokens(cuttlefish:conf_get(Prefix ++ ".tls_versions", Conf), " ,")]}}])
+                                    || Value <- string:tokens(cuttlefish:conf_get(Prefix ++ ".tls_versions", Conf), " ,")]}])
             end,
 
   %% FIXME: compatible with 4.0-4.2 version format, plan to delete in 5.0

apps/emqx_bridge_mqtt/README.md

@@ -53,13 +53,13 @@ The following is the basic configuration of RPC bridging. A simplest RPC bridgin
 
 ```
 ## Bridge Address: Use node name (nodename@host) for rpc bridging, and host:port for mqtt connection
-bridge.mqtt.emqx2.address = emqx2@192.168.1.2
+bridge.mqtt.emqx2.address = "emqx2@192.168.1.2"
 
 ## Forwarding topics of the message
-bridge.mqtt.emqx2.forwards = sensor1/#,sensor2/#
+bridge.mqtt.emqx2.forwards = "sensor1/#,sensor2/#"
 
 ## bridged mountpoint
-bridge.mqtt.emqx2.mountpoint = bridge/emqx2/${node}/
+bridge.mqtt.emqx2.mountpoint = "bridge/emqx2/${node}/"
 ```
 
 If the messages received by the local node emqx1 matches the topic `sersor1/#` or `sensor2/#`, these messages will be forwarded to the `sensor1/#` or `sensor2/#` topic of the remote node emqx2.
@@ -82,66 +82,66 @@ EMQ X MQTT bridging principle: Create an MQTT client on the EMQ X broker, and co
 
 ```
 ## Bridge Address: Use node name for rpc bridging, use host:port for mqtt connection
-bridge.mqtt.emqx2.address = 192.168.1.2:1883
+bridge.mqtt.emqx2.address = "192.168.1.2:1883"
 
 ## Bridged Protocol Version
 ## Enumeration value: mqttv3 | mqttv4 | mqttv5
-bridge.mqtt.emqx2.proto_ver = mqttv4
+bridge.mqtt.emqx2.proto_ver = "mqttv4"
 
 ## mqtt client's clientid
-bridge.mqtt.emqx2.clientid = bridge_emq
+bridge.mqtt.emqx2.clientid = "bridge_emq"
 
 ## mqtt client's clean_start field
 ## Note: Some MQTT Brokers need to set the clean_start value as `true`
 bridge.mqtt.emqx2.clean_start = true
 
 ##  mqtt client's username field
-bridge.mqtt.emqx2.username = user
+bridge.mqtt.emqx2.username = "user"
 
 ## mqtt client's password field
-bridge.mqtt.emqx2.password = passwd
+bridge.mqtt.emqx2.password = "passwd"
 
 ## Whether the mqtt client uses ssl to connect to a remote serve or not
 bridge.mqtt.emqx2.ssl = off
 
 ## CA Certificate of Client SSL Connection (PEM format)
-bridge.mqtt.emqx2.cacertfile = etc/certs/cacert.pem
+bridge.mqtt.emqx2.cacertfile = "etc/certs/cacert.pem"
 
 ## SSL certificate of Client SSL connection 
-bridge.mqtt.emqx2.certfile = etc/certs/client-cert.pem
+bridge.mqtt.emqx2.certfile = "etc/certs/client-cert.pem"
 
 ## Key file of Client SSL connection 
-bridge.mqtt.emqx2.keyfile = etc/certs/client-key.pem
+bridge.mqtt.emqx2.keyfile = "etc/certs/client-key.pem"
 
 ## SSL encryption
-bridge.mqtt.emqx2.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384
+bridge.mqtt.emqx2.ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384"
 
 ## TTLS PSK password
 ## Note 'listener.ssl.external.ciphers' and 'listener.ssl.external.psk_ciphers' cannot be configured at the same time
 ##
 ## See 'https://tools.ietf.org/html/rfc4279#section-2'.
-## bridge.mqtt.emqx2.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
+## bridge.mqtt.emqx2.psk_ciphers = "PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA"
 
 ## Client's heartbeat interval
 bridge.mqtt.emqx2.keepalive = 60s
 
 ## Supported TLS version
-bridge.mqtt.emqx2.tls_versions = tlsv1.2,tlsv1.1,tlsv1
+bridge.mqtt.emqx2.tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"
 
 ## Forwarding topics of the message
-bridge.mqtt.emqx2.forwards = sensor1/#,sensor2/#
+bridge.mqtt.emqx2.forwards = "sensor1/#,sensor2/#"
 
 ## Bridged mountpoint
-bridge.mqtt.emqx2.mountpoint = bridge/emqx2/${node}/
+bridge.mqtt.emqx2.mountpoint = "bridge/emqx2/${node}/"
 
 ## Subscription topic for bridging
-bridge.mqtt.emqx2.subscription.1.topic = cmd/topic1
+bridge.mqtt.emqx2.subscription.1.topic = "cmd/topic1"
 
 ## Subscription qos for bridging
 bridge.mqtt.emqx2.subscription.1.qos = 1
 
 ## Subscription topic for bridging
-bridge.mqtt.emqx2.subscription.2.topic = cmd/topic2
+bridge.mqtt.emqx2.subscription.2.topic = "cmd/topic2"
 
 ## Subscription qos for bridging
 bridge.mqtt.emqx2.subscription.2.qos = 1

apps/emqx_bridge_mqtt/docs/guide.rst

@@ -39,7 +39,7 @@ In EMQ X, bridge is configured by modifying ``etc/emqx.conf``. EMQ X distinguish
 .. code-block::
 
    ## Bridge address: node name for local bridge, host:port for remote.
-   bridge.mqtt.aws.address = 127.0.0.1:1883
+   bridge.mqtt.aws.address = "127.0.0.1:1883"
 
 This configuration declares a bridge named ``aws`` and specifies that it is bridged to the MQTT broker of 127.0.0.1:1883 by MQTT mode.
 
@@ -69,13 +69,13 @@ The following is the basic configuration of RPC bridging. A simplest RPC bridgin
 .. code-block::
 
    ## Bridge Address: Use node name (nodename@host) for rpc bridging, and host:port for mqtt connection
-   bridge.mqtt.emqx2.address = emqx2@192.168.1.2
+   bridge.mqtt.emqx2.address = "emqx2@192.168.1.2"
 
    ## Forwarding topics of the message
-   bridge.mqtt.emqx2.forwards = sensor1/#,sensor2/#
+   bridge.mqtt.emqx2.forwards = "sensor1/#,sensor2/#"
 
    ## bridged mountpoint
-   bridge.mqtt.emqx2.mountpoint = bridge/emqx2/${node}/
+   bridge.mqtt.emqx2.mountpoint = "bridge/emqx2/${node}/"
 
 If the messages received by the local node emqx1 matches the topic ``sersor1/#`` or ``sensor2/#``\ , these messages will be forwarded to the ``sensor1/#`` or ``sensor2/#`` topic of the remote node emqx2.
 
@@ -102,66 +102,66 @@ EMQ X MQTT bridging principle: Create an MQTT client on the EMQ X broker, and co
 .. code-block::
 
    ## Bridge Address: Use node name for rpc bridging, use host:port for mqtt connection
-   bridge.mqtt.emqx2.address = 192.168.1.2:1883
+   bridge.mqtt.emqx2.address = "192.168.1.2:1883"
 
    ## Bridged Protocol Version
    ## Enumeration value: mqttv3 | mqttv4 | mqttv5
-   bridge.mqtt.emqx2.proto_ver = mqttv4
+   bridge.mqtt.emqx2.proto_ver = "mqttv4"
 
    ## mqtt client's clientid
-   bridge.mqtt.emqx2.clientid = bridge_emq
+   bridge.mqtt.emqx2.clientid = "bridge_emq"
 
    ## mqtt client's clean_start field
    ## Note: Some MQTT Brokers need to set the clean_start value as `true`
    bridge.mqtt.emqx2.clean_start = true
 
    ##  mqtt client's username field
-   bridge.mqtt.emqx2.username = user
+   bridge.mqtt.emqx2.username = "user"
 
    ## mqtt client's password field
-   bridge.mqtt.emqx2.password = passwd
+   bridge.mqtt.emqx2.password = "passwd"
 
    ## Whether the mqtt client uses ssl to connect to a remote serve or not
    bridge.mqtt.emqx2.ssl = off
 
    ## CA Certificate of Client SSL Connection (PEM format)
-   bridge.mqtt.emqx2.cacertfile = etc/certs/cacert.pem
+   bridge.mqtt.emqx2.cacertfile = "etc/certs/cacert.pem"
 
    ## SSL certificate of Client SSL connection 
-   bridge.mqtt.emqx2.certfile = etc/certs/client-cert.pem
+   bridge.mqtt.emqx2.certfile = "etc/certs/client-cert.pem"
 
    ## Key file of Client SSL connection 
-   bridge.mqtt.emqx2.keyfile = etc/certs/client-key.pem
+   bridge.mqtt.emqx2.keyfile = "etc/certs/client-key.pem"
-
-   ## SSL encryption
-   bridge.mqtt.emqx2.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384
 
    ## TTLS PSK password
    ## Note 'listener.ssl.external.ciphers' and 'listener.ssl.external.psk_ciphers' cannot be configured at the same time
    ##
    ## See 'https://tools.ietf.org/html/rfc4279#section-2'.
-   ## bridge.mqtt.emqx2.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA
+   ## bridge.mqtt.emqx2.psk_ciphers = "PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA"
 
    ## Client's heartbeat interval
    bridge.mqtt.emqx2.keepalive = 60s
 
    ## Supported TLS version
-   bridge.mqtt.emqx2.tls_versions = tlsv1.2,tlsv1.1,tlsv1
+   bridge.mqtt.emqx2.tls_versions = "tlsv1.2"
+
+   ## SSL encryption
+   bridge.mqtt.emqx2.ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384"
 
    ## Forwarding topics of the message
-   bridge.mqtt.emqx2.forwards = sensor1/#,sensor2/#
+   bridge.mqtt.emqx2.forwards = "sensor1/#,sensor2/#"
 
    ## Bridged mountpoint
-   bridge.mqtt.emqx2.mountpoint = bridge/emqx2/${node}/
+   bridge.mqtt.emqx2.mountpoint = "bridge/emqx2/${node}/"
 
    ## Subscription topic for bridging
-   bridge.mqtt.emqx2.subscription.1.topic = cmd/topic1
+   bridge.mqtt.emqx2.subscription.1.topic = "cmd/topic1"
 
    ## Subscription qos for bridging
    bridge.mqtt.emqx2.subscription.1.qos = 1
 
    ## Subscription topic for bridging
-   bridge.mqtt.emqx2.subscription.2.topic = cmd/topic2
+   bridge.mqtt.emqx2.subscription.2.topic = "cmd/topic2"
 
    ## Subscription qos for bridging
    bridge.mqtt.emqx2.subscription.2.qos = 1
@@ -190,7 +190,7 @@ The bridge of EMQ X has a message caching mechanism. The caching mechanism is ap
    bridge.mqtt.emqx2.queue.batch_bytes_limit = 1000MB
 
    ## The path for placing replayq queue. If it is not specified, then replayq will run in `mem-only` mode and messages will not be cached on disk.
-   bridge.mqtt.emqx2.queue.replayq_dir = data/emqx_emqx2_bridge/
+   bridge.mqtt.emqx2.queue.replayq_dir = "data/emqx_emqx2_bridge/"
 
    ## Replayq data segment size
    bridge.mqtt.emqx2.queue.replayq_seg_bytes = 10MB

apps/emqx_bridge_mqtt/etc/emqx_bridge_mqtt.conf

@@ -128,6 +128,7 @@ bridge.mqtt.aws.keepalive = 60s
 
 ## TLS versions used by the bridge.
 ##
+## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier
 ## Value: String
 bridge.mqtt.aws.tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"
 

apps/emqx_bridge_mqtt/priv/emqx_bridge_mqtt.schema

@@ -90,7 +90,7 @@
 
 {mapping, "bridge.mqtt.$name.tls_versions", "emqx_bridge_mqtt.bridges", [
   {datatype, string},
-  {default, "tlsv1,tlsv1.1,tlsv1.2"}
+  {default, "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"}
 ]}.
 
 {mapping, "bridge.mqtt.$name.reconnect_interval", "emqx_bridge_mqtt.bridges", [

apps/emqx_bridge_mqtt/src/emqx_bridge_mqtt_actions.erl

@@ -671,12 +671,6 @@ format_data([], Msg) ->
 format_data(Tokens, Msg) ->
     emqx_rule_utils:proc_tmpl(Tokens, Msg).
 
-tls_versions() ->
-    ['tlsv1.2','tlsv1.1', tlsv1].
-
-ciphers(Ciphers) ->
-    string:tokens(str(Ciphers), ", ").
-
 subscriptions(Subscriptions) ->
     scan_binary(<<"[", Subscriptions/binary, "].">>).
 
@@ -749,6 +743,8 @@ options(Options, PoolName) ->
                      Topic ->
                          [{subscriptions, [{Topic, Get(<<"qos">>)}]} | Subscriptions]
                  end,
+                 %% TODO check why only ciphers are configurable but not versions
+                 TlsVersions = emqx_tls_lib:default_versions(),
                  [{address, binary_to_list(Address)},
                   {bridge_mode, GetD(<<"bridge_mode">>, true)},
                   {clean_start, true},
@@ -761,12 +757,13 @@ options(Options, PoolName) ->
                   {proto_ver, mqtt_ver(Get(<<"proto_ver">>))},
                   {retry_interval, cuttlefish_duration:parse(str(GetD(<<"retry_interval">>, "30s")), s)},
                   {ssl, cuttlefish_flag:parse(str(Get(<<"ssl">>)))},
-                  {ssl_opts, [{versions, tls_versions()},
+                  {ssl_opts, [ {keyfile, str(Get(<<"keyfile">>))}
-                              {ciphers, ciphers(Get(<<"ciphers">>))},
+                             , {certfile, str(Get(<<"certfile">>))}
-                              {keyfile, str(Get(<<"keyfile">>))},
+                             , {cacertfile, str(Get(<<"cacertfile">>))}
-                              {certfile, str(Get(<<"certfile">>))},
+                             , {versions, TlsVersions}
-                              {cacertfile, str(Get(<<"cacertfile">>))}
+                             , {ciphers, emqx_tls_lib:integral_ciphers(TlsVersions, Get(<<"ciphers">>))}
-                             ]}] ++ Subscriptions1
+                             ]}
+                 ] ++ Subscriptions1
          end.
 
 

apps/emqx_coap/priv/emqx_coap.schema

@@ -75,10 +75,7 @@ end}.
   Ciphers =
       case cuttlefish:conf_get("coap.dtls.ciphers", Conf, undefined) of
           undefined ->
-              lists:foldl(
+              lists:append([ssl:cipher_suites(all, V, openssl) || V <- ['dtlsv1.2', 'dtlsv1']]);
-                  fun(TlsVer, Ciphers) ->
-                      Ciphers ++ ssl:cipher_suites(all, TlsVer)
-                  end, [], ['dtlsv1', 'dtlsv1.2']);
           C ->
               SplitFun(C)
       end,

apps/emqx_exproto/test/emqx_exproto_SUITE.erl

@@ -425,8 +425,8 @@ udp_opts() ->
 
 ssl_opts() ->
     Certs = certs("key.pem", "cert.pem", "cacert.pem"),
-    [{versions, ['tlsv1.2','tlsv1.1',tlsv1]},
+    [{versions, emqx_tls_lib:default_versions()},
-     {ciphers, ciphers('tlsv1.2')},
+     {ciphers, emqx_tls_lib:default_ciphers()},
      {verify, verify_peer},
      {fail_if_no_peer_cert, true},
      {secure_renegotiate, false},
@@ -437,9 +437,6 @@ dtls_opts() ->
     Opts = ssl_opts(),
     lists:keyreplace(versions, 1, Opts, {versions, ['dtlsv1.2', 'dtlsv1']}).
 
-ciphers(Version) ->
-    proplists:get_value(ciphers, emqx_ct_helpers:client_ssl(Version)).
-
 %%--------------------------------------------------------------------
 %% Client-Opts
 

apps/emqx_stomp/etc/emqx_stomp.conf

@@ -58,6 +58,7 @@ stomp.listener.max_connections = 512
 ## TLS versions only to protect from POODLE attack.
 ##
 ## Value: String, seperated by ','
+## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier
 ## stomp.listener.tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"
 
 ## SSL Handshake timeout.

apps/emqx_web_hook/src/emqx_web_hook_actions.erl

@@ -354,12 +354,11 @@ pool_opts(Params = #{<<"url">> := URL}) ->
                                                  (_) ->
                                                   true
                                               end, [{keyfile, KeyFile}, {certfile, CertFile}, {cacertfile, CACertFile}]),
-                       TlsVers = ['tlsv1.2', 'tlsv1.1', tlsv1],
+                       NTLSOpts = [ {verify, VerifyType}
-                       NTLSOpts = [{verify, VerifyType},
+                                  , {versions, emqx_tls_lib:default_versions()}
-                                   {versions, TlsVers},
+                                  , {ciphers, emqx_tls_lib:default_ciphers()}
-                                   {ciphers, lists:foldl(fun(TlsVer, Ciphers) ->
+                                  | TLSOpts
-                                                             Ciphers ++ ssl:cipher_suites(all, TlsVer)
+                                  ],
-                                                         end, [], TlsVers)} | TLSOpts],
                        [{transport, ssl}, {transport_opts, [Inet | NTLSOpts]}]
               end,
     [{host, Host},

apps/emqx_web_hook/src/emqx_web_hook_app.erl

@@ -75,12 +75,11 @@ translate_env() ->
                        TLSOpts = lists:filter(fun({_K, V}) ->
                                                 V /= <<>> andalso V /= undefined andalso V /= "" andalso true
                                               end, [{keyfile, KeyFile}, {certfile, CertFile}, {cacertfile, CACertFile}]),
-                       TlsVers = ['tlsv1.2','tlsv1.1',tlsv1],
+                       NTLSOpts = [ {verify, VerifyType}
-                       NTLSOpts = [{verify, VerifyType},
+                                  , {versions, emqx_tls_lib:default_versions()}
-                                   {versions, TlsVers},
+                                  , {ciphers, emqx_tls_lib:default_ciphers()}
-                                   {ciphers, lists:foldl(fun(TlsVer, Ciphers) ->
+                                  | TLSOpts
-                                                               Ciphers ++ ssl:cipher_suites(all, TlsVer)
+                                  ],
-                                                           end, [], TlsVers)} | TLSOpts],
                        [{transport, ssl}, {transport_opts, [Inet | NTLSOpts]}]
                 end,
     PoolOpts = [{host, Host},

bin/emqx

@@ -255,7 +255,7 @@ if [ -z "$NAME_ARG" ]; then
     # check if there is a node running, inspect its name
     # shellcheck disable=SC2009 # pgrep does not support Extended Regular Expressions
     [ -z "$NODENAME" ] && NODENAME=$(ps -ef | grep -E '\-progname\s.*emqx\s' | grep -o -E '\-name (\S*)' | awk '{print $2}')
-    [ -z "$NODENAME" ] && NODENAME=$(grep -E '^[ \t]*node.name[ \t]*=[ \t]*' "$RUNNER_ETC_DIR/emqx.conf" 2> /dev/null | tail -1 | cut -d = -f 2-)
+    [ -z "$NODENAME" ] && NODENAME=$(grep -E '^[ \t]*node.name[ \t]*=[ \t]*' "$RUNNER_ETC_DIR/emqx.conf" 2> /dev/null | tail -1 | cut -d = -f 2- | tr -d '"')
     if [ -z "$NODENAME" ]; then
         echoerr "vm.args needs to have a -name parameter."
         echoerr "  -sname is not supported."
@@ -280,7 +280,7 @@ if [ -z "$COOKIE_ARG" ]; then
     # check if there is a node running, steal its cookie
     # shellcheck disable=SC2009 # pgrep does not support Extended Regular Expressions
     [ -z "$COOKIE" ] && COOKIE=$(ps -ef | grep -E '\-progname\s.*emqx\s' | grep -o -E '\-setcookie (\S*)' | awk '{print $2}')
-    [ -z "$COOKIE" ] && COOKIE=$(grep -E '^[ \t]*node.cookie[ \t]*=[ \t]*' "$RUNNER_ETC_DIR/emqx.conf" 2> /dev/null | tail -1 | cut -d = -f 2-)
+    [ -z "$COOKIE" ] && COOKIE=$(grep -E '^[ \t]*node.cookie[ \t]*=[ \t]*' "$RUNNER_ETC_DIR/emqx.conf" 2> /dev/null | tail -1 | cut -d = -f 2- | tr -d '"')
     if [ -z "$COOKIE" ]; then
         echoerr "vm.args needs to have a -setcookie parameter."
         echoerr "please check $RUNNER_ETC_DIR/emqx.conf"

bin/emqx_ctl

@@ -37,7 +37,7 @@ if [ -z "$NAME_ARG" ]; then
     # check if there is a node running, inspect its name
     # shellcheck disable=SC2009 # pgrep does not support Extended Regular Expressions
     [ -z "$NODENAME" ] && NODENAME=$(ps -ef | grep -E '\progname\s.*emqx\s' | grep -o -E '\-name (\S*)' | awk '{print $2}')
-    [ -z "$NODENAME" ] && NODENAME=$(grep -E '^[ \t]*node.name[ \t]*=[ \t]*' "$RUNNER_ETC_DIR/emqx.conf" 2> /dev/null | tail -1 | cut -d = -f 2-)
+    [ -z "$NODENAME" ] && NODENAME=$(grep -E '^[ \t]*node.name[ \t]*=[ \t]*' "$RUNNER_ETC_DIR/emqx.conf" 2> /dev/null | tail -1 | cut -d = -f 2- | tr -d '"')
     if [ -z "$NODENAME" ]; then
         echoerr "vm.args needs to have a -name parameter."
         echoerr "  -sname is not supported."
@@ -58,7 +58,7 @@ if [ -z "$COOKIE_ARG" ]; then
     # check if there is a node running, steal its cookie
     # shellcheck disable=SC2009 # pgrep does not support Extended Regular Expressions
     [ -z "$COOKIE" ] && COOKIE=$(ps -ef | grep -E '\-progname\s.*emqx\s' | grep -o -E '\-setcookie (\S*)' | awk '{print $2}')
-    [ -z "$COOKIE" ] && COOKIE=$(grep -E '^[ \t]*node.cookie[ \t]*=[ \t]*' "$RUNNER_ETC_DIR/emqx.conf" 2> /dev/null | tail -1 | cut -d = -f 2-)
+    [ -z "$COOKIE" ] && COOKIE=$(grep -E '^[ \t]*node.cookie[ \t]*=[ \t]*' "$RUNNER_ETC_DIR/emqx.conf" 2> /dev/null | tail -1 | cut -d = -f 2- | tr -d '"')
     if [ -z "$COOKIE" ]; then
         echoerr "vm.args needs to have a -setcookie parameter."
         echoerr "please check $RUNNER_ETC_DIR/emqx.conf"

elvis.config

@@ -5,7 +5,7 @@
    [
     {config,
      [
-      #{dirs => ["apps/**/src", "src"],
+      #{dirs => ["src", "apps/**/src", "lib-opensource/**/src"],
         filter => "*.erl",
         ruleset => erl_files,
         rules => [
@@ -16,7 +16,7 @@
                                                                ]}}
            ]
         },
-      #{dirs => ["apps/**/test", "test"],
+      #{dirs => ["test", "apps/**/test", "lib-opensource/**/src"],
         filter => "*.erl",
         rules => [
            {elvis_text_style, line_length, #{ limit => 100

etc/emqx.conf

@@ -184,12 +184,12 @@ cluster.autoclean = 5m
 ## Value: <name>@<host>
 ##
 ## Default: emqx@127.0.0.1
-node.name = emqx@127.0.0.1
+node.name = "emqx@127.0.0.1"
 
 ## Cookie for distributed node communication.
 ##
 ## Value: String
-node.cookie = emqxsecretcookie
+node.cookie = "emqxsecretcookie"
 
 ## Data dir for the node
 ##
@@ -1317,7 +1317,8 @@ listener.ssl.external.access.1 = "allow all"
 ## See: http://erlang.org/doc/man/ssl.html
 ##
 ## Value: String, seperated by ','
-## listener.ssl.external.tls_versions = "tlsv1.2,tlsv1.1,tlsv1"
+## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier
+## listener.ssl.external.tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"
 
 ## TLS Handshake timeout.
 ##
@@ -1563,7 +1564,7 @@ listener.ws.external.access.1 = "allow all"
 ## Supported subprotocols
 ##
 ## Default: mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5
-## listener.ws.external.supported_protocols = mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5
+## listener.ws.external.supported_protocols = "mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5"
 
 ## Enable the Proxy Protocol V1/2 if the EMQ cluster is deployed behind
 ## HAProxy or Nginx.
@@ -1784,7 +1785,7 @@ listener.wss.external.access.1 = "allow all"
 ## Supported subprotocols
 ##
 ## Default: mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5
-## listener.ws.external.supported_protocols = mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5
+## listener.wss.external.supported_protocols = "mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5"
 
 ## Enable the Proxy Protocol V1/2 support.
 ##
@@ -1805,7 +1806,8 @@ listener.wss.external.access.1 = "allow all"
 ## See: listener.ssl.$name.tls_versions
 ##
 ## Value: String, seperated by ','
-## listener.wss.external.tls_versions = "tlsv1.2,tlsv1.1,tlsv1"
+## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier
+## listener.wss.external.tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"
 
 ## Path to the file containing the user's private PEM-encoded key.
 ##

get-dashboard.sh

@@ -1,6 +1,5 @@
-#!/bin/sh
+#!/bin/bash
 
-#set -euo pipefail
 set -eu
 
 VERSION="$1"
@@ -10,7 +9,11 @@ cd -P -- "$(dirname -- "$0")"
 
 DOWNLOAD_URL='https://github.com/emqx/emqx-dashboard-frontend/releases/download'
 
-DASHBOARD_PATH='apps/emqx_dashboard/priv'
+if [ "$EMQX_ENTERPRISE" = 'true' ] || [ "$EMQX_ENTERPRISE" == '1' ]; then
+    DASHBOARD_PATH='lib-enterprise/emqx_dashboard/priv'
+else
+    DASHBOARD_PATH='lib-opensource/emqx_dashboard/priv'
+fi
 
 case $(uname) in
     *Darwin*) SED="sed -E";;

lib-opensource/emqx_dashboard/etc/emqx_dashboard.conf

@@ -105,7 +105,8 @@ dashboard.listener.http.ipv6_v6only = false
 ## TLS versions only to protect from POODLE attack.
 ##
 ## Value: String, seperated by ','
-## dashboard.listener.https.tls_versions = "tlsv1.2,tlsv1.1,tlsv1"
+## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier
+## dashboard.listener.https.tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"
 
 ## See: 'listener.ssl.<name>.ciphers' in emq.conf
 ##

lib-opensource/emqx_management/etc/emqx_management.conf

@@ -45,6 +45,7 @@ management.listener.http.ipv6_v6only = false
 ## management.listener.https.keyfile = "etc/certs/key.pem"
 ## management.listener.https.cacertfile = "etc/certs/cacert.pem"
 ## management.listener.https.verify = verify_peer
+## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier
 ## management.listener.https.tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"
 ## management.listener.https.ciphers = "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256,TLS_AES_128_CCM_8_SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
 ## management.listener.https.fail_if_no_peer_cert = true