Merge pull request #5876 from zmstone/fix-ssl-config-validation

fix(ssl): config validation
2021-10-05 21:02:12 +02:00 · 2021-10-05 21:02:12 +02:00 · 5369eb231b
parent af36e1a791 ce486e5540
commit 5369eb231b
2 changed files with 9 additions and 14 deletions
--- a/apps/emqx/src/emqx_schema.erl
+++ b/apps/emqx/src/emqx_schema.erl
@ -1290,10 +1290,7 @@ parse_user_lookup_fun(StrConf) ->
    {fun Mod:Fun/3, undefined}.

 validate_ciphers(Ciphers) ->
-    All = case is_tlsv13_available() of
-              true -> ssl:cipher_suites(all, 'tlsv1.3', openssl);
-              false -> []
-          end ++ ssl:cipher_suites(all, 'tlsv1.2', openssl),
+    All = emqx_tls_lib:all_ciphers(),
    case lists:filter(fun(Cipher) -> not lists:member(Cipher, All) end, Ciphers) of
        [] -> ok;
        Bad -> {error, {bad_ciphers, Bad}}
@ -1306,6 +1303,3 @@ validate_tls_versions(Versions) ->
        [] -> ok;
        Vs -> {error, {unsupported_ssl_versions, Vs}}
    end.
-
-is_tlsv13_available() ->
-    lists:member('tlsv1.3', proplists:get_value(available, ssl:versions())).
--- a/apps/emqx/src/emqx_tls_lib.erl
+++ b/apps/emqx/src/emqx_tls_lib.erl
@ -22,6 +22,7 @@
        , selected_ciphers/1
        , integral_ciphers/2
        , drop_tls13_for_old_otp/1
+        , all_ciphers/0
        ]).

 %% non-empty string
@ -59,6 +60,9 @@ integral_versions(Desired) ->
            Filtered
    end.

+%% @doc Return a list of all supported ciphers.
+all_ciphers() -> all_ciphers(default_versions()).
+
 %% @doc Return a list of (openssl string format) cipher suites.
 -spec all_ciphers([ssl:tls_version()]) -> [string()].
 all_ciphers(['tlsv1.3']) ->
@ -90,7 +94,7 @@ do_selected_ciphers('tlsv1.3') ->
 do_selected_ciphers(_) ->
    [ "ECDHE-ECDSA-AES256-GCM-SHA384",
      "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
-      "ECDHE-ECDSA-DES-CBC3-SHA", "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384",
+      "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384",
      "ECDH-ECDSA-AES256-SHA384", "ECDH-RSA-AES256-SHA384", "DHE-DSS-AES256-GCM-SHA384",
      "DHE-DSS-AES256-SHA256", "AES256-GCM-SHA384", "AES256-SHA256",
      "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
@ -98,15 +102,14 @@ do_selected_ciphers(_) ->
      "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-SHA256", "ECDH-RSA-AES128-SHA256",
      "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256",
      "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA",
-      "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "AES256-SHA", "ECDHE-ECDSA-AES128-SHA",
+      "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA",
      "ECDHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "ECDH-ECDSA-AES128-SHA",
-      "ECDH-RSA-AES128-SHA", "AES128-SHA",
+      "ECDH-RSA-AES128-SHA",

      %% psk
      "RSA-PSK-AES256-GCM-SHA384","RSA-PSK-AES256-CBC-SHA384",
      "RSA-PSK-AES128-GCM-SHA256","RSA-PSK-AES128-CBC-SHA256",
-      "RSA-PSK-AES256-CBC-SHA","RSA-PSK-AES128-CBC-SHA",
-      "RSA-PSK-DES-CBC3-SHA","RSA-PSK-RC4-SHA"
+      "RSA-PSK-AES256-CBC-SHA","RSA-PSK-AES128-CBC-SHA"
    ].

 %% @doc Ensure version & cipher-suites integrity.
@ -213,8 +216,6 @@ drop_tls13(SslOpts0) ->
 -ifdef(TEST).
 -include_lib("eunit/include/eunit.hrl").

-all_ciphers() -> all_ciphers(default_versions()).
-
 drop_tls13_test() ->
    Versions = default_versions(),
    ?assert(lists:member('tlsv1.3', Versions)),