From b42a2f2bc24c13d26fc342be197f929d996bd30b Mon Sep 17 00:00:00 2001
From: Zaiming Shi
Date: Tue, 5 Oct 2021 15:11:06 +0200
Subject: [PATCH 1/2] fix(ssl): delete some weak cipher suites from the default list
---
 apps/emqx/src/emqx_tls_lib.erl | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/apps/emqx/src/emqx_tls_lib.erl b/apps/emqx/src/emqx_tls_lib.erl
index 11145f684..6a05274a6 100644
--- a/apps/emqx/src/emqx_tls_lib.erl
+++ b/apps/emqx/src/emqx_tls_lib.erl
@@ -90,7 +90,7 @@ do_selected_ciphers('tlsv1.3') ->
 do_selected_ciphers(_) -> [ "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384", - "ECDHE-ECDSA-DES-CBC3-SHA", "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384", + "ECDH-ECDSA-AES256-GCM-SHA384", "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-SHA384", "ECDH-RSA-AES256-SHA384", "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES256-SHA256", "AES256-GCM-SHA384", "AES256-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
@@ -98,15 +98,14 @@ do_selected_ciphers(_) ->
 "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-SHA256", "ECDH-RSA-AES128-SHA256", "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256", "AES128-GCM-SHA256", "AES128-SHA256", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", - "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "AES256-SHA", "ECDHE-ECDSA-AES128-SHA", + "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "ECDH-ECDSA-AES128-SHA", - "ECDH-RSA-AES128-SHA", "AES128-SHA", + "ECDH-RSA-AES128-SHA", %% psk "RSA-PSK-AES256-GCM-SHA384","RSA-PSK-AES256-CBC-SHA384", "RSA-PSK-AES128-GCM-SHA256","RSA-PSK-AES128-CBC-SHA256", - "RSA-PSK-AES256-CBC-SHA","RSA-PSK-AES128-CBC-SHA", - "RSA-PSK-DES-CBC3-SHA","RSA-PSK-RC4-SHA" + "RSA-PSK-AES256-CBC-SHA","RSA-PSK-AES128-CBC-SHA" ]. %% @doc Ensure version & cipher-suites integrity.
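Review bot: The default list left behind by the `-90,7` hunk still offers key exchanges without forward secrecy: the static-RSA entries `AES256-GCM-SHA384` and `AES256-SHA256` and the static `ECDH-ECDSA-*`/`ECDH-RSA-*` entries remain as context lines. The `-98,15` hunk likewise keeps `AES128-GCM-SHA256` and `AES128-SHA256` while dropping the static-RSA `AES256-SHA` and `AES128-SHA`. If the intended rule is only "no 3DES, no RC4, no RSA key exchange with CBC-SHA1", state it above the list so the remaining entries read as a decision rather than an oversight, for example `%% excluded by policy: 3DES, RC4, RSA-kx CBC-SHA; static RSA/ECDH suites are kept on purpose` (adjust to the actual rationale). Otherwise consider removing those suites in the same change. The list literal continues past the end of this hunk, so entries not shown here may need the same look.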
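Review bot: Nothing in this patch stops a 3DES or RC4 suite from being added back to the default list later; the removals in the `-98,15` hunk (`RSA-PSK-DES-CBC3-SHA`, `RSA-PSK-RC4-SHA`) and in the `-90,7` hunk are enforced only by the literal itself. An EUnit case in this module's test section would pin it, e.g. `?assertEqual([], [C || C <- do_selected_ciphers('tlsv1.2'), string:find(C, "DES") =/= nomatch orelse string:find(C, "RC4") =/= nomatch])`. Clients that can negotiate only one of the removed suites will fail the handshake after an upgrade, so the change also deserves a changelog entry. The body of `do_selected_ciphers/1` starts before this hunk.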
From ce486e55405d85a0a534122199c41401e1065347 Mon Sep 17 00:00:00 2001
From: Zaiming Shi
Date: Tue, 5 Oct 2021 15:25:56 +0200
Subject: [PATCH 2/2] fix(ssl): verify ciphers list against all available ciphers
Prior to this change the ciphers are only checked against the list returned from from `ssl:cipher_suites(all, 'tlsv1.2', openssl)` which may cause some (weak) ciphers missing in certain otp + openssl installation
---
 apps/emqx/src/emqx_schema.erl | 8 +-------
 apps/emqx/src/emqx_tls_lib.erl | 6 ++++--
 2 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/apps/emqx/src/emqx_schema.erl b/apps/emqx/src/emqx_schema.erl
index 31f973421..a2fb13bab 100644
--- a/apps/emqx/src/emqx_schema.erl
+++ b/apps/emqx/src/emqx_schema.erl
@@ -1290,10 +1290,7 @@ parse_user_lookup_fun(StrConf) ->
 {fun Mod:Fun/3, undefined}.
 validate_ciphers(Ciphers) ->
- All = case is_tlsv13_available() of
- true -> ssl:cipher_suites(all, 'tlsv1.3', openssl);
- false -> []
- end ++ ssl:cipher_suites(all, 'tlsv1.2', openssl),
+ All = emqx_tls_lib:all_ciphers(),
 case lists:filter(fun(Cipher) -> not lists:member(Cipher, All) end, Ciphers) of
 [] -> ok;
 Bad -> {error, {bad_ciphers, Bad}}
@@ -1306,6 +1303,3 @@ validate_tls_versions(Versions) ->
 [] -> ok;
 Vs -> {error, {unsupported_ssl_versions, Vs}}
 end.
-
-is_tlsv13_available() ->
- lists:member('tlsv1.3', proplists:get_value(available, ssl:versions())).
diff --git a/apps/emqx/src/emqx_tls_lib.erl b/apps/emqx/src/emqx_tls_lib.erl
index 6a05274a6..3b3953b83 100644
--- a/apps/emqx/src/emqx_tls_lib.erl
+++ b/apps/emqx/src/emqx_tls_lib.erl
@@ -22,6 +22,7 @@
 , selected_ciphers/1
 , integral_ciphers/2
 , drop_tls13_for_old_otp/1
+ , all_ciphers/0
 ]).
 %% non-empty string
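Review bot: In the `-1290,10` hunk, `validate_ciphers/1` now accepts whatever `emqx_tls_lib:all_ciphers()` returns, and the commit message says this is meant to admit (weak) suites the old check left out, so a configuration naming one of them passes validation silently. The body of `all_ciphers/1` is not part of this patch, so which suites that covers presumably depends on the OTP and OpenSSL build. Document the contract at the call site, for example `%% Checks availability only: any suite the runtime knows is accepted, including legacy ones dropped from the default list`. Also consider logging a warning for accepted suites that are not in the defaults, so an operator notices when a listener is configured with them. The function's closing `end.` lies outside the hunk.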
@@ -59,6 +60,9 @@ integral_versions(Desired) ->
 Filtered
 end.
+%% @doc Return a list of all supported ciphers.
+all_ciphers() -> all_ciphers(default_versions()).
+
 %% @doc Return a list of (openssl string format) cipher suites.
 -spec all_ciphers([ssl:tls_version()]) -> [string()].
 all_ciphers(['tlsv1.3']) ->
@@ -212,8 +216,6 @@ drop_tls13(SslOpts0) ->
 -ifdef(TEST).
 -include_lib("eunit/include/eunit.hrl").
-all_ciphers() -> all_ciphers(default_versions()).
-
 drop_tls13_test() ->
 Versions = default_versions(),
 ?assert(lists:member('tlsv1.3', Versions)),
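Review bot: The newly exported `all_ciphers/0` in the `-59,6 +60,9` hunk has no `-spec`, although `all_ciphers/1` directly below it does; add `-spec all_ciphers() -> [string()].` above the clause. The `@doc` line also overstates the result: the visible body returns the suites for `default_versions()` only, so it would read better as `%% @doc Return all cipher suites (openssl string format) available for the default TLS versions.` This matters because `emqx_schema:validate_ciphers/1` now uses this list as its allow-set. What `default_versions()` contains is not visible in this patch.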