diff --git a/apps/emqx/src/emqx_schema.erl b/apps/emqx/src/emqx_schema.erl
index dcce6e438..a50f3a5f6 100644
--- a/apps/emqx/src/emqx_schema.erl
+++ b/apps/emqx/src/emqx_schema.erl
@@ -88,23 +88,26 @@ roots(high) ->
}
, {"zones",
sc(map("name", ref("zone")),
- #{ desc => "A zone is a set of configs grouped by the zone name.
"
- "For flexible configuration mapping, the name "
- "can be set to a listener's zone config.
"
- "NOTE: A builtin zone named default is auto created "
- "and can not be deleted."
+ #{ desc =>
+"""A zone is a set of configs grouped by the zone name.
+For flexible configuration mapping, the name
+can be set to a listener's zone config.
+NOTE: A builtin zone named default is auto created
+and can not be deleted."""
})}
, {"mqtt",
sc(ref("mqtt"),
- #{ desc => "Global MQTT configuration.
"
- "The configs here work as default values which can be overriden "
- "in zone configs"
+ #{ desc =>
+"""Global MQTT configuration.
+The configs here work as default values which can be overriden
+in zone configs"""
})}
, {"authentication",
sc(hoconsc:lazy(hoconsc:array(map())),
- #{ desc => "Default authentication configs for all MQTT listeners.
"
- "For per-listener overrides see authentication "
- "in listener configs"
+ #{ desc =>
+"""Default authentication configs for all MQTT listeners.
+For per-listener overrides see authentication
+in listener configs"""
})}
, {"authorization",
sc(ref("authorization"),
@@ -956,7 +959,7 @@ common_ssl_opts_schema(Defaults) ->
#{ sensitive => true
, nullable => true
, desc =>
-"""String containing the user's password. Only used if the private
+"""String containing the user's password. Only used if the private
keyfile is password-protected."""
})
}
@@ -967,7 +970,7 @@ keyfile is password-protected."""
"""All TLS/DTLS versions to be supported.
NOTE: PSK ciphers are suppresed by 'tlsv1.3' version config
In case PSK cipher suites are intended, make sure to configured
-['tlsv1.2', 'tlsv1.1'] here
.
+['tlsv1.2', 'tlsv1.1'] here.
"""
})
}
@@ -982,9 +985,9 @@ In case PSK cipher suites are intended, make sure to configured
sc(boolean(),
#{ default => Df("secure_renegotiate", true)
, desc => """
-SSL parameter renegotiation is a feature that allows a client and a server
-to renegotiate the parameters of the SSL connection on the fly.
-RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation,
+SSL parameter renegotiation is a feature that allows a client and a server
+to renegotiate the parameters of the SSL connection on the fly.
+RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation,
you drop support for the insecure renegotiation, prone to MitM attacks.
"""
})
@@ -1003,9 +1006,9 @@ server_ssl_opts_schema(Defaults, IsRanchListener) ->
#{ default => D("dhfile")
, nullable => true
, desc =>
-"""Path to a file containing PEM-encoded Diffie Hellman parameters
-to be used by the server if a cipher suite using Diffie Hellman
-key exchange is negotiated. If not specified, default parameters
+"""Path to a file containing PEM-encoded Diffie Hellman parameters
+to be used by the server if a cipher suite using Diffie Hellman
+key exchange is negotiated. If not specified, default parameters
are used.
NOTE: The dhfile option is not supported by TLS 1.3."""
})
@@ -1015,10 +1018,10 @@ NOTE: The dhfile option is not supported by TLS 1.3."""
#{ default => Df("fail_if_no_peer_cert", false)
, desc =>
"""
-Used together with {verify, verify_peer} by an TLS/DTLS server.
-If set to true, the server fails if the client does not have a
-certificate to send, that is, sends an empty certificate.
-If set to false, it fails only if the client sends an invalid
+Used together with {verify, verify_peer} by an TLS/DTLS server.
+If set to true, the server fails if the client does not have a
+certificate to send, that is, sends an empty certificate.
+If set to false, it fails only if the client sends an invalid
certificate (an empty certificate is considered valid).
"""
})
@@ -1032,13 +1035,13 @@ certificate (an empty certificate is considered valid).
sc(boolean(),
#{ default => Df("client_renegotiation", true)
, desc => """
-In protocols that support client-initiated renegotiation,
-the cost of resources of such an operation is higher for the server than the client.
-This can act as a vector for denial of service attacks.
-The SSL application already takes measures to counter-act such attempts,
-but client-initiated renegotiation can be strictly disabled by setting this option to false.
-The default value is true. Note that disabling renegotiation can result in
-long-lived connections becoming unusable due to limits on
+In protocols that support client-initiated renegotiation,
+the cost of resources of such an operation is higher for the server than the client.
+This can act as a vector for denial of service attacks.
+The SSL application already takes measures to counter-act such attempts,
+but client-initiated renegotiation can be strictly disabled by setting this option to false.
+The default value is true. Note that disabling renegotiation can result in
+long-lived connections becoming unusable due to limits on
the number of messages the underlying cipher suite can encipher.
"""
})
@@ -1060,15 +1063,15 @@ client_ssl_opts_schema(Defaults) ->
#{ default => disable
, desc =>
"""Specify the host name to be used in TLS Server Name Indication extension.
-For instance, when connecting to \"server.example.net\", the genuine server
-which accedpts the connection and performs TSL handshake may differ from the
-host the TLS client initially connects to, e.g. when connecting to an IP address
+For instance, when connecting to \"server.example.net\", the genuine server
+which accedpts the connection and performs TSL handshake may differ from the
+host the TLS client initially connects to, e.g. when connecting to an IP address
or when the host has multiple resolvable DNS records
-If not specified, it will default to the host name string which is used
+If not specified, it will default to the host name string which is used
to establish the connection, unless it is IP addressed used.
-The host name is then also used in the host name verification of the peer
+The host name is then also used in the host name verification of the peer
certificate.
The special value 'disable' prevents the Server Name
-Indication extension from being sent and disables the hostname
+Indication extension from being sent and disables the hostname
verification check."""
})}
].
@@ -1090,22 +1093,22 @@ ciphers_schema(Default) ->
end
, validator => fun validate_ciphers/1
, desc =>
-"""TLS cipher suite names separated by comma, or as an array of strings
-\"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256\" or
+"""TLS cipher suite names separated by comma, or as an array of strings
+\"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256\" or
[\"TLS_AES_256_GCM_SHA384\",\"TLS_AES_128_GCM_SHA256\"]
-Ciphers (and their ordering) define the way in which the
-client and server encrypts information over the wire.
-Selecting a good cipher suite is critical for the
-application's data security, confidentiality and performance.
-The names should be in OpenSSL sting format (not RFC format).
-Default values and examples proveded by EMQ X config
+Ciphers (and their ordering) define the way in which the
+client and server encrypts information over the wire.
+Selecting a good cipher suite is critical for the
+application's data security, confidentiality and performance.
+The names should be in OpenSSL sting format (not RFC format).
+Default values and examples proveded by EMQ X config
documentation are all in OpenSSL format.
-NOTE: Certain cipher suites are only compatible with
-specific TLS versions ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3')
-incompatible cipher suites will be silently dropped.
-For instance, if only 'tlsv1.3' is given in the versions,
+NOTE: Certain cipher suites are only compatible with
+specific TLS versions ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3')
+incompatible cipher suites will be silently dropped.
+For instance, if only 'tlsv1.3' is given in the versions,
configuring cipher suites for other versions will have no effect.