diff --git a/apps/emqx/src/emqx_const_v2.erl b/apps/emqx/src/emqx_const_v2.erl
index a4c321b4c..a3b7980ff 100644
--- a/apps/emqx/src/emqx_const_v2.erl
+++ b/apps/emqx/src/emqx_const_v2.erl
@@ -1,5 +1,5 @@
 %%--------------------------------------------------------------------
-%% Copyright (c) 2023 EMQ Technologies Co., Ltd. All Rights Reserved.
+%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
 %%
 %% Licensed under the Apache License, Version 2.0 (the "License");
 %% you may not use this file except in compliance with the License.
diff --git a/apps/emqx/test/emqx_listener_tls_verify_chain_SUITE.erl b/apps/emqx/test/emqx_listener_tls_verify_chain_SUITE.erl
index a0d4ab9d1..0b445c939 100644
--- a/apps/emqx/test/emqx_listener_tls_verify_chain_SUITE.erl
+++ b/apps/emqx/test/emqx_listener_tls_verify_chain_SUITE.erl
@@ -1,5 +1,5 @@
 %%--------------------------------------------------------------------
-%% Copyright (c) 2023 EMQ Technologies Co., Ltd. All Rights Reserved.
+%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
 %%
 %% Licensed under the Apache License, Version 2.0 (the "License");
 %% you may not use this file except in compliance with the License.
@@ -58,7 +58,8 @@ t_conn_fail_with_intermediate_ca_cert(Config) ->
 Port,
 [
 {keyfile, filename:join(DataDir, "client1.key")},
- {certfile, filename:join(DataDir, "client1.pem")}
+ {certfile, filename:join(DataDir, "client1.pem")},
+ {verify, verify_none}
 ],
 1000
 ),
@@ -83,7 +84,8 @@ t_conn_fail_with_other_intermediate_ca_cert(Config) ->
 Port,
 [
 {keyfile, filename:join(DataDir, "client2.key")},
- {certfile, filename:join(DataDir, "client2.pem")}
+ {certfile, filename:join(DataDir, "client2.pem")},
+ {verify, verify_none}
 ],
 1000
 ),
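Review bot: The `{verify, verify_none}` added to the client options in the @@ -58 hunk carries no explanation, and the same bare option is repeated in the @@ -83 hunk, in the following client-option hunks of this suite, in every client-option hunk of emqx_listener_tls_verify_keyusage_SUITE.erl, and in client_default_tls_opts/0 of emqx_listener_tls_verify_partial_chain_SUITE.erl. Judging by the test names, these suites exercise the listener's verification of the client certificate chain, so the client not verifying the server is presumably deliberate (most likely to keep the tests independent of the ssl client's default verify mode), but a reader cannot tell that from the option alone. A one-line comment at the first occurrence, `%% client-side verification is intentionally off: the suite tests the server's verification of the client chain`, or a small shared helper such as `client_tls_opts(DataDir, Key, Cert)` returning the three-element list, would state the intent and remove the repetition. The enclosing test functions start before each hunk and continue after it.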
@@ -110,7 +112,8 @@ t_conn_success_with_server_client_composed_complete_chain(Config) ->
 Port,
 [
 {keyfile, filename:join(DataDir, "client2.key")},
- {certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")}
+ {certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")},
+ {verify, verify_none}
 ],
 1000
 ),
@@ -136,7 +139,8 @@ t_conn_success_with_other_signed_client_composed_complete_chain(Config) ->
 Port,
 [
 {keyfile, filename:join(DataDir, "client2.key")},
- {certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")}
+ {certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")},
+ {verify, verify_none}
 ],
 1000
 ),
@@ -161,7 +165,8 @@ t_conn_success_with_renewed_intermediate_root_bundle(Config) ->
 Port,
 [
 {keyfile, filename:join(DataDir, "client1.key")},
- {certfile, filename:join(DataDir, "client1.pem")}
+ {certfile, filename:join(DataDir, "client1.pem")},
+ {verify, verify_none}
 ],
 1000
 ),
@@ -185,7 +190,8 @@ t_conn_success_with_client_complete_cert_chain(Config) ->
 Port,
 [
 {keyfile, filename:join(DataDir, "client2.key")},
- {certfile, filename:join(DataDir, "client2-complete-bundle.pem")}
+ {certfile, filename:join(DataDir, "client2-complete-bundle.pem")},
+ {verify, verify_none}
 ],
 1000
 ),
@@ -237,7 +243,8 @@ t_conn_fail_without_root_cacert(Config) ->
 {keyfile, filename:join(DataDir, "client2.key")},
 {certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")},
 %% stick to tlsv1.2 for consistent error message
- {versions, ['tlsv1.2']}
+ {versions, ['tlsv1.2']},
+ {cacertfile, filename:join(DataDir, "intermediate2.pem")}
 ],
 1000
 ),
diff --git a/apps/emqx/test/emqx_listener_tls_verify_keyusage_SUITE.erl b/apps/emqx/test/emqx_listener_tls_verify_keyusage_SUITE.erl
index 54ef07be0..8265a7492 100644
--- a/apps/emqx/test/emqx_listener_tls_verify_keyusage_SUITE.erl
+++ b/apps/emqx/test/emqx_listener_tls_verify_keyusage_SUITE.erl
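Review bot: In the @@ -237 hunk (t_conn_fail_without_root_cacert) the client receives `{cacertfile, filename:join(DataDir, "intermediate2.pem")}` where every sibling hunk adds `{verify, verify_none}`, and nothing records why this test keeps client-side verification in play or why an intermediate rather than a root CA is the trusted file. Judging by the test name, the failure under test should originate from the server lacking the root CA, so presumably the client is given a CA it can verify the server with only so that its own verification does not fail first and mask the server-side reason; that is worth a comment beside the existing `%% stick to tlsv1.2 for consistent error message` line, e.g. `%% trust the server's issuer on the client side so the expected failure comes from the listener, not from client verification`. If the server certificate is not in fact issued under intermediate2.pem, this option yields a client-side verification error instead, so the assertion on the error reason later in the function (outside the hunk) should be checked against that. t_conn_fail_without_root_cacert/1 starts before and ends after the hunk.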
@@ -1,5 +1,5 @@
 %%--------------------------------------------------------------------
-%% Copyright (c) 2023 EMQ Technologies Co., Ltd. All Rights Reserved.
+%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
 %%
 %% Licensed under the Apache License, Version 2.0 (the "License");
 %% you may not use this file except in compliance with the License.
@@ -77,7 +77,8 @@ t_conn_success_verify_peer_ext_key_usage_unset(Config) ->
 Port,
 [
 {keyfile, filename:join(DataDir, "client1.key")},
- {certfile, filename:join(DataDir, "client1.pem")}
+ {certfile, filename:join(DataDir, "client1.pem")},
+ {verify, verify_none}
 ],
 1000
 ),
@@ -102,7 +103,8 @@ t_conn_success_verify_peer_ext_key_usage_undefined(Config) ->
 Port,
 [
 {keyfile, filename:join(DataDir, "client1.key")},
- {certfile, filename:join(DataDir, "client1.pem")}
+ {certfile, filename:join(DataDir, "client1.pem")},
+ {verify, verify_none}
 ],
 1000
 ),
@@ -129,7 +131,8 @@ t_conn_success_verify_peer_ext_key_usage_matched_predefined(Config) ->
 Port,
 [
 {keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
- {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
+ {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
+ {verify, verify_none}
 ],
 1000
 ),
@@ -157,7 +160,8 @@ t_conn_success_verify_peer_ext_key_usage_matched_raw_oid(Config) ->
 Port,
 [
 {keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
- {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
+ {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
+ {verify, verify_none}
 ],
 1000
 ),
@@ -184,7 +188,8 @@ t_conn_success_verify_peer_ext_key_usage_matched_ordered_list(Config) ->
 Port,
 [
 {keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
- {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
+ {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
+ {verify, verify_none}
 ],
 1000
 ),
@@ -210,7 +215,8 @@ t_conn_success_verify_peer_ext_key_usage_matched_unordered_list(Config) ->
 Port,
 [
 {keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
- {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
+ {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
+ {verify, verify_none}
 ],
 1000
 ),
@@ -237,7 +243,8 @@ t_conn_fail_verify_peer_ext_key_usage_unmatched_raw_oid(Config) ->
 Port,
 [
 {keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
- {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
+ {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
+ {verify, verify_none}
 ],
 1000
 ),
@@ -263,7 +270,8 @@ t_conn_fail_verify_peer_ext_key_usage_empty_str(Config) ->
 Port,
 [
 {keyfile, filename:join(DataDir, "client1.key")},
- {certfile, filename:join(DataDir, "client1.pem")}
+ {certfile, filename:join(DataDir, "client1.pem")},
+ {verify, verify_none}
 ],
 1000
 ),
@@ -290,7 +298,8 @@ t_conn_fail_client_keyusage_unmatch(Config) ->
 Port,
 [
 {keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
- {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
+ {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
+ {verify, verify_none}
 ],
 1000
 ),
@@ -317,7 +326,8 @@ t_conn_fail_client_keyusage_incomplete(Config) ->
 Port,
 [
 {keyfile, filename:join(DataDir, "client1.key")},
- {certfile, filename:join(DataDir, "client1.pem")}
+ {certfile, filename:join(DataDir, "client1.pem")},
+ {verify, verify_none}
 ],
 1000
 ),
diff --git a/apps/emqx/test/emqx_listener_tls_verify_partial_chain_SUITE.erl b/apps/emqx/test/emqx_listener_tls_verify_partial_chain_SUITE.erl
index 7c5f471b9..1a1963dc9 100644
--- a/apps/emqx/test/emqx_listener_tls_verify_partial_chain_SUITE.erl
+++ b/apps/emqx/test/emqx_listener_tls_verify_partial_chain_SUITE.erl
@@ -1,5 +1,5 @@
 %%--------------------------------------------------------------------
-%% Copyright (c) 2023 EMQ Technologies Co., Ltd. All Rights Reserved.
+%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
 %%
 %% Licensed under the Apache License, Version 2.0 (the "License");
 %% you may not use this file except in compliance with the License.
@@ -702,4 +702,7 @@ ssl_config_verify_partial_chain() ->
 ].
 
 client_default_tls_opts() ->
- [{versions, ['tlsv1.2']}].
+ [
+ {versions, ['tlsv1.2']},
+ {verify, verify_none}
+ ].
diff --git a/apps/emqx/test/emqx_test_tls_certs_helper.erl b/apps/emqx/test/emqx_test_tls_certs_helper.erl
index 880dc6bfd..759b42821 100644
--- a/apps/emqx/test/emqx_test_tls_certs_helper.erl
+++ b/apps/emqx/test/emqx_test_tls_certs_helper.erl
@@ -1,5 +1,5 @@
 %%--------------------------------------------------------------------
-%% Copyright (c) 2023 EMQ Technologies Co., Ltd. All Rights Reserved.
+%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
 %%
 %% Licensed under the Apache License, Version 2.0 (the "License");
 %% you may not use this file except in compliance with the License.
@@ -40,6 +40,7 @@ emqx_start_listener(Name, Type, Port, Opts) when is_list(Opts) ->
 emqx_start_listener(Name, Type, Port, maps:from_list(Opts));
 emqx_start_listener(Name, ssl, Port, #{ssl_options := SslOptions} = Opts0) ->
 Opts = Opts0#{
+ enable => true,
 bind => {{127, 0, 0, 1}, Port},
 mountpoint => <<>>,
 zone => default,
diff --git a/changes/ce/feat-11721.zh.md b/changes/ce/feat-11721.zh.md
deleted file mode 100644
index e448f0953..000000000
--- a/changes/ce/feat-11721.zh.md
+++ /dev/null
@@ -1,4 +0,0 @@
- 移植 emqx 4.4 中的两项 TLS 握手验证功能
-
-- 支持部分链 ( partial_chain )
-- 证书密钥使用验证
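Review bot: In the @@ -40 hunk of emqx_test_tls_certs_helper.erl, `enable => true` is written into the `Opts0#{...}` update after the caller's options, so a caller that passes its own `enable` value in Opts0 has it silently overridden, in the same way `bind`, `mountpoint` and `zone` already are. If forcing the listener on is the intended contract of this helper, a short comment on the new line, `%% always enabled: callers cannot opt out through Opts0`, would record that; if callers should be able to override it, the fixed defaults belong on the left of a `maps:merge/2` with Opts0 on the right. The function clause continues past the end of the hunk, so any later use of `enable` is not visible here.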