fix(tls): remove `cacerts` config for now
Fixes https://github.com/emqx/emqx/issues/11370 Related: https://github.com/emqx/emqx/pull/11371
This commit is contained in:
Thales Macedo Garitezi
parent
b24e7e2559
commit
7687770821
|
|
@ -2017,14 +2017,6 @@ common_ssl_opts_schema(Defaults, Type) ->
|
|||
desc => ?DESC(common_ssl_opts_schema_cacertfile)
|
||||
}
|
||||
)},
|
||||
{"cacerts",
|
||||
sc(
|
||||
boolean(),
|
||||
#{
|
||||
default => false,
|
||||
desc => ?DESC(common_ssl_opts_schema_cacerts)
|
||||
}
|
||||
)},
|
||||
{"certfile",
|
||||
sc(
|
||||
binary(),
|
||||
|
|
|
|||
|
|
@ -478,13 +478,11 @@ to_server_opts(Type, Opts) ->
|
|||
Versions = integral_versions(Type, maps:get(versions, Opts, undefined)),
|
||||
Ciphers = integral_ciphers(Versions, maps:get(ciphers, Opts, undefined)),
|
||||
Path = fun(Key) -> resolve_cert_path_for_read_strict(maps:get(Key, Opts, undefined)) end,
|
||||
CACerts = get_cacerts(maps:get(cacerts, Opts, false)),
|
||||
ensure_valid_options(
|
||||
maps:to_list(Opts#{
|
||||
keyfile => Path(keyfile),
|
||||
certfile => Path(certfile),
|
||||
cacertfile => Path(cacertfile),
|
||||
cacerts => CACerts,
|
||||
ciphers => Ciphers,
|
||||
versions => Versions
|
||||
}),
|
||||
|
|
@ -513,13 +511,11 @@ to_client_opts(Type, Opts) ->
|
|||
SNI = ensure_sni(Get(server_name_indication)),
|
||||
Versions = integral_versions(Type, Get(versions)),
|
||||
Ciphers = integral_ciphers(Versions, Get(ciphers)),
|
||||
CACerts = get_cacerts(GetD(cacerts, false)),
|
||||
ensure_valid_options(
|
||||
[
|
||||
{keyfile, KeyFile},
|
||||
{certfile, CertFile},
|
||||
{cacertfile, CAFile},
|
||||
{cacerts, CACerts},
|
||||
{verify, Verify},
|
||||
{server_name_indication, SNI},
|
||||
{versions, Versions},
|
||||
|
|
@ -665,13 +661,3 @@ ensure_ssl_file_key(SSL, RequiredKeyPaths) ->
|
|||
[] -> ok;
|
||||
Miss -> {error, #{reason => ssl_file_option_not_found, which_options => Miss}}
|
||||
end.
|
||||
|
||||
get_cacerts(true = _UseSystemCACerts) ->
|
||||
try
|
||||
public_key:cacerts_get()
|
||||
catch
|
||||
_:_ ->
|
||||
undefined
|
||||
end;
|
||||
get_cacerts(false = _UseSystemCACerts) ->
|
||||
undefined.
|
||||
|
|
|
|||
|
|
@ -229,7 +229,6 @@ to_client_opts_test() ->
|
|||
Versions13Only = ['tlsv1.3'],
|
||||
Options = #{
|
||||
enable => true,
|
||||
cacerts => true,
|
||||
verify => "Verify",
|
||||
server_name_indication => "SNI",
|
||||
ciphers => "Ciphers",
|
||||
|
|
@ -265,28 +264,7 @@ to_client_opts_test() ->
|
|||
)
|
||||
)
|
||||
),
|
||||
Expected4 = lists:usort(maps:keys(Options) -- [enable, cacerts]),
|
||||
?assertEqual(
|
||||
Expected4,
|
||||
lists:usort(
|
||||
proplists:get_keys(
|
||||
emqx_tls_lib:to_client_opts(tls, Options#{cacerts := false})
|
||||
)
|
||||
)
|
||||
),
|
||||
emqx_common_test_helpers:with_mock(
|
||||
public_key,
|
||||
cacerts_get,
|
||||
fun() -> ok = {error, enoent} end,
|
||||
fun() ->
|
||||
?assertNot(
|
||||
lists:member(
|
||||
cacerts,
|
||||
proplists:get_keys(emqx_tls_lib:to_client_opts(tls, Options))
|
||||
)
|
||||
)
|
||||
end
|
||||
).
|
||||
ok.
|
||||
|
||||
to_server_opts_test() ->
|
||||
VersionsAll = [tlsv1, 'tlsv1.1', 'tlsv1.2', 'tlsv1.3'],
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
{application, emqx_bridge_azure_event_hub, [
|
||||
{description, "EMQX Enterprise Azure Event Hub Bridge"},
|
||||
{vsn, "0.1.0"},
|
||||
{vsn, "0.1.1"},
|
||||
{registered, []},
|
||||
{applications, [
|
||||
kernel,
|
||||
|
|
|
|||
|
|
@ -200,7 +200,8 @@ auth_overrides() ->
|
|||
|
||||
ssl_overrides() ->
|
||||
#{
|
||||
"cacerts" => mk(boolean(), #{default => true}),
|
||||
%% FIXME: change this once the config option is defined
|
||||
%% "cacerts" => mk(boolean(), #{default => true}),
|
||||
"enable" => mk(true, #{default => true}),
|
||||
"server_name_indication" =>
|
||||
mk(
|
||||
|
|
|
|||
|
|
@ -0,0 +1 @@
|
|||
Removed the recently introduced `cacerts` option from TLS client schema due to incompatibilities with some cluster discovery mechanisms.
|
||||
Loading…
Reference in New Issue