fix(tls): remove `cacerts` config for now
Fixes https://github.com/emqx/emqx/issues/11370 Related: https://github.com/emqx/emqx/pull/11371
parent
b24e7e2559
commit
7687770821
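--- a/FILE-1-PATH-NOT-SHOWN
+++ b/FILE-1-PATH-NOT-SHOWN
@@ -2017,14 +2017,6 @@ common_ssl_opts_schema(Defaults, Type) ->
 desc => ?DESC(common_ssl_opts_schema_cacertfile)
 }
 )},
-{"cacerts",
-sc(
-boolean(),
-#{
-default => false,
-desc => ?DESC(common_ssl_opts_schema_cacerts)
-}
-)},
 {"certfile",
 sc(
 binary(),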
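--- a/FILE-2-PATH-NOT-SHOWN
+++ b/FILE-2-PATH-NOT-SHOWN
@@ -478,13 +478,11 @@ to_server_opts(Type, Opts) ->
 Versions = integral_versions(Type, maps:get(versions, Opts, undefined)),
 Ciphers = integral_ciphers(Versions, maps:get(ciphers, Opts, undefined)),
 Path = fun(Key) -> resolve_cert_path_for_read_strict(maps:get(Key, Opts, undefined)) end,
-CACerts = get_cacerts(maps:get(cacerts, Opts, false)),
 ensure_valid_options(
 maps:to_list(Opts#{
 keyfile => Path(keyfile),
 certfile => Path(certfile),
 cacertfile => Path(cacertfile),
-cacerts => CACerts,
 ciphers => Ciphers,
 versions => Versions
 }),
@@ -513,13 +511,11 @@ to_client_opts(Type, Opts) ->
 SNI = ensure_sni(Get(server_name_indication)),
 Versions = integral_versions(Type, Get(versions)),
 Ciphers = integral_ciphers(Versions, Get(ciphers)),
-CACerts = get_cacerts(GetD(cacerts, false)),
 ensure_valid_options(
 [
 {keyfile, KeyFile},
 {certfile, CertFile},
 {cacertfile, CAFile},
-{cacerts, CACerts},
 {verify, Verify},
 {server_name_indication, SNI},
 {versions, Versions},
@@ -665,13 +661,3 @@ ensure_ssl_file_key(SSL, RequiredKeyPaths) ->
 [] -> ok;
 Miss -> {error, #{reason => ssl_file_option_not_found, which_options => Miss}}
 end.
-
-get_cacerts(true = _UseSystemCACerts) ->
-try
-public_key:cacerts_get()
-catch
-_:_ ->
-undefined
-end;
-get_cacerts(false = _UseSystemCACerts) ->
-undefined.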
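--- a/FILE-3-PATH-NOT-SHOWN
+++ b/FILE-3-PATH-NOT-SHOWN
@@ -229,7 +229,6 @@ to_client_opts_test() ->
 Versions13Only = ['tlsv1.3'],
 Options = #{
 enable => true,
-cacerts => true,
 verify => "Verify",
 server_name_indication => "SNI",
 ciphers => "Ciphers",
@@ -265,28 +264,7 @@ to_client_opts_test() ->
 )
 )
 ),
-Expected4 = lists:usort(maps:keys(Options) -- [enable, cacerts]),
-?assertEqual(
-Expected4,
-lists:usort(
-proplists:get_keys(
-emqx_tls_lib:to_client_opts(tls, Options#{cacerts := false})
-)
-)
-),
-emqx_common_test_helpers:with_mock(
-public_key,
-cacerts_get,
-fun() -> ok = {error, enoent} end,
-fun() ->
-?assertNot(
-lists:member(
-cacerts,
-proplists:get_keys(emqx_tls_lib:to_client_opts(tls, Options))
-)
-)
-end
-).
+ok.
 
 to_server_opts_test() ->
 VersionsAll = [tlsv1, 'tlsv1.1', 'tlsv1.2', 'tlsv1.3'],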
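--- a/FILE-4-PATH-NOT-SHOWN
+++ b/FILE-4-PATH-NOT-SHOWN
@@ -1,6 +1,6 @@
 {application, emqx_bridge_azure_event_hub, [
 {description, "EMQX Enterprise Azure Event Hub Bridge"},
-{vsn, "0.1.0"},
+{vsn, "0.1.1"},
 {registered, []},
 {applications, [
 kernel,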
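--- a/FILE-5-PATH-NOT-SHOWN
+++ b/FILE-5-PATH-NOT-SHOWN
@@ -200,7 +200,8 @@ auth_overrides() ->
 
 ssl_overrides() ->
 #{
-"cacerts" => mk(boolean(), #{default => true}),
+%% FIXME: change this once the config option is defined
+%% "cacerts" => mk(boolean(), #{default => true}),
 "enable" => mk(true, #{default => true}),
 "server_name_indication" =>
 mk(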
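Review bot: The new `%% FIXME: change this once the config option is defined` line leaves a commented-out map entry with no pointer to what it is waiting on, so a reader of the new side cannot tell whether the override is still wanted or why it was pulled. The commit message already names the tracking issue, so the comment should carry it and state the behavioural consequence for this bridge: `%% FIXME(emqx/emqx#11370): "cacerts" override dropped together with the schema option; until it is restored there is no system-CA default here, so a client configured with verify_peer needs an explicit cacertfile`. The default of `true` on the removed line suggests this bridge previously trusted the OS trust store by default, which is worth recording as an intentional, temporary change rather than leaving dead code to explain it. ssl_overrides/0 continues past the end of the hunk.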
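--- /dev/null
+++ b/FILE-6-PATH-NOT-SHOWN
@@ -0,0 +1 @@
+Removed the recently introduced `cacerts` option from TLS client schema due to incompatibilities with some cluster discovery mechanisms.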