From 3db876781b6313263028d50e3191e1a4e795e74c Mon Sep 17 00:00:00 2001 From: turtled Date: Thu, 3 Nov 2016 11:04:57 +0800 Subject: [PATCH 1/3] handshake_timeout change --- etc/emq.conf | 4 ++-- priv/emq.schema | 2 +- src/emqttd_http.erl | 2 ++ test/emqttd_SUITE_data/emqttd.conf | 4 ++-- test/emqttd_SUITE_data/emqttd.schema | 2 +- 5 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/etc/emq.conf b/etc/emq.conf
index 694f0fc1e..0bf53ebe7 100644
--- a/etc/emq.conf
+++ b/etc/emq.conf
@@ -206,7 +206,7 @@ mqtt.listener.ssl.max_clients = 512
 
 ## Configuring SSL Options
 ## See http://erlang.org/doc/man/ssl.html
-mqtt.listener.ssl.handshake_timeout = 2000
+mqtt.listener.ssl.handshake_timeout = 15
 mqtt.listener.ssl.keyfile = etc/certs/key.pem
 mqtt.listener.ssl.certfile = etc/certs/cert.pem
 ## mqtt.listener.ssl.cacertfile = etc/certs/cacert.pem
@@ -222,7 +222,7 @@ mqtt.listener.http.max_clients = 64
 ## mqtt.listener.https = 8084
 ## mqtt.listener.https.acceptors = 4
 ## mqtt.listener.https.max_clients = 64
-## mqtt.listener.https.handshake_timeout = 10
+## mqtt.listener.https.handshake_timeout = 15
 ## mqtt.listener.https.certfile = etc/certs/cert.pem
 ## mqtt.listener.https.keyfile = etc/certs/key.pem
 ## mqtt.listener.https.cacertfile = etc/certs/cacert.pem
diff --git a/priv/emq.schema b/priv/emq.schema
index a9d04575c..05a7209e5 100644
--- a/priv/emq.schema
+++ b/priv/emq.schema
@@ -611,7 +611,7 @@ end}.
 {nodelay, cuttlefish:conf_get(Prefix ++ ".nodelay", Conf, true)}])
 end,
 SslOpts = fun(Prefix) ->
- Filter([{handshake_timeout, cuttlefish:conf_get(Prefix ++ ".handshake_timeout", Conf)},
+ Filter([{handshake_timeout, cuttlefish:conf_get(Prefix ++ ".handshake_timeout", Conf) * 1000},
 {keyfile, cuttlefish:conf_get(Prefix ++ ".keyfile", Conf, undefined)},
 {certfile, cuttlefish:conf_get(Prefix ++ ".certfile", Conf, undefined)},
 {cacertfile, cuttlefish:conf_get(Prefix ++ ".cacertfile", Conf, undefined)},
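Review bot: The new `cuttlefish:conf_get(Prefix ++ ".handshake_timeout", Conf) * 1000` has no default argument, unlike the neighbouring `keyfile`/`certfile`/`cacertfile` reads that pass `undefined`, so for a listener whose handshake_timeout is unset (the https block in emq.conf stays commented out in this same patch) the read either throws or returns `undefined`, and `undefined * 1000` then raises badarith where `Filter` may previously have dropped the option — translation fails unless the mapping, outside this hunk, supplies a default. The `* 1000` also silently changes the unit from milliseconds to seconds; an operator who carries the old `2000` forward now gets a 2,000,000 ms handshake window, during which unauthenticated half-open TLS connections hold acceptor and socket resources far longer than intended. A `{datatype, {duration, ms}}` mapping would make the unit explicit and remove the multiplication; failing that, the conf line should carry `## Seconds the TLS handshake may take before the connection is dropped` and the mapping a default. The same change is repeated in test/emqttd_SUITE_data/emqttd.schema. The `SslOpts` fun begins in this hunk and continues past its end.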
diff --git a/src/emqttd_http.erl b/src/emqttd_http.erl
index 6b1c7dc93..2f1d32a44 100644
--- a/src/emqttd_http.erl
+++ b/src/emqttd_http.erl
@@ -137,6 +137,8 @@ authorized(Req) ->
 case emqttd_access_control:auth(#mqtt_client{username = Username, peername = Peer}, Password) of
 ok ->
 true;
+ {ok, _IsSuper} ->
+ true;
 {error, Reason} ->
 lager:error("HTTP Auth failure: username=~s, reason=~p", [Username, Reason]),
 false
diff --git a/test/emqttd_SUITE_data/emqttd.conf b/test/emqttd_SUITE_data/emqttd.conf
index 694f0fc1e..0bf53ebe7 100644
--- a/test/emqttd_SUITE_data/emqttd.conf
+++ b/test/emqttd_SUITE_data/emqttd.conf
@@ -206,7 +206,7 @@ mqtt.listener.ssl.max_clients = 512
 
 ## Configuring SSL Options
 ## See http://erlang.org/doc/man/ssl.html
-mqtt.listener.ssl.handshake_timeout = 2000
+mqtt.listener.ssl.handshake_timeout = 15
 mqtt.listener.ssl.keyfile = etc/certs/key.pem
 mqtt.listener.ssl.certfile = etc/certs/cert.pem
 ## mqtt.listener.ssl.cacertfile = etc/certs/cacert.pem
@@ -222,7 +222,7 @@ mqtt.listener.http.max_clients = 64
 ## mqtt.listener.https = 8084
 ## mqtt.listener.https.acceptors = 4
 ## mqtt.listener.https.max_clients = 64
-## mqtt.listener.https.handshake_timeout = 10
+## mqtt.listener.https.handshake_timeout = 15
 ## mqtt.listener.https.certfile = etc/certs/cert.pem
 ## mqtt.listener.https.keyfile = etc/certs/key.pem
 ## mqtt.listener.https.cacertfile = etc/certs/cacert.pem
diff --git a/test/emqttd_SUITE_data/emqttd.schema b/test/emqttd_SUITE_data/emqttd.schema
index a9d04575c..05a7209e5 100644
--- a/test/emqttd_SUITE_data/emqttd.schema
+++ b/test/emqttd_SUITE_data/emqttd.schema
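Review bot: The new `{ok, _IsSuper} -> true;` clause discards the superuser flag, so after this change every successfully authenticated user is accepted for the HTTP API exactly like a plain `ok`; if any endpoint guarded by `authorized/1` is meant to be superuser-only, that distinction is lost here, and the hunk does not show whether that was intended. If plain authentication is the contract, say so next to the clause, e.g. `%% Auth modules may return {ok, IsSuper}; the HTTP API only requires authentication, so the superuser flag is deliberately ignored here.` If some endpoints need the flag, this clause is the place to propagate `IsSuper` rather than collapse it to `true`. The head of `authorized/1` is before the hunk, so the binding of `Username`, `Password` and `Peer` is outside this view.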
@@ -611,7 +611,7 @@ end}.
 {nodelay, cuttlefish:conf_get(Prefix ++ ".nodelay", Conf, true)}])
 end,
 SslOpts = fun(Prefix) ->
- Filter([{handshake_timeout, cuttlefish:conf_get(Prefix ++ ".handshake_timeout", Conf)},
+ Filter([{handshake_timeout, cuttlefish:conf_get(Prefix ++ ".handshake_timeout", Conf) * 1000},
 {keyfile, cuttlefish:conf_get(Prefix ++ ".keyfile", Conf, undefined)},
 {certfile, cuttlefish:conf_get(Prefix ++ ".certfile", Conf, undefined)},
 {cacertfile, cuttlefish:conf_get(Prefix ++ ".cacertfile", Conf, undefined)},
From 186d512038b4250a012eed11f98ea021628e273d Mon Sep 17 00:00:00 2001 From: turtled Date: Mon, 7 Nov 2016 13:40:52 +0800 Subject: [PATCH 2/3] fixed ssl opts fail_if_no_peer_cert --- etc/emq.conf | 4 ++-- priv/emq.schema | 6 +++--- test/emqttd_SUITE_data/emqttd.conf | 4 ++-- test/emqttd_SUITE_data/emqttd.schema | 6 +++--- 4 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/etc/emq.conf b/etc/emq.conf
index 0bf53ebe7..e4434283a 100644
--- a/etc/emq.conf
+++ b/etc/emq.conf
@@ -211,7 +211,7 @@ mqtt.listener.ssl.keyfile = etc/certs/key.pem
 mqtt.listener.ssl.certfile = etc/certs/cert.pem
 ## mqtt.listener.ssl.cacertfile = etc/certs/cacert.pem
 ## mqtt.listener.ssl.verify = verify_peer
-## mqtt.listener.ssl.failed_if_no_peer_cert = true
+## mqtt.listener.ssl.fail_if_no_peer_cert = true
 
 ## HTTP and WebSocket Listener
 mqtt.listener.http = 8083
@@ -227,7 +227,7 @@ mqtt.listener.http.max_clients = 64
 ## mqtt.listener.https.keyfile = etc/certs/key.pem
 ## mqtt.listener.https.cacertfile = etc/certs/cacert.pem
 ## mqtt.listener.https.verify = verify_peer
-## mqtt.listener.https.failed_if_no_peer_cert = true
+## mqtt.listener.https.fail_if_no_peer_cert = true
 
 ##-------------------------------------------------------------------
 ## System Monitor
diff --git a/priv/emq.schema b/priv/emq.schema
index 05a7209e5..2c73482ed 100644
--- a/priv/emq.schema
+++ b/priv/emq.schema
@@ -536,7 +536,7 @@ end}.
 {datatype, atom}
 ]}.
 
-{mapping, "mqtt.listener.ssl.failed_if_no_peer_cert", "emqttd.listeners", [
+{mapping, "mqtt.listener.ssl.fail_if_no_peer_cert", "emqttd.listeners", [
 {datatype, {enum, [true, false]}}
 ]}.
 
@@ -592,7 +592,7 @@ end}.
 {datatype, atom}
 ]}.
 
-{mapping, "mqtt.listener.https.failed_if_no_peer_cert", "emqttd.listeners", [
+{mapping, "mqtt.listener.https.fail_if_no_peer_cert", "emqttd.listeners", [
 {datatype, {enum, [true, false]}}
 ]}.
 
@@ -616,7 +616,7 @@ end}.
 {certfile, cuttlefish:conf_get(Prefix ++ ".certfile", Conf, undefined)},
 {cacertfile, cuttlefish:conf_get(Prefix ++ ".cacertfile", Conf, undefined)},
 {verify, cuttlefish:conf_get(Prefix ++ ".verify", Conf, undefined)},
- {failed_if_no_peer_cert, cuttlefish:conf_get(Prefix ++ ".failed_if_no_peer_cert", Conf, undefined)}])
+ {fail_if_no_peer_cert, cuttlefish:conf_get(Prefix ++ ".fail_if_no_peer_cert", Conf, undefined)}])
 end,
 
 Listeners = fun(Name) when is_atom(Name) ->
diff --git a/test/emqttd_SUITE_data/emqttd.conf b/test/emqttd_SUITE_data/emqttd.conf
index 0bf53ebe7..e4434283a 100644
--- a/test/emqttd_SUITE_data/emqttd.conf
+++ b/test/emqttd_SUITE_data/emqttd.conf
@@ -211,7 +211,7 @@ mqtt.listener.ssl.keyfile = etc/certs/key.pem
 mqtt.listener.ssl.certfile = etc/certs/cert.pem
 ## mqtt.listener.ssl.cacertfile = etc/certs/cacert.pem
 ## mqtt.listener.ssl.verify = verify_peer
-## mqtt.listener.ssl.failed_if_no_peer_cert = true
+## mqtt.listener.ssl.fail_if_no_peer_cert = true
 
 ## HTTP and WebSocket Listener
 mqtt.listener.http = 8083
@@ -227,7 +227,7 @@ mqtt.listener.http.max_clients = 64
 ## mqtt.listener.https.keyfile = etc/certs/key.pem
 ## mqtt.listener.https.cacertfile = etc/certs/cacert.pem
 ## mqtt.listener.https.verify = verify_peer
-## mqtt.listener.https.failed_if_no_peer_cert = true
+## mqtt.listener.https.fail_if_no_peer_cert = true
 
 ##-------------------------------------------------------------------
 ## System Monitor
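Review bot: `{fail_if_no_peer_cert, ...}` now uses the option name Erlang's ssl actually recognises, but it is still read with a default of `undefined`, so an operator who uncomments only `mqtt.listener.ssl.verify = verify_peer` gets ssl's own default of `fail_if_no_peer_cert = false`: a client that presents no certificate still completes the handshake, and the listener is not enforcing mutual TLS even though `verify_peer` is set. The commented examples this patch touches in etc/emq.conf should say that both lines must be enabled together, e.g. `## Mutual TLS requires BOTH verify = verify_peer and fail_if_no_peer_cert = true; with verify_peer alone a client without a certificate is still accepted.` Whether the misspelled option ever reached ssl before this fix depends on what `Filter` does with `undefined` values, which is outside the hunk. The same three hunks are repeated in test/emqttd_SUITE_data/emqttd.schema.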
diff --git a/test/emqttd_SUITE_data/emqttd.schema b/test/emqttd_SUITE_data/emqttd.schema
index 05a7209e5..2c73482ed 100644
--- a/test/emqttd_SUITE_data/emqttd.schema
+++ b/test/emqttd_SUITE_data/emqttd.schema
@@ -536,7 +536,7 @@ end}.
 {datatype, atom}
 ]}.
 
-{mapping, "mqtt.listener.ssl.failed_if_no_peer_cert", "emqttd.listeners", [
+{mapping, "mqtt.listener.ssl.fail_if_no_peer_cert", "emqttd.listeners", [
 {datatype, {enum, [true, false]}}
 ]}.
 
@@ -592,7 +592,7 @@ end}.
 {datatype, atom}
 ]}.
 
-{mapping, "mqtt.listener.https.failed_if_no_peer_cert", "emqttd.listeners", [
+{mapping, "mqtt.listener.https.fail_if_no_peer_cert", "emqttd.listeners", [
 {datatype, {enum, [true, false]}}
 ]}.
 
@@ -616,7 +616,7 @@ end}.
 {certfile, cuttlefish:conf_get(Prefix ++ ".certfile", Conf, undefined)},
 {cacertfile, cuttlefish:conf_get(Prefix ++ ".cacertfile", Conf, undefined)},
 {verify, cuttlefish:conf_get(Prefix ++ ".verify", Conf, undefined)},
- {failed_if_no_peer_cert, cuttlefish:conf_get(Prefix ++ ".failed_if_no_peer_cert", Conf, undefined)}])
+ {fail_if_no_peer_cert, cuttlefish:conf_get(Prefix ++ ".fail_if_no_peer_cert", Conf, undefined)}])
 end,
 
 Listeners = fun(Name) when is_atom(Name) ->
From 7f3dd494bd6a0eacb2a775ba45fd506c22a6d87c Mon Sep 17 00:00:00 2001 From: Feng Lee Date: Tue, 8 Nov 2016 10:08:13 +0800 Subject: [PATCH 3/3] fix option: ssl.fail_if_no_peer_cert --- docs/source/config.rst | 4 ++-- docs/source/plugins.rst | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs/source/config.rst b/docs/source/config.rst
index e6f786812..0ef44c644 100644
--- a/docs/source/config.rst
+++ b/docs/source/config.rst
@@ -453,7 +453,7 @@ SSL Listener - 8883
 mqtt.listener.ssl.certfile = etc/certs/cert.pem
 mqtt.listener.ssl.cacertfile = etc/certs/cacert.pem
 ## mqtt.listener.ssl.verify = verify_peer
- ## mqtt.listener.ssl.failed_if_no_peer_cert = true
+ ## mqtt.listener.ssl.fail_if_no_peer_cert = true
 
 HTTP/WS Listener - 8083
 -----------------------
@@ -480,7 +480,7 @@ HTTPS/WSS Listener - 8084
 mqtt.listener.https.cacertfile = etc/certs/cacert.pem
 ## 开启双向认证
 ## mqtt.listener.https.verify = verify_peer
- ## mqtt.listener.https.failed_if_no_peer_cert = true
+ ## mqtt.listener.https.fail_if_no_peer_cert = true
 
 --------------
 System Monitor
diff --git a/docs/source/plugins.rst b/docs/source/plugins.rst
index 183446ea5..983beb3ca 100644
--- a/docs/source/plugins.rst
+++ b/docs/source/plugins.rst
@@ -167,7 +167,7 @@ etc/plugins/emq_dashboard.conf:
 ## dashboard.listener.https.keyfile = etc/certs/key.pem
 ## dashboard.listener.https.cacertfile = etc/certs/cacert.pem
 ## dashboard.listener.https.verify = verify_peer
- ## dashboard.listener.https.failed_if_no_peer_cert = true
+ ## dashboard.listener.https.fail_if_no_peer_cert = true
 
 -------------------------------
 emq_auth_ldap: LDAP Auth Plugin