feat(tls-partial-chains): update schema

This commit is contained in:
William Yang 2023-05-15 12:38:20 +02:00
parent 9986a2b8df
commit 9c76bd2c4b
3 changed files with 18 additions and 2 deletions


@ -1647,7 +1647,7 @@ end}.
]}. ]}.
{mapping, "listener.ssl.$name.partial_chain", "emqx.listeners", [ {mapping, "listener.ssl.$name.partial_chain", "emqx.listeners", [
{datatype, atom} {datatype, {enum, [true, false, two_cacerts_from_cacertfile, cacert_from_cacertfile]}}
]}. ]}.
{mapping, "listener.ssl.$name.verify_peer_ext_key_usage", "emqx.listeners", [ {mapping, "listener.ssl.$name.verify_peer_ext_key_usage", "emqx.listeners", [
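Review bot: The new enum pins the accepted values, but the mapping says nothing about what each one selects, and in particular that `true` is only an alias for `cacert_from_cacertfile` — that equivalence lives in the config module's clause `V when V =:= cacert_from_cacertfile orelse V == true`, and `false` there removes the option altogether so the `ssl` application's own chain validation applies (the new test `t_conn_fail_with_server_partial_chain_false_intermediate_cacert_and_client_cert` expects an `unknown_ca` alert in that configuration). A short `%%` comment above the mapping listing the four values and which behaviour each picks would spare operators a trip into the code; the `two_cacerts_from_cacertfile` entry can reuse the existing "for certificate rotations" wording from the config module. If the schema file has a documentation convention for other mappings (not visible in this hunk), follow that instead.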


@ -200,7 +200,7 @@ opt_partial_chain(SslOpts) ->
undefined -> undefined ->
SslOpts; SslOpts;
false -> false ->
SslOpts; proplists:delete(partial_chain, SslOpts);
V when V =:= cacert_from_cacertfile orelse V == true -> V when V =:= cacert_from_cacertfile orelse V == true ->
replace(SslOpts, partial_chain, rootfun_trusted_ca_from_cacertfile(1, SslOpts)); replace(SslOpts, partial_chain, rootfun_trusted_ca_from_cacertfile(1, SslOpts));
V when V =:= two_cacerts_from_cacertfile -> %% for certificate rotations V when V =:= two_cacerts_from_cacertfile -> %% for certificate rotations
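Review bot: The new `false -> proplists:delete(partial_chain, SslOpts)` clause explains nothing about why an explicit `false` now strips the key while `undefined ->` two lines above still returns `SslOpts` untouched, and a reader will wonder why the two "off" values diverge. Suggest `%% explicit false: drop the key so the ssl app runs its default chain validation; leaving an atom here would hand ssl a value where it expects a verification fun` — the fun expectation is inferred from `rootfun_trusted_ca_from_cacertfile/2` feeding the same key in the clauses below, so confirm it against the ssl option docs. Note also that `proplists:delete/2` removes every `partial_chain` entry, which matches the intent only if `replace/3` (used by the neighbouring clauses, defined outside this hunk) likewise leaves at most one entry. The `case` this clause belongs to opens before the hunk and the remaining clauses of opt_partial_chain run past it.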


@ -400,6 +400,22 @@ t_conn_fail_with_server_two_IA_bundle_and_client_root_chain(Config) ->
fail_when_no_ssl_alert(Socket, unknown_ca), fail_when_no_ssl_alert(Socket, unknown_ca),
ok = ssl:close(Socket). ok = ssl:close(Socket).
t_conn_fail_with_server_partial_chain_false_intermediate_cacert_and_client_cert(Config) ->
Port = emqx_test_tls_certs_helper:select_free_port(ssl),
DataDir = ?config(data_dir, Config),
Options = [{ssl_options, [ {cacertfile, filename:join(DataDir, "intermediate1.pem")}
, {certfile, filename:join(DataDir, "server1.pem")}
, {keyfile, filename:join(DataDir, "server1.key")}
, {partial_chain, false}
| ?config(ssl_config, Config)
]}],
emqx_listeners:start_listener(ssl, Port, Options),
{ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile, filename:join(DataDir, "client1.key")},
{certfile, filename:join(DataDir, "client1.pem")}
], 1000),
fail_when_no_ssl_alert(Socket, unknown_ca),
ssl:close(Socket).
t_error_handling_invalid_cacertfile(Config) -> t_error_handling_invalid_cacertfile(Config) ->
Port = emqx_test_tls_certs_helper:select_free_port(ssl), Port = emqx_test_tls_certs_helper:select_free_port(ssl),
DataDir = ?config(data_dir, Config), DataDir = ?config(data_dir, Config),