feat(tls-partial-chains): update schema

2023-05-15 12:38:20 +02:00 · 2023-05-15 12:38:20 +02:00 · 9c76bd2c4b
parent 9986a2b8df
commit 9c76bd2c4b
3 changed files with 18 additions and 2 deletions
--- a/priv/emqx.schema
+++ b/priv/emqx.schema
@ -1647,7 +1647,7 @@ end}.
 ]}.

 {mapping, "listener.ssl.$name.partial_chain", "emqx.listeners", [
-  {datatype, atom}
+  {datatype, {enum, [true, false, two_cacerts_from_cacertfile, cacert_from_cacertfile]}}
 ]}.

 {mapping, "listener.ssl.$name.verify_peer_ext_key_usage", "emqx.listeners", [
--- a/src/emqx_tls_lib.erl
+++ b/src/emqx_tls_lib.erl
@ -200,7 +200,7 @@ opt_partial_chain(SslOpts) ->
        undefined ->
            SslOpts;
        false ->
-            SslOpts;
+            proplists:delete(partial_chain, SslOpts);
        V when V =:= cacert_from_cacertfile orelse V == true ->
            replace(SslOpts, partial_chain, rootfun_trusted_ca_from_cacertfile(1, SslOpts));
        V when V =:= two_cacerts_from_cacertfile -> %% for certificate rotations
--- a/test/emqx_listener_tls_verify_partial_chain_SUITE.erl
+++ b/test/emqx_listener_tls_verify_partial_chain_SUITE.erl
@ -400,6 +400,22 @@ t_conn_fail_with_server_two_IA_bundle_and_client_root_chain(Config) ->
  fail_when_no_ssl_alert(Socket, unknown_ca),
  ok = ssl:close(Socket).

+t_conn_fail_with_server_partial_chain_false_intermediate_cacert_and_client_cert(Config) ->
+  Port = emqx_test_tls_certs_helper:select_free_port(ssl),
+  DataDir = ?config(data_dir, Config),
+  Options = [{ssl_options, [ {cacertfile, filename:join(DataDir, "intermediate1.pem")}
+                           , {certfile, filename:join(DataDir, "server1.pem")}
+                           , {keyfile, filename:join(DataDir, "server1.key")}
+                           , {partial_chain, false}
+                           | ?config(ssl_config, Config)
+                           ]}],
+  emqx_listeners:start_listener(ssl, Port, Options),
+  {ok, Socket} = ssl:connect({127, 0, 0, 1}, Port, [{keyfile,  filename:join(DataDir, "client1.key")},
+                                                    {certfile,  filename:join(DataDir, "client1.pem")}
+                                                   ], 1000),
+  fail_when_no_ssl_alert(Socket, unknown_ca),
+  ssl:close(Socket).
+
 t_error_handling_invalid_cacertfile(Config) ->
  Port = emqx_test_tls_certs_helper:select_free_port(ssl),
  DataDir = ?config(data_dir, Config),