Merge pull request #4151 from emqx/v4.3.0-to-v5.0-resolve-tls-config-conflicts
Auto-pull-request-on-2021-02-05
This commit is contained in:
Zaiming Shi
GitHub
commit
a2d3b413a6
|
|
@ -112,7 +112,7 @@ bridge.mqtt.aws.keyfile = "{{ platform_etc_dir }}/certs/client-key.pem"
|
||||||
## SSL Ciphers used by the bridge.
|
## SSL Ciphers used by the bridge.
|
||||||
##
|
##
|
||||||
## Value: String
|
## Value: String
|
||||||
bridge.mqtt.aws.ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
|
bridge.mqtt.aws.ciphers = "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256,TLS_AES_128_CCM_8_SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
|
||||||
|
|
||||||
## Ciphers for TLS PSK.
|
## Ciphers for TLS PSK.
|
||||||
## Note that 'bridge.${BridgeName}.ciphers' and 'bridge.${BridgeName}.psk_ciphers' cannot
|
## Note that 'bridge.${BridgeName}.ciphers' and 'bridge.${BridgeName}.psk_ciphers' cannot
|
||||||
|
|
@ -129,7 +129,7 @@ bridge.mqtt.aws.keepalive = 60s
|
||||||
## TLS versions used by the bridge.
|
## TLS versions used by the bridge.
|
||||||
##
|
##
|
||||||
## Value: String
|
## Value: String
|
||||||
bridge.mqtt.aws.tls_versions = "tlsv1.2,tlsv1.1,tlsv1"
|
bridge.mqtt.aws.tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"
|
||||||
|
|
||||||
## Bridge reconnect time.
|
## Bridge reconnect time.
|
||||||
##
|
##
|
||||||
|
|
|
||||||
|
|
@ -92,9 +92,9 @@ dashboard.listener.http.ipv6_v6only = false
|
||||||
## Value: File
|
## Value: File
|
||||||
## dashboard.listener.https.dhfile = "{{ platform_etc_dir }}/certs/dh-params.pem"
|
## dashboard.listener.https.dhfile = "{{ platform_etc_dir }}/certs/dh-params.pem"
|
||||||
|
|
||||||
## See: 'listener.ssl.<name>.vefify' in emq.conf
|
## See: 'listener.ssl.<name>.verify' in emq.conf
|
||||||
##
|
##
|
||||||
## Value: vefify_peer | verify_none
|
## Value: verify_peer | verify_none
|
||||||
## dashboard.listener.https.verify = verify_peer
|
## dashboard.listener.https.verify = verify_peer
|
||||||
|
|
||||||
## See: 'listener.ssl.<name>.fail_if_no_peer_cert' in emq.conf
|
## See: 'listener.ssl.<name>.fail_if_no_peer_cert' in emq.conf
|
||||||
|
|
@ -110,7 +110,7 @@ dashboard.listener.http.ipv6_v6only = false
|
||||||
## See: 'listener.ssl.<name>.ciphers' in emq.conf
|
## See: 'listener.ssl.<name>.ciphers' in emq.conf
|
||||||
##
|
##
|
||||||
## Value: Ciphers
|
## Value: Ciphers
|
||||||
## dashboard.listener.https.ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
|
## dashboard.listener.https.ciphers = "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256,TLS_AES_128_CCM_8_SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
|
||||||
|
|
||||||
## See: 'listener.ssl.<name>.secure_renegotiate' in emq.conf
|
## See: 'listener.ssl.<name>.secure_renegotiate' in emq.conf
|
||||||
##
|
##
|
||||||
|
|
|
||||||
|
|
@ -218,7 +218,7 @@ exproto.listener.protoname.reuseaddr = true
|
||||||
## Most of it was copied from Mozilla’s Server Side TLS article
|
## Most of it was copied from Mozilla’s Server Side TLS article
|
||||||
##
|
##
|
||||||
## Value: Ciphers
|
## Value: Ciphers
|
||||||
#exproto.listener.protoname.ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
|
#exproto.listener.protoname.ciphers = "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256,TLS_AES_128_CCM_8_SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
|
||||||
|
|
||||||
## Ciphers for TLS PSK.
|
## Ciphers for TLS PSK.
|
||||||
## Note that 'listener.ssl.external.ciphers' and 'listener.ssl.external.psk_ciphers' cannot
|
## Note that 'listener.ssl.external.ciphers' and 'listener.ssl.external.psk_ciphers' cannot
|
||||||
|
|
|
||||||
|
|
@ -424,30 +424,31 @@ udp_opts() ->
|
||||||
{reuseaddr, true}].
|
{reuseaddr, true}].
|
||||||
|
|
||||||
ssl_opts() ->
|
ssl_opts() ->
|
||||||
Path = emqx_ct_helpers:deps_path(emqx, "etc/certs"),
|
Certs = certs("key.pem", "cert.pem", "cacert.pem"),
|
||||||
[{versions, ['tlsv1.2','tlsv1.1',tlsv1]},
|
[{versions, ['tlsv1.2','tlsv1.1',tlsv1]},
|
||||||
{ciphers, ciphers()},
|
{ciphers, ciphers('tlsv1.2')},
|
||||||
{keyfile, Path ++ "/key.pem"},
|
|
||||||
{certfile, Path ++ "/cert.pem"},
|
|
||||||
{cacertfile, Path ++ "/cacert.pem"},
|
|
||||||
{verify, verify_peer},
|
{verify, verify_peer},
|
||||||
{fail_if_no_peer_cert, true},
|
{fail_if_no_peer_cert, true},
|
||||||
{secure_renegotiate, false},
|
{secure_renegotiate, false},
|
||||||
{reuse_sessions, true},
|
{reuse_sessions, true},
|
||||||
{honor_cipher_order, true}].
|
{honor_cipher_order, true}]++Certs.
|
||||||
|
|
||||||
dtls_opts() ->
|
dtls_opts() ->
|
||||||
Opts = ssl_opts(),
|
Opts = ssl_opts(),
|
||||||
lists:keyreplace(versions, 1, Opts, {versions, ['dtlsv1.2', 'dtlsv1']}).
|
lists:keyreplace(versions, 1, Opts, {versions, ['dtlsv1.2', 'dtlsv1']}).
|
||||||
|
|
||||||
ciphers() ->
|
ciphers(Version) ->
|
||||||
proplists:get_value(ciphers, emqx_ct_helpers:client_ssl()).
|
proplists:get_value(ciphers, emqx_ct_helpers:client_ssl(Version)).
|
||||||
|
|
||||||
%%--------------------------------------------------------------------
|
%%--------------------------------------------------------------------
|
||||||
%% Client-Opts
|
%% Client-Opts
|
||||||
|
|
||||||
client_ssl_opts() ->
|
client_ssl_opts() ->
|
||||||
Path = emqx_ct_helpers:deps_path(emqx, "etc/certs"),
|
certs( "client-key.pem", "client-cert.pem", "cacert.pem" ).
|
||||||
[{keyfile, Path ++ "/client-key.pem"},
|
|
||||||
{certfile, Path ++ "/client-cert.pem"},
|
certs( Key, Cert, CACert ) ->
|
||||||
{cacertfile, Path ++ "/cacert.pem"}].
|
CertsPath = emqx_ct_helpers:deps_path(emqx, "etc/certs"),
|
||||||
|
[ { keyfile, filename:join([ CertsPath, Key ]) },
|
||||||
|
{ certfile, filename:join([ CertsPath, Cert ]) },
|
||||||
|
{ cacertfile, filename:join([ CertsPath, CACert ]) } ].
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -45,8 +45,8 @@ management.listener.http.ipv6_v6only = false
|
||||||
## management.listener.https.keyfile = "etc/certs/key.pem"
|
## management.listener.https.keyfile = "etc/certs/key.pem"
|
||||||
## management.listener.https.cacertfile = "etc/certs/cacert.pem"
|
## management.listener.https.cacertfile = "etc/certs/cacert.pem"
|
||||||
## management.listener.https.verify = verify_peer
|
## management.listener.https.verify = verify_peer
|
||||||
## management.listener.https.tls_versions = "tlsv1.2,tlsv1.1,tlsv1"
|
## management.listener.https.tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"
|
||||||
## management.listener.https.ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
|
## management.listener.https.ciphers = "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256,TLS_AES_128_CCM_8_SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
|
||||||
## management.listener.https.fail_if_no_peer_cert = true
|
## management.listener.https.fail_if_no_peer_cert = true
|
||||||
## management.listener.https.inet6 = false
|
## management.listener.https.inet6 = false
|
||||||
## management.listener.https.ipv6_v6only = false
|
## management.listener.https.ipv6_v6only = false
|
||||||
|
|
|
||||||
|
|
@ -27,6 +27,7 @@
|
||||||
, preproc_sql/2
|
, preproc_sql/2
|
||||||
, proc_sql/2
|
, proc_sql/2
|
||||||
, proc_sql_param_str/2
|
, proc_sql_param_str/2
|
||||||
|
, proc_cql_param_str/2
|
||||||
]).
|
]).
|
||||||
|
|
||||||
%% type converting
|
%% type converting
|
||||||
|
|
@ -145,8 +146,15 @@ proc_sql(Tokens, Data) ->
|
||||||
|
|
||||||
-spec(proc_sql_param_str(tmpl_token(), map()) -> binary()).
|
-spec(proc_sql_param_str(tmpl_token(), map()) -> binary()).
|
||||||
proc_sql_param_str(Tokens, Data) ->
|
proc_sql_param_str(Tokens, Data) ->
|
||||||
|
proc_param_str(Tokens, Data, fun quote_sql/1).
|
||||||
|
|
||||||
|
-spec(proc_cql_param_str(tmpl_token(), map()) -> binary()).
|
||||||
|
proc_cql_param_str(Tokens, Data) ->
|
||||||
|
proc_param_str(Tokens, Data, fun quote_cql/1).
|
||||||
|
|
||||||
|
proc_param_str(Tokens, Data, Quote) ->
|
||||||
iolist_to_binary(
|
iolist_to_binary(
|
||||||
proc_tmpl(Tokens, Data, #{return => rawlist, var_trans => fun quote/1})).
|
proc_tmpl(Tokens, Data, #{return => rawlist, var_trans => Quote})).
|
||||||
|
|
||||||
%% backward compatibility for hot upgrading from =< e4.2.1
|
%% backward compatibility for hot upgrading from =< e4.2.1
|
||||||
get_phld_var(Fun, Data) when is_function(Fun) ->
|
get_phld_var(Fun, Data) when is_function(Fun) ->
|
||||||
|
|
@ -238,12 +246,23 @@ sql_data(Bool) when is_boolean(Bool) -> Bool;
|
||||||
sql_data(Atom) when is_atom(Atom) -> atom_to_binary(Atom, utf8);
|
sql_data(Atom) when is_atom(Atom) -> atom_to_binary(Atom, utf8);
|
||||||
sql_data(Map) when is_map(Map) -> emqx_json:encode(Map).
|
sql_data(Map) when is_map(Map) -> emqx_json:encode(Map).
|
||||||
|
|
||||||
quote(List) when is_list(List) -> [$', List, $'];
|
quote_sql(Str) ->
|
||||||
quote(Bin) when is_binary(Bin) -> [$', Bin, $'];
|
quote(Str, <<"\\\\'">>).
|
||||||
quote(Num) when is_number(Num) -> bin(Num);
|
|
||||||
quote(Bool) when is_boolean(Bool) -> bin(Bool);
|
quote_cql(Str) ->
|
||||||
quote(Atom) when is_atom(Atom) -> [$', atom_to_binary(Atom, utf8), $'];
|
quote(Str, <<"''">>).
|
||||||
quote(Map) when is_map(Map) -> [$', emqx_json:encode(Map), $'].
|
|
||||||
|
quote(Str, ReplaceWith) when
|
||||||
|
is_list(Str);
|
||||||
|
is_binary(Str);
|
||||||
|
is_atom(Str);
|
||||||
|
is_map(Str) ->
|
||||||
|
[$', escape_apo(bin(Str), ReplaceWith), $'];
|
||||||
|
quote(Val, _) ->
|
||||||
|
bin(Val).
|
||||||
|
|
||||||
|
escape_apo(Str, ReplaceWith) ->
|
||||||
|
re:replace(Str, <<"'">>, ReplaceWith, [{return, binary}, global]).
|
||||||
|
|
||||||
str(Bin) when is_binary(Bin) -> binary_to_list(Bin);
|
str(Bin) when is_binary(Bin) -> binary_to_list(Bin);
|
||||||
str(Num) when is_number(Num) -> number_to_list(Num);
|
str(Num) when is_number(Num) -> number_to_list(Num);
|
||||||
|
|
|
||||||
|
|
@ -116,3 +116,21 @@ t_preproc_sql3(_) ->
|
||||||
ParamsTokens = emqx_rule_utils:preproc_tmpl(<<"a:${a},b:${b},c:${c},d:${d}">>),
|
ParamsTokens = emqx_rule_utils:preproc_tmpl(<<"a:${a},b:${b},c:${c},d:${d}">>),
|
||||||
?assertEqual(<<"a:'1',b:1,c:1.0,d:'{\"d1\":\"hi\"}'">>,
|
?assertEqual(<<"a:'1',b:1,c:1.0,d:'{\"d1\":\"hi\"}'">>,
|
||||||
emqx_rule_utils:proc_sql_param_str(ParamsTokens, Selected)).
|
emqx_rule_utils:proc_sql_param_str(ParamsTokens, Selected)).
|
||||||
|
|
||||||
|
t_preproc_sql4(_) ->
|
||||||
|
%% with apostrophes
|
||||||
|
%% https://github.com/emqx/emqx/issues/4135
|
||||||
|
Selected = #{a => <<"1''2">>, b => 1, c => 1.0,
|
||||||
|
d => #{d1 => <<"someone's phone">>}},
|
||||||
|
ParamsTokens = emqx_rule_utils:preproc_tmpl(<<"a:${a},b:${b},c:${c},d:${d}">>),
|
||||||
|
?assertEqual(<<"a:'1\\'\\'2',b:1,c:1.0,d:'{\"d1\":\"someone\\'s phone\"}'">>,
|
||||||
|
emqx_rule_utils:proc_sql_param_str(ParamsTokens, Selected)).
|
||||||
|
|
||||||
|
t_preproc_sql5(_) ->
|
||||||
|
%% with apostrophes for cassandra
|
||||||
|
%% https://github.com/emqx/emqx/issues/4148
|
||||||
|
Selected = #{a => <<"1''2">>, b => 1, c => 1.0,
|
||||||
|
d => #{d1 => <<"someone's phone">>}},
|
||||||
|
ParamsTokens = emqx_rule_utils:preproc_tmpl(<<"a:${a},b:${b},c:${c},d:${d}">>),
|
||||||
|
?assertEqual(<<"a:'1''''2',b:1,c:1.0,d:'{\"d1\":\"someone''s phone\"}'">>,
|
||||||
|
emqx_rule_utils:proc_cql_param_str(ParamsTokens, Selected)).
|
||||||
|
|
|
||||||
|
|
@ -45,9 +45,9 @@ stomp.listener.max_connections = 512
|
||||||
## Value: File
|
## Value: File
|
||||||
## stomp.listener.dhfile = "etc/certs/dh-params.pem"
|
## stomp.listener.dhfile = "etc/certs/dh-params.pem"
|
||||||
|
|
||||||
## See: 'listener.ssl.<name>.vefify' in emq.conf
|
## See: 'listener.ssl.<name>.verify' in emq.conf
|
||||||
##
|
##
|
||||||
## Value: vefify_peer | verify_none
|
## Value: verify_peer | verify_none
|
||||||
## stomp.listener.verify = verify_peer
|
## stomp.listener.verify = verify_peer
|
||||||
|
|
||||||
## See: 'listener.ssl.<name>.fail_if_no_peer_cert' in emq.conf
|
## See: 'listener.ssl.<name>.fail_if_no_peer_cert' in emq.conf
|
||||||
|
|
@ -58,7 +58,7 @@ stomp.listener.max_connections = 512
|
||||||
## TLS versions only to protect from POODLE attack.
|
## TLS versions only to protect from POODLE attack.
|
||||||
##
|
##
|
||||||
## Value: String, seperated by ','
|
## Value: String, seperated by ','
|
||||||
## stomp.listener.tls_versions = "tlsv1.2,tlsv1.1,tlsv1"
|
## stomp.listener.tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"
|
||||||
|
|
||||||
## SSL Handshake timeout.
|
## SSL Handshake timeout.
|
||||||
##
|
##
|
||||||
|
|
@ -68,7 +68,7 @@ stomp.listener.max_connections = 512
|
||||||
## See: 'listener.ssl.<name>.ciphers' in emq.conf
|
## See: 'listener.ssl.<name>.ciphers' in emq.conf
|
||||||
##
|
##
|
||||||
## Value: Ciphers
|
## Value: Ciphers
|
||||||
## stomp.listener.ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
|
## stomp.listener.ciphers = "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256,TLS_AES_128_CCM_8_SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
|
||||||
|
|
||||||
## See: 'listener.ssl.<name>.secure_renegotiate' in emq.conf
|
## See: 'listener.ssl.<name>.secure_renegotiate' in emq.conf
|
||||||
##
|
##
|
||||||
|
|
|
||||||
|
|
@ -1406,7 +1406,7 @@ listener.ssl.external.certfile = "{{ platform_etc_dir }}/certs/cert.pem"
|
||||||
## Most of it was copied from Mozilla’s Server Side TLS article
|
## Most of it was copied from Mozilla’s Server Side TLS article
|
||||||
##
|
##
|
||||||
## Value: Ciphers
|
## Value: Ciphers
|
||||||
listener.ssl.external.ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
|
listener.ssl.external.ciphers = "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256,TLS_AES_128_CCM_8_SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
|
||||||
|
|
||||||
## Ciphers for TLS PSK.
|
## Ciphers for TLS PSK.
|
||||||
## Note that 'listener.ssl.external.ciphers' and 'listener.ssl.external.psk_ciphers' cannot
|
## Note that 'listener.ssl.external.ciphers' and 'listener.ssl.external.psk_ciphers' cannot
|
||||||
|
|
@ -1849,9 +1849,9 @@ listener.wss.external.certfile = "{{ platform_etc_dir }}/certs/cert.pem"
|
||||||
## Value: File
|
## Value: File
|
||||||
## listener.ssl.external.dhfile = "{{ platform_etc_dir }}/certs/dh-params.pem"
|
## listener.ssl.external.dhfile = "{{ platform_etc_dir }}/certs/dh-params.pem"
|
||||||
|
|
||||||
## See: listener.ssl.$name.vefify
|
## See: listener.ssl.$name.verify
|
||||||
##
|
##
|
||||||
## Value: vefify_peer | verify_none
|
## Value: verify_peer | verify_none
|
||||||
## listener.wss.external.verify = verify_peer
|
## listener.wss.external.verify = verify_peer
|
||||||
|
|
||||||
## See: listener.ssl.$name.fail_if_no_peer_cert
|
## See: listener.ssl.$name.fail_if_no_peer_cert
|
||||||
|
|
@ -1862,7 +1862,7 @@ listener.wss.external.certfile = "{{ platform_etc_dir }}/certs/cert.pem"
|
||||||
## See: listener.ssl.$name.ciphers
|
## See: listener.ssl.$name.ciphers
|
||||||
##
|
##
|
||||||
## Value: Ciphers
|
## Value: Ciphers
|
||||||
listener.wss.external.ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
|
listener.wss.external.ciphers = "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256,TLS_AES_128_CCM_8_SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
|
||||||
|
|
||||||
## Ciphers for TLS PSK.
|
## Ciphers for TLS PSK.
|
||||||
## Note that 'listener.wss.external.ciphers' and 'listener.wss.external.psk_ciphers' cannot
|
## Note that 'listener.wss.external.ciphers' and 'listener.wss.external.psk_ciphers' cannot
|
||||||
|
|
|
||||||
|
|
@ -1,26 +0,0 @@
|
||||||
%%--------------------------------------------------------------------
|
|
||||||
%% [ACL](https://docs.emqx.io/broker/v3/en/config.html)
|
|
||||||
%%
|
|
||||||
%% -type(who() :: all | binary() |
|
|
||||||
%% {ipaddr, esockd_access:cidr()} |
|
|
||||||
%% {client, binary()} |
|
|
||||||
%% {user, binary()}).
|
|
||||||
%%
|
|
||||||
%% -type(access() :: subscribe | publish | pubsub).
|
|
||||||
%%
|
|
||||||
%% -type(topic() :: binary()).
|
|
||||||
%%
|
|
||||||
%% -type(rule() :: {allow, all} |
|
|
||||||
%% {allow, who(), access(), list(topic())} |
|
|
||||||
%% {deny, all} |
|
|
||||||
%% {deny, who(), access(), list(topic())}).
|
|
||||||
%%--------------------------------------------------------------------
|
|
||||||
|
|
||||||
{allow, {user, "dashboard"}, subscribe, ["$SYS/#"]}.
|
|
||||||
|
|
||||||
{allow, {ipaddr, "127.0.0.1"}, pubsub, ["$SYS/#", "#"]}.
|
|
||||||
|
|
||||||
{deny, all, subscribe, ["$SYS/#", {eq, "#"}]}.
|
|
||||||
|
|
||||||
{allow, all}.
|
|
||||||
|
|
||||||
|
|
@ -1,11 +0,0 @@
|
||||||
%% The options in the {server, Opts} tuple are used when calling ssl:ssl_accept/3,
|
|
||||||
%% and the options in the {client, Opts} tuple are used when calling ssl:connect/4.
|
|
||||||
%%
|
|
||||||
%% More information at: http://erlang.org/doc/apps/ssl/ssl_distribution.html
|
|
||||||
[{server,
|
|
||||||
[{certfile, "{{ platform_etc_dir }}/certs/cert.pem"},
|
|
||||||
{keyfile, "{{ platform_etc_dir }}/certs/key.pem"},
|
|
||||||
{secure_renegotiate, true},
|
|
||||||
{depth, 0}]},
|
|
||||||
{client,
|
|
||||||
[{secure_renegotiate, true}]}].
|
|
||||||
|
|
@ -70,7 +70,9 @@ groups() ->
|
||||||
]},
|
]},
|
||||||
{others, [non_parallel_tests],
|
{others, [non_parallel_tests],
|
||||||
[t_username_as_clientid,
|
[t_username_as_clientid,
|
||||||
t_certcn_as_clientid
|
t_certcn_as_clientid_default_config_tls,
|
||||||
|
t_certcn_as_clientid_tlsv1_3,
|
||||||
|
t_certcn_as_clientid_tlsv1_2
|
||||||
]}
|
]}
|
||||||
].
|
].
|
||||||
|
|
||||||
|
|
@ -278,14 +280,18 @@ t_username_as_clientid(_) ->
|
||||||
#{clientinfo := #{clientid := Username}} = emqx_cm:get_chan_info(Username),
|
#{clientinfo := #{clientid := Username}} = emqx_cm:get_chan_info(Username),
|
||||||
emqtt:disconnect(C).
|
emqtt:disconnect(C).
|
||||||
|
|
||||||
t_certcn_as_clientid(_) ->
|
|
||||||
CN = <<"Client">>,
|
|
||||||
emqx_zone:set_env(external, use_username_as_clientid, true),
|
t_certcn_as_clientid_default_config_tls(_) ->
|
||||||
SslConf = emqx_ct_helpers:client_ssl_twoway(),
|
tls_certcn_as_clientid(default).
|
||||||
{ok, C} = emqtt:start_link([{port, 8883}, {ssl, true}, {ssl_opts, SslConf}]),
|
|
||||||
{ok, _} = emqtt:connect(C),
|
t_certcn_as_clientid_tlsv1_3(_) ->
|
||||||
#{clientinfo := #{clientid := CN}} = emqx_cm:get_chan_info(CN),
|
tls_certcn_as_clientid('tlsv1.3').
|
||||||
emqtt:disconnect(C).
|
|
||||||
|
t_certcn_as_clientid_tlsv1_2(_) ->
|
||||||
|
tls_certcn_as_clientid('tlsv1.2').
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
%%--------------------------------------------------------------------
|
%%--------------------------------------------------------------------
|
||||||
%% Helper functions
|
%% Helper functions
|
||||||
|
|
@ -304,3 +310,29 @@ recv_msgs(Count, Msgs) ->
|
||||||
after 100 ->
|
after 100 ->
|
||||||
Msgs
|
Msgs
|
||||||
end.
|
end.
|
||||||
|
|
||||||
|
|
||||||
|
confirm_tls_version( Client, RequiredProtocol ) ->
|
||||||
|
Info = emqtt:info(Client),
|
||||||
|
SocketInfo = proplists:get_value( socket, Info ),
|
||||||
|
%% emqtt_sock has #ssl_socket.ssl
|
||||||
|
SSLSocket = element( 3, SocketInfo ),
|
||||||
|
{ ok, SSLInfo } = ssl:connection_information(SSLSocket),
|
||||||
|
Protocol = proplists:get_value( protocol, SSLInfo ),
|
||||||
|
RequiredProtocol = Protocol.
|
||||||
|
|
||||||
|
|
||||||
|
tls_certcn_as_clientid(default = TLSVsn) ->
|
||||||
|
tls_certcn_as_clientid(TLSVsn, 'tlsv1.3');
|
||||||
|
tls_certcn_as_clientid(TLSVsn) ->
|
||||||
|
tls_certcn_as_clientid(TLSVsn, TLSVsn).
|
||||||
|
|
||||||
|
tls_certcn_as_clientid(TLSVsn, RequiredTLSVsn) ->
|
||||||
|
CN = <<"Client">>,
|
||||||
|
emqx_zone:set_env(external, use_username_as_clientid, true),
|
||||||
|
SslConf = emqx_ct_helpers:client_ssl_twoway(TLSVsn),
|
||||||
|
{ok, Client} = emqtt:start_link([{port, 8883}, {ssl, true}, {ssl_opts, SslConf}]),
|
||||||
|
{ok, _} = emqtt:connect(Client),
|
||||||
|
#{clientinfo := #{clientid := CN}} = emqx_cm:get_chan_info(CN),
|
||||||
|
confirm_tls_version( Client, RequiredTLSVsn ),
|
||||||
|
emqtt:disconnect(Client).
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue