From a614e3065a002151b46b7984a294feb69ea219e7 Mon Sep 17 00:00:00 2001
From: Andrew Mayorov
Date: Thu, 8 Dec 2022 14:14:50 +0300
Subject: [PATCH] chore(tls): drop OTP-22-related workaround

---
 apps/emqx/src/emqx_tls_lib.erl | 16 ++--------------
 1 file changed, 2 insertions(+), 14 deletions(-)

diff --git a/apps/emqx/src/emqx_tls_lib.erl b/apps/emqx/src/emqx_tls_lib.erl
index 85c4396ab..fc3ed9353 100644
--- a/apps/emqx/src/emqx_tls_lib.erl
+++ b/apps/emqx/src/emqx_tls_lib.erl
@@ -55,18 +55,6 @@
 %% non-empty list of strings
 -define(IS_STRING_LIST(L), (is_list(L) andalso L =/= [] andalso ?IS_STRING(hd(L)))).

-%% The ciphers that ssl:cipher_suites(exclusive, 'tlsv1.3', openssl)
-%% should return when running on otp 23.
-%% But we still have to hard-code them because tlsv1.3 on otp 22 is
-%% not trustworthy.
--define(TLSV13_EXCLUSIVE_CIPHERS, [
- "TLS_AES_256_GCM_SHA384",
- "TLS_AES_128_GCM_SHA256",
- "TLS_CHACHA20_POLY1305_SHA256",
- "TLS_AES_128_CCM_SHA256",
- "TLS_AES_128_CCM_8_SHA256"
-]).
-
 -define(SELECTED_CIPHERS, [
 "ECDHE-ECDSA-AES256-GCM-SHA384",
 "ECDHE-RSA-AES256-GCM-SHA384",
@@ -162,7 +150,7 @@ all_ciphers(['tlsv1.3']) ->
 %% because 'all' returns legacy cipher suites too,
 %% which does not make sense since tlsv1.3 can not use
 %% legacy cipher suites.
- ?TLSV13_EXCLUSIVE_CIPHERS;
+ ssl:cipher_suites(exclusive, 'tlsv1.3', openssl);
 all_ciphers(Versions) ->
 %% assert non-empty
 List = lists:append([ssl:cipher_suites(all, V, openssl) || V <- Versions]),
@@ -197,7 +185,7 @@ selected_ciphers(Vsns) ->

 do_selected_ciphers('tlsv1.3') ->
 case lists:member('tlsv1.3', proplists:get_value(available, ssl:versions())) of
- true -> ?TLSV13_EXCLUSIVE_CIPHERS;
+ true -> ssl:cipher_suites(exclusive, 'tlsv1.3', openssl);
 false -> []
 end ++ do_selected_ciphers('tlsv1.2');
 do_selected_ciphers(_) ->
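Review bot: The `all_ciphers(['tlsv1.3'])` clause now calls `ssl:cipher_suites(exclusive, 'tlsv1.3', openssl)` without the TLS 1.3 availability check that `do_selected_ciphers('tlsv1.3')` makes through `ssl:versions()` in the last hunk, and the comment kept above the call does not say that the result is now runtime-dependent. The removed macro returned the same five names on every node; what the call returns on a build where TLS 1.3 is unavailable is not visible in this patch. I would extend the comment with `%% NOTE: the list comes from the running OTP ssl/crypto build and may differ between nodes` and add a test that pins the suites expected on the supported OTP versions. The clause head appears only as the hunk's section heading, so the start of the function is outside the hunk.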
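Review bot: The `true` branch of `do_selected_ciphers('tlsv1.3')` now takes the default TLS 1.3 offer from the runtime unfiltered, so the default set can change on an OTP upgrade with no change in this file. If the runtime still returns `TLS_AES_128_CCM_8_SHA256` (it was in the removed macro), the default keeps a suite with an 8-byte authentication tag; if that is not intended, the branch could read `true -> ssl:cipher_suites(exclusive, 'tlsv1.3', openssl) -- ["TLS_AES_128_CCM_8_SHA256"];`. Either way, a one-line comment stating that the default follows the OTP release would make the choice explicit. The second clause, `do_selected_ciphers(_) ->`, has its body outside the hunk.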