chore(TLS-chain-test): update for OTP 26

2024-04-30 09:01:52 +02:00 · 2024-04-30 09:01:52 +02:00 · abbf2ef62f
parent 9e196680de
commit abbf2ef62f
6 changed files with 44 additions and 27 deletions
--- a/apps/emqx/src/emqx_const_v2.erl
+++ b/apps/emqx/src/emqx_const_v2.erl
@ -1,5 +1,5 @@
 %%--------------------------------------------------------------------
-%% Copyright (c) 2023 EMQ Technologies Co., Ltd. All Rights Reserved.
+%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
 %%
 %% Licensed under the Apache License, Version 2.0 (the "License");
 %% you may not use this file except in compliance with the License.
--- a/apps/emqx/test/emqx_listener_tls_verify_chain_SUITE.erl
+++ b/apps/emqx/test/emqx_listener_tls_verify_chain_SUITE.erl
@ -1,5 +1,5 @@
 %%--------------------------------------------------------------------
-%% Copyright (c) 2023 EMQ Technologies Co., Ltd. All Rights Reserved.
+%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
 %%
 %% Licensed under the Apache License, Version 2.0 (the "License");
 %% you may not use this file except in compliance with the License.
@ -58,7 +58,8 @@ t_conn_fail_with_intermediate_ca_cert(Config) ->
        Port,
        [
            {keyfile, filename:join(DataDir, "client1.key")},
-            {certfile, filename:join(DataDir, "client1.pem")}
+            {certfile, filename:join(DataDir, "client1.pem")},
+            {verify, verify_none}
        ],
        1000
    ),
@ -83,7 +84,8 @@ t_conn_fail_with_other_intermediate_ca_cert(Config) ->
        Port,
        [
            {keyfile, filename:join(DataDir, "client2.key")},
-            {certfile, filename:join(DataDir, "client2.pem")}
+            {certfile, filename:join(DataDir, "client2.pem")},
+            {verify, verify_none}
        ],
        1000
    ),
@ -110,7 +112,8 @@ t_conn_success_with_server_client_composed_complete_chain(Config) ->
        Port,
        [
            {keyfile, filename:join(DataDir, "client2.key")},
-            {certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")}
+            {certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")},
+            {verify, verify_none}
        ],
        1000
    ),
@ -136,7 +139,8 @@ t_conn_success_with_other_signed_client_composed_complete_chain(Config) ->
        Port,
        [
            {keyfile, filename:join(DataDir, "client2.key")},
-            {certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")}
+            {certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")},
+            {verify, verify_none}
        ],
        1000
    ),
@ -161,7 +165,8 @@ t_conn_success_with_renewed_intermediate_root_bundle(Config) ->
        Port,
        [
            {keyfile, filename:join(DataDir, "client1.key")},
-            {certfile, filename:join(DataDir, "client1.pem")}
+            {certfile, filename:join(DataDir, "client1.pem")},
+            {verify, verify_none}
        ],
        1000
    ),
@ -185,7 +190,8 @@ t_conn_success_with_client_complete_cert_chain(Config) ->
        Port,
        [
            {keyfile, filename:join(DataDir, "client2.key")},
-            {certfile, filename:join(DataDir, "client2-complete-bundle.pem")}
+            {certfile, filename:join(DataDir, "client2-complete-bundle.pem")},
+            {verify, verify_none}
        ],
        1000
    ),
@ -237,7 +243,8 @@ t_conn_fail_without_root_cacert(Config) ->
            {keyfile, filename:join(DataDir, "client2.key")},
            {certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")},
            %% stick to tlsv1.2 for consistent error message
-            {versions, ['tlsv1.2']}
+            {versions, ['tlsv1.2']},
+            {cacertfile, filename:join(DataDir, "intermediate2.pem")}
        ],
        1000
    ),
--- a/apps/emqx/test/emqx_listener_tls_verify_keyusage_SUITE.erl
+++ b/apps/emqx/test/emqx_listener_tls_verify_keyusage_SUITE.erl
@ -1,5 +1,5 @@
 %%--------------------------------------------------------------------
-%% Copyright (c) 2023 EMQ Technologies Co., Ltd. All Rights Reserved.
+%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
 %%
 %% Licensed under the Apache License, Version 2.0 (the "License");
 %% you may not use this file except in compliance with the License.
@ -77,7 +77,8 @@ t_conn_success_verify_peer_ext_key_usage_unset(Config) ->
        Port,
        [
            {keyfile, filename:join(DataDir, "client1.key")},
-            {certfile, filename:join(DataDir, "client1.pem")}
+            {certfile, filename:join(DataDir, "client1.pem")},
+            {verify, verify_none}
        ],
        1000
    ),
@ -102,7 +103,8 @@ t_conn_success_verify_peer_ext_key_usage_undefined(Config) ->
        Port,
        [
            {keyfile, filename:join(DataDir, "client1.key")},
-            {certfile, filename:join(DataDir, "client1.pem")}
+            {certfile, filename:join(DataDir, "client1.pem")},
+            {verify, verify_none}
        ],
        1000
    ),
@ -129,7 +131,8 @@ t_conn_success_verify_peer_ext_key_usage_matched_predefined(Config) ->
        Port,
        [
            {keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
-            {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
+            {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
+            {verify, verify_none}
        ],
        1000
    ),
@ -157,7 +160,8 @@ t_conn_success_verify_peer_ext_key_usage_matched_raw_oid(Config) ->
        Port,
        [
            {keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
-            {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
+            {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
+            {verify, verify_none}
        ],
        1000
    ),
@ -184,7 +188,8 @@ t_conn_success_verify_peer_ext_key_usage_matched_ordered_list(Config) ->
        Port,
        [
            {keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
-            {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
+            {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
+            {verify, verify_none}
        ],
        1000
    ),
@ -210,7 +215,8 @@ t_conn_success_verify_peer_ext_key_usage_matched_unordered_list(Config) ->
        Port,
        [
            {keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
-            {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
+            {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
+            {verify, verify_none}
        ],
        1000
    ),
@ -237,7 +243,8 @@ t_conn_fail_verify_peer_ext_key_usage_unmatched_raw_oid(Config) ->
        Port,
        [
            {keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
-            {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
+            {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
+            {verify, verify_none}
        ],
        1000
    ),
@ -263,7 +270,8 @@ t_conn_fail_verify_peer_ext_key_usage_empty_str(Config) ->
        Port,
        [
            {keyfile, filename:join(DataDir, "client1.key")},
-            {certfile, filename:join(DataDir, "client1.pem")}
+            {certfile, filename:join(DataDir, "client1.pem")},
+            {verify, verify_none}
        ],
        1000
    ),
@ -290,7 +298,8 @@ t_conn_fail_client_keyusage_unmatch(Config) ->
        Port,
        [
            {keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
-            {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
+            {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
+            {verify, verify_none}
        ],
        1000
    ),
@ -317,7 +326,8 @@ t_conn_fail_client_keyusage_incomplete(Config) ->
        Port,
        [
            {keyfile, filename:join(DataDir, "client1.key")},
-            {certfile, filename:join(DataDir, "client1.pem")}
+            {certfile, filename:join(DataDir, "client1.pem")},
+            {verify, verify_none}
        ],
        1000
    ),
--- a/apps/emqx/test/emqx_listener_tls_verify_partial_chain_SUITE.erl
+++ b/apps/emqx/test/emqx_listener_tls_verify_partial_chain_SUITE.erl
@ -1,5 +1,5 @@
 %%--------------------------------------------------------------------
-%% Copyright (c) 2023 EMQ Technologies Co., Ltd. All Rights Reserved.
+%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
 %%
 %% Licensed under the Apache License, Version 2.0 (the "License");
 %% you may not use this file except in compliance with the License.
@ -702,4 +702,7 @@ ssl_config_verify_partial_chain() ->
    ].

 client_default_tls_opts() ->
-    [{versions, ['tlsv1.2']}].
+    [
+        {versions, ['tlsv1.2']},
+        {verify, verify_none}
+    ].
--- a/apps/emqx/test/emqx_test_tls_certs_helper.erl
+++ b/apps/emqx/test/emqx_test_tls_certs_helper.erl
@ -1,5 +1,5 @@
 %%--------------------------------------------------------------------
-%% Copyright (c) 2023 EMQ Technologies Co., Ltd. All Rights Reserved.
+%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
 %%
 %% Licensed under the Apache License, Version 2.0 (the "License");
 %% you may not use this file except in compliance with the License.
@ -40,6 +40,7 @@ emqx_start_listener(Name, Type, Port, Opts) when is_list(Opts) ->
    emqx_start_listener(Name, Type, Port, maps:from_list(Opts));
 emqx_start_listener(Name, ssl, Port, #{ssl_options := SslOptions} = Opts0) ->
    Opts = Opts0#{
+        enable => true,
        bind => {{127, 0, 0, 1}, Port},
        mountpoint => <<>>,
        zone => default,
--- a/changes/ce/feat-11721.zh.md
+++ b/changes/ce/feat-11721.zh.md
@ -1,4 +0,0 @@
- 移植 emqx 4.4 中的两项 TLS 握手验证功能
-
- 支持部分链 ( partial_chain )
- 证书密钥使用验证