Merge pull request #11697 from ieQu1/dev/gen-rpc-3.1.1

chore(gen_rpc): Bump version to 3.1.1

apps/emqx/rebar.config

@@ -29,7 +29,7 @@
     {cowboy, {git, "https://github.com/emqx/cowboy", {tag, "2.9.2"}}},
     {esockd, {git, "https://github.com/emqx/esockd", {tag, "5.9.7"}}},
     {ekka, {git, "https://github.com/emqx/ekka", {tag, "0.15.15"}}},
-    {gen_rpc, {git, "https://github.com/emqx/gen_rpc", {tag, "3.1.0"}}},
+    {gen_rpc, {git, "https://github.com/emqx/gen_rpc", {tag, "3.1.1"}}},
     {hocon, {git, "https://github.com/emqx/hocon.git", {tag, "0.39.16"}}},
     {emqx_http_lib, {git, "https://github.com/emqx/emqx_http_lib.git", {tag, "0.5.3"}}},
     {pbkdf2, {git, "https://github.com/emqx/erlang-pbkdf2.git", {tag, "2.0.4"}}},

apps/emqx/src/emqx_schema.erl

@@ -168,7 +168,9 @@
 
 -export([namespace/0, roots/0, roots/1, fields/1, desc/1, tags/0]).
 -export([conf_get/2, conf_get/3, keys/2, filter/1]).
--export([server_ssl_opts_schema/2, client_ssl_opts_schema/1, ciphers_schema/1]).
+-export([
+    server_ssl_opts_schema/2, client_ssl_opts_schema/1, ciphers_schema/1, tls_versions_schema/1
+]).
 -export([password_converter/2, bin_str_converter/2]).
 -export([authz_fields/0]).
 -export([sc/2, map/2]).
@@ -2019,7 +2021,6 @@ common_ssl_opts_schema(Defaults, Type) ->
     D = fun(Field) -> maps:get(Field, Defaults, undefined) end,
     Df = fun(Field, Default) -> maps:get(Field, Defaults, Default) end,
     Collection = maps:get(versions, Defaults, tls_all_available),
-    DefaultVersions = default_tls_vsns(Collection),
     [
         {"cacertfile",
             sc(
@@ -2093,16 +2094,7 @@ common_ssl_opts_schema(Defaults, Type) ->
                     converter => fun password_converter/2
                 }
             )},
-        {"versions",
-            sc(
-                hoconsc:array(typerefl:atom()),
-                #{
-                    default => DefaultVersions,
-                    desc => ?DESC(common_ssl_opts_schema_versions),
-                    importance => ?IMPORTANCE_HIGH,
-                    validator => fun(Input) -> validate_tls_versions(Collection, Input) end
-                }
-            )},
+        {"versions", tls_versions_schema(Collection)},
         {"ciphers", ciphers_schema(D(ciphers))},
         {"user_lookup_fun",
             sc(
@@ -2319,6 +2311,19 @@ outdated_tls_vsn(tls_all_available) -> ['tlsv1.1', tlsv1].
 default_tls_vsns(Key) ->
     available_tls_vsns(Key) -- outdated_tls_vsn(Key).
 
+-spec tls_versions_schema(tls_all_available | dtls_all_available) -> hocon_schema:field_schema().
+tls_versions_schema(Collection) ->
+    DefaultVersions = default_tls_vsns(Collection),
+    sc(
+        hoconsc:array(typerefl:atom()),
+        #{
+            default => DefaultVersions,
+            desc => ?DESC(common_ssl_opts_schema_versions),
+            importance => ?IMPORTANCE_HIGH,
+            validator => fun(Input) -> validate_tls_versions(Collection, Input) end
+        }
+    ).
+
 -spec ciphers_schema(quic | dtls_all_available | tls_all_available | undefined) ->
     hocon_schema:field_schema().
 ciphers_schema(Default) ->

apps/emqx_conf/src/emqx_conf_schema.erl

@@ -940,7 +940,9 @@ fields("rpc") ->
                     default => true,
                     desc => ?DESC(rpc_insecure_fallback)
                 }
-            )}
+            )},
+        {"ciphers", emqx_schema:ciphers_schema(tls_all_available)},
+        {"tls_versions", emqx_schema:tls_versions_schema(tls_all_available)}
     ];
 fields("log") ->
     [
@@ -1176,7 +1178,11 @@ translation("emqx") ->
         {"cluster_hocon_file", fun tr_cluster_hocon_file/1}
     ];
 translation("gen_rpc") ->
-    [{"default_client_driver", fun tr_default_config_driver/1}];
+    [
+        {"default_client_driver", fun tr_default_config_driver/1},
+        {"ssl_client_options", fun tr_gen_rpc_ssl_options/1},
+        {"ssl_server_options", fun tr_gen_rpc_ssl_options/1}
+    ];
 translation("prometheus") ->
     [
         {"collectors", fun tr_prometheus_collectors/1}
@@ -1240,6 +1246,11 @@ collector_enabled(disabled, _) -> [].
 tr_default_config_driver(Conf) ->
     conf_get("rpc.driver", Conf).
 
+tr_gen_rpc_ssl_options(Conf) ->
+    Ciphers = conf_get("rpc.ciphers", Conf),
+    Versions = conf_get("rpc.tls_versions", Conf),
+    [{ciphers, Ciphers}, {versions, Versions}].
+
 tr_config_files(_Conf) ->
     case os:getenv("EMQX_ETC_DIR") of
         false ->

changes/ce/fix-11697.en.md

@@ -0,0 +1,6 @@
+Disable outdated TLS versions and ciphersuites in the EMQX backplane network (`gen_rpc`).
+Allow using tlsv1.3 on the backplane.
+
+Add new configuration parameters: `EMQX_RPC__TLS_VERSIONS` and `EMQX_RPC__CIPHERS`.
+
+The corresponding `gen_rpc` PR: https://github.com/emqx/gen_rpc/pull/36

mix.exs

@@ -56,7 +56,7 @@ defmodule EMQXUmbrella.MixProject do
       {:esockd, github: "emqx/esockd", tag: "5.9.7", override: true},
       {:rocksdb, github: "emqx/erlang-rocksdb", tag: "1.8.0-emqx-1", override: true},
       {:ekka, github: "emqx/ekka", tag: "0.15.15", override: true},
-      {:gen_rpc, github: "emqx/gen_rpc", tag: "3.1.0", override: true},
+      {:gen_rpc, github: "emqx/gen_rpc", tag: "3.1.1", override: true},
       {:grpc, github: "emqx/grpc-erl", tag: "0.6.8", override: true},
       {:minirest, github: "emqx/minirest", tag: "1.3.13", override: true},
       {:ecpool, github: "emqx/ecpool", tag: "0.5.4", override: true},

rebar.config

@@ -63,7 +63,7 @@
     , {esockd, {git, "https://github.com/emqx/esockd", {tag, "5.9.7"}}}
     , {rocksdb, {git, "https://github.com/emqx/erlang-rocksdb", {tag, "1.8.0-emqx-1"}}}
     , {ekka, {git, "https://github.com/emqx/ekka", {tag, "0.15.15"}}}
-    , {gen_rpc, {git, "https://github.com/emqx/gen_rpc", {tag, "3.1.0"}}}
+    , {gen_rpc, {git, "https://github.com/emqx/gen_rpc", {tag, "3.1.1"}}}
     , {grpc, {git, "https://github.com/emqx/grpc-erl", {tag, "0.6.8"}}}
     , {minirest, {git, "https://github.com/emqx/minirest", {tag, "1.3.13"}}}
     , {ecpool, {git, "https://github.com/emqx/ecpool", {tag, "0.5.4"}}}