diff --git a/apps/emqx/rebar.config b/apps/emqx/rebar.config
index 4d1f73890..a69060b9d 100644
--- a/apps/emqx/rebar.config
+++ b/apps/emqx/rebar.config
@@ -29,7 +29,7 @@
 {cowboy, {git, "https://github.com/emqx/cowboy", {tag, "2.9.2"}}},
 {esockd, {git, "https://github.com/emqx/esockd", {tag, "5.9.7"}}},
 {ekka, {git, "https://github.com/emqx/ekka", {tag, "0.15.15"}}},
- {gen_rpc, {git, "https://github.com/emqx/gen_rpc", {tag, "3.1.0"}}},
+ {gen_rpc, {git, "https://github.com/emqx/gen_rpc", {tag, "3.1.1"}}},
 {hocon, {git, "https://github.com/emqx/hocon.git", {tag, "0.39.16"}}},
 {emqx_http_lib, {git, "https://github.com/emqx/emqx_http_lib.git", {tag, "0.5.3"}}},
 {pbkdf2, {git, "https://github.com/emqx/erlang-pbkdf2.git", {tag, "2.0.4"}}},
diff --git a/apps/emqx/src/emqx_schema.erl b/apps/emqx/src/emqx_schema.erl
index 04bd397ec..beb8c2567 100644
--- a/apps/emqx/src/emqx_schema.erl
+++ b/apps/emqx/src/emqx_schema.erl
@@ -168,7 +168,9 @@
 -export([namespace/0, roots/0, roots/1, fields/1, desc/1, tags/0]).
 -export([conf_get/2, conf_get/3, keys/2, filter/1]).
--export([server_ssl_opts_schema/2, client_ssl_opts_schema/1, ciphers_schema/1]).
+-export([ server_ssl_opts_schema/2, client_ssl_opts_schema/1, ciphers_schema/1, tls_versions_schema/1
+]).
 -export([password_converter/2, bin_str_converter/2]).
 -export([authz_fields/0]).
 -export([sc/2, map/2]).
@@ -2019,7 +2021,6 @@ common_ssl_opts_schema(Defaults, Type) ->
 D = fun(Field) -> maps:get(Field, Defaults, undefined) end,
 Df = fun(Field, Default) -> maps:get(Field, Defaults, Default) end,
 Collection = maps:get(versions, Defaults, tls_all_available),
- DefaultVersions = default_tls_vsns(Collection),
 [
 {"cacertfile",
 sc(
@@ -2093,16 +2094,7 @@ common_ssl_opts_schema(Defaults, Type) ->
 converter => fun password_converter/2
 }
 )},
- {"versions",
- sc(
- hoconsc:array(typerefl:atom()),
- #{
- default => DefaultVersions,
- desc => ?DESC(common_ssl_opts_schema_versions),
- importance => ?IMPORTANCE_HIGH,
- validator => fun(Input) -> validate_tls_versions(Collection, Input) end
- }
- )},
+ {"versions", tls_versions_schema(Collection)},
 {"ciphers", ciphers_schema(D(ciphers))},
 {"user_lookup_fun",
 sc(
@@ -2319,6 +2311,19 @@ outdated_tls_vsn(tls_all_available) -> ['tlsv1.1', tlsv1].
 default_tls_vsns(Key) ->
 available_tls_vsns(Key) -- outdated_tls_vsn(Key).
+-spec tls_versions_schema(tls_all_available | dtls_all_available) -> hocon_schema:field_schema().
+tls_versions_schema(Collection) ->
+ DefaultVersions = default_tls_vsns(Collection),
+ sc(
+ hoconsc:array(typerefl:atom()),
+ #{
+ default => DefaultVersions,
+ desc => ?DESC(common_ssl_opts_schema_versions),
+ importance => ?IMPORTANCE_HIGH,
+ validator => fun(Input) -> validate_tls_versions(Collection, Input) end
+ }
+ ).
+
 -spec ciphers_schema(quic | dtls_all_available | tls_all_available | undefined) ->
 hocon_schema:field_schema().
 ciphers_schema(Default) ->
diff --git a/apps/emqx_conf/src/emqx_conf_schema.erl b/apps/emqx_conf/src/emqx_conf_schema.erl
index f1bfc3d31..e87c3c898 100644
--- a/apps/emqx_conf/src/emqx_conf_schema.erl
+++ b/apps/emqx_conf/src/emqx_conf_schema.erl
@@ -940,7 +940,9 @@ fields("rpc") ->
 default => true,
 desc => ?DESC(rpc_insecure_fallback)
 }
- )}
+ )},
+ {"ciphers", emqx_schema:ciphers_schema(tls_all_available)},
+ {"tls_versions", emqx_schema:tls_versions_schema(tls_all_available)}
 ];
 fields("log") ->
 [
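Review bot: tls_versions_schema/1 is newly exported with a `-spec` but no doc comment, so a reader has to chase default_tls_vsns/1 to learn that the default deliberately excludes the outdated protocol versions (for `tls_all_available`, `['tlsv1.1', tlsv1]` per the hunk's context line). Add above the spec: `%% Schema for a TLS "versions" field. Default is available_tls_vsns(Collection) minus outdated_tls_vsn(Collection);` and `%% the validator presumably rejects versions outside Collection (see validate_tls_versions/2).` The spec also narrows the argument to `tls_all_available | dtls_all_available`, narrower than the `quic | ... | undefined` accepted by ciphers_schema/1 just below; that is fine as long as common_ssl_opts_schema/2 never derives a different Collection, which Dialyzer should confirm rather than the reader.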
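Review bot: The new `ciphers` and `tls_versions` fields in fields("rpc") are validated independently, and nothing in this hunk checks that the chosen cipher list contains suites usable with the chosen versions (a `tls_versions` of only tlsv1.3 together with a TLS 1.2-only cipher list), so that misconfiguration would show up as backplane handshake failures at runtime rather than at config load; whether ciphers_schema/1's validator already covers this cannot be seen here. If it does not, a cross-field validator on the `rpc` struct, or at least a sentence in the field descriptions, would be worth adding. The field is named `tls_versions` while the common SSL schema uses `versions`; presumably intentional (the changelog documents `EMQX_RPC__TLS_VERSIONS`), but a short comment on the line stating why would save the next reader the question.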
@@ -1176,7 +1178,11 @@ translation("emqx") ->
 {"cluster_hocon_file", fun tr_cluster_hocon_file/1}
 ];
 translation("gen_rpc") ->
- [{"default_client_driver", fun tr_default_config_driver/1}];
+ [
+ {"default_client_driver", fun tr_default_config_driver/1},
+ {"ssl_client_options", fun tr_gen_rpc_ssl_options/1},
+ {"ssl_server_options", fun tr_gen_rpc_ssl_options/1}
+ ];
 translation("prometheus") ->
 [
 {"collectors", fun tr_prometheus_collectors/1}
@@ -1240,6 +1246,11 @@ collector_enabled(disabled, _) -> [].
 tr_default_config_driver(Conf) ->
 conf_get("rpc.driver", Conf).
+tr_gen_rpc_ssl_options(Conf) ->
+ Ciphers = conf_get("rpc.ciphers", Conf),
+ Versions = conf_get("rpc.tls_versions", Conf),
+ [{ciphers, Ciphers}, {versions, Versions}].
+
 tr_config_files(_Conf) ->
 case os:getenv("EMQX_ETC_DIR") of
 false ->
diff --git a/changes/ce/fix-11697.en.md b/changes/ce/fix-11697.en.md
new file mode 100644
index 000000000..d4931539f
--- /dev/null
+++ b/changes/ce/fix-11697.en.md
@@ -0,0 +1,6 @@
+Disable outdated TLS versions and ciphersuites in the EMQX backplane network (`gen_rpc`).
+Allow using tlsv1.3 on the backplane.
+
+Add new configuration parameters: `EMQX_RPC__TLS_VERSIONS` and `EMQX_RPC__CIPHERS`.
+
+The corresponding `gen_rpc` PR: https://github.com/emqx/gen_rpc/pull/36
diff --git a/mix.exs b/mix.exs
index 0edb28f9b..ff552c93d 100644
--- a/mix.exs
+++ b/mix.exs
@@ -56,7 +56,7 @@ defmodule EMQXUmbrella.MixProject do
 {:esockd, github: "emqx/esockd", tag: "5.9.7", override: true},
 {:rocksdb, github: "emqx/erlang-rocksdb", tag: "1.8.0-emqx-1", override: true},
 {:ekka, github: "emqx/ekka", tag: "0.15.15", override: true},
- {:gen_rpc, github: "emqx/gen_rpc", tag: "3.1.0", override: true},
+ {:gen_rpc, github: "emqx/gen_rpc", tag: "3.1.1", override: true},
 {:grpc, github: "emqx/grpc-erl", tag: "0.6.8", override: true},
 {:minirest, github: "emqx/minirest", tag: "1.3.13", override: true},
 {:ecpool, github: "emqx/ecpool", tag: "0.5.4", override: true},
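Review bot: tr_gen_rpc_ssl_options/1 is wired to both `ssl_client_options` and `ssl_server_options` in the translation("gen_rpc") hunk above, yet nothing at the definition says that one shared TLS policy for both backplane sides is intended; add `%% Both the gen_rpc client and server side use the same TLS policy (rpc.ciphers / rpc.tls_versions).` above the head, and a `-spec` would match the file's exported-function convention. The function hands the two lists to gen_rpc exactly as conf_get returns them, so the element shape produced by ciphers_schema/1's converter (strings vs. binaries) must be what gen_rpc's ssl options accept; this diff does not show that, and a test with a non-default cipher list would pin it. A translation sets the whole app-env value, so if anything else populated these two gen_rpc keys it would now be replaced rather than merged; presumably nothing does, but worth confirming.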
diff --git a/rebar.config b/rebar.config
index 8b893d6d1..70341ef31 100644
--- a/rebar.config
+++ b/rebar.config
@@ -63,7 +63,7 @@
 , {esockd, {git, "https://github.com/emqx/esockd", {tag, "5.9.7"}}}
 , {rocksdb, {git, "https://github.com/emqx/erlang-rocksdb", {tag, "1.8.0-emqx-1"}}}
 , {ekka, {git, "https://github.com/emqx/ekka", {tag, "0.15.15"}}}
- , {gen_rpc, {git, "https://github.com/emqx/gen_rpc", {tag, "3.1.0"}}}
+ , {gen_rpc, {git, "https://github.com/emqx/gen_rpc", {tag, "3.1.1"}}}
 , {grpc, {git, "https://github.com/emqx/grpc-erl", {tag, "0.6.8"}}}
 , {minirest, {git, "https://github.com/emqx/minirest", {tag, "1.3.13"}}}
 , {ecpool, {git, "https://github.com/emqx/ecpool", {tag, "0.5.4"}}}