From 3c37f1910587ca89cec01becd2215f2424b54de2 Mon Sep 17 00:00:00 2001
From: ieQu1 <99872536+ieQu1@users.noreply.github.com>
Date: Wed, 27 Sep 2023 20:35:29 +0200
Subject: [PATCH 1/2] chore(gen_rpc): Bump version to 3.1.1

---
 apps/emqx/rebar.config | 2 +-
 changes/ce/fix-11697.en.md | 2 ++
 mix.exs | 2 +-
 rebar.config | 2 +-
 4 files changed, 5 insertions(+), 3 deletions(-)
 create mode 100644 changes/ce/fix-11697.en.md

diff --git a/apps/emqx/rebar.config b/apps/emqx/rebar.config
index 4d1f73890..a69060b9d 100644
--- a/apps/emqx/rebar.config
+++ b/apps/emqx/rebar.config
@@ -29,7 +29,7 @@
  {cowboy, {git, "https://github.com/emqx/cowboy", {tag, "2.9.2"}}},
  {esockd, {git, "https://github.com/emqx/esockd", {tag, "5.9.7"}}},
  {ekka, {git, "https://github.com/emqx/ekka", {tag, "0.15.15"}}},
- {gen_rpc, {git, "https://github.com/emqx/gen_rpc", {tag, "3.1.0"}}},
+ {gen_rpc, {git, "https://github.com/emqx/gen_rpc", {tag, "3.1.1"}}},
  {hocon, {git, "https://github.com/emqx/hocon.git", {tag, "0.39.16"}}},
  {emqx_http_lib, {git, "https://github.com/emqx/emqx_http_lib.git", {tag, "0.5.3"}}},
  {pbkdf2, {git, "https://github.com/emqx/erlang-pbkdf2.git", {tag, "2.0.4"}}},
diff --git a/changes/ce/fix-11697.en.md b/changes/ce/fix-11697.en.md
new file mode 100644
index 000000000..453b0113b
--- /dev/null
+++ b/changes/ce/fix-11697.en.md
@@ -0,0 +1,2 @@
+Use default TLS options for the EMQX backplane communications via gen_rpc.
+The corresponding PR: https://github.com/emqx/gen_rpc/pull/36
diff --git a/mix.exs b/mix.exs
index 0edb28f9b..ff552c93d 100644
--- a/mix.exs
+++ b/mix.exs
@@ -56,7 +56,7 @@ defmodule EMQXUmbrella.MixProject do
  {:esockd, github: "emqx/esockd", tag: "5.9.7", override: true},
  {:rocksdb, github: "emqx/erlang-rocksdb", tag: "1.8.0-emqx-1", override: true},
  {:ekka, github: "emqx/ekka", tag: "0.15.15", override: true},
- {:gen_rpc, github: "emqx/gen_rpc", tag: "3.1.0", override: true},
+ {:gen_rpc, github: "emqx/gen_rpc", tag: "3.1.1", override: true},
  {:grpc, github: "emqx/grpc-erl", tag: "0.6.8", override: true},
  {:minirest, github: "emqx/minirest", tag: "1.3.13", override: true},
  {:ecpool, github: "emqx/ecpool", tag: "0.5.4", override: true},
diff --git a/rebar.config b/rebar.config
index 8b893d6d1..70341ef31 100644
--- a/rebar.config
+++ b/rebar.config
@@ -63,7 +63,7 @@
  , {esockd, {git, "https://github.com/emqx/esockd", {tag, "5.9.7"}}}
  , {rocksdb, {git, "https://github.com/emqx/erlang-rocksdb", {tag, "1.8.0-emqx-1"}}}
  , {ekka, {git, "https://github.com/emqx/ekka", {tag, "0.15.15"}}}
- , {gen_rpc, {git, "https://github.com/emqx/gen_rpc", {tag, "3.1.0"}}}
+ , {gen_rpc, {git, "https://github.com/emqx/gen_rpc", {tag, "3.1.1"}}}
  , {grpc, {git, "https://github.com/emqx/grpc-erl", {tag, "0.6.8"}}}
  , {minirest, {git, "https://github.com/emqx/minirest", {tag, "1.3.13"}}}
  , {ecpool, {git, "https://github.com/emqx/ecpool", {tag, "0.5.4"}}}
From 0aa3ccdd655cb2035abe741ed1b63be0593f1e91 Mon Sep 17 00:00:00 2001
From: ieQu1 <99872536+ieQu1@users.noreply.github.com>
Date: Thu, 28 Sep 2023 00:30:36 +0200
Subject: [PATCH 2/2] feat(gen_rpc): Add schema for the TLS versions and cipher suites

---
 apps/emqx/src/emqx_schema.erl | 29 +++++++++++++++----------
 apps/emqx_conf/src/emqx_conf_schema.erl | 15 +++++++++++--
 changes/ce/fix-11697.en.md | 8 +++++--
 3 files changed, 36 insertions(+), 16 deletions(-)

diff --git a/apps/emqx/src/emqx_schema.erl b/apps/emqx/src/emqx_schema.erl
index 04bd397ec..beb8c2567 100644
--- a/apps/emqx/src/emqx_schema.erl
+++ b/apps/emqx/src/emqx_schema.erl
@@ -168,7 +168,9 @@ -export([namespace/0, roots/0, roots/1, fields/1, desc/1, tags/0]). -export([conf_get/2, conf_get/3, keys/2, filter/1]). --export([server_ssl_opts_schema/2, client_ssl_opts_schema/1, ciphers_schema/1]). +-export([ + server_ssl_opts_schema/2, client_ssl_opts_schema/1, ciphers_schema/1, tls_versions_schema/1 +]). -export([password_converter/2, bin_str_converter/2]). -export([authz_fields/0]). -export([sc/2, map/2]). @@ -2019,7 +2021,6 @@ common_ssl_opts_schema(Defaults, Type) -> D = fun(Field) -> maps:get(Field, Defaults, undefined) end, Df = fun(Field, Default) -> maps:get(Field, Defaults, Default) end, Collection = maps:get(versions, Defaults, tls_all_available), - DefaultVersions = default_tls_vsns(Collection), [ {"cacertfile", sc( @@ -2093,16 +2094,7 @@ common_ssl_opts_schema(Defaults, Type) -> converter => fun password_converter/2 } )}, - {"versions", - sc( - hoconsc:array(typerefl:atom()), - #{ - default => DefaultVersions, - desc => ?DESC(common_ssl_opts_schema_versions), - importance => ?IMPORTANCE_HIGH, - validator => fun(Input) -> validate_tls_versions(Collection, Input) end - } - )}, + {"versions", tls_versions_schema(Collection)}, {"ciphers", ciphers_schema(D(ciphers))}, {"user_lookup_fun", sc( @@ -2319,6 +2311,19 @@ outdated_tls_vsn(tls_all_available) -> ['tlsv1.1', tlsv1]. default_tls_vsns(Key) -> available_tls_vsns(Key) -- outdated_tls_vsn(Key). +-spec tls_versions_schema(tls_all_available | dtls_all_available) -> hocon_schema:field_schema(). +tls_versions_schema(Collection) -> + DefaultVersions = default_tls_vsns(Collection), + sc( + hoconsc:array(typerefl:atom()), + #{ + default => DefaultVersions, + desc => ?DESC(common_ssl_opts_schema_versions), + importance => ?IMPORTANCE_HIGH, + validator => fun(Input) -> validate_tls_versions(Collection, Input) end + } + ). + -spec ciphers_schema(quic | dtls_all_available | tls_all_available | undefined) -> hocon_schema:field_schema(). ciphers_schema(Default) -> 
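Review bot: `tls_versions_schema/1` is exported here as a reusable schema piece but has no doc comment, so its security-relevant default is only discoverable by reading `default_tls_vsns/1` and `outdated_tls_vsn/1`. A comment above the `-spec`, e.g. `%% @doc Schema for the TLS versions option of a Collection (tls_all_available | dtls_all_available): the default is the collection minus the outdated versions (tlsv1 and tlsv1.1 for TLS), and user input is validated against that collection.`, would make this explicit for callers such as the rpc schema. `validate_tls_versions/2` lies outside the hunk, so whether it also rejects an empty list should be confirmed before being stated in the comment.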
diff --git a/apps/emqx_conf/src/emqx_conf_schema.erl b/apps/emqx_conf/src/emqx_conf_schema.erl index f1bfc3d31..e87c3c898 100644 --- a/apps/emqx_conf/src/emqx_conf_schema.erl +++ b/apps/emqx_conf/src/emqx_conf_schema.erl @@ -940,7 +940,9 @@ fields("rpc") -> default => true, desc => ?DESC(rpc_insecure_fallback) } - )} + )}, + {"ciphers", emqx_schema:ciphers_schema(tls_all_available)}, + {"tls_versions", emqx_schema:tls_versions_schema(tls_all_available)} ]; fields("log") -> [ @@ -1176,7 +1178,11 @@ translation("emqx") -> {"cluster_hocon_file", fun tr_cluster_hocon_file/1} ]; translation("gen_rpc") -> - [{"default_client_driver", fun tr_default_config_driver/1}]; + [ + {"default_client_driver", fun tr_default_config_driver/1}, + {"ssl_client_options", fun tr_gen_rpc_ssl_options/1}, + {"ssl_server_options", fun tr_gen_rpc_ssl_options/1} + ]; translation("prometheus") -> [ {"collectors", fun tr_prometheus_collectors/1} @@ -1240,6 +1246,11 @@ collector_enabled(disabled, _) -> []. tr_default_config_driver(Conf) -> conf_get("rpc.driver", Conf). +tr_gen_rpc_ssl_options(Conf) -> + Ciphers = conf_get("rpc.ciphers", Conf), + Versions = conf_get("rpc.tls_versions", Conf), + [{ciphers, Ciphers}, {versions, Versions}]. + tr_config_files(_Conf) -> case os:getenv("EMQX_ETC_DIR") of false -> diff --git a/changes/ce/fix-11697.en.md b/changes/ce/fix-11697.en.md index 453b0113b..d4931539f 100644 --- a/changes/ce/fix-11697.en.md +++ b/changes/ce/fix-11697.en.md @@ -1,2 +1,6 @@ -Use default TLS options for the EMQX backplane communications via gen_rpc. -The corresponding PR: https://github.com/emqx/gen_rpc/pull/36 +Disable outdated TLS versions and ciphersuites in the EMQX backplane network (`gen_rpc`). +Allow using tlsv1.3 on the backplane. + +Add new configuration parameters: `EMQX_RPC__TLS_VERSIONS` and `EMQX_RPC__CIPHERS`. + +The corresponding `gen_rpc` PR: https://github.com/emqx/gen_rpc/pull/36
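Review bot: The `ciphers` and `tls_versions` fields are inserted directly after `insecure_fallback`, whose default stays `true`, and nothing in this hunk ties the two together: if that option means what its name suggests, a node whose peer rejects the newly restricted versions or suites will fail the TLS handshake and then fall back to a plaintext backplane connection instead of refusing to cluster, which quietly undoes the hardening these fields exist to provide. I would at least document that interaction in the `DESC` text for both new fields, and preferably add a validator that rejects a non-default `tls_versions`/`ciphers` restriction while `insecure_fallback` is left enabled. The `fields("rpc")` clause starts before this hunk, so I cannot see whether the `driver` setting read by `tr_default_config_driver/1` gates any of this.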
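Review bot: `tr_gen_rpc_ssl_options/1` forwards the raw `rpc.ciphers` and `rpc.tls_versions` values without checking that they agree, so `tls_versions = [tlsv1.3]` with only TLS 1.2 suites (or the reverse) passes the schema yet yields a handshake that can never succeed; the same list is also applied unchanged to both `ssl_client_options` and `ssl_server_options`. The MQTT listeners appear to pass their TLS config through a reconciliation step before it reaches `ssl` (that code is outside this diff); the equivalent step, or at least a validator rejecting an empty version/cipher intersection, belongs here. Also confirm the representation gen_rpc hands to `ssl`: to my recollection OTP treats a list of binaries in the `ciphers` option as already-encoded suite codes, so cipher names must arrive as strings or maps. A short header comment such as `%% TLS restrictions applied to both directions of the backplane (rpc.ciphers / rpc.tls_versions)` would also help.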