yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #10981 from qzhuyan/docs/william/tls-partial-chain-add-defaults 

chore: add missing TLS defaults in emqx.conf
This commit is contained in:
William Yang 2023-06-09 09:28:14 +02:00 committed by GitHub
parent 414f6af663 007144a3cc
commit b85f5f0b23
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 35 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
etc/emqx.conf
View File

@ -1673,6 +1673,41 @@ crl_cache_refresh_interval = 15m
## Value: Ciphers
listener.ssl.external.ciphers = TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256,TLS_AES_128_CCM_8_SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA
## When EMQX verifies a client certificate during the x509 path validation
## process, it constructs a certificate chain that starts with the client
## certificate and ends with a trust anchor.
## By default, if the setting is set to `false`, the trust anchor is the
## rootCA, and the certificate chain must be complete.
## However, if the setting is set to `true` or `cacert_from_cacertfile`,
## the last certificate in the cacertfile will be used as the trust anchor
## certificate (such as an intermediate CA). This creates a partial chain
## in the path validation.
## Alternatively, if the setting is set to `two_cacerts_from_cacertfile`,
## one of the last two certificates in the cacertfile will be used as the
## trust anchor certificate, forming a partial chain. This option is
## particularly useful for CA certificate rotation.
## However, please note that it incurs some additional overhead, so it
## should only be used for certificate rotation purposes.
##
## Values: false | true | cacert_from_cacertfile | two_cacerts_from_cacertfile
## listener.ssl.external.partial_chain = false
## For additional client certificate validation, the value defined here must present in the
## 'Extended Key Usage' of client certificate defined in
## [rfc5280](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.12).
##
## Allowed values are
## - "clientAuth"
## - "serverAuth"
## - "codeSigning"
## - "emailProtection"
## - "timeStamping"
## - "ocspSigning"
## - raw OID, example: "OID:1.3.6.1.5.5.7.3.2"
## Comma-separated string is also supported for validating the subset of key usages.
## example, "serverAuth,OID:1.3.6.1.5.5.7.3.2"
##
## listener.ssl.external.verify_peer_ext_key_usage = "clientAuth"
## Ciphers for TLS PSK.
## Note that 'listener.ssl.external.ciphers' and 'listener.ssl.external.psk_ciphers' cannot