yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: default config should specify `cacert` file (4.3) 

The default configuration had the `cacert` option for the
`ssl.external` listener commented out.  If one is to set `verify =
verify_peer` in that listener without noticing that `cacert` is
unspecified, all connections will fail with:

```
2022-07-11T11:48:28.540807-03:00 [error] supervisor: 'esockd_connection_sup - <0.3971.0>', errorContext: connection_shutdown, reason: {ssl_error,{options,{cacertfile,[]}}}, offender: [{pid,<0.8225.13>},{name,connection},{mfargs,{emqx_connection,start_link,[[{deflate_options,[]},{max_conn_rate,10000},{active_n,100},{zone,external},{proxy_address_header,<<>>},{proxy_port_header,<<>>},{supported_subprotocols,[]}]]}}]
```
This commit is contained in:
Thales Macedo Garitezi 2022-07-11 11:50:20 -03:00
parent 419ab97e72
commit bc132a4275
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
etc/emqx.conf
View File

@ -1472,7 +1472,7 @@ listener.ssl.external.certfile = {{ platform_etc_dir }}/certs/cert.pem
## are used during server authentication and when building the client certificate chain. ## are used during server authentication and when building the client certificate chain.
## ##
## Value: File ## Value: File
## listener.ssl.external.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem listener.ssl.external.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
## The Ephemeral Diffie-Helman key exchange is a very effective way of ## The Ephemeral Diffie-Helman key exchange is a very effective way of
## ensuring Forward Secrecy by exchanging a set of keys that never hit ## ensuring Forward Secrecy by exchanging a set of keys that never hit