diff --git a/etc/emqx.conf b/etc/emqx.conf
index 38f8bd198..9d26e7b46 100644
--- a/etc/emqx.conf
+++ b/etc/emqx.conf
@@ -1521,11 +1521,12 @@ listener.ssl.external.certfile = {{ platform_etc_dir }}/certs/cert.pem
 ## Value: File
 listener.ssl.external.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
 
-## Wheter to enable OCSP for the listener.
+## Whether to enable OCSP stapling for the listener. If set to true,
+## requires definining the OCSP responder URL.
 ##
 ## Value: boolean
 ## Default: false
-## listener.ssl.external.enable_ocsp = true
+## listener.ssl.external.enable_ocsp_stapling = true
 
 ## URL for the OCSP responder to check the server certificate against.
 ##
diff --git a/priv/emqx.schema b/priv/emqx.schema
index ffc5130a2..f1d68d4e8 100644
--- a/priv/emqx.schema
+++ b/priv/emqx.schema
@@ -1679,7 +1679,7 @@ end}.
 {datatype, {duration, ms}}
 ]}.
 
-{mapping, "listener.ssl.$name.enable_ocsp", "emqx.listeners", [
+{mapping, "listener.ssl.$name.enable_ocsp_stapling", "emqx.listeners", [
 {default, false},
 {datatype, {enum, [true, false]}}
 ]}.
@@ -2242,7 +2242,7 @@ end}.
 {supported_subprotocols, string:tokens(cuttlefish:conf_get(Prefix ++ ".supported_subprotocols", Conf, ""), ", ")},
 {peer_cert_as_username, cuttlefish:conf_get(Prefix ++ ".peer_cert_as_username", Conf, undefined)},
 {peer_cert_as_clientid, cuttlefish:conf_get(Prefix ++ ".peer_cert_as_clientid", Conf, undefined)},
- {ocsp_enabled, cuttlefish:conf_get(Prefix ++ ".enable_ocsp", Conf, undefined)},
+ {ocsp_stapling_enabled, cuttlefish:conf_get(Prefix ++ ".enable_ocsp_stapling", Conf, undefined)},
 {ocsp_responder_url, cuttlefish:conf_get(Prefix ++ ".ocsp_responder_url", Conf, undefined)},
 {ocsp_issuer_pem, cuttlefish:conf_get(Prefix ++ ".ocsp_issuer_pem", Conf, undefined)},
 {ocsp_refresh_interval, cuttlefish:conf_get(Prefix ++ ".ocsp_refresh_interval", Conf, undefined)},
diff --git a/src/emqx_ocsp_cache.erl b/src/emqx_ocsp_cache.erl
index 281614edb..3f339e7e8 100644
--- a/src/emqx_ocsp_cache.erl
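Review bot: The added comment line `+## requires definining the OCSP responder URL.` introduces a typo ("definining") in the same hunk that fixes "Wheter"; the line should read `## requires defining the OCSP responder URL.`. This text is shipped in the packaged emqx.conf, so it is worth correcting before it lands.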
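Review bot: The mapping key `listener.ssl.$name.enable_ocsp` is replaced outright by `listener.ssl.$name.enable_ocsp_stapling` with no deprecated alias for the old name, so an existing emqx.conf that sets `enable_ocsp = true` no longer reaches the listener option after an upgrade. Depending on how cuttlefish handles a key that no longer has a mapping, that is either a startup failure or, worse, a listener that silently comes up without OCSP stapling while the operator believes it is on. A compatibility mapping for the old key (or at minimum an upgrade note) would make the rename safe. The hunk at line 2242 and the emqx_ocsp_cache.erl hunks apply the rename consistently on the consumer side, so the only gap is the config-key migration.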
+++ b/src/emqx_ocsp_cache.erl
@@ -98,7 +98,7 @@ inject_sni_fun(Listener = #{proto := Proto, name := Name, opts := Options0}) ->
 %% because otherwise an anonymous function will end up in
 %% `app.*.config'...
 ListenerID = emqx_listeners:identifier(Listener),
- case proplists:get_bool(ocsp_enabled, Options0) of
+ case proplists:get_bool(ocsp_stapling_enabled, Options0) of
 false -> Options0;
 true ->
@@ -182,7 +182,7 @@ code_change(_Vsn, State, _Extra) ->
 lists:filter(
 fun(#{opts := Opts}) ->
 undefined =/= proplists:get_value(ocsp_responder_url, Opts) andalso
- false =/= proplists:get_bool(ocsp_enabled, Opts)
+ false =/= proplists:get_bool(ocsp_stapling_enabled, Opts)
 end,
 emqx:get_env(listeners, [])),
 PatchedListeners = [L#{opts => ?MODULE:inject_sni_fun(L)} || L <- ListenersToPatch],
diff --git a/test/emqx_ocsp_cache_SUITE.erl b/test/emqx_ocsp_cache_SUITE.erl
index ac2fd2b90..f85945fca 100644
--- a/test/emqx_ocsp_cache_SUITE.erl
+++ b/test/emqx_ocsp_cache_SUITE.erl
@@ -96,7 +96,7 @@ init_per_testcase(t_openssl_client, Config) ->
 , {cacertfile, CACert}
 ]),
 Opts1 = proplists:delete(ssl_options, Opts0),
- Opts2 = emqx_misc:merge_opts(Opts1, [ {ocsp_enabled, true}
+ Opts2 = emqx_misc:merge_opts(Opts1, [ {ocsp_stapling_enabled, true}
 , {ocsp_responder_url, "http://127.0.0.1:9877"}
 , {ocsp_issuer_pem, IssuerPem}
 , {ssl_options, SSLOpts2}]),
@@ -145,7 +145,7 @@ init_per_testcase(_TestCase, Config) ->
 , name => "test_ocsp"
 , opts => [ {ssl_options, [{certfile, filename:join(DataDir, "server.pem")}]}
- , {ocsp_enabled, true}
+ , {ocsp_stapling_enabled, true}
 , {ocsp_responder_url, "http://localhost:9877"}
 , {ocsp_issuer_pem, filename:join(DataDir, "ocsp-issuer.pem")}
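Review bot: `inject_sni_fun` gates the injection on `proplists:get_bool(ocsp_stapling_enabled, Options0)` alone, while the filter in the hunk at line 182 additionally requires `ocsp_responder_url` to be defined, and the emqx.conf comment in this commit states that enabling stapling requires the responder URL; a listener with the flag set but no URL therefore takes the `true ->` branch here yet is skipped by the other path. A shared predicate such as `is_ocsp_stapling_enabled(Opts) -> proplists:get_bool(ocsp_stapling_enabled, Opts) andalso undefined =/= proplists:get_value(ocsp_responder_url, Opts).` used at both sites would make the two agree and reject a misconfigured listener consistently. The remainder of `inject_sni_fun` lies outside this hunk, so it may already validate the URL further down.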
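Review bot: `false =/= proplists:get_bool(ocsp_stapling_enabled, Opts)` compares a value that `proplists:get_bool/2` already returns as a boolean; `proplists:get_bool(ocsp_stapling_enabled, Opts)` reads more directly and is what a reader expects in an `andalso` chain. The enclosing function begins outside this hunk.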