From 0c7bbf9e64db9305beb058d3b52c3151f4053b23 Mon Sep 17 00:00:00 2001
From: JimMoen
Date: Tue, 26 Apr 2022 09:17:15 +0800
Subject: [PATCH 1/4] revert: ssl option should not provide default cert file
revert commit 3b9b12fe36a9b68b36cfbf7b6e9a4d484263563d in PR#7527
---
 apps/emqx/src/emqx_schema.erl | 18 ++----------------
 1 file changed, 2 insertions(+), 16 deletions(-)
diff --git a/apps/emqx/src/emqx_schema.erl b/apps/emqx/src/emqx_schema.erl
index 471670beb..f8c4ad335 100644
--- a/apps/emqx/src/emqx_schema.erl
+++ b/apps/emqx/src/emqx_schema.erl
@@ -1824,13 +1824,7 @@ common_ssl_opts_schema(Defaults) ->
 %% @doc Make schema for SSL listener options.
 %% When it's for ranch listener, an extra field `handshake_timeout' is added.
 -spec server_ssl_opts_schema(map(), boolean()) -> hocon_schema:field_schema().
-server_ssl_opts_schema(Defaults1, IsRanchListener) ->
- Defaults0 = #{
- cacertfile => emqx:cert_file("cacert.pem"),
- certfile => emqx:cert_file("cert.pem"),
- keyfile => emqx:cert_file("key.pem")
- },
- Defaults = maps:merge(Defaults0, Defaults1),
+server_ssl_opts_schema(Defaults, IsRanchListener) ->
 D = fun(Field) -> maps:get(to_atom(Field), Defaults, undefined) end,
 Df = fun(Field, Default) -> maps:get(to_atom(Field), Defaults, Default) end,
 common_ssl_opts_schema(Defaults) ++
@@ -1883,15 +1877,7 @@ server_ssl_opts_schema(Defaults1, IsRanchListener) ->
 %% @doc Make schema for SSL client.
 -spec client_ssl_opts_schema(map()) -> hocon_schema:field_schema().
-client_ssl_opts_schema(Defaults1) ->
- %% assert
- true = lists:all(fun(K) -> is_atom(K) end, maps:keys(Defaults1)),
- Defaults0 = #{
- cacertfile => emqx:cert_file("cacert.pem"),
- certfile => emqx:cert_file("client-cert.pem"),
- keyfile => emqx:cert_file("client-key.pem")
- },
- Defaults = maps:merge(Defaults0, Defaults1),
+client_ssl_opts_schema(Defaults) ->
 common_ssl_opts_schema(Defaults) ++
 [
 {"server_name_indication",
From e5d4e272b2e1418c66ff246268e333ab88ef9da2 Mon Sep 17 00:00:00 2001
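Review bot: The `%% @doc` above `server_ssl_opts_schema/2` still reads as if the schema were self-contained, but after this hunk `D(certfile)` and `D(keyfile)` yield `undefined` whenever the caller's `Defaults` map omits them, where previously the bundled `cert.pem`/`key.pem` from `emqx:cert_file/1` were merged in underneath. That silent fallback onto a key that ships with every install is presumably what the revert is removing, and the doc comment should say so, so nobody re-adds it as a convenience: `%% No certificate paths are defaulted here; cacertfile/certfile/keyfile must come from the caller-supplied Defaults or from user config.` The rest of the function body continues outside the hunk.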
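Review bot: The `true = lists:all(fun(K) -> is_atom(K) end, maps:keys(Defaults1))` assertion in `client_ssl_opts_schema/1` is dropped together with the default-cert merge, but it guarded something the revert does not touch: a caller passing string or binary keys would otherwise be looked up through `maps:get(to_atom(Field), Defaults, ...)` (the `D`/`Df` shape visible in the first hunk) and silently miss. Keep the check on the renamed parameter as the first line of the body, `true = lists:all(fun erlang:is_atom/1, maps:keys(Defaults)),`. Whether `client_ssl_opts_schema/1` itself performs such lookups is outside the hunk, so confirm before re-adding; the function body continues past the hunk either way.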
From: JimMoen
Date: Tue, 26 Apr 2022 21:50:21 +0800
Subject: [PATCH 2/4] fix(ssl): sni option should be atom
---
 apps/emqx/src/emqx_tls_lib.erl | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/apps/emqx/src/emqx_tls_lib.erl b/apps/emqx/src/emqx_tls_lib.erl
index 9f0c80be2..5f7c895cf 100644
--- a/apps/emqx/src/emqx_tls_lib.erl
+++ b/apps/emqx/src/emqx_tls_lib.erl
@@ -476,7 +476,7 @@ to_client_opts(Opts) ->
 CertFile = ensure_str(Get(certfile)),
 CAFile = ensure_str(Get(cacertfile)),
 Verify = GetD(verify, verify_none),
- SNI = ensure_str(Get(server_name_indication)),
+ SNI = ensure_sni(Get(server_name_indication)),
 Versions = integral_versions(Get(versions)),
 Ciphers = integral_ciphers(Versions, Get(ciphers)),
 filter([
@@ -505,6 +505,11 @@ fuzzy_map_get(Key, Options, Default) ->
 Default
 end.
+ensure_sni(disable) -> disable;
+ensure_sni(undefined) -> undefined;
+ensure_sni(L) when is_list(L) -> L;
+ensure_sni(B) when is_binary(B) -> unicode:characters_to_list(B, utf8).
 ensure_str(undefined) -> undefined;
 ensure_str(L) when is_list(L) -> L;
 ensure_str(B) when is_binary(B) -> unicode:characters_to_list(B, utf8).
From 4f9b42a2506b51a0c17d1f90ec1712030df56d88 Mon Sep 17 00:00:00 2001
From: JimMoen
Date: Thu, 28 Apr 2022 09:45:18 +0800
Subject: [PATCH 3/4] style: make erlfmt happy
---
 apps/emqx_prometheus/test/emqx_prometheus_SUITE.erl | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/apps/emqx_prometheus/test/emqx_prometheus_SUITE.erl b/apps/emqx_prometheus/test/emqx_prometheus_SUITE.erl
index 03e8d6d78..16590b114 100644
--- a/apps/emqx_prometheus/test/emqx_prometheus_SUITE.erl
+++ b/apps/emqx_prometheus/test/emqx_prometheus_SUITE.erl
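Review bot: `ensure_sni/1` repeats three of `ensure_str/1`'s clauses verbatim; the only new behaviour is letting `disable` through, so `ensure_sni(disable) -> disable;` followed by `ensure_sni(Other) -> ensure_str(Other).` expresses that in two lines and keeps the two converters from drifting apart. As written, a binary `<<"disable">>` is still turned into the hostname string `"disable"` rather than the atom, which is worth either a clause or a comment if the schema for `server_name_indication` can deliver the value as a string. Since, as I read OTP's ssl client options, `disable` suppresses both the SNI extension and hostname matching of the peer certificate, a comment such as `%% disable skips the SNI extension and hostname verification; with verify_peer only the chain is then checked` above the function would help readers of `to_client_opts/1`, whose body continues outside the first hunk.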
@@ -22,14 +22,14 @@
 -compile(export_all).
 -define(CLUSTER_RPC_SHARD, emqx_cluster_rpc_shard).
--define(CONF_DEFAULT,
- <<"\n"
+-define(CONF_DEFAULT, <<
+ "\n"
 "prometheus {\n"
 " push_gateway_server = \"http://127.0.0.1:9091\"\n"
 " interval = \"1s\"\n"
 " enable = true\n"
- "}\n">>
-).
+ "}\n"
+>>).
 %%--------------------------------------------------------------------
 %% Setups
From 2c95fba4df1264a9968e799c8d8488eda99a1e02 Mon Sep 17 00:00:00 2001
From: Zhongwen Deng
Date: Thu, 28 Apr 2022 09:55:51 +0800
Subject: [PATCH 4/4] fix: api_listener min TLS ct fail
---
 .../test/emqx_mgmt_api_listeners_SUITE.erl | 44 ++++++++++++++-----
 1 file changed, 33 insertions(+), 11 deletions(-)
diff --git a/apps/emqx_management/test/emqx_mgmt_api_listeners_SUITE.erl b/apps/emqx_management/test/emqx_mgmt_api_listeners_SUITE.erl
index 169a272e3..29adfc302 100644
--- a/apps/emqx_management/test/emqx_mgmt_api_listeners_SUITE.erl
+++ b/apps/emqx_management/test/emqx_mgmt_api_listeners_SUITE.erl
@@ -72,19 +72,19 @@ t_wss_crud_listeners_by_id(_) ->
 crud_listeners_by_id(ListenerId, NewListenerId, MinListenerId, BadId, Type).
 crud_listeners_by_id(ListenerId, NewListenerId, MinListenerId, BadId, Type) ->
- TcpPath = emqx_mgmt_api_test_util:api_path(["listeners", ListenerId]),
+ OriginPath = emqx_mgmt_api_test_util:api_path(["listeners", ListenerId]),
 NewPath = emqx_mgmt_api_test_util:api_path(["listeners", NewListenerId]),
- TcpListener = request(get, TcpPath, [], []),
+ OriginListener = request(get, OriginPath, [], []),
 %% create with full options
 ?assertEqual({error, not_found}, is_running(NewListenerId)),
 ?assertMatch({error, {"HTTP/1.1", 404, _}}, request(get, NewPath, [], [])),
- NewConf = TcpListener#{
+ NewConf = OriginListener#{
 <<"id">> => NewListenerId,
 <<"bind">> => <<"0.0.0.0:2883">>
 },
 Create = request(post, NewPath, [], NewConf),
- ?assertEqual(lists:sort(maps:keys(TcpListener)), lists:sort(maps:keys(Create))),
+ ?assertEqual(lists:sort(maps:keys(OriginListener)), lists:sort(maps:keys(Create))),
 Get1 = request(get, NewPath, [], []),
 ?assertMatch(Create, Get1),
 ?assert(is_running(NewListenerId)),
@@ -93,20 +93,42 @@ crud_listeners_by_id(ListenerId, NewListenerId, MinListenerId, BadId, Type) ->
 MinPath = emqx_mgmt_api_test_util:api_path(["listeners", MinListenerId]),
 ?assertEqual({error, not_found}, is_running(MinListenerId)),
 ?assertMatch({error, {"HTTP/1.1", 404, _}}, request(get, MinPath, [], [])),
- MinConf = #{
- <<"id">> => MinListenerId,
- <<"bind">> => <<"0.0.0.0:3883">>,
- <<"type">> => Type
- },
+ MinConf =
+ case OriginListener of
+ #{
+ <<"ssl">> :=
+ #{
+ <<"cacertfile">> := CaCertFile,
+ <<"certfile">> := CertFile,
+ <<"keyfile">> := KeyFile
+ }
+ } ->
+ #{
+ <<"id">> => MinListenerId,
+ <<"bind">> => <<"0.0.0.0:3883">>,
+ <<"type">> => Type,
+ <<"ssl">> => #{
+ <<"cacertfile">> => CaCertFile,
+ <<"certfile">> => CertFile,
+ <<"keyfile">> => KeyFile
+ }
+ };
+ _ ->
+ #{
+ <<"id">> => MinListenerId,
+ <<"bind">> => <<"0.0.0.0:3883">>,
+ <<"type">> => Type
+ }
+ end,
 MinCreate = request(post, MinPath, [], MinConf),
- ?assertEqual(lists:sort(maps:keys(TcpListener)), lists:sort(maps:keys(MinCreate))),
+ ?assertEqual(lists:sort(maps:keys(OriginListener)), lists:sort(maps:keys(MinCreate))),
 MinGet = request(get, MinPath, [], []),
 ?assertMatch(MinCreate, MinGet),
 ?assert(is_running(MinListenerId)),
 %% bad create(same port)
 BadPath = emqx_mgmt_api_test_util:api_path(["listeners", BadId]),
- BadConf = TcpListener#{
+ BadConf = OriginListener#{
 <<"id">> => BadId,
 <<"bind">> => <<"0.0.0.0:2883">>
 },
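Review bot: Both branches of the new `MinConf` case build the same `id`/`bind`/`type` map and differ only in whether an `ssl` section is attached, and the pattern binds three variables solely to copy them into a fresh map. Building the base map once and narrowing the origin listener's `ssl` section with `maps:with/2` keeps the list of the three file keys in one place and makes the intent — "minimal config is the origin's certificate paths and nothing else" — readable at a glance. The three-key match is kept in the pattern so the fallback branch still fires when any of them is absent, exactly as the original does. `crud_listeners_by_id/5` continues past the end of the hunk.
```erlang
    BaseConf = #{
        <<"id">> => MinListenerId,
        <<"bind">> => <<"0.0.0.0:3883">>,
        <<"type">> => Type
    },
    CertKeys = [<<"cacertfile">>, <<"certfile">>, <<"keyfile">>],
    MinConf =
        case OriginListener of
            #{<<"ssl">> := #{<<"cacertfile">> := _, <<"certfile">> := _, <<"keyfile">> := _} = Ssl} ->
                BaseConf#{<<"ssl">> => maps:with(CertKeys, Ssl)};
            _ ->
                BaseConf
        end,
    %% … unchanged: MinCreate request and the assertions that follow …
```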