fix(ssl): verify ciphers list against all available ciphers

Prior to this change the ciphers are only checked against
the list returned from from
`ssl:cipher_suites(all, 'tlsv1.2', openssl)`
which may cause some (weak) ciphers missing in certain
otp + openssl installation

apps/emqx/src/emqx_schema.erl

@@ -1290,10 +1290,7 @@ parse_user_lookup_fun(StrConf) ->
     {fun Mod:Fun/3, undefined}.
 
 validate_ciphers(Ciphers) ->
-    All = case is_tlsv13_available() of
+    All = emqx_tls_lib:all_ciphers(),
-              true -> ssl:cipher_suites(all, 'tlsv1.3', openssl);
-              false -> []
-          end ++ ssl:cipher_suites(all, 'tlsv1.2', openssl),
     case lists:filter(fun(Cipher) -> not lists:member(Cipher, All) end, Ciphers) of
         [] -> ok;
         Bad -> {error, {bad_ciphers, Bad}}
@@ -1306,6 +1303,3 @@ validate_tls_versions(Versions) ->
         [] -> ok;
         Vs -> {error, {unsupported_ssl_versions, Vs}}
     end.
-
-is_tlsv13_available() ->
-    lists:member('tlsv1.3', proplists:get_value(available, ssl:versions())).

apps/emqx/src/emqx_tls_lib.erl

@@ -22,6 +22,7 @@
         , selected_ciphers/1
         , integral_ciphers/2
         , drop_tls13_for_old_otp/1
+        , all_ciphers/0
         ]).
 
 %% non-empty string
@@ -59,6 +60,9 @@ integral_versions(Desired) ->
             Filtered
     end.
 
+%% @doc Return a list of all supported ciphers.
+all_ciphers() -> all_ciphers(default_versions()).
+
 %% @doc Return a list of (openssl string format) cipher suites.
 -spec all_ciphers([ssl:tls_version()]) -> [string()].
 all_ciphers(['tlsv1.3']) ->
@@ -212,8 +216,6 @@ drop_tls13(SslOpts0) ->
 -ifdef(TEST).
 -include_lib("eunit/include/eunit.hrl").
 
-all_ciphers() -> all_ciphers(default_versions()).
-
 drop_tls13_test() ->
     Versions = default_versions(),
     ?assert(lists:member('tlsv1.3', Versions)),