Merge remote-tracking branch 'origin/dev/v4.3.0' into resolve-conflict-v4.3.0-to-v5.0

.ci/compatibility_tests/docker-compose-pgsql-tls.yaml

@@ -24,9 +24,9 @@ services:
     image: emqx_pgsql:${PGSQL_TAG}
     restart: always
     environment:
-      POSTGRES_DB: postgres
+      POSTGRES_DB: mqtt
-      POSTGRES_USER: postgres
+      POSTGRES_USER: root
-      POSTGRES_PASSWORD: postgres
+      POSTGRES_PASSWORD: public
     ports:
       - "5432:5432"
     command:

.github/workflows/run_cts_tests.yaml

@@ -194,15 +194,9 @@ jobs:
         run: |
           docker-compose -f .ci/compatibility_tests/docker-compose-pgsql-tls.yaml build --no-cache
           docker-compose -f .ci/compatibility_tests/docker-compose-pgsql-tls.yaml up -d
-          if [ "$PGSQL_TAG" = "12" ] || [ "$PGSQL_TAG" = "13" ]; then
+          sed -i 's|^[#[:space:]]*auth.pgsql.username[ \t]*=.*|auth.pgsql.username = root|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
-              sed -i 's|^[#[:space:]]*auth.pgsql.ssl.tls_versions[ \t]*=.*|auth.pgsql.ssl.tls_versions = "tlsv1.3,tlsv1.2"|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
+          sed -i 's|^[#[:space:]]*auth.pgsql.password[ \t]*=.*|auth.pgsql.password = public|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
-          else
+          sed -i 's|^[#[:space:]]*auth.pgsql.database[ \t]*=.*|auth.pgsql.database = mqtt|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
-              sed -i 's|^[#[:space:]]*auth.pgsql.ssl.tls_versions[ \t]*=.*|auth.pgsql.ssl.tls_versions = "tlsv1.2,tlsv1.1"|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
-          fi
-
-          sed -i 's|^[#[:space:]]*auth.pgsql.username[ \t]*=.*|auth.pgsql.username = postgres|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
-          sed -i 's|^[#[:space:]]*auth.pgsql.password[ \t]*=.*|auth.pgsql.password = postgres|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
-          sed -i 's|^[#[:space:]]*auth.pgsql.database[ \t]*=.*|auth.pgsql.database = postgres|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
           sed -i 's|^[#[:space:]]*auth.pgsql.ssl.enable[ \t]*=.*|auth.pgsql.ssl.enable = on|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
           sed -i 's|^[#[:space:]]*auth.pgsql.cacertfile[ \t]*=.*|auth.pgsql.cacertfile = /emqx/apps/emqx_auth_pgsql/test/emqx_auth_pgsql_SUITE_data/root.crt|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
       - name: setup

.gitignore

@@ -41,5 +41,5 @@ tmp/
 _packages
 elvis
 emqx_dialyzer_*_plt
-apps/emqx_dashboard/priv/www
+*/emqx_dashboard/priv/www
 dist.zip

Makefile

@@ -2,6 +2,7 @@ REBAR_VERSION = 3.14.3-emqx-4
 DASHBOARD_VERSION = v4.3.0
 REBAR = $(CURDIR)/rebar3
 BUILD = $(CURDIR)/build
+export EMQX_ENTERPRISE=false
 export PKG_VSN ?= $(shell $(CURDIR)/pkg-vsn.sh)
 
 PROFILE ?= emqx

apps/emqx_auth_http/src/emqx_auth_http_app.erl

@@ -74,11 +74,10 @@ translate_env(EnvName) ->
                                                         (_) ->
                                                         true
                                                     end, [{keyfile, KeyFile}, {certfile, CertFile}, {cacertfile, CACertFile}]),
-                            TlsVers = ['tlsv1.2','tlsv1.1',tlsv1],
+                            NTLSOpts = [ {versions, emqx_tls_lib:default_versions()}
-                            NTLSOpts = [{versions, TlsVers},
+                                       , {ciphers, emqx_tls_lib:default_ciphers()}
-                                        {ciphers, lists:foldl(fun(TlsVer, Ciphers) ->
+                                       | TLSOpts
-                                                                    Ciphers ++ ssl:cipher_suites(all, TlsVer)
+                                       ],
-                                                                end, [], TlsVers)} | TLSOpts],
                             [{transport, ssl}, {transport_opts, [Inet | NTLSOpts]}]
                         end,
             PoolOpts = [{host, Host},

apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf

@@ -22,7 +22,7 @@ auth.pgsql.username = root
 ## PostgreSQL password.
 ##
 ## Value: String
-# auth.pgsql.password =
+#auth.pgsql.password =
 
 ## PostgreSQL database.
 ##
@@ -39,13 +39,13 @@ auth.pgsql.encoding = utf8
 ## Value: on | off
 auth.pgsql.ssl.enable = off
 
-## TLS version
+## TLS version.
-## You can configure multi-version use "," split,
-## default value is :tlsv1.2
-## Example:
-##    tlsv1.1,tlsv1.2,tlsv1.3
 ##
-#auth.pgsql.ssl.tls_versions = tlsv1.2
+## Available enum values:
+##    tlsv1.3,tlsv1.2,tlsv1.1,tlsv1
+##
+## Value: String, seperated by ','
+#auth.pgsql.ssl.tls_versions = tlsv1.3,tlsv1.2,tlsv1.1
 
 ## SSL keyfile.
 ##

apps/emqx_auth_pgsql/priv/emqx_auth_pgsql.schema

@@ -36,7 +36,7 @@
 ]}.
 
 {mapping, "auth.pgsql.ssl.tls_versions", "emqx_auth_pgsql.server", [
-  {default, "tlsv1.2"},
+  {default, "tlsv1.3,tlsv1.2,tlsv1.1"},
   {datatype, string}
 ]}.
 
@@ -92,9 +92,9 @@
   SslOpts = fun(Prefix) ->
                 Filter([{keyfile,    cuttlefish:conf_get(Prefix ++ ".keyfile", Conf, undefined)},
                         {certfile,   cuttlefish:conf_get(Prefix ++ ".certfile", Conf, undefined)},
-                        {cacertfile, cuttlefish:conf_get(Prefix ++ ".cacertfile", Conf, undefined),
+                        {cacertfile, cuttlefish:conf_get(Prefix ++ ".cacertfile", Conf, undefined)},
                         {versions, [list_to_existing_atom(Value)
-                                    ||Value <- string:tokens(cuttlefish:conf_get(Prefix ++ ".tls_versions", Conf), " ,")]}}])
+                                    || Value <- string:tokens(cuttlefish:conf_get(Prefix ++ ".tls_versions", Conf), " ,")]}])
             end,
 
   %% FIXME: compatible with 4.0-4.2 version format, plan to delete in 5.0

apps/emqx_bridge_mqtt/README.md

@@ -126,7 +126,7 @@ bridge.mqtt.emqx2.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-S
 bridge.mqtt.emqx2.keepalive = 60s
 
 ## Supported TLS version
-bridge.mqtt.emqx2.tls_versions = tlsv1.2,tlsv1.1,tlsv1
+bridge.mqtt.emqx2.tls_versions = tlsv1.3,tlsv1.2,tlsv1.1,tlsv1
 
 ## Forwarding topics of the message
 bridge.mqtt.emqx2.forwards = sensor1/#,sensor2/#

apps/emqx_bridge_mqtt/docs/guide.rst

@@ -133,9 +133,6 @@ EMQ X MQTT bridging principle: Create an MQTT client on the EMQ X broker, and co
    ## Key file of Client SSL connection 
    bridge.mqtt.emqx2.keyfile = etc/certs/client-key.pem
 
-   ## SSL encryption
-   bridge.mqtt.emqx2.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384
-
    ## TTLS PSK password
    ## Note 'listener.ssl.external.ciphers' and 'listener.ssl.external.psk_ciphers' cannot be configured at the same time
    ##
@@ -146,7 +143,10 @@ EMQ X MQTT bridging principle: Create an MQTT client on the EMQ X broker, and co
    bridge.mqtt.emqx2.keepalive = 60s
 
    ## Supported TLS version
-   bridge.mqtt.emqx2.tls_versions = tlsv1.2,tlsv1.1,tlsv1
+   bridge.mqtt.emqx2.tls_versions = tlsv1.2
+
+   ## SSL encryption
+   bridge.mqtt.emqx2.ciphers = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384
 
    ## Forwarding topics of the message
    bridge.mqtt.emqx2.forwards = sensor1/#,sensor2/#

apps/emqx_bridge_mqtt/etc/emqx_bridge_mqtt.conf

@@ -128,6 +128,7 @@ bridge.mqtt.aws.keepalive = 60s
 
 ## TLS versions used by the bridge.
 ##
+## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier
 ## Value: String
 bridge.mqtt.aws.tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"
 

apps/emqx_bridge_mqtt/priv/emqx_bridge_mqtt.schema

@@ -90,7 +90,7 @@
 
 {mapping, "bridge.mqtt.$name.tls_versions", "emqx_bridge_mqtt.bridges", [
   {datatype, string},
-  {default, "tlsv1,tlsv1.1,tlsv1.2"}
+  {default, "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"}
 ]}.
 
 {mapping, "bridge.mqtt.$name.reconnect_interval", "emqx_bridge_mqtt.bridges", [

apps/emqx_bridge_mqtt/src/emqx_bridge_mqtt_actions.erl

@@ -671,12 +671,6 @@ format_data([], Msg) ->
 format_data(Tokens, Msg) ->
     emqx_rule_utils:proc_tmpl(Tokens, Msg).
 
-tls_versions() ->
-    ['tlsv1.2','tlsv1.1', tlsv1].
-
-ciphers(Ciphers) ->
-    string:tokens(str(Ciphers), ", ").
-
 subscriptions(Subscriptions) ->
     scan_binary(<<"[", Subscriptions/binary, "].">>).
 
@@ -749,6 +743,8 @@ options(Options, PoolName) ->
                      Topic ->
                          [{subscriptions, [{Topic, Get(<<"qos">>)}]} | Subscriptions]
                  end,
+                 %% TODO check why only ciphers are configurable but not versions
+                 TlsVersions = emqx_tls_lib:default_versions(),
                  [{address, binary_to_list(Address)},
                   {bridge_mode, GetD(<<"bridge_mode">>, true)},
                   {clean_start, true},
@@ -761,12 +757,13 @@ options(Options, PoolName) ->
                   {proto_ver, mqtt_ver(Get(<<"proto_ver">>))},
                   {retry_interval, cuttlefish_duration:parse(str(GetD(<<"retry_interval">>, "30s")), s)},
                   {ssl, cuttlefish_flag:parse(str(Get(<<"ssl">>)))},
-                  {ssl_opts, [{versions, tls_versions()},
+                  {ssl_opts, [ {keyfile, str(Get(<<"keyfile">>))}
-                              {ciphers, ciphers(Get(<<"ciphers">>))},
+                             , {certfile, str(Get(<<"certfile">>))}
-                              {keyfile, str(Get(<<"keyfile">>))},
+                             , {cacertfile, str(Get(<<"cacertfile">>))}
-                              {certfile, str(Get(<<"certfile">>))},
+                             , {versions, TlsVersions}
-                              {cacertfile, str(Get(<<"cacertfile">>))}
+                             , {ciphers, emqx_tls_lib:integral_ciphers(TlsVersions, Get(<<"ciphers">>))}
-                             ]}] ++ Subscriptions1
+                             ]}
+                 ] ++ Subscriptions1
          end.
 
 

apps/emqx_coap/priv/emqx_coap.schema

@@ -75,10 +75,7 @@ end}.
   Ciphers =
       case cuttlefish:conf_get("coap.dtls.ciphers", Conf, undefined) of
           undefined ->
-              lists:foldl(
+              lists:append([ssl:cipher_suites(all, V, openssl) || V <- ['dtlsv1.2', 'dtlsv1']]);
-                  fun(TlsVer, Ciphers) ->
-                      Ciphers ++ ssl:cipher_suites(all, TlsVer)
-                  end, [], ['dtlsv1', 'dtlsv1.2']);
           C ->
               SplitFun(C)
       end,

apps/emqx_exproto/test/emqx_exproto_SUITE.erl

@@ -425,8 +425,8 @@ udp_opts() ->
 
 ssl_opts() ->
     Certs = certs("key.pem", "cert.pem", "cacert.pem"),
-    [{versions, ['tlsv1.2','tlsv1.1',tlsv1]},
+    [{versions, emqx_tls_lib:default_versions()},
-     {ciphers, ciphers('tlsv1.2')},
+     {ciphers, emqx_tls_lib:default_ciphers()},
      {verify, verify_peer},
      {fail_if_no_peer_cert, true},
      {secure_renegotiate, false},
@@ -437,9 +437,6 @@ dtls_opts() ->
     Opts = ssl_opts(),
     lists:keyreplace(versions, 1, Opts, {versions, ['dtlsv1.2', 'dtlsv1']}).
 
-ciphers(Version) ->
-    proplists:get_value(ciphers, emqx_ct_helpers:client_ssl(Version)).
-
 %%--------------------------------------------------------------------
 %% Client-Opts
 

apps/emqx_stomp/etc/emqx_stomp.conf

@@ -58,6 +58,7 @@ stomp.listener.max_connections = 512
 ## TLS versions only to protect from POODLE attack.
 ##
 ## Value: String, seperated by ','
+## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier
 ## stomp.listener.tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"
 
 ## SSL Handshake timeout.

apps/emqx_web_hook/src/emqx_web_hook_actions.erl

@@ -354,12 +354,11 @@ pool_opts(Params = #{<<"url">> := URL}) ->
                                                  (_) ->
                                                   true
                                               end, [{keyfile, KeyFile}, {certfile, CertFile}, {cacertfile, CACertFile}]),
-                       TlsVers = ['tlsv1.2', 'tlsv1.1', tlsv1],
+                       NTLSOpts = [ {verify, VerifyType}
-                       NTLSOpts = [{verify, VerifyType},
+                                  , {versions, emqx_tls_lib:default_versions()}
-                                   {versions, TlsVers},
+                                  , {ciphers, emqx_tls_lib:default_ciphers()}
-                                   {ciphers, lists:foldl(fun(TlsVer, Ciphers) ->
+                                  | TLSOpts
-                                                             Ciphers ++ ssl:cipher_suites(all, TlsVer)
+                                  ],
-                                                         end, [], TlsVers)} | TLSOpts],
                        [{transport, ssl}, {transport_opts, [Inet | NTLSOpts]}]
               end,
     [{host, Host},
@@ -397,4 +396,4 @@ test_http_connect(Conf) ->
         Err:Reason:ST ->
            ?LOG(error, "check http_connectivity failed: ~p, ~0p", [Conf, {Err, Reason, ST}]),
            false
-    end.
+    end.

apps/emqx_web_hook/src/emqx_web_hook_app.erl

@@ -75,12 +75,11 @@ translate_env() ->
                        TLSOpts = lists:filter(fun({_K, V}) ->
                                                 V /= <<>> andalso V /= undefined andalso V /= "" andalso true
                                               end, [{keyfile, KeyFile}, {certfile, CertFile}, {cacertfile, CACertFile}]),
-                       TlsVers = ['tlsv1.2','tlsv1.1',tlsv1],
+                       NTLSOpts = [ {verify, VerifyType}
-                       NTLSOpts = [{verify, VerifyType},
+                                  , {versions, emqx_tls_lib:default_versions()}
-                                   {versions, TlsVers},
+                                  , {ciphers, emqx_tls_lib:default_ciphers()}
-                                   {ciphers, lists:foldl(fun(TlsVer, Ciphers) ->
+                                  | TLSOpts
-                                                               Ciphers ++ ssl:cipher_suites(all, TlsVer)
+                                  ],
-                                                           end, [], TlsVers)} | TLSOpts],
                        [{transport, ssl}, {transport_opts, [Inet | NTLSOpts]}]
                 end,
     PoolOpts = [{host, Host},
@@ -114,4 +113,4 @@ parse_host(Host) ->
                 {ok, _} -> {inet6, Host};
                 {error, _} -> {inet, Host}
             end
-    end.
+    end.

elvis.config

@@ -5,7 +5,7 @@
    [
     {config,
      [
-      #{dirs => ["apps/**/src", "src"],
+      #{dirs => ["src", "apps/**/src", "lib-opensource/**/src"],
         filter => "*.erl",
         ruleset => erl_files,
         rules => [
@@ -16,7 +16,7 @@
                                                                ]}}
            ]
         },
-      #{dirs => ["apps/**/test", "test"],
+      #{dirs => ["test", "apps/**/test", "lib-opensource/**/src"],
         filter => "*.erl",
         rules => [
            {elvis_text_style, line_length, #{ limit => 100

etc/emqx.conf

@@ -1317,7 +1317,8 @@ listener.ssl.external.access.1 = "allow all"
 ## See: http://erlang.org/doc/man/ssl.html
 ##
 ## Value: String, seperated by ','
-## listener.ssl.external.tls_versions = "tlsv1.2,tlsv1.1,tlsv1"
+## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier
+## listener.ssl.external.tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"
 
 ## TLS Handshake timeout.
 ##
@@ -1784,7 +1785,7 @@ listener.wss.external.access.1 = "allow all"
 ## Supported subprotocols
 ##
 ## Default: mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5
-## listener.ws.external.supported_protocols = mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5
+## listener.wss.external.supported_protocols = mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5
 
 ## Enable the Proxy Protocol V1/2 support.
 ##
@@ -1805,7 +1806,8 @@ listener.wss.external.access.1 = "allow all"
 ## See: listener.ssl.$name.tls_versions
 ##
 ## Value: String, seperated by ','
-## listener.wss.external.tls_versions = "tlsv1.2,tlsv1.1,tlsv1"
+## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier
+## listener.wss.external.tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"
 
 ## Path to the file containing the user's private PEM-encoded key.
 ##

get-dashboard.sh

@@ -1,6 +1,5 @@
-#!/bin/sh
+#!/bin/bash
 
-#set -euo pipefail
 set -eu
 
 VERSION="$1"
@@ -10,7 +9,11 @@ cd -P -- "$(dirname -- "$0")"
 
 DOWNLOAD_URL='https://github.com/emqx/emqx-dashboard-frontend/releases/download'
 
-DASHBOARD_PATH='apps/emqx_dashboard/priv'
+if [ "$EMQX_ENTERPRISE" = 'true' ] || [ "$EMQX_ENTERPRISE" == '1' ]; then
+    DASHBOARD_PATH='lib-enterprise/emqx_dashboard/priv'
+else
+    DASHBOARD_PATH='lib-opensource/emqx_dashboard/priv'
+fi
 
 case $(uname) in
     *Darwin*) SED="sed -E";;

lib-opensource/emqx_dashboard/etc/emqx_dashboard.conf

@@ -105,7 +105,8 @@ dashboard.listener.http.ipv6_v6only = false
 ## TLS versions only to protect from POODLE attack.
 ##
 ## Value: String, seperated by ','
-## dashboard.listener.https.tls_versions = "tlsv1.2,tlsv1.1,tlsv1"
+## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier
+## dashboard.listener.https.tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"
 
 ## See: 'listener.ssl.<name>.ciphers' in emq.conf
 ##

lib-opensource/emqx_management/etc/emqx_management.conf

@@ -45,6 +45,7 @@ management.listener.http.ipv6_v6only = false
 ## management.listener.https.keyfile = "etc/certs/key.pem"
 ## management.listener.https.cacertfile = "etc/certs/cacert.pem"
 ## management.listener.https.verify = verify_peer
+## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier
 ## management.listener.https.tls_versions = "tlsv1.3,tlsv1.2,tlsv1.1,tlsv1"
 ## management.listener.https.ciphers = "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256,TLS_AES_128_CCM_8_SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA"
 ## management.listener.https.fail_if_no_peer_cert = true