test: fix mtls options

2023-12-12 20:48:31 +01:00 · 2023-12-12 20:48:31 +01:00 · dca72e0052
parent 8ee83ae05b
commit dca72e0052
4 changed files with 33 additions and 10 deletions
--- a/apps/emqx/test/emqx_broker_SUITE.erl
+++ b/apps/emqx/test/emqx_broker_SUITE.erl
@ -94,7 +94,7 @@ init_per_group(quic, Config) ->
    [
        {conn_fun, quic_connect},
        {port, emqx_config:get([listeners, quic, test, bind])},
-        {ssl_opts, emqx_common_test_helpers:client_ssl_twoway()},
+        {ssl_opts, emqx_common_test_helpers:client_mtls()},
        {ssl, true},
        {group_apps, Apps}
        | Config
--- a/apps/emqx/test/emqx_client_SUITE.erl
+++ b/apps/emqx/test/emqx_client_SUITE.erl
@ -395,7 +395,7 @@ t_peercert_preserved_before_connected(_) ->
        ?HP_HIGHEST
    ),
    ClientId = atom_to_binary(?FUNCTION_NAME),
-    SslConf = emqx_common_test_helpers:client_ssl_twoway(default),
+    SslConf = emqx_common_test_helpers:client_mtls(default),
    {ok, Client} = emqtt:start_link([
        {port, 8883},
        {clientid, ClientId},
@ -455,7 +455,7 @@ tls_certcn_as_clientid(TLSVsn) ->
 tls_certcn_as_clientid(TLSVsn, RequiredTLSVsn) ->
    CN = <<"Client">>,
    emqx_config:put_zone_conf(default, [mqtt, peer_cert_as_clientid], cn),
-    SslConf = emqx_common_test_helpers:client_ssl_twoway(TLSVsn),
+    SslConf = emqx_common_test_helpers:client_mtls(TLSVsn),
    {ok, Client} = emqtt:start_link([{port, 8883}, {ssl, true}, {ssl_opts, SslConf}]),
    {ok, _} = emqtt:connect(Client),
    #{clientinfo := #{clientid := CN}} = emqx_cm:get_chan_info(CN),
--- a/apps/emqx/test/emqx_common_test_helpers.erl
+++ b/apps/emqx/test/emqx_common_test_helpers.erl
@ -48,8 +48,10 @@
 -export([
    client_ssl/0,
    client_ssl/1,
-    client_ssl_twoway/0,
-    client_ssl_twoway/1,
+    client_mtls/0,
+    client_mtls/1,
+    ssl_verify_fun_allow_any_host/0,
+    ssl_verify_fun_allow_any_host_impl/3,
    ensure_mnesia_stopped/0,
    ensure_quic_listener/2,
    ensure_quic_listener/3,
@ -430,11 +432,11 @@ flush(Msgs) ->
    after 0 -> lists:reverse(Msgs)
    end.

-client_ssl_twoway() ->
-    client_ssl_twoway(default).
+client_mtls() ->
+    client_mtls(default).

-client_ssl_twoway(TLSVsn) ->
-    client_certs() ++ ciphers(TLSVsn).
+client_mtls(TLSVsn) ->
+    ssl_verify_fun_allow_any_host() ++ client_certs() ++ ciphers(TLSVsn).

 %% Paths prepended to cert filenames
 client_certs() ->
@ -1421,3 +1423,24 @@ group_path(Config) ->
        _:_ ->
            []
    end.
+
+%% almost verify_none equivalent, but only ignores 'hostname_check_failed'
+ssl_verify_fun_allow_any_host_impl(_Cert, Event, State) ->
+    case Event of
+        valid ->
+            {valid, State};
+        valid_peer ->
+            {valid, State};
+        {bad_cert, hostname_check_failed} ->
+            {valid, State};
+        {bad_cert, _} ->
+            {fail, Event};
+        {extension, _} ->
+            {unknown, State}
+    end.
+
+ssl_verify_fun_allow_any_host() ->
+    [
+        {verify, verify_peer},
+        {verify_fun, {fun ?MODULE:ssl_verify_fun_allow_any_host_impl/3, _State = #{}}}
+    ].
--- a/apps/emqx/test/emqx_persistent_session_SUITE.erl
+++ b/apps/emqx/test/emqx_persistent_session_SUITE.erl
@ -115,7 +115,7 @@ init_per_group(quic, Config) ->
    [
        {port, get_listener_port(quic, test)},
        {conn_fun, quic_connect},
-        {ssl_opts, emqx_common_test_helpers:client_ssl_twoway()},
+        {ssl_opts, emqx_common_test_helpers:client_mtls()},
        {ssl, true},
        {group_apps, Apps}
        | Config