diff --git a/apps/emqx/test/emqx_broker_SUITE.erl b/apps/emqx/test/emqx_broker_SUITE.erl
index b416f1730..0325260ac 100644
--- a/apps/emqx/test/emqx_broker_SUITE.erl
+++ b/apps/emqx/test/emqx_broker_SUITE.erl
@@ -94,7 +94,7 @@ init_per_group(quic, Config) ->
 [
 {conn_fun, quic_connect},
 {port, emqx_config:get([listeners, quic, test, bind])},
- {ssl_opts, emqx_common_test_helpers:client_ssl_twoway()},
+ {ssl_opts, emqx_common_test_helpers:client_mtls()},
 {ssl, true},
 {group_apps, Apps}
 | Config
diff --git a/apps/emqx/test/emqx_client_SUITE.erl b/apps/emqx/test/emqx_client_SUITE.erl
index 7c2c18126..bb4ef0826 100644
--- a/apps/emqx/test/emqx_client_SUITE.erl
+++ b/apps/emqx/test/emqx_client_SUITE.erl
@@ -395,7 +395,7 @@ t_peercert_preserved_before_connected(_) ->
 ?HP_HIGHEST
 ),
 ClientId = atom_to_binary(?FUNCTION_NAME),
- SslConf = emqx_common_test_helpers:client_ssl_twoway(default),
+ SslConf = emqx_common_test_helpers:client_mtls(default),
 {ok, Client} = emqtt:start_link([
 {port, 8883},
 {clientid, ClientId},
@@ -455,7 +455,7 @@ tls_certcn_as_clientid(TLSVsn) ->
 tls_certcn_as_clientid(TLSVsn, RequiredTLSVsn) ->
 CN = <<"Client">>,
 emqx_config:put_zone_conf(default, [mqtt, peer_cert_as_clientid], cn),
- SslConf = emqx_common_test_helpers:client_ssl_twoway(TLSVsn),
+ SslConf = emqx_common_test_helpers:client_mtls(TLSVsn),
 {ok, Client} = emqtt:start_link([{port, 8883}, {ssl, true}, {ssl_opts, SslConf}]),
 {ok, _} = emqtt:connect(Client),
 #{clientinfo := #{clientid := CN}} = emqx_cm:get_chan_info(CN),
diff --git a/apps/emqx/test/emqx_common_test_helpers.erl b/apps/emqx/test/emqx_common_test_helpers.erl
index 6f2b05161..10ce3ad74 100644
--- a/apps/emqx/test/emqx_common_test_helpers.erl
+++ b/apps/emqx/test/emqx_common_test_helpers.erl
@@ -48,8 +48,10 @@ -export([ client_ssl/0, client_ssl/1, - client_ssl_twoway/0, - client_ssl_twoway/1, + client_mtls/0, + client_mtls/1, + ssl_verify_fun_allow_any_host/0, + ssl_verify_fun_allow_any_host_impl/3, ensure_mnesia_stopped/0, ensure_quic_listener/2, ensure_quic_listener/3, @@ -430,11 +432,11 @@ flush(Msgs) -> after 0 -> lists:reverse(Msgs) end. -client_ssl_twoway() -> - client_ssl_twoway(default). +client_mtls() -> + client_mtls(default). -client_ssl_twoway(TLSVsn) -> - client_certs() ++ ciphers(TLSVsn). +client_mtls(TLSVsn) -> + ssl_verify_fun_allow_any_host() ++ client_certs() ++ ciphers(TLSVsn). %% Paths prepended to cert filenames client_certs() -> @@ -1421,3 +1423,24 @@ group_path(Config) -> _:_ -> [] end. + +%% almost verify_none equivalent, but only ignores 'hostname_check_failed' +ssl_verify_fun_allow_any_host_impl(_Cert, Event, State) -> + case Event of + valid -> + {valid, State}; + valid_peer -> + {valid, State}; + {bad_cert, hostname_check_failed} -> + {valid, State}; + {bad_cert, _} -> + {fail, Event}; + {extension, _} -> + {unknown, State} + end. + +ssl_verify_fun_allow_any_host() -> + [ + {verify, verify_peer}, + {verify_fun, {fun ?MODULE:ssl_verify_fun_allow_any_host_impl/3, _State = #{}}} + ]. diff --git a/apps/emqx/test/emqx_persistent_session_SUITE.erl b/apps/emqx/test/emqx_persistent_session_SUITE.erl index b25c1c299..09cbf306d 100644 --- a/apps/emqx/test/emqx_persistent_session_SUITE.erl +++ b/apps/emqx/test/emqx_persistent_session_SUITE.erl @@ -115,7 +115,7 @@ init_per_group(quic, Config) -> [ {port, get_listener_port(quic, test)}, {conn_fun, quic_connect}, - {ssl_opts, emqx_common_test_helpers:client_ssl_twoway()}, + {ssl_opts, emqx_common_test_helpers:client_mtls()}, {ssl, true}, {group_apps, Apps} | Config
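Review bot: `client_mtls/1` is more than a rename: it now prepends `{verify, verify_peer}` and a fun-valued `verify_fun` to the options every former `client_ssl_twoway` caller receives, including the two `init_per_group(quic, Config)` clauses that hand the list to `quic_connect`. Whether the QUIC client path honours `verify_fun` is not visible in this diff; if it only reads `verify`, the hostname exception would not apply there, so that is worth confirming in the QUIC groups. `verify_peer` also depends on `client_certs()` returning a CA entry, and the body of that function lies outside the hunk. I would add a comment above the function, for example `%% Test-only: mutual TLS with chain validation; a hostname mismatch is tolerated.`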
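Review bot: The comment `almost verify_none equivalent` above `ssl_verify_fun_allow_any_host_impl/3` describes the callback as weaker than it is and may mislead someone reusing it. Paired with `{verify, verify_peer}` in `ssl_verify_fun_allow_any_host/0`, every `{bad_cert, _}` other than `hostname_check_failed` still returns `{fail, Event}`, so chain validation stays in force and only the name check is waived. I would reword it to `%% verify_peer with the hostname check waived; any other bad_cert still fails the handshake.` and add `%% Test helper only: accepts a certificate from a trusted CA for any host name.` As a style point, the `case Event of` body could be written as five function clauses matching on the second argument, which is the more usual Erlang shape for a dispatch like this.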