emqx/changes/ee/feat-13211.en.md

Enhance TLS listener to support more flexible TLS verifications.

• partial_chain support

  If the option partial_chain is set to true, allow connections with incomplete certificate chains.

  Check the configuration manual document for more details.

• Certificate KeyUsage Validation

  Added support for required Extended Key Usage defined in rfc5280.

  Introduced a new option (verify_peer_ext_key_usage) to require specific key usages (like "serverAuth") in peer certificates during the TLS handshake. This strengthens security by ensuring certificates are used for their intended purposes.

  example: "serverAuth,OID:1.3.6.1.5.5.7.3.2"

  Check the configuration manual document for more details.