Merge pull request #11456 from zhongwencool/allow-empty-cacertfile-pem
fix: allow empty cacertfile pem
zhongwencool committed Aug 16, 2023
2 parents 82f27ea + 960944f commit e406cd7
Showing 4 changed files with 38 additions and 16 deletions.
30 changes: 15 additions & 15 deletions apps/emqx/src/emqx_schema.erl
Expand Up @@ -2001,8 +2001,8 @@ filter(Opts) ->
%% SSL listener and client.
-spec common_ssl_opts_schema(map(), server | client) -> hocon_schema:field_schema().
common_ssl_opts_schema(Defaults, Type) ->
D = fun(Field) -> maps:get(to_atom(Field), Defaults, undefined) end,
Df = fun(Field, Default) -> maps:get(to_atom(Field), Defaults, Default) end,
D = fun(Field) -> maps:get(Field, Defaults, undefined) end,
Df = fun(Field, Default) -> maps:get(Field, Defaults, Default) end,
Collection = maps:get(versions, Defaults, tls_all_available),
DefaultVersions = default_tls_vsns(Collection),
[
Expand Down Expand Up @@ -2045,23 +2045,23 @@ common_ssl_opts_schema(Defaults, Type) ->
sc(
hoconsc:enum([verify_peer, verify_none]),
#{
default => Df("verify", verify_none),
default => Df(verify, verify_none),
desc => ?DESC(common_ssl_opts_schema_verify)
}
)},
{"reuse_sessions",
sc(
boolean(),
#{
default => Df("reuse_sessions", true),
default => Df(reuse_sessions, true),
desc => ?DESC(common_ssl_opts_schema_reuse_sessions)
}
)},
{"depth",
sc(
non_neg_integer(),
#{
default => Df("depth", 10),
default => Df(depth, 10),
desc => ?DESC(common_ssl_opts_schema_depth)
}
)},
Expand All @@ -2088,7 +2088,7 @@ common_ssl_opts_schema(Defaults, Type) ->
validator => fun(Input) -> validate_tls_versions(Collection, Input) end
}
)},
{"ciphers", ciphers_schema(D("ciphers"))},
{"ciphers", ciphers_schema(D(ciphers))},
{"user_lookup_fun",
sc(
typerefl:alias("string", any()),
Expand All @@ -2103,7 +2103,7 @@ common_ssl_opts_schema(Defaults, Type) ->
sc(
boolean(),
#{
default => Df("secure_renegotiate", true),
default => Df(secure_renegotiate, true),
desc => ?DESC(common_ssl_opts_schema_secure_renegotiate)
}
)},
Expand All @@ -2123,7 +2123,7 @@ common_ssl_opts_schema(Defaults, Type) ->
sc(
duration(),
#{
default => Df("hibernate_after", <<"5s">>),
default => Df(hibernate_after, <<"5s">>),
desc => ?DESC(common_ssl_opts_schema_hibernate_after)
}
)}
Expand All @@ -2132,15 +2132,15 @@ common_ssl_opts_schema(Defaults, Type) ->
%% @doc Make schema for SSL listener options.
-spec server_ssl_opts_schema(map(), boolean()) -> hocon_schema:field_schema().
server_ssl_opts_schema(Defaults, IsRanchListener) ->
D = fun(Field) -> maps:get(to_atom(Field), Defaults, undefined) end,
Df = fun(Field, Default) -> maps:get(to_atom(Field), Defaults, Default) end,
D = fun(Field) -> maps:get(Field, Defaults, undefined) end,
Df = fun(Field, Default) -> maps:get(Field, Defaults, Default) end,
common_ssl_opts_schema(Defaults, server) ++
[
{"dhfile",
sc(
string(),
#{
default => D("dhfile"),
default => D(dhfile),
required => false,
desc => ?DESC(server_ssl_opts_schema_dhfile)
}
Expand All @@ -2149,31 +2149,31 @@ server_ssl_opts_schema(Defaults, IsRanchListener) ->
sc(
boolean(),
#{
default => Df("fail_if_no_peer_cert", false),
default => Df(fail_if_no_peer_cert, false),
desc => ?DESC(server_ssl_opts_schema_fail_if_no_peer_cert)
}
)},
{"honor_cipher_order",
sc(
boolean(),
#{
default => Df("honor_cipher_order", true),
default => Df(honor_cipher_order, true),
desc => ?DESC(server_ssl_opts_schema_honor_cipher_order)
}
)},
{"client_renegotiation",
sc(
boolean(),
#{
default => Df("client_renegotiation", true),
default => Df(client_renegotiation, true),
desc => ?DESC(server_ssl_opts_schema_client_renegotiation)
}
)},
{"handshake_timeout",
sc(
duration(),
#{
default => Df("handshake_timeout", <<"15s">>),
default => Df(handshake_timeout, <<"15s">>),
desc => ?DESC(server_ssl_opts_schema_handshake_timeout)
}
)}
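Review bot: The default lookups `D = fun(Field) -> maps:get(Field, Defaults, undefined) end` and `Df = fun(Field, Default) -> maps:get(Field, Defaults, Default) end` now require atom keys in `Defaults`, yet both `-spec`s still declare the argument as a bare `map()`; a caller that still supplies binary or string keys would silently receive the hard-coded fallback instead of its own default. Tightening the specs to `-spec common_ssl_opts_schema(#{atom() => term()}, server | client) -> hocon_schema:field_schema().` and `-spec server_ssl_opts_schema(#{atom() => term()}, boolean()) -> hocon_schema:field_schema().` lets Dialyzer surface such call sites. The same applies to the `D`/`Df` funs in `server_ssl_opts_schema/2` further down the section. If `to_atom/1` has no remaining callers after this change it could be removed too; its definition is outside the hunks shown.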
9 changes: 9 additions & 0 deletions apps/emqx/src/emqx_tls_lib.erl
Expand Up @@ -62,6 +62,8 @@
[ocsp, issuer_pem]
]).

-define(ALLOW_EMPTY_PEM, [[<<"cacertfile">>], [cacertfile]]).

%% non-empty string
-define(IS_STRING(L), (is_list(L) andalso L =/= [] andalso is_integer(hd(L)))).
%% non-empty list of strings
Expand Down Expand Up @@ -330,6 +332,13 @@ ensure_ssl_files_per_key(Dir, SSL, [KeyPath | KeyPaths], Opts) ->

ensure_ssl_file(_Dir, _KeyPath, SSL, undefined, _Opts) ->
{ok, SSL};
ensure_ssl_file(_Dir, KeyPath, SSL, MaybePem, _Opts) when
MaybePem =:= "" orelse MaybePem =:= <<"">>
->
case lists:member(KeyPath, ?ALLOW_EMPTY_PEM) of
true -> {ok, SSL};
false -> {error, #{reason => pem_file_path_or_string_is_required}}
end;
ensure_ssl_file(Dir, KeyPath, SSL, MaybePem, Opts) ->
case is_valid_string(MaybePem) of
true ->
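Review bot: The new empty-PEM clause returns `{ok, SSL}` with the empty `cacertfile` value still present in the map, so whatever later converts this map into `ssl` options will still see `cacertfile => <<>>` unless it filters empty values itself; that conversion is outside the hunk, so it is worth confirming an empty path is never handed to `ssl`. From a security standpoint an empty CA file means the listener or client has no trust anchor, so `verify_peer` has nothing to chain the peer certificate to; that is presumably intended for the `verify_none` case but should be stated on the macro, e.g. `%% Key paths whose PEM value may be empty. An empty cacertfile means no CA trust anchor is configured, which only makes sense together with verify_none.` The guard matches only `""` and `<<"">>`, so whitespace-only values still fall through to the `is_valid_string/1` path, consistent with the previous behaviour. The enclosing `ensure_ssl_file/5` continues past the hunk.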
13 changes: 12 additions & 1 deletion apps/emqx/test/emqx_tls_lib_tests.erl
Expand Up @@ -113,11 +113,22 @@ ssl_files_failure_test_() ->
})
)
end},
{"empty_cacertfile", fun() ->
?assertMatch(
{ok, _},
emqx_tls_lib:ensure_ssl_files("/tmp", #{
<<"keyfile">> => test_key(),
<<"certfile">> => test_key(),
<<"cacertfile">> => <<"">>
})
)
end},
{"bad_pem_string", fun() ->
%% empty string
?assertMatch(
{error, #{
reason := invalid_file_path_or_pem_string, which_options := [[<<"keyfile">>]]
reason := pem_file_path_or_string_is_required,
which_options := [[<<"keyfile">>]]
}},
emqx_tls_lib:ensure_ssl_files("/tmp", #{
<<"keyfile">> => <<>>,
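Review bot: The new `empty_cacertfile` case covers only the binary form of the empty value and the binary key path, while the guard in `ensure_ssl_file/5` also accepts `""` and the `[cacertfile]` key path, which stay untested here. A sibling assertion with `<<"cacertfile">> => ""` (and, if the atom-key form is reachable through `ensure_ssl_files/2`, one with `cacertfile => <<"">>`) would pin both branches of the guard. The `{ok, _}` pattern could also be tightened to assert what the returned map contains for `cacertfile`, since the success path returns the input map unchanged. The enclosing `ssl_files_failure_test_/0` generator continues past the hunk.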
2 changes: 2 additions & 0 deletions changes/ce/fix-11456.en.md
@@ -0,0 +1,2 @@
Removed validation that enforced non-empty PEM for CA cert file.
CA certificate file PEM can now be empty.
