
feat(quic): support mTLS with 'verify' and 'cacertfile'

William Yang 3 лет назад
Родитель
Сommit
04f502fb54
2 измененных файлов с 33 добавлено и 12 удалено
  1. 16 11
      apps/emqx/src/emqx_listeners.erl
  2. 17 1
      apps/emqx/src/emqx_schema.erl

+ 16 - 11
apps/emqx/src/emqx_listeners.erl

@@ -370,17 +370,22 @@ do_start_listener(quic, ListenerName, #{bind := Bind} = Opts) ->
     case [A || {quicer, _, _} = A <- application:which_applications()] of
         [_] ->
             DefAcceptors = erlang:system_info(schedulers_online) * 8,
-            ListenOpts = [
-                {cert, maps:get(certfile, Opts)},
-                {key, maps:get(keyfile, Opts)},
-                {alpn, ["mqtt"]},
-                {conn_acceptors, lists:max([DefAcceptors, maps:get(acceptors, Opts, 0)])},
-                {keep_alive_interval_ms, maps:get(keep_alive_interval, Opts, 0)},
-                {idle_timeout_ms, maps:get(idle_timeout, Opts, 0)},
-                {handshake_idle_timeout_ms, maps:get(handshake_idle_timeout, Opts, 10000)},
-                {server_resumption_level, 2},
-                {verify, none}
-            ],
+            ListenOpts =
+                [
+                    {cert, maps:get(certfile, Opts)},
+                    {key, maps:get(keyfile, Opts)},
+                    {alpn, ["mqtt"]},
+                    {conn_acceptors, lists:max([DefAcceptors, maps:get(acceptors, Opts, 0)])},
+                    {keep_alive_interval_ms, maps:get(keep_alive_interval, Opts, 0)},
+                    {idle_timeout_ms, maps:get(idle_timeout, Opts, 0)},
+                    {handshake_idle_timeout_ms, maps:get(handshake_idle_timeout, Opts, 10000)},
+                    {server_resumption_level, 2},
+                    {verify, maps:get(verify, Opts, verify_none)}
+                ] ++
+                    case maps:get(cacertfile, Opts, undefined) of
+                        undefined -> [];
+                        CaCertFile -> [{cacertfile, binary_to_list(CaCertFile)}]
+                    end,
             ConnectionOpts = #{
                 conn_callback => emqx_quic_connection,
                 peer_unidi_stream_count => 1,
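Review bot: `verify_peer` with no `cacertfile` is not rejected here — L43 passes whatever `verify` holds and L45–L48 simply omit the CA option when it is unset, so a listener meant to do mTLS can come up with no trust anchor unless quicer itself refuses that combination (not visible from here). Rejecting the pair at start-up turns the misconfiguration into an error rather than a silent downgrade; a check before `ListenOpts` is built does it (sketch below, the reason atom is a placeholder to be aligned with the error shape the rest of `do_start_listener` uses outside the hunk). Separately, the removed line passed `{verify, none}` while the new line passes the `verify_none`/`verify_peer` atoms straight from the schema — confirm quicer accepts that spelling, otherwise map them. `binary_to_list/1` at L47 also crashes if `cacertfile` ever arrives as a list rather than a binary; `unicode:characters_to_list/1` accepts either. `do_start_listener` starts before and continues after this hunk.
```erlang
            DefAcceptors = erlang:system_info(schedulers_online) * 8,
            Verify = maps:get(verify, Opts, verify_none),
            CaCertFile = maps:get(cacertfile, Opts, undefined),
            %% mTLS without a CA bundle cannot validate any client; fail at
            %% start-up instead of bringing up a listener that silently cannot.
            case {Verify, CaCertFile} of
                {verify_peer, undefined} ->
                    error({bad_listener_opts, ListenerName, verify_peer_requires_cacertfile});
                _ ->
                    ok
            end,
            ListenOpts =
                [
                    %% … unchanged: cert, key, alpn, acceptor and timeout options …
                    {server_resumption_level, 2},
                    {verify, Verify}
                ] ++
                    case CaCertFile of
                        undefined -> [];
                        _ -> [{cacertfile, unicode:characters_to_list(CaCertFile)}]
                    end,
```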

+ 17 - 1
apps/emqx/src/emqx_schema.erl

@@ -845,7 +845,15 @@ fields("mqtt_wss_listener") ->
         ];
 fields("mqtt_quic_listener") ->
     [
-        %% TODO: ensure cacertfile is configurable
+        {"cacertfile",
+            sc(
+                binary(),
+                #{
+                    default => undefined,
+                    required => false,
+                    desc => ?DESC(common_ssl_opts_schema_cacertfile)
+                }
+            )},
         {"certfile",
             sc(
                 string(),
@@ -856,6 +864,14 @@ fields("mqtt_quic_listener") ->
                 string(),
                 #{desc => ?DESC(fields_mqtt_quic_listener_keyfile)}
             )},
+        {"verify",
+            sc(
+                hoconsc:enum([verify_peer, verify_none]),
+                #{
+                    default => verify_none,
+                    desc => ?DESC(common_ssl_opts_schema_verify)
+                }
+            )},
         {"ciphers", ciphers_schema(quic)},
         {"idle_timeout",
             sc(
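Review bot: `cacertfile` at L63 is declared `binary()` while its siblings `certfile` (L72) and `keyfile` (L74) are `string()`, which is what forces the `binary_to_list/1` conversion on the listener side; declaring it `string()` like the others, `sc(string(), #{required => false, desc => ?DESC(common_ssl_opts_schema_cacertfile)})`, keeps the three path fields uniform and lets the listener pass the value through unchanged. `default => undefined` next to `required => false` at L65–L66 looks redundant — the listener already reads an absent field as `undefined` through `maps:get/3` — and can presumably be dropped, unless hocon treats an explicit `undefined` default differently (confirm). The `verify` enum at L77–L84 admits `verify_peer` without anything requiring `cacertfile` alongside it; if this schema module has a struct-level validations hook (not visible here), that is the place to reject `verify_peer` with no CA file so the mistake surfaces at config load rather than at listener start. `fields("mqtt_quic_listener")` continues past the end of both hunks.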