2 lat temu · 0aa3ccdd65
--- a/apps/emqx/src/emqx_schema.erl
+++ b/apps/emqx/src/emqx_schema.erl
@@ -168,7 +168,9 @@
 
				 
			
 
				 -export([namespace/0, roots/0, roots/1, fields/1, desc/1, tags/0]).
			
 
				 -export([conf_get/2, conf_get/3, keys/2, filter/1]).
			
 
				--export([server_ssl_opts_schema/2, client_ssl_opts_schema/1, ciphers_schema/1]).
			
 
				+-export([
			
 
				+    server_ssl_opts_schema/2, client_ssl_opts_schema/1, ciphers_schema/1, tls_versions_schema/1
			
 
				+]).
			
 
				 -export([password_converter/2, bin_str_converter/2]).
			
 
				 -export([authz_fields/0]).
			
 
				 -export([sc/2, map/2]).
			
@@ -2019,7 +2021,6 @@ common_ssl_opts_schema(Defaults, Type) ->
 
				     D = fun(Field) -> maps:get(Field, Defaults, undefined) end,
			
 
				     Df = fun(Field, Default) -> maps:get(Field, Defaults, Default) end,
			
 
				     Collection = maps:get(versions, Defaults, tls_all_available),
			
 
				-    DefaultVersions = default_tls_vsns(Collection),
			
 
				     [
			
 
				         {"cacertfile",
			
 
				             sc(
			
@@ -2093,16 +2094,7 @@ common_ssl_opts_schema(Defaults, Type) ->
 
				                     converter => fun password_converter/2
			
 
				                 }
			
 
				             )},
			
 
				-        {"versions",
			
 
				-            sc(
			
 
				-                hoconsc:array(typerefl:atom()),
			
 
				-                #{
			
 
				-                    default => DefaultVersions,
			
 
				-                    desc => ?DESC(common_ssl_opts_schema_versions),
			
 
				-                    importance => ?IMPORTANCE_HIGH,
			
 
				-                    validator => fun(Input) -> validate_tls_versions(Collection, Input) end
			
 
				-                }
			
 
				-            )},
			
 
				+        {"versions", tls_versions_schema(Collection)},
			
 
				         {"ciphers", ciphers_schema(D(ciphers))},
			
 
				         {"user_lookup_fun",
			
 
				             sc(
			
@@ -2319,6 +2311,19 @@ outdated_tls_vsn(tls_all_available) -> ['tlsv1.1', tlsv1].
 
				 default_tls_vsns(Key) ->
			
 
				     available_tls_vsns(Key) -- outdated_tls_vsn(Key).
			
 
				 
			
 
				+-spec tls_versions_schema(tls_all_available | dtls_all_available) -> hocon_schema:field_schema().
			
 
				+tls_versions_schema(Collection) ->
			
 
				+    DefaultVersions = default_tls_vsns(Collection),
			
 
				+    sc(
			
 
				+        hoconsc:array(typerefl:atom()),
			
 
				+        #{
			
 
				+            default => DefaultVersions,
			
 
				+            desc => ?DESC(common_ssl_opts_schema_versions),
			
 
				+            importance => ?IMPORTANCE_HIGH,
			
 
				+            validator => fun(Input) -> validate_tls_versions(Collection, Input) end
			
 
				+        }
			
 
				+    ).
			
 
				+
			
 
				 -spec ciphers_schema(quic | dtls_all_available | tls_all_available | undefined) ->
			
 
				     hocon_schema:field_schema().
			
 
				 ciphers_schema(Default) ->
			
--- a/apps/emqx_conf/src/emqx_conf_schema.erl
+++ b/apps/emqx_conf/src/emqx_conf_schema.erl
@@ -940,7 +940,9 @@ fields("rpc") ->
 
				                     default => true,
			
 
				                     desc => ?DESC(rpc_insecure_fallback)
			
 
				                 }
			
 
				-            )}
			
 
				+            )},
			
 
				+        {"ciphers", emqx_schema:ciphers_schema(tls_all_available)},
			
 
				+        {"tls_versions", emqx_schema:tls_versions_schema(tls_all_available)}
			
 
				     ];
			
 
				 fields("log") ->
			
 
				     [
			
@@ -1176,7 +1178,11 @@ translation("emqx") ->
 
				         {"cluster_hocon_file", fun tr_cluster_hocon_file/1}
			
 
				     ];
			
 
				 translation("gen_rpc") ->
			
 
				-    [{"default_client_driver", fun tr_default_config_driver/1}];
			
 
				+    [
			
 
				+        {"default_client_driver", fun tr_default_config_driver/1},
			
 
				+        {"ssl_client_options", fun tr_gen_rpc_ssl_options/1},
			
 
				+        {"ssl_server_options", fun tr_gen_rpc_ssl_options/1}
			
 
				+    ];
			
 
				 translation("prometheus") ->
			
 
				     [
			
 
				         {"collectors", fun tr_prometheus_collectors/1}
			
@@ -1240,6 +1246,11 @@ collector_enabled(disabled, _) -> [].
 
				 tr_default_config_driver(Conf) ->
			
 
				     conf_get("rpc.driver", Conf).
			
 
				 
			
 
				+tr_gen_rpc_ssl_options(Conf) ->
			
 
				+    Ciphers = conf_get("rpc.ciphers", Conf),
			
 
				+    Versions = conf_get("rpc.tls_versions", Conf),
			
 
				+    [{ciphers, Ciphers}, {versions, Versions}].
			
 
				+
			
 
				 tr_config_files(_Conf) ->
			
 
				     case os:getenv("EMQX_ETC_DIR") of
			
 
				         false ->
			
--- a/changes/ce/fix-11697.en.md
+++ b/changes/ce/fix-11697.en.md
@@ -1,2 +1,6 @@
 
				-Use default TLS options for the EMQX backplane communications via gen_rpc.
			
 
				-The corresponding PR: https://github.com/emqx/gen_rpc/pull/36
			
 
				+Disable outdated TLS versions and ciphersuites in the EMQX backplane network (`gen_rpc`).
			
 
				+Allow using tlsv1.3 on the backplane.
			
 
				+
			
 
				+Add new configuration parameters: `EMQX_RPC__TLS_VERSIONS` and `EMQX_RPC__CIPHERS`.
			
 
				+
			
 
				+The corresponding `gen_rpc` PR: https://github.com/emqx/gen_rpc/pull/36