
fix(ssl-clients): allow wildcard certificates by default

zmstone 1 год назад
Родитель
Сommit
37d66e90fb

+ 7 - 1
apps/emqx/src/emqx_tls_lib.erl

@@ -542,13 +542,19 @@ to_client_opts(Type, Opts) ->
                     {depth, Get(depth)},
                     {password, ensure_str(Get(password))},
                     {secure_renegotiate, Get(secure_renegotiate)}
-                ],
+                ] ++ hostname_check(Verify),
                 Versions
             );
         false ->
             []
     end.
 
+hostname_check(verify_none) ->
+    [];
+hostname_check(verify_peer) ->
+    %% allow wildcard certificates
+    [{customize_hostname_check, [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].
+
 resolve_cert_path_for_read_strict(Path) ->
     case resolve_cert_path_for_read(Path) of
         undefined ->
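Review bot: `hostname_check/1` has clauses only for `verify_none` and `verify_peer`, so if `Get(verify)` (outside the hunk, earlier in to_client_opts) can ever yield another value — the old test passed the string "Verify" straight through — `to_client_opts/2` now fails with `function_clause` instead of returning options; if the config schema restricts `verify` to those two atoms this is the right assertive shape, but that should be confirmed, and a `-spec hostname_check(verify_none | verify_peer) -> [ssl:tls_client_option()].` would make the contract visible to Dialyzer. The comment on the `verify_peer` clause could say what the option actually does, since `customize_hostname_check` only applies when `verify_peer` is set and the SNI is a host name (with `server_name_indication => disable` no hostname check runs at all): `%% verify_peer alone rejects wildcard SANs; the https match_fun applies RFC 6125 rules so *.example.com matches srv1.example.com`. to_client_opts/2 starts before the hunk.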

+ 10 - 3
apps/emqx/test/emqx_tls_lib_tests.erl

@@ -240,7 +240,7 @@ to_client_opts_test() ->
     Versions13Only = ['tlsv1.3'],
     Options = #{
         enable => true,
-        verify => "Verify",
+        verify => verify_none,
         server_name_indication => "SNI",
         ciphers => "Ciphers",
         depth => "depth",
@@ -249,9 +249,16 @@ to_client_opts_test() ->
         secure_renegotiate => "secure_renegotiate",
         reuse_sessions => "reuse_sessions"
     },
-    Expected1 = lists:usort(maps:keys(Options) -- [enable]),
+    Expected0 = lists:usort(maps:keys(Options) -- [enable]),
+    Expected1 = lists:sort(Expected0 ++ [customize_hostname_check]),
+    ?assertEqual(
+        Expected0, lists:usort(proplists:get_keys(emqx_tls_lib:to_client_opts(tls, Options)))
+    ),
     ?assertEqual(
-        Expected1, lists:usort(proplists:get_keys(emqx_tls_lib:to_client_opts(tls, Options)))
+        Expected1,
+        lists:usort(
+            proplists:get_keys(emqx_tls_lib:to_client_opts(tls, Options#{verify => verify_peer}))
+        )
     ),
     Expected2 =
         lists:usort(
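Review bot: The new `?assertEqual` on `Expected1` only checks that the `customize_hostname_check` key appears for `verify_peer`; it does not pin what it maps to, so a regression that kept the key but dropped the `match_fun` (or swapped in a different one) would still pass. A value check alongside the key check would close that gap, e.g. `Opts = emqx_tls_lib:to_client_opts(tls, Options#{verify => verify_peer}),` followed by `?assertMatch([{match_fun, F}] when is_function(F, 2), proplists:get_value(customize_hostname_check, Opts)),`. The hunk also adds a second `?assertEqual` for `verify_none`; a short comment above it, `%% verify_none must not add hostname-check options`, would document why the two expectations differ. to_client_opts_test/0 starts before the hunk and continues after it.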

+ 4 - 0
changes/ce/fix-12962.en.md

@@ -0,0 +1,4 @@
+TLS clients can now verify server hostname against wildcard certificate.
+
+For example, if a certificate is issued for host `*.example.com`,
+TLS clients is able to verify server hostnames like `srv1.example.com`.