
chore(TLS-chain-test): update for OTP 26

William Yang 1 год назад
Родитель
Сommit
70ffd77f99

+ 1 - 1
apps/emqx/src/emqx_const_v2.erl

@@ -1,5 +1,5 @@
 %%--------------------------------------------------------------------
-%% Copyright (c) 2023 EMQ Technologies Co., Ltd. All Rights Reserved.
+%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
 %%
 %% Licensed under the Apache License, Version 2.0 (the "License");
 %% you may not use this file except in compliance with the License.

+ 15 - 8
apps/emqx/test/emqx_listener_tls_verify_chain_SUITE.erl

@@ -1,5 +1,5 @@
 %%--------------------------------------------------------------------
-%% Copyright (c) 2023 EMQ Technologies Co., Ltd. All Rights Reserved.
+%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
 %%
 %% Licensed under the Apache License, Version 2.0 (the "License");
 %% you may not use this file except in compliance with the License.
@@ -58,7 +58,8 @@ t_conn_fail_with_intermediate_ca_cert(Config) ->
         Port,
         [
             {keyfile, filename:join(DataDir, "client1.key")},
-            {certfile, filename:join(DataDir, "client1.pem")}
+            {certfile, filename:join(DataDir, "client1.pem")},
+            {verify, verify_none}
         ],
         1000
     ),
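Review bot: The added `{verify, verify_none}` turns off server-certificate validation in the test client, and nothing in the hunk says why that is acceptable here. OTP 26 changed the `ssl` client default to `verify_peer`, so the option presumably restores the earlier behaviour because these cases only exercise the listener's validation of the client chain. A comment such as `%% OTP 26 clients default to verify_peer; the server cert is not under test here` would record that and keep the option from being copied into non-test client code. The same literal is repeated in the remaining hunks of this suite and in every hunk of emqx_listener_tls_verify_keyusage_SUITE.erl, whereas the partial-chain suite keeps it in one place in `client_default_tls_opts/0`; a shared helper would do the same here. The enclosing test function starts and ends outside the hunk.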
@@ -83,7 +84,8 @@ t_conn_fail_with_other_intermediate_ca_cert(Config) ->
         Port,
         [
             {keyfile, filename:join(DataDir, "client2.key")},
-            {certfile, filename:join(DataDir, "client2.pem")}
+            {certfile, filename:join(DataDir, "client2.pem")},
+            {verify, verify_none}
         ],
         1000
     ),
@@ -110,7 +112,8 @@ t_conn_success_with_server_client_composed_complete_chain(Config) ->
         Port,
         [
             {keyfile, filename:join(DataDir, "client2.key")},
-            {certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")}
+            {certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")},
+            {verify, verify_none}
         ],
         1000
     ),
@@ -136,7 +139,8 @@ t_conn_success_with_other_signed_client_composed_complete_chain(Config) ->
         Port,
         [
             {keyfile, filename:join(DataDir, "client2.key")},
-            {certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")}
+            {certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")},
+            {verify, verify_none}
         ],
         1000
     ),
@@ -161,7 +165,8 @@ t_conn_success_with_renewed_intermediate_root_bundle(Config) ->
         Port,
         [
             {keyfile, filename:join(DataDir, "client1.key")},
-            {certfile, filename:join(DataDir, "client1.pem")}
+            {certfile, filename:join(DataDir, "client1.pem")},
+            {verify, verify_none}
         ],
         1000
     ),
@@ -185,7 +190,8 @@ t_conn_success_with_client_complete_cert_chain(Config) ->
         Port,
         [
             {keyfile, filename:join(DataDir, "client2.key")},
-            {certfile, filename:join(DataDir, "client2-complete-bundle.pem")}
+            {certfile, filename:join(DataDir, "client2-complete-bundle.pem")},
+            {verify, verify_none}
         ],
         1000
     ),
@@ -237,7 +243,8 @@ t_conn_fail_without_root_cacert(Config) ->
             {keyfile, filename:join(DataDir, "client2.key")},
             {certfile, filename:join(DataDir, "client2-intermediate2-bundle.pem")},
             %% stick to tlsv1.2 for consistent error message
-            {versions, ['tlsv1.2']}
+            {versions, ['tlsv1.2']},
+            {cacertfile, filename:join(DataDir, "intermediate2.pem")}
         ],
         1000
     ),
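Review bot: The client's verification mode is left implicit in t_conn_fail_without_root_cacert: this option list gains `cacertfile` but no `verify`, so it runs with `verify_none` before OTP 26 and `verify_peer` from OTP 26 on. Under `verify_peer` with only `intermediate2.pem` as trust material, the handshake may fail because the client cannot validate the listener certificate rather than because the listener rejects the client chain, and the test would still see a failure. Whether that happens depends on the listener certificate and on the asserted error, neither of which is in the hunk. Adding `{verify, verify_peer},` next to `cacertfile`, with a comment on why the intermediate is supplied, would pin the case to one behaviour on every OTP release. The test body continues outside the hunk.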

+ 21 - 11
apps/emqx/test/emqx_listener_tls_verify_keyusage_SUITE.erl

@@ -1,5 +1,5 @@
 %%--------------------------------------------------------------------
-%% Copyright (c) 2023 EMQ Technologies Co., Ltd. All Rights Reserved.
+%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
 %%
 %% Licensed under the Apache License, Version 2.0 (the "License");
 %% you may not use this file except in compliance with the License.
@@ -77,7 +77,8 @@ t_conn_success_verify_peer_ext_key_usage_unset(Config) ->
         Port,
         [
             {keyfile, filename:join(DataDir, "client1.key")},
-            {certfile, filename:join(DataDir, "client1.pem")}
+            {certfile, filename:join(DataDir, "client1.pem")},
+            {verify, verify_none}
         ],
         1000
     ),
@@ -102,7 +103,8 @@ t_conn_success_verify_peer_ext_key_usage_undefined(Config) ->
         Port,
         [
             {keyfile, filename:join(DataDir, "client1.key")},
-            {certfile, filename:join(DataDir, "client1.pem")}
+            {certfile, filename:join(DataDir, "client1.pem")},
+            {verify, verify_none}
         ],
         1000
     ),
@@ -129,7 +131,8 @@ t_conn_success_verify_peer_ext_key_usage_matched_predefined(Config) ->
         Port,
         [
             {keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
-            {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
+            {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
+            {verify, verify_none}
         ],
         1000
     ),
@@ -157,7 +160,8 @@ t_conn_success_verify_peer_ext_key_usage_matched_raw_oid(Config) ->
         Port,
         [
             {keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
-            {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
+            {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
+            {verify, verify_none}
         ],
         1000
     ),
@@ -184,7 +188,8 @@ t_conn_success_verify_peer_ext_key_usage_matched_ordered_list(Config) ->
         Port,
         [
             {keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
-            {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
+            {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
+            {verify, verify_none}
         ],
         1000
     ),
@@ -210,7 +215,8 @@ t_conn_success_verify_peer_ext_key_usage_matched_unordered_list(Config) ->
         Port,
         [
             {keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
-            {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
+            {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
+            {verify, verify_none}
         ],
         1000
     ),
@@ -237,7 +243,8 @@ t_conn_fail_verify_peer_ext_key_usage_unmatched_raw_oid(Config) ->
         Port,
         [
             {keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
-            {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
+            {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
+            {verify, verify_none}
         ],
         1000
     ),
@@ -263,7 +270,8 @@ t_conn_fail_verify_peer_ext_key_usage_empty_str(Config) ->
         Port,
         [
             {keyfile, filename:join(DataDir, "client1.key")},
-            {certfile, filename:join(DataDir, "client1.pem")}
+            {certfile, filename:join(DataDir, "client1.pem")},
+            {verify, verify_none}
         ],
         1000
     ),
@@ -290,7 +298,8 @@ t_conn_fail_client_keyusage_unmatch(Config) ->
         Port,
         [
             {keyfile, client_key_file(DataDir, ?FUNCTION_NAME)},
-            {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)}
+            {certfile, client_pem_file(DataDir, ?FUNCTION_NAME)},
+            {verify, verify_none}
         ],
         1000
     ),
@@ -317,7 +326,8 @@ t_conn_fail_client_keyusage_incomplete(Config) ->
         Port,
         [
             {keyfile, filename:join(DataDir, "client1.key")},
-            {certfile, filename:join(DataDir, "client1.pem")}
+            {certfile, filename:join(DataDir, "client1.pem")},
+            {verify, verify_none}
         ],
         1000
     ),

+ 5 - 2
apps/emqx/test/emqx_listener_tls_verify_partial_chain_SUITE.erl

@@ -1,5 +1,5 @@
 %%--------------------------------------------------------------------
-%% Copyright (c) 2023 EMQ Technologies Co., Ltd. All Rights Reserved.
+%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
 %%
 %% Licensed under the Apache License, Version 2.0 (the "License");
 %% you may not use this file except in compliance with the License.
@@ -702,4 +702,7 @@ ssl_config_verify_partial_chain() ->
     ].
 
 client_default_tls_opts() ->
-    [{versions, ['tlsv1.2']}].
+    [
+        {versions, ['tlsv1.2']},
+        {verify, verify_none}
+    ].

+ 2 - 1
apps/emqx/test/emqx_test_tls_certs_helper.erl

@@ -1,5 +1,5 @@
 %%--------------------------------------------------------------------
-%% Copyright (c) 2023 EMQ Technologies Co., Ltd. All Rights Reserved.
+%% Copyright (c) 2024 EMQ Technologies Co., Ltd. All Rights Reserved.
 %%
 %% Licensed under the Apache License, Version 2.0 (the "License");
 %% you may not use this file except in compliance with the License.
@@ -40,6 +40,7 @@ emqx_start_listener(Name, Type, Port, Opts) when is_list(Opts) ->
     emqx_start_listener(Name, Type, Port, maps:from_list(Opts));
 emqx_start_listener(Name, ssl, Port, #{ssl_options := SslOptions} = Opts0) ->
     Opts = Opts0#{
+        enable => true,
         bind => {{127, 0, 0, 1}, Port},
         mountpoint => <<>>,
         zone => default,

+ 0 - 4
changes/ce/feat-11721.zh.md

@@ -1,4 +0,0 @@
- 移植 emqx 4.4 中的两项 TLS 握手验证功能
-
-- 支持部分链 ( partial_chain )
-- 证书密钥使用验证