
Merge pull request #4134 from jovdipp/tlsv1.3-as-default

Tlsv1.3 as default
Zaiming Shi 5 năm trước cách đây
mục cha
commit
7c94a02bdd

+ 2 - 2
apps/emqx_bridge_mqtt/etc/emqx_bridge_mqtt.conf


+ 3 - 3
apps/emqx_dashboard/etc/emqx_dashboard.conf


+ 1 - 1
apps/emqx_exproto/etc/emqx_exproto.conf


+ 13 - 12
apps/emqx_exproto/test/emqx_exproto_SUITE.erl

@@ -424,30 +424,31 @@ udp_opts() ->
      {reuseaddr, true}].
 
 ssl_opts() ->
-    Path = emqx_ct_helpers:deps_path(emqx, "etc/certs"),
+    Certs = certs("key.pem", "cert.pem", "cacert.pem"),
     [{versions, ['tlsv1.2','tlsv1.1',tlsv1]},
-     {ciphers, ciphers()},
-     {keyfile, Path ++ "/key.pem"},
-     {certfile, Path ++ "/cert.pem"},
-     {cacertfile, Path ++ "/cacert.pem"},
+     {ciphers, ciphers('tlsv1.2')},
      {verify, verify_peer},
      {fail_if_no_peer_cert, true},
      {secure_renegotiate, false},
      {reuse_sessions, true},
-     {honor_cipher_order, true}].
+     {honor_cipher_order, true}]++Certs.
 
 dtls_opts() ->
     Opts = ssl_opts(),
     lists:keyreplace(versions, 1, Opts, {versions, ['dtlsv1.2', 'dtlsv1']}).
 
-ciphers() ->
-    proplists:get_value(ciphers, emqx_ct_helpers:client_ssl()).
+ciphers(Version) ->
+    proplists:get_value(ciphers, emqx_ct_helpers:client_ssl(Version)).
 
 %%--------------------------------------------------------------------
 %% Client-Opts
 
 client_ssl_opts() ->
-    Path = emqx_ct_helpers:deps_path(emqx, "etc/certs"),
-    [{keyfile, Path ++ "/client-key.pem"},
-     {certfile, Path ++ "/client-cert.pem"},
-     {cacertfile, Path ++ "/cacert.pem"}].
+    certs( "client-key.pem", "client-cert.pem", "cacert.pem" ).
+
+certs( Key, Cert, CACert ) ->
+    CertsPath = emqx_ct_helpers:deps_path(emqx, "etc/certs"),
+    [ { keyfile,    filename:join([ CertsPath, Key    ]) },
+      { certfile,   filename:join([ CertsPath, Cert   ]) },
+      { cacertfile, filename:join([ CertsPath, CACert ]) } ].
+
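Review bot: The new `certs/3` and the `client_ssl_opts/0` call above it pad the inside of parentheses and list brackets with spaces, and `]++Certs` has no spaces around the operator, which does not match the rest of the file (compare `emqx_ct_helpers:deps_path(emqx, "etc/certs")` on the same hunk); `certs(Key, Cert, CACert) ->` and `{honor_cipher_order, true}] ++ Certs.` would keep the style consistent. Separately, `ssl_opts/0` still advertises `'tlsv1.1'` and `tlsv1` while its cipher list now comes from `ciphers('tlsv1.2')` and the PR makes TLSv1.3 the default, and it keeps `{secure_renegotiate, false}`; if exercising the legacy versions on the test listener is deliberate, a one-line comment such as `%% legacy versions kept on purpose to exercise downgrade paths` would stop the next reader from "fixing" it. The `udp_opts/0` clause at the top of the hunk starts outside it.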

+ 1 - 1
apps/emqx_management/etc/emqx_management.conf


+ 3 - 3
apps/emqx_stomp/etc/emqx_stomp.conf


+ 5 - 4
etc/emqx.conf


+ 2 - 2
rebar.config.erl

@@ -34,8 +34,8 @@ test_plugins() ->
 
 test_deps() ->
     [ {bbmustache, "1.10.0"}
-    , {emqx_ct_helpers, {git, "https://github.com/emqx/emqx-ct-helpers", {tag, "1.3.4"}}}
-    , meck
+     , {emqx_ct_helpers, {git, "https://github.com/emqx/emqx-ct-helpers", {tag, "1.3.5"}}}
+     , meck
     ].
 
 default_compile_opts() ->

+ 41 - 9
test/emqx_client_SUITE.erl

@@ -70,7 +70,9 @@ groups() ->
       ]},
      {others, [non_parallel_tests],
       [t_username_as_clientid,
-       t_certcn_as_clientid
+       t_certcn_as_clientid_default_config_tls,
+       t_certcn_as_clientid_tlsv1_3,
+       t_certcn_as_clientid_tlsv1_2
       ]}
     ].
 
@@ -278,14 +280,18 @@ t_username_as_clientid(_) ->
     #{clientinfo := #{clientid := Username}} = emqx_cm:get_chan_info(Username),
     emqtt:disconnect(C).
 
-t_certcn_as_clientid(_) ->
-    CN = <<"Client">>,
-    emqx_zone:set_env(external, use_username_as_clientid, true),
-    SslConf = emqx_ct_helpers:client_ssl_twoway(),
-    {ok, C} = emqtt:start_link([{port, 8883}, {ssl, true}, {ssl_opts, SslConf}]),
-    {ok, _} = emqtt:connect(C),
-    #{clientinfo := #{clientid := CN}} = emqx_cm:get_chan_info(CN),
-    emqtt:disconnect(C).
+
+
+t_certcn_as_clientid_default_config_tls(_) ->
+    tls_certcn_as_clientid(default).
+
+t_certcn_as_clientid_tlsv1_3(_) ->
+    tls_certcn_as_clientid('tlsv1.3').
+
+t_certcn_as_clientid_tlsv1_2(_) ->
+    tls_certcn_as_clientid('tlsv1.2').
+
+
 
 %%--------------------------------------------------------------------
 %% Helper functions
@@ -304,3 +310,29 @@ recv_msgs(Count, Msgs) ->
     after 100 ->
         Msgs
     end.
+
+
+confirm_tls_version( Client, RequiredProtocol ) ->
+    Info = emqtt:info(Client),
+    SocketInfo = proplists:get_value( socket, Info ),
+    %% emqtt_sock has #ssl_socket.ssl
+    SSLSocket = element( 3, SocketInfo ),
+    { ok, SSLInfo } = ssl:connection_information(SSLSocket),
+    Protocol = proplists:get_value( protocol, SSLInfo ),
+    RequiredProtocol = Protocol.
+
+
+tls_certcn_as_clientid(default = TLSVsn) ->
+    tls_certcn_as_clientid(TLSVsn, 'tlsv1.3');
+tls_certcn_as_clientid(TLSVsn) ->
+    tls_certcn_as_clientid(TLSVsn, TLSVsn).
+
+tls_certcn_as_clientid(TLSVsn, RequiredTLSVsn) ->
+    CN = <<"Client">>,
+    emqx_zone:set_env(external, use_username_as_clientid, true),
+    SslConf = emqx_ct_helpers:client_ssl_twoway(TLSVsn),
+    {ok, Client} = emqtt:start_link([{port, 8883}, {ssl, true}, {ssl_opts, SslConf}]),
+    {ok, _} = emqtt:connect(Client),
+    #{clientinfo := #{clientid := CN}} = emqx_cm:get_chan_info(CN),
+    confirm_tls_version( Client, RequiredTLSVsn ),
+    emqtt:disconnect(Client).
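Review bot: `confirm_tls_version/2` reaches into emqtt's socket term with `element(3, SocketInfo)`, so any change to the emqtt_sock record layout would make this check fail (or silently pass) for reasons unrelated to the negotiated version; matching the shape the comment describes, e.g. `{ssl_socket, _, SSLSocket} = SocketInfo,` if that record has two fields (not visible here), fails with a readable reason instead. The final `RequiredProtocol = Protocol.` reports a mismatch only as a bare `badmatch`; `?assertEqual(RequiredProtocol, Protocol)` would show both values, provided the suite includes eunit.hrl. `ssl:connection_information(SSLSocket, [protocol])` would also avoid pulling the whole info proplist just to read one key. In `tls_certcn_as_clientid/2` the `use_username_as_clientid` zone setting is set and never restored, so it can leak into later tests of the `others` group; the removed test had the same behaviour, but the refactor is a good moment to reset it in `end_per_testcase` or after `emqtt:disconnect/1`.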