
test: fix mtls options

Zaiming (Stone) Shi vor 2 Jahren
Ursprung
Commit
dca72e0052

+ 1 - 1
apps/emqx/test/emqx_broker_SUITE.erl

@@ -94,7 +94,7 @@ init_per_group(quic, Config) ->
     [
         {conn_fun, quic_connect},
         {port, emqx_config:get([listeners, quic, test, bind])},
-        {ssl_opts, emqx_common_test_helpers:client_ssl_twoway()},
+        {ssl_opts, emqx_common_test_helpers:client_mtls()},
         {ssl, true},
         {group_apps, Apps}
         | Config

+ 2 - 2
apps/emqx/test/emqx_client_SUITE.erl

@@ -395,7 +395,7 @@ t_peercert_preserved_before_connected(_) ->
         ?HP_HIGHEST
     ),
     ClientId = atom_to_binary(?FUNCTION_NAME),
-    SslConf = emqx_common_test_helpers:client_ssl_twoway(default),
+    SslConf = emqx_common_test_helpers:client_mtls(default),
     {ok, Client} = emqtt:start_link([
         {port, 8883},
         {clientid, ClientId},
@@ -455,7 +455,7 @@ tls_certcn_as_clientid(TLSVsn) ->
 tls_certcn_as_clientid(TLSVsn, RequiredTLSVsn) ->
     CN = <<"Client">>,
     emqx_config:put_zone_conf(default, [mqtt, peer_cert_as_clientid], cn),
-    SslConf = emqx_common_test_helpers:client_ssl_twoway(TLSVsn),
+    SslConf = emqx_common_test_helpers:client_mtls(TLSVsn),
     {ok, Client} = emqtt:start_link([{port, 8883}, {ssl, true}, {ssl_opts, SslConf}]),
     {ok, _} = emqtt:connect(Client),
     #{clientinfo := #{clientid := CN}} = emqx_cm:get_chan_info(CN),

+ 29 - 6
apps/emqx/test/emqx_common_test_helpers.erl

@@ -48,8 +48,10 @@
 -export([
     client_ssl/0,
     client_ssl/1,
-    client_ssl_twoway/0,
-    client_ssl_twoway/1,
+    client_mtls/0,
+    client_mtls/1,
+    ssl_verify_fun_allow_any_host/0,
+    ssl_verify_fun_allow_any_host_impl/3,
     ensure_mnesia_stopped/0,
     ensure_quic_listener/2,
     ensure_quic_listener/3,
@@ -430,11 +432,11 @@ flush(Msgs) ->
     after 0 -> lists:reverse(Msgs)
     end.
 
-client_ssl_twoway() ->
-    client_ssl_twoway(default).
+client_mtls() ->
+    client_mtls(default).
 
-client_ssl_twoway(TLSVsn) ->
-    client_certs() ++ ciphers(TLSVsn).
+client_mtls(TLSVsn) ->
+    ssl_verify_fun_allow_any_host() ++ client_certs() ++ ciphers(TLSVsn).
 
 %% Paths prepended to cert filenames
 client_certs() ->
@@ -1421,3 +1423,24 @@ group_path(Config) ->
         _:_ ->
             []
     end.
+
+%% almost verify_none equivalent, but only ignores 'hostname_check_failed'
+ssl_verify_fun_allow_any_host_impl(_Cert, Event, State) ->
+    case Event of
+        valid ->
+            {valid, State};
+        valid_peer ->
+            {valid, State};
+        {bad_cert, hostname_check_failed} ->
+            {valid, State};
+        {bad_cert, _} ->
+            {fail, Event};
+        {extension, _} ->
+            {unknown, State}
+    end.
+
+ssl_verify_fun_allow_any_host() ->
+    [
+        {verify, verify_peer},
+        {verify_fun, {fun ?MODULE:ssl_verify_fun_allow_any_host_impl/3, _State = #{}}}
+    ].
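Review bot: The comment above `ssl_verify_fun_allow_any_host_impl/3` calls the function "almost verify_none equivalent", which misdescribes it. With `{verify, verify_peer}` the chain is still validated and every other `{bad_cert, _}` event fails; what is waived is the name check, so any certificate that chains to the configured trust anchors is accepted for any hostname. I would reword the comment to `%% verify_peer with the hostname check waived: only {bad_cert, hostname_check_failed} is accepted, every other bad_cert fails. Test helper only.` and add `-spec` lines for the two new exports. Separately, `client_mtls/1` prepends these options to `client_certs()`, whose body is outside the hunk; if that list already carries a `verify` or `verify_fun` entry, which one takes effect depends on how the option list is consumed, so that is worth confirming.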

+ 1 - 1
apps/emqx/test/emqx_persistent_session_SUITE.erl

@@ -115,7 +115,7 @@ init_per_group(quic, Config) ->
     [
         {port, get_listener_port(quic, test)},
         {conn_fun, quic_connect},
-        {ssl_opts, emqx_common_test_helpers:client_ssl_twoway()},
+        {ssl_opts, emqx_common_test_helpers:client_mtls()},
         {ssl, true},
         {group_apps, Apps}
         | Config