emqx4.3/changes/ee/feat-13211.en.md

Enhance TLS listener to support more flexible TLS verifications.

• partial_chain support

If the option partial_chain is set to true, allow connections with incomplete certificate chains.

Check the configuration manual document for more details.

• Certificate KeyUsage Validation

Added support for required Extended Key Usage defined in rfc5280.

Introduced a new option (verify_peer_ext_key_usage) to require specific key usages (like "serverAuth") in peer certificates during the TLS handshake. This strengthens security by ensuring certificates are used for their intended purposes.

example:

 "serverAuth,OID:1.3.6.1.5.5.7.3.2"

Check the configuration manual document for more details.