Skip to content

Commit

Permalink
Merge pull request #55 from emqx/0619-ssl-cacerts-option-support-syst…
Browse files Browse the repository at this point in the history
…em_defaults

feat(ssl): cacert option suppor 'system_defaults'
  • Loading branch information
zmstone authored Jun 20, 2024
2 parents 4cd8e6f + 5bec0ea commit 8cea620
Show file tree
Hide file tree
Showing 2 changed files with 27 additions and 5 deletions.
2 changes: 1 addition & 1 deletion OTP_VERSION
Original file line number Diff line number Diff line change
@@ -1 +1 @@
26.2.5-2
26.2.5-3
30 changes: 26 additions & 4 deletions lib/ssl/src/ssl.erl
Original file line number Diff line number Diff line change
Expand Up @@ -106,6 +106,9 @@
%% Tracing
-export([handle_trace/3]).

%% EMQ fork
-export([default_cacerts/0]).

-removed({ssl_accept, '_',
"use ssl_handshake/1,2,3 instead"}).
-removed({cipher_suites, 0,
Expand Down Expand Up @@ -461,7 +464,7 @@
-type client_reuse_session() :: session_id() | {session_id(), SessionData::binary()}.
-type client_reuse_sessions() :: boolean() | save.
-type client_certificate_authorities() :: boolean().
-type client_cacerts() :: [public_key:der_encoded()] | [public_key:combined_cert()].
-type client_cacerts() :: system_defaults | [public_key:der_encoded()] | [public_key:combined_cert()].
-type client_cafile() :: file:filename().
-type app_level_protocol() :: binary().
-type client_alpn() :: [app_level_protocol()].
Expand Down Expand Up @@ -507,7 +510,7 @@
{early_data, server_early_data()} |
{use_srtp, use_srtp()}.

-type server_cacerts() :: [public_key:der_encoded()] | [public_key:combined_cert()].
-type server_cacerts() :: system_defaults | [public_key:der_encoded()] | [public_key:combined_cert()].
-type server_cafile() :: file:filename().
-type server_alpn() :: [app_level_protocol()].
-type server_next_protocol() :: [app_level_protocol()].
Expand Down Expand Up @@ -570,6 +573,20 @@
%%% API
%%%--------------------------------------------------------------------

%% This function is added in EMQ's OTP fork until the upstream provides a similar solution.
%% The application code can be implement like:
%%
%% default_cacerts() ->
%% try
%% ssl:default_cacerts()
%% catch
%% _:_ ->
%% public_key:cacerts_get()
%% end.
-spec default_cacerts() -> system_defaults.
default_cacerts() ->
system_defaults.

%%--------------------------------------------------------------------
%%
%% Description: Utility function that starts the ssl and applications
Expand Down Expand Up @@ -1979,8 +1996,13 @@ check_cert_key(UserOpts, CertKeys, LogLevel) ->

opt_cacerts(UserOpts, #{verify := Verify, log_level := LogLevel, versions := Versions} = Opts,
#{role := Role}) ->
{_, CaCerts} = get_opt_list(cacerts, undefined, UserOpts, Opts),

CaCerts = case get_opt(cacerts, undefined, UserOpts, Opts) of
{_, system_defaults} ->
public_key:cacerts_get();
_ ->
{_, CaCerts0} = get_opt_list(cacerts, undefined, UserOpts, Opts),
CaCerts0
end,
CaCertFile = case get_opt_file(cacertfile, <<>>, UserOpts, Opts) of
{Where1, _FileName} when CaCerts =/= undefined ->
warn_override(Where1, UserOpts, cacerts, [cacertfile], LogLevel),
Expand Down

0 comments on commit 8cea620

Please sign in to comment.