SSL listener's check for "CA Cert" about emqx HOT 4 OPEN

maybe change error to info as SSL will search for cacert from OS dir with {cacerts, public_key:cacerts_get()}

from emqx.

@qzhuyan I think you mean that for two-way authentication, it is allowed not to explicitly set CACert, so that EMQX can find it from the OS dir and provide clear info logs.

For one-way authentication, CACert is not needed at all, and even if it is set, it will not be used, so there should be no logs, not even info level.

Do I understand correctly?

from emqx.

After I double checked, I think current behaviour is ok as in schema cacertfile is not required.
So if it is set, EMQX must find it otherwise error log it.

Other features like check the configuraiton combination of verify_peer, partial_chain and cacerts is new feature, there will be many branches, to me it is over engineering but let Product to decide if we really need it and study it first.

BTW, disabling verify_peer will not prevent TLS client sending its cert to EMQX according to standard, the client cert can be used in other subsystem like AUTHN but EMQX need to ensure the cert is readable from lower layer.

from emqx.

So if it is set, EMQX must find it otherwise error log it.

I agree that EMQX must ensure that the specified file exists.

But in the current implementation, even if I don't set the CA Cert, EMQX will try to find this file (I'm not sure what EMQX is looking for at this time), and then throw an error log.

Let me sort out my expectations:

1. verify_peer is disabled, and CA Cert is not set, EMQX should not output error logs (Now it will)
2. verify_peer is disabled, and CA Cert is set, EMQX will confirm whether the file exists and output an error log if it does not exist.
3. verify_peer is enabled, CA Cert must be set, otherwise it will be considered an incorrect configuration.

1 and 3 are not the current behavior of EMQX.

from emqx.