diff --git a/ChangeLog.txt b/ChangeLog.txt
index c2322855..e850c2c5 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -14,11 +14,15 @@ Broker features:
- Add improved bridge restart interval based on Decorrelated Jitter.
- Add `dhparamfile` option, to allow DH parameters to be loaded for Ephemeral
DH support
+- Add explicit support for TLS v1.3.
+- Drop support for TLS v1.0.
Client library features:
- Add mosquitto_subscribe_multiple() for sending subscriptions to multiple
topics in one command.
- Add TLS Engine support.
+- Add explicit support for TLS v1.3.
+- Drop support for TLS v1.0.
Client features:
- Add -E to mosquitto_sub, which causes it to exit immediately after having
@@ -26,6 +30,8 @@ Client features:
session without requiring a message to be received.
- -V now accepts `5, `311`, `31`, as well as `mqttv5` etc.
- Add TLS Engine support.
+- Add explicit support for TLS v1.3.
+- Drop support for TLS v1.0.
Client fixes:
- mosquitto_pub wouldn't always publish all messages when using `-l` and
diff --git a/client/pub_client.c b/client/pub_client.c
index 404f7885..bb8e14f6 100644
--- a/client/pub_client.c
+++ b/client/pub_client.c
@@ -182,7 +182,7 @@ void print_usage(void)
printf(" --key : client private key for authentication, if required by server.\n");
printf(" --keyform : keyfile type, can be either \"pem\" or \"engine\".\n");
printf(" --ciphers : openssl compatible list of TLS ciphers to support.\n");
- printf(" --tls-version : TLS protocol version, can be one of tlsv1.2 tlsv1.1 or tlsv1.\n");
+ printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 tlsv1.2 or tlsv1.1.\n");
printf(" Defaults to tlsv1.2 if available.\n");
printf(" --insecure : do not check that the server certificate hostname matches the remote\n");
printf(" hostname. Using this option means that you cannot be sure that the\n");
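Review bot: The context line `Defaults to tlsv1.2 if available.` just below the edited `--tls-version` line may no longer describe what happens when the flag is omitted. In the lib/net_mosq.c hunk of this commit, an unset `tls_version` sets only `SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1`, which leaves TLS v1.1 through v1.3 negotiable rather than pinning v1.2. If the client passes no version to the library in that case (the call is not in this hunk), the help text should say so, for example `Defaults to allowing tlsv1.1 and later.`. The same line appears in the client/sub_client.c hunk. print_usage() starts and ends outside the hunk.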
diff --git a/client/sub_client.c b/client/sub_client.c
index 4e99b10c..f11f0844 100644
--- a/client/sub_client.c
+++ b/client/sub_client.c
@@ -214,7 +214,7 @@ void print_usage(void)
printf(" --key : client private key for authentication, if required by server.\n");
printf(" --keyform : keyfile type, can be either \"pem\" or \"engine\".\n");
printf(" --ciphers : openssl compatible list of TLS ciphers to support.\n");
- printf(" --tls-version : TLS protocol version, can be one of tlsv1.2 tlsv1.1 or tlsv1.\n");
+ printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 tlsv1.2 or tlsv1.1.\n");
printf(" Defaults to tlsv1.2 if available.\n");
printf(" --insecure : do not check that the server certificate hostname matches the remote\n");
printf(" hostname. Using this option means that you cannot be sure that the\n");
diff --git a/lib/net_mosq.c b/lib/net_mosq.c
index 35bbf466..c67bc973 100644
--- a/lib/net_mosq.c
+++ b/lib/net_mosq.c
@@ -531,13 +531,13 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
}
if(!mosq->tls_version){
- SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3);
+ SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
+ }else if(!strcmp(mosq->tls_version, "tlsv1.3")){
+ SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
}else if(!strcmp(mosq->tls_version, "tlsv1.2")){
- SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1);
+ SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_3);
}else if(!strcmp(mosq->tls_version, "tlsv1.1")){
- SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1);
- }else if(!strcmp(mosq->tls_version, "tlsv1")){
- SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_1);
+ SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3);
}else{
log__printf(mosq, MOSQ_LOG_ERR, "Error: Protocol %s not supported.", mosq->tls_version);
COMPAT_CLOSE(mosq->sock);
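Review bot: `SSL_OP_NO_TLSv1_3` is used unconditionally in the `tlsv1.2` and `tlsv1.1` branches, but OpenSSL only defines that macro from 1.1.1 on, so this will not compile against older libraries. The man-page sentence removed in this commit about an installed openssl being "too old" suggests such builds were supported. A plain `#define SSL_OP_NO_TLSv1_3 0` fallback would not be enough, because the `tlsv1.3` branch would then switch off every protocol the library has. Guarding the branches on the macro lets an unavailable `tlsv1.3` fall through to the existing `Protocol %s not supported` error. The same applies to mosquitto__tls_server_ctx() in the src/net.c hunk; net__init_ssl_ctx() starts and ends outside this hunk.

```c
#ifdef SSL_OP_NO_TLSv1_3
	/* … unchanged: the tlsv1.3, tlsv1.2 and tlsv1.1 branches from this hunk … */
#else
	}else if(!strcmp(mosq->tls_version, "tlsv1.2")){
		SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
	}else if(!strcmp(mosq->tls_version, "tlsv1.1")){
		SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2);
#endif
	}else{
```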
diff --git a/lib/options.c b/lib/options.c
index 5346066b..92860cb8 100644
--- a/lib/options.c
+++ b/lib/options.c
@@ -199,9 +199,9 @@ int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs, const char *tl
mosq->tls_cert_reqs = cert_reqs;
if(tls_version){
- if(!strcasecmp(tls_version, "tlsv1.2")
- || !strcasecmp(tls_version, "tlsv1.1")
- || !strcasecmp(tls_version, "tlsv1")){
+ if(!strcasecmp(tls_version, "tlsv1.3")
+ || !strcasecmp(tls_version, "tlsv1.2")
+ || !strcasecmp(tls_version, "tlsv1.1")){
mosq->tls_version = mosquitto__strdup(tls_version);
if(!mosq->tls_version) return MOSQ_ERR_NOMEM;
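Review bot: The version is validated with `strcasecmp` but stored exactly as the caller spelled it, while net__init_ssl_ctx() in the lib/net_mosq.c hunk of this commit matches it with case-sensitive `strcmp`. A value such as `TLSv1.3` is therefore accepted here and only rejected later, at connect time, with the protocol-not-supported error. That fails closed, but the late error is confusing for the caller. Normalising the copy after the NOMEM check, for example `for(char *p = mosq->tls_version; *p; p++) *p = (char)tolower((unsigned char)*p);` (needs `<ctype.h>`), would make the two checks agree. mosquitto_tls_opts_set() continues outside the hunk.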
diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml
index a34feefb..def5406c 100644
--- a/man/mosquitto.conf.5.xml
+++ b/man/mosquitto.conf.5.xml
@@ -1111,11 +1111,11 @@ openssl dhparam -out dhparam.pem 2048
Configure the version of the TLS protocol to be
used for this listener. Possible values are
- tlsv1.2,
- tlsv1.1 and
- tlsv1. If left unset,
- the default of allowing all of TLS v1.2, v1.1 and
- v1.0 is used.
+ tlsv1.3,
+ tlsv1.2 and
+ tlsv1.1. If left unset,
+ the default of allowing all of TLS v1.3, v1.2 and
+ v1.1 is used.
@@ -1194,11 +1194,11 @@ openssl dhparam -out dhparam.pem 2048
Configure the version of the TLS protocol to be
used for this listener. Possible values are
- tlsv1.2,
- tlsv1.1 and
- tlsv1. If left unset,
- the default of allowing all of TLS v1.2, v1.1 and
- v1.0 is used.
+ tlsv1.3,
+ tlsv1.2 and
+ tlsv1.1. If left unset,
+ the default of allowing all of TLS v1.3, v1.2 and
+ v1.1 is used.
@@ -1707,9 +1707,9 @@ topic clients/total in 0 test/mosquitto/org $SYS/broker/
Configure the version of the TLS protocol to be
used for this bridge. Possible values are
- tlsv1.2,
- tlsv1.1 and
- tlsv1. Defaults to
+ tlsv1.3,
+ tlsv1.2 and
+ tlsv1.1. Defaults to
tlsv1.2. The remote
broker must support the same version of TLS for the
connection to succeed.
diff --git a/man/mosquitto_pub.1.xml b/man/mosquitto_pub.1.xml
index 363a9aec..b02e3214 100644
--- a/man/mosquitto_pub.1.xml
+++ b/man/mosquitto_pub.1.xml
@@ -480,12 +480,10 @@
Choose which TLS protocol version to use when
communicating with the broker. Valid options are
- , and
- . The default value is
- . If the installed version of
- openssl is too old, only will be
- available. Must match the protocol version used by the
- broker.
+ , and
+ . The default value is
+ . Must match the protocol
+ version used by the broker.
diff --git a/man/mosquitto_sub.1.xml b/man/mosquitto_sub.1.xml
index 88a24c68..824fe9c4 100644
--- a/man/mosquitto_sub.1.xml
+++ b/man/mosquitto_sub.1.xml
@@ -559,12 +559,10 @@
Choose which TLS protocol version to use when
communicating with the broker. Valid options are
- , and
- . The default value is
- . If the installed version of
- openssl is too old, only will be
- available. Must match the protocol version used by the
- broker.
+ , and
+ . The default value is
+ . Must match the protocol
+ version used by the broker.
diff --git a/mosquitto.conf b/mosquitto.conf
index 2927a610..ed71c7f4 100644
--- a/mosquitto.conf
+++ b/mosquitto.conf
@@ -274,8 +274,8 @@
#keyfile
# This option defines the version of the TLS protocol to use for this listener.
-# The default value allows v1.2, v1.1 and v1.0. The valid values are tlsv1.2
-# tlsv1.1 and tlsv1.
+# The default value allows all of v1.3, v1.2 and v1.1. The valid values are
+# tlsv1.3 tlsv1.2 and tlsv1.1.
#tls_version
# By default a TLS enabled listener will operate in a similar fashion to a
diff --git a/src/net.c b/src/net.c
index d6220a0f..c3c682f4 100644
--- a/src/net.c
+++ b/src/net.c
@@ -327,13 +327,16 @@ static int mosquitto__tls_server_ctx(struct mosquitto__listener *listener)
}
if(listener->tls_version == NULL){
- SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3);
+ SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
+ }else if(!strcmp(listener->tls_version, "tlsv1.3")){
+ SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
}else if(!strcmp(listener->tls_version, "tlsv1.2")){
- SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1);
+ SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_3);
}else if(!strcmp(listener->tls_version, "tlsv1.1")){
- SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1);
- }else if(!strcmp(listener->tls_version, "tlsv1")){
- SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_1);
+ SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3);
+ }else{
+ log__printf(NULL, MOSQ_LOG_ERR, "Error: Unsupported tls_version \"%s\".", listener->tls_version);
+ return 1;
}
#ifdef SSL_OP_NO_COMPRESSION
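Review bot: Each branch pins a version by switching off every other version by name, so the `tlsv1.3` branch has no upper bound and every future protocol bit must be added to each branch, as this commit already had to do with `SSL_OP_NO_TLSv1_3`. The interface also cannot express a floor such as "1.2 or newer"; the only multi-version setting is leaving `tls_version` unset, which still admits TLS v1.1. Where the minimum supported OpenSSL is 1.1.0 or later, `SSL_CTX_set_min_proto_version(listener->ssl_ctx, TLS1_2_VERSION);` with a matching `SSL_CTX_set_max_proto_version()` call states the intent directly. The new `else` branch that rejects unknown values is a sound addition. mosquitto__tls_server_ctx() starts and ends outside the hunk, so whether `listener->ssl_ctx` is released on that `return 1` cannot be seen here.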