TLS-PSK mismatch fix.

Produce an error if a TLS-PSK client tries to connect to a broker
that is not configured with TLS-PSK.
pull/2343/head
Roger A. Light 4 years ago
parent fc4099eafa
commit a37c8e65d2

@ -7,6 +7,13 @@ Broker:
users this is not a risk. Closes #567213. users this is not a risk. Closes #567213.
- Fix `max_connections` option not being correctly counted. - Fix `max_connections` option not being correctly counted.
Client library:
- If a client uses TLS-PSK then force the default cipher list to use "PSK"
ciphers only. This means that a client connecting to a broker configured
with x509 certificates only will now fail. Prior to this, the client would
connect successfully without verifying certificates, because they were not
configured.
Clients: Clients:
- mosquitto_sub and mosquitto_rr now open stdout in binary mode on Windows - mosquitto_sub and mosquitto_rr now open stdout in binary mode on Windows
so binary payloads are not modified when printing. so binary payloads are not modified when printing.
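Review bot: the new Client library entry states the behaviour change but not how to override it, even though the accompanying code only applies the "PSK" list when `tls_ciphers` is unset. Operators whose clients start failing against certificate-only brokers after upgrading will want to know that the default is skipped when `tls_ciphers` is set explicitly; suggest ending the entry with a sentence such as "Setting `tls_ciphers` explicitly overrides this default."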

@ -857,6 +857,9 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
#ifdef FINAL_WITH_TLS_PSK #ifdef FINAL_WITH_TLS_PSK
}else if(mosq->tls_psk){ }else if(mosq->tls_psk){
SSL_CTX_set_psk_client_callback(mosq->ssl_ctx, psk_client_callback); SSL_CTX_set_psk_client_callback(mosq->ssl_ctx, psk_client_callback);
if(mosq->tls_ciphers == NULL){
SSL_CTX_set_cipher_list(mosq->ssl_ctx, "PSK");
}
#endif #endif
} }
} }
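Review bot: the return value of `SSL_CTX_set_cipher_list(mosq->ssl_ctx, "PSK")` is ignored. That call returns 0 when none of the requested ciphers can be selected (for example an OpenSSL build without PSK cipher suites), and in that case the context keeps its previous cipher list, so the client would still negotiate certificate ciphers and the mismatch this commit is meant to turn into an error would go unnoticed. Suggest checking the result and failing the context setup, e.g. `if(SSL_CTX_set_cipher_list(mosq->ssl_ctx, "PSK") != 1){ /* log and return an error */ }`, so a missing PSK capability is reported rather than silently falling back.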
