Don't use TLS v1.1 by default.

pull/2345/merge
Roger A. Light 3 years ago
parent e123f661c8
commit d64331603c

@ -70,6 +70,9 @@ Broker:
Previously update intervals were aligned to the time the broker was started.
- Add `log_dest android` for logging to the Android logd daemon.
- Fix some retained topic memory not being cleared immediately after used.
- TLS v1.1 now not enabled by default. It is still possible to explicitly
choose TLS v1.1, but this is not recommended and will be removed in a future
version.
Plugins / plugin interface:
- Add persist-sqlite plugin.
@ -153,6 +156,9 @@ Client library:
- `mosquitto_property_read_binary/string/string_pair` will now set the
name/value parameter to NULL if the binary/string is empty. This aligns the
behaviour with other property functions. Closes #2648.
- TLS v1.1 now not enabled by default. It is still possible to explicitly
choose TLS v1.1, but this is not recommended and will be removed in a future
version.
Clients:
- Add `-W` timeout support to Windows.

@ -697,7 +697,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
#endif
if(!mosq->tls_version){
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
#ifdef SSL_OP_NO_TLSv1_3
}else if(!strcmp(mosq->tls_version, "tlsv1.3")){
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
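Review bot: The new default on the `SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);` line expresses the protocol floor as a blocklist of `SSL_OP_NO_*` flags, and that same three-flag list is now repeated verbatim in the `net__tls_server_ctx` hunk below, so the next bump (dropping TLS v1.2) has to be made in two places and can silently drift between client library and broker. On OpenSSL 1.1.0 and later the intent reads more directly as a minimum, `SSL_CTX_set_min_proto_version(mosq->ssl_ctx, TLS1_2_VERSION);`, guarded for older builds the same way the file already guards `SSL_OP_NO_TLSv1_3`; failing that, a single shared macro for the default option mask would keep the two contexts in step. The ChangeLog hunk describes explicitly choosing `tlsv1.1` as deprecated, but the branch that handles that string lies outside this hunk and nothing visible here logs a deprecation warning when it is taken, so it is worth confirming one is emitted before the option is removed. Both `net__init_ssl_ctx` and `net__tls_server_ctx` continue outside their hunks.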

@ -1670,7 +1670,7 @@ openssl dhparam -out dhparam.pem 2048</programlisting>
<replaceable>tlsv1.3</replaceable>,
<replaceable>tlsv1.2</replaceable> and
<replaceable>tlsv1.1</replaceable>. If left unset,
the default of allowing TLS v1.3 and v1.2.</para>
the default is to allow TLS v1.3 and v1.2.</para>
<para>In Mosquitto version 1.6.x and earlier, this
option set the only TLS protocol version that
was allowed, rather than the minimum.</para>

@ -377,7 +377,7 @@ int net__tls_server_ctx(struct mosquitto__listener *listener)
#endif
if(listener->tls_version == NULL){
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
#ifdef SSL_OP_NO_TLSv1_3
}else if(!strcmp(listener->tls_version, "tlsv1.3")){
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
