Don't use TLS v1.1 by default.

pull/2345/merge
Roger A. Light 3 years ago
parent e123f661c8
commit d64331603c

@ -70,6 +70,9 @@ Broker:
Previously update intervals were aligned to the time the broker was started. Previously update intervals were aligned to the time the broker was started.
- Add `log_dest android` for logging to the Android logd daemon. - Add `log_dest android` for logging to the Android logd daemon.
- Fix some retained topic memory not being cleared immediately after used. - Fix some retained topic memory not being cleared immediately after used.
- TLS v1.1 now not enabled by default. It is still possible to explicitly
choose TLS v1.1, but this is not recommended and will be removed in a future
version.
Plugins / plugin interface: Plugins / plugin interface:
- Add persist-sqlite plugin. - Add persist-sqlite plugin.
@ -153,6 +156,9 @@ Client library:
- `mosquitto_property_read_binary/string/string_pair` will now set the - `mosquitto_property_read_binary/string/string_pair` will now set the
name/value parameter to NULL if the binary/string is empty. This aligns the name/value parameter to NULL if the binary/string is empty. This aligns the
behaviour with other property functions. Closes #2648. behaviour with other property functions. Closes #2648.
- TLS v1.1 now not enabled by default. It is still possible to explicitly
choose TLS v1.1, but this is not recommended and will be removed in a future
version.
Clients: Clients:
- Add `-W` timeout support to Windows. - Add `-W` timeout support to Windows.
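Review bot: this Client library entry is a verbatim copy of the Broker entry, but it describes a different surface, the library default applied when `mosq->tls_version` is unset (see the `net__init_ssl_ctx` hunk below), so it should say so: suggest "TLS v1.1 is no longer enabled by default in the client library when no TLS version is set; applications that must still talk to a TLS v1.1-only broker have to request it explicitly, which is not recommended and will be removed in a future version." Without that, a library user cannot tell whether the note applies to them or only to the broker.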

@ -697,7 +697,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
#endif #endif
if(!mosq->tls_version){ if(!mosq->tls_version){
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1); SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
#ifdef SSL_OP_NO_TLSv1_3 #ifdef SSL_OP_NO_TLSv1_3
}else if(!strcmp(mosq->tls_version, "tlsv1.3")){ }else if(!strcmp(mosq->tls_version, "tlsv1.3")){
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2); SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
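Review bot: the default branch now disables TLS v1.1 but the explicit `tlsv1.1` branch (outside this hunk) is still reachable, and nothing in the change emits a deprecation warning when it is taken, even though the ChangeLog promises removal in a future version; suggest logging a warning at the point where `mosq->tls_version` compares equal to "tlsv1.1" so users see the notice before the option disappears. As a style point, the accumulating `SSL_OP_NO_*` masks are easy to get wrong when a new branch is added; on OpenSSL 1.1.0 and later `SSL_CTX_set_min_proto_version(mosq->ssl_ctx, TLS1_2_VERSION)` expresses "minimum TLS 1.2" directly and would make the default and each explicit branch one line each, with the existing `#ifdef SSL_OP_NO_TLSv1_3` guard only needed for the 1.3 case.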

@ -1670,7 +1670,7 @@ openssl dhparam -out dhparam.pem 2048</programlisting>
<replaceable>tlsv1.3</replaceable>, <replaceable>tlsv1.3</replaceable>,
<replaceable>tlsv1.2</replaceable> and <replaceable>tlsv1.2</replaceable> and
<replaceable>tlsv1.1</replaceable>. If left unset, <replaceable>tlsv1.1</replaceable>. If left unset,
the default of allowing TLS v1.3 and v1.2.</para> the default is to allow TLS v1.3 and v1.2.</para>
<para>In Mosquitto version 1.6.x and earlier, this <para>In Mosquitto version 1.6.x and earlier, this
option set the only TLS protocol version that option set the only TLS protocol version that
was allowed, rather than the minimum.</para> was allowed, rather than the minimum.</para>
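Review bot: the documentation still lists `tlsv1.1` as an accepted value without marking it deprecated, while the ChangeLog in this same commit says it will be removed; suggest changing the list sentence to "... and <replaceable>tlsv1.1</replaceable> (deprecated, will be removed in a future version)". It is also worth stating that the "TLS v1.3 and v1.2" default depends on the OpenSSL build: the code hunks only add the v1.3 branch under `#ifdef SSL_OP_NO_TLSv1_3`, so on an OpenSSL without TLS 1.3 the effective default is v1.2 only. The grammar fix from "the default of allowing" to "the default is to allow" is correct.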

@ -377,7 +377,7 @@ int net__tls_server_ctx(struct mosquitto__listener *listener)
#endif #endif
if(listener->tls_version == NULL){ if(listener->tls_version == NULL){
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1); SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
#ifdef SSL_OP_NO_TLSv1_3 #ifdef SSL_OP_NO_TLSv1_3
}else if(!strcmp(listener->tls_version, "tlsv1.3")){ }else if(!strcmp(listener->tls_version, "tlsv1.3")){
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2); SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
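Review bot: this hunk is the listener-side copy of the exact same version-selection logic changed in `net__init_ssl_ctx` above, and the two had to be edited in lockstep for a one-flag change; suggest moving the `tls_version` string to `SSL_CTX_set_options` mapping into one shared helper that takes the `SSL_CTX *` and the version string, so the broker and client defaults cannot drift apart again (the next removal of `tlsv1.1` would otherwise be a two-file edit). The same deprecation warning requested for the library branch applies to the listener's explicit `tlsv1.1` branch, which is where operators who pinned `tls_version tlsv1.1` in mosquitto.conf will need to see it.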
