Disable TLS 1.3 when using TLS-PSK, because it isn't correctly config'd.

pull/2343/head
Roger A. Light 4 years ago
parent 0143db71a1
commit ea371564e7

@ -8,6 +8,7 @@ Broker:
- Fix `max_connections` option not being correctly counted. - Fix `max_connections` option not being correctly counted.
- Fix TLS certificates and TLS-PSK not being able to be configured at the same - Fix TLS certificates and TLS-PSK not being able to be configured at the same
time. time.
- Disable TLS v1.3 when using TLS-PSK, because it isn't correctly configured.
Client library: Client library:
- If a client uses TLS-PSK then force the default cipher list to use "PSK" - If a client uses TLS-PSK then force the default cipher list to use "PSK"
@ -15,6 +16,7 @@ Client library:
with x509 certificates only will now fail. Prior to this, the client would with x509 certificates only will now fail. Prior to this, the client would
connect successfully without verifying certificates, because they were not connect successfully without verifying certificates, because they were not
configured. configured.
- Disable TLS v1.3 when using TLS-PSK, because it isn't correctly configured.
Clients: Clients:
- mosquitto_sub and mosquitto_rr now open stdout in binary mode on Windows - mosquitto_sub and mosquitto_rr now open stdout in binary mode on Windows

@ -698,8 +698,14 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
} }
} }
#ifdef SSL_OP_NO_TLSv1_3
if(mosq->tls_psk){
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_TLSv1_3);
}
#endif
if(!mosq->tls_version){ if(!mosq->tls_version){
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1); SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
#ifdef SSL_OP_NO_TLSv1_3 #ifdef SSL_OP_NO_TLSv1_3
}else if(!strcmp(mosq->tls_version, "tlsv1.3")){ }else if(!strcmp(mosq->tls_version, "tlsv1.3")){
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2); SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
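Review bot: With `mosq->tls_psk` set, the new `SSL_OP_NO_TLSv1_3` bit stacks with the explicit-version branches below it, so a client configured with both PSK and `tls_version "tlsv1.3"` ends up with every protocol version disabled and only finds out at handshake time with an opaque OpenSSL error; `net__tls_server_ctx` in src/net.c has the same gap for `psk_file` combined with `tlsv1.3`. Because `SSL_CTX_set_options` only ever adds bits, the combination should be rejected up front on the same path the unsupported-version branch uses, e.g. `if(mosq->tls_psk && mosq->tls_version && !strcmp(mosq->tls_version, "tlsv1.3")){ log__printf(mosq, MOSQ_LOG_ERR, "Error: TLS-PSK is not supported with tlsv1.3."); return MOSQ_ERR_TLS; }`, with a one-line comment at the `#ifdef` recording why 1.3 is excluded for PSK. The `if(!mosq->tls_version)` row also appears to drop `SSL_OP_NO_TLSv1_1` on its new side, which would re-enable TLS 1.1 by default for the library; if that is a real change rather than a rendering artefact it is unrelated to this commit and should either be reverted or called out in the ChangeLog. `net__init_ssl_ctx` starts outside the hunk.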

@ -329,21 +329,28 @@ int net__tls_server_ctx(struct mosquitto__listener *listener)
return MOSQ_ERR_TLS; return MOSQ_ERR_TLS;
} }
#ifdef SSL_OP_NO_TLSv1_3
if(db.config->per_listener_settings){
if(listener->security_options.psk_file){
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_TLSv1_3);
}
}else{
if(db.config->security_options.psk_file){
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_TLSv1_3);
}
}
#endif
if(listener->tls_version == NULL){ if(listener->tls_version == NULL){
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1); SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
#ifdef SSL_OP_NO_TLSv1_3 #ifdef SSL_OP_NO_TLSv1_3
}else if(!strcmp(listener->tls_version, "tlsv1.3")){ }else if(!strcmp(listener->tls_version, "tlsv1.3")){
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2); SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
#endif
}else if(!strcmp(listener->tls_version, "tlsv1.2")){ }else if(!strcmp(listener->tls_version, "tlsv1.2")){
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1); SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
}else if(!strcmp(listener->tls_version, "tlsv1.1")){ }else if(!strcmp(listener->tls_version, "tlsv1.1")){
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1); SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
#else
}else if(!strcmp(listener->tls_version, "tlsv1.2")){
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
}else if(!strcmp(listener->tls_version, "tlsv1.1")){
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
#endif
}else{ }else{
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unsupported tls_version \"%s\".", listener->tls_version); log__printf(NULL, MOSQ_LOG_ERR, "Error: Unsupported tls_version \"%s\".", listener->tls_version);
return MOSQ_ERR_TLS; return MOSQ_ERR_TLS;
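Review bot: The TLS 1.3 exclusion in the new `#ifdef SSL_OP_NO_TLSv1_3` block keys only on `psk_file`, so a listener that also has certificates configured (the combination the ChangeLog entry above says is now allowed) loses TLS 1.3 for its certificate-authenticated clients too, and nothing in the code says why; the reason lives only in the commit message. Add a comment above the block such as `/* PSK is only wired up for TLS <= 1.2 (TLS 1.3 negotiates PSKs and ciphersuites differently), so cap PSK-enabled listeners at 1.2 even when certificates are also configured */`. The two branches differ only in which `security_options` is consulted and collapse to one check, `if(db.config->per_listener_settings ? listener->security_options.psk_file : db.config->security_options.psk_file){ SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_TLSv1_3); }`. `net__tls_server_ctx` starts and ends outside the hunk.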
@ -903,8 +910,8 @@ int net__socket_listen(struct mosquitto__listener *listener)
return 1; return 1;
} }
} }
# endif /* FINAL_WITH_TLS_PSK */
} }
# endif /* FINAL_WITH_TLS_PSK */
#endif /* WITH_TLS */ #endif /* WITH_TLS */
return 0; return 0;
}else{ }else{
