Disable TLS 1.3 when using TLS-PSK, because it isn't correctly config'd.

pull/2343/head
Roger A. Light 4 years ago
parent 0143db71a1
commit ea371564e7

@ -8,6 +8,7 @@ Broker:
- Fix `max_connections` option not being correctly counted.
- Fix TLS certificates and TLS-PSK not being able to be configured at the same
time.
- Disable TLS v1.3 when using TLS-PSK, because it isn't correctly configured.
Client library:
- If a client uses TLS-PSK then force the default cipher list to use "PSK"
@ -15,6 +16,7 @@ Client library:
with x509 certificates only will now fail. Prior to this, the client would
connect successfully without verifying certificates, because they were not
configured.
- Disable TLS v1.3 when using TLS-PSK, because it isn't correctly configured.
Clients:
- mosquitto_sub and mosquitto_rr now open stdout in binary mode on Windows

@ -698,8 +698,14 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
}
}
#ifdef SSL_OP_NO_TLSv1_3
if(mosq->tls_psk){
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_TLSv1_3);
}
#endif
if(!mosq->tls_version){
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
#ifdef SSL_OP_NO_TLSv1_3
}else if(!strcmp(mosq->tls_version, "tlsv1.3")){
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);

@ -329,21 +329,28 @@ int net__tls_server_ctx(struct mosquitto__listener *listener)
return MOSQ_ERR_TLS;
}
#ifdef SSL_OP_NO_TLSv1_3
if(db.config->per_listener_settings){
if(listener->security_options.psk_file){
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_TLSv1_3);
}
}else{
if(db.config->security_options.psk_file){
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_TLSv1_3);
}
}
#endif
if(listener->tls_version == NULL){
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
#ifdef SSL_OP_NO_TLSv1_3
}else if(!strcmp(listener->tls_version, "tlsv1.3")){
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
#endif
}else if(!strcmp(listener->tls_version, "tlsv1.2")){
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
}else if(!strcmp(listener->tls_version, "tlsv1.1")){
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
#else
}else if(!strcmp(listener->tls_version, "tlsv1.2")){
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
}else if(!strcmp(listener->tls_version, "tlsv1.1")){
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
#endif
}else{
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unsupported tls_version \"%s\".", listener->tls_version);
return MOSQ_ERR_TLS;
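Review bot: The PSK guard at L42-L50 and the explicit `tlsv1.3` branch at L55-L56 can both apply to the same listener, and together they set every option from SSL_OP_NO_SSLv3 through SSL_OP_NO_TLSv1_3, so a listener configured with `psk_file` and `tls_version tlsv1.3` starts up without complaint and then fails every handshake with an opaque OpenSSL error instead of a configuration error. The conflict is detectable inside the `tlsv1.3` branch with SSL_CTX_get_options and should be logged and rejected with MOSQ_ERR_TLS, matching the unsupported-version case at L69-L70. The same combination is possible in net__init_ssl_ctx in the client-library hunk, where a TLS-PSK client that asks for `tlsv1.3` is likewise left with no usable protocol version. The new block also has no why-comment; suggest `/* TLS 1.3 negotiates PSK differently and this code does not configure it, so PSK listeners are limited to TLS 1.2 and below. */` above the `#ifdef SSL_OP_NO_TLSv1_3` at L41.
```c
	}else if(!strcmp(listener->tls_version, "tlsv1.3")){
		/* The PSK block above already cleared TLS 1.3; reject the contradictory config rather than leave no version enabled. */
		if(SSL_CTX_get_options(listener->ssl_ctx) & SSL_OP_NO_TLSv1_3){
			log__printf(NULL, MOSQ_LOG_ERR, "Error: tls_version \"tlsv1.3\" cannot be used with psk_file.");
			return MOSQ_ERR_TLS;
		}
		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
	/* … unchanged: tlsv1.2 / tlsv1.1 / unsupported-version branches … */
```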
@ -903,8 +910,8 @@ int net__socket_listen(struct mosquitto__listener *listener)
return 1;
}
}
# endif /* FINAL_WITH_TLS_PSK */
}
# endif /* FINAL_WITH_TLS_PSK */
#endif /* WITH_TLS */
return 0;
}else{
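Review bot: One of the two `# endif /* FINAL_WITH_TLS_PSK */` lines at L75 and L77 moves across the closing brace at L76, which changes which `}` is compiled when FINAL_WITH_TLS_PSK is undefined, and neither the commit title nor the ChangeLog entries mention it. If this is a brace-pairing fix for non-PSK builds, a sentence in the commit description or a separate commit would make the intent reviewable; the direction of the move cannot be confirmed from the rendered hunk alone. net__socket_listen continues outside the hunk on both sides.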
