Add explicit support for TLS v1.3 and drop TLS v1.0.
parent
130ddf47f7
commit
1924afe49e
@ -14,11 +14,15 @@ Broker features:
|
||||
- Add improved bridge restart interval based on Decorrelated Jitter.
|
||||
- Add `dhparamfile` option, to allow DH parameters to be loaded for Ephemeral
|
||||
DH support
|
||||
- Add explicit support for TLS v1.3.
|
||||
- Drop support for TLS v1.0.
|
||||
|
||||
Client library features:
|
||||
- Add mosquitto_subscribe_multiple() for sending subscriptions to multiple
|
||||
topics in one command.
|
||||
- Add TLS Engine support.
|
||||
- Add explicit support for TLS v1.3.
|
||||
- Drop support for TLS v1.0.
|
||||
|
||||
Client features:
|
||||
- Add -E to mosquitto_sub, which causes it to exit immediately after having
|
||||
@ -26,6 +30,8 @@ Client features:
|
||||
session without requiring a message to be received.
|
||||
- -V now accepts `5, `311`, `31`, as well as `mqttv5` etc.
|
||||
- Add TLS Engine support.
|
||||
- Add explicit support for TLS v1.3.
|
||||
- Drop support for TLS v1.0.
|
||||
|
||||
Client fixes:
|
||||
- mosquitto_pub wouldn't always publish all messages when using `-l` and
|
||||
|
@ -182,7 +182,7 @@ void print_usage(void)
|
||||
printf(" --key : client private key for authentication, if required by server.\n");
|
||||
printf(" --keyform : keyfile type, can be either \"pem\" or \"engine\".\n");
|
||||
printf(" --ciphers : openssl compatible list of TLS ciphers to support.\n");
|
||||
printf(" --tls-version : TLS protocol version, can be one of tlsv1.2 tlsv1.1 or tlsv1.\n");
|
||||
printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 tlsv1.2 or tlsv1.1.\n");
|
||||
printf(" Defaults to tlsv1.2 if available.\n");
|
||||
printf(" --insecure : do not check that the server certificate hostname matches the remote\n");
|
||||
printf(" hostname. Using this option means that you cannot be sure that the\n");
|
||||
|
@ -214,7 +214,7 @@ void print_usage(void)
|
||||
printf(" --key : client private key for authentication, if required by server.\n");
|
||||
printf(" --keyform : keyfile type, can be either \"pem\" or \"engine\".\n");
|
||||
printf(" --ciphers : openssl compatible list of TLS ciphers to support.\n");
|
||||
printf(" --tls-version : TLS protocol version, can be one of tlsv1.2 tlsv1.1 or tlsv1.\n");
|
||||
printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 tlsv1.2 or tlsv1.1.\n");
|
||||
printf(" Defaults to tlsv1.2 if available.\n");
|
||||
printf(" --insecure : do not check that the server certificate hostname matches the remote\n");
|
||||
printf(" hostname. Using this option means that you cannot be sure that the\n");
|
||||
|
@ -531,13 +531,13 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
|
||||
}
|
||||
|
||||
if(!mosq->tls_version){
|
||||
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3);
|
||||
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
|
||||
}else if(!strcmp(mosq->tls_version, "tlsv1.3")){
|
||||
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
|
||||
}else if(!strcmp(mosq->tls_version, "tlsv1.2")){
|
||||
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1);
|
||||
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_3);
|
||||
}else if(!strcmp(mosq->tls_version, "tlsv1.1")){
|
||||
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1);
|
||||
}else if(!strcmp(mosq->tls_version, "tlsv1")){
|
||||
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_1);
|
||||
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3);
|
||||
}else{
|
||||
log__printf(mosq, MOSQ_LOG_ERR, "Error: Protocol %s not supported.", mosq->tls_version);
|
||||
COMPAT_CLOSE(mosq->sock);
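Review bot: The new `tlsv1.3` branch and the rewritten `tlsv1.2`/`tlsv1.1` branches match with strcmp, while mosquitto_tls_opts_set validates the same strings with strcasecmp, so a caller that passes `TLSv1.3` gets success from the setter and then `Error: Protocol TLSv1.3 not supported.` plus a closed socket from this function; using `strcasecmp` in these three comparisons, or lower-casing the value when it is stored, keeps the two in step. Separately, `SSL_OP_NO_TLSv1_3` on the tlsv1.2 and tlsv1.1 lines is referenced unguarded, and that macro only exists from OpenSSL 1.1.1, so unless a compatibility define lives elsewhere in the file the library stops building against 1.1.0/1.0.2. A shim near the includes, `#ifndef SSL_OP_NO_TLSv1_3` / `#define SSL_OP_NO_TLSv1_3 0` / `#endif`, keeps those builds working, with the tlsv1.3 branch itself placed under `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` so that on an older library the value falls through to the existing "not supported" error instead of producing a context that admits no protocol. net__init_ssl_ctx starts and ends outside the hunk.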
|
||||
|
@ -199,9 +199,9 @@ int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs, const char *tl
|
||||
|
||||
mosq->tls_cert_reqs = cert_reqs;
|
||||
if(tls_version){
|
||||
if(!strcasecmp(tls_version, "tlsv1.2")
|
||||
|| !strcasecmp(tls_version, "tlsv1.1")
|
||||
|| !strcasecmp(tls_version, "tlsv1")){
|
||||
if(!strcasecmp(tls_version, "tlsv1.3")
|
||||
|| !strcasecmp(tls_version, "tlsv1.2")
|
||||
|| !strcasecmp(tls_version, "tlsv1.1")){
|
||||
|
||||
mosq->tls_version = mosquitto__strdup(tls_version);
|
||||
if(!mosq->tls_version) return MOSQ_ERR_NOMEM;
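Review bot: `tlsv1.3` is now accepted here unconditionally, but whether the linked OpenSSL can speak TLS 1.3 is only known at compile time (the `SSL_OP_NO_TLSv1_3` option first appears in OpenSSL 1.1.1), so on an older library, once the dispatch in net__init_ssl_ctx is made to build against it, this call returns success and the failure only surfaces at connect time. Wrapping the `!strcasecmp(tls_version, "tlsv1.3") ||` operand in `#ifdef SSL_OP_NO_TLSv1_3` … `#endif` turns that into MOSQ_ERR_INVAL at option-set time, which is where a caller can act on it. Note also that this validation is case-insensitive while the per-connection dispatch compares with strcmp, so a value such as `TLSv1.2` passes here and is rejected later; storing the canonical lowercase spelling, or using the same comparison in both places, closes that gap. mosquitto_tls_opts_set continues past the end of the hunk.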
|
||||
|
@ -1111,11 +1111,11 @@ openssl dhparam -out dhparam.pem 2048</programlisting>
|
||||
<listitem>
|
||||
<para>Configure the version of the TLS protocol to be
|
||||
used for this listener. Possible values are
|
||||
<replaceable>tlsv1.2</replaceable>,
|
||||
<replaceable>tlsv1.1</replaceable> and
|
||||
<replaceable>tlsv1</replaceable>. If left unset,
|
||||
the default of allowing all of TLS v1.2, v1.1 and
|
||||
v1.0 is used.</para>
|
||||
<replaceable>tlsv1.3</replaceable>,
|
||||
<replaceable>tlsv1.2</replaceable> and
|
||||
<replaceable>tlsv1.1</replaceable>. If left unset,
|
||||
the default of allowing all of TLS v1.3, v1.2 and
|
||||
v1.1 is used.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
@ -1194,11 +1194,11 @@ openssl dhparam -out dhparam.pem 2048</programlisting>
|
||||
<listitem>
|
||||
<para>Configure the version of the TLS protocol to be
|
||||
used for this listener. Possible values are
|
||||
<replaceable>tlsv1.2</replaceable>,
|
||||
<replaceable>tlsv1.1</replaceable> and
|
||||
<replaceable>tlsv1</replaceable>. If left unset,
|
||||
the default of allowing all of TLS v1.2, v1.1 and
|
||||
v1.0 is used.</para>
|
||||
<replaceable>tlsv1.3</replaceable>,
|
||||
<replaceable>tlsv1.2</replaceable> and
|
||||
<replaceable>tlsv1.1</replaceable>. If left unset,
|
||||
the default of allowing all of TLS v1.3, v1.2 and
|
||||
v1.1 is used.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
@ -1707,9 +1707,9 @@ topic clients/total in 0 test/mosquitto/org $SYS/broker/
|
||||
<listitem>
|
||||
<para>Configure the version of the TLS protocol to be
|
||||
used for this bridge. Possible values are
|
||||
<replaceable>tlsv1.2</replaceable>,
|
||||
<replaceable>tlsv1.1</replaceable> and
|
||||
<replaceable>tlsv1</replaceable>. Defaults to
|
||||
<replaceable>tlsv1.3</replaceable>,
|
||||
<replaceable>tlsv1.2</replaceable> and
|
||||
<replaceable>tlsv1.1</replaceable>. Defaults to
|
||||
<replaceable>tlsv1.2</replaceable>. The remote
|
||||
broker must support the same version of TLS for the
|
||||
connection to succeed.</para>
|
||||
|
@ -480,12 +480,10 @@
|
||||
<listitem>
|
||||
<para>Choose which TLS protocol version to use when
|
||||
communicating with the broker. Valid options are
|
||||
<option>tlsv1.2</option>, <option>tlsv1.1</option> and
|
||||
<option>tlsv1</option>. The default value is
|
||||
<option>tlsv1.2</option>. If the installed version of
|
||||
openssl is too old, only <option>tlsv1</option> will be
|
||||
available. Must match the protocol version used by the
|
||||
broker.</para>
|
||||
<option>tlsv1.3</option>, <option>tlsv1.2</option> and
|
||||
<option>tlsv1.1</option>. The default value is
|
||||
<option>tlsv1.2</option>. Must match the protocol
|
||||
version used by the broker.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
|
@ -559,12 +559,10 @@
|
||||
<listitem>
|
||||
<para>Choose which TLS protocol version to use when
|
||||
communicating with the broker. Valid options are
|
||||
<option>tlsv1.2</option>, <option>tlsv1.1</option> and
|
||||
<option>tlsv1</option>. The default value is
|
||||
<option>tlsv1.2</option>. If the installed version of
|
||||
openssl is too old, only <option>tlsv1</option> will be
|
||||
available. Must match the protocol version used by the
|
||||
broker.</para>
|
||||
<option>tlsv1.3</option>, <option>tlsv1.2</option> and
|
||||
<option>tlsv1.1</option>. The default value is
|
||||
<option>tlsv1.2</option>. Must match the protocol
|
||||
version used by the broker.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
|
@ -274,8 +274,8 @@
|
||||
#keyfile
|
||||
|
||||
# This option defines the version of the TLS protocol to use for this listener.
|
||||
# The default value allows v1.2, v1.1 and v1.0. The valid values are tlsv1.2
|
||||
# tlsv1.1 and tlsv1.
|
||||
# The default value allows all of v1.3, v1.2 and v1.1. The valid values are
|
||||
# tlsv1.3 tlsv1.2 and tlsv1.1.
|
||||
#tls_version
|
||||
|
||||
# By default a TLS enabled listener will operate in a similar fashion to a
|
||||
|
13
src/net.c
13
src/net.c
@ -327,13 +327,16 @@ static int mosquitto__tls_server_ctx(struct mosquitto__listener *listener)
|
||||
}
|
||||
|
||||
if(listener->tls_version == NULL){
|
||||
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3);
|
||||
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
|
||||
}else if(!strcmp(listener->tls_version, "tlsv1.3")){
|
||||
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
|
||||
}else if(!strcmp(listener->tls_version, "tlsv1.2")){
|
||||
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1);
|
||||
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_3);
|
||||
}else if(!strcmp(listener->tls_version, "tlsv1.1")){
|
||||
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1);
|
||||
}else if(!strcmp(listener->tls_version, "tlsv1")){
|
||||
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_1);
|
||||
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3);
|
||||
}else{
|
||||
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unsupported tls_version \"%s\".", listener->tls_version);
|
||||
return 1;
|
||||
}
|
||||
|
||||
#ifdef SSL_OP_NO_COMPRESSION
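Review bot: The `tlsv1.3` branch is compiled unconditionally and the `tlsv1.2`/`tlsv1.1` lines reference `SSL_OP_NO_TLSv1_3`, a macro that first appears in OpenSSL 1.1.1, so unless a compatibility define exists elsewhere in the file the broker no longer builds against 1.1.0 or 1.0.2; and against a 1.1.1 configured with `no-tls1_3` a listener set to `tls_version tlsv1.3` is accepted at startup yet clears every protocol bit, so the misconfiguration only shows up as failed handshakes. Defining the missing option to 0 and compiling the tlsv1.3 branch only when the library can provide it lets the unsupported value fall through to the existing `Unsupported tls_version` error, which is reported at config load where an operator will see it. The blacklist shape also means any protocol version a future OpenSSL adds is admitted by default; `SSL_CTX_set_min_proto_version(listener->ssl_ctx, TLS1_1_VERSION)` (available from 1.1.0) would state the intended floor directly, if that is preferred. mosquitto__tls_server_ctx begins before the hunk and continues after it.
```c
/* Older OpenSSL has no TLS 1.3 and no SSL_OP_NO_TLSv1_3; make the option a no-op there. */
#ifndef SSL_OP_NO_TLSv1_3
#  define SSL_OP_NO_TLSv1_3 0
#endif
/* … unchanged: mosquitto__tls_server_ctx up to the version dispatch … */
	if(listener->tls_version == NULL){
		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(OPENSSL_NO_TLS1_3)
	}else if(!strcmp(listener->tls_version, "tlsv1.3")){
		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
#endif
	}else if(!strcmp(listener->tls_version, "tlsv1.2")){
	/* … unchanged: tlsv1.2, tlsv1.1 and error branches … */
```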
|
||||
|