From 1924afe49ed2375bf3c78c3d4ac6f60f7d7be2ea Mon Sep 17 00:00:00 2001 From: "Roger A. Light" Date: Wed, 27 Feb 2019 22:50:01 +0000 Subject: [PATCH] Add explicit support for TLS v1.3 and drop TLS v1.0. --- ChangeLog.txt | 6 ++++++ client/pub_client.c | 2 +- client/sub_client.c | 2 +- lib/net_mosq.c | 10 +++++----- lib/options.c | 6 +++--- man/mosquitto.conf.5.xml | 26 +++++++++++++------------- man/mosquitto_pub.1.xml | 10 ++++------ man/mosquitto_sub.1.xml | 10 ++++------ mosquitto.conf | 4 ++-- src/net.c | 13 ++++++++----- 10 files changed, 47 insertions(+), 42 deletions(-) diff --git a/ChangeLog.txt b/ChangeLog.txt index c2322855..e850c2c5 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt @@ -14,11 +14,15 @@ Broker features: - Add improved bridge restart interval based on Decorrelated Jitter. - Add `dhparamfile` option, to allow DH parameters to be loaded for Ephemeral DH support +- Add explicit support for TLS v1.3. +- Drop support for TLS v1.0. Client library features: - Add mosquitto_subscribe_multiple() for sending subscriptions to multiple topics in one command. - Add TLS Engine support. +- Add explicit support for TLS v1.3. +- Drop support for TLS v1.0. Client features: - Add -E to mosquitto_sub, which causes it to exit immediately after having @@ -26,6 +30,8 @@ Client features: session without requiring a message to be received. - -V now accepts `5, `311`, `31`, as well as `mqttv5` etc. - Add TLS Engine support. +- Add explicit support for TLS v1.3. +- Drop support for TLS v1.0. Client fixes: - mosquitto_pub wouldn't always publish all messages when using `-l` and diff --git a/client/pub_client.c b/client/pub_client.c index 404f7885..bb8e14f6 100644 --- a/client/pub_client.c +++ b/client/pub_client.c @@ -182,7 +182,7 @@ void print_usage(void) printf(" --key : client private key for authentication, if required by server.\n"); printf(" --keyform : keyfile type, can be either \"pem\" or \"engine\".\n"); printf(" --ciphers : openssl compatible list of TLS ciphers to support.\n"); - printf(" --tls-version : TLS protocol version, can be one of tlsv1.2 tlsv1.1 or tlsv1.\n"); + printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 tlsv1.2 or tlsv1.1.\n"); printf(" Defaults to tlsv1.2 if available.\n"); printf(" --insecure : do not check that the server certificate hostname matches the remote\n"); printf(" hostname. Using this option means that you cannot be sure that the\n"); diff --git a/client/sub_client.c b/client/sub_client.c index 4e99b10c..f11f0844 100644 --- a/client/sub_client.c +++ b/client/sub_client.c @@ -214,7 +214,7 @@ void print_usage(void) printf(" --key : client private key for authentication, if required by server.\n"); printf(" --keyform : keyfile type, can be either \"pem\" or \"engine\".\n"); printf(" --ciphers : openssl compatible list of TLS ciphers to support.\n"); - printf(" --tls-version : TLS protocol version, can be one of tlsv1.2 tlsv1.1 or tlsv1.\n"); + printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 tlsv1.2 or tlsv1.1.\n"); printf(" Defaults to tlsv1.2 if available.\n"); printf(" --insecure : do not check that the server certificate hostname matches the remote\n"); printf(" hostname. Using this option means that you cannot be sure that the\n"); diff --git a/lib/net_mosq.c b/lib/net_mosq.c index 35bbf466..c67bc973 100644 --- a/lib/net_mosq.c +++ b/lib/net_mosq.c @@ -531,13 +531,13 @@ static int net__init_ssl_ctx(struct mosquitto *mosq) } if(!mosq->tls_version){ - SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3); + SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1); + }else if(!strcmp(mosq->tls_version, "tlsv1.3")){ + SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2); }else if(!strcmp(mosq->tls_version, "tlsv1.2")){ - SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1); + SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_3); }else if(!strcmp(mosq->tls_version, "tlsv1.1")){ - SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1); - }else if(!strcmp(mosq->tls_version, "tlsv1")){ - SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_1); + SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3); }else{ log__printf(mosq, MOSQ_LOG_ERR, "Error: Protocol %s not supported.", mosq->tls_version); COMPAT_CLOSE(mosq->sock); diff --git a/lib/options.c b/lib/options.c index 5346066b..92860cb8 100644 --- a/lib/options.c +++ b/lib/options.c @@ -199,9 +199,9 @@ int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs, const char *tl mosq->tls_cert_reqs = cert_reqs; if(tls_version){ - if(!strcasecmp(tls_version, "tlsv1.2") - || !strcasecmp(tls_version, "tlsv1.1") - || !strcasecmp(tls_version, "tlsv1")){ + if(!strcasecmp(tls_version, "tlsv1.3") + || !strcasecmp(tls_version, "tlsv1.2") + || !strcasecmp(tls_version, "tlsv1.1")){ mosq->tls_version = mosquitto__strdup(tls_version); if(!mosq->tls_version) return MOSQ_ERR_NOMEM; diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml index a34feefb..def5406c 100644 --- a/man/mosquitto.conf.5.xml +++ b/man/mosquitto.conf.5.xml @@ -1111,11 +1111,11 @@ openssl dhparam -out dhparam.pem 2048 Configure the version of the TLS protocol to be used for this listener. Possible values are - tlsv1.2, - tlsv1.1 and - tlsv1. If left unset, - the default of allowing all of TLS v1.2, v1.1 and - v1.0 is used. + tlsv1.3, + tlsv1.2 and + tlsv1.1. If left unset, + the default of allowing all of TLS v1.3, v1.2 and + v1.1 is used. @@ -1194,11 +1194,11 @@ openssl dhparam -out dhparam.pem 2048 Configure the version of the TLS protocol to be used for this listener. Possible values are - tlsv1.2, - tlsv1.1 and - tlsv1. If left unset, - the default of allowing all of TLS v1.2, v1.1 and - v1.0 is used. + tlsv1.3, + tlsv1.2 and + tlsv1.1. If left unset, + the default of allowing all of TLS v1.3, v1.2 and + v1.1 is used. @@ -1707,9 +1707,9 @@ topic clients/total in 0 test/mosquitto/org $SYS/broker/ Configure the version of the TLS protocol to be used for this bridge. Possible values are - tlsv1.2, - tlsv1.1 and - tlsv1. Defaults to + tlsv1.3, + tlsv1.2 and + tlsv1.1. Defaults to tlsv1.2. The remote broker must support the same version of TLS for the connection to succeed. diff --git a/man/mosquitto_pub.1.xml b/man/mosquitto_pub.1.xml index 363a9aec..b02e3214 100644 --- a/man/mosquitto_pub.1.xml +++ b/man/mosquitto_pub.1.xml @@ -480,12 +480,10 @@ Choose which TLS protocol version to use when communicating with the broker. Valid options are - , and - . The default value is - . If the installed version of - openssl is too old, only will be - available. Must match the protocol version used by the - broker. + , and + . The default value is + . Must match the protocol + version used by the broker. diff --git a/man/mosquitto_sub.1.xml b/man/mosquitto_sub.1.xml index 88a24c68..824fe9c4 100644 --- a/man/mosquitto_sub.1.xml +++ b/man/mosquitto_sub.1.xml @@ -559,12 +559,10 @@ Choose which TLS protocol version to use when communicating with the broker. Valid options are - , and - . The default value is - . If the installed version of - openssl is too old, only will be - available. Must match the protocol version used by the - broker. + , and + . The default value is + . Must match the protocol + version used by the broker. diff --git a/mosquitto.conf b/mosquitto.conf index 2927a610..ed71c7f4 100644 --- a/mosquitto.conf +++ b/mosquitto.conf @@ -274,8 +274,8 @@ #keyfile # This option defines the version of the TLS protocol to use for this listener. -# The default value allows v1.2, v1.1 and v1.0. The valid values are tlsv1.2 -# tlsv1.1 and tlsv1. +# The default value allows all of v1.3, v1.2 and v1.1. The valid values are +# tlsv1.3 tlsv1.2 and tlsv1.1. #tls_version # By default a TLS enabled listener will operate in a similar fashion to a diff --git a/src/net.c b/src/net.c index d6220a0f..c3c682f4 100644 --- a/src/net.c +++ b/src/net.c @@ -327,13 +327,16 @@ static int mosquitto__tls_server_ctx(struct mosquitto__listener *listener) } if(listener->tls_version == NULL){ - SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3); + SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1); + }else if(!strcmp(listener->tls_version, "tlsv1.3")){ + SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2); }else if(!strcmp(listener->tls_version, "tlsv1.2")){ - SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1); + SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_3); }else if(!strcmp(listener->tls_version, "tlsv1.1")){ - SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1); - }else if(!strcmp(listener->tls_version, "tlsv1")){ - SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_1); + SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3); + }else{ + log__printf(NULL, MOSQ_LOG_ERR, "Error: Unsupported tls_version \"%s\".", listener->tls_version); + return 1; } #ifdef SSL_OP_NO_COMPRESSION