Add explicit support for TLS v1.3 and drop TLS v1.0.

ChangeLog.txt

@@ -14,11 +14,15 @@ Broker features:
 - Add improved bridge restart interval based on Decorrelated Jitter.
 - Add `dhparamfile` option, to allow DH parameters to be loaded for Ephemeral
   DH support
+- Add explicit support for TLS v1.3.
+- Drop support for TLS v1.0.
 
 Client library features:
 - Add mosquitto_subscribe_multiple() for sending subscriptions to multiple
   topics in one command.
 - Add TLS Engine support.
+- Add explicit support for TLS v1.3.
+- Drop support for TLS v1.0.
 
 Client features:
 - Add -E to mosquitto_sub, which causes it to exit immediately after having
@@ -26,6 +30,8 @@ Client features:
   session without requiring a message to be received.
 - -V now accepts `5, `311`, `31`, as well as `mqttv5` etc.
 - Add TLS Engine support.
+- Add explicit support for TLS v1.3.
+- Drop support for TLS v1.0.
 
 Client fixes:
 - mosquitto_pub wouldn't always publish all messages when using `-l` and

client/pub_client.c

@@ -182,7 +182,7 @@ void print_usage(void)
 	printf(" --key : client private key for authentication, if required by server.\n");
 	printf(" --keyform : keyfile type, can be either \"pem\" or \"engine\".\n");
 	printf(" --ciphers : openssl compatible list of TLS ciphers to support.\n");
-	printf(" --tls-version : TLS protocol version, can be one of tlsv1.2 tlsv1.1 or tlsv1.\n");
+	printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 tlsv1.2 or tlsv1.1.\n");
 	printf("                 Defaults to tlsv1.2 if available.\n");
 	printf(" --insecure : do not check that the server certificate hostname matches the remote\n");
 	printf("              hostname. Using this option means that you cannot be sure that the\n");

client/sub_client.c

@@ -214,7 +214,7 @@ void print_usage(void)
 	printf(" --key : client private key for authentication, if required by server.\n");
 	printf(" --keyform : keyfile type, can be either \"pem\" or \"engine\".\n");
 	printf(" --ciphers : openssl compatible list of TLS ciphers to support.\n");
-	printf(" --tls-version : TLS protocol version, can be one of tlsv1.2 tlsv1.1 or tlsv1.\n");
+	printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 tlsv1.2 or tlsv1.1.\n");
 	printf("                 Defaults to tlsv1.2 if available.\n");
 	printf(" --insecure : do not check that the server certificate hostname matches the remote\n");
 	printf("              hostname. Using this option means that you cannot be sure that the\n");

lib/net_mosq.c

@@ -531,13 +531,13 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 		}
 
 		if(!mosq->tls_version){
-			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3);
+			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
+		}else if(!strcmp(mosq->tls_version, "tlsv1.3")){
+			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
 		}else if(!strcmp(mosq->tls_version, "tlsv1.2")){
-			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1);
+			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_3);
 		}else if(!strcmp(mosq->tls_version, "tlsv1.1")){
-			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1);
-		}else if(!strcmp(mosq->tls_version, "tlsv1")){
-			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_1);
+			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3);
 		}else{
 			log__printf(mosq, MOSQ_LOG_ERR, "Error: Protocol %s not supported.", mosq->tls_version);
 			COMPAT_CLOSE(mosq->sock);

lib/options.c

@@ -199,9 +199,9 @@ int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs, const char *tl
 
 	mosq->tls_cert_reqs = cert_reqs;
 	if(tls_version){
-		if(!strcasecmp(tls_version, "tlsv1.2")
-				|| !strcasecmp(tls_version, "tlsv1.1")
-				|| !strcasecmp(tls_version, "tlsv1")){
+		if(!strcasecmp(tls_version, "tlsv1.3")
+				|| !strcasecmp(tls_version, "tlsv1.2")
+				|| !strcasecmp(tls_version, "tlsv1.1")){
 
 			mosq->tls_version = mosquitto__strdup(tls_version);
 			if(!mosq->tls_version) return MOSQ_ERR_NOMEM;

man/mosquitto.conf.5.xml

@@ -1111,11 +1111,11 @@ openssl dhparam -out dhparam.pem 2048</programlisting>
 					<listitem>
 						<para>Configure the version of the TLS protocol to be
 							used for this listener. Possible values are
-							<replaceable>tlsv1.2</replaceable>,
-							<replaceable>tlsv1.1</replaceable> and
-							<replaceable>tlsv1</replaceable>. If left unset,
-							the default of allowing all of TLS v1.2, v1.1 and
-							v1.0 is used.</para>
+							<replaceable>tlsv1.3</replaceable>,
+							<replaceable>tlsv1.2</replaceable> and
+							<replaceable>tlsv1.1</replaceable>. If left unset,
+							the default of allowing all of TLS v1.3, v1.2 and
+							v1.1 is used.</para>
 					</listitem>
 				</varlistentry>
 				<varlistentry>
@@ -1194,11 +1194,11 @@ openssl dhparam -out dhparam.pem 2048</programlisting>
 					<listitem>
 						<para>Configure the version of the TLS protocol to be
 							used for this listener. Possible values are
-							<replaceable>tlsv1.2</replaceable>,
-							<replaceable>tlsv1.1</replaceable> and
-							<replaceable>tlsv1</replaceable>. If left unset,
-							the default of allowing all of TLS v1.2, v1.1 and
-							v1.0 is used.</para>
+							<replaceable>tlsv1.3</replaceable>,
+							<replaceable>tlsv1.2</replaceable> and
+							<replaceable>tlsv1.1</replaceable>. If left unset,
+							the default of allowing all of TLS v1.3, v1.2 and
+							v1.1 is used.</para>
 					</listitem>
 				</varlistentry>
 				<varlistentry>
@@ -1707,9 +1707,9 @@ topic clients/total in 0 test/mosquitto/org $SYS/broker/
 					<listitem>
 						<para>Configure the version of the TLS protocol to be
 							used for this bridge. Possible values are
-							<replaceable>tlsv1.2</replaceable>,
-							<replaceable>tlsv1.1</replaceable> and
-							<replaceable>tlsv1</replaceable>. Defaults to
+							<replaceable>tlsv1.3</replaceable>,
+							<replaceable>tlsv1.2</replaceable> and
+							<replaceable>tlsv1.1</replaceable>. Defaults to
 							<replaceable>tlsv1.2</replaceable>. The remote
 							broker must support the same version of TLS for the
 							connection to succeed.</para>

man/mosquitto_pub.1.xml

@@ -480,12 +480,10 @@
 				<listitem>
 					<para>Choose which TLS protocol version to use when
 						communicating with the broker. Valid options are
-						<option>tlsv1.2</option>, <option>tlsv1.1</option> and
-						<option>tlsv1</option>. The default value is
-						<option>tlsv1.2</option>. If the installed version of
-						openssl is too old, only <option>tlsv1</option> will be
-						available. Must match the protocol version used by the
-						broker.</para>
+						<option>tlsv1.3</option>, <option>tlsv1.2</option> and
+						<option>tlsv1.1</option>. The default value is
+						<option>tlsv1.2</option>. Must match the protocol
+						version used by the broker.</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>

man/mosquitto_sub.1.xml

@@ -559,12 +559,10 @@
 				<listitem>
 					<para>Choose which TLS protocol version to use when
 						communicating with the broker. Valid options are
-						<option>tlsv1.2</option>, <option>tlsv1.1</option> and
-						<option>tlsv1</option>. The default value is
-						<option>tlsv1.2</option>. If the installed version of
-						openssl is too old, only <option>tlsv1</option> will be
-						available. Must match the protocol version used by the
-						broker.</para>
+						<option>tlsv1.3</option>, <option>tlsv1.2</option> and
+						<option>tlsv1.1</option>. The default value is
+						<option>tlsv1.2</option>. Must match the protocol
+						version used by the broker.</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>

mosquitto.conf

@@ -274,8 +274,8 @@
 #keyfile
 
 # This option defines the version of the TLS protocol to use for this listener.
-# The default value allows v1.2, v1.1 and v1.0. The valid values are tlsv1.2
-# tlsv1.1 and tlsv1.
+# The default value allows all of v1.3, v1.2 and v1.1. The valid values are
+# tlsv1.3 tlsv1.2 and tlsv1.1.
 #tls_version
 
 # By default a TLS enabled listener will operate in a similar fashion to a

src/net.c

@@ -327,13 +327,16 @@ static int mosquitto__tls_server_ctx(struct mosquitto__listener *listener)
 	}
 
 	if(listener->tls_version == NULL){
-		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3);
+		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
+	}else if(!strcmp(listener->tls_version, "tlsv1.3")){
+		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
 	}else if(!strcmp(listener->tls_version, "tlsv1.2")){
-		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1);
+		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_3);
 	}else if(!strcmp(listener->tls_version, "tlsv1.1")){
-		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1);
-	}else if(!strcmp(listener->tls_version, "tlsv1")){
-		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_1);
+		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3);
+	}else{
+		log__printf(NULL, MOSQ_LOG_ERR, "Error: Unsupported tls_version \"%s\".", listener->tls_version);
+		return 1;
 	}
 
 #ifdef SSL_OP_NO_COMPRESSION