From 63da7472b519487611b047ca1d550e7dcc806286 Mon Sep 17 00:00:00 2001
From: "Roger A. Light"
Date: Tue, 28 Mar 2023 01:15:28 +0100
Subject: [PATCH] Fix default settings incorrectly allowing TLS v1.1. Closes #2722. Thanks to KramNamez.
---
 ChangeLog.txt | 2 ++
 lib/net_mosq.c | 2 +-
 man/mosquitto.conf.5.xml | 2 +-
 src/net.c | 2 +-
 4 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/ChangeLog.txt b/ChangeLog.txt
index 1f4f69c4..2d19f52c 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -5,11 +5,13 @@ Broker:
 - Fix error handling related to the `bind_interface` option.
 - Fix std* files not being redirected when daemonising, when built with assertions removed. Closes #2708.
+- Fix default settings incorrectly allowing TLS v1.1. Closes #2722.
 Client library:
 - Use CLOCK_BOOTTIME when available, to keep track of time. This solves the problem of the client OS sleeping and the client hence not being able to calculate the actual time for keepalive purposes. Closes #2760.
+- Fix default settings incorrectly allowing TLS v1.1. Closes #2722.
 Clients:
 - Fix incorrect topic-alias property value in mosquitto_sub json output.
diff --git a/lib/net_mosq.c b/lib/net_mosq.c
index 80d9195b..b8d14a02 100644
--- a/lib/net_mosq.c
+++ b/lib/net_mosq.c
@@ -684,7 +684,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 #endif
 if(!mosq->tls_version){
- SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
+ SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
 #ifdef SSL_OP_NO_TLSv1_3
 }else if(!strcmp(mosq->tls_version, "tlsv1.3")){
 SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml
index 35e016c8..297dadb8 100644
--- a/man/mosquitto.conf.5.xml
+++ b/man/mosquitto.conf.5.xml
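Review bot: The default branch `if(!mosq->tls_version)` in the lib/net_mosq.c hunk still sets the protocol floor with a deny-list of `SSL_OP_NO_*` flags, which is the pattern that let TLS v1.1 through until this commit: any version not listed stays enabled. Where the linked OpenSSL provides it (1.1.0 and later), `SSL_CTX_set_min_proto_version(mosq->ssl_ctx, TLS1_2_VERSION);` states the floor directly and returns a result that can be checked. The `#ifdef SSL_OP_NO_TLSv1_3` guard in this hunk suggests older libraries are still built against, so the flag form would probably have to remain as a fallback. The same point applies to the `listener->tls_version == NULL` branch in the src/net.c hunk. net__init_ssl_ctx starts and ends outside the hunk, so the remaining version branches are not visible here.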
@@ -1458,7 +1458,7 @@ openssl dhparam -out dhparam.pem 2048
 tlsv1.3, tlsv1.2 and tlsv1.1. If left unset,
- the default of allowing TLS v1.3 and v1.2.
+ the default allows TLS v1.3 and v1.2.
 In Mosquitto version 1.6.x and earlier, this option set the only TLS protocol version that was allowed, rather than the minimum.
diff --git a/src/net.c b/src/net.c
index 0466a165..7ae33cbc 100644
--- a/src/net.c
+++ b/src/net.c
@@ -343,7 +343,7 @@ int net__tls_server_ctx(struct mosquitto__listener *listener)
 #endif
 if(listener->tls_version == NULL){
- SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
+ SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
 #ifdef SSL_OP_NO_TLSv1_3
 }else if(!strcmp(listener->tls_version, "tlsv1.3")){
 SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
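Review bot: No regression test accompanies the new broker default in `net__tls_server_ctx`; the diffstat lists only ChangeLog.txt, the two C files and the man page. Because the defect was a silently permissive default, a test that starts a listener with `tls_version` unset and checks that a handshake capped at TLS v1.1 is refused while one at v1.2 succeeds would stop the code and the mosquitto.conf(5) text from drifting apart again. A short comment on the default branch would also help, for example `/* Default minimum is TLS v1.2; keep in sync with the tls_version text in mosquitto.conf(5). */`. The function body continues outside the hunk, so the other `tls_version` branches were not reviewed.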