Fix default settings incorrectly allowing TLS v1.1.

Closes #2722. Thanks to KramNamez.
This commit is contained in:
Roger A. Light 2023-03-28 01:15:28 +01:00
parent 5cae46d26d
commit 63da7472b5
4 changed files with 5 additions and 3 deletions


@ -5,11 +5,13 @@ Broker:
- Fix error handling related to the `bind_interface` option. - Fix error handling related to the `bind_interface` option.
- Fix std* files not being redirected when daemonising, when built with - Fix std* files not being redirected when daemonising, when built with
assertions removed. Closes #2708. assertions removed. Closes #2708.
- Fix default settings incorrectly allowing TLS v1.1. Closes #2722.
Client library: Client library:
- Use CLOCK_BOOTTIME when available, to keep track of time. This solves the - Use CLOCK_BOOTTIME when available, to keep track of time. This solves the
problem of the client OS sleeping and the client hence not being able to problem of the client OS sleeping and the client hence not being able to
calculate the actual time for keepalive purposes. Closes #2760. calculate the actual time for keepalive purposes. Closes #2760.
- Fix default settings incorrectly allowing TLS v1.1. Closes #2722.
Clients: Clients:
- Fix incorrect topic-alias property value in mosquitto_sub json output. - Fix incorrect topic-alias property value in mosquitto_sub json output.


@ -684,7 +684,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
#endif #endif
if(!mosq->tls_version){ if(!mosq->tls_version){
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1); SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
#ifdef SSL_OP_NO_TLSv1_3 #ifdef SSL_OP_NO_TLSv1_3
}else if(!strcmp(mosq->tls_version, "tlsv1.3")){ }else if(!strcmp(mosq->tls_version, "tlsv1.3")){
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2); SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
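Review bot: The corrected default on the `if(!mosq->tls_version)` line still expresses the protocol floor as an ever-growing list of SSL_OP_NO_* bits, which is exactly how TLS 1.1 slipped through in the first place; on OpenSSL 1.1.0 and later, `SSL_CTX_set_min_proto_version(mosq->ssl_ctx, TLS1_2_VERSION);` states the intended minimum directly and is the API OpenSSL's own documentation recommends over the SSL_OP_NO_* flags. The same construction appears in the src/net.c hunk for net__tls_server_ctx (`listener->ssl_ctx`), so whichever form is chosen should be applied to both. If older OpenSSL must still be supported and the flag form stays, a comment such as `/* default floor is TLS 1.2; keep in sync with net__tls_server_ctx() */` would make the shared invariant visible so the two defaults do not drift apart again. The diffstat shows no test change, so a regression test that a peer restricted to TLS 1.1 is refused under default settings would lock the fix in. net__init_ssl_ctx begins and ends outside this hunk.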


@ -1458,7 +1458,7 @@ openssl dhparam -out dhparam.pem 2048</programlisting>
<replaceable>tlsv1.3</replaceable>, <replaceable>tlsv1.3</replaceable>,
<replaceable>tlsv1.2</replaceable> and <replaceable>tlsv1.2</replaceable> and
<replaceable>tlsv1.1</replaceable>. If left unset, <replaceable>tlsv1.1</replaceable>. If left unset,
the default of allowing TLS v1.3 and v1.2.</para> the default allows TLS v1.3 and v1.2.</para>
<para>In Mosquitto version 1.6.x and earlier, this <para>In Mosquitto version 1.6.x and earlier, this
option set the only TLS protocol version that option set the only TLS protocol version that
was allowed, rather than the minimum.</para> was allowed, rather than the minimum.</para>


@ -343,7 +343,7 @@ int net__tls_server_ctx(struct mosquitto__listener *listener)
#endif #endif
if(listener->tls_version == NULL){ if(listener->tls_version == NULL){
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1); SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
#ifdef SSL_OP_NO_TLSv1_3 #ifdef SSL_OP_NO_TLSv1_3
}else if(!strcmp(listener->tls_version, "tlsv1.3")){ }else if(!strcmp(listener->tls_version, "tlsv1.3")){
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2); SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);