Fix default settings incorrectly allowing TLS v1.1.
Closes #2722. Thanks to KramNamez.
parent
5cae46d26d
commit
63da7472b5
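--- a/PLACEHOLDER_PATH_changelog
+++ b/PLACEHOLDER_PATH_changelog
@@ -5,11 +5,13 @@ Broker:
 - Fix error handling related to the `bind_interface` option.
 - Fix std* files not being redirected when daemonising, when built with
 assertions removed. Closes #2708.
+- Fix default settings incorrectly allowing TLS v1.1. Closes #2722.
 
 Client library:
 - Use CLOCK_BOOTTIME when available, to keep track of time. This solves the
 problem of the client OS sleeping and the client hence not being able to
 calculate the actual time for keepalive purposes. Closes #2760.
+- Fix default settings incorrectly allowing TLS v1.1. Closes #2722.
 
 Clients:
 - Fix incorrect topic-alias property value in mosquitto_sub json output.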
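--- a/PLACEHOLDER_PATH_client_library_net_c
+++ b/PLACEHOLDER_PATH_client_library_net_c
@@ -684,7 +684,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 #endif
 
 if(!mosq->tls_version){
-SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
+SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
 #ifdef SSL_OP_NO_TLSv1_3
 }else if(!strcmp(mosq->tls_version, "tlsv1.3")){
 SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);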
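Review bot: The default branch at the changed SSL_CTX_set_options line still expresses the TLS floor as a deny-list of SSL_OP_NO_* bits, which is exactly how TLS v1.1 slipped through before this fix; with OpenSSL 1.1.0 or later the intent can be stated directly and cannot miss a version, `SSL_CTX_set_min_proto_version(mosq->ssl_ctx, TLS1_2_VERSION);` in place of the option mask. The `#ifdef SSL_OP_NO_TLSv1_3` guard suggests older OpenSSL builds may still be supported, so that call would presumably need an `OPENSSL_VERSION_NUMBER` guard with the current bit-mask kept as the fallback. The identical default in net__tls_server_ctx in the broker hunk below has the same weakness. net__init_ssl_ctx begins and ends outside this hunk.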
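--- a/PLACEHOLDER_PATH_mosquitto_conf_man_xml
+++ b/PLACEHOLDER_PATH_mosquitto_conf_man_xml
@@ -1458,7 +1458,7 @@ openssl dhparam -out dhparam.pem 2048</programlisting>
 <replaceable>tlsv1.3</replaceable>,
 <replaceable>tlsv1.2</replaceable> and
 <replaceable>tlsv1.1</replaceable>. If left unset,
-the default of allowing TLS v1.3 and v1.2.</para>
+the default allows TLS v1.3 and v1.2.</para>
 <para>In Mosquitto version 1.6.x and earlier, this
 option set the only TLS protocol version that
 was allowed, rather than the minimum.</para>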
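--- a/PLACEHOLDER_PATH_broker_net_c
+++ b/PLACEHOLDER_PATH_broker_net_c
@@ -343,7 +343,7 @@ int net__tls_server_ctx(struct mosquitto__listener *listener)
 #endif
 
 if(listener->tls_version == NULL){
-SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
+SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
 #ifdef SSL_OP_NO_TLSv1_3
 }else if(!strcmp(listener->tls_version, "tlsv1.3")){
 SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);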
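Review bot: The default TLS floor set on the changed line duplicates the one in net__init_ssl_ctx in the client library, and this commit had to patch both copies; nothing in the code ties the two together, so the next change risks fixing one and not the other. A comment on the changed line such as `/* Default TLS floor is v1.2; keep in sync with net__init_ssl_ctx() in the client library. */` would at least make the coupling visible, and a shared helper that both sites call would remove it. The explicit "tlsv1.3" branch below carries the same mask layout, so a helper could cover it too. net__tls_server_ctx starts and ends outside this hunk.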