Fix default settings incorrectly allowing TLS v1.1.
Closes #2722. Thanks to KramNamez.
This commit is contained in:
parent
5cae46d26d
commit
63da7472b5
@ -5,11 +5,13 @@ Broker:
|
||||
- Fix error handling related to the `bind_interface` option.
|
||||
- Fix std* files not being redirected when daemonising, when built with
|
||||
assertions removed. Closes #2708.
|
||||
- Fix default settings incorrectly allowing TLS v1.1. Closes #2722.
|
||||
|
||||
Client library:
|
||||
- Use CLOCK_BOOTTIME when available, to keep track of time. This solves the
|
||||
problem of the client OS sleeping and the client hence not being able to
|
||||
calculate the actual time for keepalive purposes. Closes #2760.
|
||||
- Fix default settings incorrectly allowing TLS v1.1. Closes #2722.
|
||||
|
||||
Clients:
|
||||
- Fix incorrect topic-alias property value in mosquitto_sub json output.
|
||||
|
@ -684,7 +684,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
|
||||
#endif
|
||||
|
||||
if(!mosq->tls_version){
|
||||
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
|
||||
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
|
||||
#ifdef SSL_OP_NO_TLSv1_3
|
||||
}else if(!strcmp(mosq->tls_version, "tlsv1.3")){
|
||||
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
|
||||
|
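Review bot: The default branch still works by enumerating every protocol version to disable (`SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1`), which is exactly the pattern that let TLS v1.1 slip through before; on OpenSSL 1.1.0 and later `SSL_CTX_set_min_proto_version(mosq->ssl_ctx, TLS1_2_VERSION);` states the intended minimum directly and cannot silently omit a version. The same enumeration is repeated in the net__tls_server_ctx hunk, so the client and broker defaults are maintained by hand in two places and can drift apart again; a single shared helper, or at least a comment such as `/* Default minimum is TLS v1.2; keep in sync with net__tls_server_ctx() */`, would make the coupling visible. net__init_ssl_ctx begins and ends outside the hunk, so I cannot see whether the explicit tlsv1.2 and tlsv1.1 branches that follow were also reviewed for consistency.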
@ -1458,7 +1458,7 @@ openssl dhparam -out dhparam.pem 2048</programlisting>
|
||||
<replaceable>tlsv1.3</replaceable>,
|
||||
<replaceable>tlsv1.2</replaceable> and
|
||||
<replaceable>tlsv1.1</replaceable>. If left unset,
|
||||
the default of allowing TLS v1.3 and v1.2.</para>
|
||||
the default allows TLS v1.3 and v1.2.</para>
|
||||
<para>In Mosquitto version 1.6.x and earlier, this
|
||||
option set the only TLS protocol version that
|
||||
was allowed, rather than the minimum.</para>
|
||||
|
@ -343,7 +343,7 @@ int net__tls_server_ctx(struct mosquitto__listener *listener)
|
||||
#endif
|
||||
|
||||
if(listener->tls_version == NULL){
|
||||
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
|
||||
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
|
||||
#ifdef SSL_OP_NO_TLSv1_3
|
||||
}else if(!strcmp(listener->tls_version, "tlsv1.3")){
|
||||
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
|
||||
|
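Review bot: Nothing visible in this commit exercises the corrected default, so a future change that drops `SSL_OP_NO_TLSv1_1` from the `listener->tls_version == NULL` branch would go unnoticed; a test that connects with a TLS v1.1-only client context to a listener with `tls_version` unset and expects the handshake to fail would pin the behaviour (the hunks shown contain only the two one-line changes plus documentation, so a test file may simply be outside this view). net__tls_server_ctx begins and ends outside the hunk, so the explicit tlsv1.2 and tlsv1.1 branches are not visible here.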