Default TLS mode now accepts TLS v1.2, v1.1 and v1.0.

2014-05-24 23:16:55 +01:00 · 2014-05-24 23:16:55 +01:00 · 933dc09489
commit 933dc09489
parent 94ec27911b
4 changed files with 11 additions and 7 deletions
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@ -1,3 +1,5 @@
+- Default TLS mode now accepts TLS v1.2, v1.1 and v1.0.
+
 1.3.2 - 2014xxxx
 ================

--- a/man/mosquitto.conf.5.xml
+++ b/man/mosquitto.conf.5.xml
@ -740,8 +740,9 @@
 							used for this listener. Possible values are
 							<replaceable>tlsv1.2</replaceable>,
 							<replaceable>tlsv1.1</replaceable> and
-							<replaceable>tlsv1</replaceable>. Defaults to
-							<replaceable>tlsv1.2</replaceable>.</para>
+							<replaceable>tlsv1</replaceable>. If left unset,
+							the default of allowing all of TLS v1.2, v1.1 and
+							v1.0 is used.</para>
 					</listitem>
 				</varlistentry>
 				<varlistentry>
@ -800,8 +801,9 @@
 							used for this listener. Possible values are
 							<replaceable>tlsv1.2</replaceable>,
 							<replaceable>tlsv1.1</replaceable> and
-							<replaceable>tlsv1</replaceable>. Defaults to
-							<replaceable>tlsv1.2</replaceable>.</para>
+							<replaceable>tlsv1</replaceable>. If left unset,
+							the default of allowing all of TLS v1.2, v1.1 and
+							v1.0 is used.</para>
 					</listitem>
 				</varlistentry>
 				<varlistentry>
--- a/mosquitto.conf
+++ b/mosquitto.conf
@ -171,7 +171,7 @@
 #keyfile

 # This option defines the version of the TLS protocol to use for this listener.
-# The default value will always be the highest version that is available for
+# The default value allows v1.2, v1.1 and v1.0, if they are all supported by
 # the version of openssl that the broker was compiled against. For openssl >=
 # 1.0.1 the valid values are tlsv1.2 tlsv1.1 and tlsv1. For openssl < 1.0.1 the
 # valid values are tlsv1.
--- a/src/net.c
+++ b/src/net.c
@ -342,13 +342,13 @@ int mqtt3_socket_listen(struct _mqtt3_listener *listener)
 		if((listener->cafile || listener->capath) && listener->certfile && listener->keyfile){
 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
 			if(listener->tls_version == NULL){
-				listener->ssl_ctx = SSL_CTX_new(TLSv1_2_server_method());
+				listener->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
 			}else if(!strcmp(listener->tls_version, "tlsv1.2")){
 				listener->ssl_ctx = SSL_CTX_new(TLSv1_2_server_method());
 			}else if(!strcmp(listener->tls_version, "tlsv1.1")){
 				listener->ssl_ctx = SSL_CTX_new(TLSv1_1_server_method());
 			}else if(!strcmp(listener->tls_version, "tlsv1")){
-				listener->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
+				listener->ssl_ctx = SSL_CTX_new(TLSv1_server_method());
 			}
 #else
 			listener->ssl_ctx = SSL_CTX_new(SSLv23_server_method());