diff --git a/ChangeLog.txt b/ChangeLog.txt
index 1d36f22b..bf969ef5 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -1,3 +1,5 @@
+- Default TLS mode now accepts TLS v1.2, v1.1 and v1.0.
+
1.3.2 - 2014xxxx
================
diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml
index 4d6028ea..03ca0805 100644
--- a/man/mosquitto.conf.5.xml
+++ b/man/mosquitto.conf.5.xml
@@ -740,8 +740,9 @@
used for this listener. Possible values are
tlsv1.2,
tlsv1.1 and
- tlsv1. Defaults to
- tlsv1.2.
+ tlsv1. If left unset,
+ the default of allowing all of TLS v1.2, v1.1 and
+ v1.0 is used.
@@ -800,8 +801,9 @@
used for this listener. Possible values are
tlsv1.2,
tlsv1.1 and
- tlsv1. Defaults to
- tlsv1.2.
+ tlsv1. If left unset,
+ the default of allowing all of TLS v1.2, v1.1 and
+ v1.0 is used.
diff --git a/mosquitto.conf b/mosquitto.conf
index f8ea9990..7c22e4f4 100644
--- a/mosquitto.conf
+++ b/mosquitto.conf
@@ -171,7 +171,7 @@
#keyfile
# This option defines the version of the TLS protocol to use for this listener.
-# The default value will always be the highest version that is available for
+# The default value allows v1.2, v1.1 and v1.0, if they are all supported by
# the version of openssl that the broker was compiled against. For openssl >=
# 1.0.1 the valid values are tlsv1.2 tlsv1.1 and tlsv1. For openssl < 1.0.1 the
# valid values are tlsv1.
diff --git a/src/net.c b/src/net.c
index 0db4c9a5..d323b54d 100644
--- a/src/net.c
+++ b/src/net.c
@@ -342,13 +342,13 @@ int mqtt3_socket_listen(struct _mqtt3_listener *listener)
if((listener->cafile || listener->capath) && listener->certfile && listener->keyfile){
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
if(listener->tls_version == NULL){
- listener->ssl_ctx = SSL_CTX_new(TLSv1_2_server_method());
+ listener->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
}else if(!strcmp(listener->tls_version, "tlsv1.2")){
listener->ssl_ctx = SSL_CTX_new(TLSv1_2_server_method());
}else if(!strcmp(listener->tls_version, "tlsv1.1")){
listener->ssl_ctx = SSL_CTX_new(TLSv1_1_server_method());
}else if(!strcmp(listener->tls_version, "tlsv1")){
- listener->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
+ listener->ssl_ctx = SSL_CTX_new(TLSv1_server_method());
}
#else
listener->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
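Review bot: The new default branch `SSL_CTX_new(SSLv23_server_method())` negotiates any protocol version the linked OpenSSL supports, so unless SSLv2/SSLv3 are disabled elsewhere the listener accepts more than the TLS v1.2, v1.1 and v1.0 that the updated documentation promises. No `SSL_CTX_set_options` call is visible in this hunk; if none follows, add `SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` after the context is created, which also covers the `#else` path. An unrecognised `tls_version` string falls through every branch without creating a context, so a NULL check on `listener->ssl_ctx` after the chain is worth confirming. mqtt3_socket_listen starts and ends outside the hunk, so either point may already be handled there.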