Change tls_version
option behaviour.
The `tls_version` option now defines the *minimum* TLS protocol version to be used, rather than the exact version. Closes #1258. Thanks to Daniele Sluijters.
This commit is contained in:
parent
edee5aaf8d
commit
abbeb4494f
@ -24,6 +24,8 @@ Breaking changes:
|
||||
connections are allowed.
|
||||
- The `pid_file` option will now always attempt to write a pid file,
|
||||
regardless of whether the `-d` argument is used when running the broker.
|
||||
- The `tls_version` option now defines the *minimum* TLS protocol version to
|
||||
be used, rather than the exact version. Closes #1258.
|
||||
|
||||
Broker:
|
||||
- When running as root, if dropping privileges to the "mosquitto" user fails,
|
||||
|
@ -692,20 +692,15 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
|
||||
}
|
||||
|
||||
if(!mosq->tls_version){
|
||||
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
|
||||
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
|
||||
#ifdef SSL_OP_NO_TLSv1_3
|
||||
}else if(!strcmp(mosq->tls_version, "tlsv1.3")){
|
||||
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
|
||||
}else if(!strcmp(mosq->tls_version, "tlsv1.2")){
|
||||
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_3);
|
||||
}else if(!strcmp(mosq->tls_version, "tlsv1.1")){
|
||||
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3);
|
||||
#else
|
||||
#endif
|
||||
}else if(!strcmp(mosq->tls_version, "tlsv1.2")){
|
||||
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
|
||||
}else if(!strcmp(mosq->tls_version, "tlsv1.1")){
|
||||
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2);
|
||||
#endif
|
||||
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
|
||||
}else{
|
||||
log__printf(mosq, MOSQ_LOG_ERR, "Error: Protocol %s not supported.", mosq->tls_version);
|
||||
COMPAT_CLOSE(mosq->sock);
|
||||
|
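Review bot: The minimum-version semantics exist only in the commit message; nothing in the chain starting at `if(!mosq->tls_version){` says that each branch masks out every protocol *below* the configured one and deliberately leaves newer ones enabled, so the next person adding a new SSL_OP_NO_* constant can easily treat the masks as "exact version" again. Add above the chain: `/* tls_version is a minimum: disable every protocol below it and leave anything newer enabled. */`. The `tlsv1.3` branch is compiled only under `#ifdef SSL_OP_NO_TLSv1_3`, so on builds without it the string falls through to the "Protocol %s not supported" error; that is reasonable but deserves a one-line comment at the `#ifdef`, since the man page in this commit lists tlsv1.3 unconditionally. On OpenSSL 1.1.0 and later, `SSL_CTX_set_min_proto_version()` expresses this directly and removes the need to keep the masks in step with each new protocol constant, though whether the project's oldest supported OpenSSL permits that is not visible from this hunk. net__init_ssl_ctx begins and ends outside the hunk.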
@ -1377,13 +1377,15 @@ openssl dhparam -out dhparam.pem 2048</programlisting>
|
||||
<varlistentry>
|
||||
<term><option>tls_version</option> <replaceable>version</replaceable></term>
|
||||
<listitem>
|
||||
<para>Configure the version of the TLS protocol to be
|
||||
<para>Configure the minimum version of the TLS protocol to be
|
||||
used for this listener. Possible values are
|
||||
<replaceable>tlsv1.3</replaceable>,
|
||||
<replaceable>tlsv1.2</replaceable> and
|
||||
<replaceable>tlsv1.1</replaceable>. If left unset,
|
||||
the default of allowing all of TLS v1.3, v1.2 and
|
||||
v1.1 is used.</para>
|
||||
the default of allowing TLS v1.3 and v1.2.</para>
|
||||
<para>In Mosquitto version 1.6.x and earlier, this
|
||||
option set the only TLS protocol version that
|
||||
was allowed, rather than the minimum.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
@ -1460,13 +1462,15 @@ openssl dhparam -out dhparam.pem 2048</programlisting>
|
||||
<varlistentry>
|
||||
<term><option>tls_version</option> <replaceable>version</replaceable></term>
|
||||
<listitem>
|
||||
<para>Configure the version of the TLS protocol to be
|
||||
<para>Configure the minimum version of the TLS protocol to be
|
||||
used for this listener. Possible values are
|
||||
<replaceable>tlsv1.3</replaceable>,
|
||||
<replaceable>tlsv1.2</replaceable> and
|
||||
<replaceable>tlsv1.1</replaceable>. If left unset,
|
||||
the default of allowing all of TLS v1.3, v1.2 and
|
||||
v1.1 is used.</para>
|
||||
the default of allowing TLS v1.3 and v1.2.</para>
|
||||
<para>In Mosquitto version 1.6.x and earlier, this
|
||||
option set the only TLS protocol version that
|
||||
was allowed, rather than the minimum.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
|