Change tls_version option behaviour.

The `tls_version` option now defines the *minimum* TLS protocol version to
be used, rather than the exact version.

Closes #1258. Thanks to Daniele Sluijters.

ChangeLog.txt

@@ -24,6 +24,8 @@ Breaking changes:
   connections are allowed.
 - The `pid_file` option will now always attempt to write a pid file,
   regardless of whether the `-d` argument is used when running the broker.
+- The `tls_version` option now defines the *minimum* TLS protocol version to
+  be used, rather than the exact version. Closes #1258.
 
 Broker:
 - When running as root, if dropping privileges to the "mosquitto" user fails,

lib/net_mosq.c

@@ -692,20 +692,15 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 		}
 
 		if(!mosq->tls_version){
-			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
+			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
 #ifdef SSL_OP_NO_TLSv1_3
 		}else if(!strcmp(mosq->tls_version, "tlsv1.3")){
 			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
-		}else if(!strcmp(mosq->tls_version, "tlsv1.2")){
-			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_3);
-		}else if(!strcmp(mosq->tls_version, "tlsv1.1")){
-			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3);
-#else
+#endif
 		}else if(!strcmp(mosq->tls_version, "tlsv1.2")){
 			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
 		}else if(!strcmp(mosq->tls_version, "tlsv1.1")){
-			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2);
-#endif
+			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
 		}else{
 			log__printf(mosq, MOSQ_LOG_ERR, "Error: Protocol %s not supported.", mosq->tls_version);
 			COMPAT_CLOSE(mosq->sock);

man/mosquitto.conf.5.xml

@@ -1377,13 +1377,15 @@ openssl dhparam -out dhparam.pem 2048</programlisting>
 				<varlistentry>
 					<term><option>tls_version</option> <replaceable>version</replaceable></term>
 					<listitem>
-						<para>Configure the version of the TLS protocol to be
+						<para>Configure the minimum version of the TLS protocol to be
 							used for this listener. Possible values are
 							<replaceable>tlsv1.3</replaceable>,
 							<replaceable>tlsv1.2</replaceable> and
 							<replaceable>tlsv1.1</replaceable>. If left unset,
-							the default of allowing all of TLS v1.3, v1.2 and
-							v1.1 is used.</para>
+							the default of allowing TLS v1.3 and v1.2.</para>
+						<para>In Mosquitto version 1.6.x and earlier, this
+							option set the only TLS protocol version that
+							was allowed, rather than the minimum.</para>
 					</listitem>
 				</varlistentry>
 				<varlistentry>
@@ -1460,13 +1462,15 @@ openssl dhparam -out dhparam.pem 2048</programlisting>
 				<varlistentry>
 					<term><option>tls_version</option> <replaceable>version</replaceable></term>
 					<listitem>
-						<para>Configure the version of the TLS protocol to be
+						<para>Configure the minimum version of the TLS protocol to be
 							used for this listener. Possible values are
 							<replaceable>tlsv1.3</replaceable>,
 							<replaceable>tlsv1.2</replaceable> and
 							<replaceable>tlsv1.1</replaceable>. If left unset,
-							the default of allowing all of TLS v1.3, v1.2 and
-							v1.1 is used.</para>
+							the default of allowing TLS v1.3 and v1.2.</para>
+						<para>In Mosquitto version 1.6.x and earlier, this
+							option set the only TLS protocol version that
+							was allowed, rather than the minimum.</para>
 					</listitem>
 				</varlistentry>
 				<varlistentry>