Add explicit support for TLS v1.3 and drop TLS v1.0.

eclipse · Feb 27, 2019 · 1924afe · 1924afe
1 parent 130ddf4
commit 1924afe
Show file tree

Hide file tree

Showing 10 changed files with 47 additions and 42 deletions.
diff --git a/ChangeLog.txt b/ChangeLog.txt
@@ -14,18 +14,24 @@ Broker features:
 - Add improved bridge restart interval based on Decorrelated Jitter.
 - Add `dhparamfile` option, to allow DH parameters to be loaded for Ephemeral
  DH support
+- Add explicit support for TLS v1.3.
+- Drop support for TLS v1.0.
 
 Client library features:
 - Add mosquitto_subscribe_multiple() for sending subscriptions to multiple
  topics in one command.
 - Add TLS Engine support.
+- Add explicit support for TLS v1.3.
+- Drop support for TLS v1.0.
 
 Client features:
 - Add -E to mosquitto_sub, which causes it to exit immediately after having
  its subscriptions acknowledged. Use with -c to create a durable client
  session without requiring a message to be received.
 - -V now accepts `5, `311`, `31`, as well as `mqttv5` etc.
 - Add TLS Engine support.
+- Add explicit support for TLS v1.3.
+- Drop support for TLS v1.0.
 
 Client fixes:
 - mosquitto_pub wouldn't always publish all messages when using `-l` and

diff --git a/client/pub_client.c b/client/pub_client.c
@@ -182,7 +182,7 @@ void print_usage(void)
  printf(" --key : client private key for authentication, if required by server.\n");
  printf(" --keyform : keyfile type, can be either \"pem\" or \"engine\".\n");
  printf(" --ciphers : openssl compatible list of TLS ciphers to support.\n");
- printf(" --tls-version : TLS protocol version, can be one of tlsv1.2 tlsv1.1 or tlsv1.\n");
+ printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 tlsv1.2 or tlsv1.1.\n");
  printf(" Defaults to tlsv1.2 if available.\n");
  printf(" --insecure : do not check that the server certificate hostname matches the remote\n");
  printf(" hostname. Using this option means that you cannot be sure that the\n");

diff --git a/client/sub_client.c b/client/sub_client.c
@@ -214,7 +214,7 @@ void print_usage(void)
  printf(" --key : client private key for authentication, if required by server.\n");
  printf(" --keyform : keyfile type, can be either \"pem\" or \"engine\".\n");
  printf(" --ciphers : openssl compatible list of TLS ciphers to support.\n");
- printf(" --tls-version : TLS protocol version, can be one of tlsv1.2 tlsv1.1 or tlsv1.\n");
+ printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 tlsv1.2 or tlsv1.1.\n");
  printf(" Defaults to tlsv1.2 if available.\n");
  printf(" --insecure : do not check that the server certificate hostname matches the remote\n");
  printf(" hostname. Using this option means that you cannot be sure that the\n");

diff --git a/lib/net_mosq.c b/lib/net_mosq.c
@@ -531,13 +531,13 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
  }
 
  if(!mosq->tls_version){
- SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3);
+ SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
+ }else if(!strcmp(mosq->tls_version, "tlsv1.3")){
+ SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
  }else if(!strcmp(mosq->tls_version, "tlsv1.2")){
- SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1);
+ SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_3);
  }else if(!strcmp(mosq->tls_version, "tlsv1.1")){
- SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1);
- }else if(!strcmp(mosq->tls_version, "tlsv1")){
- SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_1);
+ SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3);
  }else{
  log__printf(mosq, MOSQ_LOG_ERR, "Error: Protocol %s not supported.", mosq->tls_version);
  COMPAT_CLOSE(mosq->sock);

diff --git a/lib/options.c b/lib/options.c
@@ -199,9 +199,9 @@ int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs, const char *tl
 
  mosq->tls_cert_reqs = cert_reqs;
  if(tls_version){
- if(!strcasecmp(tls_version, "tlsv1.2")
- || !strcasecmp(tls_version, "tlsv1.1")
- || !strcasecmp(tls_version, "tlsv1")){
+ if(!strcasecmp(tls_version, "tlsv1.3")
+ || !strcasecmp(tls_version, "tlsv1.2")
+ || !strcasecmp(tls_version, "tlsv1.1")){
 
  mosq->tls_version = mosquitto__strdup(tls_version);
  if(!mosq->tls_version) return MOSQ_ERR_NOMEM;

diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml
@@ -1111,11 +1111,11 @@ openssl dhparam -out dhparam.pem 2048</programlisting>
  <listitem>
  <para>Configure the version of the TLS protocol to be
  used for this listener. Possible values are
- <replaceable>tlsv1.2</replaceable>,
- <replaceable>tlsv1.1</replaceable> and
- <replaceable>tlsv1</replaceable>. If left unset,
- the default of allowing all of TLS v1.2, v1.1 and
- v1.0 is used.</para>
+ <replaceable>tlsv1.3</replaceable>,
+ <replaceable>tlsv1.2</replaceable> and
+ <replaceable>tlsv1.1</replaceable>. If left unset,
+ the default of allowing all of TLS v1.3, v1.2 and
+ v1.1 is used.</para>
  </listitem>
  </varlistentry>
  <varlistentry>
@@ -1194,11 +1194,11 @@ openssl dhparam -out dhparam.pem 2048</programlisting>
  <listitem>
  <para>Configure the version of the TLS protocol to be
  used for this listener. Possible values are
- <replaceable>tlsv1.2</replaceable>,
- <replaceable>tlsv1.1</replaceable> and
- <replaceable>tlsv1</replaceable>. If left unset,
- the default of allowing all of TLS v1.2, v1.1 and
- v1.0 is used.</para>
+ <replaceable>tlsv1.3</replaceable>,
+ <replaceable>tlsv1.2</replaceable> and
+ <replaceable>tlsv1.1</replaceable>. If left unset,
+ the default of allowing all of TLS v1.3, v1.2 and
+ v1.1 is used.</para>
  </listitem>
  </varlistentry>
  <varlistentry>
@@ -1707,9 +1707,9 @@ topic clients/total in 0 test/mosquitto/org $SYS/broker/
  <listitem>
  <para>Configure the version of the TLS protocol to be
  used for this bridge. Possible values are
- <replaceable>tlsv1.2</replaceable>,
- <replaceable>tlsv1.1</replaceable> and
- <replaceable>tlsv1</replaceable>. Defaults to
+ <replaceable>tlsv1.3</replaceable>,
+ <replaceable>tlsv1.2</replaceable> and
+ <replaceable>tlsv1.1</replaceable>. Defaults to
  <replaceable>tlsv1.2</replaceable>. The remote
  broker must support the same version of TLS for the
  connection to succeed.</para>

diff --git a/man/mosquitto_pub.1.xml b/man/mosquitto_pub.1.xml
@@ -480,12 +480,10 @@
  <listitem>
  <para>Choose which TLS protocol version to use when
  communicating with the broker. Valid options are
- <option>tlsv1.2</option>, <option>tlsv1.1</option> and
- <option>tlsv1</option>. The default value is
- <option>tlsv1.2</option>. If the installed version of
- openssl is too old, only <option>tlsv1</option> will be
- available. Must match the protocol version used by the
- broker.</para>
+ <option>tlsv1.3</option>, <option>tlsv1.2</option> and
+ <option>tlsv1.1</option>. The default value is
+ <option>tlsv1.2</option>. Must match the protocol
+ version used by the broker.</para>
  </listitem>
  </varlistentry>
  <varlistentry>

diff --git a/man/mosquitto_sub.1.xml b/man/mosquitto_sub.1.xml
@@ -559,12 +559,10 @@
  <listitem>
  <para>Choose which TLS protocol version to use when
  communicating with the broker. Valid options are
- <option>tlsv1.2</option>, <option>tlsv1.1</option> and
- <option>tlsv1</option>. The default value is
- <option>tlsv1.2</option>. If the installed version of
- openssl is too old, only <option>tlsv1</option> will be
- available. Must match the protocol version used by the
- broker.</para>
+ <option>tlsv1.3</option>, <option>tlsv1.2</option> and
+ <option>tlsv1.1</option>. The default value is
+ <option>tlsv1.2</option>. Must match the protocol
+ version used by the broker.</para>
  </listitem>
  </varlistentry>
  <varlistentry>

diff --git a/mosquitto.conf b/mosquitto.conf
@@ -274,8 +274,8 @@
 #keyfile
 
 # This option defines the version of the TLS protocol to use for this listener.
-# The default value allows v1.2, v1.1 and v1.0. The valid values are tlsv1.2
-# tlsv1.1 and tlsv1.
+# The default value allows all of v1.3, v1.2 and v1.1. The valid values are
+# tlsv1.3 tlsv1.2 and tlsv1.1.
 #tls_version
 
 # By default a TLS enabled listener will operate in a similar fashion to a

diff --git a/src/net.c b/src/net.c
@@ -327,13 +327,16 @@ static int mosquitto__tls_server_ctx(struct mosquitto__listener *listener)
  }
 
  if(listener->tls_version == NULL){
- SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3);
+ SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
+ }else if(!strcmp(listener->tls_version, "tlsv1.3")){
+ SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
  }else if(!strcmp(listener->tls_version, "tlsv1.2")){
- SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1);
+ SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_3);
  }else if(!strcmp(listener->tls_version, "tlsv1.1")){
- SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1);
- }else if(!strcmp(listener->tls_version, "tlsv1")){
- SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_1);
+ SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3);
+ }else{
+ log__printf(NULL, MOSQ_LOG_ERR, "Error: Unsupported tls_version \"%s\".", listener->tls_version);
+ return 1;
  }
 
 #ifdef SSL_OP_NO_COMPRESSION