Fix default settings incorrectly allowing TLS v1.1.

Closes #2722. Thanks to KramNamez.
eclipse · Mar 28, 2023 · 63da747 · 63da747
1 parent 5cae46d
commit 63da747
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 3 deletions.
diff --git a/ChangeLog.txt b/ChangeLog.txt
@@ -5,11 +5,13 @@ Broker:
 - Fix error handling related to the `bind_interface` option.
 - Fix std* files not being redirected when daemonising, when built with
  assertions removed. Closes #2708.
+- Fix default settings incorrectly allowing TLS v1.1. Closes #2722.
 
 Client library:
 - Use CLOCK_BOOTTIME when available, to keep track of time. This solves the
  problem of the client OS sleeping and the client hence not being able to
  calculate the actual time for keepalive purposes. Closes #2760.
+- Fix default settings incorrectly allowing TLS v1.1. Closes #2722.
 
 Clients:
 - Fix incorrect topic-alias property value in mosquitto_sub json output.

diff --git a/lib/net_mosq.c b/lib/net_mosq.c
@@ -684,7 +684,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 #endif
 
  if(!mosq->tls_version){
- SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
+ SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
 #ifdef SSL_OP_NO_TLSv1_3
  }else if(!strcmp(mosq->tls_version, "tlsv1.3")){
  SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);

diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml
@@ -1458,7 +1458,7 @@ openssl dhparam -out dhparam.pem 2048</programlisting>
  <replaceable>tlsv1.3</replaceable>,
  <replaceable>tlsv1.2</replaceable> and
  <replaceable>tlsv1.1</replaceable>. If left unset,
- the default of allowing TLS v1.3 and v1.2.</para>
+ the default allows TLS v1.3 and v1.2.</para>
  <para>In Mosquitto version 1.6.x and earlier, this
  option set the only TLS protocol version that
  was allowed, rather than the minimum.</para>

diff --git a/src/net.c b/src/net.c
@@ -343,7 +343,7 @@ int net__tls_server_ctx(struct mosquitto__listener *listener)
 #endif
 
  if(listener->tls_version == NULL){
- SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
+ SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
 #ifdef SSL_OP_NO_TLSv1_3
  }else if(!strcmp(listener->tls_version, "tlsv1.3")){
  SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);