Fix tls_version behaviour not matching documentation.

It was setting the exact TLS version to use, not the minimium TLS version to use. Closes #2110. Thanks to Petter Jönsson.
eclipse · Mar 3, 2021 · 64f697d · 64f697d
1 parent 5c45bc4
commit 64f697d
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 3 deletions.
diff --git a/ChangeLog.txt b/ChangeLog.txt
@@ -1,3 +1,11 @@
+2.0.9 - 2021-03-xx
+==================
+
+Broker:
+- Fix `tls_version` behaviour not matching documentation. It was setting the
+ exact TLS version to use, not the minimium TLS version to use. Closes #2110.
+
+
 2.0.8 - 2021-02-25
 ==================
 

diff --git a/src/net.c b/src/net.c
@@ -335,14 +335,14 @@ int net__tls_server_ctx(struct mosquitto__listener *listener)
  }else if(!strcmp(listener->tls_version, "tlsv1.3")){
  SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
  }else if(!strcmp(listener->tls_version, "tlsv1.2")){
- SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_3);
+ SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
  }else if(!strcmp(listener->tls_version, "tlsv1.1")){
- SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3);
+ SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
 #else
  }else if(!strcmp(listener->tls_version, "tlsv1.2")){
  SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
  }else if(!strcmp(listener->tls_version, "tlsv1.1")){
- SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2);
+ SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
 #endif
  }else{
  log__printf(NULL, MOSQ_LOG_ERR, "Error: Unsupported tls_version \"%s\".", listener->tls_version);