From 64f697d55da1d02cd40d43e5349c83aeae681f41 Mon Sep 17 00:00:00 2001 From: Roger Light Date: Wed, 3 Mar 2021 22:21:24 +0000 Subject: [PATCH] Fix `tls_version` behaviour not matching documentation. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It was setting the exact TLS version to use, not the minimium TLS version to use. Closes #2110. Thanks to Petter Jönsson. --- ChangeLog.txt | 8 ++++++++ src/net.c | 6 +++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/ChangeLog.txt b/ChangeLog.txt index a83937e26b..73b29b75ea 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt @@ -1,3 +1,11 @@ +2.0.9 - 2021-03-xx +================== + +Broker: +- Fix `tls_version` behaviour not matching documentation. It was setting the + exact TLS version to use, not the minimium TLS version to use. Closes #2110. + + 2.0.8 - 2021-02-25 ================== diff --git a/src/net.c b/src/net.c index dcc9db3689..2c7b0cf8a9 100644 --- a/src/net.c +++ b/src/net.c @@ -335,14 +335,14 @@ int net__tls_server_ctx(struct mosquitto__listener *listener) }else if(!strcmp(listener->tls_version, "tlsv1.3")){ SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2); }else if(!strcmp(listener->tls_version, "tlsv1.2")){ - SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_3); + SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1); }else if(!strcmp(listener->tls_version, "tlsv1.1")){ - SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3); + SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1); #else }else if(!strcmp(listener->tls_version, "tlsv1.2")){ SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1); }else if(!strcmp(listener->tls_version, "tlsv1.1")){ - SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2); + SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1); #endif }else{ log__printf(NULL, MOSQ_LOG_ERR, "Error: Unsupported tls_version \"%s\".", listener->tls_version);