From a8e37851c0a92120050bf2195164168610fc0b98 Mon Sep 17 00:00:00 2001 From: "Roger A. Light" Date: Wed, 9 Dec 2020 15:54:33 +0000 Subject: [PATCH] lib: Fix DH group not being set for TLS connections. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This meant ciphers using DHE couldn't be used. Closes #1925. Closes #1476. Thanks to Jonathan Sönnerup, Valerii Demeshko, and sectokia. --- ChangeLog.txt | 3 +++ lib/net_mosq.c | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/ChangeLog.txt b/ChangeLog.txt index 39b49d2f58..43966002c9 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt @@ -2,6 +2,7 @@ Broker: - Fix crash on Windows if loading a plugin fails. Closes #1866. - Fix DH group not being set for TLS connections, which meant ciphers using DHE couldn't be used. Closes #1925. Closes #1476. + - Fix listener not being reassociated with client when reloading a persistence file and `per_listener_settings true` is set and the client did not set a username. Closes #1891. @@ -10,6 +11,8 @@ Broker: Client library: - Fix build on Mac Big Sur. Closes #1905. +- Fix DH group not being set for TLS connections, which meant ciphers using + DHE couldn't be used. Closes #1925. Closes #1476. Clients: - mosquitto_sub will now quit with an error if the %U option is used on diff --git a/lib/net_mosq.c b/lib/net_mosq.c index 9c0fb717a5..91fc4d3f88 100644 --- a/lib/net_mosq.c +++ b/lib/net_mosq.c @@ -648,6 +648,10 @@ static int net__init_ssl_ctx(struct mosquitto *mosq) return MOSQ_ERR_INVAL; } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + /* Allow use of DHE ciphers */ + SSL_CTX_set_dh_auto(listener->ssl_ctx, 1); +#endif /* Disable compression */ SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_COMPRESSION);