Change tls_version option behaviour.

The `tls_version` option now defines the *minimum* TLS protocol version to
be used, rather than the exact version.

Closes #1258. Thanks to Daniele Sluijters.

ChangeLog.txt

@@ -24,6 +24,8 @@ Breaking changes:
  connections are allowed.
 - The `pid_file` option will now always attempt to write a pid file,
  regardless of whether the `-d` argument is used when running the broker.
+- The `tls_version` option now defines the *minimum* TLS protocol version to
+ be used, rather than the exact version. Closes #1258.
 
 Broker:
 - When running as root, if dropping privileges to the "mosquitto" user fails,

lib/net_mosq.c

@@ -692,20 +692,15 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
  }
 
  if(!mosq->tls_version){
- SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
+ SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
 #ifdef SSL_OP_NO_TLSv1_3
  }else if(!strcmp(mosq->tls_version, "tlsv1.3")){
  SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
- }else if(!strcmp(mosq->tls_version, "tlsv1.2")){
- SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_3);
- }else if(!strcmp(mosq->tls_version, "tlsv1.1")){
- SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3);
-#else
+#endif
  }else if(!strcmp(mosq->tls_version, "tlsv1.2")){
  SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
  }else if(!strcmp(mosq->tls_version, "tlsv1.1")){
- SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2);
-#endif
+ SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
  }else{
  log__printf(mosq, MOSQ_LOG_ERR, "Error: Protocol %s not supported.", mosq->tls_version);
  COMPAT_CLOSE(mosq->sock);

man/mosquitto.conf.5.xml

@@ -1377,13 +1377,15 @@ openssl dhparam -out dhparam.pem 2048</programlisting>
  <varlistentry>
  <term><option>tls_version</option> <replaceable>version</replaceable></term>
  <listitem>
- <para>Configure the version of the TLS protocol to be
+ <para>Configure the minimum version of the TLS protocol to be
  used for this listener. Possible values are
  <replaceable>tlsv1.3</replaceable>,
  <replaceable>tlsv1.2</replaceable> and
  <replaceable>tlsv1.1</replaceable>. If left unset,
- the default of allowing all of TLS v1.3, v1.2 and
- v1.1 is used.</para>
+ the default of allowing TLS v1.3 and v1.2.</para>
+ <para>In Mosquitto version 1.6.x and earlier, this
+ option set the only TLS protocol version that
+ was allowed, rather than the minimum.</para>
  </listitem>
  </varlistentry>
  <varlistentry>
@@ -1460,13 +1462,15 @@ openssl dhparam -out dhparam.pem 2048</programlisting>
  <varlistentry>
  <term><option>tls_version</option> <replaceable>version</replaceable></term>
  <listitem>
- <para>Configure the version of the TLS protocol to be
+ <para>Configure the minimum version of the TLS protocol to be
  used for this listener. Possible values are
  <replaceable>tlsv1.3</replaceable>,
  <replaceable>tlsv1.2</replaceable> and
  <replaceable>tlsv1.1</replaceable>. If left unset,
- the default of allowing all of TLS v1.3, v1.2 and
- v1.1 is used.</para>
+ the default of allowing TLS v1.3 and v1.2.</para>
+ <para>In Mosquitto version 1.6.x and earlier, this
+ option set the only TLS protocol version that
+ was allowed, rather than the minimum.</para>
  </listitem>
  </varlistentry>
  <varlistentry>