diff --git a/ChangeLog.txt b/ChangeLog.txt
index 5b47f71eeb..8fa8ba61b7 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -24,6 +24,8 @@ Breaking changes:
connections are allowed.
- The `pid_file` option will now always attempt to write a pid file,
regardless of whether the `-d` argument is used when running the broker.
+- The `tls_version` option now defines the *minimum* TLS protocol version to
+ be used, rather than the exact version. Closes #1258.
Broker:
- When running as root, if dropping privileges to the "mosquitto" user fails,
diff --git a/lib/net_mosq.c b/lib/net_mosq.c
index 6743d768bd..c05537b7c7 100644
--- a/lib/net_mosq.c
+++ b/lib/net_mosq.c
@@ -692,20 +692,15 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
}
if(!mosq->tls_version){
- SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
+ SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
#ifdef SSL_OP_NO_TLSv1_3
}else if(!strcmp(mosq->tls_version, "tlsv1.3")){
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
- }else if(!strcmp(mosq->tls_version, "tlsv1.2")){
- SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_3);
- }else if(!strcmp(mosq->tls_version, "tlsv1.1")){
- SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3);
-#else
+#endif
}else if(!strcmp(mosq->tls_version, "tlsv1.2")){
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
}else if(!strcmp(mosq->tls_version, "tlsv1.1")){
- SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2);
-#endif
+ SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
}else{
log__printf(mosq, MOSQ_LOG_ERR, "Error: Protocol %s not supported.", mosq->tls_version);
COMPAT_CLOSE(mosq->sock);
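Review bot: The SSL_OP_NO_* masks in the rewritten chain express the new "minimum version" semantics as an opt-out list, so every branch has to enumerate the older protocols by hand and the tlsv1.3 branch still needs the `#ifdef SSL_OP_NO_TLSv1_3` guard; on OpenSSL 1.1.0 and later `SSL_CTX_set_min_proto_version()` states the floor directly and its return value reports a version the library cannot offer. The sketch below keeps the chain shape but only selects a minimum, with the `SSL_CTX_set_min_proto_version(mosq->ssl_ctx, min_version)` call (return value checked, failure treated like the unsupported-protocol error path) placed after the chain's closing brace, which lies outside the hunk; if builds against OpenSSL before 1.1.0 must keep working, wrap it in `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` and keep the existing chain in the `#else`. Either way a comment such as `/* tls_version is a minimum: only protocols older than it are disabled */` above the chain would record the semantic change the ChangeLog describes. net__init_ssl_ctx starts and ends outside the hunk.
```c
	/* tls_version is a minimum: only protocols older than it are disabled,
	 * so versions the library adds later stay enabled without code changes. */
	int min_version = TLS1_2_VERSION;
	if(!mosq->tls_version){
		min_version = TLS1_2_VERSION;
#ifdef TLS1_3_VERSION
	}else if(!strcmp(mosq->tls_version, "tlsv1.3")){
		min_version = TLS1_3_VERSION;
#endif
	}else if(!strcmp(mosq->tls_version, "tlsv1.2")){
		min_version = TLS1_2_VERSION;
	}else if(!strcmp(mosq->tls_version, "tlsv1.1")){
		min_version = TLS1_1_VERSION;
	}else{
		log__printf(mosq, MOSQ_LOG_ERR, "Error: Protocol %s not supported.", mosq->tls_version);
		/* … unchanged: COMPAT_CLOSE and the rest of the error path … */
```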
diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml
index adb3ac1005..503003e576 100644
--- a/man/mosquitto.conf.5.xml
+++ b/man/mosquitto.conf.5.xml
@@ -1377,13 +1377,15 @@ openssl dhparam -out dhparam.pem 2048
version
- Configure the version of the TLS protocol to be
+ Configure the minimum version of the TLS protocol to be
used for this listener. Possible values are
tlsv1.3,
tlsv1.2 and
tlsv1.1. If left unset,
- the default of allowing all of TLS v1.3, v1.2 and
- v1.1 is used.
+ the default of allowing TLS v1.3 and v1.2.
+ In Mosquitto version 1.6.x and earlier, this
+ option set the only TLS protocol version that
+ was allowed, rather than the minimum.
@@ -1460,13 +1462,15 @@ openssl dhparam -out dhparam.pem 2048
version
- Configure the version of the TLS protocol to be
+ Configure the minimum version of the TLS protocol to be
used for this listener. Possible values are
tlsv1.3,
tlsv1.2 and
tlsv1.1. If left unset,
- the default of allowing all of TLS v1.3, v1.2 and
- v1.1 is used.
+ the default of allowing TLS v1.3 and v1.2.
+ In Mosquitto version 1.6.x and earlier, this
+ option set the only TLS protocol version that
+ was allowed, rather than the minimum.