Allow disabling of TLS 1.0 #469
Comments
What's the downside to just disabling TLS v1.0?
I don't have a problem to just disable it, but there may be users who have clients that still support only TLS v1.0 or lower.
In many projects, we've disabled TLS v1.0 as a default in the code, removed all versions of SSL from the code and still have the option to enable TLS v1.0 in the configuration file.
I agree, but I guess disabling TLS v1.0 should be done cautiously, because IoT use cases are different from web browsing. There might be many devices that cannot be upgraded to use TLS v1.1 or later. For mosquitto, changing the default behavior causes a larger impact than for web servers.
I think this can be closed now as TLS 1.0 is not available in version 1.6.
At the moment you can only pick a certain TLS version, or allow all TLS versions. It would be better if that could be done for TLS as well, since it's vulnerable to BEAST.

I think this is done in net.c, `mosquitto__tls_server_ctx`. There it picks one `*_server_method` based on the settings. It would be useful if there was also a way to have mosquitto pass `SSL_OP_NO_TLSv1` via `ssl_options` slightly below that. Possibly the option could be comma separated; if so, the code would use `SSLv23_server_method` and then use the related `SSL_OP_NO_SSL*` and `SSL_OP_NO_TLS*` for the ones not in the list.