Remove support for TLS v1.1

ChangeLog.txt

@@ -79,6 +79,7 @@ Broker:
 - Add `listener_allow_anonymous` option.
 - Add `listener_auto_id_prefix` option.
 - Add support for systemd watchdog.
+- Remove support for TLS v1.1.
 
 Plugins / plugin interface:
 - Add persist-sqlite plugin.
@@ -176,6 +177,7 @@ Client library:
 - Add `on_ext_auth()` callback to allow handling MQTT v5 extended authentication.
 - Add `mosquitto_ext_auth_continue()` function to continue an MQTT v5 extended
   authentication.
+- Remove support for TLS v1.1.
 
 Clients:
 - Add `-W` timeout support to Windows.
@@ -192,6 +194,7 @@ Clients:
 - mosquitto_sub payload hex output can now be split by fixed field length.
 - Add `--message-rate` option to mosquitto_sub, for printing the count of
   messages received each second.
+- Remove support for TLS v1.1.
 
 DB Dump:
 - Add `--json` output mode.

client/pub_client.c

@@ -498,7 +498,7 @@ static void print_usage(void)
 	printf(" --key : client private key for authentication, if required by server.\n");
 	printf(" --keyform : keyfile type, can be either \"pem\" or \"engine\".\n");
 	printf(" --ciphers : openssl compatible list of TLS ciphers to support.\n");
-	printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 tlsv1.2 or tlsv1.1.\n");
+	printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 or tlsv1.2.\n");
 	printf("                 Defaults to tlsv1.2 if available.\n");
 	printf(" --insecure : do not verify the the server certificate. Using this option means that\n");
 	printf("              you cannot be sure that the remote host is the server you wish to connect\n");

client/rr_client.c

@@ -248,7 +248,7 @@ static void print_usage(void)
 	printf(" --key : client private key for authentication, if required by server.\n");
 	printf(" --ciphers : openssl compatible list of TLS ciphers to support.\n");
 	printf(" --tls-use-os-certs : Load and trust OS provided CA certificates.\n");
-	printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 tlsv1.2 or tlsv1.1.\n");
+	printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 or tlsv1.2.\n");
 	printf("                 Defaults to tlsv1.2 if available.\n");
 	printf(" --insecure : do not verify the the server certificate. Using this option means that\n");
 	printf("              you cannot be sure that the remote host is the server you wish to connect\n");

client/sub_client.c

@@ -326,7 +326,7 @@ static void print_usage(void)
 	printf(" --key : client private key for authentication, if required by server.\n");
 	printf(" --keyform : keyfile type, can be either \"pem\" or \"engine\".\n");
 	printf(" --ciphers : openssl compatible list of TLS ciphers to support.\n");
-	printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 tlsv1.2 or tlsv1.1.\n");
+	printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 or tlsv1.2.\n");
 	printf("                 Defaults to tlsv1.2 if available.\n");
 	printf(" --insecure : do not verify the the server certificate. Using this option means that\n");
 	printf("              you cannot be sure that the remote host is the server you wish to connect\n");

include/mosquitto/libmosquitto_tls.h

@@ -130,9 +130,8 @@ libmosq_EXPORT int mosquitto_tls_insecure_set(struct mosquitto *mosq, bool value
  *	tls_version - the version of the SSL/TLS protocol to use as a string. If NULL,
  *	              the default value is used. The default value and the
  *	              available values depend on the version of openssl that the
- *	              library was compiled against. For openssl >= 1.0.1, the
- *	              available options are tlsv1.2, tlsv1.1 and tlsv1, with tlv1.2
- *	              as the default. For openssl < 1.0.1, only tlsv1 is available.
+ *	              library was compiled against. The available options are
+ *	              tlsv1.3 and tlsv1.2, with tlsv1.2 as the default.
  *	ciphers -     a string describing the ciphers available for use. See the
  *	              "openssl ciphers" tool for more information. If NULL, the
  *	              default ciphers will be used.

lib/net_mosq.c

@@ -699,8 +699,6 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 #endif
 		}else if(!strcmp(mosq->tls_version, "tlsv1.2")){
 			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
-		}else if(!strcmp(mosq->tls_version, "tlsv1.1")){
-			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
 		}else{
 			log__printf(mosq, MOSQ_LOG_ERR, "Error: Protocol %s not supported.", mosq->tls_version);
 			return MOSQ_ERR_INVAL;

lib/options.c

@@ -214,8 +214,7 @@ int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs, const char *tl
 	mosq->tls_cert_reqs = cert_reqs;
 	if(tls_version){
 		if(!strcasecmp(tls_version, "tlsv1.3")
-				|| !strcasecmp(tls_version, "tlsv1.2")
-				|| !strcasecmp(tls_version, "tlsv1.1")){
+				|| !strcasecmp(tls_version, "tlsv1.2")){
 
 			mosquitto_FREE(mosq->tls_version);
 			mosq->tls_version = mosquitto_strdup(tls_version);

man/mosquitto.conf.5.xml

@@ -1833,15 +1833,18 @@ openssl dhparam -out dhparam.pem 2048</programlisting>
 				<varlistentry>
 					<term><option>tls_version</option> <replaceable>version</replaceable></term>
 					<listitem>
-						<para>Configure the minimum version of the TLS protocol to be
+						<para>
+							Configure the minimum version of the TLS protocol to be
 							used for this listener. Possible values are
-							<replaceable>tlsv1.3</replaceable>,
-							<replaceable>tlsv1.2</replaceable> and
-							<replaceable>tlsv1.1</replaceable>. If left unset,
-							the default is to allow TLS v1.3 and v1.2.</para>
-						<para>In Mosquitto version 1.6.x and earlier, this
+							<replaceable>tlsv1.3</replaceable> and
+							<replaceable>tlsv1.2</replaceable>.
+							If left unset, the default is to allow TLS v1.3 and v1.2.
+						</para>
+						<para>
+							In Mosquitto version 1.6.x and earlier, this
 							option set the only TLS protocol version that
-							was allowed, rather than the minimum.</para>
+							was allowed, rather than the minimum.
+						</para>
 					</listitem>
 				</varlistentry>
 				<varlistentry>
@@ -1918,12 +1921,13 @@ openssl dhparam -out dhparam.pem 2048</programlisting>
 				<varlistentry>
 					<term><option>tls_version</option> <replaceable>version</replaceable></term>
 					<listitem>
-						<para>Configure the minimum version of the TLS protocol to be
+						<para>
+							Configure the minimum version of the TLS protocol to be
 							used for this listener. Possible values are
-							<replaceable>tlsv1.3</replaceable>,
-							<replaceable>tlsv1.2</replaceable> and
-							<replaceable>tlsv1.1</replaceable>. If left unset,
-							the default of allowing TLS v1.3 and v1.2.</para>
+							<replaceable>tlsv1.3</replaceable> and
+							<replaceable>tlsv1.2</replaceable>.
+							If left unset, the default is to allow TLS v1.3 and v1.2.
+						</para>
 						<para>In Mosquitto version 1.6.x and earlier, this
 							option set the only TLS protocol version that
 							was allowed, rather than the minimum.</para>
@@ -2619,14 +2623,15 @@ topic clients/total in 0 test/mosquitto/org/ $SYS/broker/
 				<varlistentry>
 					<term><option>bridge_tls_version</option> <replaceable>version</replaceable></term>
 					<listitem>
-						<para>Configure the version of the TLS protocol to be
+						<para>
+							Configure the version of the TLS protocol to be
 							used for this bridge. Possible values are
-							<replaceable>tlsv1.3</replaceable>,
-							<replaceable>tlsv1.2</replaceable> and
-							<replaceable>tlsv1.1</replaceable>. Defaults to
+							<replaceable>tlsv1.3</replaceable> and
+							<replaceable>tlsv1.2</replaceable>. Defaults to
 							<replaceable>tlsv1.2</replaceable>. The remote
 							broker must support the same version of TLS for the
-							connection to succeed.</para>
+							connection to succeed.
+						</para>
 					</listitem>
 				</varlistentry>
 				<varlistentry>

man/mosquitto_ctrl.1.xml

@@ -450,12 +450,13 @@
 			<varlistentry>
 				<term><option>--tls-version</option></term>
 				<listitem>
-					<para>Choose which TLS protocol version to use when
+					<para>
+						Choose which TLS protocol version to use when
 						communicating with the broker. Valid options are
-						<option>tlsv1.3</option>, <option>tlsv1.2</option> and
-						<option>tlsv1.1</option>. The default value is
-						<option>tlsv1.2</option>. Must match the protocol
-						version used by the broker.</para>
+						<option>tlsv1.3</option> and <option>tlsv1.2</option>.
+						The default value is <option>tlsv1.2</option>.
+						Must match the protocol version used by the broker.
+					</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>

man/mosquitto_pub.1.xml

@@ -641,12 +641,13 @@
 			<varlistentry>
 				<term><option>--tls-version</option></term>
 				<listitem>
-					<para>Choose which TLS protocol version to use when
+					<para>
+						Choose which TLS protocol version to use when
 						communicating with the broker. Valid options are
-						<option>tlsv1.3</option>, <option>tlsv1.2</option> and
-						<option>tlsv1.1</option>. The default value is
-						<option>tlsv1.2</option>. Must match the protocol
-						version used by the broker.</para>
+						<option>tlsv1.3</option> and <option>tlsv1.2</option>.
+						The default value is <option>tlsv1.2</option>.
+						Must match the protocol version used by the broker.
+					</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>

man/mosquitto_rr.1.xml

@@ -660,12 +660,13 @@
 			<varlistentry>
 				<term><option>--tls-version</option></term>
 				<listitem>
-					<para>Choose which TLS protocol version to use when
+					<para>
+						Choose which TLS protocol version to use when
 						communicating with the broker. Valid options are
-						<option>tlsv1.3</option>, <option>tlsv1.2</option> and
-						<option>tlsv1.1</option>. The default value is
-						<option>tlsv1.2</option>. Must match the protocol
-						version used by the broker.</para>
+						<option>tlsv1.3</option> and <option>tlsv1.2</option>.
+						The default value is <option>tlsv1.2</option>.
+						Must match the protocol version used by the broker.
+					</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>

man/mosquitto_sub.1.xml

@@ -754,12 +754,13 @@ mosquitto_sub -t 'bbc/#' -T bbc/bbc1 --remove-retained</programlisting>
 			<varlistentry>
 				<term><option>--tls-version</option></term>
 				<listitem>
-					<para>Choose which TLS protocol version to use when
+					<para>
+						Choose which TLS protocol version to use when
 						communicating with the broker. Valid options are
-						<option>tlsv1.3</option>, <option>tlsv1.2</option> and
-						<option>tlsv1.1</option>. The default value is
-						<option>tlsv1.2</option>. Must match the protocol
-						version used by the broker.</para>
+						<option>tlsv1.3</option> and <option>tlsv1.2</option>.
+						The default value is <option>tlsv1.2</option>.
+						Must match the protocol version used by the broker.
+					</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>

mosquitto.conf

@@ -381,7 +381,7 @@
 #keyfile
 
 # Configure the minimum version of the TLS protocol to be used for this listener.
-# Possible values are tlsv1.3, tlsv1.2 and tlsv1.1.
+# Possible values are tlsv1.3 and tlsv1.2.
 #tls_version tlsv1.2
 
 # If you wish to control which encryption ciphers are used, use the ciphers
@@ -1060,7 +1060,7 @@
 #bridge_keyfile
 
 # Configure the version of the TLS protocol to be used for this bridge.
-# Possible values are tlsv1.3, tlsv1.2 and tlsv1.1. Defaults to tlsv1.2.
+# Possible values are tlsv1.3 and tlsv1.2. Defaults to tlsv1.2.
 # The remote broker must support the same version of TLS for the connection to succeed.
 #bridge_tls_version
 

src/net.c

@@ -417,8 +417,6 @@ int net__tls_server_ctx(struct mosquitto__listener *listener)
 #endif
 	}else if(!strcmp(listener->tls_version, "tlsv1.2")){
 		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
-	}else if(!strcmp(listener->tls_version, "tlsv1.1")){
-		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
 	}else{
 		log__printf(NULL, MOSQ_LOG_ERR, "Error: Unsupported tls_version \"%s\".", listener->tls_version);
 		return MOSQ_ERR_TLS;

www/pages/documentation/dynamic-security.md

@@ -554,8 +554,8 @@ they would be provided on the command line. For example:
   This excludes any error messages given in case of invalid user input (e.g.
   using `-p` without a port).
 * `--tls-version version` : Choose which TLS protocol version to use when
-  communicating with the broker. Valid options are tlsv1.3, tlsv1.2 and
-  tlsv1.1. The default value is tlsv1.2. Must match the protocol version used
+  communicating with the broker. Valid options are tlsv1.3 and tlsv1.2.
+  The default value is tlsv1.2. Must match the protocol version used
   by the broker.
 * `-u username` : Provide a username to be used for authenticating with the
   broker. See also the `-P` argument.