diff --git a/ChangeLog.txt b/ChangeLog.txt
index d9b762e1..b8c1cd79 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -79,6 +79,7 @@ Broker:
- Add `listener_allow_anonymous` option.
- Add `listener_auto_id_prefix` option.
- Add support for systemd watchdog.
+- Remove support for TLS v1.1.
Plugins / plugin interface:
- Add persist-sqlite plugin.
@@ -176,6 +177,7 @@ Client library:
- Add `on_ext_auth()` callback to allow handling MQTT v5 extended authentication.
- Add `mosquitto_ext_auth_continue()` function to continue an MQTT v5 extended
authentication.
+- Remove support for TLS v1.1.
Clients:
- Add `-W` timeout support to Windows.
@@ -192,6 +194,7 @@ Clients:
- mosquitto_sub payload hex output can now be split by fixed field length.
- Add `--message-rate` option to mosquitto_sub, for printing the count of
messages received each second.
+- Remove support for TLS v1.1.
DB Dump:
- Add `--json` output mode.
diff --git a/client/pub_client.c b/client/pub_client.c
index 4b67b3c1..ff5ac224 100644
--- a/client/pub_client.c
+++ b/client/pub_client.c
@@ -498,7 +498,7 @@ static void print_usage(void)
printf(" --key : client private key for authentication, if required by server.\n");
printf(" --keyform : keyfile type, can be either \"pem\" or \"engine\".\n");
printf(" --ciphers : openssl compatible list of TLS ciphers to support.\n");
- printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 tlsv1.2 or tlsv1.1.\n");
+ printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 or tlsv1.2.\n");
printf(" Defaults to tlsv1.2 if available.\n");
printf(" --insecure : do not verify the the server certificate. Using this option means that\n");
printf(" you cannot be sure that the remote host is the server you wish to connect\n");
diff --git a/client/rr_client.c b/client/rr_client.c
index ffb432be..b7c02142 100644
--- a/client/rr_client.c
+++ b/client/rr_client.c
@@ -248,7 +248,7 @@ static void print_usage(void)
printf(" --key : client private key for authentication, if required by server.\n");
printf(" --ciphers : openssl compatible list of TLS ciphers to support.\n");
printf(" --tls-use-os-certs : Load and trust OS provided CA certificates.\n");
- printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 tlsv1.2 or tlsv1.1.\n");
+ printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 or tlsv1.2.\n");
printf(" Defaults to tlsv1.2 if available.\n");
printf(" --insecure : do not verify the the server certificate. Using this option means that\n");
printf(" you cannot be sure that the remote host is the server you wish to connect\n");
diff --git a/client/sub_client.c b/client/sub_client.c
index 72e2d78b..e7747cc1 100644
--- a/client/sub_client.c
+++ b/client/sub_client.c
@@ -326,7 +326,7 @@ static void print_usage(void)
printf(" --key : client private key for authentication, if required by server.\n");
printf(" --keyform : keyfile type, can be either \"pem\" or \"engine\".\n");
printf(" --ciphers : openssl compatible list of TLS ciphers to support.\n");
- printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 tlsv1.2 or tlsv1.1.\n");
+ printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 or tlsv1.2.\n");
printf(" Defaults to tlsv1.2 if available.\n");
printf(" --insecure : do not verify the the server certificate. Using this option means that\n");
printf(" you cannot be sure that the remote host is the server you wish to connect\n");
diff --git a/include/mosquitto/libmosquitto_tls.h b/include/mosquitto/libmosquitto_tls.h
index a4d7b838..8702af8c 100644
--- a/include/mosquitto/libmosquitto_tls.h
+++ b/include/mosquitto/libmosquitto_tls.h
@@ -130,9 +130,8 @@ libmosq_EXPORT int mosquitto_tls_insecure_set(struct mosquitto *mosq, bool value
* tls_version - the version of the SSL/TLS protocol to use as a string. If NULL,
* the default value is used. The default value and the
* available values depend on the version of openssl that the
- * library was compiled against. For openssl >= 1.0.1, the
- * available options are tlsv1.2, tlsv1.1 and tlsv1, with tlv1.2
- * as the default. For openssl < 1.0.1, only tlsv1 is available.
+ * library was compiled against. The available options are
+ * tlsv1.3 and tlsv1.2, with tlsv1.2 as the default.
* ciphers - a string describing the ciphers available for use. See the
* "openssl ciphers" tool for more information. If NULL, the
* default ciphers will be used.
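Review bot: The rewritten comment still opens with "The default value and the available values depend on the version of openssl that the library was compiled against" and then lists a fixed set, which reads as contradictory. The tlsv1.3 branch in net__init_ssl_ctx appears to sit under a preprocessor conditional (the `#endif` at the top of the lib/net_mosq.c hunk), so the dependency remark is presumably still true for tlsv1.3 only; I would qualify it rather than drop it, e.g. `The available options are tlsv1.2 and, when the library was built against an OpenSSL that supports it, tlsv1.3; tlsv1.2 is the default.` The surrounding doc block for mosquitto_tls_opts_set continues outside the hunk.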
diff --git a/lib/net_mosq.c b/lib/net_mosq.c
index 2e88dc01..fc39642d 100644
--- a/lib/net_mosq.c
+++ b/lib/net_mosq.c
@@ -699,8 +699,6 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
#endif
}else if(!strcmp(mosq->tls_version, "tlsv1.2")){
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
- }else if(!strcmp(mosq->tls_version, "tlsv1.1")){
- SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
}else{
log__printf(mosq, MOSQ_LOG_ERR, "Error: Protocol %s not supported.", mosq->tls_version);
return MOSQ_ERR_INVAL;
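Review bot: The surviving `tlsv1.2` branch still expresses the protocol floor as a blacklist of `SSL_OP_NO_*` flags, which OpenSSL documents as deprecated since 1.1.0 in favour of the explicit floor API; with v1.1 gone the branches now differ only in that floor, so `SSL_CTX_set_min_proto_version(mosq->ssl_ctx, TLS1_2_VERSION);` here (and `TLS1_3_VERSION` in the branch above, presumably the tlsv1.3 case) states the intent directly and needs no new flag each time a version is retired. The same pattern is in `net__tls_server_ctx` in src/net.c. Whether the file already has a minimum-OpenSSL guard for that API cannot be seen here, because the tlsv1.3 branch and the rest of net__init_ssl_ctx lie outside the hunk.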
diff --git a/lib/options.c b/lib/options.c
index 8f13e9e0..91daaa38 100644
--- a/lib/options.c
+++ b/lib/options.c
@@ -214,8 +214,7 @@ int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs, const char *tl
mosq->tls_cert_reqs = cert_reqs;
if(tls_version){
if(!strcasecmp(tls_version, "tlsv1.3")
- || !strcasecmp(tls_version, "tlsv1.2")
- || !strcasecmp(tls_version, "tlsv1.1")){
+ || !strcasecmp(tls_version, "tlsv1.2")){
mosquitto_FREE(mosq->tls_version);
mosq->tls_version = mosquitto_strdup(tls_version);
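Review bot: The value is accepted case-insensitively with `strcasecmp` here but stored verbatim, and net__init_ssl_ctx (lib/net_mosq.c hunk) compares it case-sensitively with `strcmp`, so a caller passing `"TLSv1.2"` passes this check and then fails at connect time with `Error: Protocol TLSv1.2 not supported.` and MOSQ_ERR_INVAL. Either canonicalise to lower case before the `mosquitto_strdup`, or make the later comparisons `strcasecmp` as well, e.g. `}else if(!strcasecmp(mosq->tls_version, "tlsv1.2")){`. The tlsv1.3 comparison in that function, and the rejection branch of mosquitto_tls_opts_set, are outside the visible hunks.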
diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml
index 027cb912..198c651e 100644
--- a/man/mosquitto.conf.5.xml
+++ b/man/mosquitto.conf.5.xml
@@ -1833,15 +1833,18 @@ openssl dhparam -out dhparam.pem 2048
version
- Configure the minimum version of the TLS protocol to be
+
+ Configure the minimum version of the TLS protocol to be
used for this listener. Possible values are
- tlsv1.3,
- tlsv1.2 and
- tlsv1.1. If left unset,
- the default is to allow TLS v1.3 and v1.2.
- In Mosquitto version 1.6.x and earlier, this
+ tlsv1.3 and
+ tlsv1.2.
+ If left unset, the default is to allow TLS v1.3 and v1.2.
+
+
+ In Mosquitto version 1.6.x and earlier, this
option set the only TLS protocol version that
- was allowed, rather than the minimum.
+ was allowed, rather than the minimum.
+
@@ -1918,12 +1921,13 @@ openssl dhparam -out dhparam.pem 2048
version
- Configure the minimum version of the TLS protocol to be
+
+ Configure the minimum version of the TLS protocol to be
used for this listener. Possible values are
- tlsv1.3,
- tlsv1.2 and
- tlsv1.1. If left unset,
- the default of allowing TLS v1.3 and v1.2.
+ tlsv1.3 and
+ tlsv1.2.
+ If left unset, the default is to allow TLS v1.3 and v1.2.
+ In Mosquitto version 1.6.x and earlier, this
option set the only TLS protocol version that
was allowed, rather than the minimum.
@@ -2619,14 +2623,15 @@ topic clients/total in 0 test/mosquitto/org/ $SYS/broker/
version
- Configure the version of the TLS protocol to be
+
+ Configure the version of the TLS protocol to be
used for this bridge. Possible values are
- tlsv1.3,
- tlsv1.2 and
- tlsv1.1. Defaults to
+ tlsv1.3 and
+ tlsv1.2. Defaults to
tlsv1.2. The remote
broker must support the same version of TLS for the
- connection to succeed.
+ connection to succeed.
+
diff --git a/man/mosquitto_ctrl.1.xml b/man/mosquitto_ctrl.1.xml
index da088ac9..85422741 100644
--- a/man/mosquitto_ctrl.1.xml
+++ b/man/mosquitto_ctrl.1.xml
@@ -450,12 +450,13 @@
- Choose which TLS protocol version to use when
+
+ Choose which TLS protocol version to use when
communicating with the broker. Valid options are
- , and
- . The default value is
- . Must match the protocol
- version used by the broker.
+ and .
+ The default value is .
+ Must match the protocol version used by the broker.
+
diff --git a/man/mosquitto_pub.1.xml b/man/mosquitto_pub.1.xml
index 68afe01f..fc27978c 100644
--- a/man/mosquitto_pub.1.xml
+++ b/man/mosquitto_pub.1.xml
@@ -641,12 +641,13 @@
- Choose which TLS protocol version to use when
+
+ Choose which TLS protocol version to use when
communicating with the broker. Valid options are
- , and
- . The default value is
- . Must match the protocol
- version used by the broker.
+ and .
+ The default value is .
+ Must match the protocol version used by the broker.
+
diff --git a/man/mosquitto_rr.1.xml b/man/mosquitto_rr.1.xml
index e542f920..3790542c 100644
--- a/man/mosquitto_rr.1.xml
+++ b/man/mosquitto_rr.1.xml
@@ -660,12 +660,13 @@
- Choose which TLS protocol version to use when
+
+ Choose which TLS protocol version to use when
communicating with the broker. Valid options are
- , and
- . The default value is
- . Must match the protocol
- version used by the broker.
+ and .
+ The default value is .
+ Must match the protocol version used by the broker.
+
diff --git a/man/mosquitto_sub.1.xml b/man/mosquitto_sub.1.xml
index f1aded01..4a1f9289 100644
--- a/man/mosquitto_sub.1.xml
+++ b/man/mosquitto_sub.1.xml
@@ -754,12 +754,13 @@ mosquitto_sub -t 'bbc/#' -T bbc/bbc1 --remove-retained
- Choose which TLS protocol version to use when
+
+ Choose which TLS protocol version to use when
communicating with the broker. Valid options are
- , and
- . The default value is
- . Must match the protocol
- version used by the broker.
+ and .
+ The default value is .
+ Must match the protocol version used by the broker.
+
diff --git a/mosquitto.conf b/mosquitto.conf
index 9295e481..28f6cc6f 100644
--- a/mosquitto.conf
+++ b/mosquitto.conf
@@ -381,7 +381,7 @@
#keyfile
# Configure the minimum version of the TLS protocol to be used for this listener.
-# Possible values are tlsv1.3, tlsv1.2 and tlsv1.1.
+# Possible values are tlsv1.3 and tlsv1.2.
#tls_version tlsv1.2
# If you wish to control which encryption ciphers are used, use the ciphers
@@ -1060,7 +1060,7 @@
#bridge_keyfile
# Configure the version of the TLS protocol to be used for this bridge.
-# Possible values are tlsv1.3, tlsv1.2 and tlsv1.1. Defaults to tlsv1.2.
+# Possible values are tlsv1.3 and tlsv1.2. Defaults to tlsv1.2.
# The remote broker must support the same version of TLS for the connection to succeed.
#bridge_tls_version
diff --git a/src/net.c b/src/net.c
index 60ed5eb2..4a39a3b7 100644
--- a/src/net.c
+++ b/src/net.c
@@ -417,8 +417,6 @@ int net__tls_server_ctx(struct mosquitto__listener *listener)
#endif
}else if(!strcmp(listener->tls_version, "tlsv1.2")){
SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
- }else if(!strcmp(listener->tls_version, "tlsv1.1")){
- SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
}else{
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unsupported tls_version \"%s\".", listener->tls_version);
return MOSQ_ERR_TLS;
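Review bot: No config-time rejection of the removed value is part of this diff, so a deployed `tls_version tlsv1.1` line is only caught here when the listener context is built, with the generic `Unsupported tls_version` log and MOSQ_ERR_TLS. If conf.c validates listener tls_version values separately it needs the same change; if it does not, a dedicated message in this else branch such as `Error: tls_version tlsv1.1 is no longer supported, use tlsv1.2 or tlsv1.3.` would make the post-upgrade start failure self-explanatory. The rest of net__tls_server_ctx, including the tlsv1.3 branch, is outside the hunk.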
diff --git a/www/pages/documentation/dynamic-security.md b/www/pages/documentation/dynamic-security.md
index 7c1af0e5..e025adb2 100644
--- a/www/pages/documentation/dynamic-security.md
+++ b/www/pages/documentation/dynamic-security.md
@@ -554,8 +554,8 @@ they would be provided on the command line. For example:
This excludes any error messages given in case of invalid user input (e.g.
using `-p` without a port).
* `--tls-version version` : Choose which TLS protocol version to use when
- communicating with the broker. Valid options are tlsv1.3, tlsv1.2 and
- tlsv1.1. The default value is tlsv1.2. Must match the protocol version used
+ communicating with the broker. Valid options are tlsv1.3 and tlsv1.2.
+ The default value is tlsv1.2. Must match the protocol version used
by the broker.
* `-u username` : Provide a username to be used for authenticating with the
broker. See also the `-P` argument.