From bd52ede4de36b5fd0136be83864a48c3d8a1f3de Mon Sep 17 00:00:00 2001
From: "Roger A. Light" 
Date: Tue, 1 Apr 2025 11:36:39 +0100
Subject: [PATCH] Remove support for TLS v1.1

---
 ChangeLog.txt | 3 ++
 client/pub_client.c | 2 +-
 client/rr_client.c | 2 +-
 client/sub_client.c | 2 +-
 include/mosquitto/libmosquitto_tls.h | 5 ++-
 lib/net_mosq.c | 2 --
 lib/options.c | 3 +-
 man/mosquitto.conf.5.xml | 39 ++++++++++++---------
 man/mosquitto_ctrl.1.xml | 11 +++---
 man/mosquitto_pub.1.xml | 11 +++---
 man/mosquitto_rr.1.xml | 11 +++---
 man/mosquitto_sub.1.xml | 11 +++---
 mosquitto.conf | 4 +--
 src/net.c | 2 --
 www/pages/documentation/dynamic-security.md | 4 +--
 15 files changed, 59 insertions(+), 53 deletions(-)

diff --git a/ChangeLog.txt b/ChangeLog.txt
index d9b762e1..b8c1cd79 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -79,6 +79,7 @@ Broker:
 - Add `listener_allow_anonymous` option.
 - Add `listener_auto_id_prefix` option.
 - Add support for systemd watchdog.
+- Remove support for TLS v1.1.
 
 Plugins / plugin interface:
 - Add persist-sqlite plugin.
@@ -176,6 +177,7 @@ Client library:
 - Add `on_ext_auth()` callback to allow handling MQTT v5 extended authentication.
 - Add `mosquitto_ext_auth_continue()` function to continue an MQTT v5 extended authentication.
+- Remove support for TLS v1.1.
 
 Clients:
 - Add `-W` timeout support to Windows.
@@ -192,6 +194,7 @@ Clients:
 - mosquitto_sub payload hex output can now be split by fixed field length.
 - Add `--message-rate` option to mosquitto_sub, for printing the count of messages received each second.
+- Remove support for TLS v1.1.
 
 DB Dump:
 - Add `--json` output mode.
diff --git a/client/pub_client.c b/client/pub_client.c
index 4b67b3c1..ff5ac224 100644
--- a/client/pub_client.c
+++ b/client/pub_client.c
@@ -498,7 +498,7 @@ static void print_usage(void)
 printf(" --key : client private key for authentication, if required by server.\n");
 printf(" --keyform : keyfile type, can be either \"pem\" or \"engine\".\n");
 printf(" --ciphers : openssl compatible list of TLS ciphers to support.\n");
- printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 tlsv1.2 or tlsv1.1.\n");
+ printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 or tlsv1.2.\n");
 printf(" Defaults to tlsv1.2 if available.\n");
 printf(" --insecure : do not verify the the server certificate. Using this option means that\n");
 printf(" you cannot be sure that the remote host is the server you wish to connect\n");
diff --git a/client/rr_client.c b/client/rr_client.c
index ffb432be..b7c02142 100644
--- a/client/rr_client.c
+++ b/client/rr_client.c
@@ -248,7 +248,7 @@ static void print_usage(void)
 printf(" --key : client private key for authentication, if required by server.\n");
 printf(" --ciphers : openssl compatible list of TLS ciphers to support.\n");
 printf(" --tls-use-os-certs : Load and trust OS provided CA certificates.\n");
- printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 tlsv1.2 or tlsv1.1.\n");
+ printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 or tlsv1.2.\n");
 printf(" Defaults to tlsv1.2 if available.\n");
 printf(" --insecure : do not verify the the server certificate. Using this option means that\n");
 printf(" you cannot be sure that the remote host is the server you wish to connect\n");
diff --git a/client/sub_client.c b/client/sub_client.c
index 72e2d78b..e7747cc1 100644
--- a/client/sub_client.c
+++ b/client/sub_client.c
@@ -326,7 +326,7 @@ static void print_usage(void)
 printf(" --key : client private key for authentication, if required by server.\n");
 printf(" --keyform : keyfile type, can be either \"pem\" or \"engine\".\n");
 printf(" --ciphers : openssl compatible list of TLS ciphers to support.\n");
- printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 tlsv1.2 or tlsv1.1.\n");
+ printf(" --tls-version : TLS protocol version, can be one of tlsv1.3 or tlsv1.2.\n");
 printf(" Defaults to tlsv1.2 if available.\n");
 printf(" --insecure : do not verify the the server certificate. Using this option means that\n");
 printf(" you cannot be sure that the remote host is the server you wish to connect\n");
diff --git a/include/mosquitto/libmosquitto_tls.h b/include/mosquitto/libmosquitto_tls.h
index a4d7b838..8702af8c 100644
--- a/include/mosquitto/libmosquitto_tls.h
+++ b/include/mosquitto/libmosquitto_tls.h
@@ -130,9 +130,8 @@ libmosq_EXPORT int mosquitto_tls_insecure_set(struct mosquitto *mosq, bool value
 * tls_version - the version of the SSL/TLS protocol to use as a string. If NULL,
 * the default value is used. The default value and the
 * available values depend on the version of openssl that the
- * library was compiled against. For openssl >= 1.0.1, the
- * available options are tlsv1.2, tlsv1.1 and tlsv1, with tlv1.2
- * as the default. For openssl < 1.0.1, only tlsv1 is available.
+ * library was compiled against. The available options are
+ * tlsv1.3 and tlsv1.2, with tlsv1.2 as the default.
 * ciphers - a string describing the ciphers available for use. See the
 * "openssl ciphers" tool for more information. If NULL, the
 * default ciphers will be used.
diff --git a/lib/net_mosq.c b/lib/net_mosq.c
index 2e88dc01..fc39642d 100644
--- a/lib/net_mosq.c
+++ b/lib/net_mosq.c
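Review bot: The rewritten `tls_version` comment in the libmosquitto_tls.h hunk still says the available values depend on the OpenSSL version the library was compiled against and then lists a fixed set, so a reader cannot tell which of the two listed values can be missing. The `#endif` that precedes the `tlsv1.2` branch in the lib/net_mosq.c hunk suggests the `tlsv1.3` branch is conditionally compiled, which is presumably what the dependency sentence refers to; if so, the comment should say that explicitly, e.g. ` * library was compiled against: tlsv1.2 is always available and tlsv1.3` / ` * is available when the OpenSSL build supports it; tlsv1.2 is the default.` The comment should also state what a rejected value does to the call, since the caller has to handle it; the return value is documented outside this hunk.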
@@ -699,8 +699,6 @@ static int net__init_ssl_ctx(struct mosquitto *mosq) #endif }else if(!strcmp(mosq->tls_version, "tlsv1.2")){ SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1); - }else if(!strcmp(mosq->tls_version, "tlsv1.1")){ - SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1); }else{ log__printf(mosq, MOSQ_LOG_ERR, "Error: Protocol %s not supported.", mosq->tls_version); return MOSQ_ERR_INVAL; diff --git a/lib/options.c b/lib/options.c index 8f13e9e0..91daaa38 100644 --- a/lib/options.c +++ b/lib/options.c @@ -214,8 +214,7 @@ int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs, const char *tl mosq->tls_cert_reqs = cert_reqs; if(tls_version){ if(!strcasecmp(tls_version, "tlsv1.3") - || !strcasecmp(tls_version, "tlsv1.2") - || !strcasecmp(tls_version, "tlsv1.1")){ + || !strcasecmp(tls_version, "tlsv1.2")){ mosquitto_FREE(mosq->tls_version); mosq->tls_version = mosquitto_strdup(tls_version); diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml index 027cb912..198c651e 100644 --- a/man/mosquitto.conf.5.xml +++ b/man/mosquitto.conf.5.xml @@ -1833,15 +1833,18 @@ openssl dhparam -out dhparam.pem 2048 version - Configure the minimum version of the TLS protocol to be + + Configure the minimum version of the TLS protocol to be used for this listener. Possible values are - tlsv1.3, - tlsv1.2 and - tlsv1.1. If left unset, - the default is to allow TLS v1.3 and v1.2. - In Mosquitto version 1.6.x and earlier, this + tlsv1.3 and + tlsv1.2. + If left unset, the default is to allow TLS v1.3 and v1.2. + + + In Mosquitto version 1.6.x and earlier, this option set the only TLS protocol version that - was allowed, rather than the minimum. + was allowed, rather than the minimum. + 
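Review bot: With the `tlsv1.1` branch removed, the surviving `tlsv1.2` branch of `net__init_ssl_ctx` still expresses the protocol floor as a deny-list of `SSL_OP_NO_*` flags; where the build's OpenSSL provides it, `SSL_CTX_set_min_proto_version(mosq->ssl_ctx, TLS1_2_VERSION);` states the intent directly and does not depend on enumerating every older version. The NULL/default `tls_version` path is outside this hunk, so it is worth confirming separately that it floors the context at TLS 1.2 as well, as the man page changes in this commit promise; if it does not, dropping the explicit `tlsv1.1` option removes the name but not the protocol from the default handshake. The function starts before and continues past the hunk.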
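Review bot: `mosquitto_tls_opts_set` validates the version with `strcasecmp` but then stores the caller's spelling verbatim via `mosquitto_strdup(tls_version)`, while `net__init_ssl_ctx` in the lib/net_mosq.c hunk dispatches on the stored string with `strcmp`, so a value such as `TLSv1.2` passes this check and is only rejected later at connect time with "Protocol %s not supported". Storing the canonical literal instead of the input closes that gap in one line: `mosq->tls_version = mosquitto_strdup(!strcasecmp(tls_version, "tlsv1.3") ? "tlsv1.3" : "tlsv1.2");`. Whether the `mosquitto_strdup` result is checked for NULL is not visible, as the function continues past the hunk.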
@@ -1918,12 +1921,13 @@ openssl dhparam -out dhparam.pem 2048 version - Configure the minimum version of the TLS protocol to be + + Configure the minimum version of the TLS protocol to be used for this listener. Possible values are - tlsv1.3, - tlsv1.2 and - tlsv1.1. If left unset, - the default of allowing TLS v1.3 and v1.2. + tlsv1.3 and + tlsv1.2. + If left unset, the default is to allow TLS v1.3 and v1.2. + In Mosquitto version 1.6.x and earlier, this option set the only TLS protocol version that was allowed, rather than the minimum. @@ -2619,14 +2623,15 @@ topic clients/total in 0 test/mosquitto/org/ $SYS/broker/ version - Configure the version of the TLS protocol to be + + Configure the version of the TLS protocol to be used for this bridge. Possible values are - tlsv1.3, - tlsv1.2 and - tlsv1.1. Defaults to + tlsv1.3 and + tlsv1.2. Defaults to tlsv1.2. The remote broker must support the same version of TLS for the - connection to succeed. + connection to succeed. + diff --git a/man/mosquitto_ctrl.1.xml b/man/mosquitto_ctrl.1.xml index da088ac9..85422741 100644 --- a/man/mosquitto_ctrl.1.xml +++ b/man/mosquitto_ctrl.1.xml @@ -450,12 +450,13 @@ - Choose which TLS protocol version to use when + + Choose which TLS protocol version to use when communicating with the broker. Valid options are - , and - . The default value is - . Must match the protocol - version used by the broker. + and . + The default value is . + Must match the protocol version used by the broker. + diff --git a/man/mosquitto_pub.1.xml b/man/mosquitto_pub.1.xml index 68afe01f..fc27978c 100644 --- a/man/mosquitto_pub.1.xml +++ b/man/mosquitto_pub.1.xml @@ -641,12 +641,13 @@ - Choose which TLS protocol version to use when + + Choose which TLS protocol version to use when communicating with the broker. Valid options are - , and - . The default value is - . Must match the protocol - version used by the broker. + and . + The default value is . + Must match the protocol version used by the broker. + 
diff --git a/man/mosquitto_rr.1.xml b/man/mosquitto_rr.1.xml index e542f920..3790542c 100644 --- a/man/mosquitto_rr.1.xml +++ b/man/mosquitto_rr.1.xml @@ -660,12 +660,13 @@ - Choose which TLS protocol version to use when + + Choose which TLS protocol version to use when communicating with the broker. Valid options are - , and - . The default value is - . Must match the protocol - version used by the broker. + and . + The default value is . + Must match the protocol version used by the broker. + diff --git a/man/mosquitto_sub.1.xml b/man/mosquitto_sub.1.xml index f1aded01..4a1f9289 100644 --- a/man/mosquitto_sub.1.xml +++ b/man/mosquitto_sub.1.xml @@ -754,12 +754,13 @@ mosquitto_sub -t 'bbc/#' -T bbc/bbc1 --remove-retained - Choose which TLS protocol version to use when + + Choose which TLS protocol version to use when communicating with the broker. Valid options are - , and - . The default value is - . Must match the protocol - version used by the broker. + and . + The default value is . + Must match the protocol version used by the broker. + diff --git a/mosquitto.conf b/mosquitto.conf index 9295e481..28f6cc6f 100644 --- a/mosquitto.conf +++ b/mosquitto.conf @@ -381,7 +381,7 @@ #keyfile # Configure the minimum version of the TLS protocol to be used for this listener. -# Possible values are tlsv1.3, tlsv1.2 and tlsv1.1. +# Possible values are tlsv1.3 and tlsv1.2. #tls_version tlsv1.2 # If you wish to control which encryption ciphers are used, use the ciphers @@ -1060,7 +1060,7 @@ #bridge_keyfile # Configure the version of the TLS protocol to be used for this bridge. -# Possible values are tlsv1.3, tlsv1.2 and tlsv1.1. Defaults to tlsv1.2. +# Possible values are tlsv1.3 and tlsv1.2. Defaults to tlsv1.2. # The remote broker must support the same version of TLS for the connection to succeed. #bridge_tls_version diff --git a/src/net.c b/src/net.c index 60ed5eb2..4a39a3b7 100644 --- a/src/net.c +++ b/src/net.c 
@@ -417,8 +417,6 @@ int net__tls_server_ctx(struct mosquitto__listener *listener)
 #endif
 }else if(!strcmp(listener->tls_version, "tlsv1.2")){
 SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
- }else if(!strcmp(listener->tls_version, "tlsv1.1")){
- SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
 }else{
 log__printf(NULL, MOSQ_LOG_ERR, "Error: Unsupported tls_version \"%s\".", listener->tls_version);
 return MOSQ_ERR_TLS;
diff --git a/www/pages/documentation/dynamic-security.md b/www/pages/documentation/dynamic-security.md
index 7c1af0e5..e025adb2 100644
--- a/www/pages/documentation/dynamic-security.md
+++ b/www/pages/documentation/dynamic-security.md
@@ -554,8 +554,8 @@ they would be provided on the command line. For example:
 This excludes any error messages given in case of invalid user input (e.g.
 using `-p` without a port).
 * `--tls-version version` : Choose which TLS protocol version to use when
- communicating with the broker. Valid options are tlsv1.3, tlsv1.2 and
- tlsv1.1. The default value is tlsv1.2. Must match the protocol version used
+ communicating with the broker. Valid options are tlsv1.3 and tlsv1.2.
+ The default value is tlsv1.2. Must match the protocol version used
 by the broker.
 * `-u username` : Provide a username to be used for authenticating with the
 broker. See also the `-P` argument.
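Review bot: The `else` branch of `net__tls_server_ctx` now rejects `tlsv1.1` with a message that names the bad value but not the accepted ones, so an operator upgrading a broker whose listener config still says `tls_version tlsv1.1` sees the listener fail with no hint of the fix; suggest `log__printf(NULL, MOSQ_LOG_ERR, "Error: Unsupported tls_version \"%s\" (expected tlsv1.3 or tlsv1.2).", listener->tls_version);`. Failing closed here is the right outcome, since silently falling back to a default would change the negotiated floor without telling the operator. The same wording point applies to the client-side message in the lib/net_mosq.c hunk. `net__tls_server_ctx` starts before and continues past this hunk.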