
Advisory: How to disable TLS1.0 and TLS1.1

Open Longqin88888 opened this issue 1 year ago • 5 comments

What should I do if I want to disable TLS 1.0 and TLS 1.1? Is there an interface to do it? I don't want TLS 1.0 and TLS 1.1 in the supported versions of the client and server, but I tried setting sslVersion to MQTT_SSL_VERSION_TLS_1_2, and TLS 1.0 and TLS 1.1 still exist in the supported versions.

Longqin88888 avatar Jul 01 '24 06:07 Longqin88888

Set the sslVersion on the Broker side

jumoog avatar Jul 01 '24 12:07 jumoog

Isn't there a way to do this on the client side?

Longqin88888 avatar Jul 03 '24 10:07 Longqin88888

Yes, but you have to modify SSLSocket.c and set the minimum TLS version.

  SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);

jumoog avatar Jul 03 '24 12:07 jumoog

It works after making the modification you suggested:

    if (opts->sslVersion)
    {
        /* Map the paho sslVersion option to an OpenSSL minimum protocol version
         * on the TLS_client_method() context. */
        if (opts->sslVersion == MQTT_SSL_VERSION_DEFAULT || opts->sslVersion == MQTT_SSL_VERSION_TLS_1_0)
        {
            SSL_CTX_set_min_proto_version(net->ctx, TLS1_VERSION);
        }
        else if (opts->sslVersion == MQTT_SSL_VERSION_TLS_1_1)
        {
            SSL_CTX_set_min_proto_version(net->ctx, TLS1_1_VERSION);
        }
        else if (opts->sslVersion == MQTT_SSL_VERSION_TLS_1_2)
        {
            SSL_CTX_set_min_proto_version(net->ctx, TLS1_2_VERSION);
        }
    }

Longqin88888 avatar Jul 04 '24 03:07 Longqin88888

Is there any consideration to add this function? I see that when using OpenSSL 1.1.0 or below, the client can disable TLS 1.0 and 1.1 via sslVersion, but when using OpenSSL 1.1.0 or above this parameter has no effect on the client:

    #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
        net->ctx = SSL_CTX_new(TLS_client_method());
    #else
        int sslVersion = MQTT_SSL_VERSION_DEFAULT;
        if (opts->struct_version >= 1) sslVersion = opts->sslVersion;
        /* SSL_OP_NO_TLSv1_1 is defined in ssl.h if the library version supports TLSv1.1.
         * OPENSSL_NO_TLS1 is defined in opensslconf.h or on the compiler command line
         * if TLS1.x was removed at OpenSSL library build time via Configure options.
         */
        switch (sslVersion)
        {
        case MQTT_SSL_VERSION_DEFAULT:
            net->ctx = SSL_CTX_new(SSLv23_client_method()); /* SSLv23 for compatibility with SSLv2, SSLv3 and TLSv1 */
            break;
    #if defined(SSL_OP_NO_TLSv1) && !defined(OPENSSL_NO_TLS1)
        case MQTT_SSL_VERSION_TLS_1_0:
            net->ctx = SSL_CTX_new(TLSv1_client_method());
            break;
    #endif
    #if defined(SSL_OP_NO_TLSv1_1) && !defined(OPENSSL_NO_TLS1)
        case MQTT_SSL_VERSION_TLS_1_1:
            net->ctx = SSL_CTX_new(TLSv1_1_client_method());
            break;
    #endif
    #if defined(SSL_OP_NO_TLSv1_2) && !defined(OPENSSL_NO_TLS1)
        case MQTT_SSL_VERSION_TLS_1_2:
            net->ctx = SSL_CTX_new(TLSv1_2_client_method());
            break;
    #endif
        default:
            break;
        }
    #endif

Longqin88888 avatar Jul 04 '24 03:07 Longqin88888