eclipse/paho.mqtt.c

Advisory: How to disable TLS1.0 and TLS1.1

Longqin88888 opened this issue · 5 comments

Longqin88888 commented

What should I do if I want to disable TLS 1.0 and TLS 1.0? Is there an interface to do it? I don't want TLS1.0 and TLS1.0 in the supported versions of the client and server, but I tried sslVersion set to MQTT_SSL_VERSION_TLS_1_2, TLS1.0 and TLS1.0 still exist in supported versions.

jumoog commented

Set the sslVersion on the Broker side

Longqin88888 commented

Isn't there a way to do this on the client side?

jumoog commented

Yes, but you have to modify SSLSocket.c and set the minimum TLS version.

  SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
Longqin88888 commented

It is available after the modification according to your suggestion.
if(opts->sslVersion)
{
if(opts->sslVersion == MQTT_SSL_VERSION_DEFAULT || opts->sslVersion == MQTT_SSL_VERSION_TLS_1_0) {
SSL_CTX_set_min_proto_version(net->ctx, TLS1_VERSION);
}else if(opts->sslVersion == MQTT_SSL_VERSION_TLS_1_1) {
SSL_CTX_set_min_proto_version(net->ctx, TLS1_1_VERSION);
} else if (opts->sslVersion == MQTT_SSL_VERSION_TLS_1_2) {
SSL_CTX_set_min_proto_version(net->ctx, TLS1_2_VERSION);
}
}

  • 👍1
Longqin88888 commented

Is there any consideration to add this function? I see that when using openssl1.1.0 or below, the client can disable TLS1.0 and 1.1 by sslVersion, but if using openssl1.1.0 or above, this parameter is invalid on the client.
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
net->ctx = SSL_CTX_new(TLS_client_method());
#else
int sslVersion = MQTT_SSL_VERSION_DEFAULT;
if (opts->struct_version >= 1) sslVersion = opts->sslVersion;
/* SSL_OP_NO_TLSv1_1 is defined in ssl.h if the library version supports TLSv1.1.

  • OPENSSL_NO_TLS1 is defined in opensslconf.h or on the compiler command line
  • if TLS1.x was removed at OpenSSL library build time via Configure options.
    /
    switch (sslVersion)
    {
    case MQTT_SSL_VERSION_DEFAULT:
    net->ctx = SSL_CTX_new(SSLv23_client_method()); /     SSLv23 for compatibility with SSLv2, SSLv3 and TLSv1 */
    break;
    #if defined(SSL_OP_NO_TLSv1) && !defined(OPENSSL_NO_TLS1)
    case MQTT_SSL_VERSION_TLS_1_0:
    net->ctx = SSL_CTX_new(TLSv1_client_method());
    break;
    #endif
    #if defined(SSL_OP_NO_TLSv1_1) && !defined(OPENSSL_NO_TLS1)
    case MQTT_SSL_VERSION_TLS_1_1:
    net->ctx = SSL_CTX_new(TLSv1_1_client_method());
    break;
    #endif
    #if defined(SSL_OP_NO_TLSv1_2) && !defined(OPENSSL_NO_TLS1)
    case MQTT_SSL_VERSION_TLS_1_2:
    net->ctx = SSL_CTX_new(TLSv1_2_client_method());
    break;
    #endif
    default:
    break;
    }