eclipse-paho / paho.mqtt.c

An Eclipse Paho C client library for MQTT for Windows, Linux and MacOS. API documentation: https://eclipse.github.io/paho.mqtt.c/
https://eclipse.org/paho

Advisory: How to disable TLS1.0 and TLS1.1 #1497

Open Longqin88888 opened 4 months ago

Longqin88888 commented 4 months ago

What should I do if I want to disable TLS 1.0 and TLS 1.1? Is there an interface to do it? I don't want TLS 1.0 and TLS 1.1 in the supported versions of the client and server, but I tried setting sslVersion to MQTT_SSL_VERSION_TLS_1_2, and TLS 1.0 and TLS 1.1 still exist in the supported versions.

jumoog commented 4 months ago

Set the sslVersion on the Broker side

Longqin88888 commented 4 months ago

Isn't there a way to do this on the client side?

jumoog commented 4 months ago

Yes, but you have to modify SSLSocket.c and set the minimum TLS version.

  SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
Longqin88888 commented 4 months ago

It works after the modification according to your suggestion:

    if (opts->sslVersion)   /* note: MQTT_SSL_VERSION_DEFAULT is 0, so this outer test skips the default case */
    {
        if (opts->sslVersion == MQTT_SSL_VERSION_DEFAULT || opts->sslVersion == MQTT_SSL_VERSION_TLS_1_0)
        {
            SSL_CTX_set_min_proto_version(net->ctx, TLS1_VERSION);
        }
        else if (opts->sslVersion == MQTT_SSL_VERSION_TLS_1_1)
        {
            SSL_CTX_set_min_proto_version(net->ctx, TLS1_1_VERSION);
        }
        else if (opts->sslVersion == MQTT_SSL_VERSION_TLS_1_2)
        {
            SSL_CTX_set_min_proto_version(net->ctx, TLS1_2_VERSION);
        }
    }

Longqin88888 commented 4 months ago

Is there any consideration of adding this function? I see that when using OpenSSL 1.1.0 or below, the client can disable TLS 1.0 and 1.1 via sslVersion, but when using OpenSSL 1.1.0 or above, this parameter has no effect on the client.

    #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
        net->ctx = SSL_CTX_new(TLS_client_method());
    #else
        int sslVersion = MQTT_SSL_VERSION_DEFAULT;
        if (opts->struct_version >= 1) sslVersion = opts->sslVersion;

    /* SSL_OP_NO_TLSv1_1 is defined in ssl.h if the library version supports TLSv1.1.