[mosquitto-dev] trip report from upgrading a machine

I built packages on a staging server and then did an "upgrade packages"
which installed deps and moved mosquitto from 2.0.22 to 2.1.0rc3.

Starting it:

  Starting mosquitto.
  1769370293: The 'per_listener_settings' option is now deprecated and will be removed in version 3.0. Please see the documentation for how to achieve the same effect.
  1769370293: Warning: dhparamfile is no longer required.
  1769370293: You are using the 'allow_anonymous' option with 'per_listener_settings true'. Please replace this with 'listener_allow_anonymous'.
  1769370293: Info: running mosquitto as user: mosquitto.

but in the logs

  Jan 25 14:44:43 foo mosquitto[546]: 1769370283: mosquitto version 2.0.22 terminating
  Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: mosquitto version 2.1.0 starting
  Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: Config loaded from /usr/pkg/etc/mosquitto.conf.
  Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: Bridge support available.
  Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: Persistence support available.
  Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: TLS support available.
  Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: TLS-PSK support available.
  Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: Websockets support available.
  Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: Plugin builtin-security has registered to receive 'basic-auth' events.
  Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: Plugin builtin-security has registered to receive 'acl-check' events.
  Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: Opening ipv6 listen socket on port 8883.
  Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: Opening ipv4 listen socket on port 8883.
  Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: Error: Unsupported tls_version "tlsv1.1".
  Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: mosquitto version 2.1.0 terminating

This particular machine needs to support tlsv1.1 because there are
deployed and non-reachable nodemcu devices that connect via tlsv1.1.
Rereading NodeMCU docs, I may be off; it talks about 1.2.  But what
matters to me is what is flashed in a particular device deployed in
2019, that is far away and operational only sometimes.  I suspect others
have similar "embedded/deployed stuff" constraints.

Is there a technical reason why omitting tlsv1.1 is necessary in the
code?  If it's "that's insecure; you shouldn't do that", then non-TLS
connections should also be rejected.  (I'm not objecting to "tls 1.1
isn't allowed if you don't ask for it".)

I put back the two lines to have tlsv1.1 work:

  $NetBSD$

  --- src/net.c.orig	2026-01-25 09:16:52.000000000 +0000
  +++ src/net.c
  @@ -446,6 +446,8 @@ int net__tls_server_ctx(struct mosquitto
   #endif
          }else if(!strcmp(listener->tls_version, "tlsv1.2")){
                  SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
  +	}else if(!strcmp(listener->tls_version, "tlsv1.1")){
  +		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 );
          }else{
                  log__printf(NULL, MOSQ_LOG_ERR, "Error: Unsupported tls_version \"%s\".", listener->tls_version);
                  return MOSQ_ERR_TLS;
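Review bot: the new `tlsv1.1` branch sets only `SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1`, so it makes TLS 1.1 the floor for any listener whose `tls_version` is set to that value, whereas the shipped code deliberately rejects it in the `else` branch (`Error: Unsupported tls_version`); a local patch that widens the accepted set this way should carry a comment stating that it re-enables a version upstream removed and why, so the deviation survives the next package update and is reviewed again when the constrained devices are retired. Two smaller points: the stray space in `SSL_OP_NO_TLSv1 )` does not match the `tlsv1.2` line directly above it, and since the branch ending at `#endif` is conditionally compiled, it is worth confirming that the constants used here are available on every OpenSSL version the package is built against.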

and now it starts ok with my custom config.  openssl s_client is able to
connect with TLSv1.1.


And, the good news is that everything else seems to be working.  I'll
update other instances and let them run.
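The upgrade failure above only shows up at start time, after the old broker has already terminated. A pre-upgrade check that reads the existing mosquitto.conf and reports the same conditions the 2.1.0 broker logged (deprecated `per_listener_settings`, unneeded `dhparamfile`, `allow_anonymous` together with `per_listener_settings true`, and a `tls_version` value the new release refuses) lets the operator see the problem before the switch. The following is an added example, not code from the post or from the mosquitto project; the set of accepted `tls_version` values is an assumption (`tlsv1.2` is confirmed by the patch context, `tlsv1.3` is assumed), and the sample config is constructed to reproduce the situation described above.

```python
"""Pre-upgrade lint for mosquitto.conf against the 2.1.0 start-up messages.

Added example, not mosquitto project code. Each rule mirrors one message from
the log excerpt in the post; the accepted tls_version set is an assumption.
"""
from typing import List, Tuple

# Assumed accepted tls_version values in 2.1: "tlsv1.2" is visible in the
# patch context, "tlsv1.3" is assumed to sit behind the #ifdef above it.
ACCEPTED_TLS_VERSIONS = {"tlsv1.2", "tlsv1.3"}


def parse_conf(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs; blank lines and '#' comments are skipped.
    A key without an argument yields an empty value."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        pairs.append((key, value))
    return pairs


def lint_conf(text: str) -> List[str]:
    """Report conditions that 2.1.0 warns about or refuses to start with."""
    findings: List[str] = []
    pairs = parse_conf(text)
    keys = {k for k, _ in pairs}
    per_listener = next((v for k, v in pairs if k == "per_listener_settings"), None)

    if per_listener is not None:
        findings.append("deprecated: per_listener_settings (removed in 3.0)")
    if "dhparamfile" in keys:
        findings.append("warning: dhparamfile is no longer required")
    if per_listener == "true" and "allow_anonymous" in keys:
        findings.append(
            "replace allow_anonymous with listener_allow_anonymous "
            "when per_listener_settings is true"
        )
    for k, v in pairs:
        if k == "tls_version" and v not in ACCEPTED_TLS_VERSIONS:
            # The post's log shows the broker terminating right after this error.
            findings.append(
                f'error: unsupported tls_version "{v}" (broker will refuse to start)'
            )
    return findings


# Constructed sample config reproducing the situation in the post.
SAMPLE_CONF = """\
per_listener_settings true
listener 8883
certfile /path/to/server.crt
keyfile /path/to/server.key
dhparamfile /path/to/dh.pem
tls_version tlsv1.1
allow_anonymous false
"""

if __name__ == "__main__":
    for finding in lint_conf(SAMPLE_CONF):
        print(finding)
```

Run it against the real config file before upgrading (`lint_conf(open("/usr/pkg/etc/mosquitto.conf").read())`); an empty result means none of the four conditions from the log applies, while an `error:` line means the new broker would exit the way it did above.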
