Re: [mosquitto-dev] trip report from upgrading a machine
Hi Greg,
There's a big difference between "unencrypted is insecure" and "TLS
1.1 is insecure" - there's no expectation for unencrypted to be
secure.
I'll see about adding 1.1 support back in, although I would say that
TLS 1.2 existed before the mosquitto project existed!
Cheers,
Roger
On Sun, 25 Jan 2026 at 20:10, Greg Troxel via mosquitto-dev
<mosquitto-dev@xxxxxxxxxxx> wrote:
>
> I built packages on a staging server and then did an "upgrade packages"
> which installed deps and moved mosquitto from 2.0.22 to 2.1.0rc3.
>
> Starting it:
>
> Starting mosquitto.
> 1769370293: The 'per_listener_settings' option is now deprecated and will be removed in version 3.0. Please see the documentation for how to achieve the same effect.
> 1769370293: Warning: dhparamfile is no longer required.
> 1769370293: You are using the 'allow_anonymous' option with 'per_listener_settings true'. Please replace this with 'listener_allow_anonymous'.
> 1769370293: Info: running mosquitto as user: mosquitto.
>
> but in the logs
>
> Jan 25 14:44:43 foo mosquitto[546]: 1769370283: mosquitto version 2.0.22 terminating
> Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: mosquitto version 2.1.0 starting
> Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: Config loaded from /usr/pkg/etc/mosquitto.conf.
> Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: Bridge support available.
> Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: Persistence support available.
> Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: TLS support available.
> Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: TLS-PSK support available.
> Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: Websockets support available.
> Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: Plugin builtin-security has registered to receive 'basic-auth' events.
> Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: Plugin builtin-security has registered to receive 'acl-check' events.
> Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: Opening ipv6 listen socket on port 8883.
> Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: Opening ipv4 listen socket on port 8883.
> Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: Error: Unsupported tls_version "tlsv1.1".
> Jan 25 14:44:53 foo mosquitto[14275]: 1769370293: mosquitto version 2.1.0 terminating
>
> This particular machine needs to support tlsv1.1 because there are
> deployed and non-reachable nodemcu devices that connect via tlsv1.1.
> Rereading NodeMCU docs, I may be off; it talks about 1.2. But what
> matters to me is what is flashed in a particular device deployed in
> 2019, that is far away and operational only sometimes. I suspect others
> have similar "embedded/deployed stuff" constraints.
>
> Is there a technical reason why omitting tlsv1.1 is necessary in the
> code? If it's "that's insecure; you shouldn't do that", then non-TLS
> connections should also be rejected. (I'm not objecting to "tls 1.1
> isn't allowed if you don't ask for it".)
>
> I put back the two lines to have tlsv1.1 work:
>
> $NetBSD$
>
> --- src/net.c.orig 2026-01-25 09:16:52.000000000 +0000
> +++ src/net.c
> @@ -446,6 +446,8 @@ int net__tls_server_ctx(struct mosquitto
> #endif
> }else if(!strcmp(listener->tls_version, "tlsv1.2")){
> SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
> + }else if(!strcmp(listener->tls_version, "tlsv1.1")){
> + SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 );
> }else{
> log__printf(NULL, MOSQ_LOG_ERR, "Error: Unsupported tls_version \"%s\".", listener->tls_version);
> return MOSQ_ERR_TLS;
>
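Review bot: the new `tlsv1.1` arm mirrors the existing `tlsv1.2` arm (it only drops `SSL_OP_NO_TLSv1_1` from the option mask, so clients capable of 1.2 or 1.3 still negotiate upward), but it introduces an accepted `tls_version` value with no log line or documentation to go with it; since this lowers the listener floor below 1.2, consider a one-line `log__printf(NULL, MOSQ_LOG_WARNING, ...)` when this branch is taken, in the style of the existing error message two lines below, and listing the value next to `tlsv1.2` in mosquitto.conf(5) so an operator who inherits the config knows it is an explicit opt-in. Minor style: stray space before `)` in `SSL_OP_NO_TLSv1 );`. Also worth checking that the option mask is the only gate: the linked OpenSSL's default security level can refuse pre-1.2 handshakes independently of these flags, which makes the `s_client` confirmation below the real test rather than the successful startup.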
> and now it starts ok with my custom config. openssl s_client is able to
> connect with TLSv1.1.
>
>
> And, the good news is that everything else seems to be working. I'll
> update other instances and let them run.
>
>
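Greg's confirmation step ("openssl s_client is able to connect with TLSv1.1") written up as a repeatable audit of which protocol versions a TLS listener on port 8883 actually negotiates. This is an added example, not code from the thread or from the mosquitto project; it assumes an `openssl s_client` that prints the standard `New, <version>, Cipher is ...` summary line, and the broker host and port are placeholders you pass on the command line.

```shell
#!/bin/sh
# Added example: probe a mosquitto TLS listener for each TLS version and report
# whether the broker accepted it. Nothing here is from the mosquitto sources.

# Reads s_client output on stdin and prints "accepted <version>" or "rejected".
# s_client prints "New, (NONE), Cipher is (NONE)" when no session was set up.
classify_s_client_output() {
    out=$(cat)
    case "$out" in
        *"New, (NONE), Cipher is (NONE)"*) echo "rejected" ;;
        *"New, "*) echo "accepted $(printf '%s\n' "$out" \
            | sed -n 's/^New, \([^,]*\),.*/\1/p' | head -n 1)" ;;
        *) echo "rejected" ;;
    esac
}

# probe_tls_version HOST PORT FLAG   (FLAG: -tls1 -tls1_1 -tls1_2 -tls1_3)
# @SECLEVEL=0 stops the *client* from refusing old versions itself (OpenSSL 3
# default policy), so a "rejected" result reflects the broker's tls_version.
probe_tls_version() {
    openssl s_client -connect "$1:$2" "$3" -cipher 'DEFAULT:@SECLEVEL=0' \
        </dev/null 2>&1 | classify_s_client_output
}

# audit_listener HOST PORT: one line per protocol version.
audit_listener() {
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_tls_version "$1" "$2" "$flag")"
    done
}

# Usage: ./tls_audit.sh broker.example.net 8883   (host/port are placeholders)
if [ $# -ge 2 ]; then
    audit_listener "$1" "$2"
fi
```

A listener configured with `tls_version tlsv1.2` should read "rejected" for `-tls1` and `-tls1_1` and "accepted" for the rest; if every row reads "rejected" even for 1.2, the client side (certificate verification or the OpenSSL policy) is the problem, not the broker's floor.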