Re: [mosquitto-dev] trip report from upgrading a machine
John Fowler via mosquitto-dev <mosquitto-dev@xxxxxxxxxxx> writes:
> Why when TLS 1.1 is deprecated and has been for a while.
We are not talking about having it enabled when people run mosquitto
with default config.
We are talking about whether there is or is not a config-file option to
enable it, so that people with concerns and constraints that you don't
know anything about, who decide that they are ok with the risk/benefit
tradeoff, can enable it.
I'm totally fine with a Big Scary Warning, and config syntax that looks
like

    tls_version tlsv1.1_insecure_deprecated

so that people won't be able to do this without a clue.
But for people that have deployed devices they can't feasibly change, it
seems better to let them run 1.1 with mosquitto 2.1 than to have them
not upgrade and stay on 2.0.x, which is surely going to be not
maintained at some point.
I am not handling PCI data over MQTT. (I worked with someone who had to
pass PCI and HIPAA audits, so I have a little bit of clue about that,
enough to know that PCI compliance is quite difficult, not just the
right TLS version, but stuff like cameras viewing the rack, and of
course locked and limited access data center, IIRC. I only really
remember that he said PCI was much harder than HIPAA and his hardest
audit to pass.)
I am merely avoiding exposing client passwords (which are ACL'd to post
to certain topics) in the clear, and I am avoiding passive eavesdroppers
being able to read temperatures. Mainly, the temperature indicates "the
furnace is ok" vs "the furnace has failed" sort of thing. But the
bottom line is that me being able to see the temperatures is more
important than denying that information to an adversary who can break
TLSv1.1 but not 1.2. It's also more important for me to receive temp
data than to prevent such an adversary from figuring out the
username/password and injecting fake data, or doing active MITM.
Yes, in an ideal world, I'd reflash the ESP8266, which is a multiple
hours drive away, in a building I don't have physical access to. Then
I'd remove the config setting.
Greg