Commit 9c22a9c2 authored by Roger Light

Change default TLS version to 1.2 instead of 1.0.

Closes #551.
Parent 225ab375
v1.6.0 - 2021-xx-xx
===================
- Changed default TLS version to 1.2 instead of 1.0.
- Fix incoming MQTT v5 messages with overall property length > 127 bytes being
incorrectly decoded. Closes #541.
v1.5.1 - 2020x-09-22
v1.5.1 - 2020-09-22
===================
- Exceptions that occur in callbacks are no longer suppressed by default. They
......
......@@ -291,7 +291,7 @@ tls_set()
Configure network encryption and authentication options. Enables SSL/TLS support.
ca_certs
a string path to the Certificate Authority certificate files that are to be treated as trusted by this client. If this is the only option given then the client will operate in a similar manner to a web browser. That is to say it will require the broker to have a certificate signed by the Certificate Authorities in ``ca_certs`` and will communicate using TLS v1, but will not attempt any form of authentication. This provides basic network encryption but may not be sufficient depending on how the broker is configured. By default, on Python 2.7.9+ or 3.4+, the default certification authority of the system is used. On older Python version this parameter is mandatory.
a string path to the Certificate Authority certificate files that are to be treated as trusted by this client. If this is the only option given then the client will operate in a similar manner to a web browser. That is to say it will require the broker to have a certificate signed by the Certificate Authorities in ``ca_certs`` and will communicate using TLS v1.2, but will not attempt any form of authentication. This provides basic network encryption but may not be sufficient depending on how the broker is configured. By default, on Python 2.7.9+ or 3.4+, the default certification authority of the system is used. On older Python version this parameter is mandatory.
certfile, keyfile
strings pointing to the PEM encoded client certificate and private keys respectively. If these arguments are not ``None`` then they will be used as client information for TLS based authentication. Support for this feature is broker dependent. Note that if either of these files in encrypted and needs a password to decrypt it, Python will ask for the password at the command line. It is not currently possible to define a callback to provide the password.
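Review bot: In the ca_certs entry, "will communicate using TLS v1.2" reads as a fixed version, but the tls_version entry in the same file says the highest TLS version is detected and v1.2 is only the fallback. Suggest wording the ca_certs sentence to match, for example "will communicate using the TLS version selected by tls_version (see below)", so the two entries cannot drift apart again.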
......@@ -300,7 +300,7 @@ cert_reqs
defines the certificate requirements that the client imposes on the broker. By default this is ``ssl.CERT_REQUIRED``, which means that the broker must provide a certificate. See the ssl pydoc for more information on this parameter.
tls_version
specifies the version of the SSL/TLS protocol to be used. By default (if the python version supports it) the highest TLS version is detected. If unavailable, TLS v1 is used. Previous versions (all versions beginning with SSL) are possible but not recommended due to possible security problems.
specifies the version of the SSL/TLS protocol to be used. By default (if the python version supports it) the highest TLS version is detected. If unavailable, TLS v1.2 is used. Previous versions (all versions beginning with SSL) are possible but not recommended due to possible security problems.
ciphers
a string specifying which encryption ciphers are allowable for this connection, or ``None`` to use the defaults. See the ssl pydoc for more information.
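Review bot: The tls_version entry still says "Previous versions (all versions beginning with SSL) are possible but not recommended", which no longer matches the new default: with v1.2 as the fallback, TLS v1 and v1.1 are also previous versions. The docstring hunk in this same commit drops the parenthetical ("Previous versions are allowed but not recommended"); the README should get the same wording.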
......
......@@ -769,7 +769,7 @@ class Client(object):
option given then the client will operate in a similar manner to a web
browser. That is to say it will require the broker to have a
certificate signed by the Certificate Authorities in ca_certs and will
communicate using TLS v1, but will not attempt any form of
communicate using TLS v1,2, but will not attempt any form of
authentication. This provides basic network encryption but may not be
sufficient depending on how the broker is configured.
By default, on Python 2.7.9+ or 3.4+, the default certification
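Review bot: Typo in the changed docstring line, "TLS v1,2" has a comma where the README hunk has "TLS v1.2". Please change it to "TLS v1.2" so the rendered help text and the README agree.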
......@@ -790,9 +790,8 @@ class Client(object):
pydoc for more information on this parameter.
tls_version allows the version of the SSL/TLS protocol used to be
specified. By default TLS v1 is used. Previous versions (all versions
beginning with SSL) are possible but not recommended due to possible
security problems.
specified. By default TLS v1.2 is used. Previous versions are allowed
but not recommended due to possible security problems.
ciphers is a string specifying which encryption ciphers are allowable
for this connection, or None to use the defaults. See the ssl pydoc for
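Review bot: The rewritten tls_version docstring says "By default TLS v1.2 is used", which contradicts both the README text in this commit ("the highest TLS version is detected. If unavailable, TLS v1.2 is used") and the code below, where ssl.PROTOCOL_TLS replaces the default when it exists. Suggest reusing the README sentence here so the docstring describes the autodetection and presents v1.2 as the fallback only.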
......@@ -812,7 +811,7 @@ class Client(object):
# Create SSLContext object
if tls_version is None:
tls_version = ssl.PROTOCOL_TLSv1
tls_version = ssl.PROTOCOL_TLSv1_2
# If the python version supports it, use highest TLS version automatically
if hasattr(ssl, "PROTOCOL_TLS"):
tls_version = ssl.PROTOCOL_TLS
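Review bot: The new ssl.PROTOCOL_TLSv1_2 default is overwritten two lines later whenever ssl has PROTOCOL_TLS, so on those interpreters this change has no effect and the protocol version is negotiated with no floor set in the lines shown. If the intent is that TLS 1.0 and 1.1 are no longer used by default, set a minimum on the SSLContext after it is created, for example minimum_version = ssl.TLSVersion.TLSv1_2 where that attribute exists, or add ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 to its options otherwise. A test that connects with tls_version=None and asserts the negotiated version would also pin the behaviour the commit message promises.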
......