Change default TLS version to 1.2 instead of 1.0.

ralight · ralight · commit 9c22a9c297c0 · 2021-04-15T00:05:58.000+01:00
Closes #551.
diff --git a/ChangeLog.txt b/ChangeLog.txt
@@ -1,7 +1,12 @@
+v1.6.0 - 2021-xx-xx
+===================
+
+- Changed default TLS version to 1.2 instead of 1.0.
 - Fix incoming MQTT v5 messages with overall property length > 127 bytes being
 incorrectly decoded. Closes #541.
 
-v1.5.1 - 2020x-09-22
+
+v1.5.1 - 2020-09-22
 ===================
 
 - Exceptions that occur in callbacks are no longer suppressed by default. They
diff --git a/README.rst b/README.rst
@@ -291,7 +291,7 @@ tls_set()
 Configure network encryption and authentication options. Enables SSL/TLS support.
 
 ca_certs
-    a string path to the Certificate Authority certificate files that are to be treated as trusted by this client. If this is the only option given then the client will operate in a similar manner to a web browser. That is to say it will require the broker to have a certificate signed by the Certificate Authorities in ``ca_certs`` and will communicate using TLS v1, but will not attempt any form of authentication. This provides basic network encryption but may not be sufficient depending on how the broker is configured. By default, on Python 2.7.9+ or 3.4+, the default certification authority of the system is used. On older Python version this parameter is mandatory.
+    a string path to the Certificate Authority certificate files that are to be treated as trusted by this client. If this is the only option given then the client will operate in a similar manner to a web browser. That is to say it will require the broker to have a certificate signed by the Certificate Authorities in ``ca_certs`` and will communicate using TLS v1.2, but will not attempt any form of authentication. This provides basic network encryption but may not be sufficient depending on how the broker is configured. By default, on Python 2.7.9+ or 3.4+, the default certification authority of the system is used. On older Python version this parameter is mandatory.
 
 certfile, keyfile
     strings pointing to the PEM encoded client certificate and private keys respectively. If these arguments are not ``None`` then they will be used as client information for TLS based authentication. Support for this feature is broker dependent. Note that if either of these files in encrypted and needs a password to decrypt it, Python will ask for the password at the command line. It is not currently possible to define a callback to provide the password.
@@ -300,7 +300,7 @@ cert_reqs
     defines the certificate requirements that the client imposes on the broker. By default this is ``ssl.CERT_REQUIRED``, which means that the broker must provide a certificate. See the ssl pydoc for more information on this parameter.
 
 tls_version
-    specifies the version of the SSL/TLS protocol to be used. By default (if the python version supports it) the highest TLS version is detected. If unavailable, TLS v1 is used. Previous versions (all versions beginning with SSL) are possible but not recommended due to possible security problems.
+    specifies the version of the SSL/TLS protocol to be used. By default (if the python version supports it) the highest TLS version is detected. If unavailable, TLS v1.2 is used. Previous versions (all versions beginning with SSL) are possible but not recommended due to possible security problems.
 
 ciphers
     a string specifying which encryption ciphers are allowable for this connection, or ``None`` to use the defaults. See the ssl pydoc for more information.
diff --git a/src/paho/mqtt/client.py b/src/paho/mqtt/client.py
@@ -769,7 +769,7 @@ def tls_set(self, ca_certs=None, certfile=None, keyfile=None, cert_reqs=None, tl
         option given then the client will operate in a similar manner to a web
         browser. That is to say it will require the broker to have a
         certificate signed by the Certificate Authorities in ca_certs and will
-        communicate using TLS v1, but will not attempt any form of
+        communicate using TLS v1,2, but will not attempt any form of
         authentication. This provides basic network encryption but may not be
         sufficient depending on how the broker is configured.
         By default, on Python 2.7.9+ or 3.4+, the default certification
@@ -790,9 +790,8 @@ def tls_set(self, ca_certs=None, certfile=None, keyfile=None, cert_reqs=None, tl
         pydoc for more information on this parameter.
 
         tls_version allows the version of the SSL/TLS protocol used to be
-        specified. By default TLS v1 is used. Previous versions (all versions
-        beginning with SSL) are possible but not recommended due to possible
-        security problems.
+        specified. By default TLS v1.2 is used. Previous versions are allowed
+        but not recommended due to possible security problems.
 
         ciphers is a string specifying which encryption ciphers are allowable
         for this connection, or None to use the defaults. See the ssl pydoc for
@@ -812,7 +811,7 @@ def tls_set(self, ca_certs=None, certfile=None, keyfile=None, cert_reqs=None, tl
 
         # Create SSLContext object
         if tls_version is None:
-            tls_version = ssl.PROTOCOL_TLSv1
+            tls_version = ssl.PROTOCOL_TLSv1_2
             # If the python version supports it, use highest TLS version automatically
             if hasattr(ssl, "PROTOCOL_TLS"):
                 tls_version = ssl.PROTOCOL_TLS
