Version 2.1.1 released.

Version 2.1.1 of Mosquitto has been released. This is a bugfix release.

Broker

  • Fix PUID/PGID checking for docker
  • Add MOSQUITTO_UNSAFE_ALLOW_SYMLINKS environment variable to allow the restrictions on reading files through symlinks to be lifted in safe environments like kubernetes. Closes #3461.
  • Fix inconsistent disconnect log message format, and add address:port.
  • Fix plugin/global_plugin option not allowing space characters.
  • Fix $SYS load values not being published initially. Closes #3459.
  • Fix max_connections not being honoured on libwebsockets listeners. This does not affect the built-in websockets support. Closes #3455.
  • Don't enforce receive-maximum, just log a warning. This allows badly behaving clients to be fixed. Closes #3471.

Plugins

  • Fix incorrect linking of libmosquitto_common.so for the acl and password file plugins. Closes #3460.

Build

  • Fix building with WITH_TLS=no

Version 2.1.0 released.

Version 2.1.0 of Mosquitto has been released. This is a feature release.

Broker

Deprecations

  • The acl_file option is deprecated in favour of the acl-file plugin, which is the same code but moved into a plugin. The acl_file option will be removed in 3.0.
  • The password_file option is deprecated in favour of the password-file plugin, which is the same code but moved into a plugin. The password_file option will be removed in 3.0.
  • The per_listener_settings option is deprecated in favour of the new listener specific options. The per_listener_settings option will be removed in 3.0.

Behaviour changes

  • max_packet_size now defaults to 2,000,000 bytes instead of the 256MB MQTT limit. If you are using payloads that will result in a packet larger than this, you need to manually set the option to a value that suits your application.
  • acl_file and password_file will produce an error on invalid input when reloading the config, causing the broker to quit.
  • Add support for broker created topic aliases. Topics are allocated on a first come first serve basis.
  • Add support for bridges to allow remote brokers to create topic aliases when running in MQTT v5 mode.
  • Enforce receive maximum on MQTT v5.
  • Return protocol error if a client attempts to subscribe to a shared subscription and also sets no-local.
  • Protocol version numbers reported in the log when a client connects now match the MQTT protocol version numbers, not internal Mosquitto values.
  • Send DISCONNECT with session-takeover return code to MQTT v5 clients when a client connects with the same client id. Closes #2340.
  • The allow_duplicate_messages option now defaults to true.
  • Add accept_protocol_versions option to allow limiting which MQTT protocol versions are allowed for a particular listener.
  • Add --tls-keylog option which can be used to generate a file that can be used by wireshark to decrypt TLS traffic for debugging purposes. Closes #1818.
  • Add disable_client_cert_date_checks option to allow expired client certificates to be considered valid.
  • Add bridge_tls_use_os_certs option to allow bridges to be easily configured to trust default CA certificates. Closes #2473.
  • Remove support for TLS v1.1 (clients only - it remains available in the broker but is now undocumented)
  • Use openssl provided function for x509 certificate hostname verification, rather than own function.
  • Add bridge_receive_maximum option for MQTT v5.0 bridges.
  • Add bridge_session_expiry_interval option for MQTT v5.0 bridges.
  • Bridge reconnection backoff improvements.
  • Add the websockets_origin option to allow optional enforcement of origin when a connection attempts an upgrade to WebSockets.
  • Add built-in websockets support that doesn't use libwebsockets. This is the preferred websockets implementation.
  • Add support for X-Forwarded-For header for built in websockets.
  • Add support for PROXY protocol v1 and v2.

Platform specific

  • Increase maximum connection count on Windows from 2048 to 8192 where supported. Closes #2122.
  • Allow multiple instances of mosquitto to run as services on Windows. See README-windows.txt.
  • Add kqueue support.
  • Add support for systemd watchdog.

General

  • Report on what compile time options are enabled. Closes #2193.
  • Performance: reduce memory allocations when sending packets.
  • Log protocol version and ciphers that a client negotiates when connecting.
  • Password salts are now 64 bytes long.
  • Add the global_plugin option, which loads a plugin globally regardless of per_listener_settings.
  • Add global_max_clients option to allow limiting client sessions globally on the broker.
  • Add global_max_connections option to allow limiting client connections globally on the broker.
  • Improve idle performance. The broker now calculates when the next event of interest is, and uses that as the timeout for e.g. epoll_wait(). This can reduce the number of process wakeups by 100x on an idle broker.
  • Add more efficient keepalive check.
  • Add support for sending the SIGRTMIN signal to trigger log rotation. Closes #2337.
  • Add --test-config option which can be used to test a configuration file before trying to use it in a live broker. Closes #2521.
  • Add support for PUID/PGID environment variables for setting the user/group to drop privileges to. Closes #2441.
  • Report persistence stats when starting.
  • $SYS updates are now aligned to sys_interval seconds, meaning that if set to 10, for example, updates will be sent at times matching x0 seconds. Previously update intervals were aligned to the time the broker was started.
  • Add log_dest android for logging to the Android logd daemon.
  • Fix some retained topic memory not being cleared immediately after used.
  • Add -q option to allow logging to be disabled at the command line.
  • Log message if a client attempts to connect with TLS to a non-TLS listener.
  • Add listener_allow_anonymous option.
  • Add listener_auto_id_prefix option.
  • Allow seconds when defining persistent_client_expiration.

Plugin interface

  • Add mosquitto_topic_matches_sub_with_pattern(), which can match against subscriptions with %c and %u patterns for client id / username substitution.
  • Add support for modifying outgoing messages using MOSQ_EVT_MESSAGE_OUT.
  • Add mosquitto_client() function for retrieving a client struct if that client is connected.
  • Add MOSQ_ERR_PLUGIN_IGNORE to allow plugins to register basic auth or acl check callbacks, but still act as though they are not registered. A plugin that wanted to act as a blocklist for certain usernames, but wasn't carrying out authentication could return MOSQ_ERR_PLUGIN_IGNORE for usernames not on its blocklist. If no other plugins were configured, the client would be authenticated. Using MOSQ_ERR_PLUGIN_DEFER instead would mean the clients would be denied if no other plugins were configured.
  • Add mosquitto_client_port() function for plugins.
  • Add MOSQ_EVT_CONNECT, to allow plugins to know when a client has successfully authenticated to the broker.
  • Add connection-state example plugin to demonstrate MOSQ_EVT_CONNECT.
  • Add MOSQ_EVT_CLIENT_OFFLINE, to allow plugins to know when a client with a non-zero session expiry interval has gone offline.
  • Plugins on non-Windows platforms now no longer make their symbols globally available, which means they are self contained.
  • Add support for delayed basic authentication in plugins.
  • Plugins using the MOSQ_EVT_MESSAGE_WRITE callback can now return MOSQ_ERR_QUOTA_EXCEEDED to have the message be rejected. MQTT v5 clients using QoS 1 or 2 will receive the quota-exceeded reason code in the corresponding PUBACK/PUBREC.
  • MOSQ_EVT_TICK is now passed to plugins when per_listener_settings is true.
  • Add mosquitto_sub_matches_acl(), which can match one topic filter (a subscription) against another topic filter (an ACL).
  • Registration of the MOSQ_EVT_CONTROL plugin event is now handled globally across the broker, so only a single plugin can register for a given $CONTROL topic.
  • Add mosquitto_plugin_set_info() to allow plugins to tell the broker their name and version.
  • Add builtin $CONTROL/broker/v1 control topic with the listPlugins command. This is disabled by default, but can be enabled with the enable_control_api option.
  • Plugins no longer need to define mosquitto_plugin_cleanup() if they do not need to do any of their own cleanup. Callbacks will be unregistered automatically.
  • Add mosquitto_set_clientid() to allow plugins to force a client id for a client.
  • Add MOSQ_EVT_SUBSCRIBE and MOSQ_EVT_UNSUBSCRIBE events that are called when subscribe/unsubscribes actually succeed. Allow modifying topic and qos.
  • Add mosquitto_persistence_location() for plugins to use to find a valid location for storing persistent data.
  • Plugins can now use the next_s and next_ms members of the tick event data struct to set a minimum interval that the broker will wait before calling the tick callback again.
  • MOSQ_EVT_ACL_CHECK event is now passed message properties where possible.
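
The difference between MOSQ_ERR_PLUGIN_IGNORE and MOSQ_ERR_PLUGIN_DEFER described in the list above, as an added example that is not code from the Mosquitto project. It is a self-contained model of the outcome for a blocklist-only plugin, with and without a second authenticating plugin; the enum, function names, usernames and the "first verdict wins" rule are constructed for illustration, and it assumes no other broker authentication settings apply.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the return codes named in the release notes;
 * these are not the definitions from the Mosquitto headers. */
enum auth_rc { RC_SUCCESS, RC_AUTH_DENIED, RC_PLUGIN_DEFER, RC_PLUGIN_IGNORE };

typedef enum auth_rc (*basic_auth_cb)(const char *username);

/* Constructed sample blocklist. */
static const char *const BLOCKLIST[] = { "decommissioned-sensor", "former-contractor" };

static int is_blocked(const char *username)
{
    size_t i;
    if (username == NULL) return 0;
    for (i = 0; i < sizeof(BLOCKLIST) / sizeof(BLOCKLIST[0]); i++) {
        if (strcmp(username, BLOCKLIST[i]) == 0) return 1;
    }
    return 0;
}

/* Blocklist-only plugin, written the two ways the notes compare. */
static enum auth_rc blocklist_ignore(const char *u)
{ return is_blocked(u) ? RC_AUTH_DENIED : RC_PLUGIN_IGNORE; }

static enum auth_rc blocklist_defer(const char *u)
{ return is_blocked(u) ? RC_AUTH_DENIED : RC_PLUGIN_DEFER; }

/* Hypothetical second plugin that really authenticates: knows only "alice". */
static enum auth_rc password_plugin(const char *u)
{ return (u != NULL && strcmp(u, "alice") == 0) ? RC_SUCCESS : RC_AUTH_DENIED; }

/* Model of the outcome described in the notes: returns 1 if authenticated. */
int client_authenticated(const basic_auth_cb *chain, size_t n, const char *username)
{
    size_t i, counted = 0;
    for (i = 0; i < n; i++) {
        enum auth_rc rc = chain[i](username);
        if (rc == RC_PLUGIN_IGNORE) continue;   /* as though not registered */
        counted++;
        if (rc == RC_PLUGIN_DEFER) continue;    /* registered, but no verdict */
        return rc == RC_SUCCESS;                /* first verdict wins (model assumption) */
    }
    /* No verdict: denied if a registered plugin deferred, else authenticated. */
    return counted == 0;
}

/* Build one of the four deployments and evaluate a username against it. */
int scenario(int use_defer, int with_password_plugin, const char *username)
{
    basic_auth_cb chain[2];
    size_t n = 0;
    chain[n++] = use_defer ? blocklist_defer : blocklist_ignore;
    if (with_password_plugin) chain[n++] = password_plugin;
    return client_authenticated(chain, n, username);
}

int main(void)
{
    const char *users[] = { "alice", "bob", "former-contractor" };
    size_t i;
    for (i = 0; i < 3; i++) {
        printf("%-18s ignore-only=%d defer-only=%d ignore+pw=%d defer+pw=%d\n", users[i],
               scenario(0, 0, users[i]), scenario(1, 0, users[i]),
               scenario(0, 1, users[i]), scenario(1, 1, users[i]));
    }
    return 0;
}
```

The "ignore-only" column is the case to review before deployment: a blocklist plugin that returns IGNORE does not authenticate anyone, so every username not on the list is accepted unless a real authentication mechanism is also configured.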

Plugins

  • Add acl-file plugin.
  • Add password-file plugin.
  • Add persist-sqlite plugin.
  • Add sparkplug-aware plugin.

Dynamic security plugin

  • Add ability to deny wildcard subscriptions for a role to the dynsec plugin.
  • The dynamic security plugin now only kicks clients at the start of the next network loop, to give a chance for PUBACK/PUBREC to be sent. Closes #2474.
  • The dynamic security plugin now reports client connections in getClient and listClients.
  • The dynamic security plugin now generates an initial configuration if none is present, including a set of default roles.
  • The dynamic security plugin now supports %c and %u patterns for substituting client id and username respectively, in all ACLs except for subscribeLiteral and unsubscribeLiteral.
  • The dynamic security plugin now supports multiple ways to initialise the first configuration file.

Client library

  • Add MOSQ_OPT_DISABLE_SOCKETPAIR to allow the disabling of the socketpair feature that allows the network thread to be woken from select() by another thread when e.g. mosquitto_publish() is called. This reduces the number of sockets used by each client by two.
  • Add on_pre_connect() callback to allow clients to update username/password/TLS parameters before an automatic reconnection.
  • Callbacks no longer block other callbacks, and can be set from within a callback. Closes #2127.
  • Add support for MQTT v5 broker to client topic aliases.
  • Add mosquitto_topic_matches_sub_with_pattern(), which can match against subscriptions with %c and %u patterns for client id / username substitution.
  • Add mosquitto_sub_matches_acl(), which can match one topic filter (a subscription) against another topic filter (an ACL).
  • Add mosquitto_sub_matches_acl_with_pattern(), which can match one topic filter (a subscription) against another topic filter (an ACL), with %c and %u patterns for client id / username substitution.
  • Performance: reduce memory allocations when sending packets.
  • Reintroduce threading support for Windows. Closes #1509.
  • mosquitto_subscribe*() now returns MOSQ_ERR_INVAL if an empty string is passed as a topic filter.
  • mosquitto_unsubscribe*() now returns MOSQ_ERR_INVAL if an empty string is passed as a topic filter.
  • Add websockets support.
  • mosquitto_property_read_binary/string/string_pair will now set the name/value parameter to NULL if the binary/string is empty. This aligns the behaviour with other property functions. Closes #2648.
  • Add mosquitto_unsubscribe2_v5_callback_set, which provides a callback that gives access to reason codes for each of the unsubscription requests.
  • Add mosquitto_property_remove, for removing properties from property lists.
  • Add on_ext_auth() callback to allow handling MQTT v5 extended authentication.
  • Add mosquitto_ext_auth_continue() function to continue an MQTT v5 extended authentication.
  • Remove support for TLS v1.1.
  • Use openssl provided function for x509 certificate hostname verification, rather than own function.

Clients

General

  • Add -W timeout support to Windows.
  • The --insecure option now disables all server certificate verification.
  • Add websockets support.
  • Using -x now sets the clients to use MQTT v5.0.
  • Fix parsing of IPv6 addresses in socks proxy urls.
  • Add --tls-keylog option which can be used to generate a file that can be used by wireshark to decrypt TLS traffic for debugging purposes.
  • Remove support for TLS v1.1.

mosquitto_rr

  • Fix -f and -s options in mosquitto_rr.
  • Add --latency option to mosquitto_rr, for printing the request/response latency.
  • Add --retain-handling option.

mosquitto_sub

  • Fix incorrect output formatting in mosquitto_sub when using field widths with %x and %X for printing the payload in hex.
  • Add float printing option to mosquitto_sub.
  • mosquitto_sub payload hex output can now be split by fixed field length.
  • Add --message-rate option to mosquitto_sub, for printing the count of messages received each second.
  • Add --retain-handling option.

Apps

mosquitto_signal

  • Add mosquitto_signal for helping send signals to mosquitto on Windows.

mosquitto_ctrl

  • Add interactive shell mode to mosquitto_ctrl.
  • Add support for listPlugins to mosquitto_ctrl.
  • Allow mosquitto_ctrl dynsec module to update passwords in files rather than having to connect to a broker.

mosquitto_passwd

  • Print messages in mosquitto_passwd when adding/updating passwords. Closes #2544.
  • When creating a new file with -c, setting the output filename to a dash - will output the result to stdout.

mosquitto_db_dump

  • Add --json output mode to mosquitto_db_dump.

Build

  • Increased CMake minimal required version to 3.14, which is required for the preinstalled SQLite3 find module.
  • Add a CMake option WITH_LTO to enable/disable link time optimization.
  • Set C99 as the explicit, rather than implicit, build standard.
  • cJSON is now a required dependency.
  • Refactored headers for easier discovery.
  • Support for openssl < 3.0 removed.

Release candidate 2.1.0rc1 available

The first release candidate for Mosquitto 2.1.0 is now available for testing. If no release critical issues are reported, this will become 2.1.0 on 2026-01-26.

The source and binary packages are available:


Test binaries for 2.1 available

For ease of testing there are now some binaries available for testing the upcoming 2.1 release. We would strongly urge everyone using mosquitto to test out these versions and provide feedback if anything doesn't work as you expect.

The version in these binaries is listed as 2.0.99.

There are currently three options available:

Snap

For the x86_64 architecture only.

Update to the edge channel to get the test:

snap refresh --channel=edge mosquitto

Revert to normal using:

snap refresh --channel=stable mosquitto

Windows

Download the 64-bit installer

Docker

The mosquitto docker images are provided through the Official Images program by Docker, so it would not be appropriate to put test images there. Given the restrictions Docker Hub places on pulling images, we are also looking at alternatives. Until the 2.1 release is made, testing images will be available hosted by Cedalo. Cedalo provide a paid version of mosquitto with enterprise features.

Note that the images are produced in a slightly different way to the normal images, so there is some wasted space. This is not representative of the final images.

docker pull registry.cedalo.com/eclipse-mosquitto-2.1-testing/mosquitto:latest

Other

We would like to provide Debian packages, but they are still in progress and we didn't want to delay the other binaries.


Version 2.0.22 released.

Version 2.0.22 of Mosquitto has been released. This is a bugfix release.

Broker

  • Windows: Fix broker crash on startup if using log_dest stdout
  • Bridge: Fix idle_timeout never occurring for lazy bridges.
  • Fix case where max_queued_messages = 0 was not treated as unlimited. Closes #3244.
  • Fix --version exit code and output. Closes #3267.
  • Fix crash on receiving a $CONTROL message over a bridge, if per_listener_settings is set true and the bridge is carrying out topic remapping. Closes #3261.
  • Fix incorrect reference clock being selected on startup on Linux. Closes #3238.
  • Fix reporting of client disconnections being incorrectly attributed to "out of memory". Closes #3253.
  • Fix compilation when using WITH_OLD_KEEPALIVE. Closes #3250.
  • Add Windows linker file for the broker to the installer. Closes #3269.
  • Fix Websockets PING not being sent on Windows. Closes #3272.
  • Fix problems with secure websockets. Closes #1211.
  • Fix crash on exit when using WITH_EPOLL=no. Closes #3302.
  • Fix clients being incorrectly expired when they have keepalive == max_keepalive. Closes #3226, #3286.

Dynamic security plugin

  • Fix mismatch memory free when saving config which caused memory tracking to be incorrect.

Client library

  • Fix C++ symbols being removed when compiled with link time optimisation. Closes #3259.
  • TLS error handling was incorrectly setting a protocol error for non-TLS errors. This would cause the mosquitto_loop_start() thread to exit if no broker was available on the first connection attempt. This has been fixed. Closes #3258.
  • Fix linker errors on some architectures using cmake. Closes #3167.

Tests

  • Fix 08-ssl-connect-cert-auth-expired and 08-ssl-connect-cert-auth-revoked tests when running on a single CPU system. Closes #3230.


Version 2.0.21 released.

Version 2.0.21 of Mosquitto has been released. This is a security and bugfix release.

Security

  • Fix leak on malicious SUBSCRIBE by authenticated client. Closes eclipse #248.
  • Further fix for CVE-2023-28366.

Broker

  • Fix clients sending a RESERVED packet not being quickly disconnected. Closes #2325.
  • Fix bind_interface producing an error when used with an interface that has an IPv6 link-local address and no other IPv6 addresses. Closes #2696.
  • Fix mismatched wrapped/unwrapped memory alloc/free in properties. Closes #3192.
  • Fix allow_anonymous false not being applied in local only mode. Closes #3198.
  • Add retain_expiry_interval option to fix expired retained message not being removed from memory if they are not subscribed to. Closes #3221.
  • Produce an error if invalid combinations of cafile/capath/certfile/keyfile are used. Closes #1836. Closes #3130.
  • Backport keepalive checking from develop to fix problems in current implementation. Closes #3138.

Client library

  • Fix potential deadlock in mosquitto_sub if -W is used. Closes #3175.

Apps

  • mosquitto_ctrl dynsec now also allows -i to specify a clientid as well as -c. This matches the documentation which states -i. Closes #3219.

Client library

  • Fix threads linking on Windows for static libmosquitto library. Closes #3143.

Build

  • Fix Windows builds not having websockets enabled.
  • Add tzdata to docker images

Tests

  • Fix 08-ssl-connect-cert-auth-expired and 08-ssl-connect-cert-auth-revoked tests when under load. Closes #3208.

Version 2.0.20 released.

Version 2.0.20 of Mosquitto has been released. This is a bugfix release.

Broker

  • Fix QoS 1 / QoS 2 publish incorrectly returning "no subscribers". Closes #3128.
  • Open files with appropriate access on Windows. Closes #3119.
  • Don't allow invalid response topic values.
  • Fix some strict protocol compliance issues. Closes #3052.

Client library

  • Fix cmake build on OS X. Closes #3125.

Build

  • Fix build on NetBSD

Version 2.0.19 released.

Version 2.0.19 of Mosquitto has been released. This is a security and bugfix release.

Security

  • Fix mismatched subscribe/unsubscribe with normal/shared topics.
  • Fix crash on bridge using remapped topic being sent a crafted packet.
  • Don't allow SUBACK with missing reason codes in client library.

Broker

  • Fix assert failure when loading a persistence file that contains subscriptions with no client id.
  • Fix local bridges being incorrectly expired when persistent_client_expiration is in use.
  • Fix use of CLOCK_BOOTTIME for getting time. Closes #3089.
  • Fix mismatched subscribe/unsubscribe with normal/shared topics.
  • Fix crash on bridge using remapped topic being sent a crafted packet.

Client library

  • Fix some error codes being converted to string as "unknown". Closes #2579.
  • Clear SSL error state to avoid spurious error reporting. Closes #3054.
  • Fix "payload format invalid" not being allowed as a PUBREC reason code.
  • Don't allow SUBACK with missing reason codes.

Build

  • Thread support is re-enabled on Windows.

Version 2.0.16 released.

Version 2.0.16 of Mosquitto has been released. This is a security and bugfix release.

Security

  • CVE-2023-28366: Fix memory leak in broker when clients send multiple QoS 2 messages with the same message ID, but then never respond to the PUBREC commands.
  • CVE-2023-0809: Fix excessive memory being allocated based on malicious initial packets that are not CONNECT packets.
  • CVE-2023-3592: Fix memory leak when clients send v5 CONNECT packets with a will message that contains invalid property types.
  • Broker will now reject Will messages that attempt to publish to $CONTROL/.
  • Broker now validates usernames provided in a TLS certificate or TLS-PSK identity are valid UTF-8.
  • Fix potential crash when loading invalid persistence file.
  • Library will no longer allow single level wildcard certificates, e.g. *.com

Broker

  • Fix $SYS messages being expired after 60 seconds and hence unchanged values disappearing.
  • Fix some retained topic memory not being cleared immediately after used.
  • Fix error handling related to the bind_interface option.
  • Fix std* files not being redirected when daemonising, when built with assertions removed. Closes #2708.
  • Fix default settings incorrectly allowing TLS v1.1. Closes #2722.
  • Use line buffered mode for stdout. Closes #2354. Closes #2749.
  • Fix bridges with non-matching cleansession/local_cleansession being expired on start after restoring from persistence. Closes #2634.
  • Fix connections being limited to 2048 on Windows. The limit is now 8192, where supported. Closes #2732.
  • Broker will log warnings if sensitive files are world readable/writable, or if the owner/group is not the same as the user/group the broker is running as. In future versions the broker will refuse to open these files.
  • mosquitto_memcmp_const is now more constant time.
  • Only register with DLT if DLT logging is enabled.
  • Fix any possible case where a json string might be incorrectly loaded. This could have caused a crash if a textname or textdescription field of a role was not a string, when loading the dynsec config from file only.
  • Dynsec plugin will not allow duplicate clients/groups/roles when loading config from file, which matches the behaviour for when creating them.
  • Fix heap overflow when reading corrupt config with "log_dest file".

Client library

  • Use CLOCK_BOOTTIME when available, to keep track of time. This solves the problem of the client OS sleeping and the client hence not being able to calculate the actual time for keepalive purposes. Closes #2760.
  • Fix default settings incorrectly allowing TLS v1.1. Closes #2722.
  • Fix high CPU use on slow TLS connect. Closes #2794.

Clients

  • Fix incorrect topic-alias property value in mosquitto_sub json output.
  • Fix confusing message on TLS certificate verification. Closes #2746.

Apps

  • mosquitto_passwd uses mkstemp() for backup files.
  • mosquitto_ctrl dynsec init will refuse to overwrite an existing file, without a race-condition.