Mosquitto is an open source (BSD licensed) message broker that implements the MQ Telemetry Transport protocol versions 3.1 and 3.1.1. MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for "machine to machine" messaging such as with low power sensors or mobile devices such as phones, embedded computers or microcontrollers like the Arduino. A good example of this is all of the work that Andy Stanford-Clark (one of the originators of MQTT) has done in home monitoring and automation with his twittering house and twittering ferry. Andy gave a talk on this at OggCamp that explains a bit about MQTT and how he uses it. The slides and audio are available online at slideshare.

Version 1.4.1 released

This is a bugfix and security release. Users of mosquitto 1.4 are strongly advised to upgrade. Upgrading from earlier versions is recommended but not as important.

Broker

  • Fix possible crash under heavy network load. Closes #463241. This bug only affects version 1.4.
  • Fix possible crash when using pattern ACLs.
  • Fix problems parsing config strings with multiple leading spaces. Closes #462154.
  • Websockets clients are now periodically disconnected if they have not maintained their keepalive timer. Closes #461619.
  • Fix possible minor memory leak on acl parsing.

Client library

  • Inflight limits should only apply to outgoing messages. Closes #461620.
  • Fix reconnect bug on Windows. Closes #463000.
  • Return -1 on error from mosquitto_socket(). Closes #461705.
  • Fix crash on multiple calls to mosquitto_lib_init/mosquitto_lib_cleanup. Closes #462780.
  • Allow longer paths on Windows. Closes #462781.
  • Make _mosquitto_mid_generate() thread safe. Closes #463479.

Version 1.4 released

This is a feature release and is also the first release of the mosquitto project from the Eclipse Foundation umbrella. The code is now dual licenced under the EPL/EDL. The EDL and BSD 3 clause license are essentially identical so if you were happy with the BSD license then you should be happy with the EDL.

Files distributed will remain in the same place but will in some cases also be available on the Eclipse download servers.

Important changes

  • Websockets support in the broker.
  • Bridge behaviour on the local broker has changed due to the introduction of the local_* options. This may affect you if you are using authentication and/or ACLs with bridges.
  • The default TLS behaviour has changed to accept all of TLS v1.2, v1.1 and v1.0, rather than only one version of the protocol. It is still possible to restrict a listener to a single version of TLS.
  • The Python client has been removed now that the Eclipse Paho Python client has had a release.
  • When a durable client reconnects, its queued messages are now checked against ACLs in case of a change in username/ACL state since it last connected.
  • New use_username_as_clientid option on the broker, for preventing hijacking of a client id.
  • The client library and clients now have experimental SOCKS5 support.
  • Wildcard TLS certificates are now supported for bridges and clients.
  • The clients have support for config files with default options.
  • Client and client libraries have support for MQTT v3.1.1.
  • Bridge support for MQTT v3.1.1.

Broker

  • Websockets support in the broker.
  • Add local_clientid, local_username, local_password for bridge connections to authenticate to the local broker.
  • Default TLS mode now accepts TLS v1.2, v1.1 and v1.0.
  • Support for ECDHE-ECDSA family ciphers.
  • Fix bug #1324411, which could have had unexpected consequences for delayed messages in rare circumstances.
  • Add support for “session present” in CONNACK messages for MQTT v3.1.1.
  • Remove strict protocol #ifdefs.
  • Change $SYS/broker/clients/active -> $SYS/broker/clients/connected
  • Change $SYS/broker/clients/inactive -> $SYS/broker/clients/disconnected
  • When a durable client reconnects, its queued messages are now checked against ACLs in case of a change in username/ACL state since it last connected.
  • libuuid is used to generate client ids, where it is available, when an MQTT v3.1.1 client connects with a zero length client id.
  • Anonymous clients are no longer accidentally disconnected from the broker after a SIGHUP.
  • mosquitto_passwd now supports -b (batch mode) to allow the password to be provided at the command line.
  • Removed $SYS/broker/changeset. This was intended for use with debugging, but in practice is of no use.
  • Add support for use_username_as_clientid which can be used with authentication to restrict ownership of client ids and hence prevent one client disconnecting another by using the same client id.
  • When “require_certificate” was false, the broker was incorrectly asking for a certificate (but not checking it). This caused problems with some clients and has been fixed so the broker no longer asks.
  • When using syslog logging on non-Windows OSs, it is now possible to specify the logging facility to one of local0-7 instead of the default “daemon”.
  • The bridge_attempt_unsubscribe option has been added, to allow the sending of UNSUBSCRIBE requests to be disabled for topics with “out” direction. Closes bug #456899.
  • Wildcard TLS certificates are now supported for bridges.
  • Support for “hour” client expiration lengths for the persistent_client_expiration option. Closes bug #425835.
  • Bridge support for MQTT v3.1.1.
  • Root privileges are now dropped after starting listeners and loading certificates/private keys, to allow private keys to have their permissions restricted to the root user only. Closes bug #452914.
  • Usernames and topics given in ACL files can now include a space. Closes bug #431780.
  • Fix hang if a pattern ACL contains a %u but an anonymous client connects. Closes bug #455402.
  • Fix man page installation with cmake. Closes bug #458843.
  • When using “log_dest file” the output file is now flushed periodically.

Clients

  • Both clients can now load default configuration options from a file.
  • Add -C option to mosquitto_sub to allow the client to quit after receiving a certain count of messages. Closes bug #453850.
  • Add --proxy SOCKS5 support for both clients.
  • Pub client supports setting its keepalive. Closes bug #454852.
  • Add support for config files with default options.
  • Add support for MQTT v3.1.1.

Client library

  • Add experimental SOCKS5 support.
  • mosquitto_loop_forever now quits after a fatal error, rather than blindly retrying.
  • SRV support is now not compiled in by default.
  • Wildcard TLS certificates are now supported.
  • mosquittopp now has a virtual destructor. Closes bug #452915.
  • Add support for MQTT v3.1.1.
  • Don’t quit mosquitto_loop_forever() if broker not available on first connect. Closes bug #453293, but requires more work.

Dependencies

This release introduces two new dependencies, libwebsockets and libuuid. Both are optional. libuuid comes from the e2fsprogs project and allows the broker to generate random client ids for MQTT v3.1.1. The libwebsockets dependency can use either libwebsockets 1.3 or 1.2.x, with 1.3 being the preferred choice.

Seeking sponsorship

The mosquitto project has, or can get, access to a wide variety of different systems to help with development. One important platform for which this is not true is Mac OS X. There are sufficient differences between Macs and other systems that this makes life difficult.

To this end, I would like to reach out to the mosquitto community to ask for help with obtaining either

  • A remote login on a Mac system
  • Donation of hardware
  • Donation of money to buy some hardware

I have been offered a remote account by a few individuals in the past, for which I’m very grateful, but only on a short term basis and, understandably, with limited control. Something on a longer term, with the ability to install packages would be much more useful. Unfortunately I realise this is relatively difficult to offer.

On the hardware side of things, there isn’t a need for a modern, powerful computer. A second hand Mac Mini of Core2Duo vintage with 1GB RAM and a reasonably modern version of Mac OS X would be quite sufficient, and ideal for me in terms of the space it takes up. Regrettably I feel I would have to turn down offers of an old iMac or Mac Pro.

2007-era Mac Minis go on Ebay UK for around £100. I’m hopeful that there is a company out there that uses mosquitto, likes Macs and for whom £100 would be a drop in the ocean. If so, or if any individuals want to help out with a small donation towards this, please get in touch directly at roger@atchoo.org or head over to the downloads page to see the paypal donation link, and thanks very much in advance.


Update:

I am now awaiting delivery of a Mac mini. Thanks very much to all of you that have contributed, it is very much appreciated. If you would still like to support mosquitto development please don’t let this put you off…

Mosquitto and POODLE

Details of the POODLE attack that targets SSLv3 have been released recently. Mosquitto has never provided support for SSLv3 (or SSLv2) so should not be vulnerable to this attack and does not require any configuration changes.

Version 1.3.4 introduced the change that when using TLS with require_certificate set to false, the client is no longer asked for a client certificate. This seemed to be causing problems in some situations, particularly with embedded devices.

If use_identity_as_username is set to true when require_certificate is set to false, then the client will not be asked for a certificate, even if it has one configured. This means that the client will be refused access with connack code 4, “bad username or password”, because use_identity_as_username currently requires that a certificate is present, even if allow_anonymous is set to true.

This change may cause unexpected results, but does not represent a security flaw because the change results in more clients being rejected than would otherwise have been.

Version 1.3.5 released

This is a bugfix release.

Broker

  • Fix possible memory leak when using a topic that has a leading slash. Fixes bug #1360985.
  • Fix saving persistent database on Windows.
  • Temporarily disable ACL checks on subscriptions when using MQTT v3.1.1. This is due to the complexity of checking wildcard ACLs against wildcard subscriptions. This does not have a negative impact on security because checks are still made before a message is sent to a client. Fixes bug #1374291.
  • When using -v and the broker receives a SIGHUP, verbose logging was being disabled. This has been fixed.

Client library

  • Fix mutex being incorrectly passed by value. Fixes bug #1373785.

Version 1.3.4 released

This is a bugfix release. The reason for the rapid release of the past two versions is down to a Debian developer reviewing the mosquitto package. This is a good opportunity to ensure that as bug free a version as possible is present in Debian.

Broker

  • Don’t ask client for certificate when require_certificate is false.
  • Backout incomplete functionality that was incorrectly included in 1.3.2.

Binaries will follow shortly.

Version 1.3.3 released

This is a bugfix release.

Broker

  • Fix incorrect handling of anonymous bridges on the local broker.

Binaries will follow shortly.

Version 1.3.2 released

This is a security and bugfix release.

Security

A bug in the way that mosquitto handles authentication plugins has been identified. When using a plugin for authentication purposes, if the plugin returns MOSQ_ERR_UNKNOWN when making an authentication check, as might happen if a database was unavailable for example, then mosquitto incorrectly treats this as a successful authentication. This has the potential for unauthorised clients to access the running mosquitto broker and gain access to information to which they are not authorised. This is an important update for users of authentication plugins in mosquitto.
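
The class of bug described above, shown as an added example (this is not mosquitto's source code): a caller that rejects only on the explicit "denied" code fails open when the plugin reports an application error, while a caller that admits only on explicit success fails closed. The enum values, `plugin_check()` and the `allow_*` helpers are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Local stand-ins for the plugin result codes; the numeric values are
 * chosen for this example only. */
enum auth_result { MOSQ_ERR_SUCCESS = 0, MOSQ_ERR_AUTH = 11, MOSQ_ERR_UNKNOWN = 13 };

/* Hypothetical plugin: checks a password against a backing store that may
 * be unreachable (db_up == false), as in the database case described above. */
enum auth_result plugin_check(bool db_up, bool password_ok)
{
    if (!db_up) return MOSQ_ERR_UNKNOWN;   /* application error, no verdict */
    return password_ok ? MOSQ_ERR_SUCCESS : MOSQ_ERR_AUTH;
}

/* Fail-open: only the explicit "denied" code rejects, so any error code the
 * caller did not anticipate falls through to acceptance. */
bool allow_fail_open(enum auth_result rc)
{
    if (rc == MOSQ_ERR_AUTH) return false;
    return true;
}

/* Fail-closed: only explicit success admits the client. */
bool allow_fail_closed(enum auth_result rc)
{
    return rc == MOSQ_ERR_SUCCESS;
}

/* Runs one scenario through both policies; true if their verdicts differ. */
bool policies_disagree(bool db_up, bool password_ok)
{
    enum auth_result rc = plugin_check(db_up, password_ok);
    return allow_fail_open(rc) != allow_fail_closed(rc);
}

int main(void)
{
    /* Constructed scenarios: {db_up, password_ok} */
    const bool cases[3][2] = { {true, true}, {true, false}, {false, false} };
    for (int i = 0; i < 3; i++) {
        enum auth_result rc = plugin_check(cases[i][0], cases[i][1]);
        printf("db_up=%d pw_ok=%d rc=%d fail_open=%d fail_closed=%d\n",
               cases[i][0], cases[i][1], (int)rc,
               allow_fail_open(rc), allow_fail_closed(rc));
    }
    return 0;
}
```

The two policies agree whenever the backing store answers; they differ only in the outage case, which is why a check of this kind passes ordinary login tests and needs a test that forces the plugin's error path.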

Broker

  • Don’t allow access to clients when authenticating if a security plugin returns an application error. Fixes bug #1340782.
  • Ensure that bridges verify certificates by default when using TLS.
  • Fix possible crash when using pattern ACLs that do not include a %u and clients that connect without a username.
  • Fix subscriptions being deleted when clients subscribed to a topic beginning with a $ but that is not $SYS.
  • When a durable client reconnects, its queued messages are now checked against ACLs in case of a change in username/ACL state since it last connected.
  • Anonymous clients are no longer accidentally disconnected from the broker after a SIGHUP.
  • Fix bug #1324411, which could have had unexpected consequences for delayed messages in rare circumstances.

Client library

  • Fix topic matching edge case.
  • Fix callback deadlocks after calling mosquitto_disconnect(), when using the threaded interfaces. Closes bug #1313725.
  • Fix SRV support when building with CMake.

General

  • Use $(STRIP) for stripping binaries when installing, to allow easier cross compilation.

New arrival

I’m pleased to say that I’m a new father again. My 7lb 12 (3.57kg) boy arrived today and is quite happy, as is his mother.

Apologies to anybody who has emailed me recently and I’ve not yet replied – this is the main reason!
