Mosquitto is an open source (BSD licensed) message broker that implements the MQ Telemetry Transport protocol versions 3.1 and 3.1.1. MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for "machine to machine" messaging such as with low power sensors or mobile devices such as phones, embedded computers or microcontrollers like the Arduino. A good example of this is all of the work that Andy Stanford-Clark (one of the originators of MQTT) has done in home monitoring and automation with his twittering house and twittering ferry. Andy gave a talk on this at OggCamp that explains a bit about MQTT and how he uses it. The slides and audio are available online at slideshare.

Version 1.4.3 released

This is a bugfix release.

Broker

  • Fix incorrect bridge notification on initial connection. Closes #467096.
  • Build fixes for OpenBSD.
  • Fix incorrect behaviour for autosave_interval, most noticable for autosave_interval=1. Closes #465438.
  • Fix handling of outgoing QoS>0 messages for bridges that could not be sent because the bridge connection was down.
  • Free unused topic tree elements. Closes #468987.
  • Fix some potential memory leaks. Closes #470253.
  • Fix potential crash on libwebsockets error.

Client library

  • Add missing error strings to mosquitto_strerror.
  • Handle fragmented TLS packets without a delay. Closes #470660.
  • Fix incorrect loop timeout being chosen when using threaded interface and keepalive = 0. Closes #471334.
  • Increment inflight messages count correctly. Closes #474935.

Clients

  • Report error string on connection failure rather than error code.

The current unreleased libwebsockets master branch defines the VERSION macro in its header files. I believe this to be a bug in libwebsockets.

This bug causes compilation of mosquitto with websockets support to fail.

Please use a released version of libwebsockets, either 1.2, 1.3 or 1.4. Mosquitto will compile with all of these versions.

I do not recommend using an unreleased version of libwebsockets, the project is not shy about making ABI/API incompatible changes between releases so it is impractical to provide support for.

Version 1.4.2 released

This is a bugfix release.

Broker

  • Fix bridge prefixes only working for the first outgoing message. Closes #464437.
  • Fix incorrect bridge connection notifications on local broker.
  • Fix persistent db writing on Windows. Closes #464779.
  • ACLs are now checked before sending a will message.
  • Fix possible crash when using bridges on Windows. Closes #465384.
  • Fix parsing of auth_opt_ arguments with extra spaces/tabs.
  • Broker will return CONNACK rc=5 when a username/password is not authorised. This was being incorrectly set as rc=4.
  • Fix handling of payload lengths>4096 with websockets.

Client library

  • Inflight message count wasn’t being decreased for outgoing messages using QoS 2, meaning that only up to 20 QoS 2 messages could be sent. This has been fixed. Closes #464436.
  • Fix CMake dependencies for C++ wrapper building. Closes #463884.
  • Fix possibility of select() being called with a socket that is >FD_SETSIZE. This is a fix for #464632 that will be followed up by removing the select() call in a future version.
  • Fix calls to mosquitto_connect*_async() not completing.

Version 1.4.1 released

This is a bugfix and security release. Users of mosquitto 1.4 are strongly advised to upgrade. Upgrading from earlier versions is recommended but not as important.

Broker

  • Fix possible crash under heavy network load. Closes #463241. This bug only affects version 1.4.
  • Fix possible crash when using pattern ACLs.
  • Fix problems parsing config strings with multiple leading spaces. Closes #462154.
  • Websockets clients are now periodically disconnected if they have not maintained their keepalive timer. Closes #461619.
  • Fix possible minor memory leak on acl parsing.

Client library

  • Inflight limits should only apply to outgoing messages. Closes #461620.
  • Fix reconnect bug on Windows. Closes #463000.
  • Return -1 on error from mosquitto_socket(). Closes #461705.
  • Fix crash on multiple calls to mosquitto_lib_init/mosquitto_lib_cleanup. Closes #462780.
  • Allow longer paths on Windows. Closes #462781.
  • Make _mosquitto_mid_generate() thread safe. Closes #463479.

Version 1.4 released

This is a feature release and is also the first release of the mosquitto project from the Eclipse Foundation umbrella. The code is now dual licenced under the EPL/EDL. The EDL and BSD 3 clause license are essentially identical so if you were happy with the BSD license then you should be happy with the EDL.

Files distributed will remain in the same place but will in some cases also be available on the Eclipse download servers.

Important changes

  • Websockets support in the broker.
  • Bridge behaviour on the local broker has changed due to the introduction of the local_* options. This may affect you if you are using authentication  and/or ACLs with bridges.
  • The default TLS behaviour has changed to accept all of TLS v1.2, v1.1 and v1.0, rather than only one version of the protocol. It is still possible to restrict a listener to a single version of TLS.
  • The Python client has been removed now that the Eclipse Paho Python client has had a release.
  • When a durable client reconnects, its queued messages are now checked against ACLs in case of a change in username/ACL state since it last connected.
  • New use_username_as_clientid option on the broker, for preventing hijacking of a client id.
  • The client library and clients now have experimental SOCKS5 support.
  • Wildcard TLS certificates are now supported for bridges and clients.
  • The clients have support for config files with default options.
  • Client and client libraries have support for MQTT v3.1.1.
  • Bridge support for MQTT v3.1.1.

Broker

  • Websockets support in the broker.
  • Add local_clientid, local_username, local_password for bridge connections to authenticate to the local broker.
  • Default TLS mode now accepts TLS v1.2, v1.1 and v1.0.
  • Support for ECDHE-ECDSA family ciphers.
  • Fix bug #1324411, which could have had unexpected consequences for delayed messages in rare circumstances.
  • Add support for “session present” in CONNACK messages for MQTT v3.1.1.
  • Remove strict protocol #ifdefs.
  • Change $SYS/broker/clients/active -> $SYS/broker/clients/connected
  • Change $SYS/broker/clients/inactive -> $SYS/broker/clients/disconnected
  • When a durable client reconnects, its queued messages are now checked against ACLs in case of a change in username/ACL state since it last connected.
  • libuuid is used to generate client ids, where it is available, when an MQTT v3.1.1 client connects with a zero length client id.
  • Anonymous clients are no longer accidently disconnected from the broker after a SIGHUP.
  • mosquitto_passwd now supports -b (batch mode) to allow the password to be provided at the command line.
  • Removed $SYS/broker/changeset. This was intended for use with debugging, but in practice is of no use.
  • Add support for use_username_as_clientid which can be used with authentication to restrict ownership of client ids and hence prevent one client disconnecting another by using the same client id.
  • When “require_certificate” was false, the broker was incorrectly asking for a certificate (but not checking it). This caused problems with some clients and has been fixed so the broker no longer asks.
  • When using syslog logging on non-Windows OSs, it is now possible to specify the logging facility to one of local0-7 instead of the default “daemon”.
  • The bridge_attempt_unsubscribe option has been added, to allow the sending of UNSUBSCRIBE requests to be disabled for topics with “out” direction. Closes bug #456899.
  • Wildcard TLS certificates are now supported for bridges.
  • Support for “hour” client expiration lengths for the persistent_client_expiration option. Closes bug #425835.
  • Bridge support for MQTT v3.1.1.
  • Root privileges are now dropped after starting listeners and loading certificates/private keys, to allow private keys to have their permissions restricted to the root user only. Closes bug #452914.
  • Usernames and topics given in ACL files can now include a space. Closes bug #431780.
  • Fix hang if pattern acl contains a %u but an anonymous client connect. Closes bug #455402.
  • Fix man page installation with cmake. Closes bug #458843.
  • When using “log_dest file” the output file is now flushed periodically.

Clients

  • Both clients can now load default configuration options from a file.
  • Add -C option to mosquitto_sub to allow the client to quit after receiving a certain count of messages. Closes bug #453850.
  • Add –proxy SOCKS5 support for both clients.
  • Pub client supports setting its keepalive. Closes bug #454852.
  • Add support for config files with default options.
  • Add support for MQTT v3.1.1.

Client library

  • Add experimental SOCKS5 support.
  • mosquitto_loop_forever now quits after a fatal error, rather than blindly retrying.
  • SRV support is now not compiled in by default.
  • Wildcard TLS certificates are now supported.
  • mosquittopp now has a virtual destructor. Closes bug #452915.
  • Add support for MQTT v3.1.1.
  • Don’t quit mosquitto_loop_forever() if broker not available on first connect. Closes bug #453293, but requires more work.

Dependencies

This release introduces two new dependencies, libwebsockets and libuuid. Both are optional. libuuid comes from the e2fsprogs project and allows the broker to generate random client ids for MQTT v.3.1.1. The libwebsockets dependency can use either libwebsockets 1.3 or 1.2.x, with 1.3 being the preferred choice.

Seeking sponsorship

The mosquitto project has,  or can get, access to a wide variety of different systems to help with development. One important platform for which this is not true is Mac OS X. There are sufficient differences between Macs and other systems that this makes life difficult.

To this end, I would like to reach out to the mosquitto community to ask for help with obtaining either

  • A remote login on a Mac system
  • Donation of hardware
  • Donation of money to buy some hardware

I have been offered a remote account by a few individuals in the past, for which I’m very grateful, but only on a short term basis and, understandably, with limited control. Something on a longer term, with the ability to install packages would be much more useful. Unfortunately I realise this is relatively difficult to offer.

On the hardware side of things, there isn’t a need for a modern, powerful computer. A second hand Mac Mini of Core2Duo vintage with 1GB RAM and a reasonably modern version of Mac OS X would be quite sufficient, and ideal for me in terms of the space it takes up. Regrettably I feel I would have to turn down offers of an old iMac or Mac Pro.

2007-era Mac Minis go on Ebay UK for around £100. I’m hopeful that there is a company out there using mosquitto, likes Macs and for whom £100 would be a drop in the ocean. If so, or any individuals want to help out with a small donation towards this, please get in touch directly to roger@atchoo.org or head over to the downloads page to see the paypal donation link, and thanks very much in advance.


Update:

I have now awaiting delivery of a Mac mini. Thanks very much to all of you that have contributed, it is very much appreciated. If you would still like to support mosquitto development please don’t let this put you off…

Mosquitto and POODLE

Details of the POODLE attack that targets SSLv3 have been released recently. Mosquitto has never provided support for SSLv3 (or SSLv2) so should not be vulnerable to this attack and does not require any configuration changes.

Version 1.3.4 introduced the change that when using TLS with require_certificate set to false, the client is no longer asked for a client certificate. This seemed to be causing problems in some situations, particularly with embedded devices.

If use_identity_as_username is set to true when require_certificate is set to false, then the client will not be asked for a certificate, even if it has one configured. This means that the client will be refused access with connack code 4, “bad username or password”, because if use_identity_as_username currently requires that a certificate is present, even if allow_anonymous is set to true.

This change may cause unexpected results, but does not represent a security flaw because the change results in more clients being rejected than would otherwise have been.

Version 1.3.5 released

This is a bugfix release.

Broker

  • Fix possible memory leak when using a topic that has a leading slash. Fixes bug #1360985.
  • Fix saving persistent database on Windows.
  • Temporarily disable ACL checks on subscriptions when using MQTT v3.1.1. This is due to the complexity of checking wildcard ACLs against wildcard subscriptions. This does not have a negative impact on security because checks are still made before a message is sent to a client. Fixes bug #1374291.
  • When using -v and the broker receives a SIGHUP, verbose logging was being
    disabled. This has been fixed.

Client library

  • Fix mutex being incorrectly passed by value. Fixes bug #1373785.

Version 1.3.4 released

This is a bugfix release. The reason for the rapid release of the past two versions is down to a Debian developer reviewing the mosquitto package. This is a good opportunity to ensure that as bug free a version as possible is present in Debian.

Broker

  • Don’t ask client for certificate when require_certificate is false.
  • Backout incomplete functionality that was incorrectly included in 1.3.2.

Binaries will follow shortly.