Press release

I am pleased to announce that I am being paid to work on Mosquitto by Cedalo AG. I will be leaving my current job at the end of June this year, but have already started work for Cedalo on a limited basis.

The press release for this change is below:

New 1.5 release, MQTT 5.0 roadmap and commercial sponsor for Open-Source Eclipse Mosquitto MQTT Broker

Open-Source MQTT Broker Version 1.5 released – Estimate for availability of MQTT 5.0 compliant version – German based Cedalo AG becomes commercial sponsor for future Mosquitto Open Source development

A new version of the open source Eclipse Mosquitto MQTT broker is available on the Mosquitto website at mosquitto.org. Mosquitto version 1.5 brings a host of changes to the broker, including performance improvements and more flexible authentication and access control, as well as numerous bug fixes. The client library has added some helper functions to allow the creation of extremely simple MQTT clients.

The initiator and core developer of the Mosquitto project is now employed by the German based company Cedalo AG (www.cedalo.com). Cedalo has hired Roger Light to sponsor the further development of Mosquitto and to accelerate the public availability of a powerful MQTT broker. Cedalo is the creator of the end-user oriented IoT modelling tool “Streamsheets”.

With the new sponsorship the project is now able to accelerate the path towards new releases. The next version of Mosquitto will add support for MQTT version 5, which is the most substantial revision of the protocol since the first public specification was released. MQTT v5 adds error reporting, enhancements for scalability at the server side, features to help resource constrained clients, and extensible metadata - which is used amongst other things to introduce support for a request/response capability.

The MQTT v5 compliant release is planned for the end of August 2018.

Press Contact: Cedalo AG 79098 Freiburg, Schnewlinstr. 6

Kristian Raue Mail: presse@cedalo.com


Version 1.5 released

1.5 - 20180502

This is a features release. Updated binaries will be available shortly.

Security

  • Fix memory leak that could be caused by a malicious CONNECT packet. This does not yet have a CVE assigned. Closes #533493 (on Eclipse bugtracker)

Broker features

  • Add per_listener_settings to allow authentication and access control to be per listener.
  • Add limited support for reloading listener settings. This allows settings for an already defined listener to be reloaded, but port numbers must not be changed.
  • Add ability to deny access to SUBSCRIBE messages as well as the current read/write accesses. Currently for auth plugins only.
  • Reduce calls to malloc through the use of UHPA.
  • Outgoing messages with QoS>1 are no longer retried after a timeout period. Messages will be retried when a client reconnects. This change in behaviour can be justified by considering when the timeout may have occurred.
  • If a connection is unreliable and has dropped, but without one end noticing, the messages will be retried on reconnection. Sending additional PUBLISH or PUBREL would not have changed anything.
  • If a client is overloaded/unable to respond/has a slow connection then sending additional PUBLISH or PUBREL would not help the client catch up. Once the backlog has cleared the client will respond. If it is not able to catch up, sending additional duplicates would not help either.
  • Add use_subject_as_username option for certificate based client authentication to use the entire certificate subject as a username, rather than just the CN. Closes #469467.
  • Change sys tree printing output. This format shouldn't be relied upon and may change at any time. Closes #470246.
  • Minimum supported libwebsockets version is now 1.3.
  • Add systemd startup notification and services. Closes #471053.
  • Reduce unnecessary malloc and memcpy when receiving a message and storing it. Closes #470258.
  • Support for Windows XP has been dropped.
  • Bridge connections now default to using MQTT v3.1.1.
  • mosquitto_db_dump tool can now output some stats on clients.
  • Perform utf-8 validation on incoming will, subscription and unsubscription topics.
  • new $SYS/broker/store/messages/count (deprecates $SYS/broker/messages/stored)
  • new $SYS/broker/store/messages/bytes
  • max_queued_bytes feature to limit queues by real size rather than than just message count. Closes Eclipse #452919 or Github #100
  • Add support for bridges to be configured to only send notifications to the local broker.
  • Add set_tcp_nodelay option to allow Nagle's algorithm to be disabled on client sockets. Closes #433.
  • The behaviour of allow_anonymous has changed. In the old behaviour, the default if not set was to allow anonymous access. The new behaviour is to default is to allow anonymous access unless another security option is set. For example, if password_file is set and allow_anonymous is not set, then anonymous access will be denied. It is still possible to allow anonymous access by setting it explicitly.

Broker fixes

  • Fix UNSUBSCRIBE with no topic is accepted on MQTT 3.1.1. Closes #665.
  • Produce an error if two bridges share the same local_clientid.
  • Miscellaneous fixes on Windows.
  • queue_qos0_messages was not observing max_queued_** limits
  • When using the include_dir configuration option sort the files alphabetically before loading them. Closes #17.
  • IPv6 is no longer disabled for websockets listeners.
  • Remove all build timestamp information including $SYS/broker/timestamp. Closes #651.
  • Correctly handle incoming strings that contain a NULL byte. Closes #693.
  • Use constant time memcmp for password comparisons.
  • Fix incorrect PSK key being used if it had leading zeroes.
  • Fix memory leak if a client provided a username/password for a listener with use_identity_as_username configured.
  • Fix use_identity_as_username not working on websockets clients.
  • Don't crash if an auth plugin returns MOSQ_ERR_AUTH for a username check on a websockets client. Closes #490.
  • Fix 08-ssl-bridge.py test when using async dns lookups. Closes #507.
  • Lines in the config file are no longer limited to 1024 characters long. Closes #652.
  • Fix $SYS counters of messages and bytes sent when message is sent over a Websockets. Closes #250.
  • Fix upgrade_outgoing_qos for retained message. Closes #534.
  • Fix CONNACK message not being sent for unauthorised connect on websockets. Closes #8.
  • Maximum connections on Windows increased to 2048.
  • When a client with an in-use client-id connects, if the old client has a will, send the will message. Closes #26.
  • Fix parsing of configuration options that end with a space. Closes #804.

Client library features

  • Outgoing messages with QoS>1 are no longer retried after a timeout period. Messages will be retried when a client reconnects.
  • DNS-SRV support is now disabled by default.
  • Add mosquitto_subscribe_simple() This is a helper function to make retrieving messages from a broker very straightforward. Examples of its use are in examples/subscribe_simple.
  • Add mosquitto_subscribe_callback() This is a helper function to make processing messages from a broker very straightforward. An example of its use is in examples/subscribe_simple.
  • Connections now default to using MQTT v3.1.1.
  • Add mosquitto_validate_utf8() to check whether a string is valid UTF-8 according to the UTF-8 spec and to the additional restrictions imposed by the MQTT spec.
  • Topic inputs are checked for UTF-8 validity.
  • Add mosquitto_userdata function to allow retrieving the client userdata member variable. Closes #111.
  • Add mosquitto_pub_topic_check2(), mosquitto_sub_topic_check2(), and mosquitto_topic_matches_sub2() which are identical to the similarly named functions but also take length arguments.
  • Add mosquitto_connect_with_flags_callback_set(), which allows a second connect callback to be used which also exposes the connect flags parameter. Closes #738 and #128.
  • Add MOSQ_OPT_SSL_CTX option to allow a user specified SSL_CTX to be used instead of the one generated by libmosquitto. This allows greater control over what options can be set. Closes #715.
  • Add MOSQ_OPT_SSL_CTX_WITH_DEFAULTS to work with MOSQ_OPT_SSL_CTX and have the default libmosquitto SSL_CTX configuration applied to the user provided SSL_CTX. Closes #567.

Client library fixes

  • Fix incorrect PSK key being used if it had leading zeroes.
  • Initialise "result" variable as soon as possible in mosquitto_topic_matches_sub. Closes #654.
  • No need to close socket again if setting non-blocking failed. Closes #649.
  • Fix mosquitto_topic_matches_sub() not correctly matching foo/bar against foo/+/#. Closes #670.
  • SNI host support added.

Client features

  • Add -F to mosquitto_sub to allow the user to choose the output format.
  • Add -U to mosquitto_sub for unsubscribing from topics.
  • Add -c (clean session) to mosquitto_pub.
  • Add --retained-only to mosquitto_sub to exit after receiving all retained messages.
  • Add -W to allow mosquitto_sub to stop processing incoming messages after a timeout.
  • Connections now default to using MQTT v3.1.1.
  • Default to using port 8883 when using TLS.
  • mosquitto_sub doesn't continue to keep connecting if CONNACK tells it the connection was refused.

Client fixes

  • Correctly handle empty files with mosquitto_pub -l. Closes #676.

Build

  • Add WITH_STRIP option (defaulting to "no") that when set to "yes" will strip executables and shared libraries when installing.
  • Add WITH_STATIC_LIBRARIES (defaulting to "no") that when set to "yes" will build and install static versions of the client libraries.
  • Don't run TLS-PSK tests if TLS-PSK disabled at compile time. Closes #636.
  • Support for openssl versions 1.0.0 and 1.0.1 has been removed as these are no longer supported by openssl.

Documentation

  • Replace mentions of deprecated c_rehash with openssl rehash.

Security advisory: CVE-2017-7651, CVE-2017-7652

Mosquitto 1.4.15 has been released to address two security vulnerabilities.

CVE-2017-7651

A vulnerability exists in all Mosquitto versions up to and including 1.4.14 known as CVE-2017-7651.

Unauthenticated clients can send a crafted CONNECT packet which causes large amounts of memory use in the broker. If multiple clients do this, an out of memory situation can occur and the system may become unresponsive or the broker will be killed by the operating system.

The issue is fixed in Mosquitto 1.4.15. Patches for older versions are available at https://mosquitto.org/files/cve/2017-7651

The fix addresses the problem by limiting the permissible size for CONNECT packet, and by adding a memory_limit configuration option that allows the broker to self limit the amount of memory it uses.

Thanks to Felipe Balabanian for finding this vulnerability and responsibly reporting it.

CVE-2017-7652

A vulnerability exists in Mosquitto versions 1.0 to 1.4.14 inclusive known as CVE-2017-7652.

If the broker has exhausted all of its free sockets/file descriptors and then a SIGHUP signal is received to trigger reloading of the configuration, then the reloading will fail. This results in many of the configuration options, including security options, being set to their default value. This means that authorisation and access control may no longer be in place.

The issue is fixed in Mosquitto 1.4.15. Patches for older versions are available at https://mosquitto.org/files/cve/2017-7652

The fix addresses the problem by only copying the new configuration options to the in use configuration after a successful reload has taken place.

Version 1.4.15 Changes

The complete list of fixes addressed in version 1.4.15 is:

Security

  • Fix CVE-2017-7652. If a SIGHUP is sent to the broker when there are no more file descriptors, then opening the configuration file will fail and security settings will be set back to their default values.
  • Fix CVE-2017-7651. Unauthenticated clients can cause excessive memory use by setting "remaining length" to be a large value. This is now mitigated by limiting the size of remaining length to valid values. A memory_limit configuration option has also been added to allow the overall memory used by the broker to be limited.

Broker

  • Use constant time memcmp for password comparisons.
  • Fix incorrect PSK key being used if it had leading zeroes.
  • Fix memory leak if a client provided a username/password for a listener with use_identity_as_username configured.
  • Fix use_identity_as_username not working on websockets clients.
  • Don't crash if an auth plugin returns MOSQ_ERR_AUTH for a username check on a websockets client. Closes #490.
  • Fix 08-ssl-bridge.py test when using async dns lookups. Closes #507.
  • Lines in the config file are no longer limited to 1024 characters long. Closes #652.
  • Fix $SYS counters of messages and bytes sent when message is sent over a Websockets. Closes #250.
  • Fix upgrade_outgoing_qos for retained message. Closes #534.
  • Fix CONNACK message not being sent for unauthorised connect on websockets. Closes #8.

Client library

  • Fix incorrect PSK key being used if it had leading zeroes.
  • Initialise "result" variable as soon as possible in mosquitto_topic_matches_sub. Closes #654.
  • No need to close socket again if setting non-blocking failed. Closes #649.
  • Fix mosquitto_topic_matches_sub() not correctly matching foo/bar against foo/+/#. Closes #670.

Clients

  • Correctly handle empty files with mosquitto_pub -l. Closes #676.

Build

  • Don't run TLS-PSK tests if TLS-PSK disabled at compile time. Closes #636.

Version 1.4.14 released

This is a bugfix release.

Version 1.4.13 contained a regression that meant persistence data was only being saved after client information had been freed. This release fixes that.

If you use persistence then it is strongly recommended to avoid 1.4.13 so you do not suffer data loss.


Version 1.4.13 released

This is a bugfix and security release.

Security

  • Fix CVE-2017-9868. The persistence file was readable by all local users, potentially allowing sensitive information to be leaked. This can also be fixed administratively, by restricting access to the directory in which the persistence file is stored.

Broker

  • Fix for poor websockets performance.
  • Fix lazy bridges not timing out for idle_timeout. Closes #417.
  • Fix problems with large retained messages over websockets. Closes #427.
  • Set persistence file to only be readable by owner, except on Windows. Closes #468.
  • Fix CONNECT check for reserved=0, as per MQTT v3.1.1 check MQTT-3.1.2-3.
  • When the broker stop, wills for any connected clients are now "sent". Closes #477.
  • Auth plugins can be configured to disable the check for +# in usernames/client ids with the auth_plugin_deny_special_chars option. Partially closes #462.
  • Restrictions for CVE-2017-7650 have been relaxed - '/' is allowed in usernames/client ids.
  • Remainder of fix for #462.

Clients

  • Don't use / in auto-generated client ids.

Security advisory: CVE-2017-9868

A vulnerability exists in Mosquitto versions 0.15 to 1.4.12 inclusive known as CVE-2017-9868.

If persistence is enabled, then the persistence file is created world readable, which has the potential to make sensitive information available to any local user.

Patches are available to fix this for Unix like operating systems (i.e. not Windows): https://mosquitto.org/files/cve/2017-9868/

This will be fixed in version 1.4.13, due to be released shortly.

This can also be fixed administratively by removing world read permissions for the directory that the persistence file is stored in. In many systems this can be achieved with:

chmod 700 /var/lib/mosquitto

Citing Eclipse Mosquitto in your academic paper

A short paper has been published on Mosquitto in The Journal of Open Source Software If you use Mosquitto in your academic work, please now use this paper as your citation.

R. A. Light, "Mosquitto: server and client implementation of the MQTT protocol," The Journal of Open Source Software, vol. 2, no. 13, May 2017, DOI: 10.21105/joss.00265

The paper link is http://dx.doi.org/10.21105/joss.00265

A [bibtex] entry is available.


Security advisory: CVE-2017-7650

A vulnerability exists in Mosquitto versions 0.15 to 1.4.11 inclusive known as CVE-2017-7650.

Pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto.

The vulnerability only comes into effect where pattern based ACLs are in use, or potentially where third party plugins are in use.

The issue is fixed in Mosquitto 1.4.12, which has just been released. Patches for older versions are available at https://mosquitto.org/files/cve/2017-7650

The fix addresses the problem by restricting access for clients with a '#', '+', or '/' in their username or client id. '/' has been included in the list of characters disallowed because it also has a special meaning in a topic and may represent an additional risk. The restriction placed on clients is that they may not receive or send messages that are subject to a pattern based ACL check, nor any message that is subject to a plugin check.

Thanks to Artem Zinenko from HackerDom CTF team for finding this vulnerability and responsibly reporting it.

Complete list of fixes addressed in version 1.4.12:

Broker

  • Fix mosquitto.db from becoming corrupted due to client messages being persisted with no stored message. Closes #424.
  • Fix bridge not restarting properly. Closes #428.
  • Fix unitialized memory in gets_quiet on Windows. Closes #426.
  • Fix building with WITH_ADNS=no for systems that don't use glibc. Closes #415.
  • Fixes to readme.md.
  • Fix deprecation warning for OpenSSL 1.1. PR #416.
  • Don't segfault on duplicate bridge names. Closes #446.
  • Fix CVE-2017-7650.