Version 1.6.2 released

This is a security and bugfix release.

Security

If a client connects using MQTT v5, will a Will message that has MQTT v5 properties attached, and the very first Will property is one of content-type, correlation-data, payload-format-indicator, or response-topic, then at the point the client disconnects, the broker will attempt to read from freed memory, resulting in a possible crash.

Broker

  • Fix memory access after free, leading to possible crash, when v5 client with Will message disconnects, where the Will message has as its first property one of content-type, correlation-data, payload-format-indicator, or response-topic. Closes #1244.
  • Fix build for WITH_TLS=no. Closes #1250.
  • Fix Will message not allowing user-property properties.
  • Fix broker originated messages (e.g. $SYS/broker/version) not being published when check_retain_source set to true. Closes #1245.
  • Fix $SYS/broker/version being incorrectly expired after 60 seconds. Closes #1245.

Library

  • Fix crash after client has been unable to connect to a broker. This occurs when the client is exiting and is part of the final library cleanup routine. Closes #1246.

Clients

  • Fix -L url parsing. Closes [#1248].

Version 1.6.1 released

This is a minor service release. The fixes are only related to documentation and the build process, and so is primarily of interest for people building Mosquitto.

Broker

  • Document memory_limit option.

Clients

  • Fix compilation on non glibc systems due to missing sys/time.h header.

Build:

  • Add make check target and document testing procedure. Closes #1230.
  • Document bundled dependencies and how to disable. Closes #1231.
  • Split CFLAGS and CPPFLAGS, and LDFLAGS and LDADD/LIBADD.
  • test/unit now respects CPPFLAGS and LDFLAGS. Closes #1232.
  • Don't call ldconfig in CMake scripts. Closes #1048.
  • Use CMAKE_INSTALL_* variables when installing in CMake. Closes #1049.

Version 1.6 released

This is a feature release and represents a substantial amount of change in the project. Since version 1.5, the overall code line count for the broker, library and clients has increased by 37% to 28k. Testing has been an important focus for this release. The number of tests has increased from 102 to 412. The test coverage, whilst still needing further improvement, has increased from 56% to 61%.

A summary of the notable features is given below.

MQTT v5 support

The big addition for this release is support for MQTT v5. This covers the broker, client library and client, and gives full support for the new specification, although not all features are accessible as they will be.

You can quickly test out a v5 client by using -V 5 and adding properties with the -D option, for example:

mosquitto_sub -V 5 -D connect receive-maximum 3 -D subscribe subscription-identifier 1 ...

The authentication plugin interface has been extended to allow use of the v5 extended authentication feature.

Performance improvements

A number of performance improvements have been implemented in the broker, including the message routing logic, topic matching, and persistence file reading/writing.

More improvements are planned for the next release.

New client - mosquitto_rr

mosquitto_rr is the "request-response" client, intended for the situation where you want to publish a request message and await a response. It works best with the MQTT v5 request-response features, but can be used with v3.1.1 servers if the client it is talking to knows how to respond. This tool is almost certainly not going to see as much use as mosquitto_sub or mosquitto_pub, but is a useful utility to have available.

Contributed features

Some notable features have been contributed by the community.

On the TLS front, support for ALPN allows bridges and clients to connect to servers that have multiple protocols on a single port. The new OCSP stapling support allows the status of TLS certificates to be validated. Finally, TLS Engine support has been added.

Away from TLS, support for Automotive DLT logging has been added, disabled by default.

Deprecations

The C++ wrapper library, libmosquittopp is now deprecated and will be removed in version 2.0. It remains largely unchanged since v1.5.

The C library, libmosquitto, is having its interface changed for version 2.0, so any current function should be considered at risk. The rationale for this is to consolidate the changes introduced since version 1.0, in particular the large number of functions required to support MQTT v5, but that otherwise closely match existing functions.

Support for TLS v1.0 has been dropped. Support for TLS v1.1 will be dropped in version 2.0.

Changelog

The more detailed changelog is below, but does not include many of the fixes and improvements that have been made:

Broker features

  • Add support for MQTT v5
  • Add support for OCSP stapling.
  • Add support for ALPN on bridge TLS connections. Closes #924.
  • Add support for Automotive DLT logging.
  • Add TLS Engine support.
  • Persistence file read/write performance improvements.
  • General performance improvements.
  • Add max_keepalive option, to allow a maximum keepalive value to be set for MQTT v5 clients only.
  • Add bind_interface option which allows a listener to be bound to a specific network interface, in a similar fashion to the bind_address option. Linux only.
  • Add improved bridge restart interval based on Decorrelated Jitter.
  • Add dhparamfile option, to allow DH parameters to be loaded for Ephemeral DH support
  • Disallow writing to $ topics where appropriate.
  • Add explicit support for TLS v1.3.
  • Drop support for TLS v1.0.
  • Improved general support for broker generated client ids. Removed libuuid dependency.
  • auto_id_prefix now defaults to 'auto-'.
  • QoS 1 and 2 flow control improvements.

Client library features

  • Add support for MQTT v5
  • Add mosquitto_subscribe_multiple() for sending subscriptions to multiple topics in one command.
  • Add TLS Engine support.
  • Add explicit support for TLS v1.3.
  • Drop support for TLS v1.0.
  • QoS 1 and 2 flow control improvements.

Client features

  • Add support for MQTT v5
  • Add mosquitto_rr client, which can be used for "request-response" messaging, by sending a request message and awaiting a response.
  • Add TLS Engine support.
  • Add support for ALPN on TLS connections. Closes #924.
  • Add -D option for all clients to specify MQTT v5 properties.
  • Add -E to mosquitto_sub, which causes it to exit immediately after having its subscriptions acknowledged. Use with -c to create a durable client session without requiring a message to be received.
  • Add --remove-retained to mosquitto_sub, which can be used to clear retained messages on a broker.
  • Add --repeat and --repeat-delay to mosquitto_pub, which can be used to repeat single message publishes at a regular interval.
  • -V now accepts 5, 311, 31, as well as mqttv5 etc.
  • Add explicit support for TLS v1.3.
  • Drop support for TLS v1.0.

Broker fixes

  • Improve error reporting when creating listeners.
  • Fix mosquitto_passwd crashing on corrupt password file. Closes [#1207].
  • Fix build on SmartOS due to missing IPV6_V6ONLY. Closes #1212.

Client library fixes

  • Add missing mosquitto_userdata() function.

Client fixes

  • mosquitto_pub wouldn't always publish all messages when using -l and QoS>0. This has been fixed.
  • mosquitto_sub was incorrectly encoding special characters when using %j output format. Closes #1220.

Version 1.5.8 released

This is a bugfix release.

Broker

  • Fix clients being disconnected when ACLs are in use. This only affects the case where a client connects using a username, and the anonymous ACL list is defined but specific user ACLs are not defined. Closes #1162.
  • Make error messages for missing config file clearer.
  • Fix some Coverity Scan reported errors that could occur when the broker was already failing to start.
  • Fix broken mosquitto_passwd on FreeBSD. Closes #1032.
  • Fix delayed bridge local subscriptions causing missing messages. Closes #1174.

Library

  • Use higher resolution timer for random initialisation of client id generation. Closes #1177.
  • Fix some Coverity Scan reported errors that could occur when the library was already quitting.

MQTT 5 Test Release

The work on MQTT v5 support in Mosquitto has reached a point where it may be of interest to a range of people. It is not yet complete, but wider testing and feedback would be appreciated.

The source is available at mosquitto-mqtt5-test1.tar.gz and can be compiled as normal.

Supported features

  • Session expiry
  • Message expiry
  • Reason code on all ACKs (not all reason codes are used)
  • Reason string on all ACKs (no reason strings are provided by the broker however)
  • Payload format and content type
  • Request / response pattern
  • Subscription ID
  • Topic alias
  • Flow control
  • User properties
  • Optional server feature availability
  • Subscription options
  • Server keep alive
  • Assigned Client ID

Unsupported features

  • Shared subscriptions
  • Extended authentication
  • Server reference
  • Not all reason codes are used by the broker
  • Bridges do not use MQTT v5
  • On disk persistence does not include MQTT 5 property support
  • The broker will not create topic aliases

Version 1.5.7 released

This is a bugfix release.

Broker

  • Fix build failure when using WITH_ADNS=yes
  • Ensure that an error occurs if per_listener_settings true is given after other security options. Closes #1149.
  • Fix include_dir not sorting config files before loading. This was partially fixed in 1.5 previously.
  • Improve documentation around the include_dir option. Closes #1154.
  • Fix case where old unreferenced msg_store messages were being saved to the persistence file, bloating its size unnecessarily. Closes #389.

Library

  • Fix mosquitto_topic_matches_sub() not returning MOSQ_ERR_INVAL for invalid subscriptions like topic/#abc. This only affects the return value, not the match/no match result, which was already correct.

Build

  • Don't require C99 compiler.
  • Add rewritten build test script and remove some build warnings.

Version 1.5.6 released

Mosquitto 1.5.6 has been released to address three potential security vulnerabilities.

CVE-2018-12551

If Mosquitto is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected. Users who have only used the mosquitto_passwd utility to create and modify their password files are unaffected by this vulnerability. Affects version 1.0 to 1.5.5 inclusive.

Patches for older versions are available at https://mosquitto.org/files/cve/2018-12551

CVE-2018-12550

If an ACL file is empty, or has only blank lines or comments, then mosquitto treats the ACL file as not being defined, which means that no topic access is denied. Although denying access to all topics is not a useful configuration, this behaviour is unexpected and could lead to access being incorrectly granted in some circumstances. Affects versions 1.0 to 1.5.5 inclusive.

Patches for older versions are available at https://mosquitto.org/files/cve/2018-12550

CVE-2018-12546

If a client publishes a retained message to a topic that they have access to, and then their access to that topic is revoked, the retained message will still be delivered to future subscribers. This behaviour may be undesirable in some applications, so a configuration option check_retain_source has been introduced to enforce checking of the retained message source on publish.

Patches for older versions are available at https://mosquitto.org/files/cve/2018-12546

Version 1.5.6 Changes

The list of other fixes addressed in version 1.5.6 is:

Broker

  • Fixed comment handling for config options that have optional arguments.
  • Improved documentation around bridge topic remapping.
  • Handle mismatched handshakes (e.g. QoS1 PUBLISH with QoS2 reply) properly.
  • Fix spaces not being allowed in the bridge remote_username option. Closes #1131.
  • Allow broker to always restart on Windows when using log_dest file. Closes #1080.
  • Fix Will not being sent for Websockets clients. Closes #1143.
  • Windows: Fix possible crash when client disconnects. Closes #1137.
  • Fixed durable clients being unable to receive messages when offline, when per_listener_settings was set to true. Closes #1081.
  • Add log message for the case where a client is disconnected for sending a topic with invalid UTF-8. Closes #1144.

Library

  • Fix TLS connections not working over SOCKS.
  • Don't clear SSL context when TLS connection is closed, meaning if a user provided an external SSL_CTX they have less chance of leaking references.

Build

  • Fix comparison of boolean values in CMake build. Closes #1101.
  • Fix compilation when openssl deprecated APIs are not available. Closes #1094.
  • Man pages can now be built on any system. Closes #1139.

Version 1.5.5 released

This is a bugfix and security release.

Version 1.5.5 changes

Security

  • If per_listener_settings is set to true, then the acl_file setting was ignored for the "default listener" only. This has been fixed. This does not affect any listeners defined with the listener option. Closes #1073. This is now tracked as CVE-2018-20145.

Broker

  • Add socket_domain option to allow listeners to disable IPv6 support. This is required to work around a problem in libwebsockets that means sockets only listen on IPv6 by default if IPv6 support is compiled in. Closes #1004.
  • When using ADNS, don't ask for all network protocols when connecting, because this can lead to confusing "Protocol not supported" errors if the network is down. Closes #1062.
  • Fix outgoing retained messages not being sent by bridges on initial connection. Closes #1040.
  • Don't reload auth_opt_ options on reload, to match the behaviour of the other plugin options. Closes #1068.
  • Print message on error when installing/uninstalling as a Windows service.
  • All non-error connect/disconnect messages are controlled by the connection_messages option. Closes #772. Closes #613. Closes #537.

Library

  • Fix reconnect delay backoff behaviour. Closes #1027.
  • Don't call on_disconnect() twice if keepalive tests fail. Closes #1067.

Client

  • Always print leading zeros in mosquitto_sub when output format is hex. Closes #1066.

Build

  • Fix building where TLS-PSK is not available. Closes #68.

MQTT 5 progress

Development of support for MQTT 5 is ongoing and making good progress, but has been substantially delayed due to other non-Mosquitto work having to take priority.

It is possible to test the current state of MQTT 5 support by using the mqtt5 branch of the repository. Please note that this is very much a work in progress, so parts are incomplete and interfaces may yet change. The client library in particular has had to have an increase in functions available in order to provide the features needed whilst providing backwards compatibility. Part of the plan for the 2.0 release, which will follow after 1.6, is to consolidate the libmosquitto API with breaking changes. There are more details on the roadmap.

Current features include:

  • Support for all incoming and outgoing packets, although not everything is processed.
  • Support for sending and receiving all properties, with not all properties processed.
  • Client support for setting properties
  • Request/response support (client cannot process incoming correlation data)
  • Retain availability
  • Message expiry interval support
  • Server support for assigned client identifiers
  • Payload format indicator support
  • Content-type support
  • Basic topic alias support from client to broker
  • Lots of new tests

Both mosquitto_pub and mosquitto_sub support setting properties on the command line, for example:

mosquitto_sub -t topic -v -D connect session-expiry-interval 60 -D connect user-property key value -D subscribe user-property sub-key sub-value
mosquitto_pub -t topic -m '{"key":"value"}' -D publish content-type "application/json"
./sensor_read.sh | mosquitto_pub -t topic -l  -D publish topic-alias 1

Further updates will be posted when more features are available.