This is a bugfix and security release.

Version 1.5.4 changes


  • When using a TLS enabled websockets listener with require_certificate enabled, the mosquitto broker does not correctly verify client certificates. This is now fixed. All other security measures operate as expected, and in particular non-websockets listeners are not affected by this. Closes #996.


  • Process all pending messages even when a client has disconnected. This means a client that send a PUBLISH then DISCONNECT quickly, then disconnects will have its DISCONNECT message processed properly and so no Will will be sent. Closes #7.
  • $SYS/broker/clients/disconnected should never be negative. Closes #287.
  • Give better error message if a client sends a password without a username. Closes #1015.
  • Fix bridge not honoring restart_timeout. Closes #1019.
  • Don't disconnect a client if an auth plugin denies access to SUBSCRIBE. Closes #1016.


  • Fix memory leak that occurred if mosquitto_reconnect() was used when TLS errors were present. Closes #592.
  • Fix TLS connections when using an external event loop with mosquitto_loop_read() and mosquitto_write(). Closes #990.


  • Fix clients not being compiled with threading support when using CMake. Closes #983.
  • Header fixes for FreeBSD. Closes #977.
  • Use _GNU_SOURCE to fix build errors in websockets and getaddrinfo usage. Closes [#862] and #933.
  • Fix builds on QNX 7.0.0. Closes #1018.