Mosquitto and POODLE

Details of the POODLE attack that targets SSLv3 have been released recently. Mosquitto has never provided support for SSLv3 (or SSLv2) so should not be vulnerable to this attack and does not require any configuration changes.


Unintended change of behaviour in 1.3.4

Version 1.3.4 introduced the change that when using TLS with require_certificate set to false, the client is no longer asked for a client certificate. This seemed to be causing problems in some situations, particularly with embedded devices.

If use_identity_as_username is set to true when require_certificate is set to false, then the client will not be asked for a certificate, even if it has one configured. This means that the client will be refused access with connack code 4, "bad username or password", because if use_identity_as_username currently requires that a certificate is present, even if allow_anonymous is set to true.

This change may cause unexpected results, but does not represent a security flaw because the change results in more clients being rejected than would otherwise have been.


Version 1.3.5 released

This is a bugfix release.

Broker

  • Fix possible memory leak when using a topic that has a leading slash. Fixes bug #1360985.
  • Fix saving persistent database on Windows.
  • Temporarily disable ACL checks on subscriptions when using MQTT v3.1.1. This is due to the complexity of checking wildcard ACLs against wildcard subscriptions. This does not have a negative impact on security because checks are still made before a message is sent to a client. Fixes bug #1374291.
  • When using -v and the broker receives a SIGHUP, verbose logging was being disabled. This has been fixed.

Client library

  • Fix mutex being incorrectly passed by value. Fixes bug #1373785.

Version 1.3.4 released

This is a bugfix release. The reason for the rapid release of the past two versions is down to a Debian developer reviewing the mosquitto package. This is a good opportunity to ensure that as bug free a version as possible is present in Debian.

Broker

  • Don't ask client for certificate when require_certificate is false.
  • Backout incomplete functionality that was incorrectly included in 1.3.2.

Binaries will follow shortly.


Version 1.3.2 released

This is a security and bugfix release.

Security

A bug in the way that mosquitto handles authentication plugins has been identified. When using a plugin for authentication purposes, if the plugin returns MOSQ_ERR_UNKNOWN when making an authentication check, as might happen if a database was unavailable for example, then mosquitto incorrectly treats this as a successful authentication. This has the potential for unauthorised clients to access the running mosquitto broker and gain access to information to which they are not authorised. This is an important update for users of authentication plugins in mosquitto.

Broker

  • Don't allow access to clients when authenticating if a security plugin returns an application error. Fixes bug #1340782.
  • Ensure that bridges verify certificates by default when using TLS.
  • Fix possible crash when using pattern ACLs that do not include a %u and clients that connect without a username.
  • Fix subscriptions being deleted when clients subscribed to a topic beginning with a $ but that is not $SYS.
  • When a durable client reconnects, its queued messages are now checked against ACLs in case of a change in username/ACL state since it last connected.
  • Anonymous clients are no longer accidentally disconnected from the broker after a SIGHUP.
  • Fix bug #1324411, which could have had unexpected consequences for delayed messages in rare circumstances.

Client library

  • Fix topic matching edge case.
  • Fix callback deadlocks after calling mosquitto_disconnect(), when using the threaded interfaces. Closes bug #1313725.
  • Fix SRV support when building with CMake.

General

  • Use $(STRIP) for stripping binaries when installing, to allow easier cross compilation.

New arrival

I'm pleased to say that I'm a new father again. My 7lb 12 (3.57kg) boy arrived today and is quite happy, as is his mother.

Apologies to anybody who has emailed me recently and I've not yet replied - this is the main reason!

baby


Version 1.3.1 released

This is a bugfix release:

Broker

  • Prevent possible crash on client reconnect. Closes bug #1294108.
  • Don't accept zero length unsubscription strings (MQTT v3.1.1 fix)
  • Don't accept QoS 3 (MQTT v3.1.1 fix)
  • Don't disconnect clients immediately on HUP to give chance for all data to be read.
  • Reject invalid un/subscriptions e.g. foo/+bar #/bar.
  • Take more care not to disconnect clients that are sending large messages.

Client library

  • Fix socketpair code on the Mac.
  • Fix compilation for WITH_THREADING=no.
  • Break out of select() when calling mosquitto_loop_stop().
  • Reject invalid un/subscriptions e.g. foo/+bar #/bar.

Clients

  • Fix keepalive value on mosquitto_pub.
  • Fix possibility of mosquitto_pub not exiting after sending messages when using -l.

Version 1.3 released

Broker

  • The broker no longer ignores the auth_plugin_init() return value.
  • Accept SSLv2/SSLv3 HELLOs when using TLSv1, whilst keeping SSLv2 and SSLv3 disabled. This increases client compatibility without sacrificing security.
  • The $SYS tree can now be disabled at runtime as well as at compile time.
  • When remapping bridged topics, only check for matches when the message direction is correct. This allows two identical topics to be remapped differently for both in and out.
  • Change $SYS/broker/heap/current size to $SYS/broker/heap/current for easier parsing.
  • Change $SYS/broker/heap/maximum size to $SYS/broker/heap/maximum for easier parsing.
  • Topics are no longer normalised from e.g a///topic to a/topic. This matches the behaviour as clarified by the Oasis MQTT spec. This will lead to unexpected behaviour if you were using topics of this form.
  • Log when outgoing messages for a client begin to drop off the end of the queue.
  • Bridge clients are recognised as bridges even after reloading from persistence.
  • Basic support for MQTT v3.1.1. This does not include being able to bridge to an MQTT v3.1.1 broker.
  • Username is displayed in log if present when a client connects.
  • Support for 0 length client ids (v3.1.1 only) that result in automatically generated client ids on the broker (see option allow_zero_length_clientid).
  • Ability to set the prefix of automatically generated client ids (see option auto_id_prefix).
  • Add support for TLS session resumption.
  • When using TLS, the server now chooses the cipher to use when negotiating with the client.
  • Weak TLS ciphers are now disabled by default.

Client library

  • Fix support for Python 2.6, 3.0, 3.1.
  • Add support for un/subscribing to multiple topics at once in un/subscribe().
  • Clients now close their socket after sending DISCONNECT.
  • Python client now contains its version number.
  • C library mosquitto_want_write() now supports TLS clients.
  • Fix possible memory leak in C/C++ library when communicating with a broker that doesn't follow the spec.
  • Return strerror() through mosquitto_strerror() to make error printing easier.
  • Topics are no longer normalised from e.g a///topic to a/topic. This matches the behaviour as clarified by the Oasis MQTT spec. This will lead to unexpected behaviour if you were using topics of this form.
  • Add support for SRV lookups.
  • Break out of select() on publish(), subscribe() etc. when using the threaded interface. Fixes bug #1270062.
  • Handle incoming and outgoing messages separately. Fixes bug #1263172.
  • Don't terminate threads on mosquitto_destroy() when a client is not using the threaded interface but does use their own thread. Fixes bug #1291473.

Clients

  • Add --ciphers to allow specifying which TLS ciphers to support.
  • Add support for SRV lookups.
  • Add -N to sub client to suppress printing of EOL after the payload.
  • Add -T to sub client to suppress printing of a topic hierarchy.

Paho MQTT Python Client

The Mosquitto Python client was donated to the Eclipse Paho project in June of this year. As mosquitto.py has been very popular, I have been maintaining both code bases together.

With the Mosquitto project also moving to Eclipse it is now even more redundant to keep maintaining mosquitto.py so I would like to recommend that everybody currently using mosquitto.py move over to using the Paho Python client.

The current state of the Paho client is now available on pypi and can be installed using pip install paho-mqtt.

To port code from mosquitto.py, you should change:

import mosquitto
mqttc = mosquitto.Mosquitto()

to:

import paho.mqtt.client as paho
mqttc = paho.Client()

All error codes e.g. MOSQ_ERR_SUCCESS change to MQTT_ERR_SUCCESS.

The Paho module has a compatibility Mosquitto class that means a very simple (but not recommended for the long term) port can be achieved with the following line, assuming none of the error codes are used:

import paho.mqtt.client as mosquitto

I will keep applying updates to mosquitto.py until the Paho 1.0 release.