Pre Christmas Update

I have taken a bit of a break from Mosquitto for the past few months, partly because I needed a break but also to work on another unrelated project. I'm now back and working on Mosquitto again, primarily implementing support for the upcoming MQTT v5 spec which has added even more features since I mentioned last wrote about it. Once that is in a state that is reasonably compliant if incomplete, I will be looking for testers.

There are a few fixes in the repository waiting for release, I anticipate releasing 1.4.11 before the end of the year.

There have been some changes to On its original host I was seeing lots of bandwidth being used by lots of clients, but in particular lots and lots of tiny connections being made which not showing up on my bandwidth monitoring, but were consuming bandwidth and causing problems at my provider. My provider got in touch to say that at times approximately half of the network flows for their network were related to, and could would I please have a chat with the transit provider to discuss how best to manage this service. In the face of that and the risk of exceeding 2TB bandwidth usage per month, has been moved to a lower spec host with smaller pipes and "automatic DDOS protection". This means I now get half a dozen emails per day to say that is under attack. If you find you can't connect to, it might be because you have been blocked by this DDOS protection - if so, maybe think about how you are using the service.

The final thought for this post - if you are part of a company that uses mosquitto and it adds value to your company, please consider making a donation to the project that reflects that value. If it is difficult for your company to make donations but you would still like to contribute back, please get in touch and maybe we can arrange something.

Version 1.4.10 released

This is a bugfix release.


  • Fix TLS operation with websockets listeners and libwebsockets 2.x. Closes #186.
  • Don't disconnect client on HUP before reading the pending data. Closes #7.
  • Fix some $SYS messages being incorrectly persisted. Closes #191.
  • Support OpenSSL 1.1.0.
  • Call fsync after persisting data to ensure it is correctly written. Closes #189.
  • Fix persistence saving of subscription QoS on big-endian machines.
  • Fix will retained flag handling on Windows. Closes #222.
  • Broker now displays an error if it is unable to open the log file. Closes #234.

Client library

  • Support OpenSSL 1.1.0.
  • Fixed the C++ library not allowing SOCKS support to be used. Closes #198.
  • Fix memory leak when verifying a server certificate with a subjectAltName section. Closes #237.


  • Don't attempt to install docs when WITH_DOCS=no. Closes #184.

MQTT v5 draft features

The MQTT Technical Committee at OASIS continue to work on improvements to MQTT. The next version looks set to be MQTT version 5 and has reached the "working draft" stage. This post lists some of the changes that are in the working draft 02 and so gives at least a flavour of the improvements coming up. Take this with a pinch of salt, I may have missed some changes and there is no commitment that any of these features will remain in the final specification as they are described here.

Session management

In MQTT v3.1.1 and earlier, a client could control how the server treats its session with the clean session flag. If set to 1, the server would delete any existing session for that client and would not persist the session after disconnecting. If set to 0, the server would restore any existing session for a client when it reconnected, and persist the session when the client disconnected.

A session here means the subscriptions for a client and any queued messages.

The new spec changes this behaviour. The clean session flag has been renamed to clean start (this was actually the name of the flag in the old MQTT v3 spec) and now only affects how the broker handles a client session when the client connects. If set to 1, the server discards any previous session information, otherwise session information is kept.

To deal with removing of sessions at any other time, a new identifier/value pair has been introduced. These identifier/value pairs are an addition to the variable header part of some MQTT packets and allow configuring of different behaviour. In the case of the CONNECT packet, a Session Expiry interval can be specified which is a 4 byte integer that gives the number of seconds after a client has disconnected that the server should remove session information for that client. If the Session Expiry interval is absent from the CONNECT packet, then the session will never expire. If it is set to 0, then the session is removed as soon as the client disconnects.

The new clean start flag and session expiry interval allow the existing clean session behaviour to be duplicated but also allow client sessions to be expired based on time.

Updated Connect Return codes

The return codes passed to the client in a CONNACK packet have been expanded to include:

  • 6: Connection Refused, reason unspecified
  • 7: Connection Refused, implementation specific
  • 8: Connection Refused, CONNECT packet was malformed

Repeated topics when publishing

When publishing data to a single topic, a new feature will help reduce bandwidth use. A client or server can set the topic in a PUBLISH message to be a zero length string. This tells the client/server being published to, to use the previous topic instead. This goes some way to reducing the current overhead associated with publishing - a shame it isn't quite as good as the registered topics available in MQTT-SN.

Payload Format Indicator

Another identifier/value pair is available for use when sending a PUBLISH message. This is the Payload Format indicator. If present and set to 1, this indicates that the PUBLISH payload is UTF-8 encoded data. If set to 0, or if the indicator is not present then the payload is an unspecified byte format, exactly as with MQTT v3.1.1.

Publication Expiry interval

This is an identifier/value pair for use when publishing. If present, this value is a 4 byte integer which gives the number of seconds for which the server will attempt to deliver this message to a subscriber. This means that an offline client with messages being queued may not receive all of the messages when it reconnects, due to some of them expiring. Interestingly, when the server does deliver a message that had a Publication Expiry set, it sets the Publication Expiry on the outgoing message to the client but with the amount of time that there is left until the message expires. This means that the true time to expiry will propagate through bridges or similar.

Publish Return Codes

The PUBACK and PUBREC packets have a new entry in their variable header which is the Publish Return Code. This can be used to tell the client a message has been refused for various reasons, accepted, or accepted with no matching subscribers.  For the PUBREC packet, if the message is refused or accepted with no matching subscribers then there is no expectation for the PUBREL/PUBCOMP messages to be sent for that message.

The PUBCOMP packet also has a similar entry which has the same set of return codes and an additional one for the case when a message had expired. This is for the case when a client reconnects with clean start set to 0 and it has a QoS 2 message part way through its handshake, but the server has already expired the message.

There is still no way to tell a client that its QoS 0 message was refused.

Disconnect notification

In MQTT v3.1.1 and before, only the client sends a DISCONNECT packet. In the draft spec, either the client or the server can send DISCONNECT and it is used to indicate a reason for disconnection. The disconnect return codes are:

  • 0: Connection disconnected by application (sent by client)
  • 1: Server temporarily unavailable (server)
  • 2: Server unavailable (server)
  • 3: Malformed UNSUBSCRIBE packet received (server)
  • 4: Session taken over (server - for when another client connects with the same ID)
  • 5: Malformed packet received

It is clear that there is some duplication there, so I think this is a likely place that changes will be made.

Disconnect expiry notification

The DISCONNECT packet can also include a Session Expiry interval value, as with CONNECT. This allows a client to clean up when it disconnects, or to set a long expiry time, even if these were not specified at the initial connect.

Version 1.4.9 released

This is a bugfix release.


  • Ensure websockets clients that previously connected with clean session set to false have their queued messages delivered immediately on reconnecting. Closes #5.
  • Reconnecting client with clean session set to false doesn't start with mid=1 again.
  • Will topic isn't truncated by one byte when using a mount_point any more.
  • Network errors are printed correctly on Windows.
  • Fix incorrect $SYS heap memory reporting when using ACLs.
  • Bridge config parameters couldn't contain a space, this has been fixed. Closes #150.
  • Fix saving of persistence messages that start with a '/'. Closes #151.
  • Fix reconnecting for bridges that use TLS on Windows. Closes #154.
  • Broker and bridges can now cope with unknown incoming PUBACK, PUBREC, PUBREL, PUBCOMP without disconnecting. Closes #57.
  • Fix websockets listeners not being able to bind to an IP address. Closes #170.
  • mosquitto_passwd utility now correctly deals with unknown command line arguments in all cases. Closes #169.
  • Fix publishing of $SYS/broker/clients/maximum
  • Fix order of #includes in lib/send_mosq.c to ensure struct mosquitto doesn't differ between source files when websockets is being used. Closes #180.
  • Fix possible rare crash when writing out persistence file and a client has incomplete messages inflight that it has been denied the right to publish.

Client library

  • Fix the case where a message received just before the keepalive timer expired would cause the client to miss the keepalive timer.
  • Return value of pthread_create is now checked.
  • _mosquitto_destroy should not cancel threads that weren't created by libmosquitto. Closes #166.
  • Clients can now cope with unknown incoming PUBACK, PUBREC, PUBREL, PUBCOMP without disconnecting. Closes #57.
  • Fix mosquitto_topic_matches_sub() reporting matches on some invalid subscriptions.


  • Handle some unchecked malloc() calls. Closes #1.


  • Fix string quoting in CMakeLists.txt. Closes #4.
  • Fix building on Visual Studio 2015. Closes #136.


To celebrate the new mosquitto logo, stickers are now available:


If you would like to obtain some stickers for yourself you have two options.

The first is to get in touch and I'll send you some for a small contribution. This contribution is to cover the cost of the stickers plus postage: (cost of postage)+N*£0.45, where N is the number of sheets of 6 stickers that you want. Cost of postage for a letter can be calculated using the Royal Mail price finder, but should be £1.05 for destinations outside of the UK. Please also consider Paypal fees using a fees calculator to calculate the final sum. So for a single sheet of stickers posted internationally, the cost would be £1.76 including paypal fees. Two sheets would be £2.23.

The second option is to buy a full sticker book through This can be done very easily by navigating to This allows you to easily order a sticker book of 90 stickers with either the colour or blue monochrome stickers, or a mix of both.

There is a third option - get in touch to say why you deserve some stickers and maybe we'll send you some. We're looking for things that make us say "wow!" If you will be sending your sticker to space, getting mosquitto on television or using MQTT in your Formula 1 technology, these are all things that would exciting to see with a mosquitto sticker in place. If you want to give out stickers at a local IoT related event or similar that's great, but we'd ask that you make a small donation. It's only a small cost for you, but there are many people in your situation and it becomes a noticeable cost for the project.

Please do post links of your kit sporting any stickers you use!

Logo contest - results for shortlisting

The first round of the logo contest has closed and we now need to shortlist 6 designers. A selection of 20 logos have been chosen out of the 100 entrants and you are invited to vote on them and make comments. If you like a particular logo but not the colour, or like an idea behind the logo but not another element then please say so.

The links for voting (please do look at them all) are:

Repository moved to github

The mosquitto repository is now hosted on github: This is now the canonical location for mosquitto development work.

Bug reports should also be made on github and the existing bug reports will be migrated over shortly.

The documentation still needs updating with the new location and processes, so please do be patient with regards that.

Contributions can now be made through a github pull request. If you want to contribute a bug fix, please base your work off the "fixes" branch, if you are developing a new feature please use the "develop" branch.

Here's to a new stage in the mosquitto project!

Version 1.4.8 released

This is a security bugfix release. Any users of the mount_point feature are strongly advised to upgrade because versions prior to 1.4.8 allow clients to inject messages outside of their mount_point through the use of a Will.


  • Wills published by clients connected to a listener with mount_point defined now correctly obey the mount point. This was a potential security risk because it allowed clients to publish messages outside of their restricted mount point. This is only affects brokers where the mount_point option is in use. Closes #487178.
  • Fix detection of broken connections on Windows. Closes #485143.
  • Close stdin etc. when daemonised. Closes #485589.
  • Fix incorrect detection of FreeBSD and OpenBSD. Closes #485131.

Client library

  • mosq->want_write should be cleared immediately before a call to SSL_write, to allow clients using mosquitto_want_write() to get accurate results.

Thanks to a short discussion on irc, now exists. This is a DNS entry that points to the same address as, but only with an AAAA record. This means that can be used to test clients using IPv6 and to be sure that IPv6 is actually being used.