Version 2.0.2 released.

Version 2.0.2 and 2.0.1 of Mosquitto has been released. These are bugfix releases.

Version 2.0.2 fixes a build regression introduced in 2.0.1 when websockets support was enabled on non-Linux systems.

The 2.0.1 changes are below.


  • Fix websockets connections on Windows blocking subsequent connections. Closes #1934.
  • Fix DH group not being set for TLS connections, which meant ciphers using DHE couldn't be used. Closes #1925. Closes #1476.
  • Fix websockets listeners not causing the main loop not to wake up. Closes #1936.

Client library

  • Fix DH group not being set for TLS connections, which meant ciphers using DHE couldn't be used. Closes #1925. Closes #1476.


  • Fix mosquitto_passwd -U


  • Fix cjson include paths.
  • Fix build using WITH_TLS=no when the openssl headers aren't available.
  • Distribute cmake/ and snap/ directories in tar.

Version 2.0.0 released.

The Mosquitto project is happy to announce the release of version 2.0! This is a big change with breaking behaviour changes in the broker. Users, packages and plugin authors should read migrating from 1.x to 2.0 to help with the changes.

Noteworthy changes

Mosquitto is now more secure by default and requires users to take an active decision in how they configure security on their broker, instead of possibly relying on the older very permissive behaviour, as well as dropping privileged access more quickly. More details are in migrating from 1.x to 2.0.

A new plugin interface has been introduced which goes beyond the existing authentication and access control plugin interface to offer more plugin capabilities, whilst being easier to develop for and easier to extend. More details will follow. Existing plugins are still supported, although plugin authors should look at migrating from 1.x to 2.0 to ensure their plugins remain compatible when compiled against Mosquitto 2.0 headers.

A new plugin has been introduced to provide client, group, and role based authentication and access control. The plugin configuration is managed over special topics and can be updated on the fly. It provides a flexible and straightforward means of configuring access to your broker. For more information, see [Dynamic Security plugin].

The broker performance has been improved, particularly for higher numbers of clients. We plan to run show some benchmarks to show the improvement.

A new utility, mosquitto_ctrl has been added for controlling aspects of a running broker. At the present this is limited to controlling the dynamic security plugin, but will be extended to other features in later releases.

Bridges now support MQTT v5.

The mosquitto command line clients have received a variety of small improvements. mosquitto_sub can now format its output in fixed column widths, for example, and filter its output randomly so you can keep an eye on the overall behaviour of a topic without having to see every message, for example.

Breaking changes

  • When the Mosquitto broker is run without configuring any listeners it will now bind to the loopback interfaces and/or ::1. This means that only connections from the local host will be possible.

Running the broker as mosquitto or mosquitto -p 1883 will bind to the loopback interface.

Running the broker with a configuration file with no listeners configured will bind to the loopback interface with port 1883.

Running the broker with a listener defined will bind by default to / :: and so will be accessible from any interface. It is still possible to bind to a specific address/interface.

If the broker is run as mosquitto -c mosquitto.conf -p 1884, and a listener is defined in the configuration file, then the port defined on the command line will be IGNORED, and no listener configured for it. - All listeners now default to allow_anonymous false unless explicitly set to true in the configuration file. This means that when configuring a listener the user must either configure an authentication and access control method, or set allow_anonymous true. When the broker is run without a configured listener, and so binds to the loopback interface, anonymous connections are allowed. - If Mosquitto is run on as root on a unix like system, it will attempt to drop privileges as soon as the configuration file has been read. This is in contrast to the previous behaviour where elevated privileges were only dropped after listeners had been started (and hence TLS certificates loaded) and logging had been started. The change means that clients will never be able to connect to the broker when it is running as root, unless the user explicitly sets it to run as root, which is not advised. It also means that all locations that the broker needs to access must be available to the unprivileged user. In particular those people using TLS certificates from Lets Encrypt will need to do something to allow Mosquitto to access those certificates. An example deploy renewal hook script to help with this is at misc/letsencrypt/ The user that Mosquitto will change to are the one provided in the configuration, mosquitto, or nobody, in order of availability. - The pid_file option will now always attempt to write a pid file, regardless of whether the -d argument is used when running the broker. - The tls_version option now defines the minimum TLS protocol version to be used, rather than the exact version. Closes #1258. - The max_queued_messages option has been increased from 100 to 1000 by default, and now also applies to QoS 0 messages, when a client is connected. - The mosquitto_sub, mosquitto_pub, and mosquitto_rr clients will now load OS provided CA certificates by default if -L mqtts://... is used, or if the port is set to 8883 and no other CA certificates are loaded. - Minimum support libwebsockets version is now 2.4.0

Broker features

  • New plugin interface which is more flexible, easier to develop for and easier to extend.
  • New dynamic security plugin, which allows clients, groups, and roles to be defined and updated as the broker is running.
  • Performance improvements, particularly for higher numbers of clients.
  • When running as root, if dropping privileges to the "mosquitto" user fails, then try "nobody" instead. This reduces the burden on users installing Mosquitto themselves.
  • Add support for Unix domain socket listeners.
  • Add bridge_outgoing_retain option, to allow outgoing messages from a bridge to have the retain bit completely disabled, which is useful when bridging to e.g. Amazon or Google.
  • Add support for MQTT v5 bridges to handle the "retain-available" property being false.
  • Allow MQTT v5.0 outgoing bridges to fall back to MQTT v3.1.1 if connecting to a v3.x only broker.
  • DLT logging is now configurable at runtime with log_dest dlt. Closes #1735.
  • Add mosquitto_plugin_publish() function, which can be used by plugins to publish messages.
  • Add mosquitto_client_protocol_version() function which can be used by plugins to determine which version of MQTT a client has connected with.
  • Add mosquitto_kick_client_by_clientid() and mosquitto_kick_client_by_username() functions, which can be used by plugins to disconnect clients.
  • Add support for handling $CONTROL/ topics in plugins.
  • Add support for PBKDF2-SHA512 password hashing.
  • Enabling certificate based TLS encryption is now through certfile and keyfile, not capath or cafile.
  • Added support for controlling UNSUBSCRIBE calls in v5 plugin ACL checks.
  • Add "deny" acl type. Closes #1611.
  • The broker now sends the receive-maximum property for MQTT v5 CONNACKs.
  • Add the bridge_max_packet_size option. Closes #265.
  • Add the bridge_bind_address option. Closes #1311.
  • TLS certificates for the server are now reloaded on SIGHUP.
  • Default for max_queued_messages has been changed to 1000.
  • Add ciphers_tls1.3 option, to allow setting TLS v1.3 ciphersuites. Closes #1825.
  • Bridges now obey MQTT v5 server-keepalive.
  • Add bridge support for the MQTT v5 maximum-qos property.
  • Log client port on new connections. Closes #1911.

Broker fixes

  • Send DISCONNECT with malformed-packet reason code on invalid PUBLISH, SUBSCRIBE, and UNSUBSCRIBE packets.
  • Document that X509_free() must be called after using mosquitto_client_certificate(). Closes #1842.
  • Fix listener not being reassociated with client when reloading a persistence file and per_listener_settings true is set and the client did not set a username. Closes #1891.
  • Fix bridge sock not being removed from sock hash on error. Closes #1897.
  • mosquitto_password now forbids the : character. Closes #1833.
  • Fix log_timestamp_format not applying to log_dest topic. Closes #1862.
  • Fix crash on Windows if loading a plugin fails. Closes #1866.
  • Fix file logging on Windows. Closes #1880.
  • Report an error if the config file is set to a directory. Closes #1814.
  • Fix bridges incorrectly setting Wills to manage remote notifications when notifications_local_only was set true. Closes #1902.

Client library features

  • Client no longer generates random client ids for v3.1.1 clients, these are now expected to be generated on the broker. This matches the behaviour for v5 clients. Closes #291.
  • Add support for connecting to brokers through Unix domain sockets.
  • Add mosquitto_property_identifier(), for retrieving the identifier integer for a property.
  • Add mosquitto_property_identifier_to_string() for converting a property identifier integer to the corresponding property name string.
  • Add mosquitto_property_next() to retrieve the next property in a list, for iterating over property lists.
  • mosquitto_pub now handles the MQTT v5 retain-available property by never setting the retain bit.
  • Added MOSQ_OPT_TCP_NODELAY, to allow disabling Nagle's algorithm on client sockets. Closes #1526.
  • Add mosquitto_ssl_get() to allow clients to access their SSL structure and perform additional verification.
  • Add MOSQ_OPT_BIND_ADDRESS to allow setting of a bind address independently of the mosquitto_connect*() call.
  • Add MOSQ_OPT_TLS_USE_OS_CERTS option, to instruct the client to load and trust OS provided CA certificates for use with TLS connections.

Client library fixes

  • Fix send quota being incorrecly reset on reconnect. Closes #1822.
  • Don't use logging until log mutex is initialised. Closes #1819.
  • Fix missing mach/mach_time.h header on OS X. Closes #1831.
  • Fix connect properties not being sent when the client automatically reconnects. Closes #1846.

Client features

  • Add timeout return code (27) for mosquitto_sub -W <secs> and mosquitto_rr -W <secs>. Closes #275.
  • Add support for connecting to brokers through Unix domain sockets with the --unix argument.
  • Use cJSON library for producing JSON output, where available. Closes #1222.
  • Add support for outputting MQTT v5 property information to mosquitto_sub/rr JSON output. Closes #1416.
  • Add --pretty option to mosquitto_sub/rr for formatted/unformatted JSON output.
  • Add support for v5 property printing to mosquitto_sub/rr in non-JSON mode. Closes #1416.
  • Add --nodelay to all clients to allow them to use the MOSQ_OPT_TCP_NODELAY option.
  • Add -x to all clients to all the session-expiry-interval property to be easily set for MQTT v5 clients.
  • Add --random-filter to mosquitto_sub, to allow only a certain proportion of received messages to be printed.
  • mosquitto_sub %j and %J timestamps are now in a ISO 8601 compatible format.
  • mosquitto_sub now supports extra format specifiers for field width and precision for some parameters.
  • Add --version for all clients.
  • All clients now load OS provided CA certificates if used with -L mqtts://..., or if port is set to 8883 and no other CA certificates are used. Closes #1824.
  • Add the --tls-use-os-certs option to all clients.

Client fixes

  • mosquitto_sub will now exit if all subscriptions were denied.
  • mosquitto_pub now sends 0 length files without an error when using -f.
  • Fix description of -e and -t arguments in mosquitto_rr. Closes #1881.
  • mosquitto_sub will now quit with an error if the %U option is used on Windows, rather than just quitting. Closes #1908.

Version 1.6.12 released.

Mosquitto 1.6.12 and 1.5.10 have been released.


  • In some circumstances, Mosquitto could leak memory when handling PUBLISH messages. This is limited to incoming QoS 2 messages, and is related to the combination of the broker having persistence enabled, a clean session=false client, which was connected prior to the broker restarting, then has reconnected and has now sent messages at a sufficiently high rate that the incoming queue at the broker has filled up and hence messages are being dropped. This is more likely to have an effect where max_queued_messages is a small value. This has now been fixed. Closes #1793.

The following fixes apply to 1.6.12 only.


  • Build warning fixes when building with WITH_BRIDGE=no and WITH_TLS=no.


  • All clients exit with an error exit code on CONNACK failure. Closes #1778.
  • Don't busy loop with mosquitto_pub -l on a slow connection.

Version 1.6.11 released.

Mosquitto 1.6.11 has been released, this is a bugfix release.


  • On Windows the Mosquitto service was being installed without appropriate path quoting, this has been fixed. Closes #565671.


  • Fix usage message only mentioning v3.1.1. Closes #1713.
  • Fix broker refusing to start if only websockets listeners were defined. Closes #1740.
  • Change systemd unit files to create /var/log/mosquitto before starting. Closes #821.
  • Don't quit with an error if opening the log file isn't possible. Closes #821.
  • Fix bridge topic remapping when using "" as the topic. Closes #1749.
  • Fix messages being queued for disconnected bridges when clean start was set to true. Closes #1729.
  • Fix autosave_interval not being triggered by messages being delivered. Closes #1726.
  • Fix websockets clients sometimes not being disconnected promptly. Closes #1718.
  • Fix "slow" file based logging by switching to line based buffering. Closes #1689. Closes #1741.
  • Log protocol error message where appropriate from a bad UNSUBSCRIBE, rather than the generic "socket error".
  • Don't try to start DLT logging if DLT unavailable, to avoid a long delay when shutting down the broker. Closes #1735.
  • Fix potential memory leaks. Closes #1773. Closes #1774.
  • Fix clients not receiving messages after a previous client with the same client ID and positive will delay interval quit. Closes #1752.
  • Fix overly broad HAVE_PTHREAD_CANCEL compile guard. Closes #1547.

Client library

  • Improved documentation around connect callback return codes. Close #1730.
  • Fix mosquitto_publish*() no longer returning MOSQ_ERR_NO_CONN when not connected. Closes #1725.
  • mosquitto_loop_start() now sets a thread name on Linux, FreeBSD, NetBSD, and OpenBSD. Closes #1777.
  • Fix mosquitto_loop_stop() not stopping on Windows. Closes #1748. Closes #117.

Mosquitto now an Ubuntu Appliance

Ubuntu has just announced their new Ubuntu Appliance initiative, which provides self contained images for a number of different applications, for use on a Raspberry Pi or PC. These are full Ubuntu derivatives that use snap packages, so will keep up to date with the latest releases.

There are five different applications in the first set of appliances, and Mosquitto is one of them.

Read more at the Ubuntu blog.

Version 1.6.10 released.

Mosquitto 1.6.10 has been released, this is a bugfix release.


  • Report invalid bridge prefix+pattern combinations at config parsing time rather than letting the bridge fail later. Issue #1635.
  • Fix mosquitto_passwd -b not updating passwords for existing users correctly. Creating a new user with -b worked without problem. Closes #1664.
  • Fix memory leak when connecting clients rejected.
  • Don't disconnect clients that are already disconnected. This prevents the session expiry being extended on SIGHUP. Closes #1521.
  • Fix support for openssl 3.0.
  • Fix check when loading persistence file of a different version than the native version. Closes #1684.
  • Fix possible assert crash associated with bridge reconnecting when compiled without epoll support. Closes #1700.

Client library

  • Don't treat an unexpected PUBACK, PUBREL, or PUBCOMP as a fatal error. Issue #1629.
  • Fix support for openssl 3.0.
  • Fix memory leaks from multiple calls to mosquitto_lib_init()/mosquitto_lib_cleanup(). Closes #1691.
  • Fix documentation on return code of mosquitto_lib_init() for Windows. Closes #1690.


  • Fix mosquitto_sub %j or %J not working on Windows. Closes #1674.


  • Various fixes for building with below C99 support. Closes #1622.
  • Fix use of sed on BSD. Closes #1614.

Version 1.6.9 released.

Mosquitto 1.6.9 has been released, this is a bugfix release.


  • Fix session expiry with very large expiry intervals. Closes #1525.
  • Check ACL patterns for validity when loading. Closes #1539.
  • Use presence of password file as indicator for whether username checks should take place, not whether usernames are defined in the password file. Closes #1545.
  • Strip whitespace from end of config file string options. Closes #1566.
  • Satisfy valgrind when exiting on error due to not being able to open a listening socket, by calling freeaddrinfo. Closes #1565.
  • Fix config->user not being freed on exit. Closes #1564.
  • Fix trailing whitespace not being trimmed on acl users. Closes #1539.
  • Fix bind_interface not working for the default listener. Closes #1533.
  • Improve password file parsing in the broker and mosquitto_passwd. Closes #1584.
  • Print OpenSSL errors in more situations, like when loading certificates fails. Closes #1552.
  • Fix mosquitto_client_protocol() returning incorrect values.

Client library

  • Set minimum keepalive argument to mosquitto_connect*() to be 5 seconds. Closes #1550.
  • Fix mosquitto_topic_matches_sub() not returning MOSQ_ERR_INVAL if the topic contains a wildcard. Closes #1589.


  • Fix --remove-retained not obeying the -T option for filtering out topics. Closes #1585.
  • Default behaviour for v5 clients using -c is now to use infinite length sessions, as with v3 clients. Closes #1546.

Version 1.6.8 released.

Mosquitto 1.6.8 has been released, this is a bugfix release.


  • Various fixes for allow_zero_length_clientid config, where this option was not being set correctly. Closes #1429.
  • Fix incorrect memory tracking causing problems with memory_limit option. Closes #1437.
  • Fix subscription topics being limited to 200 characters instead of 200 hierarchy levels. Closes #1441.
  • Only a single CRL could be loaded at once. This has been fixed. Closes #1442.
  • Fix problems with reloading config when per_listener_settings was true. Closes #1459.
  • Fix retained messages with an expiry interval not being expired after being restored from persistence. Closes #1464.
  • Fix messages with an expiry interval being sent without an expiry interval property just before they were expired. Closes #1464.
  • Fix TLS Websockets clients not receiving messages after taking over a previous connection. Closes #1489.
  • Fix MQTT 3.1.1 clients using clean session false, or MQTT 5.0 clients using session-expiry-interval set to infinity never expiring, even when the global persistent_client_expiration option was set. Closes #1494.

Client library

  • Fix publish properties not being passed to on_message_v5() callback for QoS 2 messages. Closes #1432.
  • Fix documentation issues in mosquitto.h. Closes #1478.
  • Document mosquitto_connect_srv(). Closes #1499.


  • Fix duplicate cfg definition in rr_client. Closes #1453.
  • Fix mosquitto_pub -l hang when stdin stream ends. Closes #1448.
  • Fix mosquitto_pub -l not sending the final line of stdin if it does not end with a new line. Closes #1473.
  • Make documentation for mosquitto_pub -l match reality - blank lines are sent as empty messages. Closes #1474.
  • Free memory in mosquitto_sub when quiting without having made a successful connection. Closes #1513.


  • Added CLIENT_STATIC_LDADD to makefile builds to allow more libraries to be linked when compiling the clients with a static libmosquitto, as required for e.g. openssl on some systems.


  • Fix mosquitto_rr.exe not being included in Windows installers. Closes #1463.

Streamsheets now open source

The Mosquitto project is sponsored by Cedalo. This week, Cedalo open sourced its core project, Streamsheets, which has Mosquitto as a key part. Streamsheets are real-time web based spreadsheets that can take input from a variety of data sources, process the data, and provide an output.

They are designed to allow non-programmers to build applications in IoT, industrial, or hobbiest environments, reading data from machines, sensors, APIs, and more.

Connectivity includes MQTT, OPC-UA, REST, file, and others.

If you need a front end for Mosquitto or other communication protocol, it would be worth looking at.

streamsheets screenshot

Some examples:

  • Create dynamic charts and dashboards to visualize your processes
  • Build real-time apps for condition monitoring and alerting
  • Merge data streams from different sources to calculate KPIs and enrich your data
  • Map protocols and change data structures to connect your resources
  • Model simple as well as complex control logic to orchestrate your processes