Eclipse Mosquitto 1.5 Release Review

End Date of the Review Period: 

Reviews run for a minimum of one week. The outcome of the review is decided on this date. This is the last day to make comments or ask questions about this review.

Wednesday, May 2, 2018




The main change in this release is in authentication and access control.

This release improves the authentication and access control possibilities in two ways. Firstly, all of these options can now be set on a per-listener basis. Secondly, the capabilities for plugins has been extended. It is now possible to define multiple plugins alongside the default security features, and plugins can get access to a wider variety of information about a client to allow them to better determine what authentication/access control requirements apply.

Other changes are as follows:

  • Add per_listener_settings to allow authentication and access control to be per listener.
  • Resistance to fuzzing has been dramatically improvded.
  • Performance with long queues has been dramatically improved.
  • Add ability to deny access to SUBSCRIBE messages as well as the current read/write accesses. Currently for auth plugins only.
  • Outgoing messages with QoS>1 are no longer retried after a timeout period. Messages will be retried when a client reconnects.
  • Add use_subject_as_username option for certificate based client authentication to use the entire certificate subject as a username, rather than just the CN.
  • Minimum supported libwebsockets version is now 1.3.
  • Add systemd startup notification and services.
  • Reduce unnecessary malloc and memcpy when receiving a message and storing it.Resistance to fuzzing has been dramatically improvded. Performance with long queues has been dramatically improved.
  • Bridge connections now default to using MQTT v3.1.1.
  • mosquitto_db_dump tool can now output some stats on clients.
  • Perform utf-8 validation on incoming will, subscription and unsubscription topics.
  • New $SYS/broker/store/messages/count (deprecates $SYS/broker/messages/stored)
  • New $SYS/broker/store/messages/bytes
  • Add max_queued_bytes feature to limit queues by real size rather than than just message count.
  • Add support for bridges to be configured to only send notifications to the local broker.
  • Add set_tcp_nodelay option to allow Nagle's algorithm to be disabled on client sockets.
  • The behaviour of allow_anonymous has changed. In the old behaviour, the default if not set was to allow anonymous access. The new behaviour is to default is to allow anonymous access unless another security option is set. For example, if password_file is set and allow_anonymous is not set, then anonymous access will be denied. It is still possible to allow anonymous access by setting it explicitly.

Client Library

  • Outgoing messages with QoS>1 are no longer retried after a timeout period. Messages will be retried when a client reconnects.
  • DNS-SRV support is now disabled by default.
  • Add mosquitto_subscribe_simple() This is a helper function to make retrieving messages from a broker very straightforward. Examples of its use are in examples/subscribe_simple.
  • Add mosquitto_subscribe_callback() This is a helper function to make processing messages from a broker very straightforward. An example of its use is in examples/subscribe_simple.
  • Connections now default to using MQTT v3.1.1.
  • Add mosquitto_validate_utf8() to check whether a string is valid UTF-8 according to the UTF-8 spec and to the additional restrictions imposed by the MQTT spec.
  • Topic inputs are checked for UTF-8 validity.
  • Add mosquitto_userdata function to allow retrieving the client userdata member variable.
  • Add mosquitto_pub_topic_check2(), mosquitto_sub_topic_check2(), and mosquitto_topic_matches_sub2() which are identical to the similarly named functions but also take length arguments.


The command line clients gain a few new features, including being able to specify the output printing format and improved TLS error reporting.

  • Add -F to mosquitto_sub to allow the user to choose the output format.
  • Add -U to mosquitto_sub for unsubscribing from topics.
  • Add -c (clean session) to mosquitto_pub.
  • Add --retained-only to mosquitto_sub to exit after receiving all retained messages.
  • Connections now default to using MQTT v3.1.1.
  • Default to using port 8883 when using TLS.
  • mosquitto_sub doesn't continue to keep connecting if CONNACK tells it the connection was refused.
API Certification: 

The project leadership certifies that the APIs in this release are "Eclipse Quality".

Security Issues: 

A few vulnerabilities have been discovered in the time since the last minor release. These have all been resolved in both the 1.4.x series of service releases and the 1.5 branch. The 1.4.16 release will resolve the known security issues that remain outstanding.

Conforms To UI/UX Guidelines: 
Not applicable (project doesn't provide UI)

MQTT 3.1 and 3.1.1.


This release sees an increased number of external code contributions and two new committers have been added to the project. There is active input on both github issues and pull requests and a task for the next release is to get back on top of the outstanding issues.

Martin Assarsson's picture

Thanks for this new version!

I can't find the v1.5 tag in the git repository. Is it relocated?