head 1.9; access; symbols pkgsrc-2026Q1:1.9.0.2 pkgsrc-2026Q1-base:1.9 pkgsrc-2025Q4:1.8.0.8 pkgsrc-2025Q4-base:1.8 pkgsrc-2025Q3:1.8.0.6 pkgsrc-2025Q3-base:1.8 pkgsrc-2025Q2:1.8.0.4 pkgsrc-2025Q2-base:1.8 pkgsrc-2025Q1:1.8.0.2 pkgsrc-2025Q1-base:1.8 pkgsrc-2024Q4:1.6.0.4 pkgsrc-2024Q4-base:1.6 pkgsrc-2024Q3:1.6.0.2 pkgsrc-2024Q3-base:1.6 pkgsrc-2024Q2:1.5.0.20 pkgsrc-2024Q2-base:1.5 pkgsrc-2024Q1:1.5.0.18 pkgsrc-2024Q1-base:1.5 pkgsrc-2023Q4:1.5.0.16 pkgsrc-2023Q4-base:1.5 pkgsrc-2023Q3:1.5.0.14 pkgsrc-2023Q3-base:1.5 pkgsrc-2023Q2:1.5.0.12 pkgsrc-2023Q2-base:1.5 pkgsrc-2023Q1:1.5.0.10 pkgsrc-2023Q1-base:1.5 pkgsrc-2022Q4:1.5.0.8 pkgsrc-2022Q4-base:1.5 pkgsrc-2022Q3:1.5.0.6 pkgsrc-2022Q3-base:1.5 pkgsrc-2022Q2:1.5.0.4 pkgsrc-2022Q2-base:1.5 pkgsrc-2022Q1:1.5.0.2 pkgsrc-2022Q1-base:1.5 pkgsrc-2021Q4:1.4.0.8 pkgsrc-2021Q4-base:1.4 pkgsrc-2021Q3:1.4.0.6 pkgsrc-2021Q3-base:1.4 pkgsrc-2021Q2:1.4.0.4 pkgsrc-2021Q2-base:1.4 pkgsrc-2021Q1:1.4.0.2 pkgsrc-2021Q1-base:1.4 pkgsrc-2020Q4:1.2.0.6 pkgsrc-2020Q4-base:1.2 pkgsrc-2020Q3:1.2.0.4 pkgsrc-2020Q3-base:1.2 pkgsrc-2020Q2:1.2.0.2 pkgsrc-2020Q2-base:1.2 pkgsrc-2020Q1:1.1.0.4 pkgsrc-2020Q1-base:1.1 pkgsrc-2019Q4:1.1.0.6 pkgsrc-2019Q4-base:1.1 pkgsrc-2019Q3:1.1.0.2 pkgsrc-2019Q3-base:1.1; locks; strict; comment @# @; 1.9 date 2026.01.30.01.07.56; author gdt; state Exp; branches; next 1.8; commitid gY6tvV8d4U5KYlsG; 1.8 date 2025.03.08.13.59.13; author gdt; state Exp; branches; next 1.7; commitid X8bLBQYuG1uzMgMF; 1.7 date 2025.03.06.19.46.24; author gdt; state Exp; branches; next 1.6; commitid 3FyKpzNyVQf6M2MF; 1.6 date 2024.08.19.19.11.36; author wiz; state Exp; branches; next 1.5; commitid iIma06uR0gNAYsmF; 1.5 date 2021.12.31.09.57.36; author triaxx; state Exp; branches; next 1.4; commitid jtXcu2DBopqqPMmD; 1.4 date 2021.02.01.16.43.54; author triaxx; state Exp; branches; next 1.3; commitid YohDfDpWCfMDL1GC; 1.3 date 2021.01.28.19.46.24; author triaxx; state Exp; branches; next 1.2; commitid j3vWss3FvgujPwFC; 1.2 date 
2020.04.16.15.19.11; author jperkin; state Exp; branches; next 1.1; commitid djLqmWZgTqY8FC4C; 1.1 date 2019.07.20.23.09.27; author gdt; state Exp; branches; next ; commitid gYVLFxF52VoOYPvB; desc @@

1.9 log @net/mosquitto: Update to 2.1.0

Tested to run on NetBSD 9 amd64, and to build on various NetBSD 9/10 i386, amd64 earmv7, aarch64.

2.1.0 - 2026-01-29
==================

# Broker

## Deprecations
- The acl_file option is deprecated in favour of the acl-file plugin, which is the same code but moved into a plugin. The acl_file option will be removed in 3.0.
- The password_file option is deprecated in favour of the password-file plugin, which is the same code but moved into a plugin. The password_file option will be removed in 3.0.
- The per_listener_settings option is deprecated in favour of the new listener specific options. The per_listener_settings option will be removed in 3.0.

## Behaviour changes
- max_packet_size now defaults to 2,000,000 bytes instead of the 256MB MQTT limit. If you are using payloads that will result in a packet larger than this, you need to manually set the option to a value that suits your application.
- acl_file and password_file will produce an error on invalid input when reloading the config, causing the broker to quit.

## Protocol related
- Add support for broker created topic aliases. Topics are allocated on a first come first serve basis.
- Add support for bridges to allow remote brokers to create topic aliases when running in MQTT v5 mode.
- Enforce receive maximum on MQTT v5.
- Return protocol error if a client attempts to subscribe to a shared subscription and also sets no-local.
- Protocol version numbers reported in the log when a client connects now match the MQTT protocol version numbers, not internal Mosquitto values.
- Send DISCONNECT with session-takeover return code to MQTT v5 clients when a client connects with the same client id. Closes #2340.
- The `allow_duplicate_messages` now defaults to `true`.
- Add `accept_protocol_versions` option to allow limiting which MQTT protocol versions are allowed for a particular listener.

## TLS related
- Add `--tls-keylog` option which can be used to generate a file that can be used by wireshark to decrypt TLS traffic for debugging purposes. Closes #1818.
- Add `disable_client_cert_date_checks` option to allow expired client certificate to be considered valid.
- Add `bridge_tls_use_os_certs` option to allow bridges to be easily configured to trust default CA certificates. Closes #2473.
- Remove support for TLS v1.1 (clients only - it remains available in the broker but is now undocumented)
- Use openssl provided function for x509 certificate hostname verification, rather than own function.

## Bridge related
- Add `bridge_receive_maximum` option for MQTT v5.0 bridges.
- Add `bridge_session_expiry_interval` option for MQTT v5.0 bridges.
- Bridge reconnection backoff improvements.

## Transport related
- Add the `websockets_origin` option to allow optional enforcement of origin when a connection attempts an upgrade to WebSockets.
- Add built-in websockets support that doesn't use libwebsockets. This is the preferred websockets implementation.
- Add support for X-Forwarded-For header for built in websockets.
- Add support for PROXY protocol v1 and v2.

## Platform specific
- Increase maximum connection count on Windows from 2048 to 8192 where supported. Closes #2122.
- Allow multiple instances of mosquitto to run as services on Windows. See README-windows.txt.
- Add kqueue support.
- Add support for systemd watchdog.

## General
- Report on what compile time options are enabled. Closes #2193.
- Performance: reduce memory allocations when sending packets.
- Log protocol version and ciphers that a client negotiates when connecting.
- Password salts are now 64 bytes long.
- Add the `global_plugin` option, which gives global plugin loaded regardless of `per_listener_settings`.
- Add `global_max_clients` option to allow limiting client sessions globally on the broker.
- Add `global_max_connections` option to allow limiting client connections globally on the broker.
- Improve idle performance. The broker now calculates when the next event of interest is, and uses that as the timeout for e.g. `epoll_wait()`. This can reduce the number of process wakeups by 100x on an idle broker.
- Add more efficient keepalive check.
- Add support for sending the SIGRTMIN signal to trigger log rotation. Closes #2337.
- Add `--test-config` option which can be used to test a configuration file before trying to use it in a live broker. Closes #2521.
- Add support for PUID/PGID environment variables for setting the user/group to drop privileges to. Closes #2441.
- Report persistence stats when starting.
- $SYS updates are now aligned to `sys_interval` seconds, meaning that if set to 10, for example, updates will be sent at times matching x0 seconds. Previously update intervals were aligned to the time the broker was started.
- Add `log_dest android` for logging to the Android logd daemon.
- Fix some retained topic memory not being cleared immediately after used.
- Add -q option to allow logging to be disabled at the command line.
- Log message if a client attempts to connect with TLS to a non-TLS listener.
- Add `listener_allow_anonymous` option.
- Add `listener_auto_id_prefix` option.
- Allow seconds when defining `persistent_client_expiration`.

## Plugin interface
- Add `mosquitto_topic_matches_sub_with_pattern()`, which can match against subscriptions with `%c` and `%u` patterns for client id / username substitution.
- Add support for modifying outgoing messages using `MOSQ_EVT_MESSAGE_OUT`.
- Add `mosquitto_client()` function for retrieving a client struct if that client is connected.
- Add `MOSQ_ERR_PLUGIN_IGNORE` to allow plugins to register basic auth or acl check callbacks, but still act as though they are not registered.
  A plugin that wanted to act as a blocklist for certain usernames, but wasn't carrying out authentication could return `MOSQ_ERR_PLUGIN_IGNORE` for usernames not on its blocklist. If no other plugins were configured, the client would be authenticated. Using `MOSQ_ERR_PLUGIN_DEFER` instead would mean the clients would be denied if no other plugins were configured.
- Add `mosquitto_client_port()` function for plugins.
- Add `MOSQ_EVT_CONNECT`, to allow plugins to know when a client has successfully authenticated to the broker.
- Add connection-state example plugin to demonstrate `MOSQ_EVT_CONNECT`.
- Add `MOSQ_EVT_CLIENT_OFFLINE`, to allow plugins to know when a client with a non-zero session expiry interval has gone offline.
- Plugins on non-Windows platforms now no longer make their symbols globally available, which means they are self contained.
- Add support for delayed basic authentication in plugins.
- Plugins using the `MOSQ_EVT_MESSAGE_WRITE` callback can now return `MOSQ_ERR_QUOTA_EXCEEDED` to have the message be rejected. MQTT v5 clients using QoS 1 or 2 will receive the quota-exceeded reason code in the corresponding PUBACK/PUBREC.
- `MOSQ_EVT_TICK` is now passed to plugins when `per_listener_settings` is true.
- Add `mosquitto_sub_matches_acl()`, which can match one topic filter (a subscription) against another topic filter (an ACL).
- Registration of the `MOSQ_EVT_CONTROL` plugin event is now handled globally across the broker, so only a single plugin can register for a given $CONTROL topic.
- Add `mosquitto_plugin_set_info()` to allow plugins to tell the broker their name and version.
- Add builtin $CONTROL/broker/v1 control topic with the `listPlugins` command. This is disabled by default, but can be enabled with the `enable_control_api` option.
- Plugins no longer need to define `mosquitto_plugin_cleanup()` if they do not need to do any of their own cleanup. Callbacks will be unregistered automatically.
- Add `mosquitto_set_clientid()` to allow plugins to force a client id for a client.
- Add `MOSQ_EVT_SUBSCRIBE` and `MOSQ_EVT_UNSUBSCRIBE` events that are called when subscribe/unsubscribes actually succeed. Allow modifying topic and qos.
- Add `mosquitto_persistence_location()` for plugins to use to find a valid location for storing persistent data.
- Plugins can now use the `next_s` and `next_ms` members of the tick event data struct to set a minimum interval that the broker will wait before calling the tick callback again.
- MOSQ_EVT_ACL_CHECK event is now passed message properties where possible.

# Plugins
- Add acl-file plugin.
- Add password-file plugin.
- Add persist-sqlite plugin.
- Add sparkplug-aware plugin.

# Dynamic security plugin
- Add ability to deny wildcard subscriptions for a role to the dynsec plugin.
- The dynamic security plugin now only kicks clients at the start of the next network loop, to give chance for PUBACK/PUBREC to be sent. Closes #2474.
- The dynamic security plugin now reports client connections in getClient and listClients.
- The dynamic security plugin now generates an initial configuration if none is present, including a set of default roles.
- The dynamic security plugin now supports `%c` and `%u` patterns for substituting client id and username respectively, in all ACLs except for subscribeLiteral and unsubscribeLiteral.
- The dynamic security plugin now supports multiple ways to initialise the first configuration file.

# Client library
- Add `MOSQ_OPT_DISABLE_SOCKETPAIR` to allow the disabling of the socketpair feature that allows the network thread to be woken from select() by another thread when e.g. `mosquitto_publish()` is called. This reduces the number of sockets used by each client by two.
- Add `on_pre_connect()` callback to allow clients to update username/password/TLS parameters before an automatic reconnection.
- Callbacks no longer block other callbacks, and can be set from within a callback. Closes #2127.
- Add support for MQTT v5 broker to client topic aliases.
- Add `mosquitto_topic_matches_sub_with_pattern()`, which can match against subscriptions with `%c` and `%u` patterns for client id / username substitution.
- Add `mosquitto_sub_matches_acl()`, which can match one topic filter (a subscription) against another topic filter (an ACL).
- Add `mosquitto_sub_matches_acl_with_pattern()`, which can match one topic filter (a subscription) against another topic filter (an ACL), with `%c` and `%u` patterns for client id / username substitution.
- Performance: reduce memory allocations when sending packets.
- Reintroduce threading support for Windows. Closes #1509.
- `mosquitto_subscribe*()` now returns `MOSQ_ERR_INVAL` if an empty string is passed as a topic filter.
- `mosquitto_unsubscribe*()` now returns `MOSQ_ERR_INVAL` if an empty string is passed as a topic filter.
- Add websockets support.
- `mosquitto_property_read_binary/string/string_pair` will now set the name/value parameter to NULL if the binary/string is empty. This aligns the behaviour with other property functions. Closes #2648.
- Add `mosquitto_unsubscribe2_v5_callback_set`, which provides a callback that gives access to reason codes for each of the unsubscription requests.
- Add `mosquitto_property_remove`, for removing properties from property lists.
- Add `on_ext_auth()` callback to allow handling MQTT v5 extended authentication.
- Add `mosquitto_ext_auth_continue()` function to continue an MQTT v5 extended authentication.
- Remove support for TLS v1.1.
- Use openssl provided function for x509 certificate hostname verification, rather than own function.

# Clients

## General
- Add `-W` timeout support to Windows.
- The `--insecure` option now disables all server certificate verification.
- Add websockets support.
- Using `-x` now sets the clients to use MQTT v5.0.
- Fix parsing of IPv6 addresses in socks proxy urls.
- Add `--tls-keylog` option which can be used to generate a file that can be used by wireshark to decrypt TLS traffic for debugging purposes.
- Remove support for TLS v1.1.

## mosquitto_rr
- Fix `-f` and `-s` options in mosquitto_rr.
- Add `--latency` option to mosquitto_rr, for printing the request/response latency.
- Add `--retain-handling` option.

## mosquitto_sub
- Fix incorrect output formatting in mosquitto_sub when using field widths with `%x` and `%X` for printing the payload in hex.
- Add float printing option to mosquitto_sub.
- mosquitto_sub payload hex output can now be split by fixed field length.
- Add `--message-rate` option to mosquitto_sub, for printing the count of messages received each second.
- Add `--retain-handling` option.

# Apps

## mosquitto_signal
- Add `mosquitto_signal` for helping send signals to mosquitto on Windows.

## mosquitto_ctrl
- Add interactive shell mode to mosquitto_ctrl.
- Add support for `listPlugins` to mosquitto_ctrl.
- Allow mosquitto_ctrl dynsec module to update passwords in files rather than having to connect to a broker.

## mosquitto_passwd
- Print messages in mosquitto_passwd when adding/updating passwords. Closes #2544.
- When creating a new file with `-c`, setting the output filename to a dash `-` will output the result to stdout.

## mosquitto_db_dump
- Add `--json` output mode to mosquitto_db_dump.

# Build
- Increased CMake minimal required version to 3.14, which is required for the preinstalled SQLite3 find module.
- Add a CMake option `WITH_LTO` to enable/disable link time optimization.
- Set C99 as the explicit, rather than implicit, build standard.
- cJSON is now a required dependency.
- Refactored headers for easier discovery.
- Support for openssl < 3.0 removed.
@ text @$NetBSD: patch-mosquitto.conf,v 1.8 2025/03/08 13:59:13 gdt Exp $ Align pid_file to pkgsrc norms. Log to syslog, instead of (perhaps) not logging.
--- mosquitto.conf.orig 2025-03-06 16:25:31.000000000 +0000 +++ mosquitto.conf @@@@ -167,7 +167,7 @@@@ # This should be set to /var/run/mosquitto/mosquitto.pid if mosquitto is # being run automatically on boot with an init script and # start-stop-daemon or similar. -#pid_file +pid_file @@VARBASE@@/run/mosquitto/mosquitto.pid # Set to true to queue messages with QoS 0 when a persistent client is # disconnected. These messages are included in the limit imposed by @@@@ -469,7 +469,7 @@@@ # Note that if the broker is running as a Windows service it will default to # "log_dest none" and neither stdout nor stderr logging is available. # Use "log_dest none" if you wish to disable logging. -#log_dest stderr +log_dest syslog # Types of messages to log. Use multiple log_type lines for logging # multiple types of messages. @ 1.8 log @net/mosquitto: Fix capath in example config capath being set without cert/key is an error, and thus should not be on in a default config. Clean up old comments about the config file. (The syslog/pidfile plan has been working for years with no complaints.) @ text @d1 1 a1 1 $NetBSD: patch-mosquitto.conf,v 1.7 2025/03/06 19:46:24 gdt Exp $ a4 6 Provide a dir for capath, but do not set it. (In mosquitto, having a key/cert for the server is linked to having a CA, and to treating clients with a certificate from a known CA as authorized. This is complicated, and not about pkgsrc, and this change does not intend to step into the situation.) a17 9 @@@@ -361,7 +361,7 @@@@ # "openssl rehash " each time you add/remove a certificate. # capath is not supported for websockets. #cafile -#capath +#capath @@SSLCERTS@@ # If require_certificate is true, you may set use_identity_as_username to true @ 1.7 log @net/mosquitto: Update to 2.0.21 Upstream changes, less bugfixes and non-pkgsrc platforms. 2.0.21 - 2025-03-06 =================== Security: - Fix leak on malicious SUBSCRIBE by authenticated client. Closes eclipse #248. - Further fix for CVE-2023-28366. 
Broker:
- Add `retain_expiry_interval` option to fix expired retained message not being removed from memory if they are not subscribed to. Closes #3221.

Apps:
- mosquitto_ctrl dynsec now also allows `-i` to specify a clientid as well as `-c`. This matches the documentation which states `-i`. Closes #3219.
@ text @d1 1 a1 1 $NetBSD: patch-mosquitto.conf,v 1.6 2024/08/19 19:11:36 wiz Exp $ d3 1 a3 1 Log to syslog, instead of (perhaps) not logging. d5 5 a9 1 \todo Figure out what happens if port is not defined, and why we set it. d11 1 a11 2 \todo Think about pidfile; because this can be run in various modes that seems like it should perhaps be command-line, not config. d29 1 a29 1 +capath @@SSLCERTS@@ @

1.6 log @mosquitto: convert to cmake/build.mk

add TOOL_DEPENDS on docbook-xsl, unclear why this was not needed before
remove gmake from tools, unused

Fix some pkglint while here.
@ text @d1 1 a1 1 $NetBSD: patch-mosquitto.conf,v 1.5 2021/12/31 09:57:36 triaxx Exp $ d10 1 a10 1 --- mosquitto.conf.orig 2021-01-11 16:49:40.000000000 +0000 d12 1 a12 1 @@@@ -165,7 +165,7 @@@@ d21 1 a21 2 @@@@ -357,7 +357,7 @@@@ # certificate files must have ".crt" as the file ending and you must run d23 1 d30 1 a30 1 @@@@ -465,7 +465,7 @@@@ @

1.5 log @mosquitto: Update to 2.0.14

pkgsrc changes:
---------------
* Update patches to remove offsets.

upstream changes:
-----------------

2.0.14 - 2021-11-17
===================

Broker:
- Fix bridge not respecting receive-maximum when reconnecting with MQTT v5.

Client library:
- Fix mosquitto_topic_matches_sub2() not using the length parameters. Closes #2364.
- Fix incorrect subscribe_callback in mosquittopp.h. Closes #2367.

2.0.13 - 2021-10-27
===================

Broker:
- Fix `max_keepalive` option not being able to be set to 0.
- Fix LWT messages not being delivered if `per_listener_settings` was set to true. Closes #2314.
- Various fixes around inflight quota management. Closes #2306.
- Fix problem parsing config files with Windows line endings. Closes #2297.
- Don't send retained messages when a shared subscription is made.
- Fix log being truncated in Windows.
- Fix client id not showing in log on failed connections, where possible.
- Fix broker sending duplicate CONNACK on failed MQTT v5 reauthentication. Closes #2339.
- Fix mosquitto_plugin.h not including mosquitto_broker.h. Closes #2350.

Client library:
- Initialise sockpairR/W to invalid in `mosquitto_reinitialise()` to avoid closing invalid sockets in `mosquitto_destroy()` on error. Closes #2326.

Clients:
- Fix date format in mosquitto_sub output. Closes #2353.
@ text @d1 2 a2 1 $NetBSD: patch-mosquitto.conf,v 1.4 2021/02/01 16:43:54 triaxx Exp $ @

1.4 log @mosquitto: Revert the deletion of ${piddir}

Mosquitto can no longer write its PID file to ${VARBASE}/run when VARBASE is the system /var owned by root.
@ text @d1 1 a1 2 $NetBSD: patch-mosquitto.conf,v 1.3 2021/01/28 19:46:24 triaxx Exp $ d11 1 a11 1 @@@@ -148,7 +148,7 @@@@ d20 1 a20 1 @@@@ -340,7 +340,7 @@@@ d29 1 a29 1 @@@@ -448,7 +448,7 @@@@ @

1.3 log @mosquitto: Update to 2.0.5

pkgsrc changes:
---------------
* The PID file does not need to be written in a dedicated subdirectory and it can be written in ${VARBASE}/run directly instead.
* The configuration parameters which need to be tuned in mosquitto.conf can be uncommented and set in accordance with pkgsrc variables.

upstream changes:
-----------------

2.0.5 - 2021-01-11
==================

Broker:
- Fix `auth_method` not being provided to the extended auth plugin event. Closes #1975.
- Fix large packets not being completely published to slow clients. Closes #1977.
- Fix bridge connection not relinquishing POLLOUT after messages are sent. Closes #1979.
- Fix apparmor incorrectly denying access to /var/lib/mosquitto/mosquitto.db.new. Closes #1978.
- Fix potential intermittent initial bridge connections when using poll().
- Fix `bind_interface` option. Closes #1999.
- Fix invalid behaviour in dynsec plugin if a group or client is deleted before a role that was attached to the group or client is deleted. Closes #1998.
- Improve logging in dynsec addGroupRole command. Closes #2005.
- Improve logging in dynsec addGroupClient command. Closes #2008.

Client library:
- Improve documentation around the `_v5()` and non-v5 functions, e.g. `mosquitto_publish()` and `mosquitto_publish_v5()`.

Build:
- `install` Makefile target should depend on `all`, not `mosquitto`, to ensure that man pages are always built. Closes #1989.
- Fixes for lots of minor build warnings highlighted by Visual Studio.

Apps:
- Disallow control characters in mosquitto_passwd usernames.
- Fix incorrect description in mosquitto_ctrl man page. Closes #1995.
- Fix `mosquitto_ctrl dynsec getGroup` not showing roles. Closes #1997.

2.0.4 - 2020-12-22
==================

Broker:
- Fix $SYS/broker/publish/messages/+ counters not being updated for QoS 1, 2 messages. Closes #1968.
- mosquitto_connect_bind_async() and mosquitto_connect_bind_v5() should not reset the bind address option if called with bind_address == NULL.
- Fix dynamic security configuration possibly not being reloaded on Windows only. Closes #1962.
- Add more log messages for dynsec load/save error conditions.
- Fix websockets connections blocking non-websockets connections on Windows. Closes #1934.

Build:
- Fix man pages not being built when using CMake. Closes #1969.

2.0.3 - 2020-12-17
==================

Security:
- Running mosquitto_passwd with the following arguments only `mosquitto_passwd -b password_file username password` would cause the username to be used as the password.

Broker:
- Fix excessive CPU use on non-Linux systems when the open file limit is set high. Closes #1947.
- Fix LWT not being sent on client takeover when the existing session wasn't being continued. Closes #1946.
- Fix bridges possibly not completing connections when WITH_ADNS is in use. Closes #1960.
- Fix QoS 0 messages not being delivered if max_queued_messages was set to 0. Closes #1956.
- Fix local bridges being disconnected on SIGHUP. Closes #1942.
- Fix slow initial bridge connections for WITH_ADNS=no.
- Fix persistence_location not appending a '/'.

Clients:
- Fix mosquitto_sub being unable to terminate with Ctrl-C if a successful connection is not made. Closes #1957.

Apps:
- Fix `mosquitto_passwd -b` using username as password (not if `-c` is also used). Closes #1949.

Build:
- Fix `install` target when using WITH_CJSON=no. Closes #1938.
- Fix `generic` docker build. Closes #1945.

2.0.2 - 2020-12-10
==================

Broker:
- Fix build regression for WITH_WEBSOCKETS=yes on non-Linux systems.

2.0.1 - 2020-12-10
==================

Broker:
- Fix websockets connections on Windows blocking subsequent connections. Closes #1934.
- Fix DH group not being set for TLS connections, which meant ciphers using DHE couldn't be used. Closes #1925. Closes #1476.
- Fix websockets listeners not causing the main loop not to wake up. Closes #1936.

Client library:
- Fix DH group not being set for TLS connections, which meant ciphers using DHE couldn't be used. Closes #1925. Closes #1476.

Apps:
- Fix `mosquitto_passwd -U`

Build:
- Fix cjson include paths.
- Fix build using WITH_TLS=no when the openssl headers aren't available.
- Distribute cmake/ and snap/ directories in tar.

2.0.0 - 2020-12-03
==================

Breaking changes:
- When the Mosquitto broker is run without configuring any listeners it will now bind to the loopback interfaces 127.0.0.1 and/or ::1. This means that only connections from the local host will be possible. Running the broker as `mosquitto` or `mosquitto -p 1883` will bind to the loopback interface. Running the broker with a configuration file with no listeners configured will bind to the loopback interface with port 1883. Running the broker with a listener defined will bind by default to `0.0.0.0` / `::` and so will be accessible from any interface.
  It is still possible to bind to a specific address/interface. If the broker is run as `mosquitto -c mosquitto.conf -p 1884`, and a listener is defined in the configuration file, then the port defined on the command line will be IGNORED, and no listener configured for it.
- All listeners now default to `allow_anonymous false` unless explicitly set to true in the configuration file. This means that when configuring a listener the user must either configure an authentication and access control method, or set `allow_anonymous true`. When the broker is run without a configured listener, and so binds to the loopback interface, anonymous connections are allowed.
- If Mosquitto is run as root on a unix like system, it will attempt to drop privileges as soon as the configuration file has been read. This is in contrast to the previous behaviour where elevated privileges were only dropped after listeners had been started (and hence TLS certificates loaded) and logging had been started. The change means that clients will never be able to connect to the broker when it is running as root, unless the user explicitly sets it to run as root, which is not advised. It also means that all locations that the broker needs to access must be available to the unprivileged user. In particular those people using TLS certificates from Let's Encrypt will need to do something to allow Mosquitto to access those certificates. An example deploy renewal hook script to help with this is at `misc/letsencrypt/mosquitto-copy.sh`. The user that Mosquitto will change to is the one provided in the configuration, `mosquitto`, or `nobody`, in order of availability.
- The `pid_file` option will now always attempt to write a pid file, regardless of whether the `-d` argument is used when running the broker.
- The `tls_version` option now defines the *minimum* TLS protocol version to be used, rather than the exact version. Closes #1258.
- The `max_queued_messages` option has been increased from 100 to 1000 by default, and now also applies to QoS 0 messages, when a client is connected.
- The mosquitto_sub, mosquitto_pub, and mosquitto_rr clients will now load OS provided CA certificates by default if `-L mqtts://...` is used, or if the port is set to 8883 and no other CA certificates are loaded.
- Minimum supported libwebsockets version is now 2.4.0
- The license has changed from "EPL-1.0 OR EDL-1.0" to "EPL-2.0 OR EDL-1.0".

Broker features:
- New plugin interface which is more flexible, easier to develop for and easier to extend.
- New dynamic security plugin, which allows clients, groups, and roles to be defined and updated as the broker is running.
- Performance improvements, particularly for higher numbers of clients.
- When running as root, if dropping privileges to the "mosquitto" user fails, then try "nobody" instead. This reduces the burden on users installing Mosquitto themselves.
- Add support for Unix domain socket listeners.
- Add `bridge_outgoing_retain` option, to allow outgoing messages from a bridge to have the retain bit completely disabled, which is useful when bridging to e.g. Amazon or Google.
- Add support for MQTT v5 bridges to handle the "retain-available" property being false.
- Allow MQTT v5.0 outgoing bridges to fall back to MQTT v3.1.1 if connecting to a v3.x only broker.
- DLT logging is now configurable at runtime with `log_dest dlt`. Closes #1735.
- Add `mosquitto_broker_publish()` and `mosquitto_broker_publish_copy()` functions, which can be used by plugins to publish messages.
- Add `mosquitto_client_protocol_version()` function which can be used by plugins to determine which version of MQTT a client has connected with.
- Add `mosquitto_kick_client_by_clientid()` and `mosquitto_kick_client_by_username()` functions, which can be used by plugins to disconnect clients.
- Add support for handling $CONTROL/ topics in plugins.
- Add support for PBKDF2-SHA512 password hashing.
- Enabling certificate based TLS encryption is now through certfile and keyfile, not capath or cafile.
- Added support for controlling UNSUBSCRIBE calls in v5 plugin ACL checks.
- Add "deny" acl type. Closes #1611.
- The broker now sends the receive-maximum property for MQTT v5 CONNACKs.
- Add the `bridge_max_packet_size` option. Closes #265.
- Add the `bridge_bind_address` option. Closes #1311.
- TLS certificates for the server are now reloaded on SIGHUP.
- Default for max_queued_messages has been changed to 1000.
- Add `ciphers_tls1.3` option, to allow setting TLS v1.3 ciphersuites. Closes #1825.
- Bridges now obey MQTT v5 server-keepalive.
- Add bridge support for the MQTT v5 maximum-qos property.
- Log client port on new connections. Closes #1911.

Broker fixes:
- Send DISCONNECT with `malformed-packet` reason code on invalid PUBLISH, SUBSCRIBE, and UNSUBSCRIBE packets.
- Document that X509_free() must be called after using mosquitto_client_certificate(). Closes #1842.
- Fix listener not being reassociated with client when reloading a persistence file and `per_listener_settings true` is set and the client did not set a username. Closes #1891.
- Fix bridge sock not being removed from sock hash on error. Closes #1897.
- mosquitto_password now forbids the : character. Closes #1833.
- Fix `log_timestamp_format` not applying to `log_dest topic`. Closes #1862.
- Fix crash on Windows if loading a plugin fails. Closes #1866.
- Fix file logging on Windows. Closes #1880.
- Report an error if the config file is set to a directory. Closes #1814.
- Fix bridges incorrectly setting Wills to manage remote notifications when `notifications_local_only` was set true. Closes #1902.

Client library features:
- Client no longer generates random client ids for v3.1.1 clients, these are now expected to be generated on the broker. This matches the behaviour for v5 clients. Closes #291.
- Add support for connecting to brokers through Unix domain sockets.
- Add `mosquitto_property_identifier()`, for retrieving the identifier integer for a property.
- Add `mosquitto_property_identifier_to_string()` for converting a property identifier integer to the corresponding property name string.
- Add `mosquitto_property_next()` to retrieve the next property in a list, for iterating over property lists.
- mosquitto_pub now handles the MQTT v5 retain-available property by never setting the retain bit.
- Added MOSQ_OPT_TCP_NODELAY, to allow disabling Nagle's algorithm on client sockets. Closes #1526.
- Add `mosquitto_ssl_get()` to allow clients to access their SSL structure and perform additional verification.
- Add MOSQ_OPT_BIND_ADDRESS to allow setting of a bind address independently of the `mosquitto_connect*()` call.
- Add `MOSQ_OPT_TLS_USE_OS_CERTS` option, to instruct the client to load and trust OS provided CA certificates for use with TLS connections.

Client library fixes:
- Fix send quota being incorrectly reset on reconnect. Closes #1822.
- Don't use logging until log mutex is initialised. Closes #1819.
- Fix missing mach/mach_time.h header on OS X. Closes #1831.
- Fix connect properties not being sent when the client automatically reconnects. Closes #1846.

Client features:
- Add timeout return code (27) for `mosquitto_sub -W ` and `mosquitto_rr -W `. Closes #275.
- Add support for connecting to brokers through Unix domain sockets with the `--unix` argument.
- Use cJSON library for producing JSON output, where available. Closes #1222.
- Add support for outputting MQTT v5 property information to mosquitto_sub/rr JSON output. Closes #1416.
- Add `--pretty` option to mosquitto_sub/rr for formatted/unformatted JSON output.
- Add support for v5 property printing to mosquitto_sub/rr in non-JSON mode. Closes #1416.
- Add `--nodelay` to all clients to allow them to use the MOSQ_OPT_TCP_NODELAY option.
- Add `-x` to all clients to allow the session-expiry-interval property to be easily set for MQTT v5 clients.
- Add `--random-filter` to mosquitto_sub, to allow only a certain proportion of received messages to be printed.
- mosquitto_sub %j and %J timestamps are now in an ISO 8601 compatible format.
- mosquitto_sub now supports extra format specifiers for field width and precision for some parameters.
- Add `--version` for all clients.
- All clients now load OS provided CA certificates if used with `-L mqtts://...`, or if port is set to 8883 and no other CA certificates are used. Closes #1824.
- Add the `--tls-use-os-certs` option to all clients.

Client fixes:
- mosquitto_sub will now exit if all subscriptions were denied.
- mosquitto_pub now sends 0 length files without an error when using `-f`.
- Fix description of `-e` and `-t` arguments in mosquitto_rr. Closes #1881.
- mosquitto_sub will now quit with an error if the %U option is used on Windows, rather than just quitting. Closes #1908.
@ text @d1 1 a1 1 $NetBSD: patch-mosquitto.conf,v 1.2 2020/04/16 15:19:11 jperkin Exp $ d17 1 a17 1 +pid_file @@VARBASE@@/run/mosquitto.pid @

1.2 log @mosquitto: Various SunOS fixes and improvements.

Includes SMF support. Submitted by Jorge Schrauwen in NetBSD/pkgsrc#59.

While here fix a hardcoded /var.
@ text @d1 1 a1 1 $NetBSD: patch-mosquitto.conf,v 1.1 2019/07/20 23:09:27 gdt Exp $ d10 1 a10 1 --- mosquitto.conf.orig 2019-06-18 11:45:59.000000000 +0000 d12 23 a34 9 @@@@ -986,3 +986,13 @@@@ # given multiple times, all of the files from the first instance will be # processed before the next instance. See the man page for examples.
#include_dir + +### PKGSRC ADJUSTMENTS FOR TRADITIONAL UNIX NORMS + +pid_file @@VARBASE@@/run/mosquitto/mosquitto.pid + d36 3 a38 4 + +capath @@SSLCERTS@@ + +### LOCAL CONFIGURATION @ 1.1 log @net: Add mosquitto 1.6.3nb4 (nb4 because wip is nb4) Eclipse Mosquitto is an open source (EPL/EDL licensed) message broker that implements the MQTT protocol versions 3.1 and 3.1.1 MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for "Internet of Things" messaging such as with low power sensors or mobile devices such as phones, embedded computers or microcontrollers like the Arduino. @ text @d1 1 a1 1 $NetBSD$ d19 1 a19 1 +pid_file /var/run/mosquitto/mosquitto.pid @
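
Review bot: The first hunk of the 1.9 patch text (`+pid_file @@VARBASE@@/run/mosquitto/mosquitto.pid`) depends on a `run/mosquitto` directory that the unprivileged broker user can write to, and neither the hunk nor the patch header ("Align pid_file to pkgsrc norms.") says so. The 2.0.0 notes quoted in the 1.3 log state that the broker drops privileges as soon as the configuration file has been read and that `pid_file` is always written, and the 1.4 log records that a root-owned ${VARBASE}/run was not writable. Suggest extending the header comment to state that the package creates this directory owned by the user the broker runs as, so the dependency is not lost the next time the patch is regenerated.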