MOSQUITTO.CONF(5)        File formats and conventions        MOSQUITTO.CONF(5)

NAME

       mosquitto.conf - the configuration file for mosquitto

SYNOPSIS

       mosquitto.conf

DESCRIPTION

       mosquitto.conf is the configuration file for mosquitto. This file can
       reside anywhere as long as mosquitto can read it. By default, mosquitto
       does not need a configuration file and will use the default values
       listed below. See mosquitto(8) for information on how to load a
       configuration file.

FILE FORMAT

       All lines with a # as the very first character are treated as a
       comment.

       Configuration lines start with a variable name. The variable value is
       separated from the name by a single space.

AUTHENTICATION

       The authentication options described below allow a wide range of
       possibilities in conjunction with the listener options. This section
       aims to clarify the possibilities.

       The simplest option is to have no authentication at all. This is the
       default if no other options are given. Unauthenticated encrypted
       support is provided by using the certificate based SSL/TLS options
       cafile/capath, certfile and keyfile.

       MQTT provides username/password authentication as part of the protocol.
       Use the password_file option to define the valid usernames and
       passwords. Be sure to use network encryption if you are using this
       option, otherwise the username and password will be vulnerable to
       interception. Use the per_listener_settings option to control whether
       passwords are required globally or on a per-listener basis.

       When using certificate based encryption there are three options that
       affect authentication. The first is require_certificate, which may be
       set to true or false. If false, the SSL/TLS component of the client
       will verify the server but there is no requirement for the client to
       provide anything for the server: authentication is limited to the MQTT
       built in username/password. If require_certificate is true, the client
       must provide a valid certificate in order to connect successfully. In
       this case, the second and third options, use_identity_as_username and
       use_subject_as_username, become relevant. If set to true,
       use_identity_as_username causes the Common Name (CN) from the client
       certificate to be used instead of the MQTT username for access control
       purposes. The password is not used because it is assumed that only
       authenticated clients have valid certificates. This means that any CA
       certificates you include in cafile or capath will be able to issue
       client certificates that are valid for connecting to your broker. If
       use_identity_as_username is false, the client must authenticate as
       normal (if required by password_file) through the MQTT options. The
       same principle applies for the use_subject_as_username option, but the
       entire certificate subject is used as the username instead of just the
       CN.

       When using pre-shared-key based encryption through the psk_hint and
       psk_file options, the client must provide a valid identity and key in
       order to connect to the broker before any MQTT communication takes
       place. If use_identity_as_username is true, the PSK identity is used
       instead of the MQTT username for access control purposes. If
       use_identity_as_username is false, the client may still authenticate
       using the MQTT username/password if using the password_file option.

       Both certificate and PSK based encryption are configured on a
       per-listener basis.

       Authentication plugins can be created to augment the password_file,
       acl_file and psk_file options with e.g. SQL based lookups.

       It is possible to support multiple authentication schemes at once. A
       config could be created that had a listener for each of the different
       encryption options described above and hence a large number of ways of
       authenticating.

GENERAL OPTIONS

       acl_file file path
           Set the path to an access control list file. If defined, the
           contents of the file are used to control client access to topics on
           the broker.

           If this parameter is defined then only the topics listed will have
           access. Topic access is added with lines of the format:

           topic [read|write|readwrite] <topic>

           The access type is controlled using "read", "write" or "readwrite".
           This parameter is optional (unless <topic> includes a space
           character) - if not given then the access is read/write. <topic>
           can contain the + or # wildcards as in subscriptions.

           The first set of topics are applied to anonymous clients, assuming
           allow_anonymous is true. User specific topic ACLs are added after a
           user line as follows:

           user <username>

           The username referred to here is the same as in password_file. It
           is not the clientid.

           It is also possible to define ACLs based on pattern substitution
           within the topic. The form is the same as for the topic keyword,
           but using pattern as the keyword.

           pattern [read|write|readwrite] <topic>

           The patterns available for substitution are:

           ·   %c to match the client id of the client

           ·   %u to match the username of the client

           The substitution pattern must be the only text for that level of
           hierarchy. Pattern ACLs apply to all users even if the "user"
           keyword has previously been given.

           Example:

           pattern write sensor/%u/data

           Allow access for bridge connection messages:

           pattern write $SYS/broker/connection/%c/state

           If the first character of a line of the ACL file is a # it is
           treated as a comment.

           If per_listener_settings is true, this option applies to the
           current listener being configured only. If per_listener_settings is
           false, this option applies to all listeners.

           Reloaded on reload signal. The currently loaded ACLs will be freed
           and reloaded. Existing subscriptions will be affected after the
           reload.

       allow_anonymous [ true | false ]
           Boolean value that determines whether clients that connect without
           providing a username are allowed to connect. If set to false then
           another means of connection should be created to control
           authenticated client access.

           Defaults to true if no other security options are set. If
           password_file or psk_file is set, or if an authentication plugin is
           loaded which implements username/password or TLS-PSK checks, then
           allow_anonymous defaults to false.

           If per_listener_settings is true, this option applies to the
           current listener being configured only. If per_listener_settings is
           false, this option applies to all listeners.

           Reloaded on reload signal.

       allow_duplicate_messages [ true | false ]
           If a client is subscribed to multiple subscriptions that overlap,
           e.g. foo/# and foo/+/baz, then MQTT expects that when the broker
           receives a message on a topic that matches both subscriptions, such
           as foo/bar/baz, the client should only receive the message once.

           Mosquitto keeps track of which clients a message has been sent to
           in order to meet this requirement. This option allows this
           behaviour to be disabled, which may be useful if you have a large
           number of clients subscribed to the same set of topics and want to
           minimise memory usage.

           It can be safely set to true if you know in advance that your
           clients will never have overlapping subscriptions, otherwise your
           clients must be able to correctly deal with duplicate messages even
           when they have QoS=2.

           Defaults to true.

           This option applies globally.

           Reloaded on reload signal.

       allow_zero_length_clientid [ true | false ]
           MQTT 3.1.1 and MQTT 5 allow clients to connect with a zero length
           client id and have the broker generate a client id for them. Use
           this option to allow/disallow this behaviour. Defaults to true.

           See also the auto_id_prefix option.

           If per_listener_settings is true, this option applies to the
           current listener being configured only. If per_listener_settings is
           false, this option applies to all listeners.

           Reloaded on reload signal.

       auth_opt_* value
           Options to be passed to the auth plugin. See the specific plugin
           instructions.

           Applies to the current authentication plugin being configured.

       auth_plugin file path
           Specify an external module to use for authentication and access
           control. This allows custom username/password and access control
           functions to be created.

           Can be specified multiple times to load multiple plugins. The
           plugins will be processed in the order that they are specified.

           If password_file or acl_file are used in the config file alongside
           auth_plugin, the plugin checks will run after the built in checks.

           Not currently reloaded on reload signal.

       auth_plugin_deny_special_chars [ true | false ]
           If true then before an ACL check is made, the username/client id of
           the client needing the check is searched for the presence of either
           a '+' or '#' character. If either of these characters is found in
           either the username or client id, then the ACL check is denied
           before it is sent to the plugin.

           This check prevents the case where a malicious user could
           circumvent an ACL check by using one of these characters as their
           username or client id. This is the same issue as was reported with
           mosquitto itself as CVE-2017-7650.

           If you are entirely sure that the plugin you are using is not
           vulnerable to this attack (i.e. if you never use usernames or
           client ids in topics) then you can disable this extra check and
           hence have all ACL checks delivered to your plugin by setting this
           option to false.

           Defaults to true.

           Applies to the current authentication plugin being configured.

           Not currently reloaded on reload signal.
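
           The acl_file rules described above (topic, user and pattern lines,
           the + and # wildcards, %c/%u substitution) together with the
           auth_plugin_deny_special_chars guard, as an added Python example
           that is not mosquitto's own code; the ACL text, usernames and
           client ids are constructed.

```python
from typing import Dict, List, Optional, Tuple

# Constructed ACL file in the format documented for acl_file (not a real one).
ACL_TEXT = """\
# anonymous clients (allow_anonymous true) may only read below public/
topic read public/#

user alice
topic readwrite alice/#
topic read shared/status

pattern write sensor/%u/data
pattern write $SYS/broker/connection/%c/state
"""

Rule = Tuple[str, str]          # (access, topic filter)
ACCESS_TYPES = ("read", "write", "readwrite")


def topic_matches(sub: str, topic: str) -> bool:
    """MQTT filter match: '+' matches one level, '#' all remaining levels."""
    sub_levels, topic_levels = sub.split("/"), topic.split("/")
    for i, level in enumerate(sub_levels):
        if level == "#":
            return True
        if i >= len(topic_levels) or (level != "+" and level != topic_levels[i]):
            return False
    return len(sub_levels) == len(topic_levels)


def parse_acl(text: str) -> Dict:
    """Split an ACL file into anonymous rules, per-user rules and pattern rules."""
    acl = {"anonymous": [], "users": {}, "patterns": []}
    current: List[Rule] = acl["anonymous"]    # rules before any 'user' line
    for line in text.splitlines():
        if not line or line[0] == "#":        # only a leading '#' is a comment
            continue
        keyword, _, rest = line.partition(" ")
        if keyword == "user":
            current = acl["users"].setdefault(rest, [])
            continue
        if keyword not in ("topic", "pattern"):
            raise ValueError("unknown ACL keyword: %r" % keyword)
        access, _, remainder = rest.partition(" ")
        if access not in ACCESS_TYPES:        # access type omitted: read/write
            access, remainder = "readwrite", rest
        target = current if keyword == "topic" else acl["patterns"]
        target.append((access, remainder))
    return acl


def substitute(pattern: str, username: Optional[str], client_id: str) -> Optional[str]:
    """Replace whole '%u' / '%c' levels; None if %u is used but no username."""
    levels = []
    for level in pattern.split("/"):
        if level == "%u":
            if username is None:
                return None
            levels.append(username)
        elif level == "%c":
            levels.append(client_id)
        else:
            levels.append(level)
    return "/".join(levels)


def has_special_chars(*values: Optional[str]) -> bool:
    """auth_plugin_deny_special_chars: a '+' or '#' in a username or client id
    would turn a substituted pattern into a wildcard filter (CVE-2017-7650)."""
    return any(v is not None and ("+" in v or "#" in v) for v in values)


def check_access(acl: Dict, username: Optional[str], client_id: str,
                 topic: str, access: str) -> bool:
    """True if the client may 'read' or 'write' topic under this ACL."""
    if has_special_chars(username, client_id):
        return False                          # deny before any rule is consulted
    if username is None:
        rules = list(acl["anonymous"])
    else:
        rules = list(acl["users"].get(username, []))
    for acc, pat in acl["patterns"]:          # patterns apply to every client
        sub = substitute(pat, username, client_id)
        if sub is not None:
            rules.append((acc, sub))
    return any((acc == "readwrite" or acc == access) and topic_matches(filt, topic)
               for acc, filt in rules)
```

           A username with no topic or pattern rule of its own is denied
           everything, which is what "only the topics listed will have access"
           means in practice.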

       auto_id_prefix prefix
           If allow_zero_length_clientid is true, this option allows you to
           set a string that will be prefixed to the automatically generated
           client ids to aid visibility in logs. Defaults to auto-.

           If per_listener_settings is true, this option applies to the
           current listener being configured only. If per_listener_settings is
           false, this option applies to all listeners.

           Reloaded on reload signal.

       autosave_interval seconds
           The number of seconds that mosquitto will wait between each time it
           saves the in-memory database to disk. If set to 0, the in-memory
           database will only be saved when mosquitto exits or when receiving
           the SIGUSR1 signal. Note that this setting only has an effect if
           persistence is enabled. Defaults to 1800 seconds (30 minutes).

           This option applies globally.

           Reloaded on reload signal.

       autosave_on_changes [ true | false ]
           If true, mosquitto will count the number of subscription changes,
           retained messages received and queued messages and if the total
           exceeds autosave_interval then the in-memory database will be saved
           to disk. If false, mosquitto will save the in-memory database to
           disk by treating autosave_interval as a time in seconds.

           This option applies globally.

           Reloaded on reload signal.

       check_retain_source [ true | false ]
           This option affects the scenario when a client subscribes to a
           topic that has retained messages. It is possible that the client
           that published the retained message to the topic had access at the
           time they published, but that access has been subsequently removed.
           If check_retain_source is set to true, the default, the source of a
           retained message will be checked for access rights before it is
           republished. When set to false, no check will be made and the
           retained message will always be published.

           This option applies globally, regardless of the
           per_listener_settings option.

       clientid_prefixes prefix
           If defined, only clients that have a clientid with a prefix that
           matches clientid_prefixes will be allowed to connect to the broker.
           For example, setting "secure-" here would mean a client
           "secure-client" could connect but another with clientid "mqtt"
           couldn't. By default, all client ids are valid.

           This option applies globally.

           Reloaded on reload signal. Note that currently connected clients
           will be unaffected by any changes.

       connection_messages [ true | false ]
           If set to true, the log will include entries when clients connect
           and disconnect. If set to false, these entries will not appear.

           This option applies globally.

           Reloaded on reload signal.

       include_dir dir
           External configuration files may be included by using the
           include_dir option. This defines a directory that will be searched
           for config files. All files that end in '.conf' will be loaded as a
           configuration file. It is best to have this as the last option in
           the main file. This option will only be processed from the main
           configuration file. The directory specified must not contain the
           main configuration file.

           The configuration files in include_dir are loaded in case sensitive
           alphabetical order, with the upper case of each letter ordered
           before the lower case of the same letter.

           Example Load Order for include_dir.  Given the files b.conf,
           A.conf, 01.conf, a.conf, B.conf, and 00.conf inside include_dir,
           the config files would be loaded in this order:

               00.conf
               01.conf
               A.conf
               a.conf
               B.conf
               b.conf

           If this option is used multiple times, then each include_dir option
           is processed completely in the order that they are written in the
           main configuration file.

           Example Load Order for Multiple include_dir.  Assuming a directory
           one.d containing files B.conf and C.conf, and a second directory
           two.d containing files A.conf and D.conf, and a config:

               include_dir one.d
               include_dir two.d

           Then the config files would be loaded in this order:

               # files from one.d
               B.conf
               C.conf
               # files from two.d
               A.conf
               D.conf

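
           The include_dir load order described above, as an added Python
           example that is not mosquitto's own code; the directory names and
           file listings are constructed. Note that the documented order is
           not plain ASCII order, which would place every upper-case name
           before every lower-case one.

```python
from typing import List, Tuple


def _order_key(name: str) -> List[Tuple[str, bool]]:
    # Compare characters case-insensitively first, then put upper case before
    # lower case, so 'A.conf' < 'a.conf' < 'B.conf' (plain ASCII ordering would
    # instead give A.conf, B.conf, a.conf, b.conf).
    return [(ch.lower(), ch.islower()) for ch in name]


def include_dir_order(include_dirs: List[Tuple[str, List[str]]]) -> List[str]:
    """include_dirs lists each include_dir in config-file order together with
    the file names found in it; returns 'dir/name' paths in the documented
    load order. Only names ending in '.conf' are loaded, and each directory
    is processed completely before the next one."""
    order: List[str] = []
    for directory, names in include_dirs:
        conf_files = sorted((n for n in names if n.endswith(".conf")),
                            key=_order_key)
        order.extend("%s/%s" % (directory, n) for n in conf_files)
    return order


# Constructed directory listings reproducing the two examples in the text.
SINGLE_DIR = [("include.d", ["b.conf", "A.conf", "01.conf", "a.conf", "B.conf",
                             "00.conf", "README.txt"])]
TWO_DIRS = [("one.d", ["C.conf", "B.conf"]), ("two.d", ["D.conf", "A.conf"])]

if __name__ == "__main__":
    for path in include_dir_order(SINGLE_DIR) + include_dir_order(TWO_DIRS):
        print(path)
```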
       log_dest destinations
           Send log messages to a particular destination. Possible
           destinations are: stdout stderr syslog topic.

           stdout and stderr log to the console on the named output.

           syslog uses the userspace syslog facility which usually ends up in
           /var/log/messages or similar and topic logs to the broker topic
           '$SYS/broker/log/<severity>', where severity is one of D, E, W, N,
           I, M which are debug, error, warning, notice, information and
           message. Message type severity is used by the subscribe and
           unsubscribe log_type options and publishes log messages at
           $SYS/broker/log/M/subscribe and $SYS/broker/log/M/unsubscribe.

           The file destination requires an additional parameter which is the
           file to be logged to, e.g. "log_dest file /var/log/mosquitto.log".
           The file will be closed and reopened when the broker receives a HUP
           signal. Only a single file destination may be configured.

           Use "log_dest none" if you wish to disable logging. Defaults to
           stderr. This option may be specified multiple times.

           Note that if the broker is running as a Windows service it will
           default to "log_dest none" and neither stdout nor stderr logging is
           available.

           Reloaded on reload signal.

       log_facility local facility
           If using syslog logging (not on Windows), messages will be logged
           to the "daemon" facility by default. Use the log_facility option to
           choose which of local0 to local7 to log to instead. The option
           value should be an integer value, e.g. "log_facility 5" to use
           local5.

       log_timestamp [ true | false ]
           Boolean value, if set to true a timestamp value will be added to
           each log entry. The default is true.

           Reloaded on reload signal.

       log_timestamp_format format
           Set the format of the log timestamp. If left unset, this is the
           number of seconds since the Unix epoch. This option is a free text
           string which will be passed to the strftime function as the format
           specifier. To get an ISO 8601 datetime, for example:

               log_timestamp_format %Y-%m-%dT%H:%M:%S

           Reloaded on reload signal.

       log_type types
           Choose types of messages to log. Possible types are: debug, error,
           warning, notice, information, subscribe, unsubscribe, websockets,
           none, all.

           Defaults to error, warning, notice and information. This option may
           be specified multiple times. Note that the debug type (used for
           decoding incoming/outgoing network packets) is never logged in
           topics.

           Reloaded on reload signal.

       max_inflight_bytes count
           Outgoing QoS 1 and 2 messages will be allowed in flight until this
           byte limit is reached. This allows control of outgoing message rate
           based on message size rather than message count. If the limit is
           set to 100, messages of over 100 bytes are still allowed, but only
           a single message can be in flight at once. Defaults to 0. (No
           limit).

           See also the max_inflight_messages option.

           This option applies globally.

           Reloaded on reload signal.

       max_inflight_messages count
           The maximum number of outgoing QoS 1 or 2 messages that can be in
           the process of being transmitted simultaneously. This includes
           messages currently going through handshakes and messages that are
           being retried. Defaults to 20. Set to 0 for no maximum. If set to
           1, this will guarantee in-order delivery of messages.

           This option applies globally.

           Reloaded on reload signal.

       max_keepalive value
           For MQTT v5 clients, it is possible to have the server send a
           "server keepalive" value that will override the keepalive value set
           by the client. This is intended to be used as a mechanism to say
           that the server will disconnect the client earlier than it
           anticipated, and that the client should use the new keepalive
           value. The max_keepalive option allows you to specify that clients
           may only connect with keepalive less than or equal to this value,
           otherwise they will be sent a server keepalive telling them to use
           max_keepalive. This only applies to MQTT v5 clients. The maximum
           value allowable, and default value, is 65535. Do not set below 10
           seconds.

           This option applies globally.

           Reloaded on reload signal.

       max_packet_size value
           For MQTT v5 clients, it is possible to have the server send a
           "maximum packet size" value that will instruct the client it will
           not accept MQTT packets with size greater than value bytes. This
           applies to the full MQTT packet, not just the payload. Setting this
           option to a positive value will set the maximum packet size to that
           number of bytes. If a client sends a packet which is larger than
           this value, it will be disconnected. This applies to all clients
           regardless of the protocol version they are using, but v3.1.1 and
           earlier clients will of course not have received the maximum packet
           size information. Defaults to no limit.

           This option applies to all clients, not just those using MQTT v5,
           but it is not possible to notify clients using MQTT v3.1.1 or MQTT
           v3.1 of the limit.

           Setting below 20 bytes is forbidden because it is likely to
           interfere with normal client operation even with small payloads.

           This option applies globally.

           Reloaded on reload signal.

       max_queued_bytes count
           The number of outgoing QoS 1 and 2 messages above those currently
           in-flight will be queued (per client) by the broker. Once this
           limit has been reached, subsequent messages will be silently
           dropped. This is an important option if you are sending messages at
           a high rate and/or have clients who are slow to respond or may be
           offline for extended periods of time. Defaults to 0. (No maximum).

           See also the max_queued_messages option. If both
           max_queued_messages and max_queued_bytes are specified, packets
           will be queued until the first limit is reached.

           This option applies globally.

           Reloaded on reload signal.

       max_queued_messages count
           The maximum number of QoS 1 or 2 messages to hold in the queue (per
           client) above those messages that are currently in flight. Defaults
           to 100. Set to 0 for no maximum (not recommended). See also the
           queue_qos0_messages and max_queued_bytes options.

           This option applies globally.

           Reloaded on reload signal.

       memory_limit limit
           This option sets the maximum number of heap memory bytes that the
           broker will allocate, and hence sets a hard limit on memory use by
           the broker. Memory requests that exceed this value will be denied.
           The effect will vary depending on what has been denied. If an
           incoming message is being processed, then the message will be
           dropped and the publishing client will be disconnected. If an
           outgoing message is being sent, then the individual message will be
           dropped and the receiving client will be disconnected. Defaults to
           no limit.

           This option is only available if memory tracking support is
           compiled in.

           Reloaded on reload signal. Setting to a lower value and reloading
           will not result in memory being freed.

       message_size_limit limit
           This option sets the maximum publish payload size that the broker
           will allow. Received messages that exceed this size will not be
           accepted by the broker. This means that the message will not be
           forwarded on to subscribing clients, but the QoS flow will be
           completed for QoS 1 or QoS 2 messages. MQTT v5 clients using QoS 1
           or QoS 2 will receive a PUBACK or PUBREC with the "implementation
           specific error" reason code.

           The default value is 0, which means that all valid MQTT messages
           are accepted. MQTT imposes a maximum payload size of 268435455
           bytes.

           This option applies globally.

           Reloaded on reload signal.

       password_file file path
           Set the path to a password file. If defined, the contents of the
           file are used to control client access to the broker. The file can
           be created using the mosquitto_passwd(1) utility. If mosquitto is
           compiled without TLS support (it is recommended that TLS support is
           included), then the password file should be a text file with each
           line in the format "username:password", where the colon and
           password are optional but recommended. If allow_anonymous is set to
           false, only users defined in this file will be able to connect.
           Setting allow_anonymous to true when password_file is defined is
           valid and could be used with acl_file to have e.g. read only
           guest/anonymous accounts and defined users that can publish.

           If per_listener_settings is true, this option applies to the
           current listener being configured only. If per_listener_settings is
           false, this option applies to all listeners.

           Reloaded on reload signal. The currently loaded username and
           password data will be freed and reloaded. Clients that are already
           connected will not be affected.

           See also mosquitto_passwd(1).

       per_listener_settings [ true | false ]
           If true, then authentication and access control settings will be
           controlled on a per-listener basis. The following options are
           affected:

           password_file, acl_file, psk_file, allow_anonymous,
           allow_zero_length_clientid, auth_plugin, auth_opt_*,
           auto_id_prefix.

           Note that if set to true, then a durable client (i.e. with clean
           session set to false) that has disconnected will use the ACL
           settings defined for the listener that it was most recently
           connected to.

           The default behaviour is for this to be set to false, which
           maintains the settings behaviour from previous versions of
           mosquitto.

           Reloaded on reload signal.

       persistence [ true | false ]
           If true, connection, subscription and message data will be written
           to the disk in mosquitto.db at the location dictated by
           persistence_location. When mosquitto is restarted, it will reload
           the information stored in mosquitto.db. The data will be written to
           disk when mosquitto closes and also at periodic intervals as
           defined by autosave_interval. Writing of the persistence database
           may also be forced by sending mosquitto the SIGUSR1 signal. If
           false, the data will be stored in memory only. Defaults to false.

           The persistence file may change its format in a new version. The
           broker can currently read all old formats, but will only save in
           the latest format. It should always be safe to upgrade, but
           cautious users may wish to take a copy of the persistence file
           before installing a new version so that they can roll back to an
           earlier version if necessary.

           This option applies globally.

           Reloaded on reload signal.

       persistence_file file name
           The filename to use for the persistent database. Defaults to
           mosquitto.db.

           This option applies globally.

           Reloaded on reload signal.

       persistence_location path
           The path where the persistence database should be stored. Must end
           in a trailing slash. If not given, then the current directory is
           used.

           This option applies globally.

           Reloaded on reload signal.

       persistent_client_expiration duration
           This option allows persistent clients (those with clean session set
           to false) to be removed if they do not reconnect within a certain
           time frame. This is a non-standard option. As far as the MQTT spec
           is concerned, persistent clients persist forever.

           Badly designed clients may set clean session to false whilst using
           a randomly generated client id. This leads to persistent clients
           that will never reconnect. This option allows these clients to be
           removed.

           The expiration period should be an integer followed by one of h d w
           m y for hour, day, week, month and year respectively. For example:

           ·   persistent_client_expiration 2m

           ·   persistent_client_expiration 14d

           ·   persistent_client_expiration 1y

           As this is a non-standard option, the default if not set is to
           never expire persistent clients.

           This option applies globally.

           Reloaded on reload signal.

646       pid_file file path
647           Write a pid file to the file specified. If not given (the default),
648           no pid file will be written. If the pid file cannot be written,
649           mosquitto will exit. This option only has an effect is mosquitto is
650           run in daemon mode.
651
652           If mosquitto is being automatically started by an init script it
653           will usually be required to write a pid file. This should then be
654           configured as e.g. /var/run/mosquitto.pid
655
656           Not reloaded on reload signal.
657
658       psk_file file path
659           Set the path to a pre-shared-key file. This option requires a
660           listener to be have PSK support enabled. If defined, the contents
661           of the file are used to control client access to the broker. Each
662           line should be in the format "identity:key", where the key is a
663           hexadecimal string with no leading "0x". A client connecting to a
664           listener that has PSK support enabled must provide a matching
665           identity and PSK to allow the encrypted connection to proceed.
666
667           If per_listener_settings is true, this option applies to the
668           current listener being configured only. If per_listener_settings is
669           false, this option applies to all listeners.
670
671           Reloaded on reload signal. The currently loaded identity and key
672           data will be freed and reloaded. Clients that are already connected
673           will not be affected.
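
           A checker for the psk_file format described above, added here as an
           example and not code from the mosquitto project. It parses
           constructed "identity:key" lines, rejects keys with a leading "0x" or
           non-hex content, and reports two things the page's format makes easy
           to get wrong: an identity listed twice, and one key shared by two
           identities, which leaves the identity useless for access control.
           Skipping blank lines and the 16-byte minimum key length are
           assumptions of this checker, not rules the page states.

```python
# Added example (not part of mosquitto): check a psk_file before the broker
# loads it. The man page format is one "identity:key" per line, with the key
# as a hex string and no leading "0x". Blank lines are skipped here, which is
# an assumption of this checker, not something the page states.
import re
from typing import Dict, List, Tuple

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
MIN_KEY_BYTES = 16  # assumption: insist on at least 128 bits of key material

# Constructed sample psk_file contents (not from the man page).
SAMPLE_PSK_FILE = """\
sensor01:8f3a9c1d2e4b6a7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c
sensor02:0xdeadbeefdeadbeefdeadbeefdeadbeef
sensor03:abcd
gateway:8f3a9c1d2e4b6a7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c
broken line without separator
sensor01:00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
"""


def check_psk_file(text: str) -> Tuple[Dict[str, bytes], List[str]]:
    """Parse psk_file text into {identity: key bytes} and a list of findings.

    Findings cover malformed lines (no separator, leading 0x, non-hex key),
    short keys, identities defined twice, and one key shared by two
    identities (which makes the identity meaningless for access control).
    """
    keys: Dict[str, bytes] = {}
    first_owner: Dict[bytes, str] = {}
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            findings.append(f"line {lineno}: missing ':' separator")
            continue
        identity, key_hex = line.split(":", 1)
        if not identity:
            findings.append(f"line {lineno}: empty identity")
            continue
        if key_hex.lower().startswith("0x"):
            findings.append(f"line {lineno}: key for {identity!r} has a leading 0x")
            continue
        if not HEX_RE.match(key_hex) or len(key_hex) % 2:
            findings.append(f"line {lineno}: key for {identity!r} is not even-length hex")
            continue
        key = bytes.fromhex(key_hex)
        if len(key) < MIN_KEY_BYTES:
            findings.append(f"line {lineno}: key for {identity!r} is only {len(key)} bytes")
        if identity in keys:
            findings.append(f"line {lineno}: identity {identity!r} defined again")
        owner = first_owner.setdefault(key, identity)
        if owner != identity:
            findings.append(f"line {lineno}: {identity!r} shares its key with {owner!r}")
        keys[identity] = key  # a repeated identity keeps its last key
    return keys, findings


if __name__ == "__main__":
    _, problems = check_psk_file(SAMPLE_PSK_FILE)
    for problem in problems:
        print(problem)
```

           Run it against the real file before a reload: the page notes that a
           reload frees and reloads the identity data without touching clients
           that are already connected, so a bad entry only surfaces on the next
           connection attempt.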
674
675       queue_qos0_messages [ true | false ]
676           Set to true to queue messages with QoS 0 when a persistent client
677           is disconnected. These messages are included in the limit imposed
678           by max_queued_messages. Defaults to false.
679
680           Note that the MQTT v3.1.1 spec states that only QoS 1 and 2
681           messages should be saved in this situation so this is a
682           non-standard option.
683
684           This option applies globally.
685
686           Reloaded on reload signal.
687
688       retain_available [ true | false ]
689           If set to false, then retained messages are not supported. Clients
690           that send a message with the retain bit will be disconnected if
691           this option is set to false. Defaults to true.
692
693           This option applies globally.
694
695           Reloaded on reload signal.
696
697       retained_persistence [ true | false ]
698           This is a synonym of the persistence option.
699
700           Reloaded on reload signal.
701
702       set_tcp_nodelay [ true | false ]
703           If set to true, the TCP_NODELAY option will be set on client
704           sockets to disable Nagle's algorithm. This has the effect of
705           reducing latency of some messages at the cost of potentially
706           increasing the number of TCP packets being sent. Defaults to false.
707
708           This option applies globally.
709
710           Reloaded on reload signal.
711
712       sys_interval seconds
713           The integer number of seconds between updates of the $SYS
714           subscription hierarchy, which provides status information about the
715           broker. If unset, defaults to 10 seconds.
716
717           Set to 0 to disable publishing the $SYS hierarchy completely.
718
719           This option applies globally.
720
721           Reloaded on reload signal.
722
723       upgrade_outgoing_qos [ true | false ]
724           The MQTT specification requires that the QoS of a message delivered
725           to a subscriber is never upgraded to match the QoS of the
726           subscription. Enabling this option changes this behaviour. If
727           upgrade_outgoing_qos is set true, messages sent to a subscriber
728           will always match the QoS of its subscription. This is a
729           non-standard option not provided for by the spec. Defaults to
730           false.
731
732           This option applies globally.
733
734           Reloaded on reload signal.
735
736       user username
737           When run as root, change to this user and its primary group on
738           startup. If mosquitto is unable to change to this user and group,
739           it will exit with an error. The user specified must have read/write
740           access to the persistence database if it is to be written, and read
741           access to certificate, password, and ACL files. If run as a
742           non-root user, this setting has no effect. Defaults to mosquitto.
743
744           This setting has no effect on Windows and so you should run
745           mosquitto as the user you wish it to run as.
746
747           Not reloaded on reload signal.
748

LISTENERS

750       The network ports that mosquitto listens on can be controlled using
751       listeners. The default listener options can be overridden and further
752       listeners can be created.
753
754   General Options
755       bind_address address
756           Listen for incoming network connections on the specified IP
757           address/hostname only. This is useful to restrict access to certain
758           network interfaces. To restrict access to mosquitto to the local
759           host only, use "bind_address localhost". This only applies to the
760           default listener. Use the listener option to control other
761           listeners.
762
763           It is recommended to use an explicit listener rather than rely on
764           the implicit default listener options like this.
765
766           Not reloaded on reload signal.
767
768       bind_interface device
769           Listen for incoming network connections only on the specified
770           interface. This is similar to the bind_address option but is useful
771           when an interface has multiple addresses or the address may change.
772
773           It is valid to use this option together with bind_address for the
774           default listener, or the bind address/host part of the listener
775           definition. Care should be taken to ensure that the address being
776           bound to is on the interface being bound to. If you set the
777           bind_interface to be eth0, and bind_address to 127.0.0.1, then the
778           broker will start correctly but you will be unable to connect.
779
780           This option is currently only available on Linux, and requires
781           elevated privileges.
782
783           Not reloaded on reload signal.
784
785       http_dir directory
786           When a listener is using the websockets protocol, it is possible to
787           serve http data as well. Set http_dir to a directory which contains
788           the files you wish to serve. If this option is not specified, then
789           no normal http connections will be possible.
790
791           Not reloaded on reload signal.
792
793       listener port [bind address/host]
794           Listen for incoming network connections on the specified port. A
795           second optional argument allows the listener to be bound to a
796           specific ip address/hostname. If this variable is used and neither
797           the global bind_address nor port options are used then the default
798           listener will not be started.
799
800           The bind address/host option allows this listener to be bound to a
801           specific IP address by passing an IP address or hostname. For
802           websockets listeners, it is only possible to pass an IP address
803           here.
804
805           This option may be specified multiple times. See also the
806           mount_point option.
807
808           Not reloaded on reload signal.
809
810       max_connections count
811           Limit the total number of clients connected for the current
812           listener. Set to -1 to have "unlimited" connections. Note that
813           other limits may be imposed that are outside the control of
814           mosquitto. See e.g.  limits.conf(5).
815
816           Not reloaded on reload signal.
817
818       maximum_qos count
819           Limit the QoS value allowed for clients connecting to this
820           listener. Defaults to 2, which means any QoS can be used. Set to 0
821           or 1 to limit to those QoS values. This makes use of an MQTT v5
822           feature to notify clients of the limitation. MQTT v3.1.1 clients
823           will not be aware of the limitation. Clients publishing to this
824           listener with a too-high QoS will be disconnected.
825
826           Not reloaded on reload signal.
827
828       max_topic_alias number
829           This option sets the maximum number of topic aliases that an MQTT
830           v5 client is allowed to create. This option applies per listener.
831           Defaults to 10. Set to 0 to disallow topic aliases. The maximum
832           value possible is 65535.
833
834           Not reloaded on reload signal.
835
836       mount_point topic prefix
837           This option is used with the listener option to isolate groups of
838           clients. When a client connects to a listener which uses this
839           option, the string argument is attached to the start of all topics
840           for this client. This prefix is removed when any messages are sent
841           to the client. This means a client connected to a listener with
842           mount point example can only see messages that are published in the
843           topic hierarchy example and below.
844
845           Not reloaded on reload signal.
846
847       port port number
848           Set the network port for the default listener to listen on.
849           Defaults to 1883.
850
851           Not reloaded on reload signal.
852
853           It is recommended to use an explicit listener rather than rely on
854           the implicit default listener options like this.
855
856       protocol value
857           Set the protocol to accept for the current listener. Can be mqtt,
858           the default, or websockets if available.
859
860           Websockets support is currently disabled by default at compile
861           time. Certificate based TLS may be used with websockets, except
862           that only the cafile, certfile, keyfile and ciphers options are
863           supported.
864
865           Not reloaded on reload signal.
866
867       socket_domain [ ipv4 | ipv6 ]
868           By default, a listener will attempt to listen on all supported IP
869           protocol versions. If you do not have an IPv4 or IPv6 interface you
870           may wish to disable support for either of those protocol versions.
871           In particular, note that due to the limitations of the websockets
872           library, it will only ever attempt to open IPv6 sockets if IPv6
873           support is compiled in, and so will fail if IPv6 is not available.
874
875           Set to ipv4 to force the listener to only use IPv4, or set to ipv6
876           to force the listener to only use IPv6. If you want support for
877           both IPv4 and IPv6, then do not use the socket_domain option.
878
879           Not reloaded on reload signal.
880
881       use_username_as_clientid [ true | false ]
882           Set use_username_as_clientid to true to replace the clientid that a
883           client connected with by its username. This allows authentication to
884           be tied to the clientid, which means that it is possible to prevent
885           one client disconnecting another by using the same clientid.
886           Defaults to false.
887
888           If a client connects with no username it will be disconnected as
889           not authorised when this option is set to true. Do not use in
890           conjunction with clientid_prefixes.
891
892           See also use_identity_as_username.
893
894           Not reloaded on reload signal.
895
896       websockets_log_level level
897           Change the websockets logging level. This is a global option, it is
898           not possible to set per listener. This is an integer that is
899           interpreted by libwebsockets as a bit mask for its lws_log_levels
900           enum. See the libwebsockets documentation for more details.
901
902           To use this option, log_type websockets must also be enabled.
903           Defaults to 0.
904
905       websockets_headers_size size
906           Change the websockets headers size. This is a global option, it is
907           not possible to set per listener. This option sets the size of the
908           buffer used in the libwebsockets library when reading HTTP headers.
909           If you are passing large header data such as cookies then you may
910           need to increase this value. If left unset, or set to 0, then the
911           default of 1024 bytes will be used.
912
913   Certificate based SSL/TLS Support
914       The following options are available for all listeners to configure
915       certificate based SSL support. See also "Pre-shared-key based SSL/TLS
916       support".
917
918       cafile file path
919           At least one of cafile or capath must be provided to enable SSL
920           support.
921
922           cafile is used to define the path to a file containing the PEM
923           encoded CA certificates that are trusted.
924
925       capath directory path
926           At least one of cafile or capath must be provided to enable SSL
927           support.
928
929           capath is used to define a directory that contains PEM encoded CA
930           certificates that are trusted. For capath to work correctly, the
931           certificates files must have ".pem" as the file ending and you must
932           run "openssl rehash <path to capath>" each time you add/remove a
933           certificate.
934
935       certfile file path
936           Path to the PEM encoded server certificate.
937
938       ciphers cipher:list
939           The list of allowed ciphers, each separated with a colon. Available
940           ciphers can be obtained using the "openssl ciphers" command.
941
942       crlfile file path
943           If you have require_certificate set to true, you can create a
944           certificate revocation list file to revoke access to particular
945           client certificates. If you have done this, use crlfile to point to
946           the PEM encoded revocation file.
947
948       dhparamfile file path
949           To allow the use of ephemeral DH key exchange, which provides
950           forward security, the listener must load DH parameters. This can be
951           specified with the dhparamfile option. The dhparamfile can be
952           generated with the command e.g.
953
954               openssl dhparam -out dhparam.pem 2048
955
956       keyfile file path
957           Path to the PEM encoded keyfile.
958
959       require_certificate [ true | false ]
960           By default an SSL/TLS enabled listener will operate in a similar
961           fashion to a https enabled web server, in that the server has a
962           certificate signed by a CA and the client will verify that it is a
963           trusted certificate. The overall aim is encryption of the network
964           traffic. By setting require_certificate to true, a client
965           connecting to this listener must provide a valid certificate in
966           order for the network connection to proceed. This allows access to
967           the broker to be controlled outside of the mechanisms provided by
968           MQTT.
969
970       tls_engine engine
971           A valid openssl engine id. These can be listed with openssl engine
972           command.
973
974       tls_engine_kpass_sha1 engine_kpass_sha1
975           SHA1 of the private key password when using a TLS engine. Some TLS
976           engines such as the TPM engine may require the use of a password in
977           order to be accessed. This option allows a hex encoded SHA1 hash of
978           the password to be passed to the engine directly, instead of the
979           user being prompted for the password.
980
981       tls_keyform [ pem | engine ]
982           Specifies the type of private key in use when making TLS
983           connections. This can be "pem" or "engine". This parameter is
984           useful when a TPM module is being used and the private key has been
985           created with it. Defaults to "pem", which means normal private key
986           files are used.
987
988       tls_version version
989           Configure the version of the TLS protocol to be used for this
990           listener. Possible values are tlsv1.3, tlsv1.2 and tlsv1.1. If left
991           unset, the default of allowing all of TLS v1.3, v1.2 and v1.1 is
992           used.
993
994       use_identity_as_username [ true | false ]
995           If require_certificate is true, you may set
996           use_identity_as_username to true to use the CN value from the
997           client certificate as a username. If this is true, the
998           password_file option will not be used for this listener.
999
1000           This takes priority over use_subject_as_username if both are set to
1001           true.
1002
1003           See also use_subject_as_username
1004
1005       use_subject_as_username [ true | false ]
1006           If require_certificate is true, you may set use_subject_as_username
1007           to true to use the complete subject value from the client
1008           certificate as a username. If this is true, the password_file
1009           option will not be used for this listener.
1010
1011           The subject will be generated in a form similar to CN=test
1012           client,OU=Production,O=Server,L=Nottingham,ST=Nottinghamshire,C=GB.
1013
1014           See also use_identity_as_username
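
           A listener audit for the certificate options in this section, added
           here as an example and not code from the mosquitto project. It parses
           a constructed mosquitto.conf using the file format from this page (a
           "#" in the first column is a comment, name and value separated by a
           single space), groups options under the listener line that precedes
           them, and reports listeners with no cafile/capath, password_file on an
           unencrypted listener, tls_version tlsv1.1, and use_identity_as_username
           or use_subject_as_username without require_certificate true. Treating
           options before the first listener line as the implicit default
           listener, and ignoring per_listener_settings, are simplifications of
           this checker.

```python
# Added example (not from the mosquitto project): audit listener security
# options in a mosquitto.conf. Options before the first 'listener' line are
# treated as the implicit default listener; per_listener_settings is not
# modelled (assumption of this checker).
from typing import Dict, List

# Constructed sample configuration (not from the man page).
SAMPLE_CONF = """\
# plaintext listener that also asks for passwords
listener 1883
password_file /etc/mosquitto/passwd

# TLS listener, but old protocol and cert-derived usernames without client certs
listener 8883
cafile /etc/mosquitto/ca.pem
certfile /etc/mosquitto/server.pem
keyfile /etc/mosquitto/server.key
tls_version tlsv1.1
use_identity_as_username true

# TLS listener with mutual authentication
listener 8884
cafile /etc/mosquitto/ca.pem
certfile /etc/mosquitto/server.pem
keyfile /etc/mosquitto/server.key
require_certificate true
use_identity_as_username true
"""


def parse_listeners(text: str) -> List[Dict[str, str]]:
    """Split a mosquitto.conf into one option map per listener.

    The default listener is only included when the page says it would start:
    'port' or 'bind_address' is used, or no explicit listener exists.
    """
    default: Dict[str, str] = {"listener": "default"}
    listeners: List[Dict[str, str]] = []
    current = default
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        name, _, value = raw.partition(" ")
        if name == "listener":
            current = {"listener": value}
            listeners.append(current)
        else:
            current[name] = value
    if not listeners or "port" in default or "bind_address" in default:
        listeners.insert(0, default)
    return listeners


def audit(text: str) -> List[str]:
    """Return one finding per weak or inconsistent listener setting."""
    findings: List[str] = []
    for lst in parse_listeners(text):
        tag = f"listener {lst['listener']}"
        has_tls = "cafile" in lst or "capath" in lst
        if not has_tls:
            findings.append(f"{tag}: no cafile/capath, connections are unencrypted")
            if "password_file" in lst:
                findings.append(f"{tag}: password_file on an unencrypted listener, "
                                "credentials cross the network in clear")
        else:
            if "certfile" not in lst or "keyfile" not in lst:
                findings.append(f"{tag}: TLS enabled but certfile or keyfile missing")
            if lst.get("tls_version") == "tlsv1.1":
                findings.append(f"{tag}: tls_version tlsv1.1 is deprecated, "
                                "prefer tlsv1.2 or tlsv1.3")
        for opt in ("use_identity_as_username", "use_subject_as_username"):
            if lst.get(opt) == "true" and lst.get("require_certificate") != "true":
                findings.append(f"{tag}: {opt} set without require_certificate true")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

           Only the third listener in the sample passes: it carries a CA, a server
           certificate and key, demands a client certificate, and only then
           derives the username from it.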
1015
1016   Pre-shared-key based SSL/TLS Support
1017       The following options are available for all listeners to configure
1018       pre-shared-key based SSL support. See also "Certificate based SSL/TLS
1019       support".
1020
1021       ciphers cipher:list
1022           When using PSK, the encryption ciphers used will be chosen from the
1023           list of available PSK ciphers. If you want to control which ciphers
1024           are available, use this option. The list of available ciphers can
1025           be obtained using the "openssl ciphers" command and should be
1026           provided in the same format as the output of that command.
1027
1028       psk_hint hint
1029           The psk_hint option enables pre-shared-key support for this
1030           listener and also acts as an identifier for this listener. The hint
1031           is sent to clients and may be used locally to aid authentication.
1032           The hint is a free form string that doesn't have much meaning in
1033           itself, so feel free to be creative.
1034
1035           If this option is provided, see psk_file to define the pre-shared
1036           keys to be used or create a security plugin to handle them.
1037
1038       tls_version version
1039           Configure the version of the TLS protocol to be used for this
1040           listener. Possible values are tlsv1.3, tlsv1.2 and tlsv1.1. If left
1041           unset, the default of allowing all of TLS v1.3, v1.2 and v1.1 is
1042           used.
1043
1044       use_identity_as_username [ true | false ]
1045           Set use_identity_as_username to have the psk identity sent by the
1046           client used as its username. The username will be checked as
1047           normal, so password_file or another means of authentication
1048           checking must be used. No password will be used.
1049

CONFIGURING BRIDGES

1051       Multiple bridges (connections to other brokers) can be configured using
1052       the following variables.
1053
1054       Bridges cannot currently be reloaded on reload signal.
1055
1056       address address[:port] [address[:port]], addresses address[:port]
1057       [address[:port]]
1058           Specify the address and optionally the port of the bridge to
1059           connect to. This must be given for each bridge connection. If the
1060           port is not specified, the default of 1883 is used.
1061
1062           If you use an IPv6 address, then the port is not optional.
1063
1064           Multiple host addresses can be specified on the address config. See
1065           the round_robin option for more details on the behaviour of bridges
1066           with multiple addresses.
1067
1068       bridge_attempt_unsubscribe [ true | false ]
1069           If a bridge has topics that have "out" direction, the default
1070           behaviour is to send an unsubscribe request to the remote broker on
1071           that topic. This means that changing a topic direction from "in" to
1072           "out" will not keep receiving incoming messages. Sending these
1073           unsubscribe requests is not always desirable; setting
1074           bridge_attempt_unsubscribe to false will disable sending the
1075           unsubscribe request. Defaults to true.
1076
1077       bridge_protocol_version version
1078           Set the version of the MQTT protocol to use for this bridge.
1079           Can be one of mqttv31 or mqttv311. Defaults to mqttv31.
1080
1081       cleansession [ true | false ]
1082           Set the clean session option for this bridge. Setting to false (the
1083           default) means that all subscriptions on the remote broker are
1084           kept in case of the network connection dropping. If set to true,
1085           all subscriptions and messages on the remote broker will be cleaned
1086           up if the connection drops. Note that setting to true may cause a
1087           large amount of retained messages to be sent each time the bridge
1088           reconnects.
1089
1090           If you are using bridges with cleansession set to false (the
1091           default), then you may get unexpected behaviour from incoming
1092           topics if you change what topics you are subscribing to. This is
1093           because the remote broker keeps the subscription for the old topic.
1094           If you have this problem, connect your bridge with cleansession set
1095           to true, then reconnect with cleansession set to false as normal.
1096
1097       connection name
1098           This variable marks the start of a new bridge connection. It is
1099           also used to give the bridge a name which is used as the client id
1100           on the remote broker.
1101
1102       keepalive_interval seconds
1103           Set the number of seconds after which the bridge should send a ping
1104           if no other traffic has occurred. Defaults to 60. A minimum value
1105           of 5 seconds is allowed.
1106
1107       idle_timeout seconds
1108           Set the amount of time a bridge using the lazy start type must be
1109           idle before it will be stopped. Defaults to 60 seconds.
1110
1111       local_clientid id
1112           Set the clientid to use on the local broker. If not defined, this
1113           defaults to local.<remote_clientid>. If you are bridging a broker
1114           to itself, it is important that local_clientid and remote_clientid
1115           do not match.
1116
1117       local_password password
1118           Configure the password to be used when connecting this bridge to
1119           the local broker. This may be important when authentication and
1120           ACLs are being used.
1121
1122       local_username username
1123           Configure the username to be used when connecting this bridge to
1124           the local broker. This may be important when authentication and
1125           ACLs are being used.
1126
1127       notifications [ true | false ]
1128           If set to true, publish notification messages to the local and
1129           remote brokers giving information about the state of the bridge
1130           connection. Retained messages are published to the topic
1131           $SYS/broker/connection/<remote_clientid>/state unless otherwise set
1132           with notification_topics. If the message is 1 then the connection
1133           is active, or 0 if the connection has failed. Defaults to true.
1134
1135           This uses the Last Will and Testament (LWT) feature.
1136
1137       notifications_local_only [ true | false ]
1138           If set to true, only publish notification messages to the local
1139           broker giving information about the state of the bridge connection.
1140           Defaults to false.
1141
1142       notification_topic topic
1143           Choose the topic on which notifications will be published for this
1144           bridge. If not set the messages will be sent on the topic
1145           $SYS/broker/connection/<remote_clientid>/state.
1146
1147       remote_clientid id
1148           Set the client id for this bridge connection. If not defined, this
1149           defaults to 'name.hostname', where name is the connection name and
1150           hostname is the hostname of this computer.
1151
1152           This replaces the old "clientid" option to avoid confusion with
1153           local/remote sides of the bridge. "clientid" remains valid for the
1154           time being.
1155
1156       remote_password value
1157           Configure a password for the bridge. This is used for
1158           authentication purposes when connecting to a broker that supports
1159           MQTT v3.1 and up and requires a username and/or password to
1160           connect. This option is only valid if a remote_username is also
1161           supplied.
1162
1163           This replaces the old "password" option to avoid confusion with
1164           local/remote sides of the bridge. "password" remains valid for the
1165           time being.
1166
1167       remote_username name
1168           Configure a username for the bridge. This is used for
1169           authentication purposes when connecting to a broker that supports
1170           MQTT v3.1 and up and requires a username and/or password to
1171           connect. See also the remote_password option.
1172
1173           This replaces the old "username" option to avoid confusion with
1174           local/remote sides of the bridge. "username" remains valid for the
1175           time being.
1176
1177       restart_timeout base cap, restart_timeout constant
1178           Set the amount of time a bridge using the automatic start type will
1179           wait until attempting to reconnect.
1180
1181           This option can be configured to use a constant delay time in
1182           seconds, or to use a backoff mechanism based on "Decorrelated
1183           Jitter", which adds a degree of randomness to when the restart
1184           occurs, starting at the base and increasing up to the cap. Set a
1185           constant timeout of 20 seconds:
1186
1187               restart_timeout 20
1188
1189           Set backoff with a base (start value) of 10 seconds and a cap
1190           (upper limit) of 60 seconds:
1191
1192               restart_timeout 10 30
1193
1194           Defaults to jitter with a base of 5 seconds and cap of 30 seconds.
1195
1196       round_robin [ true | false ]
1197           If the bridge has more than one address given in the
1198           address/addresses configuration, the round_robin option defines the
1199           behaviour of the bridge on a failure of the bridge connection. If
1200           round_robin is false, the default value, then the first address is
1201           treated as the main bridge connection. If the connection fails, the
1202           other secondary addresses will be attempted in turn. Whilst
1203           connected to a secondary bridge, the bridge will periodically
1204           attempt to reconnect to the main bridge until successful.
1205
1206           If round_robin is true, then all addresses are treated as equals.
1207           If a connection fails, the next address will be tried and if
1208           successful will remain connected until it fails.
1209
1210       start_type [ automatic | lazy | once ]
1211           Set the start type of the bridge. This controls how the bridge
1212           starts and can be one of three types: automatic, lazy and once.
1213           Note that RSMB provides a fourth start type "manual" which isn't
1214           currently supported by mosquitto.
1215
1216           automatic is the default start type and means that the bridge
1217           connection will be started automatically when the broker starts and
1218           also restarted after a short delay (30 seconds) if the connection
1219           fails.
1220
1221           Bridges using the lazy start type will be started automatically
1222           when the number of queued messages exceeds the number set with the
1223           threshold option. The bridge will be stopped automatically after
1224           the time set by the idle_timeout parameter. Use this start type if
1225           you wish the connection to only be active when it is needed.
1226
1227           A bridge using the once start type will be started automatically
1228           when the broker starts but will not be restarted if the connection
1229           fails.
1230
1231       threshold count
1232           Set the number of messages that need to be queued for a bridge with
1233           lazy start type to be restarted. Defaults to 10 messages.
1234
1235       topic pattern [[[ out | in | both ] qos-level] local-prefix
1236       remote-prefix]
1237           Define a topic pattern to be shared between the two brokers. Any
1238           topics matching the pattern (which may include wildcards) are
1239           shared. The second parameter defines the direction that the
1240           messages will be shared in, so it is possible to import messages
1241           from a remote broker using in, export messages to a remote broker
1242           using out or share messages in both directions. If this parameter
1243           is not defined, the default of out is used. The QoS level defines
1244           the publish/subscribe QoS level used for this topic and defaults to
1245           0.
1246
1247           The local-prefix and remote-prefix options allow topics to be
1248           remapped when publishing to and receiving from remote brokers. This
1249           allows a topic tree from the local broker to be inserted into the
1250           topic tree of the remote broker at an appropriate place.
1251
1252           For incoming topics, the bridge will prepend the pattern with the
1253           remote prefix and subscribe to the resulting topic on the remote
1254           broker. When a matching incoming message is received, the remote
1255           prefix will be removed from the topic and then the local prefix
1256           added.
1257
1258           For outgoing topics, the bridge will prepend the pattern with the
1259           local prefix and subscribe to the resulting topic on the local
1260           broker. When an outgoing message is processed, the local prefix
1261           will be removed from the topic then the remote prefix added.
1262
1263           When using topic mapping, an empty prefix can be defined using the
1264           place marker "". Using the empty marker for the topic itself is
1265           also valid. The table below defines what combination of empty or
1266           value is valid. The Full Local Topic and Full Remote Topic show the
1267           resulting topics that would be used on the local and remote ends of
1268           the bridge. For example, for the first table row if you publish to
1269           L/topic on the local broker, then the remote broker will receive a
1270           message on the topic R/topic.
1271
1272           ┌────────┬────────┬────────┬─────────────┬────────────┬─────────────┐
1273           │Pattern │ Local  │ Remote │ Validity    │ Full Local │ Full Remote │
1274           │        │ Prefix │ Prefix │             │ Topic      │ Topic       │
1275           ├────────┼────────┼────────┼─────────────┼────────────┼─────────────┤
1276           │pattern │ L/     │ R/     │ valid       │ L/pattern  │ R/pattern   │
1277           ├────────┼────────┼────────┼─────────────┼────────────┼─────────────┤
1278           │pattern │ L/     │ ""     │ valid       │ L/pattern  │ pattern     │
1279           ├────────┼────────┼────────┼─────────────┼────────────┼─────────────┤
1280           │pattern │ ""     │ R/     │ valid       │ pattern    │ R/pattern   │
1281           ├────────┼────────┼────────┼─────────────┼────────────┼─────────────┤
1282           │pattern │ ""     │ ""     │ valid (no   │ pattern    │ pattern     │
1283           │        │        │        │ remapping)  │            │             │
1284           ├────────┼────────┼────────┼─────────────┼────────────┼─────────────┤
1285           │""      │ local  │ remote │ valid       │ local      │ remote      │
1286           │        │        │        │ (remap      │            │             │
1287           │        │        │        │ single      │            │             │
1288           │        │        │        │ local topic │            │             │
1289           │        │        │        │ to remote)  │            │             │
1290           ├────────┼────────┼────────┼─────────────┼────────────┼─────────────┤
1291           │""      │ local  │ ""     │ invalid     │            │             │
1292           ├────────┼────────┼────────┼─────────────┼────────────┼─────────────┤
1293           │""      │ ""     │ remote │ invalid     │            │             │
1294           ├────────┼────────┼────────┼─────────────┼────────────┼─────────────┤
1295           │""      │ ""     │ ""     │ invalid     │            │             │
1296           └────────┴────────┴────────┴─────────────┴────────────┴─────────────┘

           To remap an entire topic tree, use e.g.:

               topic # both 2 local/topic/ remote/topic/

           This option can be specified multiple times per bridge.

           Care must be taken to ensure that loops are not created with this
           option. If you are experiencing high CPU load from a broker, it is
           possible that you have a loop where each broker is forever
           forwarding each other the same messages.

           See also the cleansession option if you have messages arriving on
           unexpected topics when using incoming topics.

           Example Bridge Topic Remapping.  The configuration below connects a
           bridge to the broker at test.mosquitto.org. It subscribes to the
           remote topic $SYS/broker/clients/total and republishes the messages
           received to the local topic test/mosquitto/org/clients/total.

               connection test-mosquitto-org
               address test.mosquitto.org
               cleansession true
               topic clients/total in 0 test/mosquitto/org/ $SYS/broker/
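
           The remapping rules and the validity table above, worked through
           as an added example (this is not mosquitto's own code). It parses
           topic lines with the syntax shown in this section, rejects the
           combinations the table marks invalid, and rewrites a message topic
           in each direction the way the description says the bridge does.
           The handling of a lone prefix (only one of the two given) is an
           assumption of this model, treated as a configuration error.

```python
"""Model of the bridge `topic` remapping rules (added example; not
mosquitto's own code).  It parses `topic` lines with the
`pattern [[[out|in|both] qos] local-prefix remote-prefix]` syntax, applies
the validity table, and rewrites topics the way the bridge does in each
direction.  A lone prefix is treated as a configuration error here, which
is an assumption of this model."""
from dataclasses import dataclass
from typing import Optional, Tuple

DIRECTIONS = ("out", "in", "both")


@dataclass(frozen=True)
class TopicRule:
    pattern: str
    direction: str = "out"
    qos: int = 0
    local_prefix: str = ""
    remote_prefix: str = ""

    def full_topics(self) -> Tuple[str, str]:
        # The (Full Local Topic, Full Remote Topic) columns of the table:
        # the subscriptions the bridge makes on each broker.
        return (self.local_prefix + self.pattern,
                self.remote_prefix + self.pattern)

    def is_valid(self) -> bool:
        # An empty pattern is only valid when both prefixes are non-empty
        # (remap a single local topic to a single remote topic).
        if self.pattern == "":
            return bool(self.local_prefix) and bool(self.remote_prefix)
        return True


def _token(tok: str) -> str:
    # The place marker "" stands for an empty pattern or prefix.
    return "" if tok == '""' else tok


def parse_topic_line(line: str) -> TopicRule:
    """Parse one `topic ...` configuration line into a validated TopicRule."""
    toks = line.split()
    if len(toks) < 2 or toks[0] != "topic":
        raise ValueError(f"not a topic line: {line!r}")
    pattern, rest = _token(toks[1]), toks[2:]
    direction, qos = "out", 0
    if rest and rest[0] in DIRECTIONS:
        direction, rest = rest[0], rest[1:]
    if rest and rest[0].isdigit():
        qos, rest = int(rest[0]), rest[1:]
        if qos > 2:
            raise ValueError(f"qos must be 0, 1 or 2: {line!r}")
    local_prefix = remote_prefix = ""
    if len(rest) == 2:
        local_prefix, remote_prefix = _token(rest[0]), _token(rest[1])
    elif rest:  # assumption: a lone prefix is a configuration error
        raise ValueError(f"expected local and remote prefix: {line!r}")
    rule = TopicRule(pattern, direction, qos, local_prefix, remote_prefix)
    if not rule.is_valid():
        raise ValueError(f"invalid empty pattern/prefix combination: {line!r}")
    return rule


def topic_matches(sub: str, topic: str) -> bool:
    """MQTT subscription matching with the + and # wildcards."""
    if topic.startswith("$") and sub[:1] in ("#", "+"):
        return False  # a leading wildcard never matches $SYS-style topics
    s, t = sub.split("/"), topic.split("/")
    for i, part in enumerate(s):
        if part == "#":
            return True  # matches this level and everything below it
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(s) == len(t)


def remap_incoming(rule: TopicRule, remote_topic: str) -> Optional[str]:
    """Remote -> local: strip the remote prefix, then add the local prefix.
    Returns None when the rule does not apply to this message."""
    if rule.direction not in ("in", "both"):
        return None
    _, remote_sub = rule.full_topics()
    if not topic_matches(remote_sub, remote_topic) or \
            not remote_topic.startswith(rule.remote_prefix):
        return None
    return rule.local_prefix + remote_topic[len(rule.remote_prefix):]


def remap_outgoing(rule: TopicRule, local_topic: str) -> Optional[str]:
    """Local -> remote: strip the local prefix, then add the remote prefix."""
    if rule.direction not in ("out", "both"):
        return None
    local_sub, _ = rule.full_topics()
    if not topic_matches(local_sub, local_topic) or \
            not local_topic.startswith(rule.local_prefix):
        return None
    return rule.remote_prefix + local_topic[len(rule.local_prefix):]


if __name__ == "__main__":
    # The example above: $SYS/broker/clients/total on the remote broker
    # becomes test/mosquitto/org/clients/total on the local one.
    rule = parse_topic_line("topic clients/total in 0 test/mosquitto/org/ $SYS/broker/")
    print(rule.full_topics())
    print(remap_incoming(rule, "$SYS/broker/clients/total"))
```

           Feeding the "topic # both 2 local/topic/ remote/topic/" line from
           above into parse_topic_line and then calling remap_outgoing with
           a topic under local/topic/ shows the whole-tree remap; a topic
           outside that prefix returns None, which is how the model expresses
           that the bridge would never have forwarded it.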

       try_private [ true | false ]
           If try_private is set to true, the bridge will attempt to indicate
           to the remote broker that it is a bridge, not an ordinary client. If
           successful, this means that loop detection will be more effective
           and that retained messages will be propagated correctly. Not all
           brokers support this feature, so it may be necessary to set
           try_private to false if your bridge does not connect properly.

           Defaults to true.

   SSL/TLS Support
       The following options are available for all bridges to configure
       SSL/TLS support.

       bridge_alpn alpn
           Configure the application layer protocol negotiation option for the
           TLS session. Useful for brokers that support both websockets and
           MQTT on the same port.

       bridge_cafile file path
           One of bridge_cafile or bridge_capath must be provided to allow
           SSL/TLS support.

           bridge_cafile is used to define the path to a file containing the
           PEM encoded CA certificates that have signed the certificate for
           the remote broker.

       bridge_capath file path
           One of bridge_capath or bridge_cafile must be provided to allow
           SSL/TLS support.

           bridge_capath is used to define the path to a directory containing
           the PEM encoded CA certificates that have signed the certificate
           for the remote broker. For bridge_capath to work correctly, the
           certificate files must have ".crt" as the file ending and you must
           run "openssl rehash <path to bridge_capath>" each time you
           add/remove a certificate.

       bridge_certfile file path
           Path to the PEM encoded client certificate for this bridge, if
           required by the remote broker.

       bridge_identity identity
           Pre-shared-key encryption provides an alternative to certificate
           based encryption. A bridge can be configured to use PSK with the
           bridge_identity and bridge_psk options. This is the client identity
           used with PSK encryption. Only one of certificate and PSK based
           encryption can be used on one bridge at once.

       bridge_insecure [ true | false ]
           When using certificate based TLS, the bridge will attempt to verify
           that the hostname provided in the remote certificate matches the
           host/address being connected to. This may cause problems in testing
           scenarios, so bridge_insecure may be set to true to disable the
           hostname verification.

           Setting this option to true means that a malicious third party
           could potentially impersonate your server, so it should always be
           set to false in production environments.

       bridge_keyfile file path
           Path to the PEM encoded private key for this bridge, if required by
           the remote broker.

       bridge_psk key
           Pre-shared-key encryption provides an alternative to certificate
           based encryption. A bridge can be configured to use PSK with the
           bridge_identity and bridge_psk options. This is the pre-shared-key
           in hexadecimal format with no "0x". Only one of certificate and PSK
           based encryption can be used on one bridge at once.

       bridge_require_ocsp [ true | false ]
           When set to true, the bridge requires OCSP on the TLS connection it
           opens as client.

       bridge_tls_version version
           Configure the version of the TLS protocol to be used for this
           bridge. Possible values are tlsv1.3, tlsv1.2 and tlsv1.1. Defaults
           to tlsv1.2. The remote broker must support the same version of TLS
           for the connection to succeed.
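
           The constraints in this subsection (cafile/capath required for
           certificate based TLS, certificate and PSK modes exclusive, PSK in
           plain hexadecimal, bridge_insecure never true in production, the
           listed TLS versions) as a small configuration check, added here as
           an example and not part of mosquitto. It reads mosquitto.conf text
           using the file format rules from the DESCRIPTION section, groups
           the options that follow each connection line, and reports the
           combinations this page calls invalid or unsafe. The requirement
           that bridge_certfile and bridge_keyfile appear together, the
           severity labels and the sample configuration are assumptions
           constructed for this example.

```python
"""Lint the bridge SSL/TLS options of a mosquitto.conf (added example; not
part of mosquitto).  Options following each `connection` line are grouped
and checked against the rules stated in the man page.  The severity
labels, the certfile/keyfile pairing rule and the sample configuration are
constructed for this example."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (bridge name, severity, message)

TLS_OPTIONS = (
    "bridge_alpn", "bridge_cafile", "bridge_capath", "bridge_certfile",
    "bridge_identity", "bridge_insecure", "bridge_keyfile", "bridge_psk",
    "bridge_require_ocsp", "bridge_tls_version",
)
CERT_OPTIONS = ("bridge_cafile", "bridge_capath", "bridge_certfile", "bridge_keyfile")
KNOWN_TLS_VERSIONS = ("tlsv1.3", "tlsv1.2", "tlsv1.1")


def parse_bridges(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map each `connection` name to the options that follow it.  Lines with
    '#' as the very first character are comments; the option name is
    separated from its value by the first space.  Values are kept in lists
    because options such as `topic` may repeat."""
    bridges: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        name, _, value = raw.strip().partition(" ")
        if name == "connection":
            current = value
            bridges[current] = {}
        elif current is not None:
            bridges[current].setdefault(name, []).append(value)
    return bridges


def lint_bridge(name: str, opts: Dict[str, List[str]]) -> List[Finding]:
    """Apply the man page's rules to one bridge's options."""
    findings: List[Finding] = []

    def first(key: str):
        return opts[key][0] if key in opts else None

    if not any(k in opts for k in TLS_OPTIONS):
        return [(name, "info", "no bridge_* TLS options: the bridge connects in plaintext")]

    cert_mode = any(k in opts for k in CERT_OPTIONS)
    psk_mode = "bridge_identity" in opts or "bridge_psk" in opts
    if cert_mode and psk_mode:
        findings.append((name, "error", "certificate and PSK options are both set; "
                         "only one of them can be used on one bridge"))
    if psk_mode:
        if not ("bridge_identity" in opts and "bridge_psk" in opts):
            findings.append((name, "error", "PSK needs both bridge_identity and bridge_psk"))
        psk = first("bridge_psk")
        if psk is not None and not re.fullmatch(r"[0-9A-Fa-f]+", psk):
            findings.append((name, "error", 'bridge_psk must be hexadecimal with no "0x"'))
    elif "bridge_cafile" not in opts and "bridge_capath" not in opts:
        findings.append((name, "error", "TLS is configured but neither bridge_cafile "
                         "nor bridge_capath is given"))
    if first("bridge_insecure") == "true":
        findings.append((name, "error", "bridge_insecure true disables hostname "
                         "verification, so a third party could impersonate the remote broker"))
    if ("bridge_certfile" in opts) != ("bridge_keyfile" in opts):  # assumption
        findings.append((name, "error", "bridge_certfile and bridge_keyfile must be given together"))
    version = first("bridge_tls_version")
    if version is not None and version not in KNOWN_TLS_VERSIONS:
        findings.append((name, "error", f"unknown bridge_tls_version {version!r}"))
    elif version == "tlsv1.1":
        findings.append((name, "warn", "bridge_tls_version tlsv1.1 is older than the "
                         "default tlsv1.2 (TLS 1.1 is deprecated by RFC 8996)"))
    if "bridge_capath" in opts:
        findings.append((name, "info", 'bridge_capath needs ".crt" file names and '
                         '"openssl rehash" after every change'))
    return findings


def lint_config(text: str) -> List[Finding]:
    return [f for name, opts in parse_bridges(text).items() for f in lint_bridge(name, opts)]


# Constructed sample configuration for this example, not a real deployment.
SAMPLE_CONF = """\
# constructed sample: one weak bridge, one sound bridge, one plaintext bridge
connection weak-bridge
address broker-a.example.invalid:8883
bridge_cafile /etc/mosquitto/certs/ca.crt
bridge_identity bridge-a
bridge_psk 0xdeadbeef
bridge_insecure true
bridge_tls_version tlsv1.1
topic sensors/# out 1 "" site-a/

connection good-bridge
address broker-b.example.invalid:8883
bridge_capath /etc/mosquitto/certs/
bridge_certfile /etc/mosquitto/certs/bridge.crt
bridge_keyfile /etc/mosquitto/certs/bridge.key
bridge_tls_version tlsv1.2
topic sensors/# out 1 "" site-a/

connection plain-bridge
address 192.0.2.10
topic sensors/# out 1 "" site-a/
"""

if __name__ == "__main__":
    for bridge, severity, message in lint_config(SAMPLE_CONF):
        print(f"[{severity:5}] {bridge}: {message}")
```

           Run against the constructed sample, weak-bridge produces three
           errors (certificate and PSK mixed, a "0x"-prefixed PSK, and
           bridge_insecure true) plus a warning for tlsv1.1, good-bridge only
           gets the informational reminder about "openssl rehash", and
           plain-bridge is reported as unencrypted.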

FILES
       mosquitto.conf

BUGS
       mosquitto bug information can be found at
       https://github.com/eclipse/mosquitto/issues

SEE ALSO
       mosquitto(8), mosquitto_passwd(1), mosquitto-tls(7), mqtt(7),
       limits.conf(5)

AUTHOR
       Roger Light <roger@atchoo.org>



Mosquitto Project                 08/19/2020                 MOSQUITTO.CONF(5)