diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml
index e261776b..528cd2ae 100644
--- a/man/mosquitto.conf.5.xml
+++ b/man/mosquitto.conf.5.xml
@@ -2006,6 +2006,24 @@ topic clients/total in 0 test/mosquitto/org/ $SYS/broker/
Defaults to true.
+
+ [ lazy | immediate ]
+
+ If you change bridge options in the configuration file,
+ those configuration changes are applied during a bridge
+ reconnection. The option
+ determines when that reconnection happens, and can be set to either
+ lazy or immediate.
+
+ lazy is the default, and means
+ that any connected bridge will remain in its current state until
+ a natural reconnection happens, at which point the new configuration
+ will be used.
+
+ immediate forces a reconnection and so
+ uses the new configuration straight away.
+
+ SSL/TLS Support
@@ -2107,24 +2125,6 @@ topic clients/total in 0 test/mosquitto/org/ $SYS/broker/
can be used on one bridge at once.
-
- [ lazy | immediate ]
-
- If you change bridge options in the configuration file,
- those configuration changes are applied during a bridge
- reconnection. The option
- determines when that reconnection happens, and can be set to either
- lazy or immediate.
-
- lazy is the default, and means
- that any connected bridge will remain in its current state until
- a natural reconnection happens, at which point the new configuration
- will be used.
-
- immediate forces a reconnection and so
- uses the new configuration straight away.
-
- [ true | false ]
@@ -2145,6 +2145,27 @@ topic clients/total in 0 test/mosquitto/org/ $SYS/broker/
connection to succeed.
+
+ cipher:list
+
+
+ The list of allowed ciphers for this bridge, for
+ TLS v1.2 and earlier only, each separated with
+ a colon. Available ciphers can be obtained using
+ the "openssl ciphers" command.
+
+
+
+
+ cipher:list
+
+
+ The list of allowed ciphersuites for this bridge,
+ for TLS v1.3, each separated with a colon.
+
+
+
+
diff --git a/mosquitto.conf b/mosquitto.conf
index 09897c51..51c72fd3 100644
--- a/mosquitto.conf
+++ b/mosquitto.conf
@@ -300,6 +300,10 @@
# Path to the PEM encoded keyfile.
#keyfile
+# Configure the minimum version of the TLS protocol to be used for this listener.
+# Possible values are tlsv1.3, tlsv1.2 and tlsv1.1.
+#tls_version tlsv1.2
+
# If you wish to control which encryption ciphers are used, use the ciphers
# option. The list of available ciphers can be optained using the "openssl
# ciphers" command and should be provided in the same format as the output of
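Review bot: The added `tls_version` comment lists tlsv1.1 as an accepted minimum without mentioning that TLS 1.1 is deprecated (RFC 8996), so an operator copying the sample gets no cue to avoid it. I would add a line such as `# tlsv1.1 is deprecated (RFC 8996); only use it for legacy clients that cannot be upgraded.` The comment also does not say what the listener does when the option is left commented out. That default is not visible in this hunk, so it should be stated here if one exists.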
@@ -878,6 +882,9 @@
# requested. Note that WebSockets support for bridges is not yet available.
#bridge_alpn
+# Require the use of Online Certificate Status Protocol (OCSP) for this bridge
+#bridge_require_ocsp false
+
# When using certificate based encryption, bridge_insecure disables
# verification of the server hostname in the server certificate. This can be
# useful when testing initial server configurations, but makes it possible for
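Review bot: The comment added above `#bridge_require_ocsp false` does not say what happens to the bridge connection when the option is true and no valid OCSP response is available. For a revocation control, that failure mode is what an operator needs to know. I would spell it out, for example `# If set to true, the bridge requires OCSP on the TLS connection it opens as a client.` followed by a sentence on whether the connection is refused when the remote broker supplies no OCSP response; the exact behaviour needs confirming against the implementation, which is not in this diff. The added line also lacks the closing full stop used by the neighbouring comments.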
@@ -893,6 +900,22 @@
# Path to the PEM encoded client private key, if required by the remote broker.
#bridge_keyfile
+# Configure the version of the TLS protocol to be used for this bridge.
+# Possible values are tlsv1.3, tlsv1.2 and tlsv1.1. Defaults to tlsv1.2.
+# The remote broker must support the same version of TLS for the connection to succeed.
+#bridge_tls_version
+
+# If you wish to control which encryption ciphers are used, use the ciphers
+# option. The list of available ciphers can be optained using the "openssl
+# ciphers" command and should be provided in the same format as the output of
+# that command. This applies to TLS 1.2 and earlier versions only. Use
+# bridge_ciphers_tls1.3 for TLS v1.3.
+#bridge_ciphers
+
+# Choose which TLS v1.3 ciphersuites are used for this bridge.
+# Defaults to "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
+#bridge_ciphers_tls1.3
+
# -----------------------------------------------------------------
# PSK based SSL/TLS support
# -----------------------------------------------------------------
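Review bot: The comment above `#bridge_ciphers` tells the reader to "use the ciphers option", which looks copied from the listener section; in this block it should name the bridge key, e.g. `# If you wish to control which encryption ciphers are used, use the bridge_ciphers`, so nobody reaches for the listener option and leaves the bridge on default ciphers. The same added text carries over the typo "optained" (should be "obtained"). The `bridge_tls_version` comment says "the version" where the listener comment in the first mosquitto.conf hunk says "minimum version", and the sentence about the remote broker implies an exact match, so it should state which of the two applies. It also lists tlsv1.1 with no note that it is deprecated (RFC 8996).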