Signed-off-by: Brandt Hill <brandtlarsonhill@gmail.com>
Change variable name for clarity. Remember to initialize bool (I'm bad at C).
Signed-off-by: Brandt Hill <brandtlarsonhill@gmail.com>
Add documentation to config man page
Signed-off-by: Brandt Hill <brandtlarsonhill@gmail.com>
Add test case for deny option
Signed-off-by: Brandt Hill <brandtlarsonhill@gmail.com>
Add deny acls to top of the list to preserve early exit
Signed-off-by: Brandt Hill <brandtlarsonhill@gmail.com>
change comments
Signed-off-by: Brandt Hill <brandtlarsonhill@gmail.com>
This adds the ability to separate bridge clean session settings between
the local and remote endpoints. Some broker implementations refuse to allow
non-clean sessions, as they don't support storing messages to be sent to
the connecting broker. However, this doesn't mean that the local
broker can't be queueing messages to send _out_ to the remote broker.
This PR adds a new bridge connection setting, local_cleansession, that
allows controlling this split. Naming is chosen to be local_ in keeping
with the other local_ settings for bridges.
A test for the six cases of queued/not queued messages in both
directions is added, but v5 testing is currently disabled. The changes
to support the split are ~independent of protocol version.
Signed-off-by: Karl Palsson <karlp@etactica.com>
In order to connect to brokers that support both websockets and
mqtt on the same port (such as Amazon IoT), we need to set an
application for the SSL context. This change allows the specification
of an application by using the `bridge_alpn` configuration token.
Signed-off-by: John Hickey <jjh-github@daedalian.us>
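As an added example that is not part of either commit above, here is a mosquitto.conf bridge section combining the two settings they introduce: the remote side is asked for a clean session because that broker refuses persistent ones, the local side keeps a persistent session so outbound messages queue while the link is down, and an ALPN token is set for a remote that serves MQTT and WebSockets on one port. The connection name, host, paths, topics and the ALPN value are assumptions (x-amzn-mqtt-ca is the token AWS IoT documents for certificate-authenticated MQTT on port 443; substitute whatever the remote expects).

```conf
# Added example; connection name, host, paths and topics are placeholders.
connection edge-to-cloud
address broker.example.com:443

# The remote broker refuses non-clean sessions, so request a clean session there ...
cleansession true
# ... but keep the local session persistent so messages bound for the remote are
# queued while the bridge is disconnected (the split provided by local_cleansession).
local_cleansession false

# QoS 1 so queued messages are retained across a disconnect; QoS 0 is dropped by default.
topic telemetry/# out 1
topic commands/# in 1

# TLS to the remote; the ALPN token selects MQTT on a port shared with WebSockets.
# x-amzn-mqtt-ca is an assumed value taken from AWS IoT's documentation.
bridge_cafile /etc/mosquitto/certs/remote-ca.pem
bridge_certfile /etc/mosquitto/certs/bridge.crt
bridge_keyfile /etc/mosquitto/certs/bridge.key
bridge_alpn x-amzn-mqtt-ca
```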
Some OpenSSL engines (selectable via tls_engine option) may require a
password to make use of private keys created with them in the first place.
The TPM engine for example, will require a password to access the underlying
TPM's Storage Root Key (SRK), which is the root key of a hierarchy of keys
associated with a TPM; it is generated within a TPM and is a non-migratable
key. Each owned TPM contains a SRK, generated by the TPM at the request
of the Owner. [1]
By default, the engine will prompt the user to introduce the SRK password
before any private keys created with the engine can be used. This could
be inconvenient when running on an unattended system.
Here's where the new tls_engine_kpass_sha option comes in handy. The user
can specify a SHA1 hash of its engine private key password via command
line or config file and it will be passed on to the engine directly.
This commit adds support for both clients (libmosquitto) and broker.
[1] https://goo.gl/qQoXBY
Signed-off-by: Nicolás Pernas Maradei <nicopernas@gmail.com>
Add same OpenSSL engine support to mosquitto (server side) previously added to
client side only.
Signed-off-by: Nicolás Pernas Maradei <nicopernas@gmail.com>
- Clients can now offload crypto tasks to an external crypto device through
the OpenSSL ENGINE API.
- The keyfiles can now be treated as PEM or ENGINE keys.
- Two new functions were added to libmosquitto to set up the previously
mentioned features.
- Both mosquitto_sub and mosquitto_pub include support to turn on the mentioned
features through command line options.
Signed-off-by: Nicolás Pernas Maradei <nicopernas@gmail.com>
This comes in the form of:
* Per listener maximum_qos option, which can be in the range 0-2.
* Changes to mosquitto_publish*() to return MOSQ_ERR_QOS_NOT_SUPPORTED
if attempting to publish with a higher QoS than supported.
* Bridges will downgrade messages to match the maximum QoS.
More tests on the broker side (specifically bridges) are required. This
needs bridge support for MQTT 5 first.
This causes the client to exit immediately after its subscriptions are
acknowledged by the broker, and can be used to create a durable client
session without requiring messages to be delivered.
Closes #952.