Client and doc ALPN additions

Add ALPN support for all clients, update documentation, and add to ChangeLog.

ChangeLog.txt

@@ -20,6 +20,7 @@ Broker features:
 - Disallow writing to $ topics where appropriate.
 - Fix mosquitto_passwd crashing on corrupt password file. Closes #1207.
 - Add support for OCSP stapling.
+- Add support for ALPN on bridge TLS connections. Closes #924.
 
 Client library features:
 - Add mosquitto_subscribe_multiple() for sending subscriptions to multiple
@@ -28,6 +29,7 @@ Client library features:
 - Add explicit support for TLS v1.3.
 - Drop support for TLS v1.0.
 - Add support for OCSP stapling to bridges.
+- Add support for ALPN on TLS connections. Closes #924.
 
 Client features:
 - Add mosquitto_rr client, which can be used for "request-response" messaging,
@@ -39,6 +41,7 @@ Client features:
   messages on a broker.
 - -V now accepts `5, `311`, `31`, as well as `mqttv5` etc.
 - Add TLS Engine support.
+- Add support for ALPN on TLS connections. Closes #924.
 - Add explicit support for TLS v1.3.
 - Drop support for TLS v1.0.
 

client/client_shared.c

@@ -159,6 +159,7 @@ void client_config_cleanup(struct mosq_config *cfg)
 	free(cfg->certfile);
 	free(cfg->keyfile);
 	free(cfg->ciphers);
+	free(cfg->tls_alpn);
 	free(cfg->tls_version);
 	free(cfg->tls_engine);
 	free(cfg->tls_engine_kpass_sha1);
@@ -870,6 +871,14 @@ int client_config_line_proc(struct mosq_config *cfg, int pub_or_sub, int argc, c
 			}
 			i++;
 #ifdef WITH_TLS
+		}else if(!strcmp(argv[i], "--tls-alpn")){
+			if(i==argc-1){
+				fprintf(stderr, "Error: --tls-alpn argument given but no protocol specified.\n\n");
+				return 1;
+			}else{
+				cfg->tls_alpn = strdup(argv[i+1]);
+			}
+			i++;
 		}else if(!strcmp(argv[i], "--tls-engine")){
 			if(i==argc-1){
 				fprintf(stderr, "Error: --tls-engine argument given but no engine_id specified.\n\n");
@@ -1068,6 +1077,11 @@ int client_opts_set(struct mosquitto *mosq, struct mosq_config *cfg)
 		mosquitto_lib_cleanup();
 		return 1;
 	}
+	if(cfg->tls_alpn && mosquitto_string_option(mosq, MOSQ_OPT_TLS_ALPN, cfg->tls_alpn)){
+		if(!cfg->quiet) fprintf(stderr, "Error: Problem setting TLS ALPN protocol.\n");
+		mosquitto_lib_cleanup();
+		return 1;
+	}
 #  ifdef FINAL_WITH_TLS_PSK
 	if(cfg->psk && mosquitto_tls_psk_set(mosq, cfg->psk, cfg->psk_identity, NULL)){
 		if(!cfg->quiet) fprintf(stderr, "Error: Problem setting TLS-PSK options.\n");

client/client_shared.h

@@ -67,6 +67,7 @@ struct mosq_config {
 	char *keyfile;
 	char *ciphers;
 	bool insecure;
+	char *tls_alpn;
 	char *tls_version;
 	char *tls_engine;
 	char *tls_engine_kpass_sha1;

client/pub_client.c

@@ -266,6 +266,7 @@ void print_usage(void)
 #ifdef WITH_TLS
 	printf("                     [{--cafile file | --capath dir} [--cert file] [--key file]\n");
 	printf("                       [--ciphers ciphers] [--insecure]\n");
+	printf("                       [--tls-alpn protocol]\n");
 	printf("                       [--tls-engine engine] [--keyform keyform] [--tls-engine-kpass-sha1]]\n");
 #ifdef FINAL_WITH_TLS_PSK
 	printf("                     [--psk hex-key --psk-identity identity [--ciphers ciphers]]\n");

client/rr_client.c

@@ -174,8 +174,10 @@ void print_usage(void)
 	printf("                    [--will-topic [--will-payload payload] [--will-qos qos] [--will-retain]]\n");
 #ifdef WITH_TLS
 	printf("                    [{--cafile file | --capath dir} [--cert file] [--key file]\n");
-	printf("                    [--ciphers ciphers] [--insecure]]\n");
-#ifdef WITH_TLS_PSK
+	printf("                      [--ciphers ciphers] [--insecure]\n");
+	printf("                      [--tls-alpn protocol]\n");
+	printf("                      [--tls-engine engine] [--keyform keyform] [--tls-engine-kpass-sha1]]\n");
+#ifdef FINAL_WITH_TLS_PSK
 	printf("                     [--psk hex-key --psk-identity identity [--ciphers ciphers]]\n");
 #endif
 #endif

client/sub_client.c

@@ -185,8 +185,9 @@ void print_usage(void)
 	printf("                     [--will-topic [--will-payload payload] [--will-qos qos] [--will-retain]]\n");
 #ifdef WITH_TLS
 	printf("                     [{--cafile file | --capath dir} [--cert file] [--key file]\n");
-	printf("                      [--ciphers ciphers] [--insecure] [--tls-engine engine]\n");
-	printf("                      [--keyform keyform] [--tls-engine-kpass-sha1]]\n");
+	printf("                       [--ciphers ciphers] [--insecure]\n");
+	printf("                       [--tls-alpn protocol]\n");
+	printf("                       [--tls-engine engine] [--keyform keyform] [--tls-engine-kpass-sha1]]\n");
 #ifdef FINAL_WITH_TLS_PSK
 	printf("                     [--psk hex-key --psk-identity identity [--ciphers ciphers]]\n");
 #endif

lib/mosquitto.h

@@ -2070,6 +2070,10 @@ libmosq_EXPORT void mosquitto_log_callback_set(struct mosquitto *mosq, void (*on
  *	          accessed, this option allows a hex encoded SHA1 hash of the
  *	          private key password to be passed to the engine directly.
  *	          Must be set before <mosquitto_connect>.
+ *	MOSQ_OPT_TLS_ALPN
+ *	          If the broker being connected to has multiple services available
+ *	          on a single TLS port, such as both MQTT and WebSockets, use this
+ *	          option to configure the ALPN option for the connection.
  */
 libmosq_EXPORT int mosquitto_string_option(struct mosquitto *mosq, enum mosq_opt_t option, const char *value);
 

man/mosquitto.conf.5.xml

@@ -1704,6 +1704,14 @@ topic clients/total in 0 test/mosquitto/org $SYS/broker/
 			<para>The following options are available for all bridges to
 				configure SSL/TLS support.</para>
 			<variablelist>
+				<varlistentry>
+					<term><option>bridge_alpn</option> <replaceable>alpn</replaceable></term>
+					<listitem>
+						<para>Configure the application layer protocol negotiation
+							option for the TLS session.  Useful for brokers that support
+							both websockets and MQTT on the same port.</para>
+					</listitem>
+				</varlistentry>
 				<varlistentry>
 					<term><option>bridge_cafile</option> <replaceable>file path</replaceable></term>
 					<listitem>
@@ -1811,14 +1819,6 @@ topic clients/total in 0 test/mosquitto/org $SYS/broker/
 							connection to succeed.</para>
 					</listitem>
 				</varlistentry>
-				<varlistentry>
-					<term><option>bridge_alpn</option> <replaceable>alpn</replaceable></term>
-					<listitem>
-						<para>Configure the application layer protocol negotiation
-							option for the TLS session.  Useful for brokers that support
-							both websockets and MQTT on the same port.</para>
-					</listitem>
-				</varlistentry>
 			</variablelist>
 		</refsect2>
 	</refsect1>

man/mosquitto_pub.1.xml

@@ -63,6 +63,7 @@
 					<arg><option>--key</option> <replaceable>file</replaceable></arg>
 					<arg><option>--ciphers</option> <replaceable>ciphers</replaceable></arg>
 					<arg><option>--tls-version</option> <replaceable>version</replaceable></arg>
+					<arg><option>--tls-alpn</option> <replaceable>protocol</replaceable></arg>
 					<arg><option>--tls-engine</option> <replaceable>engine</replaceable></arg>
 					<arg><option>--keyform</option>
 					<group choice='req'>
@@ -455,6 +456,14 @@
 					<para>The MQTT topic on which to publish the message. See <citerefentry><refentrytitle>mqtt</refentrytitle><manvolnum>7</manvolnum></citerefentry> for more information on MQTT topics.</para>
 				</listitem>
 			</varlistentry>
+			<varlistentry>
+				<term><option>--tls-alpn</option></term>
+				<listitem>
+					<para>Provide a protocol to use when connecting to a broker
+						that has multiple protocols available on a single port,
+						e.g. MQTT and WebSockets.</para>
+				</listitem>
+			</varlistentry>
 			<varlistentry>
 				<term><option>--tls-engine</option></term>
 				<listitem>

man/mosquitto_rr.1.xml

@@ -70,6 +70,7 @@
 					<arg><option>--cert</option> <replaceable>file</replaceable></arg>
 					<arg><option>--key</option> <replaceable>file</replaceable></arg>
 					<arg><option>--tls-version</option> <replaceable>version</replaceable></arg>
+					<arg><option>--tls-alpn</option> <replaceable>protocol</replaceable></arg>
 					<arg><option>--insecure</option></arg>
 				</arg>
 				<arg>
@@ -472,6 +473,13 @@
 				</listitem>
 			</varlistentry>
 			<varlistentry>
+				<term><option>--tls-alpn</option></term>
+				<listitem>
+					<para>Provide a protocol to use when connecting to a broker
+						that has multiple protocols available on a single port,
+						e.g. MQTT and WebSockets.</para>
+				</listitem>
+			</varlistentry>
 				<term><option>--tls-version</option></term>
 				<listitem>
 					<para>Choose which TLS protocol version to use when

man/mosquitto_sub.1.xml

@@ -72,6 +72,7 @@
 					<arg><option>--cert</option> <replaceable>file</replaceable></arg>
 					<arg><option>--key</option> <replaceable>file</replaceable></arg>
 					<arg><option>--tls-version</option> <replaceable>version</replaceable></arg>
+					<arg><option>--tls-alpn</option> <replaceable>protocol</replaceable></arg>
 					<arg><option>--tls-engine</option> <replaceable>engine</replaceable></arg>
 					<arg><option>--keyform</option>
 					<group choice='req'>
@@ -565,6 +566,14 @@ mosquitto_sub -t 'bbc/#' -T bbc/bbc1 --remove-retained</programlisting>
 						topics or topic trees.</para>
 				</listitem>
 			</varlistentry>
+			<varlistentry>
+				<term><option>--tls-alpn</option></term>
+				<listitem>
+					<para>Provide a protocol to use when connecting to a broker
+						that has multiple protocols available on a single port,
+						e.g. MQTT and WebSockets.</para>
+				</listitem>
+			</varlistentry>
 			<varlistentry>
 				<term><option>--tls-engine</option></term>
 				<listitem>

mosquitto.conf

@@ -939,6 +939,11 @@
 # point using encryption.
 #bridge_insecure false
 
+# If the remote broker has more than one protocol available on its port, e.g.
+# MQTT and WebSockets, then use bridge_alpn to configure which protocol is
+# requested. Note that WebSockets support for bridges is not yet available.
+#bridge_alpn
+
 # -----------------------------------------------------------------
 # PSK based SSL/TLS support
 # -----------------------------------------------------------------