Some OpenSSL engines (selectable via tls_engine option) may require a
password to make use of private keys created with them in the first place.
The TPM engine for example, will require a password to access the underlying
TPM's Storage Root Key (SRK), which is the root key of a hierarchy of keys
associated with a TPM; it is generated within a TPM and is a non-migratable
key. Each owned TPM contains a SRK, generated by the TPM at the request
of the Owner. [1]
By default, the engine will prompt the user to introduce the SRK password
before any private keys created with the engine can be used. This could
be inconvenient when running on an unattended system.
Here's where the new tls_engine_kpass_sha option comes in handy. The user
can specify a SHA1 hash of its engine private key password via command
line or config file and it will be passed on to the engine directly.
This commit adds support for both clients (libmosquitto) and broker.
[1] https://goo.gl/qQoXBY
Signed-off-by: Nicolás Pernas Maradei <nicopernas@gmail.com>
Add same OpenSSL engine support to mosquitto (server side) previously added to
client side only.
Signed-off-by: Nicolás Pernas Maradei <nicopernas@gmail.com>
This comes in the form of:
* Per listener maximum_qos option, which can be in the range 0-2.
* Changes to mosquitto_publish*() to return MOSQ_ERR_QOS_NOT_SUPPORTED
if attempting to publish with a higher QoS than supported.
* Bridges will downgrade messages to match the maximum QoS.
More tests on the broker side (specifically bridges) are required. This
needs bridge support for MQTT 5 first.
Adding OCSP Stapling support to mosquitto, so that the TLS client side
requests the certificate status and checks it.
This code uses the OpenSSL-based OCSP implementation and is somewhat
based on the libcurl code for OCSP stapling.
Signed-off-by: Dr. Lars Voelker <lars.voelker@bmw.de>
Auth plugins can be configured to disable the check for +# in
usernames/client ids with the auth_plugin_deny_special_chars option.
Thanks to wiebeytec.
Bug: https://github.com/eclipse/mosquitto/issues/462
This update adds an option to only publishes bridge
notification messages to the local side of the bridge.
It adds a config file option called notifications_local_only
that accepts a boolean value, defaults to false to be
consistent with existing behaviour.
Fixes#233
Signed-off-by: Ben Hardill <hardillb@uk.ibm.com>
Limiting queued message depth purely based on message count is hard to
control for memory constrained devices. The size of messages can vary
wildly, from a few bytes, to a few kilobytes. Support a new
max_queued_bytes option, and drop packets when the first limit is
reached. Option defaults to 0 (disabled) by default.
Support also a max_inflight_bytes variable, with similar behaviour.
Fixes (partof) https://github.com/eclipse/mosquitto/issues/100
This pulls up some helper routines for calculating whether to allow
inflight or queuing, resolving some inconsistences in connection
resumption.
Signed-off-by: Karl Palsson <karlp@etactica.com>
This change in behaviour can be justified by considering when the
timeout may have occurred.
* If a connection is unreliable and has dropped, but without one end
noticing, the messages will be retried on reconnection. Sending
additional PUBLISH or PUBREL would not have changed anything.
* If a client is overloaded/unable to respond/has a slow connection then
sending additional PUBLISH or PUBREL would not help the client catch
up. Once the backlog has cleared the client will respond. If it is not
able to catch up, sending additional duplicates would not help either.
