[mosquitto-dev] TLS SNI server_name extension support


Does mosquitto_client support the TLS server_name extension (SNI)?

My use case:

I want to run a mosquitto broker via the MQTT protocol as well as the WEBSOCKET protocol on port 443 to keep firewalls happy.

But I do not want to waste IP addresses for each protocol. The mosquitto library should be used from iOS to connect to the broker via SNI.

The broker setup:

I implement virtual hosting by putting a bunch of independent mosquitto brokers behind a TCP load balancer (HAProxy), doing the SSL termination at each broker instead of at the load balancer. So I am using HAProxy as an SSL relay.

Therefore, the mosquitto client (or every other MQTT client) has to set the ‘server_name’ in order for HAProxy to route to the correct backend server.

Is this already implemented in mosquitto? Would it be hard to do?

It looks like the Golang mqtt client might already support this by setting the TLSConfig:

Thank you for your help,


The mosquitto client might connect to `` passing the server_name `` which will cause HAProxy to route the request to my first broker using the MQTT protocol.

Browsers already support SNI. So a browser might connect to `` as well with the server_name `` and will get the WEBSOCKET protocol.

A HAProxy config might look like this:

frontend tlsrelay
  bind *:443
  maxconn 40000
  timeout client 3h
  option tcpka
  tcp-request inspect-delay 1s
  tcp-request content accept if { req_ssl_hello_type 1 }
  default_backend bk_tlsrelay

backend bk_tlsrelay
  option tcpka
  timeout server 3h
  option ssl-hello-chk

  acl acl_broker_0_mqtt req_ssl_sni -i
  acl acl_broker_0_websocket req_ssl_sni -i
  acl acl_broker_1_mqtt req_ssl_sni -i
  acl acl_broker_1_websocket req_ssl_sni -i

  server server_0_mqtt
  server server_0_websocket
  server server_1_mqtt
  server server_1_websocket

  use-server server_0_mqtt if acl_broker_0_mqtt
  use-server server_0_websocket if acl_broker_0_websocket
  use-server server_1_mqtt if acl_broker_1_mqtt
  use-server server_1_websocket if acl_broker_1_websocket
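An added example (not part of the original post, and not code from the mosquitto or HAProxy projects) of what the `req_ssl_sni` ACLs above match on. Python's ssl module is used to produce a genuine ClientHello against memory BIOs, once with a server_hostname and once without; a small parser pulls the server_name out of the raw record the way HAProxy's `req_ssl_sni` fetch does, and a routing table mirrors the `use-server` rules of the backend. The hostnames (mqtt-0.example.com and friends) and the backend name `default` are assumptions standing in for the values elided in the post.

```python
import ssl

# Constructed SNI -> backend table standing in for the post's elided
# hostnames; it mirrors the use-server rules in the HAProxy config above.
ROUTES = {
    "mqtt-0.example.com": "server_0_mqtt",
    "ws-0.example.com": "server_0_websocket",
    "mqtt-1.example.com": "server_1_mqtt",
    "ws-1.example.com": "server_1_websocket",
}
DEFAULT_BACKEND = "default"  # assumed name for "no use-server rule matched"


def client_hello_for(server_hostname):
    """Return the raw bytes of the ClientHello that Python's ssl module
    would send for the given hostname (None = no SNI extension at all).
    Nothing touches the network: the handshake runs against memory BIOs."""
    ctx = ssl.create_default_context()
    if server_hostname is None:
        # Without a hostname there is nothing to verify the cert against,
        # so the context must allow that; this models a client omitting SNI.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    obj = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        obj.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello has been written and the client waits for the server
    return outgoing.read()


def _u16(b, pos):
    return int.from_bytes(b[pos:pos + 2], "big")


def parse_sni(data):
    """Extract the server_name (RFC 6066) from a TLS ClientHello record, or
    return None when the extension is absent. Raises ValueError when the
    bytes are not a ClientHello, i.e. what the 'req_ssl_hello_type 1'
    guard in the frontend rejects."""
    if len(data) < 5 or data[0] != 0x16:          # record type 22 = handshake
        raise ValueError("not a TLS handshake record")
    body = data[5:5 + _u16(data, 3)]
    if len(body) < 4 or body[0] != 0x01:          # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                  # client_version + random
    pos += 1 + hello[pos]                         # session_id
    pos += 2 + _u16(hello, pos)                   # cipher_suites
    pos += 1 + hello[pos]                         # compression_methods
    if pos + 2 > len(hello):
        return None                               # no extensions block at all
    end = pos + 2 + _u16(hello, pos)
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = _u16(hello, pos), _u16(hello, pos + 2)
        ext = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0:                         # extension 0 = server_name
            continue
        lpos = 2                                  # skip ServerNameList length
        while lpos + 3 <= len(ext):
            name_type, name_len = ext[lpos], _u16(ext, lpos + 1)
            name = ext[lpos + 3:lpos + 3 + name_len]
            lpos += 3 + name_len
            if name_type == 0:                    # name type 0 = host_name
                return name.decode("ascii")
    return None


def route(client_hello):
    """Pick a backend the way 'acl ... req_ssl_sni -i' plus use-server does:
    case-insensitive match on the SNI host, default when absent or unknown."""
    sni = parse_sni(client_hello)
    if sni is None:
        return DEFAULT_BACKEND
    return ROUTES.get(sni.lower(), DEFAULT_BACKEND)


if __name__ == "__main__":
    for host in ["mqtt-0.example.com", "ws-1.example.com", "other.example.com", None]:
        print(host, "->", route(client_hello_for(host)))
```

The `None` case is the one the question is really about: a client that does not send SNI gives the relay nothing to match, and in the config above no `use-server` rule fires for it, so HAProxy falls back to its ordinary load-balancing choice among the four servers rather than a deliberate default. Verifying what a given client actually puts in its ClientHello (as `client_hello_for` does here for Python) is the quickest way to confirm an MQTT library is usable behind such a relay.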
