Re: [mosquitto-dev] TLS SNI server_name extension support

Hi Roger,

thank you for your quick reply, and thank you for this great software!

Your patch almost worked, but the OpenSSL macro did not exist and I need this on the client side (so I can use an iPhone and connect to a TLS mosquitto instance).

Please see the further very small changes on top of your patch against 1.4.2:

Actually there are 2 macros to set the TLS extension: either on the ssl instance or the ssl_ctx. Trying to use ssl_ctx did not work for me, so I stayed with your approach using the ssl instance.
I do not know whether this should be before or after the *big instance. It worked in both cases, so I put it before. Also I removed the WITH_BROKER ifdef, since I wanted to use the library to connect from a client to a server.

If you are interested, where this all ends up you can check out:



On 01 Jun 2015, at 16:00, Roger Light <roger@xxxxxxxxxx> wrote:

Hi Jan,

It seems like it's quite easy. This is completely untested, but try against 1.4.2.



On Mon, Jun 1, 2015 at 2:03 PM, Jan Weitz <me@xxxxxxxxxxx> wrote:

Does mosquitto_client support the TLS server_name extension (SNI)?

My use case:

I want to run a mosquitto broker via the MQTT protocol as well as the WEBSOCKET protocol on port 443 to keep firewalls happy.

But I do not want to waste IP addresses for each protocol. The mosquitto library should be used from iOS to connect to the broker via SNI.

The broker setup:

I implement virtual hosting by putting a bunch of independent mosquitto brokers behind a TCP load balancer (HAProxy), doing the SSL termination at each broker instead of at the load balancer. So I am using HAProxy as an SSL relay.

Therefore, the mosquitto client (or every other MQTT client) has to set the 'server_name' in order for HAProxy to route to the correct backend server.

Is this already implemented in mosquitto? Would it be hard to do?

It looks like the Golang mqtt client might already support this by setting the TLSConfig:

Thank you for your help,


A HAProxy config might look like this:

The mosquitto client might connect to `` passing the server_name ``, which will cause HAProxy to route the request to my first broker using the MQTT protocol.

Browsers already support SNI. So a browser might connect to `` as well with the server_name `` and will get the WEBSOCKET protocol.

frontend tlsrelay
  bind *:443
  maxconn 40000
  timeout client 3h
  option tcpka
  tcp-request inspect-delay 1s
  tcp-request content accept if { req_ssl_hello_type 1 }
  default_backend bk_tlsrelay

backend bk_tlsrelay
  option tcpka
  timeout server 3h
  option ssl-hello-chk

  acl acl_broker_0_mqtt req_ssl_sni -i
  acl acl_broker_0_websocket req_ssl_sni -i
  acl acl_broker_1_mqtt req_ssl_sni -i
  acl acl_broker_1_websocket req_ssl_sni -i

  server server_0_mqtt
  server server_0_websocket
  server server_1_mqtt
  server server_1_websocket

  use-server server_0_mqtt if acl_broker_0_mqtt
  use-server server_0_websocket if acl_broker_0_websocket
  use-server server_1_mqtt if acl_broker_1_mqtt
  use-server server_1_websocket if acl_broker_1_websocket
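The routing in the HAProxy config above depends entirely on what the client puts into the server_name extension of its ClientHello, which the relay reads before any decryption happens (that is what req_ssl_sni inspects). The following is an added example, not code from the thread or from mosquitto or HAProxy: it uses only the Python standard library to capture the first flight of a TLS client (the same thing the mosquitto library sends once the OpenSSL SNI macro has been applied), parses the server_name out of it the way a TCP relay must, and maps it to a backend name. The hostnames in the routing table are constructed placeholders standing in for the ones elided from the ACLs in the mail; the four server names are the ones from the config. A client that sets no server_name yields no SNI, so the relay has nothing to route on, which is exactly the situation the patch in this thread fixes for the client library.

```python
import ssl


def capture_client_hello(server_hostname):
    """Drive a TLS client through memory BIOs and return the bytes it
    sends first: one TLS record carrying the ClientHello. No network is
    involved; the handshake stalls as soon as the client wants a reply.
    server_hostname=None models a client that never sets SNI (assumption:
    verification is disabled so the stdlib allows omitting the name)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if server_hostname is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello has been written; the client now waits for the server
    return outgoing.read()


def _u16(buf, pos):
    return int.from_bytes(buf[pos:pos + 2], "big")


def extract_sni(data):
    """Return the host_name from a TLS ClientHello record, or None.
    This mirrors what a TCP-mode relay can see: record header, handshake
    header, then the fixed ClientHello fields up to the extension list."""
    try:
        if len(data) < 5 or data[0] != 0x16:          # 0x16 = handshake record
            return None
        hs = data[5:5 + _u16(data, 3)]
        if len(hs) < 4 or hs[0] != 1:                 # 1 = ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                  # client_version + random
        pos += 1 + body[pos]                          # session_id
        pos += 2 + _u16(body, pos)                    # cipher_suites
        pos += 1 + body[pos]                          # compression_methods
        if pos + 2 > len(body):
            return None                               # no extensions at all
        end = pos + 2 + _u16(body, pos)
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = _u16(body, pos), _u16(body, pos + 2)
            ext = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0:                         # 0 = server_name
                continue
            p = 2                                     # skip server_name_list length
            while p + 3 <= len(ext):
                name_type, name_len = ext[p], _u16(ext, p + 1)
                if name_type == 0:                    # 0 = host_name
                    return ext[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
        return None
    except (IndexError, UnicodeDecodeError):
        return None                                   # malformed: treat as no SNI


# Constructed routing table: placeholder hostnames (not from the thread)
# mapped to the server names used in the HAProxy backend above.
ROUTES = {
    "mqtt.broker0.example.test": "server_0_mqtt",
    "ws.broker0.example.test": "server_0_websocket",
    "mqtt.broker1.example.test": "server_1_mqtt",
    "ws.broker1.example.test": "server_1_websocket",
}


def route_client_hello(data):
    """Pick a backend the way the use-server lines do; '-i' makes the
    HAProxy match case-insensitive, so the name is lowercased first."""
    sni = extract_sni(data)
    return ROUTES.get(sni.lower()) if sni else None


if __name__ == "__main__":
    hello = capture_client_hello("mqtt.broker0.example.test")
    print("with SNI   ->", extract_sni(hello), route_client_hello(hello))
    silent = capture_client_hello(None)
    print("without SNI->", extract_sni(silent), route_client_hello(silent))
```

The parser stops at the server_name extension and never touches the key shares or cipher suites, which is all a relay in TCP mode needs; anything that is not a well-formed ClientHello is reported as "no SNI" so the caller can apply whatever default the backend has.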

mosquitto-dev mailing list
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
