MTX-3853 Update mosquitto to v 1.6.10

6 files changed, 548 insertions, 459 deletions

diff --git a/recipes-connectivity/mosquitto/mosquitto/config_mk.patch b/recipes-connectivity/mosquitto/mosquitto/config_mk.patch
deleted file mode 100644
index 437022c..0000000
--- a/recipes-connectivity/mosquitto/mosquitto/config_mk.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-diff -Naur old/config.mk new/config.mk
---- old/config.mk	2017-04-17 14:33:32.504351936 -0500
-+++ new/config.mk	2017-04-17 14:34:27.061557282 -0500
-@@ -83,9 +83,9 @@
- # Strip executables and shared libraries on install.
- WITH_STRIP:=no
-
- # Build static libraries
--WITH_STATIC_LIBRARIES:=no
-+WITH_STATIC_LIBRARIES:=yes
-
- # Build with async dns lookup support for bridges (temporary). Requires glibc.
- #WITH_ADNS:=yes
-
-@@ -272,7 +272,7 @@
- endif
- 
- INSTALL?=install
--prefix=/usr/local
-+prefix=/usr
- mandir=${prefix}/share/man
- localedir=${prefix}/share/locale
- STRIP?=strip
-
-
-
-
diff --git a/recipes-connectivity/mosquitto/mosquitto/mosquitto.conf b/recipes-connectivity/mosquitto/mosquitto/mosquitto.conf
index 25821b8..6b861d6 100644
--- a/recipes-connectivity/mosquitto/mosquitto/mosquitto.conf
+++ b/recipes-connectivity/mosquitto/mosquitto/mosquitto.conf
@@ -4,84 +4,136 @@
 #
 # Default values are shown, uncomment to change.
 #
-# Use the # character to indicate a comment, but only if it is the 
+# Use the # character to indicate a comment, but only if it is the
 # very first character on the line.
 
 # =================================================================
 # General configuration
 # =================================================================
 
-# Time in seconds to wait before resending an outgoing QoS=1 or 
-# QoS=2 message.
-#retry_interval 20
-
-# Time in seconds between updates of the $SYS tree.
-# Set to 0 to disable the publishing of the $SYS tree.
-#sys_interval 10
+# Use per listener security settings.
+#
+# It is recommended this option be set before any other options.
+#
+# If this option is set to true, then all authentication and access control
+# options are controlled on a per listener basis. The following options are
+# affected:
+#
+# password_file acl_file psk_file auth_plugin auth_opt_* allow_anonymous
+# auto_id_prefix allow_zero_length_clientid
+#
+# Note that if set to true, then a durable client (i.e. with clean session set
+# to false) that has disconnected will use the ACL settings defined for the
+# listener that it was most recently connected to.
+#
+# The default behaviour is for this to be set to false, which maintains the
+# setting behaviour from previous versions of mosquitto.
+#per_listener_settings false
 
-# Time in seconds between cleaning the internal message store of 
-# unreferenced messages. Lower values will result in lower memory 
-# usage but more processor time, higher values will have the 
-# opposite effect.
-# Setting a value of 0 means the unreferenced messages will be 
-# disposed of as quickly as possible.
-#store_clean_interval 10
 
-# Write process id to a file. Default is a blank string which means 
-# a pid file shouldn't be written.
-# This should be set to /var/run/mosquitto.pid if mosquitto is
-# being run automatically on boot with an init script and 
-# start-stop-daemon or similar.
-pid_file /var/run/mosquitto.pid
+# If a client is subscribed to multiple subscriptions that overlap, e.g. foo/#
+# and foo/+/baz , then MQTT expects that when the broker receives a message on
+# a topic that matches both subscriptions, such as foo/bar/baz, then the client
+# should only receive the message once.
+# Mosquitto keeps track of which clients a message has been sent to in order to
+# meet this requirement. The allow_duplicate_messages option allows this
+# behaviour to be disabled, which may be useful if you have a large number of
+# clients subscribed to the same set of topics and are very concerned about
+# minimising memory usage.
+# It can be safely set to true if you know in advance that your clients will
+# never have overlapping subscriptions, otherwise your clients must be able to
+# correctly deal with duplicate messages even when then have QoS=2.
+#allow_duplicate_messages false
 
-# When run as root, drop privileges to this user and its primary 
-# group.
-# Leave blank to stay as root, but this is not recommended.
-# If run as a non-root user, this setting has no effect.
-# Note that on Windows this has no effect and so mosquitto should 
-# be started by the user you wish it to run as.
-user root
+# This option controls whether a client is allowed to connect with a zero
+# length client id or not. This option only affects clients using MQTT v3.1.1
+# and later. If set to false, clients connecting with a zero length client id
+# are disconnected. If set to true, clients will be allocated a client id by
+# the broker. This means it is only useful for clients with clean session set
+# to true.
+#allow_zero_length_clientid true
 
-# The maximum number of QoS 1 and 2 messages currently inflight per 
+# If allow_zero_length_clientid is true, this option allows you to set a prefix
+# to automatically generated client ids to aid visibility in logs.
+# Defaults to 'auto-'
+#auto_id_prefix auto-
+
+# This option affects the scenario when a client subscribes to a topic that has
+# retained messages. It is possible that the client that published the retained
+# message to the topic had access at the time they published, but that access
+# has been subsequently removed. If check_retain_source is set to true, the
+# default, the source of a retained message will be checked for access rights
+# before it is republished. When set to false, no check will be made and the
+# retained message will always be published. This affects all listeners.
+#check_retain_source true
+
+# QoS 1 and 2 messages will be allowed inflight per client until this limit
+# is exceeded.  Defaults to 0. (No maximum)
+# See also max_inflight_messages
+#max_inflight_bytes 0
+
+# The maximum number of QoS 1 and 2 messages currently inflight per
 # client.
-# This includes messages that are partway through handshakes and 
-# those that are being retried. Defaults to 20. Set to 0 for no 
-# maximum. Setting to 1 will guarantee in-order delivery of QoS 1 
+# This includes messages that are partway through handshakes and
+# those that are being retried. Defaults to 20. Set to 0 for no
+# maximum. Setting to 1 will guarantee in-order delivery of QoS 1
 # and 2 messages.
 #max_inflight_messages 20
 
-# The maximum number of QoS 1 and 2 messages to hold in a queue 
-# above those that are currently in-flight.  Defaults to 100. Set 
+# For MQTT v5 clients, it is possible to have the server send a "server
+# keepalive" value that will override the keepalive value set by the client.
+# This is intended to be used as a mechanism to say that the server will
+# disconnect the client earlier than it anticipated, and that the client should
+# use the new keepalive value. The max_keepalive option allows you to specify
+# that clients may only connect with keepalive less than or equal to this
+# value, otherwise they will be sent a server keepalive telling them to use
+# max_keepalive. This only applies to MQTT v5 clients. The maximum value
+# allowable is 65535. Do not set below 10.
+#max_keepalive 65535
+
+# For MQTT v5 clients, it is possible to have the server send a "maximum packet
+# size" value that will instruct the client it will not accept MQTT packets
+# with size greater than max_packet_size bytes. This applies to the full MQTT
+# packet, not just the payload. Setting this option to a positive value will
+# set the maximum packet size to that number of bytes. If a client sends a
+# packet which is larger than this value, it will be disconnected. This applies
+# to all clients regardless of the protocol version they are using, but v3.1.1
+# and earlier clients will of course not have received the maximum packet size
+# information. Defaults to no limit. Setting below 20 bytes is forbidden
+# because it is likely to interfere with ordinary client operation, even with
+# very small payloads.
+#max_packet_size 0
+
+# QoS 1 and 2 messages above those currently in-flight will be queued per
+# client until this limit is exceeded.  Defaults to 0. (No maximum)
+# See also max_queued_messages.
+# If both max_queued_messages and max_queued_bytes are specified, packets will
+# be queued until the first limit is reached.
+#max_queued_bytes 0
+
+# The maximum number of QoS 1 and 2 messages to hold in a queue per client
+# above those that are currently in-flight.  Defaults to 100. Set
 # to 0 for no maximum (not recommended).
 # See also queue_qos0_messages.
+# See also max_queued_bytes.
 #max_queued_messages 100
-
-# Set to true to queue messages with QoS 0 when a persistent client is
-# disconnected. These messages are included in the limit imposed by
-# max_queued_messages.
-# Defaults to false.
-# This is a non-standard option for the MQTT v3.1 spec but is allowed in
-# v3.1.1.
-#queue_qos0_messages false
+#
+# This option sets the maximum number of heap memory bytes that the broker will
+# allocate, and hence sets a hard limit on memory use by the broker.  Memory
+# requests that exceed this value will be denied. The effect will vary
+# depending on what has been denied. If an incoming message is being processed,
+# then the message will be dropped and the publishing client will be
+# disconnected. If an outgoing message is being sent, then the individual
+# message will be dropped and the receiving client will be disconnected.
+# Defaults to no limit.
+#memory_limit 0
 
 # This option sets the maximum publish payload size that the broker will allow.
 # Received messages that exceed this size will not be accepted by the broker.
 # The default value is 0, which means that all valid MQTT messages are
-# accepted. MQTT imposes a maximum payload size of 268435455 bytes. 
+# accepted. MQTT imposes a maximum payload size of 268435455 bytes.
 #message_size_limit 0
 
-# This option controls whether a client is allowed to connect with a zero
-# length client id or not. This option only affects clients using MQTT v3.1.1
-# and later. If set to false, clients connecting with a zero length client id
-# are disconnected. If set to true, clients will be allocated a client id by
-# the broker. This means it is only useful for clients with clean session set
-# to true.
-#allow_zero_length_clientid true
-
-# If allow_zero_length_clientid is true, this option allows you to set a prefix
-# to automatically generated client ids to aid visibility in logs.
-#auto_id_prefix
-
 # This option allows persistent clients (those with clean session set to false)
 # to be removed if they do not reconnect within a certain time frame.
 #
@@ -101,19 +153,34 @@ user root
 # The default if not set is to never expire persistent clients.
 #persistent_client_expiration
 
-# If a client is subscribed to multiple subscriptions that overlap, e.g. foo/#
-# and foo/+/baz , then MQTT expects that when the broker receives a message on
-# a topic that matches both subscriptions, such as foo/bar/baz, then the client
-# should only receive the message once.
-# Mosquitto keeps track of which clients a message has been sent to in order to
-# meet this requirement. The allow_duplicate_messages option allows this
-# behaviour to be disabled, which may be useful if you have a large number of
-# clients subscribed to the same set of topics and are very concerned about
-# minimising memory usage.
-# It can be safely set to true if you know in advance that your clients will
-# never have overlapping subscriptions, otherwise your clients must be able to
-# correctly deal with duplicate messages even when then have QoS=2.
-#allow_duplicate_messages false
+# Write process id to a file. Default is a blank string which means
+# a pid file shouldn't be written.
+# This should be set to /var/run/mosquitto.pid if mosquitto is
+# being run automatically on boot with an init script and
+# start-stop-daemon or similar.
+#pid_file
+
+# Set to true to queue messages with QoS 0 when a persistent client is
+# disconnected. These messages are included in the limit imposed by
+# max_queued_messages and max_queued_bytes
+# Defaults to false.
+# This is a non-standard option for the MQTT v3.1 spec but is allowed in
+# v3.1.1.
+#queue_qos0_messages false
+
+# Set to false to disable retained message support. If a client publishes a
+# message with the retain bit set, it will be disconnected if this is set to
+# false.
+#retain_available true
+
+# Disable Nagle's algorithm on client sockets. This has the effect of reducing
+# latency of individual messages at the potential cost of increasing the number
+# of packets being sent.
+#set_tcp_nodelay false
+
+# Time in seconds between updates of the $SYS tree.
+# Set to 0 to disable the publishing of the $SYS tree.
+#sys_interval 10
 
 # The MQTT specification requires that the QoS of a message delivered to a
 # subscriber is never upgraded to match the QoS of the subscription. Enabling
@@ -122,12 +189,20 @@ user root
 # This is a non-standard option explicitly disallowed by the spec.
 #upgrade_outgoing_qos false
 
+# When run as root, drop privileges to this user and its primary
+# group.
+# Set to root to stay as root, but this is not recommended.
+# If run as a non-root user, this setting has no effect.
+# Note that on Windows this has no effect and so mosquitto should
+# be started by the user you wish it to run as.
+user root
+
 # =================================================================
 # Default listener
 # =================================================================
 
 # IP address/hostname to bind the default listener to. If not
-# given, the default listener will not be bound to a specific 
+# given, the default listener will not be bound to a specific
 # address and so will be accessible to all network interfaces.
 # bind_address ip-address/host name
 bind_address 127.0.0.1
@@ -135,11 +210,25 @@ bind_address 127.0.0.1
 # Port to use for the default listener.
 port 1883
 
-# The maximum number of client connections to allow. This is 
+# Bind the listener to a specific interface. This is similar to
+# bind_address above but is useful when an interface has multiple addresses or
+# the address may change. It is valid to use this with the bind_address option,
+# but take care that the interface you are binding to contains the address you
+# are binding to, otherwise you will not be able to connect.
+# Example: bind_interface eth0
+#bind_interface
+
+# When a listener is using the websockets protocol, it is possible to serve
+# http data as well. Set http_dir to a directory which contains the files you
+# wish to serve. If this option is not specified, then no normal http
+# connections will be possible.
+#http_dir
+
+# The maximum number of client connections to allow. This is
 # a per listener setting.
 # Default is -1, which means unlimited connections.
-# Note that other process limits mean that unlimited connections 
-# are not really possible. Typically the default maximum number of 
+# Note that other process limits mean that unlimited connections
+# are not really possible. Typically the default maximum number of
 # connections possible is around 1024.
 #max_connections -1
 
@@ -150,12 +239,6 @@ port 1883
 # only the cafile, certfile, keyfile and ciphers options are supported.
 protocol mqtt
 
-# When a listener is using the websockets protocol, it is possible to serve
-# http data as well. Set http_dir to a directory which contains the files you
-# wish to serve. If this option is not specified, then no normal http
-# connections will be possible.
-#http_dir
-
 # Set use_username_as_clientid to true to replace the clientid that a client
 # connected with with its username. This allows authentication to be tied to
 # the clientid, which means that it is possible to prevent one client
@@ -169,21 +252,21 @@ protocol mqtt
 # -----------------------------------------------------------------
 # Certificate based SSL/TLS support
 # -----------------------------------------------------------------
-# The following options can be used to enable SSL/TLS support for 
+# The following options can be used to enable SSL/TLS support for
 # this listener. Note that the recommended port for MQTT over TLS
 # is 8883, but this must be set manually.
 #
 # See also the mosquitto-tls man page.
 
-# At least one of cafile or capath must be defined. They both 
-# define methods of accessing the PEM encoded Certificate 
-# Authority certificates that have signed your server certificate 
+# At least one of cafile or capath must be defined. They both
+# define methods of accessing the PEM encoded Certificate
+# Authority certificates that have signed your server certificate
 # and that you wish to trust.
 # cafile defines the path to a file containing the CA certificates.
 # capath defines a directory that will be searched for files
 # containing the CA certificates. For capath to work correctly, the
 # certificate files must have ".crt" as the file ending and you must run
-# "c_rehash <path to capath>" each time you add/remove a certificate.
+# "openssl rehash <path to capath>" each time you add/remove a certificate.
 #cafile
 #capath
 
@@ -193,12 +276,24 @@ protocol mqtt
 # Path to the PEM encoded keyfile.
 #keyfile
 
-# This option defines the version of the TLS protocol to use for this listener.
-# The default value allows v1.2, v1.1 and v1.0, if they are all supported by
-# the version of openssl that the broker was compiled against. For openssl >=
-# 1.0.1 the valid values are tlsv1.2 tlsv1.1 and tlsv1. For openssl < 1.0.1 the
-# valid values are tlsv1.
-#tls_version
+
+# If you have require_certificate set to true, you can create a certificate
+# revocation list file to revoke access to particular client certificates. If
+# you have done this, use crlfile to point to the PEM encoded revocation file.
+#crlfile
+
+# If you wish to control which encryption ciphers are used, use the ciphers
+# option. The list of available ciphers can be obtained using the "openssl
+# ciphers" command and should be provided in the same format as the output of
+# that command.
+# If unset defaults to DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
+#ciphers DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
+
+# To allow the use of ephemeral DH key exchange, which provides forward
+# security, the listener must load DH parameters. This can be specified with
+# the dhparamfile option. The dhparamfile can be generated with the command
+# e.g. "openssl dhparam -out dhparam.pem 2048"
+#dhparamfile
 
 # By default a TLS enabled listener will operate in a similar fashion to a
 # https enabled web server, in that the server has a certificate signed by a CA
@@ -209,22 +304,23 @@ protocol mqtt
 # outside of the mechanisms provided by MQTT.
 #require_certificate false
 
+# This option defines the version of the TLS protocol to use for this listener.
+# The default value allows all of v1.3, v1.2 and v1.1. The valid values are
+# tlsv1.3 tlsv1.2 and tlsv1.1.
+#tls_version
+
 # If require_certificate is true, you may set use_identity_as_username to true
 # to use the CN value from the client certificate as a username. If this is
 # true, the password_file option will not be used for this listener.
+# This takes priority over use_subject_as_username.
+# See also use_subject_as_username.
 #use_identity_as_username false
 
-# If you have require_certificate set to true, you can create a certificate
-# revocation list file to revoke access to particular client certificates. If
-# you have done this, use crlfile to point to the PEM encoded revocation file.
-#crlfile
-
-# If you wish to control which encryption ciphers are used, use the ciphers
-# option. The list of available ciphers can be optained using the "openssl
-# ciphers" command and should be provided in the same format as the output of
-# that command.
-# If unset defaults to DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
-#ciphers DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
+# If require_certificate is true, you may set use_subject_as_username to true
+# to use the complete subject value from the client certificate as a username.
+# If this is true, the password_file option will not be used for this listener.
+# See also use_identity_as_username
+#use_subject_as_username false
 
 # -----------------------------------------------------------------
 # Pre-shared-key based SSL/TLS support
@@ -245,40 +341,60 @@ protocol mqtt
 # used or create a security plugin to handle them.
 #psk_hint
 
+# When using PSK, the encryption ciphers used will be chosen from the list of
+# available PSK ciphers. If you want to control which ciphers are available,
+# use the "ciphers" option.  The list of available ciphers can be obtained
+# using the "openssl ciphers" command and should be provided in the same format
+# as the output of that command.
+#ciphers
+
 # Set use_identity_as_username to have the psk identity sent by the client used
 # as its username. Authentication will be carried out using the PSK rather than
 # the MQTT username/password and so password_file will not be used for this
 # listener.
 #use_identity_as_username false
 
-# When using PSK, the encryption ciphers used will be chosen from the list of
-# available PSK ciphers. If you want to control which ciphers are available,
-# use the "ciphers" option.  The list of available ciphers can be optained
-# using the "openssl ciphers" command and should be provided in the same format
-# as the output of that command.
-#ciphers
 
 # =================================================================
 # Extra listeners
 # =================================================================
 
-# Listen on a port/ip address combination. By using this variable 
-# multiple times, mosquitto can listen on more than one port. If 
-# this variable is used and neither bind_address nor port given, 
+# Listen on a port/ip address combination. By using this variable
+# multiple times, mosquitto can listen on more than one port. If
+# this variable is used and neither bind_address nor port given,
 # then the default listener will not be started.
-# The port number to listen on must be given. Optionally, an ip 
-# address or host name may be supplied as a second argument. In 
-# this case, mosquitto will attempt to bind the listener to that 
-# address and so restrict access to the associated network and 
+# The port number to listen on must be given. Optionally, an ip
+# address or host name may be supplied as a second argument. In
+# this case, mosquitto will attempt to bind the listener to that
+# address and so restrict access to the associated network and
 # interface. By default, mosquitto will listen on all interfaces.
+# Note that for a websockets listener it is not possible to bind to a host
+# name.
 # listener port-number [ip address/host name]
 #listener
 
-# The maximum number of client connections to allow. This is 
+# Bind the listener to a specific interface. This is similar to
+# the [ip address/host name] part of the listener definition, but is useful
+# when an interface has multiple addresses or the address may change. It is
+# valid to use this with the [ip address/host name] part of the listener
+# definition, but take care that the interface you are binding to contains the
+# address you are binding to, otherwise you will not be able to connect.
+# Only available on Linux and requires elevated privileges.
+#
+# Example: bind_interface eth0
+#bind_interface
+
+# When a listener is using the websockets protocol, it is possible to serve
+# http data as well. Set http_dir to a directory which contains the files you
+# wish to serve. If this option is not specified, then no normal http
+# connections will be possible.
+#http_dir
+
+# The maximum number of client connections to allow. This is
 # a per listener setting.
 # Default is -1, which means unlimited connections.
-# Note that other process limits mean that unlimited connections 
-# are not really possible. Typically the default maximum number of 
+# Note that other process limits mean that unlimited connections
+# are not really possible. Typically the default maximum number of
 # connections possible is around 1024.
 #max_connections -1
 
@@ -294,12 +410,6 @@ protocol mqtt
 # cafile, certfile, keyfile and ciphers options are supported.
 protocol mqtt
 
-# When a listener is using the websockets protocol, it is possible to serve
-# http data as well. Set http_dir to a directory which contains the files you
-# wish to serve. If this option is not specified, then no normal http
-# connections will be possible.
-#http_dir
-
 # Set use_username_as_clientid to true to replace the clientid that a client
 # connected with with its username. This allows authentication to be tied to
 # the clientid, which means that it is possible to prevent one client
@@ -310,6 +420,13 @@ protocol mqtt
 # See also use_identity_as_username.
 #use_username_as_clientid
 
+# Change the websockets headers size. This is a global option, it is not
+# possible to set per listener. This option sets the size of the buffer used in
+# the libwebsockets library when reading HTTP headers. If you are passing large
+# header data such as cookies then you may need to increase this value. If left
+# unset, or set to 0, then the default of 1024 bytes will be used.
+#websockets_headers_size
+
 # -----------------------------------------------------------------
 # Certificate based SSL/TLS support
 # -----------------------------------------------------------------
@@ -329,7 +446,7 @@ protocol mqtt
 # capath defines a directory that will be searched for files
 # containing the CA certificates. For capath to work correctly, the
 # certificate files must have ".crt" as the file ending and you must run
-# "c_rehash <path to capath>" each time you add/remove a certificate.
+# "openssl rehash <path to capath>" each time you add/remove a certificate.
 #cafile
 #capath
 
@@ -339,6 +456,24 @@ protocol mqtt
 # Path to the PEM encoded keyfile.
 #keyfile
 
+
+# If you wish to control which encryption ciphers are used, use the ciphers
+# option. The list of available ciphers can be optained using the "openssl
+# ciphers" command and should be provided in the same format as the output of
+# that command.
+#ciphers
+
+# If you have require_certificate set to true, you can create a certificate
+# revocation list file to revoke access to particular client certificates. If
+# you have done this, use crlfile to point to the PEM encoded revocation file.
+#crlfile
+
+# To allow the use of ephemeral DH key exchange, which provides forward
+# security, the listener must load DH parameters. This can be specified with
+# the dhparamfile option. The dhparamfile can be generated with the command
+# e.g. "openssl dhparam -out dhparam.pem 2048"
+#dhparamfile
+
 # By default an TLS enabled listener will operate in a similar fashion to a
 # https enabled web server, in that the server has a certificate signed by a CA
 # and the client will verify that it is a trusted certificate. The overall aim
@@ -353,17 +488,6 @@ protocol mqtt
 # true, the password_file option will not be used for this listener.
 #use_identity_as_username false
 
-# If you have require_certificate set to true, you can create a certificate
-# revocation list file to revoke access to particular client certificates. If
-# you have done this, use crlfile to point to the PEM encoded revocation file.
-#crlfile
-
-# If you wish to control which encryption ciphers are used, use the ciphers
-# option. The list of available ciphers can be optained using the "openssl
-# ciphers" command and should be provided in the same format as the output of
-# that command.
-#ciphers
-
 # -----------------------------------------------------------------
 # Pre-shared-key based SSL/TLS support
 # -----------------------------------------------------------------
@@ -383,12 +507,6 @@ protocol mqtt
 # used or create a security plugin to handle them.
 #psk_hint
 
-# Set use_identity_as_username to have the psk identity sent by the client used
-# as its username. Authentication will be carried out using the PSK rather than
-# the MQTT username/password and so password_file will not be used for this
-# listener.
-#use_identity_as_username false
-
 # When using PSK, the encryption ciphers used will be chosen from the list of
 # available PSK ciphers. If you want to control which ciphers are available,
 # use the "ciphers" option.  The list of available ciphers can be optained
@@ -396,15 +514,22 @@ protocol mqtt
 # as the output of that command.
 #ciphers
 
+# Set use_identity_as_username to have the psk identity sent by the client used
+# as its username. Authentication will be carried out using the PSK rather than
+# the MQTT username/password and so password_file will not be used for this
+# listener.
+#use_identity_as_username false
+
+
 # =================================================================
 # Persistence
 # =================================================================
 
-# If persistence is enabled, save the in-memory database to disk 
-# every autosave_interval seconds. If set to 0, the persistence 
+# If persistence is enabled, save the in-memory database to disk
+# every autosave_interval seconds. If set to 0, the persistence
 # database will only be written when mosquitto exits. See also
 # autosave_on_changes.
-# Note that writing of the persistence database can be forced by 
+# Note that writing of the persistence database can be forced by
 # sending mosquitto a SIGUSR1 signal.
 #autosave_interval 1800
 
@@ -416,13 +541,13 @@ protocol mqtt
 #autosave_on_changes false
 
 # Save persistent message data to disk (true/false).
-# This saves information about all messages, including 
-# subscriptions, currently in-flight messages and retained 
+# This saves information about all messages, including
+# subscriptions, currently in-flight messages and retained
 # messages.
 # retained_persistence is a synonym for this option.
 #persistence false
 
-# The filename to use for the persistent database, not including 
+# The filename to use for the persistent database, not including
 # the path.
 #persistence_file mosquitto.db
 
@@ -432,21 +557,22 @@ protocol mqtt
 # similar.
 #persistence_location
 
+
 # =================================================================
 # Logging
 # =================================================================
 
-# Places to log to. Use multiple log_dest lines for multiple 
+# Places to log to. Use multiple log_dest lines for multiple
 # logging destinations.
 # Possible destinations are: stdout stderr syslog topic file
 #
 # stdout and stderr log to the console on the named output.
 #
-# syslog uses the userspace syslog facility which usually ends up 
+# syslog uses the userspace syslog facility which usually ends up
 # in /var/log/messages or similar.
 #
-# topic logs to the broker topic '$SYS/broker/log/<severity>', 
-# where severity is one of D, E, W, N, I, M which are debug, error, 
+# topic logs to the broker topic '$SYS/broker/log/<severity>',
+# where severity is one of D, E, W, N, I, M which are debug, error,
 # warning, notice, information and message. Message type severity is used by
 # the subscribe/unsubscribe log_types and publishes log messages to
 # $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe.
@@ -461,15 +587,9 @@ protocol mqtt
 # Use "log_dest none" if you wish to disable logging.
 log_dest file /var/log/mosquitto.log
 
-# If using syslog logging (not on Windows), messages will be logged to the
-# "daemon" facility by default. Use the log_facility option to choose which of
-# local0 to local7 to log to instead. The option value should be an integer
-# value, e.g. "log_facility 5" to use local5.
-#log_facility
-
 # Types of messages to log. Use multiple log_type lines for logging
 # multiple types of messages.
-# Possible types are: debug, error, warning, notice, information, 
+# Possible types are: debug, error, warning, notice, information,
 # none, subscribe, unsubscribe, websockets, all.
 # Note that debug type messages are for decoding the incoming/outgoing
 # network packets. They are not logged in "topics".
@@ -478,40 +598,58 @@ log_type warning
 log_type notice
 log_type information
 
+
 # If set to true, client connection and disconnection messages will be included
 # in the log.
 connection_messages true
 
+# If using syslog logging (not on Windows), messages will be logged to the
+# "daemon" facility by default. Use the log_facility option to choose which of
+# local0 to local7 to log to instead. The option value should be an integer
+# value, e.g. "log_facility 5" to use local5.
+#log_facility
+
 # If set to true, add a timestamp value to each log message.
 log_timestamp true
 
+# Set the format of the log timestamp. If left unset, this is the number of
+# seconds since the Unix epoch.
+# This is a free text string which will be passed to the strftime function. To
+# get an ISO 8601 datetime, for example:
+# log_timestamp_format %Y-%m-%dT%H:%M:%S
+#log_timestamp_format
+
+# Change the websockets logging level. This is a global option, it is not
+# possible to set per listener. This is an integer that is interpreted by
+# libwebsockets as a bit mask for its lws_log_levels enum. See the
+# libwebsockets documentation for more details. "log_type websockets" must also
+# be enabled.
+#websockets_log_level 0
+
+
 # =================================================================
 # Security
 # =================================================================
 
-# If set, only clients that have a matching prefix on their 
-# clientid will be allowed to connect to the broker. By default, 
+# If set, only clients that have a matching prefix on their
+# clientid will be allowed to connect to the broker. By default,
 # all clients may connect.
 # For example, setting "secure-" here would mean a client "secure-
 # client" could connect but another with clientid "mqtt" couldn't.
 #clientid_prefixes
 
-# Boolean value that determines whether clients that connect 
-# without providing a username are allowed to connect. If set to 
-# false then a password file should be created (see the 
-# password_file option) to control authenticated client access. 
-# Defaults to true.
+# Boolean value that determines whether clients that connect
+# without providing a username are allowed to connect. If set to
+# false then a password file should be created (see the
+# password_file option) to control authenticated client access.
+#
+# Defaults to true if no other security options are set. If `password_file` or
+# `psk_file` is set, or if an authentication plugin is loaded which implements
+# username/password or TLS-PSK checks, then `allow_anonymous` defaults to
+# false.
+#
 #allow_anonymous true
 
-# In addition to the clientid_prefixes, allow_anonymous and TLS 
-# authentication options, username based authentication is also 
-# possible. The default support is described in "Default 
-# authentication and topic access control" below. The auth_plugin 
-# allows another authentication method to be used.
-# Specify the path to the loadable plugin and see the 
-# "Authentication and topic access plugin options" section below.
-#auth_plugin
-
 # -----------------------------------------------------------------
 # Default authentication and topic access control
 # -----------------------------------------------------------------
@@ -522,11 +660,12 @@ log_timestamp true
 # plain text passwords are used, in which case the file should be a text file
 # with lines in the format:
 # username:password
-# The password (and colon) may be omitted if desired, although this 
+# The password (and colon) may be omitted if desired, although this
 # offers very little in the way of security.
-# 
+#
 # See the TLS client require_certificate and use_identity_as_username options
-# for alternative authentication options.
+# for alternative authentication options. If an auth_plugin is used as well as
+# password_file, the auth_plugin check will be made first.
 #password_file
 
 # Access may also be controlled using a pre-shared-key file. This requires
@@ -534,6 +673,7 @@ log_timestamp true
 # lines in the format:
 # identity:key
 # The key should be in hexadecimal format without a leading "0x".
+# If an auth_plugin is used as well, the auth_plugin check will be made first.
 #psk_file
 
 # Control access to topics on the broker using an access control list
@@ -544,14 +684,14 @@ log_timestamp true
 # Topic access is added with lines of the format:
 #
 # topic [read|write|readwrite] <topic>
-# 
+#
 # The access type is controlled using "read", "write" or "readwrite". This
 # parameter is optional (unless <topic> contains a space character) - if not
 # given then the access is read/write.  <topic> can contain the + or #
 # wildcards as in subscriptions.
-# 
+#
 # The first set of topics are applied to anonymous clients, assuming
-# allow_anonymous is true. User specific topic ACLs are added after a 
+# allow_anonymous is true. User specific topic ACLs are added after a
 # user line as follows:
 #
 # user <username>
@@ -583,18 +723,31 @@ log_timestamp true
 #
 # pattern write sensor/%u/data
 #
+# If an auth_plugin is used as well as acl_file, the auth_plugin check will be
+# made first.
 #acl_file
 
 # -----------------------------------------------------------------
-# Authentication and topic access plugin options
+# External authentication and topic access plugin options
 # -----------------------------------------------------------------
 
+# External authentication and access control can be supported with the
+# auth_plugin option. This is a path to a loadable plugin. See also the
+# auth_opt_* options described below.
+#
+# The auth_plugin option can be specified multiple times to load multiple
+# plugins. The plugins will be processed in the order that they are specified
+# here. If the auth_