I want to set up a broker that is able to accept both "open/public" connections and "private" ones using TLS. For this I've set up the server to accept TLS connections, but whoever sniffs port 1883 (which is open) still receives the topics sent around 8883 (TLS based). How do I solve this?
My configuration file (located at /etc/mosquitto/conf.d/mosquitto.conf):
port 1883
# MQTT over TLS/SSL
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
tls_version tlsv1
# End of MQTT over TLS/SSL configuration
listener 9001
protocol websockets
# WebSockets over TLS/SSL
listener 9883
protocol websockets
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
Upvotes: 3
Views: 15637
This is working as designed.
Adding listeners does not create separate topic spaces. If you want to restrict the non-TLS listeners, then you can add the IP address to the setup. You can also use the bind_address option to change the default listener.
e.g. to limit the open listener to localhost only, you can do this:
port 1883
bind_address 127.0.0.1
# MQTT over TLS/SSL
listener 8883 0.0.0.0
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
tls_version tlsv1
# End of MQTT over TLS/SSL configuration
listener 9001 127.0.0.1
protocol websockets
# WebSockets over TLS/SSL
listener 9883 0.0.0.0
protocol websockets
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
Upvotes: 3
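Added example, not part of the question or answer: a small Python audit that reads a mosquitto.conf and lists the ports other hosts can reach without TLS, applying the listener rules the answer relies on. It assumes the default listener always exists and is described by `port`/`bind_address`, that `listener <port> [bind]` opens a new block, and that a `certfile` line marks that block as TLS; the sample configs are constructed from the two configurations on this page.

```python
# Constructed sample in the asker's layout: no listener is bound to an
# address and only 8883/9883 carry a certificate.
SAMPLE_CONF = """\
port 1883
# MQTT over TLS/SSL
listener 8883
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
listener 9001
protocol websockets
listener 9883
protocol websockets
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
"""
# The answer's fix: pin the plaintext listeners to loopback.
FIXED_CONF = (SAMPLE_CONF
              .replace("port 1883\n", "port 1883\nbind_address 127.0.0.1\n")
              .replace("listener 9001\n", "listener 9001 127.0.0.1\n"))

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_listeners(conf_text):
    """Return one dict per listener. Assumed mosquitto semantics: 'port' and
    'bind_address' describe the default listener, which always exists;
    'listener <port> [bind]' opens a block; 'certfile' marks the block as TLS."""
    default = {"port": 1883, "bind": "", "tls": False}
    listeners, current = [default], default
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not parts:
            continue
        key, args = parts[0], parts[1:]
        if key == "port":
            default["port"] = int(args[0])
        elif key == "bind_address":
            default["bind"] = args[0]
        elif key == "listener":
            bind = args[1] if len(args) > 1 else ""  # empty = all interfaces
            current = {"port": int(args[0]), "bind": bind, "tls": False}
            listeners.append(current)
        elif key == "certfile":
            current["tls"] = True
    return listeners

def exposed_plaintext(conf_text):
    """Ports other hosts can reach without TLS: non-TLS listeners not bound
    to a loopback address (an empty bind means every interface)."""
    return sorted(l["port"] for l in parse_listeners(conf_text)
                  if not l["tls"] and l["bind"] not in LOOPBACK)
```

Running it on the asker's layout reports 1883 and 9001 as reachable in plaintext from other hosts; on the answer's layout it reports nothing.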