Skip to content

Releases: wolfSSL/wolfMQTT

wolfMQTT v2.1.0 (02JUL2026)

Choose a tag to compare

@embhorn embhorn released this 02 Jul 20:51
1358c8a

v2.1.0 (07/02/2026)

Release 2.1.0 has been developed according to wolfSSL's development and QA
process (see link below) and successfully passed the quality criteria.
https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance

  • New Features

    • wolfMQTT Broker session persistence: pluggable persistence hooks via
      MqttBroker_SetPersistHooks with a POSIX backend
      (MqttBrokerNet_PersistPosix_Init / MqttBrokerNet_PersistPosix_Free),
      message ordering, an offline message queue, and AES-GCM encryption of
      persisted state at rest (#538)
    • New packet-validation helpers: MqttPacket_TopicNameValid,
      MqttPacket_TopicFilterValid, MqttPacket_TopicFilterIsWildcard,
      MqttPacket_FixedHeaderFlagsValid, and MqttPacket_SubAckReturnCodeValid
      (#552)
    • WOLFMQTT_MAX_QOS build cap to compile out the QoS 2 state machine and
      advertise v5 MAX_QOS in CONNACK (#537)
  • Security Hardening

    • Reject ill-formed UTF-8 in MQTT UTF-8 string fields per [MQTT-1.5.3-1].
      MqttDecode_String now validates each decoded string against RFC 3629
      and rejects encodings of surrogate code points (U+D800..U+DFFF) with
      MQTT_CODE_ERROR_MALFORMED_DATA. Receivers MUST close the network
      connection on malformed packets, which the broker's existing decode-
      error path enforces. The check covers ClientId, Will Topic, Topic Name,
      Topic Filter, Username, and v5 STRING/STRING_PAIR property values.
    • The broker now requires auth_user and auth_pass to be configured as
      a pair. Previously, setting only one (e.g. the -u CLI flag without
      -P) silently enabled single-factor authentication: the unconfigured
      side was never checked, so any password authenticated against a matching
      username (or any username against a matching password). MqttBroker_Start
      now rejects a partial credential configuration with
      MQTT_CODE_ERROR_BAD_ARG, and the connect-time gate fails closed as a
      defense in depth if only one credential is set. Leaving both NULL still
      disables authentication.
  • API / Behavior Changes

    • MqttDecode_String may now return MQTT_CODE_ERROR_MALFORMED_DATA
      on ill-formed UTF-8. This applies to client builds as well as broker
      builds — [MQTT-1.5.3-1] is normative for both. wolfMQTT clients that
      previously accepted PUBLISH messages with non-UTF-8 topics from
      misbehaving brokers will now error on those messages. There is no
      opt-out: the spec is a MUST.
    • MqttDecode_Publish now propagates the underlying error from
      MqttDecode_String (e.g. MALFORMED_DATA) instead of always
      returning MQTT_CODE_ERROR_OUT_OF_BUFFER on topic decode failure.
    • MqttDecode_Props similarly now propagates the underlying error from
      MqttDecode_String for v5 STRING and STRING_PAIR property types
      (Reason String, Content Type, User Property, etc.) instead of masking
      it as MQTT_CODE_ERROR_PROPERTY.
    • The CONNECT Password decode no longer goes through MqttDecode_String
      because [MQTT-3.1.3.5] defines Password as Binary Data, not a UTF-8
      string. A binary password containing bytes that are not valid UTF-8
      (e.g., 0xC0, 0xFF) would otherwise be incorrectly rejected.
    • MqttClient_Publish / MqttClient_Publish_ex now return the new
      MQTT_CODE_ERROR_PUBLISH_REJECTED (-21) when a v5 broker rejects a
      QoS>0 PUBLISH via a PUBACK (QoS 1), PUBREC, or PUBCOMP (QoS 2) reason
      code >= 0x80 (e.g. Not authorized, Quota exceeded, Topic Name invalid,
      Payload format invalid). Previously these were reported as
      MQTT_CODE_SUCCESS, so the application proceeded as if the broker had
      accepted the message. The specific reason is available in
      MqttPublish.resp.reason_code. For QoS 2, a PUBREC reason code >= 0x80
      now ends the exchange without sending PUBREL per [MQTT-4.3.3] instead of
      timing out. v3.1.1 publishes are unaffected, as is the return value of
      the fire-and-forget MqttClient_Publish_WriteOnly call itself. Callers
      that treat any non-success return as fatal may need to handle this code.
      In WOLFMQTT_MULTITHREAD builds where a dedicated thread drives reads,
      that reading thread now returns MQTT_CODE_ERROR_PUBLISH_REJECTED when it
      processes a QoS 2 PUBREC rejection (instead of advancing the handshake
      with an illegal PUBREL); the originating write-only publish's pending
      response is not auto-completed in that case, so it blocks until
      cmd_timeout_ms. A QoS 1 PUBACK or QoS 2 PUBCOMP rejection is NOT
      detected on the write-only path (the publish appears successful), matching
      prior behavior; use MqttClient_Publish/_ex for reliable detection.
    • An incoming PUBLISH received by a client with no message callback
      registered (msg_cb == NULL) now returns MQTT_CODE_ERROR_CALLBACK
      (-13) instead of MQTT_CODE_SUCCESS. Previously the payload was silently
      read and discarded, and for QoS 1/2 a PUBACK/PUBREC was still sent,
      falsely telling the broker the message was delivered while the application
      never saw it. MqttClient_HandlePacket no longer populates an ACK in this
      case, so no false acknowledgement is sent. This affects standard MQTT
      (MqttClient_Publish_ReadPayload) and MQTT-SN (SN_Client_HandlePacket).
      A registered msg_cb is now required to receive a PUBLISH; this includes
      the receive-into-object pattern via MqttClient_WaitMessage_ex /
      SN_Client_WaitMessage_ex, which previously returned success after
      decoding into the caller-supplied object without a callback. A NULL
      callback is still valid for a publish-only client that never receives
      messages; the error surfaces only if such a client is actually pushed a
      PUBLISH. The built-in broker is unaffected (it handles incoming PUBLISH
      through its own path, not this one).
  • Fixes

    • SN_Client_Unsubscribe now registers its pending UNSUBACK response under
      the real Packet Identifier instead of a hard-coded 0. In
      WOLFMQTT_MULTITHREAD builds where a dedicated reader thread processes the
      UNSUBACK first, MqttClient_RespList_Find matches on the decoded packet
      id, so the id-0 entry never matched and the response was consumed into the
      generic object, leaving the unsubscribing thread blocked until
      cmd_timeout_ms. The registration now matches SN_Client_Subscribe,
      SN_Client_Register, and SN_Client_Publish.
  • What's Changed

    • Fix BrokerHandle_Connect null check (#477)
    • Fenrir fixes (#478)
    • Add testing validation and fixes for wolfMQTT (#480)
    • Replace deprecated VeriSign CA with Amazon Root CA 1 + Starfield G2 (#481)
    • Update testing with a more flexible framework (#482)
    • Fix new Fenrir reports (#483)
    • Always check MqttDecode_Num's return code (#479)
    • Add Fenrir suggested test cases (#484)
    • Reject null chars in strings (#503)
    • Fix various spec compliance gaps (#504)
    • Fix MQTTv5 QoS 2 CONNACK interop and add WOLFMQTT_MAX_QOS build cap (#537)
    • Fix Coverity nightly: inline action, drop broken md5 hash lookup (#547)
    • Harden param checks in MqttDecode_FixedHeader and MqttDecode_ConnectAck (#546)
    • Harden Coverity tool download: curl -L --fail + gzip sanity check (#549)
    • Fix broker disconnect to better handle SIGPIPE (#548)
    • wolfMQTT broker: ordering, persistence, offline queue, AES-GCM at rest (#538)
    • Speed up CI and stabilize aws-ca-regression (#551)
    • MQTT-SN fixes (#550)
    • Broker, client, and MQTT v5 packet validation and reliability fixes (#552)
    • Fenrir fixes (#554)
  • New Contributors

wolfMQTT v2.0.0 (20MAR2026)

Choose a tag to compare

@embhorn embhorn released this 20 Mar 15:45
88d37ed

v2.0.0 (03/20/2026)

Release 2.0.0 has been developed according to wolfSSL's development and QA
process (see link below) and successfully passed the quality criteria.
https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance

  • New Features

    • Lightweight MQTT Broker — New built-in MQTT broker implementation (#457)
    • MQTT v3.1.1 spec compliance checks (#462)
    • Secure and non-secure port listening support (#465)
    • WebSocket transport support (#466)
    • wolfIP (embedded TCP/IP stack) support (#463)
    • Retained messages, session persistence, graceful disconnect, QoS subscription updates (#465)
    • libFuzzer-based broker fuzzing infrastructure (#474)
    • wolfIP Integration — Added wolfIP support for both MQTT client and broker (#463)
    • lastError Field — Preserve TLS error code via new lastError in the network context (#458)
  • Bug Fixes

    • Fix race condition in wm_SemLock (#475)
    • Fix wildcard topic matching (#472)
    • Fix LWT (Last Will and Testament) length checks and payload free issues (#472, #473)
    • Fix subAck buffer size check and topic count validation (#472)
    • Fix MqttPacket_Write failure return handling (#473)
    • Fix MQTT-SN: null pointer dereference, non-blocking read, encode/decode issues (#473)
    • Fix MqttDecode_Auth reason code issue (#473)
    • Fix broker client connect status check (#472)
    • Fix SN_Client_WaitType issues (#456)
    • Fix curl transport: use internal loops for partial read/write handling (#459)
  • Security Hardening

    • Add overflow checks in network and socket IO (#467)
    • Add checks for negative return values in MqttDecode_String calls (#467)
    • Add encoding error checks (#467)
    • Add remain_len validation check (#471)
    • Static analysis fixes for MqttClient_Auth, MqttProps_Add, MqttDecode_SubscribeAck, MqttDecode_Props (#469)
    • Static analysis fixes for SN_Decode_Register, SN_Decode_GWInfo, SN_Client_WillTopicUpdate, SN_Encode_Publish, SN_Encode_RegAck, SN_Client_Connect (#468)
    • Add debug warning when using VERIFY_NONE (#475)
  • CI / Testing

    • Add CI workflows for codespell, multi-compiler, and sanitizer tests (#470)
    • Add Coverity workflow schedule (#450, #451)
    • Add WebSocket broker configurations to CI (#466)
    • Expanded broker edge case testing (#465)
    • Improved broker test execution speed (#465)
  • Other

    • Updated client certificates (#455)
    • Added wolfSSL as submodule option (#452)

wolfMQTT v1.21.0 (03DEC2025)

Choose a tag to compare

@embhorn embhorn released this 03 Dec 17:57
0afcd8d

Release 1.21.0 has been developed according to wolfSSL's development and QA
process (see link below) and successfully passed the quality criteria.
https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance

What's Changed

wolfMQTT v1.20.0 (02MAY2025)

Choose a tag to compare

@embhorn embhorn released this 02 May 12:32
320ed37

v1.20.0 (05/02/2025)

Release 1.20.0 has been developed according to wolfSSL's development and QA
process (see link below) and successfully passed the quality criteria.
https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance

wolfMQTT v1.19.2 (31JAN2025)

Choose a tag to compare

@embhorn embhorn released this 31 Jan 20:03
90790ba

v1.19.2 (01/31/2025)

Release 1.19.2 has been developed according to wolfSSL's development and QA
process (see link below) and successfully passed the quality criteria.
https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance

wolfMQTT v1.19.1 (06NOV2024)

Choose a tag to compare

@embhorn embhorn released this 06 Nov 17:55
6db6c74

v1.19.1 (11/06/2024)

Release 1.19.1 has been developed according to wolfSSL's development and QA process (see link below) and successfully passed the quality criteria.
https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance

wolfMQTT v1.19.0 (22MAR2024)

Choose a tag to compare

@embhorn embhorn released this 22 Mar 18:43
06a7812

v1.19.0 (3/22/2024)
Release 1.19.0 has been developed according to wolfSSL's development and QA process (see link below) and successfully passed the quality criteria.
https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance

wolfMQTT v1.18.0 (22DEC2023)

Choose a tag to compare

@embhorn embhorn released this 22 Dec 18:06
91b01f4

v1.18.0 (12/22/2023)

Release 1.18.0 has been developed according to wolfSSL's development and QA process (see link below) and successfully passed the quality criteria.
https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance

wolfMQTT v1.17.1 (29NOV2023)

Choose a tag to compare

@embhorn embhorn released this 29 Nov 20:09
bc7ac50

v1.17.1 (11/29/2023)

Release 1.17.1 has been developed according to wolfSSL's development and QA process (see link below) and successfully passed the quality criteria.
https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance

  • Include stdint.h in userio_template.h by @lealem47 in #371
  • Improvements to multithread locking and tests. by @dgarske in #369
  • Cleanup executable status on src files. by @philljj in #372
  • Close socket on error in NetConnect by @embhorn in #375
  • Fixes for non-blocking with larger payload and improvements to the test and examples by @dgarske in #373
  • Add MQTT-SN CI tests by @embhorn in #376
  • Fix Wild read in MqttProps_Free by @embhorn in #377
  • Fix fuzzer issues in MqttDecode_Props by @embhorn in #378

wolfMQTT v1.17.0 (02NOV2023)

Choose a tag to compare

@embhorn embhorn released this 02 Nov 15:32
51b84ea

v1.17.0 (11/2/2023)

Release 1.17.0 has been developed according to wolfSSL's development and QA process (see link below) and successfully passed the quality criteria.
https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance