listener.wss.use_identity_as_username supported? #563

Closed
mmanes opened this issue Dec 28, 2017 · 7 comments

Comments


mmanes commented Dec 28, 2017

Hi,

I'm attempting to perform certificate-only authentication and set ACL restrictions based on the CN of the client certificate. I have listener.wss.use_identity_as_username = on and listener.wss.require_certificate = on and can complete the SSL handshake successfully, but cannot get the username to change when using the wss:// listener, while the ssl:// listener seems to work fine.

I've tried disabling vmq_passwd and allow_anonymous, as well as enabling both and using a username/password.

In my latest config, this is the error I'm seeing:
vmq_mqtt_fsm:auth_on_publish:658 can't auth publish [<<"foo">>,{[],<<"agent-foo">>},0,[<<"25ba1b99-9bab-4d8c-8351-6dd816060d45">>],<<"this is msg #43!">>,false] due to chain_exhausted

In this attempt, 25ba1b99-9bab-4d8c-8351-6dd816060d45 is the CN of the cert, foo was the username and agent-foo was the client id.

Probably unrelated, but my vmq.acl consists of pattern write %u.

Does the wss listener support the use_identity_as_username parameter?

Environment

  • VerneMQ Version: 1.2.2-1 (Latest Docker image)
  • OS: macOS

ioolkos commented Dec 29, 2017

@mmanes thanks for reporting. I think this should work also for WSS.

@dergraf do you see what's happening? Is it a problem with the publish auth rather than related to the SSL config?


larshesel commented Jan 5, 2018

@mmanes were you able to resolve the issue? If not, could you post the complete vernemq.conf file? As @ioolkos mentions, this should work.


mmanes commented Jan 5, 2018

@larshesel No, I haven't resolved the issue. Here's my current conf, but I've also played around with various combinations of plugins.vmq_passwd and allow_anonymous:

## Allow anonymous users to connect, default is 'off'
##
## Default: off
##
## Acceptable values:
##   - on or off
allow_anonymous = on

## Allow new client connections even when a VerneMQ cluster is inconsistent.
##
## Default: off
##
## Acceptable values:
##   - on or off
allow_register_during_netsplit = off

## Allow message publishes even when a VerneMQ cluster is inconsistent.
##
## Default: off
##
## Acceptable values:
##   - on or off
allow_publish_during_netsplit = off

## Allow new subscriptions even when a VerneMQ cluster is inconsistent.
##
## Default: off
##
## Acceptable values:
##   - on or off
allow_subscribe_during_netsplit = off

## Allow clients to unsubscribe when a VerneMQ cluster is inconsistent.
##
## Default: off
##
## Acceptable values:
##   - on or off
allow_unsubscribe_during_netsplit = off

## Allows a client to logon multiple times using the same client id
## (non-standard behaviour!).
##
## Default: off
##
## Acceptable values:
##   - on or off
allow_multiple_sessions = off

## Set the time in seconds VerneMQ waits before a retry, in case a (QoS=1 or QoS=2) message
## delivery gets no answer.
##
## Default: 20
##
## Acceptable values:
##   - an integer
## retry_interval = 20

## Set the maximum size for client IDs. MQTT v3.1 specifies a
## limit of 23 characters
##
## Default: 100
##
## Acceptable values:
##   - an integer
max_client_id_size = 100

## This option allows persistent clients ( = clean session set to
## false) to be removed if they do not reconnect within 'persistent_client_expiration'.
## This is a non-standard option. As far as the MQTT specification is concerned,
## persistent clients persist forever.
## The expiration period should be an integer followed by one of 'd', 'w', 'm', 'y' for
## day, week, month, and year.
##
## Default: never
##
## Acceptable values:
##   - text
## persistent_client_expiration = 1w

## The maximum number of QoS 1 or 2 messages that can be in the process of being
## transmitted simultaneously. This includes messages currently going through handshakes
## and messages that are being retried. Defaults to 20. Set to 0 for no maximum. If set
## to 1, this will guarantee in-order delivery of messages.
##
## Default: 20
##
## Acceptable values:
##   - an integer
max_inflight_messages = 20

## The maximum number of messages to hold in the queue above
## those messages that are currently in flight. Defaults to 1000. This affects
## messages of any QoS. Set to -1 for no maximum (not recommended).
## This option allows to control how a specific client session can deal
## with message bursts. As a general rule of thumb set
## this number a bit higher than the expected message rate a single consumer is
## required to process. Note that setting this value to 0 will totally block
## delivery from any queue.
##
## Default: 1000
##
## Acceptable values:
##   - an integer
max_online_messages = 1000

## The maximum number of QoS 1 or 2 messages to hold in the offline queue.
## Defaults to 1000. Set to -1 for no maximum (not recommended). Set to 0
## if no messages should be stored offline.
##
## Default: 1000
##
## Acceptable values:
##   - an integer
max_offline_messages = 1000

## This option sets the maximum MQTT size that VerneMQ will
## allow.  Messages that exceed this size will not be accepted by
## VerneMQ. The default value is 0, which means that all valid MQTT
## messages are accepted. MQTT imposes a maximum payload size of
## 268435455 bytes.
##
## Default: 0
##
## Acceptable values:
##   - an integer
max_message_size = 0

## If a message is published with a QoS lower than the QoS of the subscription it is
## delivered to, VerneMQ can upgrade the outgoing QoS. This is a non-standard option.
##
## Default: off
##
## Acceptable values:
##   - on or off
upgrade_outgoing_qos = off

## listener.max_connections is an integer or 'infinity' defining
## the maximum number of concurrent connections. This option can be overridden
## on the protocol level by:
## - listener.tcp.max_connections
## - listener.ssl.max_connections
## - listener.ws.max_connections
## - listener.wss.max_connections
## or on the listener level by:
## - listener.tcp.my_tcp_listener.max_connections
## - listener.ssl.my_ssl_listener.max_connections
## - listener.ws.my_ws_listener.max_connections
## - listener.wss.my_wss_listener.max_connections
##
## Default: 10000
##
## Acceptable values:
##   - an integer
##   - the text "infinity"
listener.max_connections = 10000

## Set the nr of acceptors waiting to concurrently accept new connections.
## This can be specified either on the protocol level:
## - listener.tcp.nr_of_acceptors
## - listener.ssl.nr_of_acceptors
## - listener.ws.nr_of_acceptors
## - listener.wss.nr_of_acceptors
## or on the listener level:
## - listener.tcp.my_tcp_listener.nr_of_acceptors
## - listener.ssl.my_ssl_listener.nr_of_acceptors
## - listener.ws.my_ws_listener.nr_of_acceptors
## - listener.wss.my_wss_listener.nr_of_acceptors
##
## Default: 10
##
## Acceptable values:
##   - an integer
listener.nr_of_acceptors = 10

## listener.tcp.<name> is an IP address and TCP port that
## the broker will bind to. You can define multiple listeners e.g:
## - listener.tcp.default = 127.0.0.1:1883
## - listener.tcp.internal = 127.0.0.1:10883
## - listener.tcp.my_other_listener = 127.0.0.1:10884
## This also works for SSL listeners and WebSocket handlers:
## - listener.ssl.default = 127.0.0.1:8883
## - listener.ws.default = 127.0.0.1:800
## - listener.wss.default = 127.0.0.1:880
##
## Default: 127.0.0.1:1883
##
## Acceptable values:
##   - an IP/port pair, e.g. 127.0.0.1:10011
listener.tcp.default = 127.0.0.1:1883
listener.ssl.default = 0.0.0.0:8883

## listener.vmq.clustering is the IP address and TCP port that
## the broker will bind to accept connections from other cluster
## nodes e.g:
## - listener.vmq.clustering = 0.0.0.0:18883
## This also works for SSL listeners:
## - listener.vmqs.clustering = 0.0.0.0:18884
##
## Default: 0.0.0.0:44053
##
## Acceptable values:
##   - an IP/port pair, e.g. 127.0.0.1:10011
listener.vmq.clustering = 0.0.0.0:44053

## listener.http.default is the IP address and TCP port that
## the broker will bind to accept HTTP connections
## - listener.http.default = 0.0.0.0:8888
## This also works for SSL listeners:
## - listener.https.default= 0.0.0.0:8889
##
## Default: 127.0.0.1:8888
##
## Acceptable values:
##   - an IP/port pair, e.g. 127.0.0.1:10011
listener.http.default = 127.0.0.1:8888
listener.wss.default = 0.0.0.0:8084

## Set the mountpoint on the protocol level or on the listener level
## - listener.tcp.mountpoint
## - listener.ssl.mountpoint
## - listener.ws.mountpoint
## - listener.wss.mountpoint
## listener level:
## - listener.tcp.my_tcp_listener.mountpoint
## - listener.ssl.my_ssl_listener.mountpoint
## - listener.ws.my_ws_listener.mountpoint
## - listener.wss.my_wss_listener.mountpoint
##
## Default: off
##
## Acceptable values:
##   - text
listener.mountpoint = off

## The cafile is used to define the path to a file containing
## the PEM encoded CA certificates that are trusted. Set the cafile
## on the protocol level or on the listener level:
## - listener.ssl.cafile
## - listener.wss.cafile
## or on the listener level:
## - listener.ssl.my_ssl_listener.cafile
## - listener.wss.my_wss_listener.cafile
##
## Default:
##
## Acceptable values:
##   - the path to a file
listener.ssl.cafile = /etc/vernemq/cacert.pem
listener.wss.cafile = /etc/vernemq/cacert.pem

## Set the path to the PEM encoded server certificate
## on the protocol level or on the listener level:
## - listener.ssl.certfile
## - listener.wss.certfile
## or on the listener level:
## - listener.ssl.my_ssl_listener.certfile
## - listener.wss.my_wss_listener.certfile
##
## Default:
##
## Acceptable values:
##   - the path to a file
listener.ssl.certfile = /etc/vernemq/cert.pem
listener.wss.certfile = /etc/vernemq/cert.pem

## Set the path to the PEM encoded key file on the protocol
## level or on the listener level:
## - listener.ssl.keyfile
## - listener.wss.keyfile
## or on the listener level:
## - listener.ssl.my_ssl_listener.keyfile
## - listener.wss.my_wss_listener.keyfile
##
## Default:
##
## Acceptable values:
##   - the path to a file
listener.ssl.keyfile = /etc/vernemq/key.pem
listener.wss.keyfile = /etc/vernemq/key.pem

## Set the list of allowed ciphers (each separated with a colon),
## on the protocol level or on the listener level. Reasonable defaults
## are used if nothing is specified:
## - listener.ssl.ciphers
## - listener.wss.ciphers
## or on the listener level:
## - listener.ssl.my_ssl_listener.ciphers
## - listener.wss.my_wss_listener.ciphers
##
## Default:
##
## Acceptable values:
##   - text
## listener.ssl.ciphers =

## If you have 'listener.ssl.require_certificate' set to true,
## you can create a certificate revocation list file to revoke access
## to particular client certificates. If you have done this, use crlfile
## to point to the PEM encoded revocation file. This can be done on the
## protocol level or on the listener level.
## - listener.ssl.crlfile
## - listener.wss.crlfile
## or on the listener level:
## - listener.ssl.my_ssl_listener.crlfile
## - listener.wss.my_wss_listener.crlfile
##
## Default:
##
## Acceptable values:
##   - text
## listener.ssl.crlfile =

## Enable this option if you want to use SSL client certificates
## to authenticate your clients. This can be done on the protocol level
## or on the listener level.
## - listener.ssl.require_certificate
## - listener.wss.require_certificate
## or on the listener level:
## - listener.ssl.my_ssl_listener.require_certificate
## - listener.wss.my_wss_listener.require_certificate
##
## Default: off
##
## Acceptable values:
##   - on or off
## listener.ssl.require_certificate = off
listener.wss.require_certificate = on

## Configure the TLS protocol version (tlsv1, tlsv1.1, or tlsv1.2) to be
##
## Default: tlsv1.2
##
## Acceptable values:
##   - text
## listener.ssl.tls_version = tlsv1.2

## If 'listener.ssl.require_certificate' is enabled, you may enable
## 'listener.ssl.use_identity_as_username' to use the CN value from the client
## certificate as a username. If enabled other authentication plugins are not
## considered. The option can be specified either for all SSL listeners or for
## a specific listener:
## - listener.ssl.use_identity_as_username
## - listener.wss.use_identity_as_username
## or on the listener level:
## - listener.ssl.my_ssl_listener.use_identity_as_username
## - listener.wss.my_wss_listener.use_identity_as_username
##
## Default: off
##
## Acceptable values:
##   - on or off
listener.ssl.use_identity_as_username = on
listener.wss.use_identity_as_username = on
listener.wss.default.use_identity_as_username = on
listener.wss.mqttwss.use_identity_as_username = on

## Enable the $SYSTree Reporter.
##
## Default: on
##
## Acceptable values:
##   - on or off
systree_enabled = on

## The integer number of milliseconds between updates of the $SYS subscription hierarchy,
## which provides status information about the broker. If unset, defaults to 20 seconds.
## Set to 0 to disable publishing the $SYS hierarchy completely.
##
## Default: 20000
##
## Acceptable values:
##   - an integer
systree_interval = 20000

## Enable the Graphite Reporter. Ensure to also configure a
## proper graphite.host
##
## Default: off
##
## Acceptable values:
##   - on or off
graphite_enabled = off

## the graphite server host name
##
## Default: localhost
##
## Acceptable values:
##   - text
graphite_host = localhost

## the tcp port of the graphite server
##
## Default: 2003
##
## Acceptable values:
##   - an integer
graphite_port = 2003

## the interval we push metrics to the graphite server in ms
##
## Default: 20000
##
## Acceptable values:
##   - an integer
graphite_interval = 20000

## set the prefix that is applied to all metrics reported to graphite
##
## Default:
##
## Acceptable values:
##   - text
## graphite_prefix = my-prefix

## the graphite server api key, e.g. used by hostedgraphite.com
##
## Default:
##
## Acceptable values:
##   - text
## graphite_api_key = My-Api-Key

## Distribution policy for shared subscriptions. Default is
## 'prefer_local' which will ensure that local subscribers will be
## used if any are available. 'local_only' will select a random local
## subscriber if any are available. 'random' will randomly choose
## between all available subscribers.
##
## Default: prefer_local
##
## Acceptable values:
##   - text
shared_subscription_policy = prefer_local

## plugins.<plugin> enables/disables a plugin.
## Plugin specific settings are set via the plugin itself, i.e., to
## set the 'file' setting for the myplugin plugin, add a line like:
## myplugin.file = /path/to/file
##
## Acceptable values:
##   - on or off
## plugins.name = on

## plugins.<name>.path defines the location of the plugin
## associated with <name>. This is needed for plugins that are not
## shipped with VerneMQ.
##
## Acceptable values:
##   - the path to a directory
## plugins.mypluginname.path = /path/to/myplugin

## plugins.<name>.priority defines the load order of the
## plugins. Plugins are loaded by priority. If no priority is given
## the load order is undefined. Prioritized plugins will always be
## loaded before plugins with no defined priority.
##
## Acceptable values:
##   - an integer
## plugins.mypluginname.priority = 5

## File based authentication plugin.
##
## Default: on
##
## Acceptable values:
##   - on or off
plugins.vmq_passwd = off

## File based authorization plugin.
##
## Default: on
##
## Acceptable values:
##   - on or off
plugins.vmq_acl = on

## Lua based plugins.
##
## Default: off
##
## Acceptable values:
##   - on or off
plugins.vmq_diversity = off

## Webhook based plugins.
##
## Default: off
##
## Acceptable values:
##   - on or off
plugins.vmq_webhooks = off

## The VerneMQ bridge plugin.
##
## Default: off
##
## Acceptable values:
##   - on or off
plugins.vmq_bridge = off

## Set the path to an access control list file.
##
## Default: /etc/vernemq/vmq.acl
##
## Acceptable values:
##   - the path to a file
vmq_acl.acl_file = /etc/vernemq/vmq.acl

## set the acl reload interval in seconds, the value 0 disables
## the automatic reloading of the acl file.
##
## Default: 10
##
## Acceptable values:
##   - an integer
vmq_acl.acl_reload_interval = 10

## Set the path to a password file.
##
## Default: /etc/vernemq/vmq.passwd
##
## Acceptable values:
##   - the path to a file
vmq_passwd.password_file = /etc/vernemq/vmq.passwd

## set the password reload interval in seconds, the value 0
## disables the automatic reloading of the password file.
##
## Default: 10
##
## Acceptable values:
##   - an integer
vmq_passwd.password_reload_interval = 10

## Configure the vmq_diversity plugin script dir. The script dir
## is searched for Lua scripts which are automatically loaded when the
## plugin is enabled.
##
## Default: /usr/share/vernemq/lua
##
## Acceptable values:
##   - the path to a directory
vmq_diversity.script_dir = /usr/share/vernemq/lua

##
## Default: off
##
## Acceptable values:
##   - on or off
vmq_diversity.auth_postgres.enabled = off

##
## Default: localhost
##
## Acceptable values:
##   - text
## vmq_diversity.postgres.host = localhost

##
## Default: 5432
##
## Acceptable values:
##   - an integer
## vmq_diversity.postgres.port = 5432

##
## Default: root
##
## Acceptable values:
##   - text
## vmq_diversity.postgres.user = root

##
## Default: password
##
## Acceptable values:
##   - text
## vmq_diversity.postgres.password = password

##
## Default: vernemq_db
##
## Acceptable values:
##   - text
## vmq_diversity.postgres.database = vernemq_db

##
## Default: off
##
## Acceptable values:
##   - on or off
vmq_diversity.auth_mysql.enabled = off

##
## Default: localhost
##
## Acceptable values:
##   - text
## vmq_diversity.mysql.host = localhost

##
## Default: 3306
##
## Acceptable values:
##   - an integer
## vmq_diversity.mysql.port = 3306

##
## Default: root
##
## Acceptable values:
##   - text
## vmq_diversity.mysql.user = root

##
## Default: password
##
## Acceptable values:
##   - text
## vmq_diversity.mysql.password = password

##
## Default: vernemq_db
##
## Acceptable values:
##   - text
## vmq_diversity.mysql.database = vernemq_db

##
## Default: off
##
## Acceptable values:
##   - on or off
vmq_diversity.auth_mongodb.enabled = off

##
## Default: localhost
##
## Acceptable values:
##   - text
## vmq_diversity.mongodb.host = localhost

##
## Default: 27017
##
## Acceptable values:
##   - an integer
## vmq_diversity.mongodb.port = 27017

##
## Acceptable values:
##   - text
## vmq_diversity.mongodb.login =

##
## Acceptable values:
##   - text
## vmq_diversity.mongodb.password =

##
## Acceptable values:
##   - text
## vmq_diversity.mongodb.database =

##
## Default: off
##
## Acceptable values:
##   - on or off
vmq_diversity.auth_redis.enabled = off

##
## Default: localhost
##
## Acceptable values:
##   - text
## vmq_diversity.redis.host = localhost

##
## Default: 6379
##
## Acceptable values:
##   - an integer
## vmq_diversity.redis.port = 6379

##
## Default:
##
## Acceptable values:
##   - text
## vmq_diversity.redis.password =

##
## Default: 0
##
## Acceptable values:
##   - an integer
## vmq_diversity.redis.database = 0

##
## Default: localhost
##
## Acceptable values:
##   - text
## vmq_diversity.memcache.host = localhost

##
## Default: 11211
##
## Acceptable values:
##   - an integer
## vmq_diversity.memcache.port = 11211

## vmq_diversity.<name>.plugin = <file> loads a specific lua
## script when `vmq_diversity` starts. The scripts are loaded in the
## order defined by the names given, i.e., the script with <name>
## 'script1' is started before the plugin with <name> 'script2'.
##
## Acceptable values:
##   - the path to a file
## vmq_diversity.script1.file = path/to/my/script.lua

## To configure and register a webhook a hook and an endpoint
## need to be configured and this is achieved by associating both with
## a name. vmq_webhooks.<name>.hook = <hook> associates the hook
## <hook> with the name <name>. Webhooks are registered in the order
## of the name given to it. Therefore a webhook with name 'webhook1'
## is registered before a webhook with the name 'webhook2'.
##
## Acceptable values:
##   - one of: auth_on_register, auth_on_publish, auth_on_subscribe, on_register, on_publish, on_subscribe, on_unsubscribe, on_deliver, on_offline_message, on_client_wakeup, on_client_offline, on_client_gone
## vmq_webhooks.webhook1.hook = auth_on_register

## Associate an endpoint with a name.
##
## Acceptable values:
##   - text
## vmq_webhooks.webhook1.endpoint = http://localhost/myendpoints

## Specify the address and port of the bridge to connect to. Several
## bridges can be configured by using different bridge names (e.g. br0). If the
## connection supports SSL encryption bridge.ssl.<name> can be used.
##
## Acceptable values:
##   - text
## vmq_bridge.tcp.br0 = 127.0.0.1:1889

## Set the clean session option for the bridge. By default this is disabled,
## which means that all subscriptions on the remote broker are kept in case of
## the network connection dropping. If enabled, all subscriptions and messages
## on the remote broker will be cleaned up if the connection drops.
##
## Default: off
##
## Acceptable values:
##   - on or off
## vmq_bridge.tcp.br0.cleansession = off

## Set the client id for this bridge connection. If not defined, this
## defaults to 'name.hostname', where name is the connection name and hostname
## is the hostname of this computer.
##
## Default: auto
##
## Acceptable values:
##   - text
## vmq_bridge.tcp.br0.client_id = auto

## Set the number of seconds after which the bridge should send a ping if
## no other traffic has occurred.
##
## Default: 60
##
## Acceptable values:
##   - an integer
## vmq_bridge.tcp.br0.keepalive_interval = 60

## Configure a username for the bridge. This is used for authentication
## purposes when connecting to a broker that supports MQTT v3.1 and requires a
## username and/or password to connect. See also the password option.
##
## Acceptable values:
##   - text
## vmq_bridge.tcp.br0.username = my_remote_user

## Configure a password for the bridge. This is used for authentication
## purposes when connecting to a broker that supports MQTT v3.1 and requires a
## username and/or password to connect. This option is only valid if a username
## is also supplied.
##
## Acceptable values:
##   - text
## vmq_bridge.tcp.br0.password = my_remote_password

## Define one or more topic pattern to be shared between the two brokers.
## Any topics matching the pattern (including wildcards) are shared.
## The following format is used:
## pattern [[[ out | in | both ] qos-level] local-prefix remote-prefix]
## [ out | in | both ]: specifies that this bridge exports messages (out), imports
## messages (in) or shared in both directions (both). If undefined we default to
## export (out).
## qos-level: specifies the publish/subscribe QoS level used for this
## topic. If undefined we default to QoS 0.
## local-prefix and remote-prefix: For incoming topics, the bridge
## will prepend the pattern with the remote prefix and subscribe to
## the resulting topic on the remote broker.  When a matching
## incoming message is received, the remote prefix will be removed
## from the topic and then the local prefix added.
## For outgoing topics, the bridge will prepend the pattern with the
## local prefix and subscribe to the resulting topic on the local
## broker. When an outgoing message is processed, the local prefix
## will be removed from the topic then the remote prefix added.
##
## Acceptable values:
##   - text
## vmq_bridge.tcp.br0.topic.1 = topic

## Set the amount of time a bridge using the automatic start type will wait
## until attempting to reconnect. Defaults to 30 seconds.
##
## Default: 10
##
## Acceptable values:
##   - an integer
## vmq_bridge.tcp.br0.restart_timeout = 10

## If try_private is enabled, the bridge will attempt to indicate to the
## remote broker that it is a bridge not an ordinary client.
## Note that loop detection for bridges is not yet implemented.
##
## Default: on
##
## Acceptable values:
##   - on or off
## vmq_bridge.tcp.br0.try_private = on

## The cafile is used to define the path to a file containing
## the PEM encoded CA certificates that are trusted.
##
## Default:
##
## Acceptable values:
##   - the path to a file
## vmq_bridge.ssl.sbr0.cafile = /etc/vernemq/cacerts.pem

## Define the path to a folder containing
## the PEM encoded CA certificates that are trusted.
##
## Default:
##
## Acceptable values:
##   - the path to a file
## vmq_bridge.ssl.sbr0.capath = /etc/vernemq/cacerts

## Set the path to the PEM encoded server certificate.
##
## Default:
##
## Acceptable values:
##   - the path to a file
## vmq_bridge.ssl.sbr0.certfile = /etc/vernemq/cert.pem

## Set the path to the PEM encoded key file.
##
## Default:
##
## Acceptable values:
##   - the path to a file
## vmq_bridge.ssl.sbr0.keyfile = /etc/vernemq/key.pem

## When using certificate based TLS, the bridge will attempt to verify the
## hostname provided in the remote certificate matches the host/address being
## connected to. This may cause problems in testing scenarios, so this option
## may be enabled to disable the hostname verification.
## Setting this option to true means that a malicious third party could
## potentially impersonate your server, so it should always be disabled in
## production environments.
##
## Default: off
##
## Acceptable values:
##   - on or off
## vmq_bridge.ssl.sbr0.insecure = off

## Configure the TLS protocol version (tlsv1, tlsv1.1, or tlsv1.2) to be
## used for this bridge.
##
## Default: tlsv1.2
##
## Acceptable values:
##   - text
## vmq_bridge.ssl.sbr0.tls_version = tlsv1.2

## Pre-shared-key encryption provides an alternative to certificate based
## encryption. This option specifies the identity used.
##
## Default:
##
## Acceptable values:
##   - text
## vmq_bridge.ssl.sbr0.identity =

## Pre-shared-key encryption provides an alternative to certificate based
## encryption. This option specifies the shared secret used in hexadecimal
## format without leading '0x'.
##
## Default:
##
## Acceptable values:
##   - text
## vmq_bridge.ssl.sbr0.psk =

## Where to emit the default log messages (typically at 'info'
## severity):
## off: disabled
## file: the file specified by log.console.file
## console: to standard output (seen when using `vmq attach-direct`)
## both: log.console.file and standard out.
##
## Default: file
##
## Acceptable values:
##   - one of: off, file, console, both
log.console = file

## The severity level of the console log, default is 'info'.
##
## Default: info
##
## Acceptable values:
##   - one of: debug, info, warning, error
log.console.level = debug

## When 'log.console' is set to 'file' or 'both', the file where
## console messages will be logged.
##
## Default: /var/log/vernemq/console.log
##
## Acceptable values:
##   - the path to a file
log.console.file = /var/log/vernemq/console.log

## The file where error messages will be logged.
##
## Default: /var/log/vernemq/error.log
##
## Acceptable values:
##   - the path to a file
log.error.file = /var/log/vernemq/error.log

## When set to 'on', enables log output to syslog.
##
## Default: off
##
## Acceptable values:
##   - on or off
log.syslog = off

## Whether to enable the crash log.
##
## Default: on
##
## Acceptable values:
##   - on or off
log.crash = on

## If the crash log is enabled, the file where its messages will
## be written.
##
## Default: /var/log/vernemq/crash.log
##
## Acceptable values:
##   - the path to a file
log.crash.file = /var/log/vernemq/crash.log

## Maximum size in bytes of individual messages in the crash log
##
## Default: 64KB
##
## Acceptable values:
##   - a byte size with units, e.g. 10GB
log.crash.maximum_message_size = 64KB

## Maximum size of the crash log in bytes, before it is rotated
##
## Default: 10MB
##
## Acceptable values:
##   - a byte size with units, e.g. 10GB
log.crash.size = 10MB

## The schedule on which to rotate the crash log. For more
## information see:
## https://github.com/basho/lager/blob/master/README.md#internal-log-rotation
##
## Default: $D0
##
## Acceptable values:
##   - text
log.crash.rotation = $D0

## The number of rotated crash logs to keep. When set to
## 'current', only the current open log file is kept.
##
## Default: 5
##
## Acceptable values:
##   - an integer
##   - the text "current"
log.crash.rotation.keep = 5

## Name of the Erlang node
##
## Default: VerneMQ@127.0.0.1
##
## Acceptable values:
##   - text
nodename = VerneMQ@127.0.0.1

## Cookie for distributed node communication.  All nodes in the
## same cluster should use the same cookie or they will not be able to
## communicate.
## IMPORTANT!!! SET the cookie to a private value! DO NOT LEAVE AT DEFAULT!
##
## Default: vmq
##
## Acceptable values:
##   - text
distributed_cookie = vmq

## Sets the number of threads in async thread pool, valid range
## is 0-1024. If thread support is available, the default is 64.
## More information at: http://erlang.org/doc/man/erl.html
##
## Default: 64
##
## Acceptable values:
##   - an integer
erlang.async_threads = 64

## The number of concurrent ports/sockets
## Valid range is 1024-134217727
##
## Default: 262144
##
## Acceptable values:
##   - an integer
erlang.max_ports = 262144

## Set scheduler forced wakeup interval. All run queues will be
## scanned each Interval milliseconds. While there are sleeping
## schedulers in the system, one scheduler will be woken for each
## non-empty run queue found. An Interval of zero disables this
## feature, which also is the default.
## This feature is a workaround for lengthy executing native code, and
## native code that do not bump reductions properly.
## More information: http://www.erlang.org/doc/man/erl.html#+sfwi
##
## Acceptable values:
##   - an integer
## erlang.schedulers.force_wakeup_interval = 500

## Enable or disable scheduler compaction of load. By default
## scheduler compaction of load is enabled. When enabled, load
## balancing will strive for a load distribution which causes as many
## scheduler threads as possible to be fully loaded (i.e., not run out
## of work). This is accomplished by migrating load (e.g. runnable
## processes) into a smaller set of schedulers when schedulers
## frequently run out of work. When disabled, the frequency with which
## schedulers run out of work will not be taken into account by the
## load balancing logic.
## More information: http://www.erlang.org/doc/man/erl.html#+scl
##
## Acceptable values:
##   - one of: true, false
## erlang.schedulers.compaction_of_load = false

## Enable or disable scheduler utilization balancing of load. By
## default scheduler utilization balancing is disabled and instead
## scheduler compaction of load is enabled which will strive for a
## load distribution which causes as many scheduler threads as
## possible to be fully loaded (i.e., not run out of work). When
## scheduler utilization balancing is enabled the system will instead
## try to balance scheduler utilization between schedulers. That is,
## strive for equal scheduler utilization on all schedulers.
## More information: http://www.erlang.org/doc/man/erl.html#+sub
##
## Acceptable values:
##   - one of: true, false
## erlang.schedulers.utilization_balancing = true

## This parameter defines the percentage of total server memory
## to assign to LevelDB. LevelDB will dynamically adjust its internal
## cache sizes to stay within this size.  The memory size can
## alternately be assigned as a byte count via leveldb.maximum_memory
## instead.
##
## Default: 70
##
## Acceptable values:
##   - an integer
leveldb.maximum_memory.percent = 70

########## Start ##########
erlang.distribution.port_range.minimum = 9100
erlang.distribution.port_range.maximum = 9109
listener.tcp.default = 172.17.0.2:1883
listener.ws.default = 172.17.0.2:8080
listener.vmq.clustering = 172.17.0.2:44053
listener.http.metrics = 172.17.0.2:8888
########## End ##########

@larshesel

I don't see any real issue with the config file except that you have quite a lot of listeners configured. Are you 100% sure you're connecting to the one on port 8084?

Afaict these are the configured listeners:

listener.tcp.default = 127.0.0.1:1883
listener.tcp.default = 172.17.0.2:1883
listener.ws.default = 172.17.0.2:8080
listener.wss.default = 0.0.0.0:8084
listener.ssl.default = 0.0.0.0:8883

Which websocket/mqtt client are you using?
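The listener tally above is easy to get wrong by eye in a file this long, so here is a small lint, added as an example for this thread and not VerneMQ project code, that parses the flat `key = value` format of vernemq.conf, reports which listeners are actually bound (last definition wins), flags duplicate keys and options addressed to a listener name that is never bound, and checks that every ssl/wss listener relying on use_identity_as_username also has require_certificate and a cafile, as the config's own comments require. The sample input is a constructed excerpt of the config posted above.

```python
"""Lint a VerneMQ vernemq.conf for listener / client-certificate consistency."""
import re
from collections import OrderedDict

PROTOCOLS = ("tcp", "ssl", "ws", "wss")
# Per-protocol / per-listener option names from the config comments; any other
# third path segment after listener.<proto>. is taken to be a listener name.
LISTENER_OPTIONS = {
    "max_connections", "nr_of_acceptors", "mountpoint", "cafile", "certfile",
    "keyfile", "ciphers", "crlfile", "require_certificate", "tls_version",
    "use_identity_as_username",
}
KV_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*=\s*(.*?)\s*$")

# Constructed excerpt of the vernemq.conf posted in the issue (not the full file).
SAMPLE_CONF = """\
allow_anonymous = on
listener.tcp.default = 127.0.0.1:1883
listener.ssl.default = 0.0.0.0:8883
listener.wss.default = 0.0.0.0:8084
listener.ssl.cafile = /etc/vernemq/cacert.pem
listener.wss.cafile = /etc/vernemq/cacert.pem
## listener.ssl.require_certificate = off
listener.wss.require_certificate = on
listener.ssl.use_identity_as_username = on
listener.wss.use_identity_as_username = on
listener.wss.default.use_identity_as_username = on
listener.wss.mqttwss.use_identity_as_username = on
plugins.vmq_passwd = off
plugins.vmq_acl = on
########## Start ##########
listener.tcp.default = 172.17.0.2:1883
listener.ws.default = 172.17.0.2:8080
listener.vmq.clustering = 172.17.0.2:44053
listener.http.metrics = 172.17.0.2:8888
########## End ##########
"""


def parse_conf(text):
    """Return (settings, duplicates); for a repeated key the last value wins."""
    settings, duplicates = OrderedDict(), []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key in settings:
            duplicates.append((key, settings[key], value))
        settings[key] = value
    return settings, duplicates


def listeners(settings):
    """Map (proto, name) -> bind address for every MQTT listener definition."""
    found = {}
    for key, value in settings.items():
        p = key.split(".")
        if len(p) == 3 and p[0] == "listener" and p[1] in PROTOCOLS \
                and p[2] not in LISTENER_OPTIONS:
            found[(p[1], p[2])] = value
    return found


def effective(settings, proto, name, option):
    """Listener-level value overrides the protocol-level value."""
    for key in (f"listener.{proto}.{name}.{option}", f"listener.{proto}.{option}"):
        if key in settings:
            return settings[key]
    return None


def lint(text):
    """Return (bound listeners, list of human-readable problems)."""
    settings, dups = parse_conf(text)
    bound = listeners(settings)
    problems = [f"duplicate key {k}: {a!r} overridden by {b!r}" for k, a, b in dups]
    # An option addressed to a listener name that is never bound does nothing.
    for key in settings:
        p = key.split(".")
        if len(p) == 4 and p[0] == "listener" and p[1] in PROTOCOLS \
                and p[3] in LISTENER_OPTIONS and (p[1], p[2]) not in bound:
            problems.append(f"{key} targets undefined listener {p[1]}.{p[2]}")
    for (proto, name), addr in bound.items():
        if proto not in ("ssl", "wss"):
            continue
        if effective(settings, proto, name, "use_identity_as_username") == "on":
            if effective(settings, proto, name, "require_certificate") != "on":
                problems.append(f"{proto}.{name} ({addr}): use_identity_as_username=on "
                                "but require_certificate is not on")
            if not effective(settings, proto, name, "cafile"):
                problems.append(f"{proto}.{name} ({addr}): no cafile to verify client certs")
    return bound, problems


if __name__ == "__main__":
    bound, problems = lint(SAMPLE_CONF)
    for (proto, name), addr in bound.items():
        print(f"listener.{proto}.{name} = {addr}")
    for problem in problems:
        print("WARNING:", problem)
```

On the excerpt it lists four bound listeners and warns about the second listener.tcp.default, the mqttwss option with no matching listener, and ssl.default having use_identity_as_username without require_certificate.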


mmanes commented Jan 10, 2018

I'm using the golang paho client library with the URL wss://127.0.0.1:8084/mqtt.

@larshesel

I finally had time to look closer into this and I can reproduce this problem.

@larshesel

We just merged a fix for this issue to master.
