Topic: Announcing wolfMQTT v2.0.0: A Lightweight Built-In MQTT Broker

We are excited to announce the release of wolfMQTT v2.0.0, a major milestone that introduces a brand-new lightweight MQTT broker as its headline feature. This release represents a significant evolution of the wolfMQTT library, expanding it from a client-only library into a complete MQTT solution for embedded systems, IoT gateways, and edge computing applications.

Lightweight MQTT Broker
The centerpiece of wolfMQTT v2.0.0 is a fully featured, production-ready MQTT broker built right into the library. Designed with the same embedded-first philosophy that drives all wolfSSL products, the broker delivers a rich feature set while maintaining a small footprint suitable for resource-constrained environments.

Broker Highlights

  • Full MQTT v3.1.1 and v5 Protocol Support — The broker handles both protocol versions, ensuring compatibility with a wide range of MQTT clients and devices.

  • Retained Messages — The broker stores retained messages and automatically delivers them to new subscribers matching the topic filter. Message expiry intervals (MQTT v5) are supported, and retained messages can be cleared by publishing an empty payload with the retain flag set.

  • Session Persistence — When clients connect with clean_session=0, subscriptions are preserved across disconnections. Reconnecting clients with the same client ID will have their previous subscriptions restored automatically.

  • QoS 0, 1, and 2 — Full quality-of-service support with proper packet ID management, effective QoS calculation (minimum of publish QoS and subscription QoS), and complete PUBREC/PUBREL/PUBCOMP handling for QoS 2 flows.

  • Last Will and Testament (LWT) — Clients can register will messages that are published automatically upon unexpected disconnection. The broker supports will delay intervals (MQTT v5) and will retain flags.

  • Wildcard Topic Matching — Full support for MQTT single-level (+) and multi-level (#) wildcard subscriptions, with proper handling of $-prefixed system topics per the MQTT specification.

  • Authentication — Username/password authentication with constant-time string comparison to prevent timing attacks. Credentials are securely wiped from memory using wc_ForceZero().
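The wildcard rules listed above, including the MQTT rule that a filter beginning with a wildcard must not match a $-prefixed topic, can be shown as a small matcher. This is an added example, not wolfMQTT's own code; the function name topic_matches() is invented here.

```c
#include <stddef.h>
#include <string.h>

/* Return 1 if `topic` (a PUBLISH topic name) matches `filter` (a SUBSCRIBE
 * topic filter) under the MQTT wildcard rules, 0 otherwise.
 * topic_matches() is a name invented for this example. */
int topic_matches(const char *filter, const char *topic)
{
    const char *f = filter, *t = topic;

    if (filter == NULL || topic == NULL || *filter == '\0' || *topic == '\0')
        return 0;
    /* Topic names must not contain wildcards themselves. */
    if (strpbrk(topic, "+#") != NULL)
        return 0;
    /* A filter starting with a wildcard never matches a $-prefixed topic. */
    if (topic[0] == '$' && (filter[0] == '+' || filter[0] == '#'))
        return 0;

    while (*f != '\0') {
        int level_start = (f == filter || f[-1] == '/');
        if (*f == '#') {
            /* '#' must fill the last level; it matches everything left. */
            return level_start && f[1] == '\0';
        }
        if (*f == '+') {
            /* '+' must fill one whole level; skip that level in topic. */
            if (!level_start || (f[1] != '\0' && f[1] != '/'))
                return 0;
            while (*t != '\0' && *t != '/')
                t++;
            f++;
            continue;
        }
        if (*t == '\0') {
            /* Topic exhausted: "a/#" still matches the parent "a". */
            return f[0] == '/' && f[1] == '#' && f[2] == '\0';
        }
        if (*f != *t)
            return 0;
        f++;
        t++;
    }
    return *t == '\0';
}
```

A subscription to "#" therefore sees ordinary topics but not "$SYS/..." topics, which need an explicit "$SYS/#" filter.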

TLS and Dual-Port Listening
The broker supports simultaneous plain-text and TLS-encrypted listeners on separate ports (default 1883 and 8883). TLS configuration includes support for TLS 1.2 and 1.3, server certificates, and mutual TLS authentication with client certificate verification. A TLS-only mode is also available for environments that require encrypted connections exclusively.

WebSocket Transport
wolfMQTT v2.0.0 adds WebSocket transport support to the broker, enabling browser-based and web clients to connect using MQTT over WebSockets. This opens up new use cases for real-time dashboards, web-based device management, and hybrid IoT architectures.

wolfIP Integration
For deeply embedded systems, the broker integrates with wolfIP, wolfSSL’s lightweight embedded TCP/IP stack. This combination allows wolfMQTT to run on bare-metal systems without a full operating system or third-party networking stack. The broker provides a cooperative MqttBroker_Step() API for single-iteration execution, making it ideal for super-loop and RTOS-based embedded architectures.

Designed for Embedded Systems
The broker was built with embedded constraints in mind:

  • Static Memory Mode — Pre-allocated arrays eliminate the need for dynamic memory allocation, with configurable limits for clients, subscriptions, retained messages, and buffer sizes.

  • Dynamic Allocation Mode — For systems with more resources, dynamic allocation provides flexible sizing.

  • Pluggable Network Backend — A callback-based network abstraction supports POSIX sockets, wolfIP, and custom implementations.

  • Two Execution Models — Choose between a blocking MqttBroker_Run() main loop or a non-blocking MqttBroker_Step() for cooperative multitasking.

Easy to Configure
The broker includes a command-line interface for quick setup:

-p      Plain port (default: 1883)
-s      TLS port (default: 8883)
-t      Enable TLS support
-V      TLS version (12 or 13)
-c      Server certificate (PEM)
-K      Server private key (PEM)
-A      CA certificate for mutual TLS
-u      Username for authentication
-P      Password for authentication
-w      WebSocket listen port
-v      Log level: 1=error, 2=info, 3=debug

Build-time configuration is equally flexible, with granular feature toggles:

--enable-broker                    # Enable broker
--disable-broker-retained          # Disable retained messages
--disable-broker-will              # Disable LWT support
--disable-broker-wildcards         # Disable wildcard subscriptions
--disable-broker-auth              # Disable authentication
--disable-broker-insecure          # Disable plain-text listener

Security Hardening
This release includes significant security improvements across the entire library:

  • Added overflow checks in network and socket IO

  • Added validation checks for negative return values in decode functions

  • Added encoding error checks throughout the packet processing pipeline

  • Added remaining length validation

  • Static analysis fixes across MQTT and MQTT-SN code paths

  • Added a debug warning when using VERIFY_NONE for TLS

  • Race condition fix in wm_SemLock
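As an illustration of what Remaining Length validation covers under the MQTT specification (a field of at most four bytes, read only from bytes actually received, checked against a receiver limit), the following is an added example and not wolfMQTT's code. The names decode_remaining_length(), the RL_* codes and the max_body parameter are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

#define RL_OK          0
#define RL_TRUNCATED  -1   /* buffer ends inside the length field */
#define RL_MALFORMED  -2   /* continuation bit still set on the 4th byte */
#define RL_TOO_LARGE  -3   /* declared body exceeds the receiver's limit */

/* Decode the Remaining Length field that follows the first fixed-header
 * byte. buf/len: bytes received so far (buf[0] is the type/flags byte).
 * max_body: largest packet body the caller is willing to buffer.
 * On RL_OK, *body_len holds the value and *hdr_len the fixed-header size.
 * All names here are invented for this example. */
int decode_remaining_length(const uint8_t *buf, size_t len, uint32_t max_body,
                            uint32_t *body_len, size_t *hdr_len)
{
    uint32_t value = 0;
    size_t i;

    if (buf == NULL || body_len == NULL || hdr_len == NULL)
        return RL_MALFORMED;
    for (i = 1; i <= 4; i++) {
        if (i >= len)
            return RL_TRUNCATED;           /* never read past the buffer */
        value |= (uint32_t)(buf[i] & 0x7F) << (7 * (i - 1));
        if ((buf[i] & 0x80) == 0) {        /* last byte of the field */
            if (value > max_body)
                return RL_TOO_LARGE;       /* reject before buffering */
            *body_len = value;
            *hdr_len = i + 1;
            return RL_OK;
        }
    }
    return RL_MALFORMED;                   /* field longer than 4 bytes */
}
```

Distinct return codes let the caller wait for more data on RL_TRUNCATED but drop the connection on RL_MALFORMED or RL_TOO_LARGE.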

Fuzzing Infrastructure
wolfMQTT v2.0.0 introduces a libFuzzer-based fuzzing infrastructure for the broker, enabling automated discovery of edge cases and potential security issues. This infrastructure was used during development to identify and fix multiple issues before release.

Additional Improvements

  • wolfIP Client Support — In addition to the broker, wolfIP support has been added for the MQTT client, enabling client connections on bare-metal embedded systems.

  • lastError Field — A new lastError field in the network context preserves TLS error codes for improved diagnostics.

  • Bug Fixes — Numerous fixes for MQTT-SN encode/decode, wildcard matching, LWT handling, curl transport, and more.

  • CI Enhancements — New CI workflows for codespell, multi-compiler testing, and sanitizer tests, plus expanded broker edge case testing.

About wolfMQTT
The wolfMQTT library is a client and broker implementation of the MQTT protocol, written in C and optimized for embedded and RTOS environments. It supports MQTT v3.1.1 and v5, MQTT Sensor Network (MQTT-SN), TLS encryption via wolfSSL, QoS levels 0–2, and a wide range of platforms including FreeRTOS, ThreadX/NetX, Zephyr, ChibiOS, MQX/RTCS, Harmony, and more.

Download
wolfMQTT v2.0.0 is available now:
GitHub — Show us some love and give the wolfMQTT project a Star!
wolfSSL Downloads

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.
