MQTT Security with TLS: Secure Mosquitto MQTT Broker
Introduction
As IoT projects move beyond simple experiments and begin handling real devices, security becomes a critical consideration. A temperature sensor might seem harmless, but many MQTT deployments control lighting systems, door locks, industrial equipment, irrigation systems, and other connected devices.
By default, MQTT traffic is transmitted in plain text. Anyone on the same network can potentially inspect messages, view sensitive information, or even publish malicious commands to devices.
This is why securing your MQTT broker should be one of the first steps after getting your MQTT infrastructure running.
In this tutorial, you’ll learn how to protect MQTT communication using TLS encryption and user authentication. By the end, your Mosquitto broker will only accept encrypted connections from authorized clients.
Why MQTT Security Matters
Imagine a smart home system using MQTT:
ESP32 → MQTT Broker → Smart Relay
If the broker is unsecured, an attacker on the network could:
- Read sensor data
- Publish fake commands
- Control connected devices
- Capture usernames and passwords
- Intercept private information
Even home lab projects benefit from basic security practices.
Understanding MQTT Security Layers
MQTT security typically consists of two layers:
Authentication
Authentication verifies who is connecting.
Examples:
- Username and password
- Client certificates
Encryption
Encryption protects data during transmission.
Examples:
- TLS
- SSL
Without encryption, messages can be intercepted.
What is TLS?
TLS (Transport Layer Security) encrypts communication between MQTT clients and the broker.
Benefits include:
- Data confidentiality
- Protection against eavesdropping
- Message integrity
- Identity verification
Instead of sending:
Temperature: 28.5°C
as plain text, TLS converts the data into encrypted packets that cannot be easily read by others.
MQTT Ports and Security
Common MQTT ports:
| Port | Purpose |
|---|---|
| 1883 | Standard MQTT |
| 8883 | MQTT over TLS |
After enabling TLS, clients should use port 8883.
Security Architecture
A secure MQTT deployment looks like:

All communication is encrypted.
Step 1: Create a Certificate Directory
Create a folder for certificates.
sudo mkdir /etc/mosquitto/certs
cd /etc/mosquitto/certs
Step 2: Generate a CA Certificate
Generate a private key.
openssl genrsa -out ca.key 2048
Create a CA certificate.
openssl req -new -x509 -days 3650 \
-key ca.key \
-out ca.crt
This certificate will be used to sign client and broker certificates.
Step 3: Generate Broker Certificate
Create broker private key.
openssl genrsa -out server.key 2048
Generate certificate request.
openssl req -new \
-key server.key \
-out server.csr
Sign the certificate.
openssl x509 \
-req \
-in server.csr \
-CA ca.crt \
-CAkey ca.key \
-CAcreateserial \
-out server.crt \
-days 365
Step 4: Configure Mosquitto
Open configuration file.
sudo nano /etc/mosquitto/conf.d/tls.conf
Add:
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
allow_anonymous false
Save the file.
Step 5: Create MQTT User Authentication
Create a password file.
sudo mosquitto_passwd -c \
/etc/mosquitto/passwd mqttuser
Enter a strong password.
Add to configuration:
password_file /etc/mosquitto/passwd
Step 6: Restart Mosquitto
sudo systemctl restart mosquitto
Verify:
sudo systemctl status mosquitto
Step 7: Test Secure MQTT Connection
Subscribe:
mosquitto_sub \
-h localhost \
-p 8883 \
--cafile ca.crt \
-u mqttuser \
-P yourpassword \
-t secure/test
Publish:
mosquitto_pub \
-h localhost \
-p 8883 \
--cafile ca.crt \
-u mqttuser \
-P yourpassword \
-t secure/test \
-m "Secure MQTT Message"
If configured correctly, the subscriber receives the encrypted message.
Securing ESP32 MQTT Connections
For production deployments:
- Store CA certificate in flash memory
- Verify broker certificate
- Use secure Wi-Fi credentials
- Avoid hardcoded passwords when possible
TLS increases security significantly compared to unsecured MQTT.
Security Best Practices
Use Strong Passwords
Avoid:
admin123
password
mqtt
Use long, unique passwords.
Disable Anonymous Access
Always use:
allow_anonymous false
Separate Topics
Good:
home/livingroom/temperature
factory/machine01/status
Avoid dumping everything into generic topics.
Keep Software Updated
Regularly update:
- Mosquitto
- Raspberry Pi OS
- Node-RED
- ESP32 libraries
Security vulnerabilities are often fixed through updates.
Common Security Mistakes
Using Port 1883 on Public Networks
Always use TLS when exposing MQTT externally.
Sharing Certificates
Each deployment should have its own certificates.
Weak Passwords
Strong authentication is essential.
Ignoring Updates
Outdated software increases risk.
Secure vs Unsecured MQTT comparison
Conclusion
MQTT is lightweight and efficient, but security should never be an afterthought. By enabling TLS encryption and user authentication, you can significantly reduce the risk of unauthorized access and protect data moving between IoT devices and your broker.
Whether you’re building a smart home, industrial monitoring system, or cloud-connected application, securing MQTT communication is a critical step toward a reliable and professional IoT deployment.
Frequently Asked Questions
Is MQTT secure by default?
No. Standard MQTT communication on port 1883 is not encrypted.
What is the difference between SSL and TLS?
TLS is the modern and more secure successor to SSL.
Which port is used for MQTT TLS?
Port 8883 is commonly used for MQTT over TLS.
Can ESP32 use MQTT with TLS?
Yes. ESP32 supports secure MQTT connections using certificates.
Should I disable anonymous MQTT access?
Yes. User authentication should be enabled whenever possible.
Is TLS necessary for home projects?
Even in home labs, TLS helps prevent unauthorized access and encourages good security practices.

