# MQTT Bridge TLS

DodaTech 1 min read

This tutorial covers the "connection refused" failure of an MQTT bridge over TLS: the key concepts, a practical example, and best practices.

## The Problem

An MQTT bridge that is meant to use TLS encryption fails to connect to the remote broker.

## Quick Fix

### Wrong

```
connection remote-tls
address remote-broker.example.com:8883
# No TLS config: sends plain text to the TLS port
```

Connection refused. Broker expects TLS, bridge sends plain MQTT.


### Right

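```
# Mosquitto bridge with TLS
connection remote-tls
address remote-broker.example.com:8883
# Valid values are mqttv31, mqttv311 and mqttv50 (no hyphen)
bridge_protocol_version mqttv311
# Keep server hostname verification enabled
bridge_insecure false

# Bridge-side TLS options (plain tls_version applies to listeners, not bridges)
bridge_tls_version tlsv1.2
bridge_cafile /etc/mosquitto/certs/ca.pem
bridge_certfile /etc/mosquitto/certs/client.pem
bridge_keyfile /etc/mosquitto/certs/client.key

try_private false
start_type automatic
cleansession false
keepalive_interval 30

# Publish sensor data outwards and receive commands, both at QoS 2
topic sensor/# out 2
topic command/# in 2
```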


TLS bridge established. All traffic encrypted (AES-256-GCM).


## Prevention

An MQTT bridge over TLS must initiate the TLS handshake itself. It needs a CA cert (to verify the server) plus a client cert and key (for mutual TLS, if the broker requires it). Use port 8883 for MQTT+TLS. Set bridge_tls_version to match the broker (TLS 1.2+). Set bridge_insecure false to verify the server certificate. For self-signed certs, add bridge_cafile but keep bridge_insecure false.
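The checks in this section can be run against a config file before it is deployed. The linter below is an added example, not code from the original page or from the Mosquitto project; the finding codes, bridge names and sample config are constructed for illustration, and it only recognises the options named on this page plus bridge_capath.

```python
WEAK_TLS = {"tlsv1", "tlsv1.1"}  # versions below the page's TLS 1.2 minimum
def parse_bridges(conf_text):
    """Collect the options that follow each `connection <name>` line."""
    bridges, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        # Only a '#' in column one starts a comment; in "topic sensor/#" it is a wildcard.
        if not line or raw.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "connection":
            current = bridges.setdefault(value.strip(), {})
        elif current is not None and key != "topic":
            current[key] = value.strip()
    return bridges

def lint_bridge(opts):
    """Return sorted finding codes (hypothetical names) for one bridge's options."""
    findings = set()
    if not any(k in opts for k in ("bridge_cafile", "bridge_capath", "bridge_psk")):
        findings.add("no-tls")              # bridge will speak plain MQTT
    if opts.get("bridge_insecure", "false") == "true":
        findings.add("hostname-check-off")  # server hostname is not verified
    if opts.get("bridge_tls_version") in WEAK_TLS:
        findings.add("weak-tls-version")
    if "tls_version" in opts:
        findings.add("listener-option")     # bridges use bridge_tls_version
    if ("bridge_certfile" in opts) != ("bridge_keyfile" in opts):
        findings.add("cert-key-unpaired")   # mutual TLS needs both files
    return sorted(findings)

def lint(conf_text):
    return {name: lint_bridge(o) for name, o in parse_bridges(conf_text).items()}

# Constructed sample config; host and paths are placeholders.
SAMPLE = """\
connection plain-to-8883
address remote-broker.example.com:8883
topic sensor/# out 2
connection sloppy-tls
address remote-broker.example.com:8883
bridge_cafile /etc/mosquitto/certs/ca.pem
bridge_certfile /etc/mosquitto/certs/client.pem
bridge_insecure true
tls_version tlsv1.2
bridge_tls_version tlsv1.1
"""
if __name__ == "__main__":
    print(lint(SAMPLE))
```

An empty list for a bridge means none of these specific mistakes were found, not that the bridge is proven secure.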

DodaTech engineers apply these same patterns across Doda Browser, DodaZIP, and Durga Antivirus Pro for production IoT reliability.

## FAQ

### Self-signed certs OK?

Yes. Place the self-signed CA PEM as bridge_cafile and keep bridge_insecure false. Set bridge_insecure true only for testing (NOT production).

### What TLS version?

TLS 1.2 minimum. TLS 1.0/1.1 are deprecated. TLS 1.3 is supported in Mosquitto 2.0+ (faster handshake).

### Need PSK config?

X.509 is standard. For Pre-Shared Key, use bridge_psk and bridge_identity instead of cert files. PSK is simpler but less secure.
