MQTT Authentication relies on TLS cache problem


  • A device send CONNECT message to HiveMQ broker with wrong credentials over TLS. Clean Session Flag is set to 1
  • HiveMQ broker sends CONNACK back to client with Return Code Response is 0x05
  • The device reconnect again with valid credentials. However, HiveMQ broker continues to refuse connection by sending CONNACK back to client with Return Code Response is 0x05. The ISSUE is here

If I reset device and then connect with valid credentials, the device connected to the broker successfully. The HiveMQ broker returns “0x00 Connection Accepted” in CONNACK .

I think that HiveMQ broker ignores the authentication result from extension and uses the cache information in TLS to decide whether device is authenticated or not (when reconnecting)

I used the HiveMQ extension, I am able to know that in the re-connection, my extension worked well.

Could you please tell me how to solve it?

Thank you in advance,
Best regards,


Would you be so kind and share more details about the setup you are testing with?
Are you using the latest version of HiveMQ. Which extensions are being loaded?

May we see an excerpt of your config.xml?
The and section are of particular interest.

Any relevant log output would also be helpful.

Finn from the HiveMQ team