TLS1.3 hivemq broker


How can we configure secure TLS 1.3 for hivemq broker ?

Thanks !

Hello Rahul,

You can achieve this by setting it in the <protocols> tag in your HiveMQ configuration:




- Yannick

1 Like

Hi @YannickWeber ,

Thanks for your support !

Do we have any specific mqtt client for to test TLSv1.3 because I feel like mqttfx does not support TLSv1.3 ??

Thanks !

Hello Rahul,

Option 1

If you are familiar with java coding you can always use our MQTT Client.


import com.hivemq.client.mqtt.MqttClient;
import com.hivemq.client.mqtt.mqtt5.Mqtt5BlockingClient;
import org.jetbrains.annotations.NotNull;

import java.nio.file.Path;
import java.util.List;

import static com.hivemq.client.mqtt.MqttGlobalPublishFilter.ALL;
import static java.nio.charset.StandardCharsets.UTF_8;

public class TlsClientExample {

    public static void main(final String @NotNull [] args) throws Exception {

        final String host = "your-host";
        final String username = "your-username";
        final String password = "your-password";

        final Path keystorePath = Path.of("/path/to/keystore.jks");
        final String privateKeyPassword = "private-key-password";
        final String keystorePassword = "keystore-password";
        final Path trustStorePath = Path.of("/path/to/truststore.jks");
        final String trustStorePassword = "trust-store-password";

        //create an MQTT client
        final Mqtt5BlockingClient client = MqttClient.builder()
                    .hostnameVerifier((hostname, session) -> true)
                    .trustManagerFactory(buildTrustManagerFactoryFromJKS(trustStorePath, trustStorePassword))
                    .keyManagerFactory(buildKeyManagerFactoryFromJKS(keystorePath, keystorePassword, privateKeyPassword))

        //connect to HiveMQ Cloud with TLS and username/pw

        System.out.println("Connected successfully");

        //subscribe to the topic "my/test/topic"

        //set a callback that is called when a message is received (using the async API style)
        client.toAsync().publishes(ALL, publish -> {
            System.out.println("Received message: " + publish.getTopic() + " -> " + UTF_8.decode(publish.getPayload().get()));

            //disconnect the client after a message was received

        //publish a message to the topic "my/test/topic"

    public static @NotNull KeyManagerFactory buildKeyManagerFactoryFromJKS(
            final @NotNull Path keyStorePath,
            final @NotNull String jksPassword,
            final @NotNull String clientKeyPassword) throws Exception {

        final KeyManagerFactory keyManagerFactory =
        final KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream(keyStorePath.toFile()), jksPassword.toCharArray());
        keyManagerFactory.init(ks, clientKeyPassword.toCharArray());
        return keyManagerFactory;

    public static @NotNull TrustManagerFactory buildTrustManagerFactoryFromJKS(
            final @NotNull Path truststorePath,
            final @NotNull String password) throws Exception {

        final char[] checkedPassword = password.toCharArray();
        final TrustManagerFactory trustManagerFactory =
        final KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream(truststorePath.toFile()), checkedPassword);
        return trustManagerFactory;

Option 2

Another option is to use our MQTT CLI:

mqtt pub -h localhost -p 8883 -i myClient --capath /path/to/ca.pem --tls-version TLSv1.3 --cert /path/to/cert.pem --key /path/to/key.pem

Option 3

A third option would be to try: CorreoMQTT. I am not quite sure if it supports TLSv1.3 but it is based on the hivemq-mqtt-client so there would be a chance.

- Yannick


Hi @YannickWeber ,

Thanks for your support !

Iā€™m able to connect the broker now with TLSv1.3 there is some additional JRE version which support the tls1.3.

This code will really help me to understand better.