Skip to content

fix(mqtt sink, mqtt source): honor tls.alpn_protocols instead of hardcoding "mqtt"#25807

Open
frank-hivewatch wants to merge 1 commit into
vectordotdev:masterfrom
hivewatch:fix/mqtt-alpn-protocols-25805
Open

fix(mqtt sink, mqtt source): honor tls.alpn_protocols instead of hardcoding "mqtt"#25807
frank-hivewatch wants to merge 1 commit into
vectordotdev:masterfrom
hivewatch:fix/mqtt-alpn-protocols-25805

Conversation

@frank-hivewatch

Copy link
Copy Markdown

Summary

The mqtt sink and source built the rumqttc TLS transport with a hardcoded ALPN list of ["mqtt"], ignoring the user-configured tls.alpn_protocols even though it is a documented and accepted TLS option. As a result, setting tls.alpn_protocols had no effect on MQTT connections.

The most common impact is that the MQTT sink/source cannot connect to AWS IoT Core over port 443. On its default endpoints, AWS IoT Core requires clients using X.509 client-certificate authentication on port 443 to negotiate the ALPN protocol name x-amzn-mqtt-ca; the bare mqtt name is only accepted for custom authentication. Port 443 is often the only reachable option for deployments behind firewalls that block the non-standard MQTT port 8883.

This PR threads the configured tls.alpn_protocols into the rumqttc TlsConfiguration::Simple { alpn, .. }, falling back to ["mqtt"] only when the option is unset — so existing behavior is preserved for anyone who did not set it.

Vector configuration

sinks:
  iot_core:
    type: mqtt
    inputs: [events]
    host: "REDACTED-ats.iot.us-west-2.amazonaws.com"
    port: 443
    topic: "example/topic"
    encoding:
      codec: json
    tls:
      enabled: true
      ca_file: /etc/vector/AmazonRootCA1.pem
      crt_file: /etc/vector/thing-cert.pem
      key_file: /etc/vector/thing-key.pem
      server_name: "REDACTED-ats.iot.us-west-2.amazonaws.com"
      alpn_protocols: ["x-amzn-mqtt-ca"]   # now honored (previously ignored)

How did you test this PR?

  • cargo check --no-default-features --features sinks-mqtt,sources-mqtt passes.
  • Confirmed the configured tls.alpn_protocols values are passed through as the ALPN
    protocol list (each protocol name as raw bytes), and that an unset option still yields
    the previous ["mqtt"] default.
  • The AWS IoT Core side was independently verified to accept the x-amzn-mqtt-ca ALPN on
    port 443 with the same X.509 client certificate via
    openssl s_client -connect <endpoint>:443 -alpn x-amzn-mqtt-ca -servername <endpoint> -CAfile AmazonRootCA1.pem -cert thingCert.crt -key privKey.key
    (Verify return code: 0), which is the negotiation Vector previously could not perform.

Change Type

  • Bug fix
  • New feature
  • Dependencies
  • Non-functional (chore, refactoring, docs)
  • Performance

Is this a breaking change?

  • Yes
  • No

Does this PR include user facing changes?

  • Yes. Please add a changelog fragment based on our guidelines.
  • No. A maintainer will apply the no-changelog label to this PR.

References

Notes

  • The same one-line hardcode existed in both src/sinks/mqtt/config.rs and
    src/sources/mqtt/config.rs; both are fixed here.
  • No dependency changes (Cargo.lock untouched).

…coding "mqtt"

The MQTT sink and source built the rumqttc TLS transport with a hardcoded
ALPN list of ["mqtt"], ignoring the user-configured tls.alpn_protocols even
though it is a documented, accepted option. This prevented connecting to
endpoints that require a specific ALPN protocol name, notably AWS IoT Core
over port 443, which requires "x-amzn-mqtt-ca" for X.509 mutual-TLS auth.

Both now read tls.alpn_protocols from the config and fall back to "mqtt"
only when it is unset, preserving existing behavior.

Fixes vectordotdev#25805
@frank-hivewatch
frank-hivewatch requested a review from a team as a code owner July 11, 2026 16:52
@github-actions github-actions Bot added domain: sources Anything related to the Vector's sources domain: sinks Anything related to the Vector's sinks labels Jul 11, 2026
@github-actions

Copy link
Copy Markdown
Contributor

Thank you for your contribution! Before we can merge this PR, please sign our Contributor License Agreement.

To sign, copy and post the phrase below as a new comment on this PR.

Note: If the bot says your username was not found, the email used in your git commit may not be linked to your GitHub account. Fix this at github.com/settings/emails, then comment recheck to retry.


I have read the CLA Document and I hereby sign the CLA


You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

@datadog-vectordotdev

Copy link
Copy Markdown

Pipelines

⚠️ Warnings

🚦 1 Pipeline job failed

CLA Assistant | CLAAssistant   View in Datadog   GitHub Actions

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 401d86e | Docs | Give us feedback!

@frank-hivewatch

Copy link
Copy Markdown
Author

I have read the CLA Document and I hereby sign the CLA

@frank-hivewatch

Copy link
Copy Markdown
Author

recheck

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

domain: sinks Anything related to the Vector's sinks domain: sources Anything related to the Vector's sources

Projects

None yet

Development

Successfully merging this pull request may close these issues.

MQTT sink ignores tls.alpn_protocols and hardcodes ALPN to ["mqtt"]

2 participants