Version 1.20.0 contains one security fix and four new features:
Security fix
- In outgoing bridge connections, using ca_file or ca_dir had the issue that certificate validation was still also done using the system’s trusted certificates, instead of only with the custom CAs specified. This has been fixed. This ensures certificate pinning works as intended. Note that invalid certificates were still rejected, so the security impact is not high.
New features
- Bridge topic prefixing. This allows topic trees to be mapped into different sub-trees, locally or remotely.
- X509 client-certificate based authentication in outgoing bridge connections.
- Add ability to configure minimum TLS version for listeners and bridges, and log the version negotiated per client.
- Plugin interface allows silently dropping an incoming publish, with success ACK to client.
Internal changes
- Various internal changes to increase stability of future code changes.