Enhancements
Deployment
- #16491 Start releasing packages for macOS 15 (Sequoia)
Observability
- #16135 Added two new metrics and corresponding rates for the GET /monitor_current HTTP API: rules_matched and actions_executed. They track the number of rules that matched and the action execution rate (i.e., success + failure), respectively.
- #16324 Added support for end-to-end tracing of messages published via HTTP API.
Security
- #16625 Added configuration options idp_signs_envelopes and idp_signs_assertions to the SAML SSO backend to control signature verification behavior. Previously, SAML signature verification was not working correctly because the IdP certificate fingerprint was not being extracted from metadata and passed to esaml for verification.
Both options default to false for backwards compatibility with existing configurations. Users who want to enable signature verification should explicitly set these to true when their IdP is configured to sign SAML responses.
- #16456 Added support for TLS 1.3 session ticket resumption.
EMQX now supports TLS 1.3 session resumption using stateless session tickets, allowing clients to resume TLS sessions without server-side session state storage.
  - Node-level configuration: node.tls_stateless_tickets_seed is the secret key seed for generating TLS 1.3 stateless session tickets.
  - Listener-level configuration: listeners.ssl.<name>.ssl_options.session_tickets enables TLS 1.3 session resumption using stateless session tickets.
Possible values are disabled (default), stateless, and stateless_with_cert (includes certificate information).
Session tickets are only generated when node.tls_stateless_tickets_seed is configured (non-empty) and session_tickets is enabled in listener SSL options.
If session_tickets is enabled but node.tls_stateless_tickets_seed is empty, session tickets will not be generated and an error log will be emitted when starting the listener.
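The session-ticket rules above can be checked before a listener is started. The following is an added example, not EMQX code: a small Python audit over a config already parsed into a dict whose layout mirrors the config paths named above. The function name, status labels and sample values are assumptions made for illustration.

```python
# Added example: audits an EMQX-style config (already parsed into a dict)
# against the session-ticket rules stated in the release note.
# The dict layout mirrors node.tls_stateless_tickets_seed and
# listeners.ssl.<name>.ssl_options.session_tickets; sample values are constructed.

VALID_MODES = {"disabled", "stateless", "stateless_with_cert"}


def audit_session_tickets(config):
    """Return {listener_name: status} for every SSL listener.

    status is one of (labels are this example's own):
      "disabled"     - session_tickets is disabled (the default)
      "active"       - tickets enabled and a seed is set, so tickets are issued
      "missing_seed" - tickets enabled but the seed is empty: no tickets are
                       generated and an error is logged at listener start
      "invalid_mode" - value outside the documented set
    """
    seed = config.get("node", {}).get("tls_stateless_tickets_seed") or ""
    listeners = config.get("listeners", {}).get("ssl", {})
    report = {}
    for name, listener in listeners.items():
        mode = listener.get("ssl_options", {}).get("session_tickets", "disabled")
        if mode not in VALID_MODES:
            report[name] = "invalid_mode"
        elif mode == "disabled":
            report[name] = "disabled"
        elif seed == "":
            report[name] = "missing_seed"
        else:
            report[name] = "active"
    return report


# Constructed sample: the seed is left empty while two listeners enable tickets.
SAMPLE = {
    "node": {"tls_stateless_tickets_seed": ""},
    "listeners": {"ssl": {
        "default": {"ssl_options": {"session_tickets": "stateless"}},
        "internal": {"ssl_options": {}},
        "mtls": {"ssl_options": {"session_tickets": "stateless_with_cert"}},
    }},
}

if __name__ == "__main__":
    for name, status in audit_session_tickets(SAMPLE).items():
        print(f"listeners.ssl.{name}: {status}")
```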
Gateway
- #16220 Added the jt808.frame.parse_unknown_message option, enabling the JT808 gateway to transparently forward unknown messages.
- #16596 Added support for JT/T 808 protocol 2019.
- #16627 Added GBK character encoding support for the JT/T 808 gateway.
The JT/T 808 protocol specifies GBK encoding for STRING type fields. A new frame.string_encoding configuration option is added:
  - utf8 (default): Pass through strings as-is (backward-compatible)
  - gbk: Convert GBK-encoded strings from devices to UTF-8 for MQTT, and UTF-8 from MQTT to GBK for devices
This affects string fields including license plates, driver names, text messages, area names, and client parameters. MQTT payloads always use UTF-8 encoding regardless of this setting.
Data Integration
- #16511 Added support for the IoTDB Table Model in the data integration.
Bug Fixes
Core MQTT Functionalities
- #16349 Fixed a crash in MQTT v5 connections caused by a type mismatch when processing the request-response-information property.
- #16514 Fixed a bug that caused WebSocket connections to crash when receiving broker messages larger than the client's advertised Maximum-Packet-Size.
Rule Engine
- #16489 Fixed an issue where the following rule functions always returned undefined: msgid/0, qos/0, topic/0, topic/1, flags/0, flag/1, clientid/0, username/0, peerhost/0, payload/0, payload/1.
Note: This is a backward compatibility fix for EMQX v4. These functions are not documented in EMQX v5 and later. The encouraged usage is to directly reference fields from the rule evaluation context. For example, SELECT clientid ... instead of SELECT clientid().
Data Integration
- #16263 Previously, the Kafka consumer connector performed health checks by verifying partition leader connectivity for all partitions. In a clustered deployment, each EMQX node is assigned only a subset of partitions, causing leader connections for unassigned partitions to remain idle. Since Kafka closes idle connections after a timeout (10 minutes by default), this behavior could trigger false connectivity alarms.
The health check now verifies leader connectivity only for the partitions assigned to the current EMQX node, preventing unnecessary idle connections and false alarms.
- #16336 Fixed a race condition which may cause a timeout when testing connectivity or stopping a connector from the dashboard.
- #16383 Previously, when using IoTDB Connector with its REST API driver, credentials would not be checked during health checks. Now, we send a no-op query during the IoTDB connector health check. This enables early detection of misconfigured client credentials.
- #16415 Upgraded Apache Pulsar client to 2.1.2.
When Pulsar producer action's batch_size is configured to 1, the producer will now encode single messages instead of single-element batches.
This enables consumers to share load using Key Share strategy.
- #16507 Previously, when an MQTT Source's Connector recovered after losing its connection, topics would not be re-subscribed and the Source would stop working until the Connector itself was restarted. Now, the Source will re-subscribe upon reconnect.
- #16585 Fixed an issue with GreptimeDB TLS connection failures.
- #16618 The Kafka request timeout is now automatically set to at least twice the metadata request timeout (with a minimum of 30 seconds), reducing unnecessary reconnections and retries when metadata requests take longer than expected. This is especially beneficial when metadata request timeout is configured to a small value.
- #16622 Fixed an issue where, if an Action used async query mode and its Connector was disconnected after more than one health check, its Fallback Actions could be triggered twice.
Clustering
- #16269 Fixed an issue in the Cluster Link route replication protocol recovery sequence where re-bootstrapping was incorrectly skipped even though the remote side needed it.
- #16317 Fixed an issue in Cluster Link garbage-collection logic that could accidentally remove live routes from the internal routing table in the process of cleaning up stale route replication state. This problem occurred only when multiple independent Cluster Links were set up, and some of these links went down for relatively long periods of time.
- #16452 Upgraded gen_rpc to 3.5.1.
Prior to the gen_rpc upgrade, EMQX may experience a long tail of crash logs due to connection timeout if a peer node is unreachable.
The new version of gen_rpc no longer has the long tail and converts crash logs to more readable error logs, and the frequent log "failed_to_connect_server" is also throttled to avoid log spamming.
- #16543 Improved robustness of cluster autoclean procedure.
Previously, if autoclean feature was disabled during initial start of the node, it would never activate after configuration change. This fix resolves this issue.
Access Control
- #16304 Fixed an issue where Multi-Factor Authentication (MFA) could not be enabled after upgrading EMQX from versions earlier than 5.3.0 due to incompatible login-user database records.
- #16541 Fixed an issue where OIDC issuer URLs were automatically normalized with a trailing slash when saved to the configuration file, causing issuer mismatch errors when the OIDC provider's discovery document returned the issuer without a trailing slash.
Observability
- #16418 Reduced the volume of logs generated when a resource exception occurs (resource_exception). These logs are now throttled, and some potentially large terms are redacted from them.
- #16535 Fixed formatter crash when logging gen_rpc errors.
Prior to this fix, EMQX would crash with "FORMATTER CRASH" errors when gen_rpc logged certain error messages (e.g., transmission timeout errors). The formatter now handles these error messages correctly without crashing.
Gateway
- #16609 Fixed JT/T 808 gateway parameter setting (0x8103) and query response (0x0104) message handling for CAN bus ID parameters (0x0110~0x01FF), which should use BYTE[8] data type with base64 encoding in JSON instead of string type.
- #16606 Fixed CoAP Gateway working in connection mode over DTLS.
Breaking Changes
Deployment
- #16491 Stop releasing packages for macOS 13 (Ventura)