# Standard MQTT listener (for testing without certs)
listener 1883 0.0.0.0
allow_anonymous true

# mTLS listener (requires client certificates)
listener 8883 0.0.0.0
protocol mqtt

# Certificate-based authentication
require_certificate true
use_identity_as_username true

# CA certificate to verify client certificates
cafile /mosquitto/config/ca.crt

# Optional: TLS version restrictions
tls_version tlsv1.2