From 695df7719dcf98320830eb47d8bb02948cc01de0 Mon Sep 17 00:00:00 2001 From: "Roger A. Light" Date: Tue, 3 Feb 2026 08:55:44 +0000 Subject: [PATCH] Fix building with WITH_TLS=no Closes #3469. Thanks to iTitou. --- ChangeLog.txt | 3 +++ apps/db_dump/json.c | 4 ++++ buildtest.py | 2 +- src/bridge.c | 2 ++ src/conf.c | 2 ++ src/handle_connect.c | 7 ++++++- src/http_api.c | 5 +++++ src/proxy_v2.c | 14 ++++++++++++++ 8 files changed, 37 insertions(+), 2 deletions(-) diff --git a/ChangeLog.txt b/ChangeLog.txt index aad58436..d0b7a8a0 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt @@ -14,6 +14,9 @@ - Fix incorrect linking of libmosquitto_common.so for the acl and password file plugins. Closes #3460. +# Build +- Fix building with WITH_TLS=no + 2.1.0 - 2026-01-29 ================== diff --git a/apps/db_dump/json.c b/apps/db_dump/json.c index cf431142..cc8327de 100644 --- a/apps/db_dump/json.c +++ b/apps/db_dump/json.c @@ -104,11 +104,15 @@ void json_add_base_msg(struct P_base_msg *chunk) cJSON_AddStringToObject(j_base_msg, "username", chunk->source.username); } if(chunk->F.payloadlen > 0){ +#ifdef WITH_TLS char *payload; if(mosquitto_base64_encode(chunk->payload, chunk->F.payloadlen, &payload) == MOSQ_ERR_SUCCESS){ cJSON_AddStringToObject(j_base_msg, "payload", payload); mosquitto_free(payload); } +#else + fprintf(stderr, "Warning: payload not output due to missing base64 support.\n"); +#endif } if(chunk->properties){ cJSON *j_props = mosquitto_properties_to_json(chunk->properties); diff --git a/buildtest.py b/buildtest.py index c10ba85d..f53ca6ea 100755 --- a/buildtest.py +++ b/buildtest.py @@ -19,7 +19,7 @@ build_variants = [ 'WITH_SYSTEMD', 'WITH_SYS_TREE', 'WITH_THREADING', - #'WITH_TLS', + 'WITH_TLS', 'WITH_TLS_PSK', 'WITH_UNIX_SOCKETS', 'WITH_WEBSOCKETS', diff --git a/src/bridge.c b/src/bridge.c index cb425dde..911c6528 100644 --- a/src/bridge.c +++ b/src/bridge.c 
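Review bot: In the `#else` branch of json_add_base_msg the payload is left out of the JSON object and the warning goes to stderr once per message, so dumping a large store floods stderr while the output itself shows no sign that data is missing. Anyone using the dump for migration or as evidence would read the object as complete, because a missing `payload` key already means an empty payload. Consider warning once, e.g. `static int warned = 0; if(!warned){ warned = 1; fprintf(stderr, "Warning: payload not output due to missing base64 support.\n"); }`, and marking the omission in the object with `cJSON_AddNullToObject(j_base_msg, "payload");`. The function body starts and ends outside the hunk.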
@@ -854,8 +854,10 @@ void bridge__cleanup(struct mosquitto *context) mosquitto_FREE(context->bridge->local_clientid); mosquitto_FREE(context->bridge->local_username); mosquitto_FREE(context->bridge->local_password); +#ifdef WITH_TLS mosquitto_FREE(context->bridge->tls_certfile); mosquitto_FREE(context->bridge->tls_keyfile); +#endif if(context->bridge->remote_clientid != context->id){ mosquitto_FREE(context->bridge->remote_clientid); diff --git a/src/conf.c b/src/conf.c index e36e5db4..c742f942 100644 --- a/src/conf.c +++ b/src/conf.c @@ -2978,6 +2978,7 @@ static int config__check_proxy(struct mosquitto__config *config) struct mosquitto__listener *l = &config->listeners[i]; if(l->enable_proxy_protocol == 2){ +#ifdef WITH_TLS if(l->use_subject_as_username){ log__printf(NULL, MOSQ_LOG_ERR, "Error: use_subject_as_username cannot be used with `enable_proxy_protocol 2`."); return MOSQ_ERR_INVAL; @@ -2987,6 +2988,7 @@ static int config__check_proxy(struct mosquitto__config *config) log__printf(NULL, MOSQ_LOG_ERR, "Error: certfile and keyfile cannot be used with `enable_proxy_protocol 2`."); return MOSQ_ERR_INVAL; } +#endif } } diff --git a/src/handle_connect.c b/src/handle_connect.c index 1d88132a..47bb12c0 100644 --- a/src/handle_connect.c +++ b/src/handle_connect.c @@ -1005,6 +1005,7 @@ static int handle_username_from_cert_options(struct mosquitto *context, char **u }else #endif /* WITH_TLS */ { +#ifdef WITH_TLS if(context->listener->use_identity_as_username && context->listener->require_certificate){ mosquitto_FREE(*username); mosquitto_FREE(*password); @@ -1012,7 +1013,9 @@ static int handle_username_from_cert_options(struct mosquitto *context, char **u if(!context->username){ return send__connack_bad_username_or_password_error(context, MOSQ_ERR_AUTH); } - }else{ + }else +#endif + { /* FIXME - these ensure the mosquitto_clientid() and * mosquitto_client_username() functions work, but is hacky */ context->username = *username; 
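Review bot: The two `else` keywords in handle_username_from_cert_options now each close an `#ifdef WITH_TLS` region and bind to a bare `{` outside it, which makes the authentication branches hard to pair up in either build. The added `#endif` carries no trailing comment, unlike the `#endif /* WITH_TLS */` a few lines above it; writing `#endif /* WITH_TLS */` there as well, and heading the final block with a comment such as `/* No certificate identity in use: keep the username supplied by the client */`, would make the structure explicit. This applies to both hunks in this function (at -1005 and -1012), and the function body starts and ends outside them.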
@@ -1076,12 +1079,14 @@ int handle__connect(struct mosquitto *context) goto handle_connect_error; } +#ifdef WITH_TLS if(context->in_packet.command == 0x16 && context->listener->ssl_ctx == NULL){ /* 0x16 is TLS handshake client hello */ log__printf(NULL, MOSQ_LOG_NOTICE, "Client from %s:%d appears to be using TLS to connect to a non-TLS listener.", context->address, context->remote_port); rc = MOSQ_ERR_PROTOCOL; goto handle_connect_error; } +#endif rc = read_protocol_name(context, protocol_name); if(rc != MOSQ_ERR_SUCCESS){ diff --git a/src/http_api.c b/src/http_api.c index a7a27699..2706503b 100644 --- a/src/http_api.c +++ b/src/http_api.c @@ -22,6 +22,7 @@ Contributors: #include #include +#include #include #include #include @@ -210,8 +211,10 @@ static enum MHD_Result http_api__process_listeners(struct MHD_Connection *connec break; } +#ifdef WITH_TLS cJSON_AddBoolToObject(j_listener, "tls", listener->certfile && listener->keyfile); cJSON_AddBoolToObject(j_listener, "mtls", listener->require_certificate); +#endif if(listener->security_options->allow_anonymous == -1){ cJSON_AddBoolToObject(j_listener, "allow_anonymous", db.config->security_options.allow_anonymous); }else{ @@ -462,6 +465,7 @@ int http_api__start(struct mosquitto__listener *listener) bind_address = listener->host; port = listener->port; +#ifdef WITH_TLS if(listener->certfile && listener->keyfile){ if(mosquitto_read_file(listener->certfile, false, &x509_cert, NULL)){ log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load server certificate \"%s\". Check certfile.", listener->certfile); @@ -474,6 +478,7 @@ int http_api__start(struct mosquitto__listener *listener) } flags |= MHD_USE_TLS; } +#endif if(bind_address){ char service[10]; diff --git a/src/proxy_v2.c b/src/proxy_v2.c index 9e961ab4..a6235c8b 100644 --- a/src/proxy_v2.c +++ b/src/proxy_v2.c 
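Review bot: The client-hello check in handle__connect is now compiled out entirely when WITH_TLS is off, although only the `context->listener->ssl_ctx == NULL` half of the condition depends on TLS support. A build without TLS has only plain listeners, so that is where a client mistakenly speaking TLS is most likely and where the notice helps an operator most; without it the 0x16 byte presumably falls through to read_protocol_name and is rejected with a less specific error. Guarding just the ssl_ctx test keeps the diagnostic in both builds. The function body starts and ends outside the hunk.

```c
	if(context->in_packet.command == 0x16
#ifdef WITH_TLS
			&& context->listener->ssl_ctx == NULL
#endif
			){
		/* … unchanged: notice log, rc = MOSQ_ERR_PROTOCOL, goto handle_connect_error … */
	}
```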
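Review bot: In http_api__process_listeners the `tls` and `mtls` keys now disappear from each listener object in a build without TLS, so the response schema depends on a build option. A monitoring client that reads `tls` to flag plaintext listeners gets a missing key rather than `false`. Adding an `#else` with `cJSON_AddBoolToObject(j_listener, "tls", false);` and `cJSON_AddBoolToObject(j_listener, "mtls", false);` keeps the schema stable and states the plaintext condition explicitly. The function body starts and ends outside the hunk.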
@@ -116,16 +116,25 @@ static int read_tlv_ssl(struct mosquitto *context, uint16_t len, bool *have_cert switch(tlv->type){ case PP2_SUBTYPE_SSL_VERSION: +#ifdef WITH_TLS mosquitto_free(context->proxy.tls_version); context->proxy.tls_version = mosquitto_strndup((const char *)&context->proxy.buf[context->proxy.pos], tlv_len); +#else + return MOSQ_ERR_NOT_SUPPORTED; +#endif break; case PP2_SUBTYPE_SSL_CIPHER: +#ifdef WITH_TLS mosquitto_free(context->proxy.cipher); context->proxy.cipher = mosquitto_strndup((const char *)&context->proxy.buf[context->proxy.pos], tlv_len); +#else + return MOSQ_ERR_NOT_SUPPORTED; +#endif break; case PP2_SUBTYPE_SSL_CN: +#ifdef WITH_TLS if(context->listener->use_identity_as_username){ mosquitto_free(context->username); context->username = mosquitto_strndup((const char *)&context->proxy.buf[context->proxy.pos], tlv_len); @@ -133,6 +142,9 @@ static int read_tlv_ssl(struct mosquitto *context, uint16_t len, bool *have_cert return MOSQ_ERR_NOMEM; } } +#else + return MOSQ_ERR_NOT_SUPPORTED; +#endif break; } len = (uint16_t)(len - (sizeof(uint8_t) + sizeof(uint8_t) + sizeof(uint8_t) + tlv_len)); @@ -299,6 +311,7 @@ int proxy_v2__read(struct mosquitto *context) return MOSQ_ERR_PROXY; } +#ifdef WITH_TLS if(context->listener->require_certificate){ if(!have_certificate){ log__printf(NULL, MOSQ_LOG_NOTICE, "Connection from %s:%d rejected, client did not provide a certificate.", @@ -312,6 +325,7 @@ int proxy_v2__read(struct mosquitto *context) log__printf(NULL, MOSQ_LOG_NOTICE, "Connection from %s:%d negotiated %s cipher %s", context->address, context->remote_port, context->proxy.tls_version, context->proxy.cipher); } +#endif proxy_cleanup(context); #if defined(WITH_WEBSOCKETS) && WITH_WEBSOCKETS == WS_IS_BUILTIN
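Review bot: The three `#else` branches in read_tlv_ssl return MOSQ_ERR_NOT_SUPPORTED without logging, so in a build without TLS a connection whose PROXY v2 header carries SSL sub-TLVs is presumably dropped with no hint of the cause. That is also stricter than the TLS build, which skips PP2_SUBTYPE_SSL_CN when use_identity_as_username is off. If rejecting is intended, log the reason before returning, e.g. `log__printf(NULL, MOSQ_LOG_NOTICE, "PROXY v2 TLS information received but TLS support is not compiled in.");`; otherwise let the `#else` branches fall through to the existing `break`. The `break;` after each `#else` return is unreachable, and the function starts and ends outside the hunk.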