mqtt, tls1.2, mosquitto

Sure that Mosquitto is using a TLS connection?

Running Ubuntu 22.04 on the server and macOS on the client.

Set up mosquitto.conf with the following:

allow_anonymous false
password_file /etc/mosquitto/passwd

listener 1883

listener 8883 0.0.0.0
protocol mqtt
certfile /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/example.com/example.com.crt
cafile /usr/local/share/ca-certificates/lets-encrypt-r3.crt
keyfile /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/example.com/example.com.key
allow_anonymous false

Connecting to server with MQTT explorer works with the user/password I established in my passwd file.

mosquitto.log file shows the following:

1680357916: New connection from 2.3.4.5:61585 on port 8883.
1680357917: New client connected from 2.3.4.5:61585 as mqtt-explorer-e65374de (p2, c1, k60, u'user').

My question is, is there a way to verify that this connection is using TLS and not falling back to unencrypted due to some silent handshake error?

Solution

  • It doesn't work that way: if you connect on port 8883 it will use TLS or fail to connect.

    If you want to be totally sure nobody can connect without using TLS, then you can change the listener 1883 to listener 1883 127.0.0.1; then only clients on the same machine as the broker will be able to connect to the unencrypted port.
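The two checks the answer describes, as an added example that is not part of the original post: an audit of mosquitto.conf listener blocks that flags plaintext listeners reachable from outside loopback, and a TLS probe of the 8883 listener that either completes a handshake or raises. It assumes mosquitto's convention that options following a `listener` line belong to that listener; the certificate paths and the broker hostname are placeholders.

```python
"""Audit mosquitto.conf listeners and probe a TLS listener (added example)."""
import socket
import ssl


def parse_listeners(conf_text):
    """Return one dict per `listener` block, in file order, with its options."""
    listeners = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if key == "listener":
            fields = value.split() + ["0.0.0.0"]  # no bind address = all interfaces
            listeners.append({"port": int(fields[0]), "bind": fields[1], "opts": {}})
        elif listeners:                           # option belongs to the last listener
            listeners[-1]["opts"][key] = value.strip()
    return listeners


def audit(conf_text):
    """Flag listeners that accept plaintext MQTT on a non-loopback address."""
    findings = []
    for lst in parse_listeners(conf_text):
        has_tls = "certfile" in lst["opts"] and "keyfile" in lst["opts"]
        if not has_tls and lst["bind"] not in ("127.0.0.1", "::1", "localhost"):
            findings.append(f"listener {lst['port']} on {lst['bind']} accepts plaintext MQTT")
    return findings


def tls_probe(host, port=8883):
    """Complete a verified TLS handshake and return (protocol, cipher).
    Raises ssl.SSLError if the listener does not speak TLS or its certificate
    fails validation: the 'TLS or no connection at all' behaviour the answer describes."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


# Constructed config mirroring the question: listener 1883 has no bind address.
WEAK_CONF = """allow_anonymous false
listener 1883

listener 8883 0.0.0.0
protocol mqtt
certfile /path/to/example.com.crt
keyfile /path/to/example.com.key
"""
HARDENED_CONF = WEAK_CONF.replace("listener 1883", "listener 1883 127.0.0.1")

if __name__ == "__main__":
    print(audit(WEAK_CONF))      # ['listener 1883 on 0.0.0.0 accepts plaintext MQTT']
    print(audit(HARDENED_CONF))  # []
```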