diff --git a/secure_mqtt.patch b/secure_mqtt.patch
new file mode 100644
index 00000000..3239ce21
--- /dev/null
+++ b/secure_mqtt.patch
@@ -0,0 +1,113 @@
+diff --git a/compose/compose.brick.yml b/compose/compose.brick.yml
+index 007ef16..f7c2537 100644
+--- a/compose/compose.brick.yml
++++ b/compose/compose.brick.yml
+@@ -1,6 +1,6 @@
+ services:
+ scylla-server:
+ environment:
+- - SCYLLA_SIREN_HOST_URL=192.168.100.11:1883
++ - SCYLLA_SIREN_HOST_URL=192.168.100.11:8883
+ - SCYLLA_RATE_LIMIT_MODE=none
+
+diff --git a/compose/compose.calypso.yml b/compose/compose.calypso.yml
+index c27b441..75df348 100644
+--- a/compose/compose.calypso.yml
++++ b/compose/compose.calypso.yml
+@@ -8,4 +8,4 @@ services:
+ #- CALYPSO_CAN_ENCODE=false
+ #- CALYPSO_SOCKETCAN_IFACE=vcan0
+ # in sim or prod mode
+- - CALYPSO_SIREN_HOST_URL=siren:1883
++ - CALYPSO_SIREN_HOST_URL=siren:8883
+diff --git a/compose/compose.client-dev.yml b/compose/compose.client-dev.yml
+index 9b4c46c..875434d 100644
+--- a/compose/compose.client-dev.yml
++++ b/compose/compose.client-dev.yml
+@@ -1,7 +1,7 @@
+ services:
+ scylla-server:
+ environment:
+- - SCYLLA_SIREN_HOST_URL=siren:1883
++ - SCYLLA_SIREN_HOST_URL=siren:8883
+
+ siren:
+ extends:
+diff --git a/compose/compose.router.yml b/compose/compose.router.yml
+index 9a660e0..06be21f 100644
+--- a/compose/compose.router.yml
++++ b/compose/compose.router.yml
+@@ -3,7 +3,7 @@ services:
+ depends_on:
+ - siren
+ environment:
+- - SCYLLA_SIREN_HOST_URL=siren:1883
++ - SCYLLA_SIREN_HOST_URL=siren:8883
+ - SCYLLA_BATCH_UPSERT_TIME=20
+ init: false
+
+diff --git a/compose/compose.tpu.yml b/compose/compose.tpu.yml
+index 88ea321..6dda3c2 100644
+--- a/compose/compose.tpu.yml
++++ b/compose/compose.tpu.yml
+@@ -1,7 +1,7 @@
+ services:
+ scylla-server:
+ environment:
+- - SCYLLA_SIREN_HOST_URL=host.docker.internal:1883
++ - SCYLLA_SIREN_HOST_URL=host.docker.internal:8883
+ - SCYLLA_RATE_LIMIT_MODE=static
+ - SCYLLA_STATIC_RATE_LIMIT_VALUE=100
+ extra_hosts:
+diff --git a/scylla-server/src/main.rs b/scylla-server/src/main.rs
+index d51d3fc..033dd06 100755
+--- a/scylla-server/src/main.rs
++++ b/scylla-server/src/main.rs
+@@ -77,7 +77,7 @@ struct ScyllaArgs {
+ short = 'u',
+ long,
+ env = "SCYLLA_SIREN_HOST_URL",
+- default_value = "localhost:1883"
++ default_value = "localhost:8883"
+ )]
+ siren_host_url: String,
+
+diff --git a/siren-base/compose.siren.yml b/siren-base/compose.siren.yml
+index 3e4e4c6..4d97b46 100644
+--- a/siren-base/compose.siren.yml
++++ b/siren-base/compose.siren.yml
+@@ -4,10 +4,10 @@ services:
+ restart: unless-stopped
+ image: eclipse-mosquitto:latest
+ ports:
+- - 1883:1883
++ - 8883:8883
+ - 9002:9001 # win conflict on 9001
+ expose:
+- - 1883
++ - 8883
+ volumes:
+ - ./mosquitto/mosquitto.conf:/mosquitto/config/mosquitto.conf
+ cpu_shares: 2048
+diff --git a/siren-base/mosquitto/mosquitto.conf b/siren-base/mosquitto/mosquitto.conf
+index 19deeea..f691d2e 100755
+--- a/siren-base/mosquitto/mosquitto.conf
++++ b/siren-base/mosquitto/mosquitto.conf
+@@ -49,7 +49,7 @@ queue_qos0_messages false
+ # Listeners
+ # =================================================================
+
+-listener 1883
++listener 8883
+
+ socket_domain ipv4
+
+@@ -176,7 +176,7 @@ allow_anonymous true
+ connection tpu
+ # *** tpu ip
+ # *** diff from tpu
+-address 192.168.100.12
++address 192.168.100.12:8883
+ # *** diff from tpu (needed as topic key required)
+ topic reserved out 2 dummy dummyremote
+
diff --git a/siren-base/compose.siren.yml b/siren-base/compose.siren.yml
index 3e4e4c68..54b87366 100644
--- a/siren-base/compose.siren.yml
+++ b/siren-base/compose.siren.yml
@@ -10,5 +10,8 @@ services:
 - 1883
 volumes:
 - ./mosquitto/mosquitto.conf:/mosquitto/config/mosquitto.conf
+ - ./mosquitto/certs/ca.crt:/mosquitto/config/certs/ca.crt:ro
+ - ./mosquitto/certs/base-station-broker.crt:/mosquitto/config/certs/base-station-broker.crt:ro
+ - ./mosquitto/certs/base-station-broker.key:/mosquitto/config/certs/base-station-broker.key:ro
 cpu_shares: 2048
 oom_kill_disable: true
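Review bot: The embedded mosquitto.conf hunk changes `listener 1883` to `listener 8883` but adds no listener-level `certfile`, `keyfile` or `cafile`, and its second hunk header still shows `allow_anonymous true`, so unless those options are set outside the visible context the listener stays plaintext and unauthenticated on a new port number. Every client URL moved to `:8883` in the compose files and in `main.rs` would then be speaking cleartext MQTT on the port conventionally used for MQTT over TLS, which misleads anyone auditing exposure by port. If this patch is meant to be applied, the listener block needs `certfile /mosquitto/config/certs/base-station-broker.crt` and `keyfile /mosquitto/config/certs/base-station-broker.key` next to the port change, and the clients need TLS enabled as well. The patch is also checked in as a file rather than applied, so it disagrees with the tree (the compose.siren.yml hunk in this same commit still has `- 1883` as context); a header comment stating when and how it is to be applied would help.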
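Review bot: The three added cert mounts refer to host files that the new `siren-base/mosquitto/.gitignore` keeps out of the repository, so a fresh checkout has nothing under `./mosquitto/certs/`; with this short volume syntax Docker creates an empty directory for each missing host path, and the broker then cannot read its CA and key pair. A comment above the mounts, for example `# certs are generated locally and not committed; create ./mosquitto/certs/ before starting siren`, would make the prerequisite visible. The private key should also be readable by the user the broker runs as inside the container and by no one else on the host. The `services:` block starts and ends outside the hunk.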
diff --git a/siren-base/mosquitto/.gitignore b/siren-base/mosquitto/.gitignore
new file mode 100644
index 00000000..f9ee6285
--- /dev/null
+++ b/siren-base/mosquitto/.gitignore
@@ -0,0 +1,4 @@
+*.key
+*.crt
+*.pem
+*.p12
diff --git a/siren-base/mosquitto/mosquitto.conf b/siren-base/mosquitto/mosquitto.conf
old mode 100755
new mode 100644
index 3b737a5f..14f9586f
--- a/siren-base/mosquitto/mosquitto.conf
+++ b/siren-base/mosquitto/mosquitto.conf
@@ -178,7 +178,7 @@ allow_anonymous true
 connection tpu
 # *** tpu ip
 # *** diff from tpu
-address 192.168.100.12
+address 192.168.100.12:8883
 # *** diff from tpu (needed as topic key required)
 topic reserved out 2 dummy dummyremote
@@ -229,16 +229,18 @@ restart_timeout 5
 # Certificate based SSL/TLS support
 # -----------------------------------------------------------------
-#bridge_cafile
+bridge_cafile /mosquitto/config/ca.crt
 #bridge_capath
 #bridge_alpn
-#bridge_insecure false
+bridge_insecure false
-#bridge_certfile
+bridge_certfile /mosquitto/config/base-station-broker.crt
-#bridge_keyfile
+bridge_keyfile /mosquitto/config/base-station-broker.key
+
+bridge_tls_version tlsv1.2
 # -----------------------------------------------------------------
 # PSK based SSL/TLS support
@@ -254,4 +256,5 @@ restart_timeout 5
 #include_dir
-max_qos 2 # *** moved to bottom see bug https://github.com/eclipse/mosquitto/issues/2991
+# *** moved to bottom see bug https://github.com/eclipse/mosquitto/issues/2991
+max_qos 2
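Review bot: The bridge TLS paths in the `@@ -229,16 +229,18 @@` hunk do not match where the certificates are mounted: it sets `bridge_cafile /mosquitto/config/ca.crt`, `bridge_certfile /mosquitto/config/base-station-broker.crt` and `bridge_keyfile /mosquitto/config/base-station-broker.key`, while the compose.siren.yml hunk in this commit mounts all three under `/mosquitto/config/certs/`. As written the bridge to `192.168.100.12:8883` would not find its CA or key pair, so the values should read `bridge_cafile /mosquitto/config/certs/ca.crt`, `bridge_certfile /mosquitto/config/certs/base-station-broker.crt` and `bridge_keyfile /mosquitto/config/certs/base-station-broker.key`. Keeping `bridge_insecure false` is right because it leaves verification of the remote certificate's hostname on; since the bridge address is an IP, the remote broker's certificate presumably has to list that IP as a subject alternative name, which is worth a comment next to `address`. The hunk headers still show `allow_anonymous true`, so the bridge certificate does not by itself restrict who may connect to this broker.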