@lukebakken
Collaborator

There's an edge case in LDAP SSL configuration. If you set...

```
auth_ldap.use_ssl = true
```

...but nothing else, you'll eventually hit this error:

```
{error, {options, incompatible,
    [{verify, verify_peer}, {cacerts, undefined}]}}
```

This is due to the fact that without any SSL options, the
`rabbit_ssl_options:fix_client/1` function won't be hit, and thus system
certs won't be added via `public_key:cacerts_get/0` and `cacerts`
option.

This PR adds `verify, verify_peer` as the default SSL option and ensures
that `rabbit_ssl_options:fix_client/1` is always called. Since
`verify_peer` is the default since OTP 26, we can just add it here.
@lukebakken lukebakken self-assigned this Nov 11, 2025
@lukebakken lukebakken marked this pull request as ready for review November 11, 2025 18:39
@michaelklishin michaelklishin changed the title from "Always set and fix up SSL options in LDAP plugin" to "Always set and fix up TLS options in LDAP plugin" Nov 11, 2025
@michaelklishin michaelklishin merged commit d6bad82 into rabbitmq:main Nov 11, 2025
574 of 575 checks passed
michaelklishin added a commit that referenced this pull request Nov 12, 2025
Always set and fix up TLS options in LDAP plugin (backport #14937)
@lukebakken lukebakken deleted the lukebakken/ssl-defaults branch November 12, 2025 16:57
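
The option handling described in the PR text above, sketched as an added example; this is not code from the PR and not the body of `rabbit_ssl_options:fix_client/1`. The module name, `normalize/1`, its helpers and the certificate path are hypothetical; only `public_key:cacerts_get/0` and the `verify`, `cacerts` and `cacertfile` options are real OTP names.

```erlang
%% Added illustration only; NOT rabbit_ssl_options:fix_client/1 or RabbitMQ code.
-module(ldap_tls_opts_example).
-export([normalize/1, demo/0]).

%% normalize/1 (hypothetical) takes a proplist of TLS client options and
%% returns one in which verify_peer always has trust anchors to check against.
normalize(Opts0) ->
    Opts1 = ensure_verify(Opts0),
    case proplists:get_value(verify, Opts1) of
        verify_peer -> ensure_trust_anchors(Opts1);
        _Other      -> Opts1  % an explicit operator choice is left untouched
    end.

%% Make the default explicit instead of relying on what the ssl
%% application picks when the option is absent.
ensure_verify(Opts) ->
    case proplists:is_defined(verify, Opts) of
        true  -> Opts;
        false -> [{verify, verify_peer} | Opts]
    end.

%% verify_peer without cacerts or cacertfile is the incompatible
%% combination from the error tuple in the PR description. Fall back to
%% the OS trust store, which public_key:cacerts_get/0 loads (it raises
%% if the system certificates cannot be loaded).
ensure_trust_anchors(Opts) ->
    HasCA = proplists:is_defined(cacerts, Opts)
        orelse proplists:is_defined(cacertfile, Opts),
    case HasCA of
        true  -> Opts;
        false -> [{cacerts, public_key:cacerts_get()} | Opts]
    end.

demo() ->
    %% Case from the PR: TLS switched on, no other TLS settings supplied.
    Fixed = normalize([]),
    verify_peer = proplists:get_value(verify, Fixed),
    true = is_list(proplists:get_value(cacerts, Fixed)),
    %% An operator-supplied CA file (constructed path) is not overridden.
    WithFile = normalize([{cacertfile, "/constructed/path/ca.pem"}]),
    false = proplists:is_defined(cacerts, WithFile),
    %% An explicit verify_none is passed through unchanged.
    [{verify, verify_none}] = normalize([{verify, verify_none}]),
    ok.
```

Calling `ldap_tls_opts_example:demo().` in an Erlang shell on OTP 25 or later returns `ok` when the host has a loadable system trust store.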