Different behavior around internode TLS on Erlang 26 #11074
Describe the bug

When Erlang 26 is used, specified config file with Same configuration works when rabbitmq 3.12 & erlang 25 is used, but it fails in combinations rabbitmq 3.12 / erlang 26 and rabbitmq 3.13 / erlang 26. Also, rabbitmqctl and rabbitmq-diagnostics tools fail to connect on affected versions.

Reproduction steps

PoC with steps to reproduce can be found at https://github.com/daleksic-godaddy/rabbitmq-erlang-26-ssl-dist-optfile-issue-poc/tree/old-docker-poc?tab=readme-ov-file

Expected behavior

Additional context

No response
Replies: 5 comments 5 replies
@daleksic-godaddy RabbitMQ does not implement TLS and is not responsible for handling of Port 5672 is not supposed to be used for TLS. The only user-facing TLS-related change that RabbitMQ had to adapt to is the new default at least one peer verification setting. RabbitMQ has retained the old default where it can control the value (this is not the case with TLS for inter-node communication), most of the changes I recall in this area have shipped in
Highly relevant erlang/otp#7497.
Hello, thanks for using RabbitMQ and for providing such a comprehensive report. I wish every RabbitMQ user were as thorough. I have the following project to form RabbitMQ clusters, and this branch will set one up using TLS - https://github.com/lukebakken/docker-rabbitmq-cluster/tree/tls I'm making sure it still works as intended, but you should be able to compare what I do with what you do to figure out the difference.
Hmm, something isn't quite right with your project, because running
@lukebakken I was able to fully replicate the issue using a Vagrant local environment, and also find the cause 🎉.

Here is the new PoC environment https://github.com/daleksic-godaddy/rabbitmq-erlang-26-ssl-dist-optfile-issue-poc/tree/60f91070f6d8bc6b0341e632b73361cf16dc8648

In a nutshell, the difference is due to how ssl options are handled in Erlang 26. It seems that excess options are not ignored anymore in Erlang 26, therefore:

This config will work fine with Erlang 25, but it would fail on Erlang 26 as

This then leads that

Concerning part is that this is a breaking change for folks that configured their setup with

I would strongly suggest to add/update documentation to include:

Also, rabbitmq/rabbitmq-website#1791 to be resolved, would be highly appreciated, as I was also affected by the same issue where