Open ghost opened 2 years ago
michaelklishin
commented
2 years ago It's not enabled by default by Langohr. https://github.com/rabbitmq/rabbitmq-java-client/issues/229 and a few linked issues explain why enabling peer verification by default will be a usability disaster as well as a security improvement.
I don't see why your ssl-context would not be passed on to the Java client.
ghost
commented
2 years ago I think you are right that the ssl context is passed on and that peer verification settings are derived from there. However, this issue I meant to point out that the logs hint otherwise, which is misleading. I think it happens because this line https://github.com/michaelklishin/langohr/blob/master/src/clojure/langohr/core.clj#L342 uses com.rabbitmq.client.ConnectionFactory.useSslProtocol() with no args, and that instantiates a TrustEverythingManager that isn't used when an ssl-context is provided. I see it's a complex thing to addres, but it took me quite a lot of work to figure that out.
If logging for
com.rabbitmq.clientis enabled, this warning is printed when callinglangohr.core/connectwith:ssl true, even if I pass a custom:ssl-context:That's from the rabbitmq-java-client library: https://github.com/rabbitmq/rabbitmq-java-client/blob/e32bcbb2824f7616a13acd5827a87ca92e54f08f/src/main/java/com/rabbitmq/client/TrustEverythingTrustManager.java#L34
I think it's an invalid logging statement a la what was observed for the JMS client in https://github.com/rabbitmq/rabbitmq-jms-client/issues/74 and fixed in https://github.com/rabbitmq/rabbitmq-jms-client/pull/75.
I just want to make sure that peer authentication is in fact enabled using the default SSLContext in my client application; the logging statement worries me.