Anywhere SSL/TLS is configured in RabbitMQ, if the user does not configure cacertfile or cacerts, RabbitMQ should automatically use public_key:cacerts_get/0 to load the system certificates.
If, after doing all of that, RabbitMQ could set verify to verify_none. Otherwise, the ssl functions will fail as reported in https://github.com/erlang/otp/issues/8066
Note that I've never seen cacerts used in practice.
I don't think that we should widely fall back to verify_none. Certainly not for client connections. Using public_key:cacerts_get/0 as a fallback is a good idea.
References:
API: https://www.erlang.org/doc/man/public_key#cacerts_get-0
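
A sketch of the fallback discussed above, as an added example that is not RabbitMQ's code and not part of the original thread. The module and function names are hypothetical, and it assumes OTP 25 or later, where public_key:cacerts_get/0 exists. It leaves the verify option untouched and returns an error when no CA certificates can be found, so the caller decides what to do in that case.

```erlang
%% Added example; module and function names are hypothetical, not RabbitMQ's.
-module(tls_ca_fallback).
-export([with_ca_fallback/1]).

%% Takes an ssl option proplist. If neither cacertfile nor cacerts is set,
%% fills in cacerts from the OS trust store via public_key:cacerts_get/0.
%% The verify option is never modified here.
-spec with_ca_fallback(proplists:proplist()) ->
          {ok, proplists:proplist()} | {error, no_trusted_cas}.
with_ca_fallback(Opts) ->
    case has_ca(Opts) of
        true ->
            %% The user configured a trust store explicitly; keep it as is.
            {ok, Opts};
        false ->
            %% cacerts_get/0 raises when no system certificates can be loaded.
            try public_key:cacerts_get() of
                [_ | _] = CaCerts ->
                    {ok, [{cacerts, CaCerts} | Opts]};
                [] ->
                    {error, no_trusted_cas}
            catch
                error:_ ->
                    {error, no_trusted_cas}
            end
    end.

%% True when the user supplied a non-empty cacertfile or cacerts option.
has_ca(Opts) ->
    is_set(cacertfile, Opts) orelse is_set(cacerts, Opts).

%% Treats a missing key, an empty list/string and an empty binary as unset.
is_set(Key, Opts) ->
    case proplists:get_value(Key, Opts) of
        undefined -> false;
        [] -> false;
        <<>> -> false;
        _ -> true
    end.
```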