Conversation

@LoisSotoLopez (Contributor) commented Oct 21, 2024

Proposed Changes

Provides a specific function to fix client ssl options, i.e.: apply all fixes that are applied for TLS listeners and clients on previous versions, but also set the cacerts option to the CA certificates obtained by public_key:cacerts_get/0, only when no cacertfile or cacerts are provided.

Addressing #10519

Types of Changes

  • Bug fix (non-breaking change which fixes issue #NNNN)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause an observable behavior change in existing systems)
  • Documentation improvements (corrections, new content, etc)
  • Cosmetic change (whitespace, formatting, etc)
  • Build system and/or CI

Checklist

  • I have read the CONTRIBUTING.md document
  • I have signed the CA (see https://cla.pivotal.io/sign/rabbitmq)
  • I have added tests that prove my fix is effective or that my feature works
  • All tests pass locally with my changes
  • If relevant, I have added necessary documentation to https://github.com/rabbitmq/rabbitmq-website
  • If relevant, I have added this change to the first version(s) in release-notes that I expect to introduce it

Further Comments

Should we also apply this fix for TLS server options? Or is it fine if we only use OS trusted CA certs for TLS client options, as done in the provided changes?

Provides a specific function to fix client ssl options, i.e.: apply all
fixes that are applied for TLS listeners and clients on previous
versions but also sets `cacerts` option to CA certificates obtained by
`public_key:cacerts_get`, only when no `cacertfile` or `cacerts` are
provided.
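The fallback described above, written out as an added example that is not RabbitMQ's own code: a helper that inspects a TLS client option list and adds `cacerts` from `public_key:cacerts_get/0` only when neither `cacerts` nor `cacertfile` is already configured. The module and function names are hypothetical, and the sample option lists in `main/0` are constructed for illustration. Since `public_key:cacerts_get/0` raises when no OS trust store can be loaded, the helper catches that case and returns the options unchanged so the later `ssl:connect/3` reports the missing CA set instead of the helper hiding it.

```erlang
%% Added example, not rabbitmq-server code. Module/function names are
%% hypothetical; only public_key and proplists calls are real OTP APIs.
-module(client_tls_opts).
-export([fix_client_ssl_options/1, main/0]).

%% Return Opts with `cacerts` set from the OS trust store when the caller
%% configured no CA source at all. Explicit `cacerts` or `cacertfile`
%% always win, so an operator-supplied private CA is never overridden.
-spec fix_client_ssl_options([ssl:tls_client_option()]) ->
          [ssl:tls_client_option()].
fix_client_ssl_options(Opts) when is_list(Opts) ->
    case has_ca_source(Opts) of
        true ->
            Opts;
        false ->
            %% public_key:cacerts_get/0 loads (and caches) the system CA
            %% certificates and raises if none could be loaded.
            try public_key:cacerts_get() of
                [] ->
                    Opts;
                CaCerts ->
                    %% OTP 25+ returns public_key:combined_cert() records,
                    %% which ssl accepts directly in the `cacerts` option.
                    [{cacerts, CaCerts} | Opts]
            catch
                _:_LoadFailure ->
                    %% No trust store available: leave the options alone so
                    %% ssl:connect/3 fails loudly rather than silently.
                    Opts
            end
    end.

has_ca_source(Opts) ->
    proplists:is_defined(cacerts, Opts) orelse
        proplists:is_defined(cacertfile, Opts).

%% Constructed inputs demonstrating each branch.
main() ->
    WithFile = [{cacertfile, "/etc/ssl/certs/ca-certificates.crt"},
                {verify, verify_peer}],
    WithFile = fix_client_ssl_options(WithFile),   %% untouched

    WithCerts = [{cacerts, []}, {verify, verify_peer}],
    WithCerts = fix_client_ssl_options(WithCerts), %% untouched, even if empty

    Bare = [{verify, verify_peer}, {server_name_indication, "example.com"}],
    Fixed = fix_client_ssl_options(Bare),
    io:format("system CA certs added: ~p~n",
              [proplists:is_defined(cacerts, Fixed)]),
    ok.
```

Note that adding `cacerts` does not by itself turn on certificate checking: `verify` must be `verify_peer` for the chain to be validated against that set. On OTP 26 and later the ssl client already defaults to `verify_peer`, and a client option list with no CA source is rejected at connect time, which is exactly the situation this fallback addresses for clients such as shovels.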
michaelklishin added a commit that referenced this pull request Oct 22, 2024
…rts-get

#12557: fall back to system-wide CA certificates (if available) when none are configured for AMQP 1.0 and AMQP 0-9-1 clients such as shovels
@michaelklishin (Collaborator)

Merged after a rebase in #12564.

@michaelklishin (Collaborator)

Erlang 27.2 has some relevant improvements:

# public_key-1.17

The public_key-1.17 application can be applied independently of other
applications on a full OTP 27 installation.

## Improvements and New Features

- public_key:cacerts_load/1 can now be configured via the application
  environment.

  Own Id: OTP-19321
  Related Id(s): PR-8920

- On MacOS, CA certificates are now also loaded from the system keychain.

  Own Id: OTP-19375
  Related Id(s): PR-8844

lukebakken added a commit to amazon-mq/upstream-to-rabbitmq-server that referenced this pull request Nov 7, 2025
This uses the same technique as PR rabbitmq#12557 and rabbitmq#12564 to ensure that when
neither `cacerts` nor `cacertfile` are set, the system certs are used.
lukebakken added a commit to amazon-mq/upstream-to-rabbitmq-server that referenced this pull request Nov 10, 2025
This uses the same technique as PR rabbitmq#12557 and rabbitmq#12564 to ensure that when
neither `cacerts` nor `cacertfile` are set, the system certs are used.
mergify bot pushed a commit that referenced this pull request Nov 10, 2025
This uses the same technique as PR #12557 and #12564 to ensure that when
neither `cacerts` nor `cacertfile` are set, the system certs are used.

(cherry picked from commit c481f39)
mergify bot pushed a commit that referenced this pull request Nov 10, 2025
This uses the same technique as PR #12557 and #12564 to ensure that when
neither `cacerts` nor `cacertfile` are set, the system certs are used.

(cherry picked from commit c481f39)
(cherry picked from commit 5499875)