Comments (10)
I just came here to request the same thing.
I find startup logs for my rabbitmq workers difficult to parse because this large message spams the logs.
This "spam" is there to warn you that your connections might fail if the target RabbitMQ node is configured in a certain way.
This is absolutely not correct as long as you verify the certificate chain correctly (which I assume you do).
The error message is generated if you don't use a client certificate to connect, which none of the hosted RabbitMQ services offer, but this does not make them weak against MITM attacks as long as the connection is correctly verified against the server's certificate store.
I misremembered what the idea behind this was; this is to warn the user that connections might fail if RabbitMQ verifies client certificate chain. Maybe hosted RabbitMQ providers never enable such verification but there are installations that do.
I find it perfectly appropriate to log warnings like that. We have years of real world evidence that a lot of users have a very vague understanding of TLS and what it really does. They end up with configurations that cannot possibly work (such as the client having no certificates but RabbitMQ nodes set up to require certificate presence and perform peer verification).
It is a warning, not an error; it is logged only once on node boot assuming that connections are long-lived. Users of short-lived connections can set log level to error.
For other clients, there have been calls for more warnings and significantly more inconvenient TLS defaults.
Would it be acceptable to move the warning so it's only logged when a connection is rejected and client certs are specified? This way it shows up only when it's likely to be applicable.
I have a process that starts up 5 different bunny connections (each in a different thread). When I'm trying to diagnose startup issues, this message is a real problem. The long size of it combined with it showing up multiple times makes it really easy to miss other log lines that might be critical.
Reporting warnings after TLS-enabled connection failed is too late. Ruby's TLS implementation will throw an exception with some details but usually there isn't enough information to be useful to beginners. You'd need to see RabbitMQ logs for anything useful, I'm afraid, since RabbitMQ has a bit more context.
Anyhow, I have introduced a new option, :tls_silence_warnings. It silences two warnings meant to help beginners:
- When TLS is enabled but no client certificate/key pair is provided (mentioned here)
- When peer verification is disabled (the one I referred to in an earlier comment)
I will cut 2.18.0 some time in the next 24 hours.
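The two configurations the warnings above cover, reproduced as an added example that is not part of this thread or of Bunny's code: it uses Ruby's own OpenSSL (the library Bunny's TLS support sits on) over an in-process socket pair instead of a RabbitMQ node, and generates throwaway certificates inline. The server side stands in for a node; `require_client_cert: true` is assumed to correspond to a node configured with `ssl_options.verify = verify_peer` and `ssl_options.fail_if_no_peer_cert = true`. The helper names, scenario names and certificate subjects are invented for the example. It shows the point argued earlier in the thread: a client without a client certificate still gets MITM protection as long as it verifies the server, while a client with peer verification disabled accepts any certificate, and the missing client certificate only matters once the node insists on one.

```ruby
require "openssl"
require "socket"

# Added example, not Bunny's code: reproduce with Ruby's OpenSSL, and without a
# RabbitMQ node, the two situations Bunny's TLS warnings are about. Every
# certificate below is generated in-process; none of it is real key material.

# Issue a certificate. Without an issuer it is self-signed; ca: true lets it
# sign other certificates. Returns [certificate, private key].
def make_cert(subject, issuer: nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer ? issuer[0] : cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", ca ? "keyCertSign,cRLSign" : "digitalSignature,keyEncipherment", true))
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

CA     = make_cert("/CN=Example Test CA", ca: true)      # constructed trust anchor
SERVER = make_cert("/CN=rabbitmq.test", issuer: CA)     # the "node" identity
CLIENT = make_cert("/CN=bunny-client", issuer: CA)      # a client certificate the node trusts
ROGUE  = make_cert("/CN=rabbitmq.test")                 # self-signed, as an interceptor would present

def trust_store(ca_cert)
  OpenSSL::X509::Store.new.tap { |store| store.add_cert(ca_cert) }
end

# Stand-in for a RabbitMQ node. require_client_cert: true is assumed to mirror
# ssl_options.verify = verify_peer with ssl_options.fail_if_no_peer_cert = true.
def server_context(identity, require_client_cert: false)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.add_certificate(*identity)
  if require_client_cert
    ctx.cert_store = trust_store(CA[0])
    ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  end
  ctx
end

# Stand-in for the client. verify_peer: false is the configuration the "peer
# verification is disabled" warning is about; identity: nil is the one the
# "no client certificate/key pair" warning is about.
def client_context(verify_peer:, identity: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  if verify_peer
    ctx.cert_store = trust_store(CA[0])
    ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  else
    ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  end
  ctx.add_certificate(*identity) if identity
  ctx
end

# One TLS handshake over a socket pair. Each side reports :ok or the error it
# failed with; under TLS 1.3 the client can report :ok while the server still
# rejects it, which is exactly why a client-side warning after the fact is late.
def handshake(server_ctx, client_ctx)
  client_io, server_io = UNIXSocket.pair
  server = Thread.new do
    begin
      OpenSSL::SSL::SSLSocket.new(server_io, server_ctx).accept
      :ok
    rescue StandardError => e
      "#{e.class}: #{e.message}"
    end
  end
  client = begin
    OpenSSL::SSL::SSLSocket.new(client_io, client_ctx).connect
    :ok
  rescue StandardError => e
    "#{e.class}: #{e.message}"
  end
  # Keep the client's end open until the server is done (a TLS 1.3 server still
  # writes session tickets after the client considers the handshake complete).
  server_result = server.join(5) ? server.value : "timeout"
  client_io.close
  server_io.close
  { client: client, server: server_result }
end

def scenarios
  plain  = server_context(SERVER)
  strict = server_context(SERVER, require_client_cert: true)
  rogue  = server_context(ROGUE)
  {
    verified:            handshake(plain,  client_context(verify_peer: true)),   # correct setup, no client cert needed
    verified_vs_rogue:   handshake(rogue,  client_context(verify_peer: true)),   # verifying client refuses the interceptor
    unverified_vs_rogue: handshake(rogue,  client_context(verify_peer: false)),  # VERIFY_NONE accepts the interceptor
    no_client_cert:      handshake(strict, client_context(verify_peer: true)),   # node insists on a client cert, none given
    client_cert:         handshake(strict, client_context(verify_peer: true, identity: CLIENT))
  }
end

if $PROGRAM_NAME == __FILE__
  scenarios.each { |name, r| puts "#{name}: client=#{r[:client]} server=#{r[:server]}" }
end
```

Run it with `ruby tls_warnings_demo.rb` (any file name) and each scenario prints what both sides saw. Hostname matching (`verify_hostname` plus `SSLSocket#hostname`) is a further check on top of chain verification and is deliberately left out here so that the two warnings stay isolated.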
Thank you!
2.18.0 is out.
@michaelklishin awesome thanks for making those changes!