Comments (10)

seandilda avatar seandilda commented on July 25, 2024

I just came here to request the same thing.

I find startup logs for my rabbitmq workers difficult to parse because this large message spams the logs.

from bunny.

michaelklishin avatar michaelklishin commented on July 25, 2024

This "spam" is there to warn you that your connections might fail if target RabbitMQ node is configured in a certain way.

firefart avatar firefart commented on July 25, 2024

This is absolutely not correct as long as you verify the certificate chain correctly (which I assume you do).
The error message is generated if you don't use a client certificate to connect, which none of the hosted rabbitmq services offer, but this does not make them weak against MITM attacks as long as the connection is correctly verified against the server's certificate store.

michaelklishin avatar michaelklishin commented on July 25, 2024

I misremembered what the idea behind this was; this is to warn the user that connections might fail if RabbitMQ verifies client certificate chain. Maybe hosted RabbitMQ providers never enable such verification but there are installations that do.

michaelklishin avatar michaelklishin commented on July 25, 2024

I find it perfectly appropriate to log warnings like that. We have years of real world evidence that a lot of users have a very vague understanding of TLS and what it really does. They end up with configurations that cannot possibly work (such as the client having no certificates but RabbitMQ nodes set up to require certificate presence and perform peer verification).

It is a warning, not an error; it is logged only once on node boot assuming that connections are long lived. Users of short lived connections can set log level to error.

For other clients, there have been calls for more warnings and significantly more inconvenient TLS defaults.

seandilda avatar seandilda commented on July 25, 2024

Would it be acceptable to move the warning so it's only logged when a connection is rejected and client certs are specified? This way it shows up only when it's likely to be applicable.

I have a process that starts up 5 different bunny connections (each in a different thread). When I'm trying to diagnose startup issues, this message is a real problem. The long size of it combined with it showing up multiple times makes it really easy to miss other log lines that might be critical.

michaelklishin avatar michaelklishin commented on July 25, 2024

Reporting warnings after TLS-enabled connection failed is too late. Ruby's TLS implementation will throw an exception with some details but usually there isn't enough information to be useful to beginners. You'd need to see RabbitMQ logs for anything useful, I'm afraid, since RabbitMQ has a bit more context.

Anyhow, I have introduced a new option, :tls_silence_warnings. It silences two warnings meant to help beginners:

  • When TLS is enabled but no client certificate/key pair is provided (mentioned here)
  • When peer verification is disabled (the one I referred to in an earlier comment)

I will cut 2.18.0 some time in the next 24 hours.
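The two warnings listed above, reproduced as an added example (not Bunny's own code): it builds the options hash a Bunny TLS connection would take and reports which warning each configuration would trigger, and whether :tls_silence_warnings would hide it. The keys :tls, :tls_cert, :tls_key, :tls_ca_certificates and :verify_peer are assumed from Bunny's TLS documentation; no gem is required, so it runs stand-alone.

```ruby
# Added example, not Bunny's own code. Option keys other than
# :tls_silence_warnings are assumed from Bunny's TLS documentation.

# Build the options hash a Bunny.new call would receive for a TLS connection.
# Paths are plain strings here; nothing is read from disk.
def bunny_tls_options(ca_file:, cert: nil, key: nil, verify_peer: true, silence: false)
  opts = {
    tls: true,
    tls_ca_certificates: [ca_file],
    verify_peer: verify_peer,           # false disables server identity checks
    tls_silence_warnings: silence       # the option introduced in 2.18.0
  }
  opts[:tls_cert] = cert if cert
  opts[:tls_key]  = key  if key
  opts
end

# The two conditions the thread describes, evaluated independently of the
# silence flag. Silencing changes what is logged, not whether the condition holds.
def tls_config_findings(opts)
  return [] unless opts[:tls]
  findings = []
  # Connection will fail against a node that requires client certificates.
  findings << :no_client_certificate if opts[:tls_cert].nil? || opts[:tls_key].nil?
  # The server is not verified against the CA store: open to MITM.
  findings << :peer_verification_disabled if opts[:verify_peer] == false
  findings
end

# What Bunny would actually warn about on boot for this configuration.
def logged_warnings(opts)
  opts[:tls_silence_warnings] ? [] : tls_config_findings(opts)
end
```

Hosted brokers that issue no client certificate produce only :no_client_certificate; a configuration that also sets verify_peer: false is the one worth fixing rather than silencing.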

seandilda avatar seandilda commented on July 25, 2024

Thank you!

michaelklishin avatar michaelklishin commented on July 25, 2024

2.18.0 is out.

firefart avatar firefart commented on July 25, 2024

@michaelklishin awesome thanks for making those changes!