List: activemq-commits
Subject: [activemq-artemis] branch main updated: NO-JIRA add upgrade details for 2.18.0
From: jbertram () apache ! org
Date: 2021-08-25 17:14:52
Message-ID: 162991169250.11513.11330256668320937824 () gitbox ! apache ! org
This is an automated email from the ASF dual-hosted git repository.
jbertram pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git
The following commit(s) were added to refs/heads/main by this push:
new 04232db NO-JIRA add upgrade details for 2.18.0
04232db is described below
commit 04232db99d865c7cceae1fe37479021e830958fd
Author: Justin Bertram <jbertram@apache.org>
AuthorDate: Wed Aug 25 12:14:09 2021 -0500
NO-JIRA add upgrade details for 2.18.0
---
docs/user-manual/en/versions.md | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/docs/user-manual/en/versions.md b/docs/user-manual/en/versions.md
index fab56c3..af2ee59 100644
--- a/docs/user-manual/en/versions.md
+++ b/docs/user-manual/en/versions.md
@@ -17,6 +17,29 @@ Highlights:
- Replication integrated with ZookeeperA
- Broker load balancer
+#### Upgrading from older versions
+
+Due to [ARTEMIS-3367](https://issues.apache.org/jira/browse/ARTEMIS-3367) the
+default setting for `verifyHost` on *core connectors* has been changed from
+`false` to `true`. This means that **core clients will now expect the `CN` or
+Subject Alternative Name values of the broker's SSL certificate to match the
+hostname in the client's URL**.
+
+This impacts all core-based clients including core JMS clients and core
+connections between cluster nodes. Although this is a "breaking" change, *not*
+performing hostname verification is a security risk (e.g. due to man-in-the-middle
+attacks). Enabling it by default aligns core client behavior with industry
+standards. To deal with this you can do one of the following:
+
+- Update your SSL certificates to use a hostname which matches the hostname
+ in the client's URL. This is the recommended option with regard to security.
+- Update any connector using `sslEnabled=true` to also use `verifyHost=false`.
+ Using this option means that you won't get the extra security of hostname
+ verification, but no certificates will need to change. This essentially
+ restores the previous default behavior.
+
+For additional details about please refer to section 3.1 of [RFC 2818 "HTTP over \
TLS"](https://datatracker.ietf.org/doc/html/rfc2818#section-3.1). +
## 2.17.0
[Full release notes](https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315920&version=12349326).
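Review bot: The last added sentence, "For additional details about please refer to section 3.1 of ...", is missing its object after "about"; something like "For additional details about hostname verification please refer to ..." would read correctly. In the second bullet, `verifyHost=false` is offered for "any connector using `sslEnabled=true`", which also covers the core connections between cluster nodes named in the paragraph above; consider saying it should be set only on the connectors whose certificates cannot yet be changed, so that updating the certificates stays the normal path. The unchanged context line "Replication integrated with ZookeeperA" also appears to carry a stray trailing "A" that could be cleaned up in the same file.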