List:       activemq-commits
Subject:    [activemq-artemis] branch main updated: NO-JIRA add upgrade details for 2.18.0
From:       jbertram () apache ! org
Date:       2021-08-25 17:14:52
Message-ID: 162991169250.11513.11330256668320937824 () gitbox ! apache ! org

This is an automated email from the ASF dual-hosted git repository.

jbertram pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git


The following commit(s) were added to refs/heads/main by this push:
     new 04232db  NO-JIRA add upgrade details for 2.18.0
04232db is described below

commit 04232db99d865c7cceae1fe37479021e830958fd
Author: Justin Bertram <jbertram@apache.org>
AuthorDate: Wed Aug 25 12:14:09 2021 -0500

    NO-JIRA add upgrade details for 2.18.0
---
 docs/user-manual/en/versions.md | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/docs/user-manual/en/versions.md b/docs/user-manual/en/versions.md
index fab56c3..af2ee59 100644
--- a/docs/user-manual/en/versions.md
+++ b/docs/user-manual/en/versions.md
@@ -17,6 +17,29 @@ Highlights:
 - Replication integrated with ZookeeperA
 - Broker load balancer
 
+#### Upgrading from older versions
+
+Due to [ARTEMIS-3367](https://issues.apache.org/jira/browse/ARTEMIS-3367) the 
+default setting for `verifyHost` on *core connectors* has been changed from
+`false` to `true`. This means that **core clients will now expect the `CN` or
+Subject Alternative Name values of the broker's SSL certificate to match the
+hostname in the client's URL**.
+
+This impacts all core-based clients including core JMS clients and core
+connections between cluster nodes. Although this is a "breaking" change, *not*
+performing hostname verification is a security risk (e.g. due to man-in-the-middle
+attacks). Enabling it by default aligns core client behavior with industry
+standards. To deal with this you can do one of the following:
+
+- Update your SSL certificates to use a hostname which matches the hostname
+  in the client's URL. This is the recommended option with regard to security.
+- Update any connector using `sslEnabled=true` to also use `verifyHost=false`.
+  Using this option means that you won't get the extra security of hostname
+  verification, but no certificates will need to change. This essentially 
+  restores the previous default behavior.
+
+For additional details about please refer to section 3.1 of [RFC 2818 "HTTP over \
TLS"](https://datatracker.ietf.org/doc/html/rfc2818#section-3.1). +
 ## 2.17.0
 
 [Full release notes](https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315920&version=12349326).
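Review bot: The last added sentence, "For additional details about please refer to section 3.1 of RFC 2818", is missing its object after "about"; "about hostname verification" would complete it. In the first paragraph, "`CN` or Subject Alternative Name" could be tightened: RFC 2818 section 3.1 requires a dNSName Subject Alternative Name to be used when one is present, with the CN only as a fallback, so readers who reissue certificates under the first bullet should put the hostname in the SAN. The `verifyHost=false` bullet would also be clearer if it said the setting has to be added to each affected connector, including the cluster connectors the second paragraph mentions, since the text already describes skipping verification as a man-in-the-middle risk.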


