Current Series Release Notes

17.3.0-5

Upgrade Notes

  • The deprecated heartbeat_in_pthread option in the [oslo_messaging_rabbit] section has been removed. Operators should remove this option from their configuration files.

Security Issues

  • Under TLS with ssl_ca_file, oslo.messaging validated the broker certificate chain but did not verify the RabbitMQ broker hostname. A man-in-the-middle attacker with a certificate trusted by that CA could impersonate the broker.

    The RabbitMQ driver now verifies the broker hostname when ssl_ca_file is set and [oslo_messaging_rabbit] ssl_enforce_hostname_verification is enabled. Using ssl=true without ssl_ca_file still does not verify the broker hostname.

    The ssl_enforce_hostname_verification option is deprecated and scheduled for removal after deployments finish migrating; hostname verification should remain enabled.

    For transport URLs with multiple brokers and hostname verification enabled, Kombu 5.2.0 or newer substitutes the active broker hostname for TLS. Older Kombu versions log a warning and use the first configured broker hostname as a best effort; operators should upgrade Kombu or use a certificate (SAN or wildcard) that covers all configured broker hostnames.
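
An added example, not part of oslo.messaging or these release notes: a small Python audit of a service configuration file against the upgrade and security notes above. The sample configuration, its hostnames and paths, the `audit` and `broker_hosts` helpers, and passing the Kombu version in as a string are assumptions; because the notes do not state the default of ssl_enforce_hostname_verification, only an explicit disable is flagged.

```python
import configparser

SECTION = "oslo_messaging_rabbit"

# Constructed sample configuration (hostnames and paths are placeholders).
SAMPLE = """
[DEFAULT]
transport_url = rabbit://svc:pw@mq1.example.test:5671,svc:pw@mq2.example.test:5671/

[oslo_messaging_rabbit]
ssl = true
ssl_ca_file = /etc/ssl/example-ca.pem
ssl_enforce_hostname_verification = true
heartbeat_in_pthread = false
"""

def broker_hosts(transport_url):
    """Hostnames from rabbit://u:p@h1:5671,u:p@h2:5671/vhost (no IPv6 literals)."""
    netloc = transport_url.split("://", 1)[-1].split("/", 1)[0]
    return [b.rsplit("@", 1)[-1].rsplit(":", 1)[0] for b in netloc.split(",") if b]

def audit(conf_text, kombu_version=None):
    """Return a list of findings for one config, following the notes above."""
    cp = configparser.ConfigParser(interpolation=None)  # passwords may hold '%'
    cp.read_string(conf_text)
    has_rabbit = cp.has_section(SECTION)
    rabbit = cp[SECTION] if has_rabbit else {}
    findings = []
    if "heartbeat_in_pthread" in rabbit:
        findings.append("heartbeat_in_pthread: removed option still set")
    if not (has_rabbit and rabbit.getboolean("ssl", fallback=False)):
        return findings  # no TLS configured, hostname checks do not apply
    if not rabbit.get("ssl_ca_file"):
        findings.append("ssl=true without ssl_ca_file: broker hostname not verified")
        return findings
    # Assumption: an absent option is not judged; only an explicit disable is.
    if not rabbit.getboolean("ssl_enforce_hostname_verification", fallback=True):
        findings.append("ssl_enforce_hostname_verification disabled: "
                        "broker hostname not verified")
        return findings
    hosts = broker_hosts(cp.defaults().get("transport_url", ""))
    if len(hosts) > 1 and kombu_version is not None:
        if tuple(int(p) for p in kombu_version.split(".")[:2]) < (5, 2):
            findings.append("multiple brokers with Kombu < 5.2.0: certificate "
                            "must cover " + ", ".join(hosts))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, kombu_version="5.1.0")))
```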