2025.2 Series Release Notes

17.1.0-4

Security Issues

  • Under TLS with ssl_ca_file, oslo.messaging validated the broker certificate chain but did not verify the RabbitMQ broker hostname. A man-in-the-middle attacker with a certificate trusted by that CA could impersonate the broker.

    The RabbitMQ driver now verifies the broker hostname when ssl_ca_file is set and [oslo_messaging_rabbit] ssl_enforce_hostname_verification is enabled. Using ssl=true without ssl_ca_file still does not verify the broker hostname.

    The ssl_enforce_hostname_verification option defaults to false to preserve existing behavior until operators opt in. When enabled together with ssl_ca_file, hostname verification is enforced for RabbitMQ TLS connections.

    For transport URLs with multiple brokers and hostname verification enabled, Kombu 5.2.0 or newer substitutes the active broker hostname for TLS. Older Kombu versions log a warning and use the first configured broker hostname as a best effort; operators should upgrade Kombu or use a certificate (SAN or wildcard) that covers all configured broker hostnames.
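The audit script below is an added example, not code from oslo.messaging or from these release notes. It reads a service configuration and reports which of the cases described in this security note applies; the finding codes, function names, sample hostnames and file paths are constructed for illustration, and the installed Kombu version is supplied by the caller.

```python
import configparser
from urllib.parse import urlsplit

SECTION = "oslo_messaging_rabbit"

def broker_hosts(transport_url):
    """Hostnames in a possibly multi-broker transport URL (IPv6 literals not handled)."""
    netloc = urlsplit(transport_url).netloc
    return [p.rsplit("@", 1)[-1].split(":", 1)[0] for p in netloc.split(",") if p]

def audit(conf_text, kombu_version=(5, 2, 0)):
    """Return a list of finding codes (hypothetical names) for the RabbitMQ TLS settings."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' may appear in passwords
    cp.read_string(conf_text)
    if not cp.getboolean(SECTION, "ssl", fallback=False):
        return ["tls-disabled"]
    if not cp.get(SECTION, "ssl_ca_file", fallback="").strip():
        # ssl=true without ssl_ca_file: the broker hostname is still not verified
        return ["no-ca-file"]
    if not cp.getboolean(SECTION, "ssl_enforce_hostname_verification", fallback=False):
        # The option defaults to false, so a missing key means chain-only validation
        return ["hostname-verification-off"]
    hosts = broker_hosts(cp.defaults().get("transport_url", ""))
    if len(hosts) > 1 and tuple(kombu_version) < (5, 2, 0):
        # Older Kombu checks every broker against the first configured hostname
        return ["multi-broker-old-kombu"]
    return []

# Constructed sample configuration: CA file set, hostname verification left at default
WEAK = """
[DEFAULT]
transport_url = rabbit://svc:secret@mq1.example.test:5671,svc:secret@mq2.example.test:5671/
[oslo_messaging_rabbit]
ssl = true
ssl_ca_file = /etc/ssl/certs/mq-ca.pem
"""
# Same configuration with the operator opt-in added
HARDENED = WEAK + "ssl_enforce_hostname_verification = true\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "ok")
```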

Bug Fixes

  • Bug 2131652: Fixed the RabbitMQ driver ignoring Precondition Failed errors, so that the error is now properly raised to clients.

17.0.0

Upgrade Notes

  • The following options in the [oslo_messaging_rabbit] section have been removed.

    • rabbit_quroum_max_memory_length

    • rabbit_quroum_max_memory_bytes

Bug Fixes

  • Fixes delayed metrics processing in services using eventlet, caused by mixing a native thread with an eventlet-patched queue. See bug 2098714 for details.