2026.1 Series Release Notes

2026.1 Series Release Notes¶

17.3.0-3¶

Security Issues¶

Under TLS with ssl_ca_file, oslo.messaging validated the broker certificate chain but did not verify the RabbitMQ broker hostname. A man-in-the-middle attacker with a certificate trusted by that CA could impersonate the broker.

The RabbitMQ driver now verifies the broker hostname when ssl_ca_file is set and [oslo_messaging_rabbit] ssl_enforce_hostname_verification is enabled. Using ssl=true without ssl_ca_file still does not verify the broker hostname.

The ssl_enforce_hostname_verification option defaults to false to preserve existing behavior until operators opt in. When enabled together with ssl_ca_file, hostname verification is enforced for RabbitMQ TLS connections.

For transport URLs with multiple brokers and hostname verification enabled, Kombu 5.2.0 or newer substitutes the active broker hostname for TLS. Older Kombu versions log a warning and use the first configured broker hostname as a best effort; operators should upgrade Kombu or use a certificate (SAN or wildcard) that covers all configured broker hostnames.

17.3.0¶

Deprecation Notes¶

The [oslo_messaging_rabbit] enforce_fips_mode option has been deprecated and has no effect.

Bug Fixes¶

Avoid deleting RabbitMQ quorum queues if they are failing on server side with Internal Server Error (error 541).

17.2.0¶

Upgrade Notes¶

Support for Python 3.9 has been removed. Now the minimum python version supported is 3.10.

Bug Fixes¶

Bug 2131652: Fixed ignorance of Precondition Failed error by rabbitmq driver so that the error is properly raised to clients.

Fixes a bug where calling some OpenStack utilites, such as nova-manage, within podman containers would fail when using Queue Manager. LP#2091703

this page last updated: 2026-06-03 02:51:42

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.