Merge pull request #2814 from rabbitmq/config_example

Add tls info on rabbit.conf example (cherry picked from commit 4d4ba53)
rabbitmq · Feb 13, 2021 · 947e4dc · 947e4dc
1 parent 7a7bcc3
commit 947e4dc
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 2 deletions.
diff --git a/deps/rabbit/docs/rabbitmq.conf.example b/deps/rabbit/docs/rabbitmq.conf.example
@@ -85,15 +85,48 @@
 ##
 ## Related doc guide: https://rabbitmq.com/ssl.html.
 ##
+# listeners.ssl.1                  = 5671
+# 
 # ssl_options.verify               = verify_peer
 # ssl_options.fail_if_no_peer_cert = false
 # ssl_options.cacertfile           = /path/to/cacert.pem
 # ssl_options.certfile             = /path/to/cert.pem
 # ssl_options.keyfile              = /path/to/key.pem
 #
+## These are highly recommended but must be disabled if
+## TLSv1.3 is enabled.
 # ssl_options.honor_cipher_order   = true
 # ssl_options.honor_ecc_order      = true
-
+#
+## Limits what TLS versions the server enables for client TLS
+## connections. See https://www.rabbitmq.com/ssl.html#tls-versions for details.
+##
+## Cutting edge TLS version which requires recent client runtime
+## versions and has no cipher suite in common with earlier TLS versions.
+# ssl_options.versions.1 = tlsv1.3
+## Enables TLSv1.2 for best compatibility
+# ssl_options.versions.2 = tlsv1.2
+## Older TLS versions have known vulnerabilities and are being phased out
+## from wide use.
+
+## Limits what cipher suites the server will use for client TLS
+## connections. Narrowing this down can prevent some clients
+## from connecting.
+## If TLSv1.3 is enabled and cipher suites are overridden, TLSv1.3-specific
+## cipher suites must also be explicitly enabled.
+## See https://www.rabbitmq.com/ssl.html#cipher-suites and https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites
+## for details.
+#
+## The example below uses TLSv1.3 cipher suites only
+#
+# ssl_options.ciphers.1  = TLS_AES_256_GCM_SHA384
+# ssl_options.ciphers.2  = TLS_AES_128_GCM_SHA256
+# ssl_options.ciphers.3  = TLS_CHACHA20_POLY1305_SHA256
+# ssl_options.ciphers.4  = TLS_AES_128_CCM_SHA256
+# ssl_options.ciphers.5  = TLS_AES_128_CCM_8_SHA256
+#
+## The example below uses TLSv1.2 cipher suites only
+#
 # ssl_options.ciphers.1  = ECDHE-ECDSA-AES256-GCM-SHA384
 # ssl_options.ciphers.2  = ECDHE-RSA-AES256-GCM-SHA384
 # ssl_options.ciphers.3  = ECDHE-ECDSA-AES256-SHA384

diff --git a/deps/rabbit/src/rabbit_channel_tracking.erl b/deps/rabbit/src/rabbit_channel_tracking.erl
@@ -100,7 +100,7 @@ handle_cast({connection_closed, ConnDetails}) ->
         ThisNode ->
             TrackedChs = get_tracked_channels_by_connection_pid(ConnPid),
             rabbit_log_connection:info(
-                "Closing all channels from connection '~p' "
+                "Closing all channels from connection '~s' "
                 "because it has been closed", [pget(name, ConnDetails)]),
             %% Shutting down channels will take care of unregistering the
             %% corresponding tracking.