Posted to commits@activemq.apache.org by jb...@apache.org on 2021/08/25 17:00:59 UTC

[activemq-website] branch main updated: Add upgrade instructions for 2.18.0

This is an automated email from the ASF dual-hosted git repository.

jbertram pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-website.git


The following commit(s) were added to refs/heads/main by this push:
     new 954c943  Add upgrade instructions for 2.18.0
954c943 is described below

commit 954c94314ba56a8508201c05a58e553c2cf6b6c2
Author: Justin Bertram <jb...@apache.org>
AuthorDate: Wed Aug 25 12:00:54 2021 -0500

    Add upgrade instructions for 2.18.0
---
 .../artemis/documentation/latest/versions.html       | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/src/components/artemis/documentation/latest/versions.html b/src/components/artemis/documentation/latest/versions.html
index 59b3e73..54a0891 100644
--- a/src/components/artemis/documentation/latest/versions.html
+++ b/src/components/artemis/documentation/latest/versions.html
@@ -1246,6 +1246,26 @@ chapter in addition to any version-specific upgrade instructions outlined here.<
 <li>Replication integrated with ZookeeperA</li>
 <li>Broker load balancer</li>
 </ul>
+<h4 id="upgrading-from-older-versions">Upgrading from older versions</h4>
+<p>Due to <a href="https://issues.apache.org/jira/browse/ARTEMIS-3367" target="_blank">ARTEMIS-3367</a> the
+default setting for <code>verifyHost</code> on <em>core connectors</em> has been changed from
+<code>false</code> to <code>true</code>. This means that <strong>core clients will now expect the <code>CN</code> or
+Subject Alternative Name values of the broker&apos;s SSL certificate to match the
+hostname in the client&apos;s URL</strong>.</p>
+<p>This impacts all core-based clients including core JMS clients and core
+connections between cluster nodes. Although this is a &quot;breaking&quot; change, <em>not</em>
+performing hostname verification is a security risk (e.g. due to man-in-the-middle
+attacks). Enabling it by default aligns core client behavior with industry
+standards. To deal with this you can do one of the following:</p>
+<ul>
+<li>Update your SSL certificates to use a hostname which matches the hostname
+in the client&apos;s URL. This is the recommended option with regard to security.</li>
+<li>Update any connector using <code>sslEnabled=true</code> to also use <code>verifyHost=false</code>.
+Using this option means that you won&apos;t get the extra security of hostname
+verification, but no certificates will need to change. This essentially
+restores the previous default behavior.</li>
+</ul>
+<p>For additional details about please refer to section 3.1 of <a href="https://datatracker.ietf.org/doc/html/rfc2818#section-3.1" target="_blank">RFC 2818 &quot;HTTP over TLS&quot;</a>.</p>
 <h2 id="2170">2.17.0</h2>
 <p><a href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315920&amp;version=12349326" target="_blank">Full release notes</a>.</p>
 <p>Highlights:</p>
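Review bot: the closing paragraph of the added block reads "For additional details about please refer to section 3.1 of ..." and is missing the object of "about". Suggest "For additional details about hostname verification please refer to section 3.1 of ...", so the RFC 2818 link is tied to the <code>verifyHost</code> change described above it. In the second list item, it would also help to say that <code>verifyHost=false</code> has to be set on each connector that uses <code>sslEnabled=true</code>, including the cluster connectors the preceding paragraph says are affected, so readers who pick that option do not leave node-to-node connections failing after the upgrade.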