Update documentation regarding TLS default value changes in py-amqp

celery · Oct 19, 2022 · 7e8c4a2 · 7e8c4a2
1 parent 1da6c28
commit 7e8c4a2
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 5 deletions.
diff --git a/docs/history/whatsnew-5.1.rst b/docs/history/whatsnew-5.1.rst
@@ -208,6 +208,26 @@ Kombu
 
 Starting from v5.1, the minimum required version is Kombu 5.1.0.
 
+Py-AMQP
+~~~~~~~
+
+Starting from Celery 5.1, py-amqp will always validate certificates received from the server
+and it is no longer required to manually set ``cert_reqs`` to ``ssl.CERT_REQUIRED``.
+
+The previous default, ``ssl.CERT_NONE`` is insecure and we its usage should be discouraged.
+If you'd like to revert to the previous insecure default set ``cert_reqs`` to ``ssl.CERT_NONE``
+
+.. code-block:: python
+
+    import ssl
+
+    broker_use_ssl = {
+      'keyfile': '/var/ssl/private/worker-key.pem',
+      'certfile': '/var/ssl/amqp-server-cert.pem',
+      'ca_certs': '/var/ssl/myca.pem',
+      'cert_reqs': ssl.CERT_NONE
+    }
+
 Billiard
 ~~~~~~~~
 

diff --git a/docs/userguide/configuration.rst b/docs/userguide/configuration.rst
@@ -2698,12 +2698,14 @@ certificate authority:
       'cert_reqs': ssl.CERT_REQUIRED
     }
 
-.. warning::
+.. versionadded:: 5.1
+
+    Starting from Celery 5.1, py-amqp will always validate certificates received from the server
+    and it is no longer required to manually set ``cert_reqs`` to ``ssl.CERT_REQUIRED``.
+
+    The previous default, ``ssl.CERT_NONE`` is insecure and we its usage should be discouraged.
+    If you'd like to revert to the previous insecure default set ``cert_reqs`` to ``ssl.CERT_NONE``
 
-    Be careful using ``broker_use_ssl=True``. It's possible that your default
-    configuration won't validate the server cert at all. Please read Python
-    `ssl module security
-    considerations <https://docs.python.org/3/library/ssl.html#ssl-security>`_.
 
 ``redis``
 _________