Changes between 5.32.0 and 5.33.0
This is a maintenance release with bug fixes and dependency upgrades. It introduces minor breaking changes compared to 5.32.0 (see below for details). All users are encouraged to upgrade.
The RabbitMQ team normally maintain strict backward compatibility in minor versions. However, this release includes exceptional breaking changes that were necessary to patch security gaps and enforce secure-by-default behavior.
Breaking changes:
- Hostname verification is now enabled by default as soon as TLS is used.
- ConnectionFactory#useSslProtocol() now utilizes the JVM's default SSLContext, which validates the server certificate.
  - Note: This should primarily affect test environments, as useSslProtocol() was never intended for production use.
  - Action required: For test or development environments where certificate validation needs to be disabled, users can now explicitly switch to the new ConnectionFactory#useTlsWithNoVerification() method.
- JSON-RPC support classes now introduce an "allowlist". This change only impacts installations that explicitly utilize these classes.
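An added example (not code from the RabbitMQ project) of how application code can handle the TLS change above: a verified factory built from an explicit trust store, next to a dev/test factory that refuses to build unless explicitly opted in. The class name, the trust store parameters and the ALLOW_INSECURE_TLS environment variable are assumptions made for this example.

```java
import com.rabbitmq.client.ConnectionFactory;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;

public class TlsFactories {

    // Production: trust only the CA(s) held in an explicit PKCS#12 trust store.
    // Hostname verification is left at the 5.33.0 default (on once TLS is used).
    static ConnectionFactory verified(String host, String trustStorePath, char[] password)
            throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(trustStorePath))) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext context = SSLContext.getInstance("TLSv1.3"); // needs a JVM with TLS 1.3
        context.init(null, tmf.getTrustManagers(), null);

        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost(host);
        factory.setPort(5671); // standard AMQPS port
        factory.useSslProtocol(context);
        return factory;
    }

    // Dev/test only: no certificate validation, so the build is gated on an opt-in.
    static ConnectionFactory unverifiedForTests(String host) throws Exception {
        // ALLOW_INSECURE_TLS is a hypothetical flag chosen for this example.
        if (!"true".equals(System.getenv("ALLOW_INSECURE_TLS"))) {
            throw new IllegalStateException("unverified TLS is disabled in this environment");
        }
        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost(host);
        factory.setPort(5671);
        factory.useTlsWithNoVerification(); // method named in the 5.33.0 notes
        return factory;
    }
}
```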
Harden RPC support classes
GitHub PR: #2002
Enable hostname verification by default
GitHub issue: #2005
Introduce helper for dev/test TLS setup
GitHub PR: #2001
Enforce inbound frame max more strictly
Bump dependencies
GitHub issue: #1991
Dependency
Maven
<dependency>
  <groupId>com.rabbitmq</groupId>
  <artifactId>amqp-client</artifactId>
  <version>5.33.0</version>
</dependency>
Gradle
compile 'com.rabbitmq:amqp-client:5.33.0'