Always set and fix up SSL options in LDAP plugin

lukebakken · mergify[bot] · commit ef8a940e840d · 2025-11-11T22:32:34.000Z
There's an edge case in LDAP SSL configuration. If you set... ``` auth_ldap.use_ssl = true ``` ...but nothing else, you'll eventually hit this error: ``` {error, {options, incompatible, [{verify, verify_peer}, {cacerts, undefined}]}} ``` This is due to the fact that without any SSL options, the `rabbit_ssl_options:fix_client/1` function won't be hit, and thus system certs won't be added via `public_key:cacerts_get/0` and `cacerts` option. This PR adds `verify, verify_peer` as the default SSL option and ensures that `rabbit_ssl_options:fix_client/1` is always called. Since `verify_peer` is the default since OTP 26, we can just add it here. (cherry picked from commit 0f3e5b4)
diff --git a/deps/rabbit_common/src/rabbit_ssl_options.erl b/deps/rabbit_common/src/rabbit_ssl_options.erl
@@ -39,7 +39,6 @@ wrap_password_opt(Opts0) ->
     end.
 
 -spec fix(rabbit_types:infos()) -> rabbit_types:infos().
-
 fix(Config) ->
     fix_verify_fun(
       fix_ssl_protocol_versions(
diff --git a/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl b/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl
@@ -753,29 +753,32 @@ eldap_open(Servers, Opts) ->
             Error
     end.
 
+%% We must make sure not to add SSL options unless:
+%% a) we have at least R16A
+%% b) we have SSL turned on (or it breaks StartTLS...)
 ssl_conf() ->
-    %% We must make sure not to add SSL options unless a) we have at least R16A
-    %% b) we have SSL turned on (or it breaks StartTLS...)
-    case env(use_ssl, false) of
-        false -> [{ssl, false}];
-        true  -> %% Only the unfixed version can be []
-                 case env(ssl_options) of
-                     []        -> [{ssl, true}];
-                     undefined -> [{ssl, true}];
-                     _         -> [{ssl, true}, {sslopts, ssl_options()}]
-                 end
-    end.
+    ssl_conf(env(use_ssl, false)).
+
+ssl_conf(true) ->
+    [{ssl, true}, {sslopts, ssl_options()}];
+ssl_conf(false) ->
+    [{ssl, false}].
 
 ssl_options() ->
-    Opts0 = rabbit_ssl_options:fix_client(env(ssl_options)),
+    ssl_options(env(ssl_options)).
+
+ssl_options(undefined) ->
+    ssl_options([{verify, verify_peer}]);
+ssl_options(Opts0) ->
+    Opts1 = rabbit_ssl_options:fix_client(Opts0),
     case env(ssl_hostname_verification, undefined) of
         wildcard ->
             ?LOG_DEBUG("Enabling wildcard-aware hostname verification for LDAP client connections"),
             %% Needed for non-HTTPS connections that connect to servers that use wildcard certificates.
             %% See https://erlang.org/doc/man/public_key.html#pkix_verify_hostname_match_fun-1.
-            [{customize_hostname_check, [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]} | Opts0];
+            [{customize_hostname_check, [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]} | Opts1];
         _ ->
-            Opts0
+            Opts1
     end.
 
 at_least(Ver) ->
@@ -797,7 +800,7 @@ get_expected_env_str(Key, Default) ->
 
 env(Key) ->
     case application:get_env(rabbitmq_auth_backend_ldap, Key) of
-       {ok, V} -> V;
+        {ok, V} -> V;
         undefined -> undefined
     end.
 
