Pulp

For the [messaging] and [tasks] sections, Pulp has non-emptystring defaults set for TLS connections to use client certificates:

https://github.com/pulp/pulp/blob/2.8.0/server/pulp/server/config.py#L99
https://github.com/pulp/pulp/blob/2.8.0/server/pulp/server/config.py#L127-L128

This is a problem for two reasons:

0) Admins who wish to use client certificates to authenticate to the broker are going to have their own CA infrastructure, and so anyone using these settings are going to need to explicitly set them anyway (i.e., if I deploy a broker, I'm going to configure it to use my corporate CA and I will need to generate my own certs for Pulp to use.)

1) The more common deployment strategy is to use password authentication. However, when these certificates are configured (as they are by default) TLS certificate auth is attempted instead of password authentication (at least for RabbitMQ), and the authentication will fail (at least for RabbitMQ). This means that users who want to use the common case deployment need to both set the password, and uncomment the client certificate settings, and set those settings to the empty string. That's too many and's for the common case, IMO, especially since this is undocumented behavior.

It would be much more sane if the default for the client certificate were the empty string.

Unfortunately, this is a backwards incompatible change.