Report TLS in Erlang distribution in the CLI (#15406)

mkuratczyk · web-flow · commit 97c00a3be1b6 · 2026-02-06T15:29:00.000+01:00
follow-up to #15399 the initial PR solved the problem for the Management UI and API, but we also report listeners in the CLI. This change addresses this part.
diff --git a/deps/rabbit/src/rabbit_networking.erl b/deps/rabbit/src/rabbit_networking.erl
@@ -46,6 +46,8 @@
 
 -export([ensure_listener_table_for_this_node/0]).
 
+-export([clustering_tls_enabled/0]).
+
 -deprecated([{force_connection_event_refresh, 1, eventually}]).
 
 -export([
@@ -423,7 +425,11 @@ maybe_get_epmd_port(Name, Host) ->
                     {ok, IP} -> IP;
                     _ -> {0,0,0,0,0,0,0,0}
                 end,
-            tcp_listener_started(clustering, [], IPAddress, Port);
+            Proto = case clustering_tls_enabled() of
+                        true  -> 'clustering/ssl';
+                        false -> clustering
+                    end,
+            tcp_listener_started(Proto, [], IPAddress, Port);
         noport ->
             throw({error, no_epmd_port})
     end.
@@ -457,6 +463,7 @@ node_client_listeners(Node) ->
         [] -> [];
         Xs ->
             lists:filter(fun (#listener{protocol = clustering}) -> false;
+                             (#listener{protocol = 'clustering/ssl'}) -> false;
                              (_) -> true
                          end, Xs)
     end.
@@ -758,3 +765,11 @@ ipv6_status(TestPort) ->
 ensure_listener_table_for_this_node() ->
     _ = ets:new(?ETS_TABLE, [named_table, public, bag, {keypos, #listener.node}]),
     ok.
+
+-spec clustering_tls_enabled() -> boolean().
+clustering_tls_enabled() ->
+    case init:get_argument(proto_dist) of
+        {ok, [["inet_tls"]]} -> true;
+        {ok, [["inet6_tls"]]} -> true;
+        _ -> false
+    end.
diff --git a/deps/rabbitmq_cli/lib/rabbitmq/cli/core/listeners.ex b/deps/rabbitmq_cli/lib/rabbitmq/cli/core/listeners.ex
@@ -270,6 +270,7 @@ defmodule RabbitMQ.CLI.Core.Listeners do
   def protocol_label(:"http/prometheus"), do: "Prometheus exporter API over HTTP"
   def protocol_label(:"https/prometheus"), do: "Prometheus exporter API over TLS (HTTPS)"
   def protocol_label(:clustering), do: "inter-node and CLI tool communication"
+  def protocol_label(:"clustering/ssl"), do: "inter-node and CLI tool communication over TLS"
   def protocol_label(other), do: to_string(other)
 
   def normalize_protocol(proto) do
@@ -315,6 +316,10 @@ defmodule RabbitMQ.CLI.Core.Listeners do
       "ui" -> "http"
       "cli" -> "clustering"
       "distribution" -> "clustering"
+      "cli/ssl" -> "clustering/ssl"
+      "cli/tls" -> "clustering/ssl"
+      "distribution/ssl" -> "clustering/ssl"
+      "distribution/tls" -> "clustering/ssl"
       "webmqtt" -> "http/web-mqtt"
       "web-mqtt" -> "http/web-mqtt"
       "web_mqtt" -> "http/web-mqtt"
diff --git a/deps/rabbitmq_management/src/rabbit_mgmt_wm_health_check_protocol_listener.erl b/deps/rabbitmq_management/src/rabbit_mgmt_wm_health_check_protocol_listener.erl
@@ -109,6 +109,10 @@ normalize_protocol(Protocol) ->
         "ui" -> "http";
         "cli" -> "clustering";
         "distribution" -> "clustering";
+        "cli/ssl" -> "clustering/ssl";
+        "cli/tls" -> "clustering/ssl";
+        "distribution/ssl" -> "clustering/ssl";
+        "distribution/tls" -> "clustering/ssl";
         "webmqtt" -> "http/web-mqtt";
         "web-mqtt" -> "http/web-mqtt";
         "web_mqtt" -> "http/web-mqtt";
diff --git a/deps/rabbitmq_management_agent/src/rabbit_mgmt_format.erl b/deps/rabbitmq_management_agent/src/rabbit_mgmt_format.erl
@@ -275,18 +275,14 @@ tags_as_binaries(Tags) ->
 
 listener(#listener{node = Node, protocol = Protocol,
                    ip_address = IPAddress, port = Port, opts=Opts}) ->
-    TlsEnabled = has_tls_enabled(Protocol, Opts),
     [{node, Node},
-     {protocol, format_protocol(Protocol, TlsEnabled)},
+     {protocol, Protocol},
      {ip_address, ip(IPAddress)},
      {port, Port},
      {socket_opts, format_socket_opts(Opts)},
-     {tls, TlsEnabled}
+     {tls, has_tls_enabled(Protocol, Opts)}
     ].
 
-format_protocol(clustering, true) -> 'clustering/ssl';
-format_protocol(Protocol, _) -> Protocol.
-
 web_context(Props0) ->
     SslOpts0 = pget(ssl_opts, Props0, []),
 
@@ -298,14 +294,10 @@ web_context(Props0) ->
     Props1 = proplists:delete(ssl_opts, Props0),
     [{ssl_opts, format_socket_opts(SslOpts1)} | Props1].
 
+has_tls_enabled('clustering/ssl', _Opts) ->
+    true;
 has_tls_enabled(clustering, _Opts) ->
-    %% Erlang distribution TLS is configured externally via the -proto_dist
-    %% VM argument, not through RabbitMQ configuration.
-    case init:get_argument(proto_dist) of
-        {ok, [["inet_tls"]]} -> true;
-        {ok, [["inet6_tls"]]} -> true;
-        _ -> false
-    end;
+    false;
 has_tls_enabled(_Protocol, Opts) ->
     S = proplists:get_value(socket_opts, Opts, Opts),
     (proplists:get_value(ssl_opts, S, undefined) =/= undefined) orelse
