.

rabbit_base.py

@@ -8,10 +8,6 @@ ExchangeResolver = Callable[[str], str]  # exchangeName -> exchangeType
 
 
 def _parse_amqp_url(url: str) -> dict:
-    """
-    Convert an AMQP URL into kwargs for aio_pika.connect_robust,
-    so we don't pass the raw URL (and leak the password in logs).
-    """
     parts = urlsplit(url)
     return {
         "host": parts.hostname or "localhost",
@@ -19,7 +15,7 @@ def _parse_amqp_url(url: str) -> dict:
         "login": parts.username or "guest",
         "password": parts.password or "guest",
         "virtualhost": unquote(parts.path[1:] or "/"),
-        "ssl": parts.scheme == "amqps",  # bool for now; we may override with SSLContext
+        "ssl": parts.scheme == "amqps",
     }
 
 
@@ -38,14 +34,18 @@ class RabbitBase:
 
         conn_kwargs = _parse_amqp_url(str(settings.AMQP_URL))
 
-        # Proper way: override the boolean with an SSLContext to disable verification
+        # Build an SSLContext that DISABLES verification
+        ssl_ctx = None
         if conn_kwargs.get("ssl"):
-            ctx = ssl.create_default_context()
-            ctx.check_hostname = False
-            ctx.verify_mode = ssl.CERT_NONE
-            conn_kwargs["ssl"] = ctx  # <-- pass the context here, not via ssl_options
+            ssl_ctx = ssl.create_default_context()
+            ssl_ctx.check_hostname = False
+            ssl_ctx.verify_mode = ssl.CERT_NONE
 
-        self._conn = await aio_pika.connect_robust(**conn_kwargs)
+        # Pass ssl_context explicitly – this is what aio-pika supports
+        self._conn = await aio_pika.connect_robust(
+            **conn_kwargs,
+            ssl_context=ssl_ctx  # <- key bit
+        )
         self._chan = await self._conn.channel()
         await self._chan.set_qos(prefetch_count=settings.RABBIT_PREFETCH)