
Vulnerability in RabbitMQ: disable cleartext authentication mechanisms in the AMQP configuration

Tags:

rabbitmq

amqp

How to disable cleartext authentication mechanisms in the AMQP configuration?

Muddassir Rahman asked May 14 '19 02:05


1 Answer

Without going into TLS details, you must:

  • Disable normal authentication by no longer using the non-TLS port 5672: leave the config entry empty, {tcp_listeners, []}

  • Enable TLS by adding the config entry {ssl_listeners, [5671]}

  • Further configure TLS support details on the server, like

      {ssl_options, [{cacertfile,"/path/to/ca_certificate_bundle.pem"},
                     {certfile,"/path/to/server_certificate.pem"},
                     {keyfile,"/path/to/server_key.pem"},
                     {depth, 2},
                     {verify,verify_peer},
                     {fail_if_no_peer_cert,false}]}
    
    
  • Make sure your client API supports TLS for peer verification (as well as securing the traffic). Here you have the .NET and Java client API details.

Notes:

  • Peer verification and passwords (for certificates) are supported and optional. You can have a password-less certificate and enable or disable peer verification.
  • Some clients have specific requirements about certificate types and content.

Lorenzo Solano Martinez answered Nov 20 '22 06:11
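
The answer's three configuration entries assembled into one file, as an added example that is not part of the original answer. It assumes the classic Erlang-term `rabbitmq.config` format and keeps the answer's placeholder certificate paths.

```erlang
%% rabbitmq.config (classic Erlang-term format), added example.
%% Certificate paths are the answer's placeholders; point them at real files.
[
  {rabbit, [
    %% No plain TCP listener: nothing accepts AMQP on 5672, so credentials
    %% can no longer be sent over an unencrypted connection.
    {tcp_listeners, []},

    %% AMQP is offered over TLS only.
    {ssl_listeners, [5671]},

    {ssl_options, [
      {cacertfile, "/path/to/ca_certificate_bundle.pem"},
      {certfile,   "/path/to/server_certificate.pem"},
      {keyfile,    "/path/to/server_key.pem"},

      %% Maximum length of the client certificate chain that is accepted.
      {depth, 2},

      %% verify_peer validates a client certificate when one is presented.
      %% With fail_if_no_peer_cert set to false, clients that present no
      %% certificate are still accepted; set it to true to require one.
      {verify, verify_peer},
      {fail_if_no_peer_cert, false}
    ]}
  ]}
].

%% Equivalent listener settings in the newer rabbitmq.conf (key = value) format:
%%   listeners.tcp = none
%%   listeners.ssl.default = 5671
```

The node has to be restarted for listener changes to take effect; `rabbitmq-diagnostics listeners` should then show no plain AMQP listener on 5672.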