Vulnerability in RabbitMQ : disable cleartext authentication mechanisms in the amqp configuration

Question

How to disable cleartext authentication mechanisms in the amqp configuration ?

Answer 1

without going into TLS details, you must:

• Disable normal authentication, by stop using non-TLS port 5672 by leaving config entry empty {tcp_listeners, []}

• Enable TLS by adding config entry {ssl_listeners, [5671]}

• Further configure TLS support details on server, like

    {ssl_options, [{cacertfile,"/path/to/ca_certificate_bundle.pem"},
                   {certfile,"/path/to/server_certificate.pem"},
                   {keyfile,"/path/to/server_key.pem"},
                   {depth, 2},
                   {verify,verify_peer},
                   {fail_if_no_peer_cert,false}]}
  
  

• Make sure your client API supports TLS for peer verification (as well as securing the traffic). Here you have the .NET and Java client APIs details.

Notes:

• Peer verification and passwords (for certificates) are supported and optional. You can have a password-less certificate and enable or disable peer verification.
• Some clients have specific requirements about certificates types and content