是否可以配置 RabbitMQ 管理插件使用的密码套件?
Is it possible to configure cipher suites used by RabbitMQ Management Plugin?
我有一个 RabbitMQ 实例 3.7.7-management image running. It has the rabbitmq-management plugin enabled and configured to use HTTPS as per the documentation:
management.listener.port = 15671
management.listener.ssl = true
management.listener.ssl_opts.cacertfile = /path/to/cacert.pem
management.listener.ssl_opts.certfile = /path/to/cert.pem
management.listener.ssl_opts.keyfile = /path/to/key.pem
management.listener.ssl_opts.fail_if_no_peer_cert = false
management.listener.ssl_opts.versions.1 = tlsv1.2
当我使用 testssl.sh 测试工具评估 TLS 设置时,针对 SWEET32 漏洞的测试失败:
Testing vulnerabilities
...
SWEET32 (CVE-2016-2183, CVE-2016-6329) VULNERABLE, uses 64 bit block ciphers
...
OpenVAS 框架也抱怨:
漏洞检测结果
'Vulnerable' cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
解决方案类型: 缓解措施
The configuration of this services should be changed so that it does not accept the listed cipher suites anymore.
是否可以配置 RabbitMQ 管理插件使用的密码套件?对于 RabbitMQ it is possible, but looking at rabbitmq_management.schema 来说,管理插件似乎是不可能的。或者是否有其他方法来修复该漏洞?
您将必须使用 advanced.config 文件来执行此操作。我假设您已经使用您显示的设置创建了 /etc/rabbitmq/rabbitmq.conf。使用这些内容创建 /etc/rabbitmq/advanced.config 文件并重新启动 RabbitMQ:
[
{rabbitmq_management, [
{listener, [
{ssl_opts, [
{ciphers, [
%% CIPHERS GO HERE
]}
]}
]}
]}
].
该设置应合并到 rabbitmq.conf 中指定的内容中。您可以在 /var/lib/rabbitmq/...
中查看生成的配置文件
如果这不起作用,请跟进邮件列表。
注意: RabbitMQ 团队监控 the rabbitmq-users mailing list 并且有时只在 Whosebug 上回答问题。
我有一个 RabbitMQ 实例 3.7.7-management image running. It has the rabbitmq-management plugin enabled and configured to use HTTPS as per the documentation:
management.listener.port = 15671
management.listener.ssl = true
management.listener.ssl_opts.cacertfile = /path/to/cacert.pem
management.listener.ssl_opts.certfile = /path/to/cert.pem
management.listener.ssl_opts.keyfile = /path/to/key.pem
management.listener.ssl_opts.fail_if_no_peer_cert = false
management.listener.ssl_opts.versions.1 = tlsv1.2
当我使用 testssl.sh 测试工具评估 TLS 设置时,针对 SWEET32 漏洞的测试失败:
Testing vulnerabilities
...
SWEET32 (CVE-2016-2183, CVE-2016-6329) VULNERABLE, uses 64 bit block ciphers
...
OpenVAS 框架也抱怨:
漏洞检测结果
'Vulnerable' cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
解决方案类型: 缓解措施
The configuration of this services should be changed so that it does not accept the listed cipher suites anymore.
是否可以配置 RabbitMQ 管理插件使用的密码套件?对于 RabbitMQ it is possible, but looking at rabbitmq_management.schema 来说,管理插件似乎是不可能的。或者是否有其他方法来修复该漏洞?
您将必须使用 advanced.config 文件来执行此操作。我假设您已经使用您显示的设置创建了 /etc/rabbitmq/rabbitmq.conf。使用这些内容创建 /etc/rabbitmq/advanced.config 文件并重新启动 RabbitMQ:
[
{rabbitmq_management, [
{listener, [
{ssl_opts, [
{ciphers, [
%% CIPHERS GO HERE
]}
]}
]}
]}
].
该设置应合并到 rabbitmq.conf 中指定的内容中。您可以在 /var/lib/rabbitmq/...
如果这不起作用,请跟进邮件列表。
注意: RabbitMQ 团队监控 the rabbitmq-users mailing list 并且有时只在 Whosebug 上回答问题。