To fix the RabbitMQ finding "disable cleartext authentication mechanisms in the AMQP configuration" (on the plain AMQP listener, port 5672, the username and password travel unencrypted and can be read by anyone on the network path), move clients to the TLS listener and switch the plaintext listener off. Follow these steps:
Create self-signed certificate files
The easiest way is to clone the tls-gen repository
https://github.com/michaelklishin/tls-gen
and then:
1. change into the cloned repository and then into its basic directory
2. run make PASSWORD={your_password} CN={your_domain}; CN must be the hostname clients will use to reach the broker, because the client verifies the server certificate against that name, and PASSWORD is the key password you will later put into ssl_options.password
3. the CA, server and client certificates and keys are written as PEM files to the result directory
Configure the RabbitMQ configuration file
Your rabbitmq.conf should contain the following (listeners.ssl.default and the ssl_options.* keys enable AMQP over TLS on port 5671; listeners.tcp = none turns the plaintext listener off):
listeners.tcp = none
listeners.ssl.default = 5671
ssl_options.cacertfile = path_to_ca_certificate.pem
ssl_options.certfile = path_to_server_certificate.pem
ssl_options.keyfile = path_to_server_key.pem
ssl_options.password = XXXXX
default_user = XXXXX
default_pass = XXXXX
loopback_users.guest = false
* Notes
- listeners.tcp.default = 5672 must be removed, and removing it alone is not enough: RabbitMQ listens on 5672 by default when no listeners.tcp key is present at all, so listeners.tcp = none is what actually disables the plaintext listener. After restarting the node, confirm that nothing accepts connections on 5672 and that 5671 answers with TLS.
- ssl_options.password is the passphrase of the server private key (server_key.pem); if the key file is encrypted it must match the PASSWORD given to tls-gen above.
- default_user and default_pass only take effect when the node starts with an empty database; they do not change an existing user.
- loopback_users.guest = false is not part of the TLS change: it allows the built-in guest account, which is otherwise limited to localhost, to log in from remote hosts. Leave it out unless you really need remote guest logins.
- the client below presents a client certificate, but the broker only requests and checks it when ssl_options.verify = verify_peer is set (add ssl_options.fail_if_no_peer_cert = true to reject clients that present none); with the default verify_none the client certificate is ignored.
- the relevant documentation is at
https://www.rabbitmq.com/ssl.html
Configure the client
Your Golang client should build its TLS configuration like this, using the CA file and the client certificate and key produced by tls-gen (the amqp package is github.com/streadway/amqp; the maintained fork github.com/rabbitmq/amqp091-go has the same DialTLS call):
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/url"
	"os"

	"github.com/streadway/amqp"
)

// dialRabbit connects to the broker over amqps (port 5671) with the CA,
// client certificate and key generated by tls-gen. host must be the CN
// given to tls-gen, e.g. dialRabbit("rabbit_host", "rabbit_user", "rabbit_password").
func dialRabbit(host, user, pass string) (*amqp.Connection, error) {
	cfg := &tls.Config{
		// ServerName is the name the server certificate is checked against.
		// Do not set InsecureSkipVerify = true: it switches that check off,
		// so the CA loaded below would have no effect and any server,
		// including an attacker's, would be accepted.
		ServerName: host,
		RootCAs:    x509.NewCertPool(),
	}
	ca, err := os.ReadFile("path_to_ca_certificate.pem")
	if err != nil {
		return nil, err
	}
	// AppendCertsFromPEM reports whether it found a certificate; an empty
	// or wrong file would otherwise leave the pool empty and fail later.
	if !cfg.RootCAs.AppendCertsFromPEM(ca) {
		return nil, errors.New("no certificate found in CA file")
	}
	cert, err := tls.LoadX509KeyPair("path_to_client_certificate.pem", "path_to_client_key.pem")
	if err != nil {
		return nil, err
	}
	cfg.Certificates = append(cfg.Certificates, cert)
	// url.UserPassword escapes special characters in the credentials.
	u := url.URL{
		Scheme: "amqps",
		User:   url.UserPassword(user, pass),
		Host:   fmt.Sprintf("%s:%d", host, 5671),
	}
	return amqp.DialTLS(u.String(), cfg)
}
The complete Golang code is available at
https://tinyurl.com/y6u9ack9
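Added example (written for this page; it is not code from the original post, from tls-gen or from RabbitMQ): the Go program below rebuilds the TLS part of the setup in memory so it runs offline. It generates a throwaway CA plus server and client certificates the way tls-gen does on disk, starts a loopback TLS listener that requires a client certificate from that CA (the effect of ssl_options.verify = verify_peer), and connects with the client configuration the snippet above builds, three times: to the correctly signed server, to a server whose certificate for the same hostname was signed by an unrelated "rogue" CA, and to that rogue server again with InsecureSkipVerify = true. The hostname rabbitmq.example.test, the CA names, P-256 keys and the loopback listener standing in for the broker are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pki is a throwaway in-memory CA standing in for the files tls-gen writes; it keeps the first error.
type pki struct{ err error }

// cert issues a self-signed CA when parent is nil, otherwise a leaf signed by parent/parentKey for usage.
func (p *pki) cert(cn string, parent *x509.Certificate, parentKey interface{}, usage x509.ExtKeyUsage) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		p.err = err
		return tls.Certificate{}, nil
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo-only serial
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn}, // Go matches ServerName against SANs, not the CN
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		p.err = err
		return tls.Certificate{}, nil
	}
	parsed, _ := x509.ParseCertificate(der) // der was just produced by CreateCertificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed
}

// clientTLSConfig mirrors the client snippet above: explicit trust in the tls-gen CA,
// a client certificate, and server verification left enabled.
func clientTLSConfig(ca *x509.Certificate, cert tls.Certificate, serverName string) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{cert}, ServerName: serverName}
}

// handshake dials a loopback listener that presents serverCert and, like ssl_options.verify =
// verify_peer, requires a client certificate from clientCAs. nil means the client accepted the server.
func handshake(serverCert tls.Certificate, clientCAs *x509.CertPool, cfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // serve exactly one handshake
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

type Outcome struct{ Trusted, Rogue, RogueSkipVerify error } // client-side result per scenario; nil = accepted
// Demo signs one server certificate with the configured CA and another for the same host with an
// unrelated rogue CA, then connects with the hardened config and with InsecureSkipVerify = true.
func Demo() (Outcome, error) {
	var p pki
	caTLS, ca := p.cert("rabbit-test-ca", nil, nil, 0)
	rogueTLS, rogueCA := p.cert("rogue-ca", nil, nil, 0)
	server, _ := p.cert("rabbitmq.example.test", ca, caTLS.PrivateKey, x509.ExtKeyUsageServerAuth)
	rogue, _ := p.cert("rabbitmq.example.test", rogueCA, rogueTLS.PrivateKey, x509.ExtKeyUsageServerAuth)
	client, _ := p.cert("client", ca, caTLS.PrivateKey, x509.ExtKeyUsageClientAuth)
	if p.err != nil {
		return Outcome{}, p.err
	}
	cfg := clientTLSConfig(ca, client, "rabbitmq.example.test")
	skip := cfg.Clone()
	skip.InsecureSkipVerify = true
	return Outcome{
		Trusted:         handshake(server, cfg.RootCAs, cfg),
		Rogue:           handshake(rogue, cfg.RootCAs, cfg),
		RogueSkipVerify: handshake(rogue, cfg.RootCAs, skip),
	}, nil
}

func main() { fmt.Println(Demo()) }
```

Run it with go run: Trusted is nil, Rogue is a "certificate signed by unknown authority" error, and RogueSkipVerify is nil again. That last result is why InsecureSkipVerify = true must never survive into a production client: with it, the amqps URL still encrypts the connection, but to whoever answers, so an attacker in the path can present any certificate and collect the credentials the TLS change was meant to protect.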