rabbitmq启用外接认证模式 解决 AMQP明文验证漏洞问题

1、漏洞复现

登入rabbimq-management 管理界面,f12打开开发者工具,在network一项捕获请求,请求头中的Cookie值为base64 加密密文,可以使用通用base解密,

例如:请求头中抓到 Cookie: m=2258:Z3Vlc3Q6Z3Vlc3Q%253D

对 m=2258:Z3Vlc3Q6Z3Vlc3Q%253D 解密为 guest:guest

2、认证模式
Mechanism Description
PLAIN SASL PLAIN 验证。在RabbitMQ服务器和客户端中,默认是启用的,其他大多数客户端也是默认的。
AMQPLAIN PLAIN的非标准版本,用于向后兼容。该功能在RabbitMQ服务器中默认启用。
EXTERNAL 身份验证使用带外机制进行,例如x509证书对等验证、客户端IP地址范围或类似的机制。这种机制通常由RabbitMQ插件提供。
RABBIT-CR-DEMO 演示challenge-response认证的非标准机制。该机制具有与PLAIN等价的安全性,在RabbitMQ服务器中默认不启用。

rabbitmq的auth_mechanisms配置中默认为PLAIN模式,与AMQPLAIN同为明文认证,解决AMQP明文验证漏洞需要修改为EXTERNAL

3、EXTERNAL认证配置

修改 RabbitMQ 配置文件 /etc/rabbitmq/rabbitmq.config,此文件默认不存在,需要手动创建

[{rabbit, [
    {ssl_listeners, [5671]},
    {ssl_options, [
        {cacertfile, "/etc/rabbitmq/ssl/cacert.pem"},
        {certfile,   "/etc/rabbitmq/ssl/rabbitmq-server.cert.pem"},
        {keyfile,    "/etc/rabbitmq/ssl/rabbitmq-server.key.pem"},
        {verify, verify_peer},
        {fail_if_no_peer_cert, true},
        {ciphers, [
            "ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
            "ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384",
            "ECDHE-ECDSA-DES-CBC3-SHA","ECDH-ECDSA-AES256-GCM-SHA384",
            "ECDH-RSA-AES256-GCM-SHA384","ECDH-ECDSA-AES256-SHA384",
            "ECDH-RSA-AES256-SHA384","DHE-DSS-AES256-GCM-SHA384",
            "DHE-DSS-AES256-SHA256","AES256-GCM-SHA384",
            "AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
            "ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256",
            "ECDHE-RSA-AES128-SHA256","ECDH-ECDSA-AES128-GCM-SHA256",
            "ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
            "ECDH-RSA-AES128-SHA256","DHE-DSS-AES128-GCM-SHA256",
            "DHE-DSS-AES128-SHA256","AES128-GCM-SHA256",
            "AES128-SHA256","ECDHE-ECDSA-AES256-SHA",
            "ECDHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA",
            "ECDH-ECDSA-AES256-SHA","ECDH-RSA-AES256-SHA",
            "AES256-SHA","ECDHE-ECDSA-AES128-SHA",
            "ECDHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA",
            "ECDH-ECDSA-AES128-SHA","ECDH-RSA-AES128-SHA","AES128-SHA"
        ]}
    ]},
    {auth_mechanisms,['EXTERNAL']},
    {ssl_cert_login_from,common_name}
]}].

主要配置项说明:

  • verify
    • verify_peer 客户端与服务端互相发送证书
    • verify_none 禁用证书交换与校验
  • fail_if_no_peer_cert
    • true 不接受没证书的客户端连接
    • false 接受没证书的客户端连接
  • auth_mechanisms 认证机制,此处使用 EXTERNAL 表示只使用插件提供认证功能
  • ssl_cert_login_from使用证书中的哪些信息登录,如果不配置这项是走的DN,配置走CN
    • common_name CN名称

启用插件

#启用rabbitmq_auth_mechanism_ssl作为EXTERNAL认证机制的实现
rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl
#查看启动结果
rabbitmq-plugins list

重启rabbitmq 并添加rabbitmq-client用户

service rabbitmq-server restart
#添加证书登录用户(用户名要与客户端证书名称前缀一致),密码任意
rabbitmqctl add_user 'rabbitmq-client' '2a55f70a841f18b97c3a7db939b7adc9e34a0f1b'
#给rabbitmq-client用户虚拟主机/的所有权限,如需其他虚拟主机替换/
rabbitmqctl set_permissions -p "/" "rabbitmq-client" ".*" ".*" ".*"

代码中添加配置

@Configration
public class RabbitmqConfig{

    @Autowired
    RabbitProperties rabbitProperties;
    @Autowired
    CachingConnectionFactory cachingConnectionFactory;
    
    /**
     * 解决安全扫描 AMQP明文登录漏洞 仅当rabbitmq启用ssl时并且配置证书时,显式设置EXTERNAL认证机制
* EXTERNAL认证机制使用X509认证方式,服务端读取客户端证书中的CN作为登录名称,同时忽略密码 */ @PostConstruct public void rabbitmqSslExternalPostConstruct() { boolean rabbitSslEnabled = BooleanUtils.toBoolean(rabbitProperties.getSsl().getEnabled()); boolean rabbitSslKeyStoreExists = rabbitProperties.getSsl().getKeyStore() != null; if (rabbitSslEnabled && rabbitSslKeyStoreExists) { cachingConnectionFactory.getRabbitConnectionFactory().setSaslConfig(DefaultSaslConfig.EXTERNAL); } } }

application 配置文件修改

spring: 
  rabbitmq:
    host: ip
    port: 5671
    publisher-returns: true
    virtual-host: /
    ssl:
      enabled: true
      key-store: classpath:ssl/rabbitmq-client.keycert.p12
      key-store-password: rabbit
      trust-store: classpath:ssl/rabbitmqTrustStore
      trust-store-type: JKS
      verify-hostname: false
    listener:
      direct:
        acknowledge-mode: manual
4、参考文章

https://www.cnblogs.com/hellxz/p/15776987.html

-end-

你可能感兴趣的:(rabbitmq启用外接认证模式 解决 AMQP明文验证漏洞问题)