rabbitmq啟用外接認(rèn)證模式 解決 AMQP明文驗(yàn)證漏洞問(wèn)題

1、漏洞復(fù)現(xiàn)

登入rabbimq-management 管理界面,f12打開(kāi)開(kāi)發(fā)者工具,在network一項(xiàng)捕獲請(qǐng)求,請(qǐng)求頭中的Cookie值為base64 加密密文,可以使用通用base解密,

例如:請(qǐng)求頭中抓到 Cookie: m=2258:Z3Vlc3Q6Z3Vlc3Q%253D

對(duì) m=2258:Z3Vlc3Q6Z3Vlc3Q%253D 解密為 guest:guest

2、認(rèn)證模式
Mechanism Description
PLAIN SASL PLAIN 驗(yàn)證。在RabbitMQ服務(wù)器和客戶端中,默認(rèn)是啟用的,其他大多數(shù)客戶端也是默認(rèn)的。
AMQPLAIN PLAIN的非標(biāo)準(zhǔn)版本,用于向后兼容。該功能在RabbitMQ服務(wù)器中默認(rèn)啟用。
EXTERNAL 身份驗(yàn)證使用帶外機(jī)制進(jìn)行,例如x509證書(shū)對(duì)等驗(yàn)證、客戶端IP地址范圍或類似的機(jī)制。這種機(jī)制通常由RabbitMQ插件提供。
RABBIT-CR-DEMO 演示challenge-response認(rèn)證的非標(biāo)準(zhǔn)機(jī)制。該機(jī)制具有與PLAIN等價(jià)的安全性,在RabbitMQ服務(wù)器中默認(rèn)不啟用。

rabbitmq的auth_mechanisms配置中默認(rèn)為PLAIN模式,與AMQPLAIN同為明文認(rèn)證,解決AMQP明文驗(yàn)證漏洞需要修改為EXTERNAL

3、EXTERNAL認(rèn)證配置

修改 RabbitMQ 配置文件 /etc/rabbitmq/rabbitmq.config,此文件默認(rèn)不存在,需要手動(dòng)創(chuàng)建

[{rabbit, [
    {ssl_listeners, [5671]},
    {ssl_options, [
        {cacertfile, "/etc/rabbitmq/ssl/cacert.pem"},
        {certfile,   "/etc/rabbitmq/ssl/rabbitmq-server.cert.pem"},
        {keyfile,    "/etc/rabbitmq/ssl/rabbitmq-server.key.pem"},
        {verify, verify_peer},
        {fail_if_no_peer_cert, true},
        {ciphers, [
            "ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
            "ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384",
            "ECDHE-ECDSA-DES-CBC3-SHA","ECDH-ECDSA-AES256-GCM-SHA384",
            "ECDH-RSA-AES256-GCM-SHA384","ECDH-ECDSA-AES256-SHA384",
            "ECDH-RSA-AES256-SHA384","DHE-DSS-AES256-GCM-SHA384",
            "DHE-DSS-AES256-SHA256","AES256-GCM-SHA384",
            "AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
            "ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256",
            "ECDHE-RSA-AES128-SHA256","ECDH-ECDSA-AES128-GCM-SHA256",
            "ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
            "ECDH-RSA-AES128-SHA256","DHE-DSS-AES128-GCM-SHA256",
            "DHE-DSS-AES128-SHA256","AES128-GCM-SHA256",
            "AES128-SHA256","ECDHE-ECDSA-AES256-SHA",
            "ECDHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA",
            "ECDH-ECDSA-AES256-SHA","ECDH-RSA-AES256-SHA",
            "AES256-SHA","ECDHE-ECDSA-AES128-SHA",
            "ECDHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA",
            "ECDH-ECDSA-AES128-SHA","ECDH-RSA-AES128-SHA","AES128-SHA"
        ]}
    ]},
    {auth_mechanisms,['EXTERNAL']},
    {ssl_cert_login_from,common_name}
]}].

主要配置項(xiàng)說(shuō)明:

  • verify
    • verify_peer 客戶端與服務(wù)端互相發(fā)送證書(shū)
    • verify_none 禁用證書(shū)交換與校驗(yàn)
  • fail_if_no_peer_cert
    • true 不接受沒(méi)證書(shū)的客戶端連接
    • false 接受沒(méi)證書(shū)的客戶端連接
  • auth_mechanisms 認(rèn)證機(jī)制,此處使用 EXTERNAL 表示只使用插件提供認(rèn)證功能
  • ssl_cert_login_from使用證書(shū)中的哪些信息登錄,如果不配置這項(xiàng)是走的DN,配置走CN
    • common_name CN名稱

啟用插件

#啟用rabbitmq_auth_mechanism_ssl作為EXTERNAL認(rèn)證機(jī)制的實(shí)現(xiàn)
rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl
#查看啟動(dòng)結(jié)果
rabbitmq-plugins list

重啟rabbitmq 并添加rabbitmq-client用戶

service rabbitmq-server restart
#添加證書(shū)登錄用戶(用戶名要與客戶端證書(shū)名稱前綴一致),密碼任意
rabbitmqctl add_user 'rabbitmq-client' '2a55f70a841f18b97c3a7db939b7adc9e34a0f1b'
#給rabbitmq-client用戶虛擬主機(jī)/的所有權(quán)限,如需其他虛擬主機(jī)替換/
rabbitmqctl set_permissions -p "/" "rabbitmq-client" ".*" ".*" ".*"

代碼中添加配置

@Configration
public class RabbitmqConfig{

    @Autowired
    RabbitProperties rabbitProperties;
    @Autowired
    CachingConnectionFactory cachingConnectionFactory;
    
    /**
     * 解決安全掃描 AMQP明文登錄漏洞 僅當(dāng)rabbitmq啟用ssl時(shí)并且配置證書(shū)時(shí),顯式設(shè)置EXTERNAL認(rèn)證機(jī)制<br/>
     * EXTERNAL認(rèn)證機(jī)制使用X509認(rèn)證方式,服務(wù)端讀取客戶端證書(shū)中的CN作為登錄名稱,同時(shí)忽略密碼
     */
    @PostConstruct
    public void rabbitmqSslExternalPostConstruct() {
        boolean rabbitSslEnabled = BooleanUtils.toBoolean(rabbitProperties.getSsl().getEnabled());
        boolean rabbitSslKeyStoreExists = rabbitProperties.getSsl().getKeyStore() != null;
        if (rabbitSslEnabled && rabbitSslKeyStoreExists) {
            cachingConnectionFactory.getRabbitConnectionFactory().setSaslConfig(DefaultSaslConfig.EXTERNAL);
        }
    }
}

application 配置文件修改

spring: 
  rabbitmq:
    host: ip
    port: 5671
    publisher-returns: true
    virtual-host: /
    ssl:
      enabled: true
      key-store: classpath:ssl/rabbitmq-client.keycert.p12
      key-store-password: rabbit
      trust-store: classpath:ssl/rabbitmqTrustStore
      trust-store-type: JKS
      verify-hostname: false
    listener:
      direct:
        acknowledge-mode: manual
4、參考文章

https://www.cnblogs.com/hellxz/p/15776987.html

-end-

?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時(shí)請(qǐng)結(jié)合常識(shí)與多方信息審慎甄別。
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡(jiǎn)書(shū)系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容