AMQP cleartext authentication


Cameron Paige

Feb 29, 2016, 3:36:31 PM
to rabbitmq-users
Hi,
I just received a vulnerability scan and it is coming back that the AMQP service allows cleartext authentication. Logically, I looked at switching to SSL for encryption but it's asking me to provide a path to the private key. My issue is that my client's enterprise CA won't provide me with a private key and even if they did, they wouldn't let me store that key on the server. So one thing I tried was disabling 5672 on the external interface and only allowing communication from within the local host since that's all our custom application requires. Unfortunately, it's still coming back with the vulnerability on the scan. Has anyone run into this before? I'm running Windows 2012R2 if that helps any.

Thanks in advance.

Michael Klishin

Feb 29, 2016, 3:45:28 PM
to rabbitm...@googlegroups.com, Cameron Paige
On 29 February 2016 at 23:36:34, Cameron Paige (golfbal...@gmail.com) wrote:
> Logically, I looked at switching to SSL for encryption but it's
> asking me to provide a path to the private key. My issue is that
> my client's enterprise CA won't provide me with a private key
> and even if they did, they wouldn't let me store that key on the
> server. So one thing I tried was disabling 5672 on the external
> interface and only allowing communication from within the local
> host since that's all our custom application requires. Unfortunately,
> it's still coming back with the vulnerability on the scan.
 
Having node-local private keys is certainly not unheard of even in pretty paranoid environments.
We’ve heard that in some countries, financial regulations require this (as opposed to loading keys over the network).

You could use x509 certificates only for authentication but server key would still have to be loaded
from a local FS.
--
MK

Staff Software Engineer, Pivotal/RabbitMQ
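As an added example (not configuration posted by either participant and not a file shipped by RabbitMQ), here is what the two measures discussed above look like together in a RabbitMQ 3.x `rabbitmq.config` in the Erlang term format: the plain AMQP listener bound to the loopback interface only, a TLS listener on 5671 for remote clients, and optionally x509 client-certificate authentication via the EXTERNAL mechanism. The certificate and key paths are placeholders; as noted in the reply, the server key still has to be a file the node can read.

```erlang
%% Added example, not from the thread: a RabbitMQ 3.x rabbitmq.config
%% (Erlang term format). It keeps cleartext AMQP reachable only from the
%% local host and adds a TLS listener on 5671. All PEM paths are placeholders.
[
 {rabbit, [
   %% Plain (cleartext) AMQP on the loopback interface only. Nothing listens
   %% on 0.0.0.0:5672, so PLAIN authentication is not offered to remote hosts.
   {tcp_listeners, [{"127.0.0.1", 5672}]},

   %% TLS listener for any client that must connect over the network. The
   %% server certificate and its private key must be files on this node.
   {ssl_listeners, [5671]},
   {ssl_options, [
     {cacertfile, "C:/rabbitmq/certs/ca_bundle.pem"},   %% placeholder path
     {certfile,   "C:/rabbitmq/certs/server_cert.pem"}, %% placeholder path
     {keyfile,    "C:/rabbitmq/certs/server_key.pem"},  %% placeholder path
     {verify, verify_peer},
     %% false: remote clients may still present a username/password over TLS;
     %% set to true to require a client certificate on every TLS connection.
     {fail_if_no_peer_cert, false}
   ]},

   %% Optional: allow clients to authenticate with their x509 certificate
   %% (EXTERNAL, provided by the rabbitmq_auth_mechanism_ssl plugin) while
   %% keeping PLAIN for the local application on 127.0.0.1.
   {auth_mechanisms, ['PLAIN', 'EXTERNAL']}
 ]}
].
```

The EXTERNAL mechanism only works after the plugin is enabled (`rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl`) and the node is restarted. Two caveats a practitioner should check before re-running the scan: confirm with `netstat -ano` that 5672 is now bound to 127.0.0.1 rather than 0.0.0.0 (a stale listener from the previous configuration would keep the finding alive), and remember that a scanner running on the node itself, or an authenticated scan that inspects listening sockets, will still see the loopback listener as offering cleartext authentication even though it is unreachable from the network.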


Michael Klishin

Mar 1, 2016, 6:21:03 PM
to rabbitm...@googlegroups.com, Cameron Paige
On 29 February 2016 at 23:45:23, Michael Klishin (mkli...@pivotal.io) wrote:
> Having node-local private keys is certainly not unheard of
> even in pretty paranoid environments.
> We’ve heard that in some countries, financial regulations requires
> this (as opposed to loading keys over the network).

We did some more research and the runtime supports inline certificates and keys. In other
words, technically RabbitMQ could load them from any source. We could develop a plugin
that loads keys over the network, provided there's enough demand.

Cameron Paige

Mar 1, 2016, 9:59:59 PM
to rabbitmq-users, golfbal...@gmail.com
Thanks for the follow-up, Michael. Greatly appreciated. Unfortunately that still wouldn't solve our problem since our Enterprise CA won't provide us with the private key for our server certs. Not even sure if they'd provide us with a path to where they store the keys. Hate to say it but we're looking into MSMQ so we can leverage the Windows cert store.

Michael Klishin

Mar 2, 2016, 3:02:00 AM
to rabbitm...@googlegroups.com, Cameron Paige
On 2 March 2016 at 06:00:02, Cameron Paige (golfbal...@gmail.com) wrote:
> Unfortunately that still wouldn't solve our problem since
> our Enterprise CA won't provide us with the private key for our
> server certs. Not even sure if they'd provide us with a path to
> where they store the keys. Hate to say it but we're looking into
> MSMQ so we can leverage the windows cert store.

Well, that answers my question of “where do you want to load keys from”. Thanks.

Cameron Paige

Mar 2, 2016, 9:29:06 AM
to Michael Klishin, rabbitm...@googlegroups.com
Yes, I'm definitely stuck between a rock and a hard place here. Is there any way to leverage the Windows cert store so we don't need the private key? I really don't want to move to another product but our devs can't move on without remediating this vulnerability.


Thanks again.


Michael Klishin

Mar 2, 2016, 9:32:57 AM
to Cameron Paige, rabbitm...@googlegroups.com
On 2 March 2016 at 17:29:04, Cameron Paige (golfbal...@gmail.com) wrote:
> Is there any way to leverage the windows cert store so we don't
> need the private key? I really don't want to move to another product
> but our devs can't move on without remediating this vulnerability.

We need to investigate if that'd be possible. RabbitMQ is very much at the mercy of
the Erlang TLS implementation and what kind of API Windows store provides.

If you have relevant Windows documentation links, please post them here.

In any case, with our current load I'd expect this to take a couple of months to be resolved.