21 May 2563 BE

Vulnerability in RabbitMQ: disable cleartext authentication mechanisms in the amqp configuration, Golang

To fix the RabbitMQ finding "disable cleartext authentication mechanisms in the amqp configuration", follow these steps.

Create self-signed certificate files

The easiest way is to clone the repository https://github.com/michaelklishin/tls-gen, then:

1. Go to the cloned repository and change into the basic directory.

2. Run make PASSWORD={your_password} CN={your_domain}.

3. The CA, server and client certificate files will be created.

Configure RabbitMQ configuration file

Your rabbitmq.conf should be configured like this:

loopback_users.guest = false
listeners.ssl.default = 5671
ssl_options.cacertfile = path_to_ca_certificate.pem
ssl_options.certfile = path_to_server_certificate.pem
ssl_options.keyfile = path_to_server_key.pem
ssl_options.password = XXXXX
default_pass = XXXXX
default_user = XXXXX

Notes:
- listeners.tcp.default = 5672 must be removed
- ssl_options.password must match the certificate password from the step above
- a related document is available at https://www.rabbitmq.com/ssl.html
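
A check for the configuration and notes above, as an added example (not code from the original post or from the RabbitMQ project). It goes slightly beyond the first note: RabbitMQ's TLS guide documents listeners.tcp = none as the setting that disables non-TLS listeners, so the check also reports a file that only omits listeners.tcp.default, because 5672 is the broker's default listener. The function name auditRabbitConf and both sample configurations are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// auditRabbitConf scans rabbitmq.conf text ("key = value" lines, "#" comments)
// and reports settings that leave AMQP reachable without TLS.
func auditRabbitConf(conf string) []string {
	settings := map[string]string{}
	var findings []string
	tlsListener := false
	for _, line := range strings.Split(conf, "\n") {
		line = strings.TrimSpace(line)
		key, val, ok := strings.Cut(line, "=")
		if !ok || strings.HasPrefix(line, "#") {
			continue
		}
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		settings[key] = val
		switch {
		case strings.HasPrefix(key, "listeners.tcp."): // e.g. listeners.tcp.default
			findings = append(findings, "cleartext listener: "+key+" = "+val)
		case strings.HasPrefix(key, "listeners.ssl."):
			tlsListener = true
		}
	}
	if settings["listeners.tcp"] != "none" {
		findings = append(findings, "listeners.tcp is not \"none\": default port 5672 stays open")
	}
	if !tlsListener {
		findings = append(findings, "no listeners.ssl.* entry")
	}
	for _, k := range []string{"cacertfile", "certfile", "keyfile"} {
		if settings["ssl_options."+k] == "" {
			findings = append(findings, "missing ssl_options."+k)
		}
	}
	return findings
}

// Constructed samples: a broker before the fix, and the page's TLS settings plus listeners.tcp = none.
const weakConf = "# before the fix\nlisteners.tcp.default = 5672\ndefault_user = XXXXX\n"
const fixedConf = "listeners.tcp = none\nlisteners.ssl.default = 5671\n" +
	"ssl_options.cacertfile = ca.pem\nssl_options.certfile = server.pem\nssl_options.keyfile = key.pem\n"

func main() {
	fmt.Println(auditRabbitConf(weakConf), auditRabbitConf(fixedConf))
}
```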

Configure the client

Your client code (Golang) should be written like this:

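package main

import (
    "crypto/tls"
    "crypto/x509"
    "errors"
    "fmt"
    "log"
    "os"

    "github.com/streadway/amqp" // assumed client library; the page does not name the import
)

// connect opens an AMQP connection over TLS, presenting a client certificate.
func connect() (*amqp.Connection, error) {
    // Trust only the CA created with tls-gen.
    ca, err := os.ReadFile("path_to_ca_certificate.pem")
    if err != nil {
        return nil, err
    }
    cfg := &tls.Config{RootCAs: x509.NewCertPool()}
    if !cfg.RootCAs.AppendCertsFromPEM(ca) {
        return nil, errors.New("no certificate found in CA file")
    }
    // InsecureSkipVerify stays at its default (false): setting it to true
    // would skip server certificate checks and make RootCAs pointless.
    // The host in the URL must match a name in the server certificate.

    // Client certificate and key for the broker to verify.
    cert, err := tls.LoadX509KeyPair(
        "path_to_client_certificate.pem",
        "path_to_client_key.pem",
    )
    if err != nil {
        return nil, err
    }
    cfg.Certificates = append(cfg.Certificates, cert)

    url := fmt.Sprintf(
        "amqps://%s:%s@%s:%d",
        "rabbit_user",
        "rabbit_password",
        "rabbit_host",
        5671,
    )
    return amqp.DialTLS(url, cfg)
}

func main() {
    con, err := connect()
    if err != nil {
        log.Fatal(err)
    }
    defer con.Close()
}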

See the related full Golang code at https://tinyurl.com/y6u9ack9
