RabbitMQ supports the use of weak and medium strength SSL ciphers

Description

RabbitMQ supports the use of weak and medium strength SSL ciphers on port 5671.
It should be configured to accept only ciphers with strong encryption.

Steps to Reproduce

Environment:
OS (CLI), HA cluster, cloud provider
------------------------------------

Steps to reproduce:
------------------
1.
2.
3.

Expected result:
---------------

Actual result:
-------------

Why Propose Close?

None

Activity

Isaac Shabtay
July 23, 2018, 1:54 PM

This may be a bigger problem than it looks like. It's not only a question of configuring RabbitMQ. It's also a question of whether our supported platforms can even use such ciphers. Most likely recent platforms will work OK, but I'm not that sure about CentOS / RHEL 6.x and Ubuntu < 16.

Isaac Shabtay
July 25, 2018, 10:48 AM

Did the customer specify which ciphers they refer to as weak & medium?

Isaac Shabtay
July 25, 2018, 11:07 AM

Another potential problem has to do with upgrades — not necessarily the agent itself, but the VMs and specifically the openssl version and ciphers installed on them.

Isaac Shabtay
August 12, 2018, 8:30 PM

Validation:

Run a script that obtains all ciphers supported by OpenSSL, and uses openssl s_client -connect with -cipher to establish a connection to localhost:5671.

All ciphers that were accepted belong to the list of "advanced" and "advanced+" ciphers published by OWASP.
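The following shell script is an added example of the validation described in the comment above; it is not the script the comment refers to and not part of the original issue. It assumes an OpenSSL 1.1.x `openssl s_client`, a target of host:port (localhost:5671 from the issue), and an ALLOWED list that is a constructed placeholder modelled on the OWASP "advanced" set, to be replaced with the exact list the project adopts. It enumerates every cipher the local OpenSSL knows, attempts a handshake with each one, and reports accepted ciphers that fall outside the allowlist; a result counts as accepted only when the server negotiated exactly the requested cipher, so a server that silently picks a TLS 1.3 suite is not mistaken for one that accepted a weak TLS 1.2 cipher.

```shell
#!/bin/sh
# Added example, not part of the original issue: probe a TLS listener with every
# cipher the local OpenSSL knows and flag accepted ciphers that are not on an
# allowlist. Assumptions: OpenSSL 1.1.x `openssl s_client`; target given as
# HOST:PORT (localhost:5671 in the issue); ALLOWED is a constructed placeholder
# modelled on the OWASP "advanced" set and must be replaced with the exact list
# the project adopts.

ALLOWED="ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256"

# cipher_allowed NAME: succeed only if NAME is on the allowlist.
cipher_allowed() {
    for a in $ALLOWED; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# handshake_ok NAME: read `openssl s_client` output on stdin and succeed only
# if the server negotiated exactly NAME. "Cipher is (NONE)" means the handshake
# failed; a different suite (e.g. a TLS 1.3 suite chosen regardless of -cipher)
# means the requested cipher was never actually exercised.
handshake_ok() {
    grep -q "Cipher is $1[[:space:]]*\$"
}

# probe HOST:PORT: print one ALLOWED/WEAK line per accepted cipher and return 1
# if any accepted cipher is outside the allowlist.
probe() {
    target=${1:-localhost:5671}
    no13=""
    # -cipher only governs TLS <= 1.2; disable TLS 1.3 where the flag exists so
    # the requested cipher is the one the server must accept or reject.
    openssl s_client -help 2>&1 | grep -q -- '-no_tls1_3' && no13="-no_tls1_3"
    bad=0
    for c in $(openssl ciphers -v 'ALL:eNULL' | awk '{print $1}'); do
        out=$(openssl s_client -connect "$target" $no13 -cipher "$c" </dev/null 2>&1) || true
        if printf '%s\n' "$out" | handshake_ok "$c"; then
            if cipher_allowed "$c"; then
                echo "ALLOWED $c"
            else
                echo "WEAK    $c"
                bad=1
            fi
        fi
    done
    return $bad
}

# self_check: exercise the parser and allowlist on constructed s_client output
# (no network needed); succeeds when both behave as intended.
self_check() {
    ok='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'   # constructed sample
    none='New, (NONE), Cipher is (NONE)'                        # constructed sample
    printf '%s\n' "$ok"   | handshake_ok ECDHE-RSA-AES256-GCM-SHA384 || return 1
    printf '%s\n' "$ok"   | handshake_ok RC4-SHA && return 1
    printf '%s\n' "$none" | handshake_ok RC4-SHA && return 1
    cipher_allowed ECDHE-RSA-AES256-GCM-SHA384 || return 1
    cipher_allowed RC4-SHA && return 1
    return 0
}

# Usage: sh probe_ciphers.sh localhost:5671
if [ $# -gt 0 ]; then
    probe "$1"
fi
```

Run it against the broker's TLS port and treat any WEAK line as a finding; the exit status is non-zero in that case, which makes the script usable as a post-deployment check. Note that `-cipher` names only apply to TLS 1.2 and below; TLS 1.3 suites are configured separately (`-ciphersuites`), which is why the script disables TLS 1.3 during the probe when the local OpenSSL supports that flag.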

Done

Assignee

Isaac Shabtay

Reporter

Jonathan Abramsohn

Severity

Medium

Target Version

4.5

Premium Only

no

Found In Version

4.3

QA Owner

Isaac Shabtay

Bug Type

legacy bug

Customer Encountered

Yes

Customer Name

c238

Release Notes

yes

Priority

None

Sprint

None

Priority

Unprioritized