楔子
近期公司程序被安全掃描出 遠程主機允許明文身份驗證 中風險漏洞,查了下修復方案發現網上的都是把 RabbitMQ 的認證機制改了,然后也沒提供 Java 客戶端連接測試結果,底下全是登錄失敗的回帖……
想到 RabbitMQ 官方提供了SSL連接方式,而且 SpringBoot AMQP 也支持 SSL 連接,所以嘗試以下將配置RabbitMQ開啟SSL 並使用 SpringBoot Demo 測試連接。最終修復了這個漏洞,同時 Java 客戶端連接正常。
文章修訂日志:
- 2022-01-07 21:59 寫文章時此配置還未安全掃描復測,如果測試通過,本人將更新此文章狀態為驗證通過。
- 2022-01-11 14:36 復測不通過,修正文章,調整認證機制為
EXTERNAL與 插件認證方式,等待復測。- 2022-01-11 17:28 復測通過。
- 2023-01-16 20:15 添加修改生成證書有效期10年步驟,默認證書1年有效期。
配置 RabbitMQ 開啟 SSL
本文基於 CentOS 7 + Git + OpenSSL + yum 安裝的 RabbitMQ,需要讀者提前安裝好,其他方式也可變通參考本文。
生成證書
#克隆生成證書的倉庫到當前目錄
git clone --depth 1 https://github.com/Berico-Technologies/CMF-AMQP-Configuration.git
cd CMF-AMQP-Configuration/ssl
#修改生成證書10年有效期
sed -i "s/valid=365/valid=3650/g" create_client_cert.sh
sed -i "s/valid=365/valid=3650/g" make_server_cert.sh
sed -i "s/valid=365/valid=3650/g" setup_ca.sh
sed -i "s/default_days = 365/default_days = 3650/g" openssl.cnf
#生成ca證書,“MyRabbitMQCA”為自定義名稱,名稱任意。在當前目錄下生成ca目錄
sh setup_ca.sh MyRabbitMQCA
#生成服務端證書,第一個參數是服務端證書前綴,第二個參數是密碼。密碼任意,在當前目錄下生成server目錄
sh make_server_cert.sh rabbitmq-server 123456
#生成客戶端證書,第一個參數是客戶端證書前綴(同時也是rabbitmq用戶名),第二個參數是密碼。密碼任意,在當前目錄下生成client目錄
sh create_client_cert.sh rabbitmq-client 654321
以上生成的客戶端證書的CN為
rabbitmq-client,此名稱會被 RabbitMQ服務端作為登錄名使用,需要提前創建此用戶以及給予權限。
配置 RabbitMQ 服務端的證書如下:
ca/cacert.pem #CA證書
server/rabbitmq-server.cert.pem #服務端公鑰
server/rabbitmq-server.key.pem #服務端私鑰
使用 RabbitMQ 服務端公鑰證書生成 JKS 證書
# -alias后為別稱,-file后是服務端公鑰位置,-keystore后是輸出JSK證書位置,此處相對路徑
keytool -import -alias rabbitmq-server \
-file server/rabbitmq-server.cert.pem \
-keystore rabbitmqTrustStore -storepass changeit
#輸入y回車
配置 RabbitMQ 客戶端的證書如下:
client/rabbitmq-client.keycert.p12 #PKCS12證書,包含客戶端所需公私鑰及中間證書
rabbitmqTrustStore #服務端JKS格式公鑰
默認 RabbitMQ 配置目錄在 /etc/rabbitmq,我們創建個證書目錄存放服務端證書
mkdir -p /etc/rabbitmq/ssl
#復制服務端必要證書
cp ca/cacert.pem \
server/rabbitmq-server.cert.pem \
server/rabbitmq-server.key.pem /etc/rabbitmq/ssl/
修改 RabbitMQ 配置文件
修改 RabbitMQ 配置文件 /etc/rabbitmq/rabbitmq.config,此文件默認不存在,需要手動創建
[{rabbit, [
{ssl_listeners, [5671]},
{ssl_options, [
{cacertfile, "/etc/rabbitmq/ssl/cacert.pem"},
{certfile, "/etc/rabbitmq/ssl/rabbitmq-server.cert.pem"},
{keyfile, "/etc/rabbitmq/ssl/rabbitmq-server.key.pem"},
{verify, verify_peer},
{fail_if_no_peer_cert, true},
{ciphers, [
"ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384",
"ECDHE-ECDSA-DES-CBC3-SHA","ECDH-ECDSA-AES256-GCM-SHA384",
"ECDH-RSA-AES256-GCM-SHA384","ECDH-ECDSA-AES256-SHA384",
"ECDH-RSA-AES256-SHA384","DHE-DSS-AES256-GCM-SHA384",
"DHE-DSS-AES256-SHA256","AES256-GCM-SHA384",
"AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256",
"ECDHE-RSA-AES128-SHA256","ECDH-ECDSA-AES128-GCM-SHA256",
"ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
"ECDH-RSA-AES128-SHA256","DHE-DSS-AES128-GCM-SHA256",
"DHE-DSS-AES128-SHA256","AES128-GCM-SHA256",
"AES128-SHA256","ECDHE-ECDSA-AES256-SHA",
"ECDHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA",
"ECDH-ECDSA-AES256-SHA","ECDH-RSA-AES256-SHA",
"AES256-SHA","ECDHE-ECDSA-AES128-SHA",
"ECDHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA",
"ECDH-ECDSA-AES128-SHA","ECDH-RSA-AES128-SHA","AES128-SHA"
]}
]},
{auth_mechanisms,['EXTERNAL']},
{ssl_cert_login_from,common_name}
]}].
主要配置項說明:
ssl_listeners指定 SSL協議的端口號,官方文檔5671ssl_optionsSSL 認證配置項
cacertfileCA 證書位置certfile公鑰證書位置keyfile密鑰證書位置verify
verify_peer客戶端與服務端互相發送證書verify_none禁用證書交換與校驗fail_if_no_peer_cert
true不接受沒證書的客戶端連接false接受沒證書的客戶端連接ciphers加密器(這個翻譯不知道算不算對?)auth_mechanisms認證機制,此處使用EXTERNAL表示只使用插件提供認證功能ssl_cert_login_from使用證書中的哪些信息登錄,如果不配置這項是走的DN,配置走CN
common_nameCN名稱
啟用插件
#啟用rabbitmq_auth_mechanism_ssl作為EXTERNAL認證機制的實現
rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl
#查看啟動結果
rabbitmq-plugins list
重啟 RabbitMQ
#關閉
rabbitmqctl stop
#啟動
rabbitmq-server -detached
添加證書登錄用戶與授權
#添加證書登錄用戶(用戶名要與客戶端證書名稱前綴一致),密碼任意
rabbitmqctl add_user 'rabbitmq-client' '2a55f70a841f18b97c3a7db939b7adc9e34a0f1b'
#給rabbitmq-client用戶虛擬主機/的所有權限,如需其他虛擬主機替換/
rabbitmqctl set_permissions -p "/" "rabbitmq-client" ".*" ".*" ".*"
驗證開啟 SSL 是否成功
使用 Rabbitmq 自帶的診斷工具查看端口監聽狀態及使用協議
#查看監聽
rabbitmq-diagnostics listeners
#查看支持的TLS版本
rabbitmq-diagnostics --silent tls_versions
使用 OpenSSL CLI 工具驗證證書是否有效
cd 生成證書的ssl目錄
#使用客戶端證書+CA證書連接RabbitMQ驗證。本處MQ與生成證書是同一主機,其他情況請自行考慮。
openssl s_client -connect localhost:5671 \
-cert client/rabbitmq-client.cert.pem \
-key client/rabbitmq-client.key.pem \
-CAfile ca/cacert.pem
除了命令行查看外,還可以通過管理界面查看,不過只能確定開啟了 SSL 監聽,無法確認證書是否通過驗證。
編寫 SpringBoot 代碼連接測試
代碼結構
只是使用 start.spring.io 生成的 Maven 工程,依賴了 WEB 和 AMQP
2022.02.10更新:由於讀者反應測試代碼行為不正常(原因是目錄結構放得不對!),現已將測試代碼已上傳本人GitHub https://github.com/hellxz/rabbitmq-ssl-demo , 使用時注意替換證書文件!
代碼及配置
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.5.0</version>
<relativePath /> <!-- lookup parent from repository -->
</parent>
<groupId>com.example</groupId>
<artifactId>demo</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>demo</name>
<description>Demo project for Spring Boot</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-amqp</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- https://mvnrepository.com/artifact/org.apache.commons/commons-lang3 -->
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.amqp</groupId>
<artifactId>spring-rabbit-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
啟動類 DemoApplication.java
package com.hellxz.rabbitmq.ssl;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class DemoApplication {
public static void main(String[] args) {
SpringApplication.run(DemoApplication.class, args);
}
}
RabbitMQ客戶端配置類 RabbitFanoutExchangeConfig.java
package com.hellxz.rabbitmq.ssl;
import javax.annotation.PostConstruct;
import org.apache.commons.lang3.BooleanUtils;
import org.springframework.amqp.core.Binding;
import org.springframework.amqp.core.BindingBuilder;
import org.springframework.amqp.core.FanoutExchange;
import org.springframework.amqp.core.Queue;
import org.springframework.amqp.rabbit.connection.CachingConnectionFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.amqp.RabbitProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import com.rabbitmq.client.DefaultSaslConfig;
@Configuration
public class RabbitFanoutExchangeConfig {
public static final String FANOUT_EXCHANGE = "fanout.exchange";
public static final String FANOUT_QUEUE1 = "fanout.queue1";
@Bean(name = FANOUT_EXCHANGE)
public FanoutExchange fanoutExchange() {
return new FanoutExchange(FANOUT_EXCHANGE, true, false);
}
@Bean(name = FANOUT_QUEUE1)
public Queue fanoutQueue1() {
return new Queue(FANOUT_QUEUE1, true, false, false);
}
@Bean
public Binding bindingSimpleQueue1(@Qualifier(FANOUT_QUEUE1) Queue fanoutQueue1,
@Qualifier(FANOUT_EXCHANGE) FanoutExchange fanoutExchange) {
return BindingBuilder.bind(fanoutQueue1).to(fanoutExchange);
}
@Autowired
RabbitProperties rabbitProperties;
@Autowired
CachingConnectionFactory cachingConnectionFactory;
/**
* 解決安全掃描 AMQP明文登錄漏洞 僅當rabbitmq啟用ssl時並且配置證書時,顯式設置EXTERNAL認證機制<br/>
* EXTERNAL認證機制使用X509認證方式,服務端讀取客戶端證書中的CN作為登錄名稱,同時忽略密碼
*/
@PostConstruct
public void rabbitmqSslExternalPostConstruct() {
boolean rabbitSslEnabled = BooleanUtils.toBoolean(rabbitProperties.getSsl().getEnabled());
boolean rabbitSslKeyStoreExists = rabbitProperties.getSsl().getKeyStore() != null;
if (rabbitSslEnabled && rabbitSslKeyStoreExists) {
cachingConnectionFactory.getRabbitConnectionFactory().setSaslConfig(DefaultSaslConfig.EXTERNAL);
}
}
}
這里添加
@PostConstruct作的處理是因為維護人員覺得把它做成可配置的收益不大,大部分人都不需要。
發消息測試類 TestController.java
package com.hellxz.rabbitmq.ssl;
import org.springframework.amqp.core.Message;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class TestController {
@Autowired
RabbitMQSenderService rabbitMQSenderService;
@GetMapping("/test")
public void sendMsg() {
Message msg = new Message("hello world".getBytes());
try {
rabbitMQSenderService.send(RabbitFanoutExchangeConfig.FANOUT_EXCHANGE,
RabbitFanoutExchangeConfig.FANOUT_QUEUE1, msg);
} catch (Exception e) {
e.printStackTrace();
}
}
}
發消息服務 RabbitMQSenderService.java
package com.hellxz.rabbitmq.ssl;
import java.util.UUID;
import org.springframework.amqp.core.Message;
import org.springframework.amqp.rabbit.connection.CorrelationData;
import org.springframework.amqp.rabbit.core.RabbitTemplate;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
@Component
public class RabbitMQSenderService {
@Autowired
private RabbitTemplate rabbitTemplate;
public void send(String exchange, String routingkey, Message message) {
CorrelationData correlationId = new CorrelationData(UUID.randomUUID().toString());
System.out.println("start send msg : " + message);
rabbitTemplate.convertAndSend(exchange, routingkey, message, correlationId);
System.out.println("end send msg : " + message);
}
}
消息接收者 RabbitMQReciver.java
package com.hellxz.rabbitmq.ssl;
import org.springframework.amqp.rabbit.annotation.RabbitListener;
import org.springframework.stereotype.Component;
@Component
class RabbitMQReciver {
@RabbitListener(queues = RabbitFanoutExchangeConfig.FANOUT_QUEUE1)
public void reciveLogAll(String msg) throws Exception {
System.out.println("received msg:" + msg);
}
}
配置文件 application.properties
server.port=8085
#基礎配置請根據實際配置,此種配置方式無需配置用戶名與密碼
spring.rabbitmq.host=192.168.56.104
#ssl協議端口
spring.rabbitmq.port=5671
spring.rabbitmq.virtual-host=/
#啟用rabbitmq客戶端SSL連接
spring.rabbitmq.ssl.enabled=true
#客戶端PKCS12證書及密碼
spring.rabbitmq.ssl.key-store=classpath:ssl/rabbitmq-client.keycert.p12
spring.rabbitmq.ssl.key-store-password=654321
#公鑰證書及類型
spring.rabbitmq.ssl.trust-store=classpath:ssl/rabbitmqTrustStore
spring.rabbitmq.ssl.trust-store-type=JKS
#不校驗主機名,默認開啟會導致連接失敗
spring.rabbitmq.ssl.verify-hostname=false
src/main/resources 下創建 ssl 目錄,將 客戶端證書和服務端 JKS 公鑰復制到 ssl 目錄中。
執行代碼驗證
運行 DemoApplication.java,查看控制台是否有報錯:
如圖,提示創建連接成功,說明已經連接成功了。
啟動成功的連接消息中 amqp://后的
guest並非真實的登錄名稱,僅僅是一個占位符Created new connection: rabbitConnectionFactory#476ec9d0:0/SimpleConnection@474c9131 [delegate=amqp://guest@192.168.56.104:5671/, localPort= 7956]實際訪問的用戶可以在服務端日志處察看到,筆者已測試刪除 guest 用戶后重新連接測試,測試通過服務端打印真實客戶端名稱。
我們再調用 TestController.java 中定義的 /test 接口
消息發送與消費成功。
參考
- https://www.rabbitmq.com/access-control.html#server-mechanism-configuration
- https://www.rabbitmq.com/access-control.html#client-mechanism-configuration
- https://www.rabbitmq.com/ssl.html
- https://www.rabbitmq.com/troubleshooting-ssl.html
- https://github.com/spring-projects/spring-boot/issues/6719#issuecomment-818858283
- https://github.com/spring-projects/spring-boot/issues/6719#issuecomment-259268574
- https://groups.google.com/g/rabbitmq-users/c/HouahhIBEdM?pli=1
- https://github.com/rabbitmq/rabbitmq-auth-mechanism-ssl#common-name
- https://www.rabbitmq.com/access-control.html#passwords-and-shell-escaping
- 加密器部分參考 https://www.cnblogs.com/ybyn/p/13959135.html
本文同步於本人博客園(hellxz.cnblogs.com) 與 CSDN(https://blog.csdn.net/u012586326),禁止轉載。