Review the RabbitMQ service ciphers on the vRealize Automation appliance against the list of acceptable ciphers and disable any that are considered weak.

Why and when to perform this task

Disable cipher suites that provide no authentication, such as the NULL cipher suites, aNULL, or eNULL. Also disable anonymous Diffie-Hellman key exchange (ADH), export-grade ciphers (EXP, including ciphers based on DES), key sizes smaller than 128 bits for encrypting payload traffic, the use of MD5 as the hashing mechanism for payload traffic, the IDEA cipher suites, and the RC4 cipher suites.

Procedure

  1. Evaluate the supported cipher suites by running the command # /usr/sbin/rabbitmqctl eval 'ssl:cipher_suites().'

    The ciphers returned in the following example are only the supported ciphers. The RabbitMQ server does not use or advertise them unless they are configured in the rabbitmq.config file.

    ["ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
     "ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384",
     "ECDH-ECDSA-AES256-GCM-SHA384","ECDH-RSA-AES256-GCM-SHA384",
     "ECDH-ECDSA-AES256-SHA384","ECDH-RSA-AES256-SHA384",
     "DHE-RSA-AES256-GCM-SHA384","DHE-DSS-AES256-GCM-SHA384",
     "DHE-RSA-AES256-SHA256","DHE-DSS-AES256-SHA256","AES256-GCM-SHA384",
     "AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
     "ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256",
     "ECDHE-RSA-AES128-SHA256","ECDH-ECDSA-AES128-GCM-SHA256",
     "ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
     "ECDH-RSA-AES128-SHA256","DHE-RSA-AES128-GCM-SHA256",
     "DHE-DSS-AES128-GCM-SHA256","DHE-RSA-AES128-SHA256","DHE-DSS-AES128-SHA256",
     "AES128-GCM-SHA256","AES128-SHA256","ECDHE-ECDSA-AES256-SHA",
     "ECDHE-RSA-AES256-SHA","DHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA",
     "ECDH-ECDSA-AES256-SHA","ECDH-RSA-AES256-SHA","AES256-SHA",
     "ECDHE-ECDSA-DES-CBC3-SHA","ECDHE-RSA-DES-CBC3-SHA","EDH-RSA-DES-CBC3-SHA",
     "EDH-DSS-DES-CBC3-SHA","ECDH-ECDSA-DES-CBC3-SHA","ECDH-RSA-DES-CBC3-SHA",
     "DES-CBC3-SHA","ECDHE-ECDSA-AES128-SHA","ECDHE-RSA-AES128-SHA",
     "DHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA","ECDH-ECDSA-AES128-SHA",
     "ECDH-RSA-AES128-SHA","AES128-SHA"]
    
  2. Select the supported ciphers that meet your organization's security requirements.

    For example, to allow only ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-ECDSA-AES256-GCM-SHA384, review the /etc/rabbitmq/rabbitmq.config file and add the following line to both the ssl and the ssl_options sections.

    {ciphers, ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384"]}

  3. Restart the RabbitMQ server using the following command.

    service rabbitmq-server restart
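The audit in steps 1 and 2 can be scripted: the following added example (not part of the VMware guide) filters the Erlang list printed by `rabbitmqctl eval 'ssl:cipher_suites().'` against the weak-cipher criteria listed above and renders the survivors as the `{ciphers, [...]}` tuple for rabbitmq.config. The `SAMPLE_SUITES` value is a constructed sample that mixes suites from the guide's output with a few deliberately weak names; the pattern names and function names are this example's own.

```shell
#!/bin/sh
# Added example: audit RabbitMQ's supported TLS cipher suites against the
# guide's weak-cipher criteria and build the rabbitmq.config ciphers tuple.

# Constructed sample in the format printed by `rabbitmqctl eval 'ssl:cipher_suites().'`.
# On a real appliance, replace it with:
#   SAMPLE_SUITES=$(/usr/sbin/rabbitmqctl eval 'ssl:cipher_suites().')
SAMPLE_SUITES='["ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
 "DHE-DSS-AES256-SHA256","AES256-SHA256","AES128-SHA","DES-CBC3-SHA",
 "ECDHE-RSA-DES-CBC3-SHA","ADH-AES128-SHA","NULL-MD5","EXP-RC4-MD5","IDEA-CBC-SHA"]'

# One alternation per criterion in the guide: NULL/aNULL/eNULL suites, anonymous
# DH (ADH, AECDH), export grade (EXP), single and triple DES (both under 128 bits
# of key), MD5 MACs, IDEA and RC4. RC2 is added because it is also an export-era
# cipher below 128 bits. AES suites are all 128 bits or more and are not matched.
# SHA-1 MACs and CBC modes pass these criteria; tighten the pattern if your
# organization's policy is stricter than the guide's.
WEAK_PATTERN='NULL|^ADH|^AECDH|^EXP|DES|MD5|IDEA|RC4|RC2'

# Turn the Erlang string list into one suite name per line.
split_suites() {
    printf '%s\n' "$1" | tr -d '\n' | sed 's/[][" ]//g' | tr ',' '\n' | sed '/^$/d'
}

# Suites that match at least one weak criterion (candidates to disable).
weak_suites() {
    split_suites "$1" | grep -E "$WEAK_PATTERN"
}

# Suites that match none of the weak criteria (candidates to allow).
strong_suites() {
    split_suites "$1" | grep -Ev "$WEAK_PATTERN"
}

# Render the allowed suites as the {ciphers, [...]} tuple for the ssl and
# ssl_options sections of /etc/rabbitmq/rabbitmq.config.
ciphers_tuple() {
    strong_suites "$1" | sed 's/.*/"&"/' | paste -s -d ',' - \
        | sed 's/^/{ciphers, [/; s/$/]}/'
}

echo "Weak suites to disable:"
weak_suites "$SAMPLE_SUITES"
echo
echo "Tuple to add to ssl and ssl_options in /etc/rabbitmq/rabbitmq.config:"
ciphers_tuple "$SAMPLE_SUITES"
```

After editing rabbitmq.config, restart the server as in step 3 and re-run the audit so the allowed list is confirmed against what the running node reports.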