公司使用的消息中间件RabbitMQ经过安全扫描后发现存在Cleartext漏洞,该漏洞允许用户提供用户名和密码等敏感信息以明文形式传输。网上查了下解决方法,大多数方案都是修改RabbitMQ的配置,使用SSL方式连接MQ,但是这些修复方案都是结合SpringBoot测试验证的,而公司项目由于历史原因无法使用Springboot,因此需要用其他方法连接MQ客户端测试验证。
前置步骤
修复该漏洞需要RabbitMQ开启SSL,证书生成及MQ参数配置参考博客:https://www.cnblogs.com/ybyn/p/13959135.html
测试代码
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;
import com.rabbitmq.client.DefaultSaslConfig;
import com.rabbitmq.client.Channel;
import com.rabbitmq.client.MessageProperties;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
public class RabbitMQ {
static String host = "xxx";
// ssl协议端口
static int port = 5671;
static String userName = "rabbitmq-client";
static String passWord = "123456";
static String virtualHost = "/";
public static void main(String[] args) throws Exception {
ConnectionFactory factory = new ConnectionFactory();
factory.setHost(host);
factory.setPort(port);
factory.setUsername(userName);
factory.setVirtualHost(virtualHost);
KeyStore keyStore = KeyStore.getInstance("PKCS12");
// 客户端PKCS12证书及密码
char[] keyPassphrase = passWord.toCharArray();
InputStream keyIn = new FileInputStream("/usr/rabbitmq-client.keycert.p12");
keyStore.load(keyIn, keyPassphrase);
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
keyManagerFactory.init(keyStore, keyPassphrase);
// 公钥证书类型
KeyStore trustStoretype = KeyStore.getInstance("JKS");
// 公钥证书及密码
char[] trustPassphrase = passWord.toCharArray();
InputStream trustIn = new FileInputStream("/usr/rabbitTrustStore");
trustStoretype.load(trustIn, trustPassphrase);
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("SunX509");
trustManagerFactory.init(trustStoretype);
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
factory.useSslProtocol(sslContext);
factory.setSaslConfig(DefaultSaslConfig.EXTERNAL);
// 测试发生消息
Connection connection = factory.newConnection();
Channel channel = connection.createChannel();
channel.basicPublish("ex", "queue", MessageProperties.PERSISTENT_TEXT_PLAIN, "hello".getBytes(StandardCharsets.UTF_8));
channel.close();
connection.close();
}
}
亲测能够正常收发消息,这里就不放验证截图了,至此已修复漏洞。