I have an instance of RabbitMQ 3.7.7-management image running. It has the rabbitmq-management plugin enabled and configured to use HTTPS as per the documentation:
management.listener.port = 15671
management.listener.ssl = true
management.listener.ssl_opts.cacertfile = /path/to/cacert.pem
management.listener.ssl_opts.certfile = /path/to/cert.pem
management.listener.ssl_opts.keyfile = /path/to/key.pem
management.listener.ssl_opts.fail_if_no_peer_cert = false
management.listener.ssl_opts.versions.1 = tlsv1.2
When I evaluate the TLS setup with the testssl.sh testing tool, the test for the SWEET32 vulnerability fails:
Testing vulnerabilities
...
SWEET32 (CVE-2016-2183, CVE-2016-6329) VULNERABLE, uses 64 bit block ciphers
...
The OpenVAS framework also complains:
Vulnerability Detection Result
'Vulnerable' cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
Solution type: Mitigation
The configuration of this services should be changed so that it does not accept the listed cipher suites anymore.
Is it possible to configure what cipher suites will be used by the RabbitMQ Management Plugin? For RabbitMQ it is possible, but looking at rabbitmq_management.schema it seems that for the Management Plugin it's impossible. Or is there a different way to fix the vulnerability?
You will have to use the advanced.config file to do so. I'm assuming that you have already created /etc/rabbitmq/rabbitmq.conf with the settings you show. Create the /etc/rabbitmq/advanced.config file with these contents and re-start RabbitMQ:
[
  {rabbitmq_management, [
    {listener, [
      {ssl_opts, [
        {ciphers, [
          %% CIPHERS GO HERE
        ]}
      ]}
    ]}
  ]}
].
The setting should be merged into what is specified in rabbitmq.conf. You can check the generated config files in /var/lib/rabbitmq/...
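As an added example, not part of the question or answer: a small Python helper that drops the SWEET32-affected (64-bit block) suites from a cipher list and prints the advanced.config term the answer leaves as a placeholder. It assumes the Erlang ssl application accepts OpenSSL-style suite name strings in `ciphers` (the form RabbitMQ's TLS documentation uses) and that the real input list is taken from the broker's Erlang node; SAMPLE_SUITES is a constructed stand-in for that list.

```python
"""Filter SWEET32 (64-bit block) cipher suites out of a suite list and render the
{ciphers, [...]} term for RabbitMQ's advanced.config (example code, not from the post)."""
import re

# Tokens that identify a 64-bit block cipher: DES, 3DES (OpenSSL spells it DES-CBC3),
# RC2, IDEA and Blowfish. Matches both IANA names (TLS_..._WITH_3DES_EDE_CBC_SHA, as
# OpenVAS prints them) and OpenSSL-style names (DHE-RSA-DES-CBC3-SHA, as Erlang accepts).
SWEET32_TOKENS = {"DES", "3DES", "RC2", "IDEA", "BF", "BLOWFISH"}


def is_sweet32(suite):
    """True if the suite uses a 64-bit block cipher."""
    return any(tok in SWEET32_TOKENS for tok in re.split(r"[-_]", suite.upper()))


def filter_suites(suites):
    """Keep only suites that are not SWEET32-affected."""
    return [s for s in suites if not is_sweet32(s)]


def render_advanced_config(suites):
    """Render the Erlang term for /etc/rabbitmq/advanced.config with the given ciphers."""
    quoted = ",\n                   ".join('"%s"' % s for s in suites)
    return (
        "[\n"
        "  {rabbitmq_management, [\n"
        "    {listener, [\n"
        "      {ssl_opts, [\n"
        "        {ciphers, [" + quoted + "]}\n"
        "      ]}\n"
        "    ]}\n"
        "  ]}\n"
        "].\n"
    )


# Constructed sample standing in for the list the broker's Erlang node would report
# (assumed obtainable via ssl:cipher_suites(openssl, 'tlsv1.2') on that node).
SAMPLE_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-DES-CBC3-SHA",  # 3DES: the suites testssl.sh/OpenVAS flag as SWEET32
    "DHE-RSA-DES-CBC3-SHA",
    "DES-CBC3-SHA",
]

if __name__ == "__main__":
    print(render_advanced_config(filter_suites(SAMPLE_SUITES)))
```

Run it over the broker's real suite list, paste the printed term over the `%% CIPHERS GO HERE` placeholder, and re-run testssl.sh against port 15671 to confirm the SWEET32 finding is gone.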