Support for Encrypted Private Key in RabbitMQ Configuration

[moerwald]

Describe the bug

The documentation doesn't mention this feature explicitly.

Question

Since my key.pem file is password-protected, I need a way to inject the password into RabbitMQ so that it can use the key. I attempted using ssl_options.password with an encrypted password, but I am unsure if this is officially supported.

• Does RabbitMQ support encrypted passwords for SSL private keys (ssl_options.password)?
• If not, is there an alternative method to securely provide the password for a protected private key file?
• Any recommendations on best practices for handling password-protected private keys in RabbitMQ?

My Sample Configuration

advanced.config

 {rabbit, [
    %% Password encryption
    {config_entry_decoder, [
      {passphrase, {file, "D:\\Path1\\Path2\\encodingFile"}}
    ]},
    ...
    {ssl_options, [
      %% AMQP-Certs
      {password, {encrypted,<<"SomeBase64EncodedPassword">>}}
     ]},
    ...
 ]}

rabbitmq.conf

collect_statistics_interval = 1000
listeners.ssl.default = 5672
listeners.tcp.default = 127.0.0.2:5672
log.file.rotation.date = $D0
log.file.rotation.size = 52428800
management.listener.port = 15672
management.listener.ssl = true
management.listener.ssl_opts.cacertfile = C:\ProgramData\RabbitMQ\certs\cacert.pem
management.listener.ssl_opts.certfile = C:\ProgramData\RabbitMQ\certs\cert.pem
management.listener.ssl_opts.keyfile = C:\ProgramData\RabbitMQ\certs\key.pem
management.rates_mode = none
ssl_options.cacertfile = C:\ProgramData\RabbitMQ\certs\cacert.pem
ssl_options.certfile = C:\ProgramData\RabbitMQ\certs\cert.pem
ssl_options.keyfile = C:\ProgramData\RabbitMQ\certs\key.pem
ssl_options.fail_if_no_peer_cert = false
ssl_options.honor_cipher_order = true
ssl_options.honor_ecc_order = true
ssl_options.verify = verify_peer
ssl_options.versions.1 = tlsv1.2

RabbitMQ-Version: 4.0.1

Reproduction steps

...

Expected behavior

---

Additional context

No response

[ansd]

A password can be provided as described in

rabbitmq-server/deps/rabbit/priv/schema/rabbit.schema

Lines 402 to 403 in 6e76def

	{mapping, "ssl_options.password", "rabbit.ssl_options.password",
	[{datatype, [tagged_binary, binary]}]}.

[moerwald]

I know that a password can be provided, but RabbitMQ in the old config file format supports "encoding" this password. I want to know if above config sample is supported or not.

[lukebakken]

Encrypting values in the rabbitmq.conf file is not yet supported (cc @michaelklishin). Doing so doesn't really make anything more secure, it just obfuscates the password value.

[moerwald]

@lukebakken I know that encrpyted values don't add any "secure" benefit to the password value. But since it was supported in the old config file format, I've the requirement to use it ...

Will the mix work? Use the encprypted password in rabbitmq.conf in combination with config_entry_decoder in the advanced.conf ?

[michaelklishin]

@moerwald not only it will, that's exactly how you do it but we haven't documented tagged value support in rabbitmq.conf.

Your {encrypted, <<"abc">>} value will become

sensitive.key = encrypted:abc

but only a handful of the keys were converted to support tagged_binary values. As @ansd demonstrated, ssl_options.password was one of them, so give it a shot.