mirror of https://github.com/zulip/zulip.git (synced 2026-06-15 21:01:31 +08:00)
The RabbitMQ docs state ([1]):

    RabbitMQ nodes and CLI tools (e.g. rabbitmqctl) use a cookie to
    determine whether they are allowed to communicate with each
    other. [...] The cookie is just a string of alphanumeric
    characters up to 255 characters in size. It is usually stored in a
    local file.

...and goes on to state (emphasis ours):

    If the file does not exist, Erlang VM will try to create one with
    a randomly generated value when the RabbitMQ server starts
    up. Using such generated cookie files are **appropriate in
    development environments only.**

The auto-generated cookie does not use cryptographic sources of
randomness, and generates 20 characters of `[A-Z]`. Because of a
semi-predictable seed, the entropy of this password is thus less than
the idealized 26^20 = 94 bits of entropy; in actuality, it is 36 bits
of entropy, or potentially as low as 20 if the performance of the
server is known.

These sizes are well within the scope of remote brute-force attacks.

On provision, install, and upgrade, replace the default insecure
20-character Erlang cookie with a cryptographically secure
255-character string (the max length allowed).

[1] https://www.rabbitmq.com/clustering.html#erlang-cookie
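
The replacement described in the commit message, as an added example that is not Zulip's own install or upgrade code: a POSIX shell snippet that draws a 255-character `[A-Za-z0-9]` cookie from the kernel CSPRNG, installs it with the owner-only permissions the Erlang VM expects, and computes the idealized entropy of the default 20-character `[A-Z]` cookie beside that of the 255-character replacement. The function names, the temp-file scheme and the optional owner argument are this example's own assumptions; the cookie path and the `rabbitmq` user in the usage line are the usual Debian defaults and should be checked against your own deployment.

```sh
#!/bin/sh
# Added example, not Zulip's own provisioning code.

COOKIE_LENGTH=255   # maximum the Erlang cookie format allows

# Idealized entropy in bits of a cookie of $1 characters drawn uniformly
# from an alphabet of $2 symbols: length * log2(alphabet), rounded down.
cookie_entropy_bits() {
    awk -v n="$1" -v a="$2" 'BEGIN { printf "%d", n * log(a) / log(2) }'
}

# Print COOKIE_LENGTH characters from [A-Za-z0-9], sourced from /dev/urandom.
# `tr -dc` discards bytes outside the alphabet instead of reducing them
# modulo 62, so every output character is uniformly distributed.
# LC_ALL=C keeps tr byte-oriented under UTF-8 locales.
generate_erlang_cookie() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$COOKIE_LENGTH"
}

# Atomically install a fresh cookie at $1 (no trailing newline), mode 0400,
# optionally chowned to $2.  The node's user must own the file, and the VM
# rejects cookie files that are accessible to other users, so the file is
# created under umask 077 and only renamed into place once it is ready.
install_erlang_cookie() {
    path="$1"
    owner="${2:-}"          # assumed optional argument, e.g. rabbitmq:rabbitmq
    tmp="$path.tmp.$$"
    (umask 077 && generate_erlang_cookie >"$tmp") || return 1
    [ -n "$owner" ] && chown "$owner" "$tmp"
    chmod 0400 "$tmp"
    mv -f "$tmp" "$path"
}

# Character count of the cookie stored at $1 (ignores any newline).
installed_cookie_length() {
    awk '{ n += length($0) } END { print n + 0 }' "$1"
}

# Usage on a Debian-style host (paths assumed, run as root with the
# RabbitMQ node stopped so the new cookie is picked up on restart):
#   install_erlang_cookie /var/lib/rabbitmq/.erlang.cookie rabbitmq:rabbitmq
#   cookie_entropy_bits 20 26     # default cookie, idealized: 94
#   cookie_entropy_bits 255 62    # replacement cookie: 1518
```

Two points are worth noting. The entropy figures are the idealized upper bounds for a uniform source; the commit message's 36-bit (or 20-bit) estimate for the default cookie is lower precisely because the Erlang VM's seed is not uniform, while `/dev/urandom` gives the replacement its full bound. And because every cluster node and every `rabbitmqctl` invocation must present the same cookie, rotating it is a coordinated operation: install the same file on all nodes, then restart them.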
Directory listing:

- __init__.py
- build-pgroonga
- check_rabbitmq_queue.py
- clean_emoji_cache.py
- clean_node_cache.py
- clean_unused_caches.py
- clean_venv_cache.py
- clean_yarn_cache.py
- create-production-venv
- email-mirror-postfix
- fix-standalone-certbot
- hash_reqs.py
- install
- install-node
- install-yarn
- node_cache.py
- puppet_cache.py
- pythonrc.py
- queue_workers.py
- setup_path.py
- setup_venv.py
- setup-apt-repo
- setup-yum-repo
- sharding.py
- unpack-zulip
- upgrade-zulip
- upgrade-zulip-from-git
- upgrade-zulip-stage-2
- warn-rabbitmq-nodename-change
- zulip_tools.py