nmap identifying rabbitmq service as tcpwrapped

[kc0705]

We have recently upgraded the rabbitmq alpine image from version 3.7.7 to 3.8.9

While on 3.7.7 executing nmap -sV --script ssl-enum-ciphers -p 5671 <rabbitmq-ip> would enumerate the list of ciphers and the tls version configured, on 3.8.9 the same command fails to enumerate the list of ciphers and identifies the service as tcpwrapped.

Can you please help in pointing out the change in rabbitmq that is stopping nmap from identify the configured ciphers. Also, any alternate mechanism that I can use to identify the list of configured ciphers in versions 3.8.9 and above, would be helpful.

rabbitmq-diagnostics cipher-suites would list the ciphers but, I guess, this might be from reading the configuration and not the same as what nmap does (probes) to figure out.

====output from version 3.7.7 begins====
# nmap -sV --script ssl-enum-ciphers -p 5671 10.77.123.122
Starting Nmap 7.00 ( https://nmap.org/ ) at 2022-06-06 16:54 UTC
Nmap scan report for isenode2 (10.77.123.122)
Host is up (0.00017s latency).
PORT STATE SERVICE VERSION
5671/tcp open ssl/unknown
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (sect571r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (sect571r1) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| Key exchange parameters of lower strength than certificate key
|_ least strength: A
MAC Address: 00:0C:29:1C:83:46 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.34 seconds
====output from version 3.7.7 ends====

====output from version 3.8.9 begins====
# nmap -sV --script ssl-enum-ciphers -p 5671 10.77.123.122
Starting Nmap 7.70 ( https://nmap.org/ ) at 2022-05-31 13:47 UTC
Nmap scan report for isenode2 (10.77.123.122)
Host is up (0.00029s latency).

PORT STATE SERVICE VERSION
5671/tcp open tcpwrapped
MAC Address: 00:0C:29:44:12:38 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.95 seconds
====output from version 3.8.9 ends====

[lukebakken]

Please share exactly how you are running the docker image, including configuration and certificates. All I should have to do to see the behavior is docker build... then docker run...

[kc0705]

Apart from moving 3.8.9, we have moved to using podman for build and run
Build: podman build -t ise-rabbitmq:3.8.9 -f rabbitmq/docker/dockerfile/Dockerfile rabbitmq/docker/
Save: podman save ise-rabbitmq:3.8.9 | gzip -c > ise-rabbitmq.tar
Dockerfile used:

FROM rabbitmq:3.8.9-alpine

RUN mkdir -p /etc/rabbitmq/cert && chown -R 325:300 /etc/rabbitmq/cert
ENV RABBITMQ_LOGS=
ENV RABBITMQ_SASL_LOGS=
RUN rabbitmq-plugins enable --offline rabbitmq_federation
RUN rabbitmq-plugins enable --offline rabbitmq_federation_management
RUN rabbitmq-plugins enable --offline rabbitmq_management
RUN rabbitmq-plugins enable --offline rabbitmq_event_exchange
RUN rm -f /etc/rabbitmq/conf.d/management_agent.disable_metrics_collector.conf 
EXPOSE 15671 15672

RUN addgroup -S ise
RUN adduser -S log-filter-user -G ise
RUN apk add python3
RUN mkdir -p /opt/log-filter/bin
RUN mkdir -p /opt/log-filter/config
RUN mkdir -p /opt/log-filter/logs
COPY log-filter/bin/. /opt/log-filter/bin
COPY log-filter/config/. /opt/log-filter/config
RUN chown -R log-filter-user /opt/log-filter/
RUN chmod -R 755 /opt/log-filter/
RUN chmod -R 777 /opt/log-filter/logs
COPY log-filter/bin/log-filter-service /usr/bin/log-filter-service
RUN chmod 755 /usr/bin/log-filter-service
RUN crontab -l >> tempcron
RUN cat /opt/log-filter/bin/cron.txt >> tempcron
RUN crontab tempcron
RUN rm -rf tempcron

CMD  log-filter-service; rabbitmq-server

On the target machine
Load: docker load -qi ise-rabbitmq.tar
Create Container: docker create --hostname $(hostname):4369 --name=$ise-rabbitmq-container -p 8672:5672 -p 8671:5671 -p 15672:15672 --user 325:300 -v data_vol:/var/lib/rabbitmq -v /opt/rabbitmq/config/rabbitmq.conf:/etc/rabbitmq/rabbitmq.conf -v /opt/rabbitmq/cert:/etc/rabbitmq/cert -v /opt/rabbitmq/config/advanced.config:/etc/rabbitmq/advanced.config -v /etc/localtime:/etc/localtime -v /opt/rabbitmq/logs:/var/log/rabbitmq -v /opt/rabbitmq/logs:/opt/log-filter/logs --network ise-rabbitmq-network ise-rabbitmq:3.8.9
Start Container: docker start ise-rabbitmq-container
Configuration files:

1. rabbitmq.conf

loopback_users.guest = false
listeners.tcp.default = 5672
listeners.ssl.default = 5671
hipe_compile = false
management.listener.port = 15672
management.listener.ssl = false

2. advanced.config
   advanced.txt

[lukebakken]

You're using nmap to scan the TLS port 5671, yet I don't see where you are configuring the certificates for RabbitMQ to use. In this case, my guess is that RabbitMQ is closing the port due to this mis-configuration.

This is probably due to a behavior change in either RabbitMQ, it's dependencies, or Erlang itself.

[kc0705]

The advanced.txt file that is attached contains the configuration details about the certificates. I have renamed the file to extension txt for the purpose of uploading it to this discussion as github does not allow me to attach a file with .config extension.

Also, the RabbitMQ works as expected with communication happening over 5671 port.

The issue here is only with identifying the TLS and Cipher Suites being employed by using nmap probes. The command nmap -sV --script ssl-enum-ciphers -p 5671 <rabbitmq-ip> which used to list the TLS version and Ciphers configured in 3.7.7 fail to do so when run against RabbitMQ version 3.8.9.

[lukebakken]

https://github.com/lukebakken/docker-library-rabbitmq-564#readme

The nmap command works using the latest version of RabbitMQ. Version 3.8.9 is out of support.

[lukebakken]

Using the following base image also works correctly:

FROM rabbitmq:3.9.20-management

For what it's worth, I do see the same behavior as you do when I change the Dockerfile to this:

FROM rabbitmq:3.8.9-management

Output on my machine:

$ nmap -sV --script ssl-enum-ciphers -p 5671 localhost
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-22 07:21 PDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000075s latency).
rDNS record for 127.0.0.1: shostakovich

PORT     STATE SERVICE    VERSION
5671/tcp open  tcpwrapped

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.30 seconds

Again, you should be using a supported version of RabbitMQ, which is the latest version in the 3.9.x or 3.10.x series.

[michaelklishin]

The latest supported version is 3.10.5 ;)

[kc0705]

We will upgrade to the latest supported version i.e, 3.10.5.

On testing with 3.10.5, using nmap, we have the configured ciphers listed as below, with rabbitmq configured to use TLSv1.2

# nmap -sV --script ssl-enum-ciphers -p 5671 10.127.58.29
Starting Nmap 7.70 ( https://nmap.org ) at 2022-06-27 18:46 IST
Nmap scan report for kchaitan-029.demo.local (10.127.58.29)
Host is up (0.00029s latency).

PORT     STATE SERVICE     VERSION
5671/tcp open  ssl/unknown
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp521r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp521r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp521r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (dh 2048) of lower strength than certificate key
|_  least strength: A
MAC Address: 00:0C:29:30:F4:68 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.96 seconds

On testing with 3.10.5, using nmap, we have the configured ciphers listed as below, with rabbitmq configured to use TLSv1.3

# open^Cl ciphers -tls1_3 -s 'ALL:eNULL' | sed -e 's/:/ /g'
[root@kchaitan-027 ~]# nmap -sV --script ssl-enum-ciphers -p 5671 10.127.58.29
Starting Nmap 7.70 ( https://nmap.org ) at 2022-06-27 18:44 IST
Nmap scan report for kchaitan29.demo.local (10.127.58.29)
Host is up (0.00026s latency).

PORT     STATE SERVICE     VERSION
5671/tcp open  ssl/unknown
MAC Address: 00:0C:29:30:F4:68 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.68 seconds

It seems that nmap version 7.70 does not have the capabilites to probe TLSv1.3