SystemLink Forum

cancel
Showing results for 
Search instead for 
Did you mean: 

Apache Update, RabbitMQ TLS Versions

Solved!
Go to solution

We recently had a security audit that included a test of our SystemLink server. It turns out that the Apache server that is outdated (version 2.4.29) and has multiple security issues. I upgraded SystemLink to 2020 R3, but Apache was not upgraded. I am not sure how to rate those vulnerabilities or in what way the NI Webserver is different from Apache.

 

Additionally, the RabbitMQ/Cowboy server at port 5673 and 15672 was reported to allow weak encryption using TLS 1.0 and TLS 1.1 with weak ciphers. Since this is not an issue for Apache I was wondering if this is an issue in the configuration of the server?

 

Is there some action I can take to mitigate these vulnerabilities? Are those services used in a way that an exploit is unlikely?

Message 1 of 7
(3,760 Views)
Solution
Accepted by cordm

Hi cordm,

 

Thank you for escalating this concern.

 

Per the web server: We've identified a breakdown in our process that has prevented us from upgrading our web server more frequently. We have resolved this and I expect we'll ship an updated version of Apache httpd in our R4 release.

 

Per RabbitMQ: We've unforunately had to hold off upgrading this component due to legacy Windows 7 support. When we upgraded the version of RabbitMQ and TLS during development, SystemLink would crash on Windows 7 machines. Luckily our support for Windows 7 expires in 2021 and we intend on shipping an updated version of RabbitMQ in our first 2021 release.

 

Per mitigating concerns regarding the TLS version used by RabbitMQ, its best to make changes such that you no longer depend on AMQP. I would encourage you to move all your clients from AMQP to HTTP (I provided some rational in another thread) and disable the Enable AMQP Client Access flag in NI SystemLink Server Configuration > NI SystemLink Service Manager > Security

Mark
NI App Software R&D
0 Kudos
Message 2 of 7
(3,678 Views)

Thanks! SystemLink 2020 R4 was released in December and ships with apache 2.4.46.

0 Kudos
Message 3 of 7
(3,500 Views)

Hello Mark;

We are still seeing a TLS 1.0 vulnerability after installing R4 and disabling AMQP. Is the only other option to wait for the RabbitMQ upgrade?

Thanks

Gordon

0 Kudos
Message 4 of 7
(3,468 Views)

Hi Gordon, 

 

Thank you for escalating this concern. You are correct that version of RabbitMQ/Erlang shipping with SystemLink 2020R4 only supports TLS 1.0. We were prevented from upgrading this component sooner due to a cross-company requirement to support Windows 7 through 2020. Versions of RabbitMQ that support TLS 1.2 and 1.3 did not support Windows 7. Now that it is 2021 we are no longer constrained by this requirements, and we are upgrading to the latest version of RabbitMQ and Erlang to support TLS 1.2 and 1.3. This support will be delivered in our 2021R1 release expected this Spring. 

 

Cheers, 

Mark 

Mark
NI App Software R&D
0 Kudos
Message 5 of 7
(3,452 Views)

Thank you. We will install 2021 R1 as soon as it is available.

Gordon

0 Kudos
Message 6 of 7
(3,445 Views)

Hi Gordon, 

 

With help from the development team we were able to verify that our current version of RabbitMQ can and does use TLS 1.2. Additionally we can adjust the configuration to disable older versions of TLS. This is likely why TLS 1.1 is showing up in your audit.

 

  1. Open %programdata%/National Instruments/Skyline/RabbitMQ/rabbitmq.config
  2. Modify the configuration as shown in this sceenshot
    Screen Shot 2021-02-10 at 8.26.16 AM.png
    (Because this is hard to see I will also write out what you need to do. 
    1. Within the ssl_options array, add a new JSON object 
      {versions, ['tlsv1.2', 'tlsv1.3']} 
  3. Save the file and restart SystemLink Service Manager from the SystemLink Server Configuration utility that is installed on your SystemLink app server. 
Mark
NI App Software R&D
Message 7 of 7
(3,423 Views)