How Can I Disable client_renegotiation in SystemLink Server RabbitMQ?

Issue Details

Security scanner software returns the following vulnerability on TCP port 5673.  Can I configure SystemLink Server to not exhibit this vulnerability?

QID: 38596  TLS Protocol Session Renegotiation Security Vulnerability CVE-2009-3555

Solution

Follow these steps to modify the configuration of the RabbitMQ that SystemLink Server installs to disable client negotiation-- that should resolve the flagged vulnerability  QID:38596.

1. Open  C:\ProgramData\National Instruments\Skyline\RabbitMQ\systemlink.config  in a text editor, run as Administrator
       
2. Locate the snippet:
   

       {ssl_options,
       [
         {certfile, "C:/ProgramData/National Instruments/Skyline/Certificates/rabbitmq-server/rabbitmq-server.cer"},
         {keyfile, "C:/ProgramData/National Instruments/Skyline/Certificates/rabbitmq-server/key/rabbitmq-server.key"},
         {verify, verify_none},
         {fail_if_no_peer_cert, false}
       ]},

3. Add {client_renegotiation, false}, in between the lines {verify, verify_none}, and {fail_if_no_peer_cert, false} so the snippet above should become:
   

       {ssl_options,
       [
         {certfile, "C:/ProgramData/National Instruments/Skyline/Certificates/rabbitmq-server/rabbitmq-server.cer"},
         {keyfile, "C:/ProgramData/National Instruments/Skyline/Certificates/rabbitmq-server/key/rabbitmq-server.key"},
         {verify, verify_none},
         {client_renegotiation, false},
         {fail_if_no_peer_cert, false}
       ]},

       

4. Save and close the file. 
       
5. Reopen the file to verify that the changes were saved successfully.
        
6. Restart the SystemLink Server computer.
      
7. Run the security scanner again and see if this vulnerability disappears
   QID: 38596  TLS Protocol Session Renegotiation Security Vulnerability CVE-2009-3555.

Additional Information

NOTE: if you run rabbitmqconfig.exe manually, it will overwrite these changes in the configuration.