mirror of https://github.com/zulip/zulip.git
a5496f4098
The RabbitMQ docs state ([1]):

> RabbitMQ nodes and CLI tools (e.g. rabbitmqctl) use a cookie to determine whether they are allowed to communicate with each other. [...] The cookie is just a string of alphanumeric characters up to 255 characters in size. It is usually stored in a local file.

...and goes on to state (emphasis ours):

> If the file does not exist, Erlang VM will try to create one with a randomly generated value when the RabbitMQ server starts up. Using such generated cookie files are **appropriate in development environments only.**

The auto-generated cookie does not use cryptographic sources of randomness, and generates 20 characters of `[A-Z]`. Because of a semi-predictable seed, the entropy of this password is thus less than the idealized 26^20 = 94 bits of entropy; in actuality, it is 36 bits of entropy, or potentially as low as 20 if the performance of the server is known.

These sizes are well within the scope of remote brute-force attacks.

On provision, install, and upgrade, replace the default insecure 20-character Erlang cookie with a cryptographically secure 255-character string (the max length allowed).

[1] https://www.rabbitmq.com/clustering.html#erlang-cookie

- _static
- _templates
- contributing
- development
- documentation
- git
- images
- overview
- production
- subsystems
- testing
- translating
- tutorials
- .gitignore
- Makefile
- README.md
- THIRDPARTY
- code-of-conduct.md
- conf.py
- index.md
- requirements.readthedocs.txt

README.md
Zulip Markdown documentation hosted elsewhere
The Markdown files in this directory (/zulip/docs) are not intended to be read on GitHub. Instead, visit our ReadTheDocs to read the Zulip documentation.