How to Configure HTTPS Protocols Used By Nexus

Nexus HTTPS Protocols

Enforcing Inbound Protocols With Bundled Jetty Server

Note: This section applies when you have configured Nexus to service HTTPS inbound connections using the bundled Jetty server as discussed in the book.

  1. In Nexus 2.8.x and greater, edit {NEXUS_HOME}/conf/jetty-https.xml. In Nexus 2.7.x and earlier, your jetty HTTPS configuration would have been in {NEXUS_HOME}/conf/jetty.xml.
  2. Find the SSLContextFactory configuration element and add/edit a Set configuration under this that excludes insecure protocols. For example:

      <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
        <Set name="keyStore">./conf/ssl/keystore.jks</Set>
        <Set name="trustStore">./conf/ssl/keystore.jks</Set>
        <Set name="keyStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
        <Set name="keyManagerPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
        <Set name="trustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
        <Set name="ExcludeProtocols">
          <Array type="java.lang.String">
            <Item>SSL</Item>
            <Item>SSLv2</Item>
            <Item>SSLv3</Item>
            <Item>SSLv2Hello</Item>
          </Array>
        </Set>
      </New>
    
  3. Restart Nexus and verify that your Nexus host does not handshake using any of the excluded protocols. The Nexus log file should contain a log line indicating which protocols are enabled. For example:

    INFO  [jetty-main-1] *SYSTEM org.eclipse.jetty.util.ssl.SslContextFactory - Enabled Protocols [TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
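
The three steps above amount to one check that is easy to script: the SslContextFactory in jetty-https.xml must list every legacy protocol under ExcludeProtocols, and after the restart the "Enabled Protocols" line Jetty logs must not contain any of them. The following Python script is an added example and not Sonatype's code; the XML fragment and the two log lines in it are constructed to mirror the snippets in this article (the keystore password is a placeholder), and the second log line is deliberately one where SSLv3 is still enabled so the failure case is visible.

```python
"""Verify an inbound Jetty TLS configuration two ways: statically, from the
ExcludeProtocols setting in jetty-https.xml, and at runtime, from the
'Enabled Protocols' line SslContextFactory logs at start-up.
Added example, not Sonatype's code; all inputs below are constructed."""
import re
import xml.etree.ElementTree as ET

# Protocols that must never be enabled on the inbound HTTPS connector.
LEGACY_PROTOCOLS = {"SSL", "SSLv2", "SSLv3", "SSLv2Hello"}

# Constructed jetty-https.xml fragment (paths and the OBF password are placeholders).
JETTY_HTTPS_XML = """<New class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="keyStore">./conf/ssl/keystore.jks</Set>
  <Set name="keyStorePassword">OBF:placeholder</Set>
  <Set name="ExcludeProtocols">
    <Array type="java.lang.String">
      <Item>SSL</Item>
      <Item>SSLv2</Item>
      <Item>SSLv3</Item>
      <Item>SSLv2Hello</Item>
    </Array>
  </Set>
</New>"""

# Same fragment with the SSLv2Hello exclusion forgotten (constructed weak variant).
WEAK_XML = JETTY_HTTPS_XML.replace("      <Item>SSLv2Hello</Item>\n", "")

# Constructed Jetty start-up lines: the first is hardened, the second still offers SSLv3.
LOG_LINES = [
    "INFO  [jetty-main-1] *SYSTEM org.eclipse.jetty.util.ssl.SslContextFactory - "
    "Enabled Protocols [TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]",
    "INFO  [jetty-main-1] *SYSTEM org.eclipse.jetty.util.ssl.SslContextFactory - "
    "Enabled Protocols [SSLv3, TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]",
]


def excluded_protocols(xml_text):
    """Protocol names listed under <Set name="ExcludeProtocols"> of every SslContextFactory."""
    root = ET.fromstring(xml_text)
    excluded = set()
    for new in root.iter("New"):  # iter() includes the root element itself
        if new.get("class") != "org.eclipse.jetty.util.ssl.SslContextFactory":
            continue
        for setter in new.findall("Set"):
            if setter.get("name") == "ExcludeProtocols":
                excluded.update(item.text.strip() for item in setter.iter("Item") if item.text)
    return excluded


def missing_exclusions(xml_text):
    """Legacy protocols the configuration fails to exclude (empty set means OK)."""
    return LEGACY_PROTOCOLS - excluded_protocols(xml_text)


ENABLED_RE = re.compile(r"Enabled Protocols \[([^\]]*)\] of \[([^\]]*)\]")


def enabled_protocols(log_line):
    """Parse Jetty's 'Enabled Protocols [...] of [...]' line into (enabled, supported) sets."""
    m = ENABLED_RE.search(log_line)
    if not m:
        return None
    split = lambda s: {p.strip() for p in s.split(",") if p.strip()}
    return split(m.group(1)), split(m.group(2))


def legacy_still_enabled(log_line):
    """Legacy protocols the running connector actually enabled (empty set means OK)."""
    parsed = enabled_protocols(log_line)
    if parsed is None:
        return None
    enabled, _supported = parsed
    return enabled & LEGACY_PROTOCOLS


if __name__ == "__main__":
    print("config misses:", sorted(missing_exclusions(JETTY_HTTPS_XML)))
    print("weak config misses:", sorted(missing_exclusions(WEAK_XML)))
    for line in LOG_LINES:
        print("legacy enabled at runtime:", sorted(legacy_still_enabled(line)))
```

To run it against a real installation, read {NEXUS_HOME}/conf/jetty-https.xml into `missing_exclusions` and grep the Nexus log for "Enabled Protocols" before passing the line to `legacy_still_enabled`; the static check catches a typo in the XML, the log check catches the case where the file was edited but Nexus was not restarted.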
    

Enforcing Inbound HTTP Protocols Using a Reverse Proxy or Proxy Server

If you access Nexus through a reverse proxy or HTTP proxy server, consult your networking team for instructions as configuration can vary.

Enforcing Outbound HTTPS Protocols

Nexus uses a custom connection factory and Apache HTTP Client for its outbound communication.

In Nexus 2.10 and earlier, Nexus tries to negotiate the most secure protocol that both the Nexus JVM and the remote server can agree on.

In Nexus 2.11+, Nexus defaults to negotiating a secure protocol with the remote server that excludes known vulnerable protocols such as SSLv3 (NEXUS-7659).

Further, Nexus 2.11+ provides a configurable method to limit the outbound protocols Nexus will support (NEXUS-7594).

  1. Edit NEXUS_HOME/bin/jsw/conf/wrapper.conf. Note the highest number n used for the java.additional.arguments.n properties.
  2. After the line found in step 1, add wrapper.java.additional.y=-Dhttps.protocols={list of protocols}, where y is the next unused number greater than n from step 1 and {list of protocols} is the comma-separated list of protocol names that outbound HTTPS connections made by Nexus are allowed to use. For example: wrapper.java.additional.5=-Dhttps.protocols=TLSv1.1,TLSv1.2

    Nexus will honour the protocols in the same way as defined by the JDK documentation for the https.protocols property.
  3. Restart Nexus to pick up the changes to wrapper.conf.
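
The numbering rule in steps 1 and 2 is where hand edits go wrong: a duplicate wrapper.java.additional index silently overrides an earlier argument, and a second -Dhttps.protocols entry leaves it unclear which list the JVM honours. The following Python script is an added example and not Sonatype's code; it implements the procedure above (find the highest n, append n+1 directly after it) and rewrites an existing -Dhttps.protocols entry in place instead of adding a second one. The wrapper.conf excerpt it works on is constructed.

```python
"""Add or update the -Dhttps.protocols JVM argument in a Tanuki wrapper.conf
following the numbering rule for wrapper.java.additional.n properties.
Added example, not Sonatype's code; the wrapper.conf content is constructed."""
import re

ADDITIONAL_RE = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=(.*)$")

# Constructed wrapper.conf excerpt with four existing java.additional properties.
WRAPPER_CONF = """# Java Additional Parameters
wrapper.java.additional.1=-Djava.io.tmpdir=./tmp
wrapper.java.additional.2=-Dnexus-work=./sonatype-work/nexus
wrapper.java.additional.3=-XX:MaxPermSize=192m
wrapper.java.additional.4=-Djava.net.preferIPv4Stack=true

# Initial Java Heap Size (in MB)
wrapper.java.initmemory=256
"""

HTTPS_PROTOCOLS_PREFIX = "-Dhttps.protocols="


def parse_additional(conf_text):
    """Map index -> value for every wrapper.java.additional.n line (comments ignored)."""
    found = {}
    for line in conf_text.splitlines():
        m = ADDITIONAL_RE.match(line)
        if m:
            found[int(m.group(1))] = m.group(2).strip()
    return found


def set_https_protocols(conf_text, protocols):
    """Return conf_text with exactly one -Dhttps.protocols=... java.additional entry.

    An existing entry is rewritten in place, so re-running is idempotent. Otherwise the
    new entry gets index n+1 and is inserted directly after the highest-numbered line,
    which is what steps 1 and 2 describe.
    """
    value = HTTPS_PROTOCOLS_PREFIX + ",".join(protocols)
    lines = conf_text.splitlines()
    highest = 0
    highest_idx = None
    for i, line in enumerate(lines):
        m = ADDITIONAL_RE.match(line)
        if not m:
            continue
        n = int(m.group(1))
        if m.group(2).strip().startswith(HTTPS_PROTOCOLS_PREFIX):
            lines[i] = "wrapper.java.additional.%d=%s" % (n, value)
            return "\n".join(lines) + "\n"
        if n > highest:
            highest, highest_idx = n, i
    new_line = "wrapper.java.additional.%d=%s" % (highest + 1, value)
    if highest_idx is None:
        lines.append(new_line)          # no java.additional lines yet: start at 1
    else:
        lines.insert(highest_idx + 1, new_line)
    return "\n".join(lines) + "\n"


def effective_https_protocols(conf_text):
    """Protocol list the JVM would see, or None when no -Dhttps.protocols entry exists."""
    for value in parse_additional(conf_text).values():
        if value.startswith(HTTPS_PROTOCOLS_PREFIX):
            return value[len(HTTPS_PROTOCOLS_PREFIX):].split(",")
    return None


if __name__ == "__main__":
    updated = set_https_protocols(WRAPPER_CONF, ["TLSv1.1", "TLSv1.2"])
    print(updated)
    print("effective:", effective_https_protocols(updated))
```

In practice you would read NEXUS_HOME/bin/jsw/conf/wrapper.conf, write back the result of `set_https_protocols`, and then restart Nexus; `effective_https_protocols` doubles as an audit check you can run on a fleet of installations to confirm the property is present and lists only the protocols you intend.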

Nexus 2.10 and earlier do not provide a configurable method to enforce outbound protocols.

General Java Networking Resources

Diagnosing TLS, SSL, and HTTPS in Java

Querying Remote SSL Protocol and Cipher Support

Listing Supported HTTPS Protocol Suite Names

The supported protocol suite names vary by JVM version. One way to list the names supported by your JVM is the following Groovy one-liner:

groovy -e 'javax.net.ssl.SSLContext.getDefault().createSSLEngine().getSupportedProtocols().each{println(it)}'

This should print something like this:

SSLv2Hello
SSLv3
TLSv1
TLSv1.1
TLSv1.2