How to Configure HTTPS Protocols Used By Nexus

Enforcing Inbound HTTPS Protocols Using a Reverse Proxy or Proxy Server

If you access Nexus through a reverse proxy or HTTP proxy server, consult your networking team for instructions as configuration can vary.

Enforcing Inbound Protocols With Bundled Jetty Server

Nexus Repository Manager 3

Note: This section applies ONLY when you have configured Sonatype Server products to service HTTPS inbound connections using the bundled Eclipse Jetty server.

Version 3.29.0 and Newer

As of version 3.29.0, the default inbound HTTPS configuration of the bundled Jetty server uses industry-recommended cipher suites and explicitly allows only TLSv1.2 for inbound connections.

  • NEXUS-20267 - only allow the most secure cipher suites and TLS protocol versions for inbound HTTPS connections by default
  • NEXUS-25786 - explicitly disable TLS 1.0 and 1.1 for inbound HTTPS connections by default

If you need to change the cipher suites or the allowed protocols, or to allow weak export keys, refer to the descriptions of the issues above for guidance.

Nexus Repository Manager 2

  1. In Nexus 2.8.x and greater, edit {NEXUS_HOME}/conf/jetty-https.xml.
    In Nexus 2.7.x and earlier, edit {NEXUS_HOME}/conf/jetty.xml.
  2. Find the SslContextFactory element and add or edit a Set element beneath it that excludes the insecure protocols. For example:

      <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
        <Set name="keyStore">./conf/ssl/keystore.jks</Set>
        <Set name="trustStore">./conf/ssl/keystore.jks</Set>
        <Set name="keyStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
        <Set name="keyManagerPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
        <Set name="trustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
        <Set name="ExcludeProtocols">
          <Array type="java.lang.String">
            <Item>SSL</Item>  
            <Item>SSLv2</Item>
            <Item>SSLv3</Item>
            <Item>SSLv2Hello</Item>
          </Array>
        </Set>
      </New>
    

    Nexus Repo 2.15

    Nexus 2.15 uses Jetty 9.4.45, and Jetty 9 changed how protocols and cipher suites are selected. Read Eclipse Jetty Changes in Repository 2.15.0 before editing the file.
    By default, Jetty 9.4.45 enables only TLSv1.2. The old protocols TLS v1.0, TLS v1.1 and SSL v3 must be enabled manually, and doing so weakens the server: enable them only for the clients that cannot negotiate TLS 1.2, and remove them again once those clients are upgraded.

    TLS v1.0, v1.1

    Add TLSv1 and TLSv1.1 to the IncludeProtocols set:

      <Set name="IncludeProtocols">
        <Array type="java.lang.String">
          <Item>TLSv1</Item>
          <Item>TLSv1.1</Item>
          <Item>TLSv1.2</Item>
        </Array>
      </Set>

    SSLv3

    - Add SSLv3 to the <Set name="IncludeProtocols"> array above.
    - By default, Jetty 9.4.45 excludes SSLv3 (source code), and an exclusion always wins over an inclusion, so including it is not enough. Override the excluded protocols so that SSLv3 is no longer listed:

      <Set name="excludeProtocols">
        <Array type="java.lang.String">
          <Item>SSL</Item>
          <Item>SSLv2</Item>
          <Item>SSLv2Hello</Item>
          <!--<Item>SSLv3</Item>-->
        </Array>
      </Set>

    Enable cipher suites for the old protocols in Jetty

    By default, Jetty 9.4.45 excludes the cipher suites that the old protocols need (source code), so you also need to override ExcludeCipherSuites. The list below still excludes MD5/SHA1-based, SSL_-prefixed, NULL and anonymous suites, but it does not exclude the *_CBC_SHA suites or the TLS_RSA_* suites (which provide no forward secrecy) that the old protocols rely on; this is why the nmap output in step 5 lists them.

      <Set name="ExcludeCipherSuites">
        <Array type="String">
          <Item>^.*_(MD5|SHA1)$</Item>
          <Item>^SSL_.*$</Item>
          <Item>^.*_NULL_.*$</Item>
          <Item>^.*_anon_.*$</Item>
        </Array>
      </Set>
  3. Enable old protocols at the JVM level
    3.1) Locate the java.security file in the $JAVA_HOME/jre/lib/security/ directory of the JDK that your Nexus Repo 2 server runs on.
    3.2) Check whether the value of jdk.tls.disabledAlgorithms contains the protocol you want to enable. If it does, continue with the steps below; do not delete entries from java.security itself.

    3.3) Create a new file java.security.override in the {NEXUS_HOME}/conf directory to override jdk.tls.disabledAlgorithms. Only the properties listed in this file replace their counterparts in java.security. The example below re-enables TLSv1 and TLSv1.1 at the JVM level by omitting them from the list while keeping the other defaults:

      jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
          DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
          include jdk.disabled.namedCurves

    3.4) Edit {NEXUS_HOME}/bin/jsw/conf/wrapper.conf. Note the highest number n used by the wrapper.java.additional.n properties and add

      wrapper.java.additional.y=-Djava.security.properties=./conf/java.security.override

    where y is the next unused number greater than n.
  4. Restart Nexus and verify that the host does not handshake with any of the excluded protocols and does handshake with the enabled ones. The Nexus log should contain a line indicating which protocols are enabled. For example:
    INFO [jetty-main-1] *SYSTEM org.eclipse.jetty.util.ssl.SslContextFactory - Enabled Protocols [TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]

    Nexus Repo 2.15

    Jetty 9.4 logs the selection at DEBUG level, so create or enable a DEBUG level logger for org.eclipse.jetty.util.ssl.SslContextFactory. The line then reads:
    DEBUG [jetty-main-1] org.eclipse.jetty.util.ssl.SslContextFactory - Selected Protocols [TLSv1, TLSv1.1, TLSv1.2] of [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2Hello]
  5. Verify from a client which protocols the server accepts, using one of the tools below. Repeat the check after any JDK upgrade, since the JVM's jdk.tls.disabledAlgorithms also shapes the result. If a tool reports a protocol as disabled that you expected to be enabled, remember that a client-side minimum-version policy (for example an openssl.cnf MinProtocol or security level on the machine running the check) can make the handshake fail even though the server permits it; confirm with a second tool.
    5.1) sslscan
    sslscan <HOST>:<PORT>
    example:
    % sslscan 127.0.0.1:8443
    Version: 2.0.15
    OpenSSL 3.0.7 1 Nov 2022
    Connected to 127.0.0.1

    Testing SSL server 127.0.0.1 on port 8443 using SNI name 127.0.0.1

    SSL/TLS Protocols:
    SSLv2 disabled
    SSLv3 disabled
    TLSv1.0 enabled
    TLSv1.1 enabled
    TLSv1.2 enabled
    TLSv1.3 disabled
    5.2) nmap
    nmap --script ssl-enum-ciphers -p <PORT> <HOST>
    example:
    % nmap --script ssl-enum-ciphers -p 8443 127.0.0.1
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-02 07:37 EST
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.00019s latency).

    PORT     STATE SERVICE
    8443/tcp open  https-alt
    | ssl-enum-ciphers:
    |   TLSv1.0:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    |     compressors:
    |       NULL
    |     cipher preference: server
    |   TLSv1.1:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    |     compressors:
    |       NULL
    |     cipher preference: server
    |   TLSv1.2:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
    |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
    |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
    |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    |     compressors:
    |       NULL
    |     cipher preference: server
    |_  least strength: A

    Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
    5.3) openssl
    openssl s_client -connect <HOST>:<PORT> -<protocol option>
    where the protocol option is one of -ssl3, -tls1, -tls1_1, -tls1_2 or -tls1_3 (each must also be supported by the OpenSSL build on the client). A successful handshake prints the certificate chain and a Protocol line in the session summary; a protocol the server refuses ends with a TLS alert from the server instead.
    example:
    % openssl s_client -connect 127.0.0.1:8443 -tls1_1
    CONNECTED(00000003)
    Can't use SSL_get_servername
    depth=0 C = US, ST = Unspecified, L = Unspecified, O = Sonatype, OU = Example, CN = 127.0.0.1
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = US, ST = Unspecified, L = Unspecified, O = Sonatype, OU = Example, CN = 127.0.0.1
    verify return:1
    ---
    Certificate chain
    0 s:C = US, ST = Unspecified, L = Unspecified, O = Sonatype, OU = Example, CN = 127.0.0.1
    i:C = US, ST = Unspecified, L = Unspecified, O = Sonatype, OU = Example, CN = 127.0.0.1
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    ...
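The include/exclude precedence that steps 2 to 4 depend on is easy to get wrong by hand, so the following is a small audit script, added to this article as an example; it is not Sonatype or Eclipse Jetty code. It models the selection rule described above: when IncludeProtocols is set, the selection starts from the included names the JVM supports (in the order listed), otherwise from the protocols the JVM enables by default; ExcludeProtocols is applied afterwards, so an excluded protocol stays excluded even when it is also included. Names are compared exactly (only the cipher-suite entries on this page are regular expressions), and the model only sees what the XML sets, so Jetty's own defaults still apply when a Set is absent. The JDK protocol lists, the XML fragments and the log line are constructed sample input. Note what it shows for the first fragment: the "hardened" exclusion of SSL* alone still leaves TLSv1 and TLSv1.1 on offer on a Java 8 JVM, exactly as the INFO log line in step 4 reports.

```python
"""Audit of inbound protocol settings in a Nexus 2 jetty-https.xml fragment, plus a
parser for the protocol line Jetty logs at start-up. Added example, not product code."""
import re
import xml.etree.ElementTree as ET

# What a Java 8 JVM reports as supported and as enabled by default
# (the "Listing Supported HTTPS Protocol Suite Names" output); constructed here.
JDK8_SUPPORTED = ["SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
JDK8_ENABLED = ["TLSv1", "TLSv1.1", "TLSv1.2"]

# Protocols (and the SSLv2-format hello) a hardened listener should not offer.
LEGACY = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

SET_NAMES = {"includeprotocols": "include", "excludeprotocols": "exclude"}


def read_protocol_sets(jetty_xml):
    """Return {'include': [...], 'exclude': [...]} from an SslContextFactory <New> element.

    Jetty accepts either capitalisation of the Set name (ExcludeProtocols / excludeProtocols),
    so names are compared case-insensitively. Commented-out <Item>s are dropped by the parser.
    """
    sets = {"include": [], "exclude": []}
    for node in ET.fromstring(jetty_xml).iter("Set"):
        key = SET_NAMES.get(node.get("name", "").lower())
        if key:
            sets[key] = [item.text.strip() for item in node.iter("Item") if item.text]
    return sets


def select_protocols(sets, supported=JDK8_SUPPORTED, enabled=JDK8_ENABLED):
    """Apply include-then-exclude and return the protocols the listener would offer."""
    if sets["include"]:
        selected = [p for p in sets["include"] if p in supported]  # unsupported names drop out
    else:
        selected = list(enabled)
    return [p for p in selected if p not in sets["exclude"]]


LOG_RE = re.compile(r"(Enabled|Selected) Protocols \[([^\]]*)\] of \[([^\]]*)\]")


def protocols_from_log(line):
    """Parse Jetty's start-up line (INFO 'Enabled Protocols' on older Jetty, DEBUG
    'Selected Protocols' on Jetty 9.4) into (selected, available); None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    split = lambda s: [p.strip() for p in s.split(",") if p.strip()]
    return split(m.group(2)), split(m.group(3))


def legacy_enabled(protocols):
    """The subset of `protocols` that should not be reachable, in the order offered."""
    return [p for p in protocols if p in LEGACY]


# Constructed fragments in the shape of the article's jetty-https.xml examples.
HARDENED_XML = """<New class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="ExcludeProtocols"><Array type="java.lang.String">
    <Item>SSL</Item><Item>SSLv2</Item><Item>SSLv3</Item><Item>SSLv2Hello</Item>
  </Array></Set>
</New>"""

# SSLv3 included but still excluded: the exclusion wins.
SSLV3_INCLUDED_ONLY_XML = """<New class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="IncludeProtocols"><Array type="java.lang.String">
    <Item>TLSv1</Item><Item>TLSv1.1</Item><Item>TLSv1.2</Item><Item>SSLv3</Item>
  </Array></Set>
  <Set name="excludeProtocols"><Array type="java.lang.String">
    <Item>SSL</Item><Item>SSLv2</Item><Item>SSLv2Hello</Item><Item>SSLv3</Item>
  </Array></Set>
</New>"""

# Same, with the SSLv3 exclusion commented out as the article shows.
SSLV3_ENABLED_XML = """<New class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="IncludeProtocols"><Array type="java.lang.String">
    <Item>TLSv1</Item><Item>TLSv1.1</Item><Item>TLSv1.2</Item><Item>SSLv3</Item>
  </Array></Set>
  <Set name="excludeProtocols"><Array type="java.lang.String">
    <Item>SSL</Item><Item>SSLv2</Item><Item>SSLv2Hello</Item><!--<Item>SSLv3</Item>-->
  </Array></Set>
</New>"""

TLS12_ONLY_XML = """<New class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="IncludeProtocols"><Array type="java.lang.String"><Item>TLSv1.2</Item></Array></Set>
</New>"""

SAMPLE_LOG = ("INFO [jetty-main-1] *SYSTEM org.eclipse.jetty.util.ssl.SslContextFactory - "
              "Enabled Protocols [TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]")

if __name__ == "__main__":
    for label, xml in [("hardened", HARDENED_XML), ("SSLv3 included only", SSLV3_INCLUDED_ONLY_XML),
                       ("SSLv3 enabled", SSLV3_ENABLED_XML), ("TLS 1.2 only", TLS12_ONLY_XML)]:
        chosen = select_protocols(read_protocol_sets(xml))
        print(f"{label:20s} offers {chosen}  legacy: {legacy_enabled(chosen) or 'none'}")
    selected, available = protocols_from_log(SAMPLE_LOG)
    print("log line selects", selected, "of", available, "legacy:", legacy_enabled(selected))
```

Run it against your own jetty-https.xml by passing the SslContextFactory element to read_protocol_sets, and pipe the Nexus log through protocols_from_log after a restart: a non-empty legacy_enabled result on either side is the finding to act on.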

Enforcing Outbound HTTPS Protocols

Nexus Repository Manager 2

Nexus uses a custom connection factory and Apache HttpClient for outbound communication.

In Nexus 2.11 and later, Nexus negotiates a secure protocol with the remote by default and excludes known vulnerable protocols such as SSLv3 (NEXUS-7659).

Nexus 2.11 and later also provide a configurable way to limit the protocols Nexus will use for outbound connections (NEXUS-7594).

  1. Edit NEXUS_HOME/bin/jsw/conf/wrapper.conf. Note the highest number n used by the wrapper.java.additional.n properties.
  2. After the line found in step 1, add

       wrapper.java.additional.y=-Dhttps.protocols={list of protocols}

     where y is the next unused number greater than n found in step 1 and {list of protocols} is a comma-separated list of the protocol names that outbound HTTPS connections made by Nexus may use. For example:

       wrapper.java.additional.5=-Dhttps.protocols=TLSv1.1,TLSv1.2

     Nexus honours the protocols in the same way as the JDK documentation defines for the https.protocols property. The list is a client-side allow-list: a remote repository that supports none of the listed protocols will fail to connect, so check the Nexus log for handshake failures against proxy repositories after tightening it.
  3. Restart Nexus to pick up changes to wrapper.conf.

In Nexus 2.10 and earlier, Nexus tries to negotiate the most secure protocol that both the Nexus JVM and the remote server can agree on, and there is no configurable method to enforce outbound protocols.
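Both step 3.4 of the inbound procedure (adding -Djava.security.properties) and step 2 here (adding -Dhttps.protocols) ask you to find the highest wrapper.java.additional.n index and append under the next free one. The helper below does that mechanically; it is an example added to this article, not Sonatype or Java Service Wrapper code, and the wrapper.conf text it works on is a constructed sample, not a copy of the shipped file. It also refuses to add a second copy of a -Dname= system property, because a duplicate would make the effective value depend on JVM argument order instead of on what you intended.

```python
"""Append a JVM option to a Java Service Wrapper wrapper.conf under the next free
wrapper.java.additional.<n> index. Added example, not product code."""
import re

# Matches active (uncommented) wrapper.java.additional.<n>=<value> lines only.
ADDITIONAL_RE = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=\s*(.*?)\s*$")


def parse_additional(conf_text):
    """Return {index: value} for every active wrapper.java.additional.<n> line."""
    found = {}
    for line in conf_text.splitlines():
        m = ADDITIONAL_RE.match(line)
        if m:
            found[int(m.group(1))] = m.group(2)
    return found


def next_index(conf_text):
    """Next unused index greater than the highest one present (1 for an empty file)."""
    return max(parse_additional(conf_text), default=0) + 1


def system_property_name(option):
    """'-Dhttps.protocols=TLSv1.2' -> 'https.protocols'; None for options such as -Xmx768m."""
    m = re.match(r"-D([^=]+)=", option)
    return m.group(1) if m else None


def add_jvm_option(conf_text, option):
    """Return conf_text with `option` appended as wrapper.java.additional.<next>.

    Raises ValueError if a -D system property of the same name is already set, so the
    caller edits the existing line instead of creating an ambiguous duplicate.
    """
    prop = system_property_name(option)
    if prop is not None:
        for idx, value in parse_additional(conf_text).items():
            if system_property_name(value) == prop:
                raise ValueError(f"{prop} is already set by wrapper.java.additional.{idx}={value}")
    line = f"wrapper.java.additional.{next_index(conf_text)}={option}"
    if conf_text and not conf_text.endswith("\n"):
        conf_text += "\n"
    return conf_text + line + "\n"


# Constructed sample in the shape of {NEXUS_HOME}/bin/jsw/conf/wrapper.conf; the
# commented-out index 3 must not count, so the next free index is 5.
SAMPLE_CONF = """\
wrapper.java.command=java
wrapper.java.additional.1=-Djava.io.tmpdir=./tmp
wrapper.java.additional.2=-Xms256m
#wrapper.java.additional.3=-XX:+UseG1GC
wrapper.java.additional.4=-Xmx768m
"""

if __name__ == "__main__":
    conf = add_jvm_option(SAMPLE_CONF, "-Djava.security.properties=./conf/java.security.override")
    conf = add_jvm_option(conf, "-Dhttps.protocols=TLSv1.2")
    print(conf)
    try:
        add_jvm_option(conf, "-Dhttps.protocols=TLSv1.1,TLSv1.2")
    except ValueError as err:
        print("refused:", err)
```

Read the real file, pass its text through add_jvm_option once per option, and write the result back; the refusal on a repeated -Dhttps.protocols is the case where you should edit the existing line rather than append.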

General Java Networking Resources

Diagnosing TLS, SSL, and HTTPS in Java

Querying Remote SSL Protocol and Cipher Support

Listing Supported HTTPS Protocol Suite Names

The supported protocol names vary by JVM version. One way to list them for the JVM that runs Nexus is the following Groovy one-liner:

groovy -e 'javax.net.ssl.SSLContext.getDefault().createSSLEngine().getSupportedProtocols().each{println(it)}'

If Groovy is not installed but a JDK with a bundled script engine is available (for example JDK 8 with Nashorn), jrunscript can run the same query; use the jrunscript from the JDK that Nexus runs on:

$JAVA_HOME/bin/jrunscript -e 'var sp = javax.net.ssl.SSLContext.getDefault().createSSLEngine().getSupportedProtocols(); for (var i in sp) println(sp[i])'

On a Java 8 JVM these print something like:

SSLv2Hello
SSLv3
TLSv1
TLSv1.1
TLSv1.2

Note that "supported" means the JVM can speak the protocol; the subset actually enabled by default is narrower and is governed by jdk.tls.disabledAlgorithms. Replace getSupportedProtocols() with getEnabledProtocols() in either command to list that subset.