How to Configure HTTPS Protocols Used By Nexus

Enforcing Inbound HTTP Protocols Using a Reverse Proxy or Proxy Server

If you access Nexus through a reverse proxy or HTTP proxy server, consult your networking team for instructions, because the configuration varies by proxy product.

Enforcing Inbound Protocols With Bundled Jetty Server

Nexus Repository Manager 3

Note: This section applies ONLY when you have configured Sonatype Server products to service HTTPS inbound connections using the bundled Eclipse Jetty server.

Version 3.29.0 and Newer

As of version 3.29.0, the default Jetty-based inbound HTTPS configuration uses industry-recommended secure cipher suites and explicitly allows only the TLSv1.2 protocol for inbound connections.

  • NEXUS-20267 - only allow the most secure cipher suites and TLS protocol versions for inbound HTTPS connections by default
  • NEXUS-25786 - explicitly disable TLS 1.0 and 1.1 for inbound HTTPS connections by default

If you need to alter the cipher suites or the allowed protocols, or to permit weak exported keys, refer to the descriptions of the issues above for advice.

Nexus Repository Manager 2

  1. In Nexus 2.8.x and greater, edit {NEXUS_HOME}/conf/jetty-https.xml.
    In Nexus 2.7.x and earlier, edit {NEXUS_HOME}/conf/jetty.xml.
  2. Find the SslContextFactory configuration element and add or edit a Set element under it that excludes insecure protocols. For example:

      <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
        <Set name="keyStore">./conf/ssl/keystore.jks</Set>
        <Set name="trustStore">./conf/ssl/keystore.jks</Set>
        <Set name="keyStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
        <Set name="keyManagerPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
        <Set name="trustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
        <Set name="ExcludeProtocols">
          <Array type="java.lang.String">
            <Item>SSL</Item>
            <Item>SSLv2</Item>
            <Item>SSLv3</Item>
            <Item>SSLv2Hello</Item>
          </Array>
        </Set>
      </New>
    
  3. Restart Nexus and verify that your Nexus host does not handshake using any of the excluded protocols. The Nexus log file should contain a log line indicating which protocols are enabled. For example:

    INFO  [jetty-main-1] *SYSTEM org.eclipse.jetty.util.ssl.SslContextFactory - Enabled Protocols [TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
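
    The verification in step 3 can be automated. The following Python script is an added example (not part of this article or of Nexus) that parses the SslContextFactory "Enabled Protocols" line from a copy of the Nexus log and checks that none of the protocols excluded in jetty-https.xml is still enabled; it also reports any legacy versions (SSLv2Hello, SSLv3, TLSv1, TLSv1.1) that remain enabled, which is useful when moving to the TLSv1.2-only posture described for 3.29.0. The sample log text is constructed around the log line quoted above; the function and variable names are this example's own.

```python
import re

# Matches the Jetty SslContextFactory startup line quoted in this article, e.g.
#   ... SslContextFactory - Enabled Protocols [TLSv1, TLSv1.2] of [SSLv3, TLSv1, TLSv1.2]
_PROTOCOL_LINE = re.compile(
    r"SslContextFactory - Enabled Protocols \[(?P<enabled>[^\]]*)\] of \[(?P<supported>[^\]]*)\]"
)


def _split(names):
    """Turn 'TLSv1, TLSv1.2' into ['TLSv1', 'TLSv1.2']."""
    return [n.strip() for n in names.split(",") if n.strip()]


def parse_enabled_protocols(log_text):
    """Return (enabled, supported) from the last SslContextFactory line, or None if absent.

    The last occurrence wins: Jetty logs this line on every start, and only the most
    recent start reflects the current jetty-https.xml.
    """
    result = None
    for line in log_text.splitlines():
        match = _PROTOCOL_LINE.search(line)
        if match:
            result = (_split(match.group("enabled")), _split(match.group("supported")))
    return result


def check_excluded_protocols(log_text, excluded,
                             legacy=("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1")):
    """Verify that none of `excluded` is still enabled; also flag enabled legacy versions."""
    parsed = parse_enabled_protocols(log_text)
    if parsed is None:
        return {"ok": False, "error": "no SslContextFactory 'Enabled Protocols' line found"}
    enabled, supported = parsed
    still_enabled = [p for p in excluded if p in enabled]
    legacy_enabled = [p for p in enabled if p in legacy]
    return {
        "ok": not still_enabled,          # the exclusion took effect
        "enabled": enabled,
        "supported": supported,
        "still_enabled": still_enabled,   # excluded protocols Jetty still offers
        "legacy_enabled": legacy_enabled, # old versions worth excluding next
    }


# Constructed sample logs (not real Nexus output). The first reuses the line quoted in
# this article; the second is a deliberately misconfigured host where SSLv3 is still on.
SAMPLE_LOG_OK = """\
INFO  [jetty-main-1] *SYSTEM org.eclipse.jetty.server.Server - jetty-8.1.x
INFO  [jetty-main-1] *SYSTEM org.eclipse.jetty.util.ssl.SslContextFactory - Enabled Protocols [TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
INFO  [jetty-main-1] *SYSTEM org.eclipse.jetty.server.Server - Started @12345ms
"""

SAMPLE_LOG_BAD = """\
INFO  [jetty-main-1] *SYSTEM org.eclipse.jetty.util.ssl.SslContextFactory - Enabled Protocols [SSLv3, TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
"""

# The protocols excluded in the jetty-https.xml example above.
EXCLUDED = ["SSL", "SSLv2", "SSLv3", "SSLv2Hello"]

if __name__ == "__main__":
    for name, log in (("ok", SAMPLE_LOG_OK), ("bad", SAMPLE_LOG_BAD)):
        print(name, check_excluded_protocols(log, EXCLUDED))
```

    Run it against the real log (for example, read NEXUS_HOME/logs/wrapper.log into `log_text`) after the restart. Note that the article's own sample line still enables TLSv1 and TLSv1.1; the check reports those under `legacy_enabled` so you can decide whether to add them to the ExcludeProtocols array as well.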
    

Enforcing Outbound HTTPS Protocols

Nexus Repository Manager 2

Nexus uses a custom connection factory and Apache HTTP Client for outbound communication.

In Nexus 2.11+, Nexus defaults to negotiating a secure protocol with the remote server that excludes known-vulnerable protocols such as SSLv3 (NEXUS-7659).

Further, Nexus 2.11+ provides a configurable method to limit the outbound protocols Nexus will support (NEXUS-7594).

  1. Edit NEXUS_HOME/bin/jsw/conf/wrapper.conf. Note the highest number n used in the wrapper.java.additional.n properties.
  2. After the line found in step 1, add wrapper.java.additional.y=-Dhttps.protocols={list of protocols}, where y is the next unused number greater than n and {list of protocols} is the comma-separated list of protocol suite names that outbound HTTPS connections made by Nexus are allowed to use. For example: wrapper.java.additional.5=-Dhttps.protocols=TLSv1.1,TLSv1.2

    Nexus honours these protocols in the same way as described in the JDK documentation for the https.protocols property.
  3. Restart Nexus to pick up the changes to wrapper.conf.
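
    The three steps above amount to a small text transformation, and doing it in code avoids the common mistake of reusing an existing wrapper.java.additional number. The following Python script is an added example (not part of this article or of Nexus): it finds the highest active wrapper.java.additional.n line, inserts the -Dhttps.protocols line directly after it with the next number, rejects protocol names the JDK does not know, refuses to add a second https.protocols setting, and warns when a legacy version is kept in the allow-list. The wrapper.conf excerpt is constructed, and the function names are this example's own.

```python
import re

# Protocol names as the JDK's https.protocols property spells them: the names this
# article lists plus TLSv1.3 for newer JDKs.
KNOWN_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Versions a defender would not normally leave in an outbound allow-list.
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Matches an active (uncommented) wrapper.java.additional.<n>= property.
_ADDITIONAL = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=")


def highest_additional_index(conf_text):
    """Return (n, line_index) of the highest wrapper.java.additional.n, or (0, -1) if none."""
    highest, at = 0, -1
    for i, line in enumerate(conf_text.splitlines()):
        match = _ADDITIONAL.match(line)
        if match and int(match.group(1)) > highest:
            highest, at = int(match.group(1)), i
    return highest, at


def add_https_protocols(conf_text, protocols):
    """Insert -Dhttps.protocols right after the highest-numbered wrapper.java.additional line.

    Returns (new_conf_text, inserted_line, warnings). Raises ValueError for an empty or
    unknown protocol list, or if https.protocols is already configured.
    """
    protocols = list(protocols)
    unknown = sorted(set(protocols) - KNOWN_PROTOCOLS)
    if not protocols or unknown:
        raise ValueError(f"empty protocol list or unknown names: {unknown}")
    lines = conf_text.splitlines()
    if any("-Dhttps.protocols=" in line and _ADDITIONAL.match(line) for line in lines):
        raise ValueError("wrapper.conf already sets https.protocols; edit that line instead")
    highest, at = highest_additional_index(conf_text)
    inserted = f"wrapper.java.additional.{highest + 1}=-Dhttps.protocols={','.join(protocols)}"
    lines.insert(at + 1, inserted)  # step 2: directly after the line found in step 1
    warnings = [f"{p} is a legacy protocol version" for p in protocols if p in LEGACY_PROTOCOLS]
    return "\n".join(lines) + "\n", inserted, warnings


# Constructed excerpt of NEXUS_HOME/bin/jsw/conf/wrapper.conf (not a real Nexus file).
# The numbers are deliberately out of order and one entry is commented out.
SAMPLE_WRAPPER_CONF = """\
wrapper.java.command=java
wrapper.java.additional.1=-Djava.io.tmpdir=./tmp
wrapper.java.additional.2=-Dfile.encoding=UTF-8
wrapper.java.additional.4=-Djava.awt.headless=true
wrapper.java.additional.3=-Djava.net.preferIPv4Stack=true
#wrapper.java.additional.9=-Dcommented.out=true
wrapper.java.maxmemory=768
"""

if __name__ == "__main__":
    text, line, warnings = add_https_protocols(SAMPLE_WRAPPER_CONF, ["TLSv1.1", "TLSv1.2"])
    print(line)
    for w in warnings:
        print("warning:", w)
    print(text)
```

    With the article's example list, the inserted line is exactly wrapper.java.additional.5=-Dhttps.protocols=TLSv1.1,TLSv1.2, and the script warns that TLSv1.1 is a legacy version; passing ["TLSv1.2"] alone produces no warning. Writing the result back to the file and restarting Nexus (step 3) are left to the operator.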

In Nexus 2.10 and earlier, Nexus tries to negotiate the most secure protocol that both the Nexus JVM and the remote server can agree on.

Nexus 2.10 and earlier does not provide a configurable method to enforce outbound protocols.

General Java Networking Resources

Diagnosing TLS, SSL, and HTTPS in Java

Querying Remote SSL Protocol and Cipher Support

Listing Supported HTTPS Protocol Suite Names

The supported protocol suite names vary by JVM version. One way to list the suite names your JVM supports is with the following Groovy command:

groovy -e 'javax.net.ssl.SSLContext.getDefault().createSSLEngine().getSupportedProtocols().each{println(it)}'

This should print something like this:

SSLv2Hello
SSLv3
TLSv1
TLSv1.1
TLSv1.2