Enforcing Inbound HTTP Protocols Using a Reverse Proxy or Proxy Server
If you access Nexus Repository through a reverse proxy or an HTTP proxy server, consult your networking team for instructions, because the configuration varies from product to product.
Enforcing Inbound Protocols With Bundled Jetty Server
Nexus Repository 3
Note: This section applies ONLY when you have configured Sonatype Server products to service HTTPS inbound connections using the bundled Eclipse Jetty server.
Nexus Repository 3.29.0 and Newer
As of Nexus Repository 3.29.0, the default Jetty-based inbound HTTPS configuration uses industry-recommended secure cipher suites and explicitly allows only TLSv1.2 for inbound connections.
- Only allow the most secure cipher suites and TLS protocol versions for inbound HTTPS connections by default
- Explicitly disable TLS 1.0 and 1.1 for inbound HTTPS connections by default
If you need to alter the cipher suites or the allowed protocols, or to allow weak export keys, refer to the descriptions of each of the above issues for advice.
Nexus Repository 2
1. In Nexus Repository 2.8.x and newer, edit {NEXUS_HOME}/conf/jetty-https.xml. In Nexus Repository 2.7.x and earlier, edit {NEXUS_HOME}/conf/jetty.xml.
2. Find the SslContextFactory configuration element and add or edit a Set element under it that excludes the insecure protocols. For example:

<New class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="keyStore">./conf/ssl/keystore.jks</Set>
  <Set name="trustStore">./conf/ssl/keystore.jks</Set>
  <Set name="keyStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
  <Set name="keyManagerPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
  <Set name="trustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
  <Set name="ExcludeProtocols">
    <Array type="java.lang.String">
      <Item>SSL</Item>
      <Item>SSLv2</Item>
      <Item>SSLv3</Item>
      <Item>SSLv2Hello</Item>
    </Array>
  </Set>
</New>
Nexus Repository 2.15
Nexus Repository 2.15 uses Jetty 9.4.45, and Jetty 9 changed its TLS defaults. Please read Eclipse Jetty Changes in Nexus Repository 2.15.0.
By default, Jetty 9 enables only TLSv1.2. The older protocols TLSv1.0, TLSv1.1 and SSLv3 must be enabled manually.
TLS v1.0, v1.1
- Add TLSv1 and TLSv1.1 to the IncludeProtocols set:

<Set name="IncludeProtocols">
  <Array type="java.lang.String">
    <Item>TLSv1</Item>
    <Item>TLSv1.1</Item>
    <Item>TLSv1.2</Item>
  </Array>
</Set>

SSLv3
- Add SSLv3 to the <Set name="IncludeProtocols"> element.
- By default, Jetty 9.4.45 excludes the SSLv3 protocol (source code), so the step above alone is not enough. You also need to override the excluded protocols so that SSLv3 is no longer listed:

<Set name="excludeProtocols">
  <Array type="java.lang.String">
    <Item>SSL</Item>
    <Item>SSLv2</Item>
    <Item>SSLv2Hello</Item>
    <!--<Item>SSLv3</Item>-->
  </Array>
</Set>

By default, Jetty 9.4.45 also excludes the cipher suites of the old protocols (source code), so you need to override ExcludeCipherSuites to enable those cipher suites:

<Set name="ExcludeCipherSuites">
  <Array type="String">
    <Item>^.*_(MD5|SHA1)$</Item>
    <Item>^SSL_.*$</Item>
    <Item>^.*_NULL_.*$</Item>
    <Item>^.*_anon_.*$</Item>
  </Array>
</Set>

3. Enable the old protocols at the JVM level:
3.1) Locate the $JAVA_HOME/jre/lib/security/ directory containing the java.security file on your Nexus Repository 2 server.
3.2) Check whether the value of jdk.tls.disabledAlgorithms contains the protocol you want to enable. If it does, continue with the following steps. Deleting entries directly from the java.security file is not recommended.
3.3) Create a new file java.security.override in the {NEXUS_HOME}/conf directory to override jdk.tls.disabledAlgorithms. Example: the following enables TLSv1 and TLSv1.1 at the JVM level by leaving them out of the disabled list:

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves

3.4) Edit {NEXUS_HOME}/bin/jsw/conf/wrapper.conf. Note the highest number n used for the existing wrapper.java.additional.n properties, then add

wrapper.java.additional.y=-Djava.security.properties=./conf/java.security.override

where y is the next available unused number greater than n.
4. Restart Nexus Repository and verify that your Nexus Repository host does not handshake using any of the excluded protocols and does use the enabled ones. The Nexus Repository log file should contain a line indicating which protocols are enabled. For example:

INFO [jetty-main-1] *SYSTEM org.eclipse.jetty.util.ssl.SslContextFactory - Enabled Protocols [TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]

In Nexus Repository 2.15, create or enable a DEBUG-level logger for org.eclipse.jetty.util.ssl.SslContextFactory; it then logs the selected protocols, for example:

DEBUG [jetty-main-1] org.eclipse.jetty.util.ssl.SslContextFactory - Selected Protocols [TLSv1, TLSv1.1, TLSv1.2] of [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2Hello]
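As an added example (not from the Sonatype page), the following Python checks SslContextFactory log lines of this form against a protocol policy and reports any excluded or legacy protocol that Jetty says is enabled or selected; the log lines inside it are constructed samples modelled on the two lines above.

```python
import re

# Constructed sample log lines modelled on the INFO and DEBUG lines shown
# above; they are not real Nexus Repository output.
SAMPLE_LOG = """\
INFO [jetty-main-1] *SYSTEM org.eclipse.jetty.util.ssl.SslContextFactory - Enabled Protocols [TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
INFO [jetty-main-1] *SYSTEM org.eclipse.jetty.server.Server - Started @12345ms
DEBUG [jetty-main-1] org.eclipse.jetty.util.ssl.SslContextFactory - Selected Protocols [TLSv1.2] of [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2Hello]
"""

# Protocols that must never be negotiated inbound: the SSL family excluded
# on this page plus TLS 1.0 and 1.1.
FORBIDDEN = {"SSL", "SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Matches both the INFO "Enabled Protocols" and DEBUG "Selected Protocols" forms.
LINE_RE = re.compile(
    r"SslContextFactory - (?:Enabled|Selected) Protocols "
    r"\[(?P<enabled>[^\]]*)\] of \[(?P<supported>[^\]]*)\]"
)


def _split(group):
    """Turn 'TLSv1, TLSv1.1' into ['TLSv1', 'TLSv1.1']."""
    return [p.strip() for p in group.split(",") if p.strip()]


def parse_protocol_lines(log_text):
    """Return (enabled, supported) list pairs, one per SslContextFactory line."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            found.append((_split(m.group("enabled")), _split(m.group("supported"))))
    return found


def check_policy(log_text, forbidden=FORBIDDEN):
    """Sorted forbidden protocols that any line reports as enabled or selected."""
    violations = set()
    for enabled, _supported in parse_protocol_lines(log_text):
        violations.update(p for p in enabled if p in forbidden)
    return sorted(violations)
```

Run check_policy over the full nexus.log after a restart; a non-empty result means the Jetty configuration above did not take effect as intended.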
5. Verify that the protocols are enabled using one of the tools below.

5.1) sslscan

sslscan <HTTPS URL>:<HTTPS PORT>

example:

% sslscan 127.0.0.1:8443
Version: 2.0.15
OpenSSL 3.0.7 1 Nov 2022

Connected to 127.0.0.1

Testing SSL server 127.0.0.1 on port 8443 using SNI name 127.0.0.1

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   enabled
TLSv1.1   enabled
TLSv1.2   enabled
TLSv1.3   disabled

5.2) nmap

nmap --script ssl-enum-ciphers -p <HTTPS PORT> <HTTPS URL>

example:

% nmap --script ssl-enum-ciphers -p 8443 127.0.0.1
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-02 07:37 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00019s latency).

PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds

5.3) openssl

openssl s_client -connect <HTTPS URL>:<HTTPS PORT> -<Protocol>

example:

% openssl s_client -connect 127.0.0.1:8443 -tls1_1
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = US, ST = Unspecified, L = Unspecified, O = Sonatype, OU = Example, CN = 127.0.0.1
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = Unspecified, L = Unspecified, O = Sonatype, OU = Example, CN = 127.0.0.1
verify return:1
---
Certificate chain
 0 s:C = US, ST = Unspecified, L = Unspecified, O = Sonatype, OU = Example, CN = 127.0.0.1
   i:C = US, ST = Unspecified, L = Unspecified, O = Sonatype, OU = Example, CN = 127.0.0.1
---
Server certificate
-----BEGIN CERTIFICATE-----
...
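As an added example that is not part of the Sonatype page, the following Python script performs the same per-version handshake probe as the three tools above using only the standard library, so it runs on a host without sslscan or nmap; host and port are assumed to be the Nexus Repository HTTPS address, e.g. 127.0.0.1 and 8443.

```python
import socket
import ssl
import warnings

# TLS versions to probe, mapped to the ssl module's TLSVersion enum.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def probe_version(host, port, version, timeout=5.0):
    """Handshake pinned to exactly `version`. Returns "enabled", "disabled",
    "unreachable" (no TCP connection) or "unsupported-by-client" (the local
    OpenSSL build cannot offer that version at all)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # we test protocol support,
    ctx.verify_mode = ssl.CERT_NONE  # not the certificate chain
    try:  # offer legacy suites so a TLS 1.0/1.1 probe is decided by the server
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # builds without @SECLEVEL support keep their default list
    try:
        with warnings.catch_warnings():  # TLSv1/TLSv1_1 warn on Python 3.10+
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = version
            ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return "unsupported-by-client"
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "enabled" if tls.version() else "disabled"
        except OSError:  # SSLError alert, EOF or reset during the handshake
            return "disabled"

def scan(host, port):
    """Probe every version in VERSIONS: {"TLSv1.2": "enabled", ...}."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS.items()}

def legacy_enabled(results):
    """Pre-1.2 versions the server still accepts; an empty list is the goal."""
    return sorted(n for n in ("TLSv1.0", "TLSv1.1") if results.get(n) == "enabled")
```

A "disabled" result for TLS 1.0 or 1.1 can also mean the local OpenSSL refused to offer that version, so confirm with openssl s_client -tls1_1 as shown above before treating it as proof.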
Enforcing Outbound HTTPS Protocols
Nexus Repository 2
Nexus Repository uses a custom connection factory and Apache HTTP Client for outbound communication.
In Nexus Repository 2.11 and newer, Nexus Repository defaults to negotiating a secure protocol with the remote that excludes known vulnerable protocols such as SSLv3.
Further, Nexus Repository 2.11 and newer provides a configurable method to limit the outbound protocols Nexus Repository will support.
1. Edit NEXUS_HOME/bin/jsw/conf/wrapper.conf. Note the highest number n used for the existing wrapper.java.additional.n properties.
2. After the line found in step 1, add

wrapper.java.additional.y=-Dhttps.protocols={list of protocols}

where y is the next available unused number greater than the n found in step 1, and {list of protocols} is the comma-separated list of protocol suite names that outbound HTTPS connections made by Nexus Repository are allowed to use. For example:

wrapper.java.additional.5=-Dhttps.protocols=TLSv1.1,TLSv1.2

Nexus Repository honors the protocols in the same way as defined by the JDK documentation for the https.protocols property.
3. Restart Nexus Repository to pick up the changes to wrapper.conf.
In Nexus Repository 2.10 and earlier, Nexus Repository tries to negotiate the most secure protocol that both its JVM and the remote server can agree on.
Nexus Repository 2.10 and earlier does not provide a configurable method to enforce outbound protocols.
General Java Networking Resources
Diagnosing TLS, SSL, and HTTPS in Java
Querying Remote SSL Protocol and Cipher Support
Listing Supported HTTPS Protocol Suite Names
The supported protocol suite names vary by JVM version. One way to list the suite names your JVM supports is the following Groovy one-liner:
groovy -e 'javax.net.ssl.SSLContext.getDefault().createSSLEngine().getSupportedProtocols().each{println(it)}'
If Groovy is not installed but a JDK is available, jrunscript can be used instead (the example below lists the supported protocols, matching the Groovy command):
/usr/jdk64/jdk1.8.0_261/bin/jrunscript -e 'var sp = javax.net.ssl.SSLContext.getDefault().createSSLEngine().getSupportedProtocols(); for (var i in sp) println(sp[i])'
These should print something like this:
SSLv2Hello
SSLv3
TLSv1
TLSv1.1
TLSv1.2