Nexus HTTPS Cipher Suites
Enforcing Inbound Cipher Suites With Bundled Jetty Server
Note: This section applies when you have configured Nexus to service HTTPS inbound connections using the bundled Jetty server as discussed in the book.
The general Eclipse Jetty instructions for specifying cipher suites apply.
If you only specify explicit cipher suites to include and don't specify any to exclude, then only the ones you include will be used.
- In Nexus 2.8.x and greater, edit
{NEXUS_HOME}/conf/jetty-https.xml. In Nexus 2.7.x and earlier, your jetty HTTPS configuration would have been in{NEXUS_HOME}/conf/jetty.xml. -
Find the SSLContextFactory configuration element and add/edit a Set configuration under this that defines your cipher suites. For example:
<New class="org.eclipse.jetty.util.ssl.SslContextFactory"> <Set name="keyStore">./conf/ssl/keystore.jks</Set> <Set name="trustStore">./conf/ssl/keystore.jks</Set> <Set name="keyStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set> <Set name="keyManagerPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set> <Set name="trustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set> <!-- It is recommended to use the IncludeCipherSuites with the regex unless you've reasons you need to specify specific cipher suites. This configuration will adapt to any additions/removals of cipher suites to new versions of the JDK. --> <Set name="IncludeCipherSuites"> <Array type="String"> <Item>.*RC4.*</Item> </Array> </Set> </New> -
Restart Nexus and verify that your Nexus supports your defined cipher suites for incoming connections.
Enforcing Inbound HTTPS Cipher Suites Using a Reverse Proxy or Proxy Server
If you access Nexus through a reverse proxy or HTTP proxy server, consult your networking team for instructions as configuration can vary.
Enforcing Outbound Allowed HTTPS Cipher Suites
Nexus uses a custom connection factory and Apache HTTP Client for it's outbound communication.
In Nexus 2.10 and earlier, Nexus tries to negotiate the most secure cipher suite that both the Nexus JVM and the remote server can agree on.
Nexus 2.11+ provides a configurable method to limit the outbound cipher suites Nexus will support ( NEXUS-7594 ).
- Edit
NEXUS_HOME/bin/jsw/conf/wrapper.conf. Note the highest numbernused for thejava.additional.arguments.nproperties. - After the line found in step 1, add
wrapper.java.additional.y=-Dhttps.cipherSuites={list of cipher suite names}whereyis the next available unused number greater thannfound in step 1 and{list of list of cipher suite names}is the comma separated list of suite names that are allowed to be supported by any outbound HTTPS connections made by Nexus.
Nexus will honour the cipher suites in same way as defined by the JDK documentation for thehttps.cipherSuitesproperty. - Restart Nexus to pick up changes to wrapper.conf
Nexus 2.10 and earlier does not provide a configurable method to enforce outbound cipher suites.
General Java Networking Resources
Diagnosing TLS, SSL, and HTTPS in Java
Listing Supported HTTPS Cipher Suites
The supported cipher suite names vary by JVM version. Oracle has an article that documents which Cipher suites are supported per JVM version. This article lists the standard cipher suite names as of JDK 8.
One method to get the list of suite names in your JVM is by using the following Groovy code:
groovy -e 'javax.net.ssl.SSLContext.getDefault().createSSLEngine().getSupportedCipherSuites().sort().each{println(it)}'
An example excerpt of what this should print is:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA ...
0 Comments