How to Configure HTTPS Cipher Suites Used By Nexus

Nexus HTTPS Cipher Suites

Enforcing Inbound Cipher Suites With Bundled Jetty Server

Note: This section applies when you have configured Nexus to service HTTPS inbound connections using the bundled Jetty server as discussed in the book.

The general Eclipse Jetty instructions for specifying cipher suites apply.

If you only specify explicit cipher suites to include and don't specify any to exclude, then only the ones you include will be used.

  1. In Nexus 2.8.x and greater, edit {NEXUS_HOME}/conf/jetty-https.xml. In Nexus 2.7.x and earlier, your jetty HTTPS configuration would have been in {NEXUS_HOME}/conf/jetty.xml.
  2. Find the SSLContextFactory configuration element and add/edit a Set configuration under this that defines your cipher suites. For example:

      <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
        <Set name="keyStore">./conf/ssl/keystore.jks</Set>
        <Set name="trustStore">./conf/ssl/keystore.jks</Set>
        <Set name="keyStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
        <Set name="keyManagerPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
        <Set name="trustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
        <!--
        Using IncludeCipherSuites with a regular expression is recommended unless you
        have a reason to name specific cipher suites: a pattern adapts to cipher
        suites being added to or removed from newer JDK versions.
        -->
        <Set name="IncludeCipherSuites">
          <Array type="String">
            <Item>.*RC4.*</Item>
          </Array>
        </Set>
      </New>
    
  3. Restart Nexus and verify that your Nexus supports your defined cipher suites for incoming connections.
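Before restarting, it helps to know which suites the include/exclude patterns will actually leave enabled. The following script is an added example, not code from this article or from the Jetty project. It models the filtering the article describes: each IncludeCipherSuites entry is treated as a regular expression that must match a whole suite name (the article's own example is the pattern `.*RC4.*`); when any include is present only matching suites survive, and ExcludeCipherSuites entries are then removed. Both XML fragments and the list standing in for the JVM's supported suites are constructed samples, the "hardened" patterns are this example's choice rather than a Sonatype recommendation, and the exact matching rules are an assumption to confirm against the Jetty version bundled with your Nexus.

```python
"""Preview which cipher suites a Jetty SslContextFactory include/exclude
configuration leaves enabled, before restarting Nexus.

Added example, not code from the Nexus article or the Jetty project. The XML
fragments and the "supported suites" list below are constructed samples.
"""
import re
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the article's example (RC4-only include).
SAMPLE_JETTY_XML = """\
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="keyStore">./conf/ssl/keystore.jks</Set>
    <Set name="IncludeCipherSuites">
      <Array type="String">
        <Item>.*RC4.*</Item>
      </Array>
    </Set>
  </New>
</Configure>
"""

# Constructed alternative: forward-secret AEAD suites only, with an explicit
# exclude as a safety net. These patterns are this example's choice.
HARDENED_JETTY_XML = """\
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="keyStore">./conf/ssl/keystore.jks</Set>
    <Set name="IncludeCipherSuites">
      <Array type="String">
        <Item>TLS_ECDHE_.*_GCM_.*</Item>
      </Array>
    </Set>
    <Set name="ExcludeCipherSuites">
      <Array type="String">
        <Item>.*_RC4_.*</Item>
        <Item>.*_NULL_.*</Item>
      </Array>
    </Set>
  </New>
</Configure>
"""

# Constructed sample standing in for the JVM's getSupportedCipherSuites() output.
SAMPLE_SUPPORTED_SUITES = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
]


def read_cipher_patterns(jetty_xml):
    """Return (include_patterns, exclude_patterns) from the SslContextFactory <New> element."""
    root = ET.fromstring(jetty_xml)
    factory = next((e for e in root.iter("New")
                    if "SslContextFactory" in e.get("class", "")), None)
    if factory is None:
        raise ValueError("no SslContextFactory <New> element found")
    patterns = {"IncludeCipherSuites": [], "ExcludeCipherSuites": []}
    for setter in factory.findall("Set"):
        name = setter.get("name")
        if name in patterns:
            patterns[name] = [item.text.strip() for item in setter.iter("Item") if item.text]
    return patterns["IncludeCipherSuites"], patterns["ExcludeCipherSuites"]


def select_suites(supported, includes, excludes):
    """Apply include-then-exclude filtering (assumed Jetty semantics: whole-name regex
    match); the order of the supported list is preserved."""
    def matches_any(suite, patterns):
        return any(re.fullmatch(p, suite) for p in patterns)

    enabled = [s for s in supported if matches_any(s, includes)] if includes else list(supported)
    return [s for s in enabled if not matches_any(s, excludes)]


def preview(jetty_xml, supported=SAMPLE_SUPPORTED_SUITES):
    """Suites a JVM offering `supported` would enable under this Jetty configuration."""
    includes, excludes = read_cipher_patterns(jetty_xml)
    return select_suites(supported, includes, excludes)


if __name__ == "__main__":
    for label, xml_text in (("article example", SAMPLE_JETTY_XML),
                            ("hardened example", HARDENED_JETTY_XML)):
        enabled = preview(xml_text)
        print(f"{label}: {len(enabled)} suite(s) enabled")
        for suite in enabled:
            print("  " + suite)
        if not enabled:
            print("  WARNING: no suite matched; the connector could not complete any handshake")
```

Feed `preview()` the real output of the listing command from the "Listing Supported HTTPS Cipher Suites" section to see what your JVM would offer; an empty result means every handshake would fail after the restart.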

Enforcing Inbound HTTPS Cipher Suites Using a Reverse Proxy or Proxy Server

If you access Nexus through a reverse proxy or HTTP proxy server, consult your networking team for instructions as configuration can vary.

Enforcing Outbound Allowed HTTPS Cipher Suites

Nexus uses a custom connection factory and Apache HTTP Client for its outbound communication.

In Nexus 2.10 and earlier, Nexus tries to negotiate the most secure cipher suite that both the Nexus JVM and the remote server can agree on.

Nexus 2.11+ provides a configurable method to limit the outbound cipher suites Nexus will support (NEXUS-7594).

  1. Edit NEXUS_HOME/bin/jsw/conf/wrapper.conf. Note the highest number n used by the wrapper.java.additional.n properties.
  2. After the line found in step 1, add wrapper.java.additional.y=-Dhttps.cipherSuites={list of cipher suite names}, where y is the next unused number greater than n and {list of cipher suite names} is the comma-separated list of suite names that outbound HTTPS connections made by Nexus are allowed to use.

    Nexus honours these cipher suites in the same way as defined by the JDK documentation for the https.cipherSuites property.
  3. Restart Nexus to pick up the changes to wrapper.conf.
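The three steps above can be scripted so that the next unused index is computed rather than read by eye. The following is an added example and not Sonatype's code. It finds the highest n among the wrapper.java.additional.n lines, inserts wrapper.java.additional.<n+1>=-Dhttps.cipherSuites=<names> directly after that line, and reads the property back for verification. The wrapper.conf text is a constructed sample (only the wrapper.java.additional.n lines matter to the procedure); the suite names used in the demo are standard JDK names, but whether your JVM supports them must be checked with the listing command given later in this article. A commented-out "#wrapper.java.additional.n" line still counts towards n here, an assumption made so the new property cannot collide with it if someone uncomments it later.

```python
"""Script the wrapper.conf edit described for Nexus 2.11+: find the highest n
used by wrapper.java.additional.n, then add
wrapper.java.additional.<n+1>=-Dhttps.cipherSuites=<comma separated names>
immediately after that line.

Added example, not Sonatype's code. SAMPLE_WRAPPER_CONF is constructed.
"""
import re

SAMPLE_WRAPPER_CONF = """\
# constructed wrapper.conf sample
wrapper.java.command=java
wrapper.java.additional.1=-Djava.io.tmpdir=./tmp
wrapper.java.additional.2=-Dfile.encoding=UTF8
wrapper.java.additional.3=-Djava.net.preferIPv4Stack=true
#wrapper.java.additional.4=-Dcom.sun.management.jmxremote
wrapper.startup.timeout=300
"""

# Commented-out entries are matched too (assumption: reserve their number).
ADDITIONAL_RE = re.compile(r"^\s*#?\s*wrapper\.java\.additional\.(\d+)\s*=")
SUITE_NAME_RE = re.compile(r"[A-Z0-9_]+")
CIPHER_PROPERTY_RE = re.compile(
    r"^\s*wrapper\.java\.additional\.\d+\s*=\s*-Dhttps\.cipherSuites=(.*)$")


def highest_additional_index(conf_text):
    """Return (highest n, 0-based line index where that n appears), or (0, None)."""
    highest, where = 0, None
    for i, line in enumerate(conf_text.splitlines()):
        m = ADDITIONAL_RE.match(line)
        if m and int(m.group(1)) > highest:
            highest, where = int(m.group(1)), i
    return highest, where


def add_outbound_cipher_suites(conf_text, suites):
    """Return conf_text with the https.cipherSuites property inserted after line n."""
    if not suites:
        raise ValueError("at least one cipher suite name is required")
    bad = [s for s in suites if not SUITE_NAME_RE.fullmatch(s)]
    if bad:
        raise ValueError(f"not valid JDK cipher suite names: {bad}")
    if "https.cipherSuites" in conf_text:
        raise ValueError("wrapper.conf already sets https.cipherSuites; edit that line instead")
    highest, where = highest_additional_index(conf_text)
    new_line = f"wrapper.java.additional.{highest + 1}=-Dhttps.cipherSuites={','.join(suites)}"
    lines = conf_text.splitlines()
    # No wrapper.java.additional.n line at all: append at the end of the file.
    lines.insert(len(lines) if where is None else where + 1, new_line)
    return "\n".join(lines) + "\n"


def outbound_cipher_suites(conf_text):
    """Read back the configured outbound suites (None when the property is absent)."""
    for line in conf_text.splitlines():
        m = CIPHER_PROPERTY_RE.match(line)
        if m:
            return [s.strip() for s in m.group(1).split(",") if s.strip()]
    return None


if __name__ == "__main__":
    wanted = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
              "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"]
    updated = add_outbound_cipher_suites(SAMPLE_WRAPPER_CONF, wanted)
    print(updated)
    print("configured:", outbound_cipher_suites(updated))
```

Run the result through `outbound_cipher_suites()` after editing the real file to confirm the property was written where the wrapper will read it; the function returns None if the line never made it in.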

Nexus 2.10 and earlier do not provide a configurable method to enforce outbound cipher suites.

General Java Networking Resources

Diagnosing TLS, SSL, and HTTPS in Java

Listing Supported HTTPS Cipher Suites

The supported cipher suite names vary by JVM version. Oracle has an article that documents which cipher suites are supported per JVM version. This article lists the standard cipher suite names as of JDK 8.

One method to get the list of suite names in your JVM is by using the following Groovy code:

groovy -e 'javax.net.ssl.SSLContext.getDefault().createSSLEngine().getSupportedCipherSuites().sort().each{println(it)}'

An example excerpt of what this should print is:

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
...
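A list like the one above is easier to turn into an include list or an https.cipherSuites value once each name is broken into its parts. The following script is an added example, not part of this article or of the JDK. It parses the standard TLS_<key exchange>_WITH_<cipher>_<MAC> naming (and the TLS 1.3 names, which have no key-exchange part) and flags what can be read from the name alone: RC4, DES/3DES, NULL or export-grade ciphers, anonymous key exchange, MD5 MACs, lack of forward secrecy and CBC mode. SAMPLE_SUITES combines the excerpt above with a few constructed additional names; the finding codes and the notion of a "clean" suite are this example's conventions, and the JDK's `TLS_EMPTY_RENEGOTIATION_INFO_SCSV` signalling value is skipped because it is not a cipher suite.

```python
"""Classify JDK cipher suite names, such as the getSupportedCipherSuites()
output shown in the article, so the list can be audited before it is pasted
into IncludeCipherSuites or -Dhttps.cipherSuites.

Added example, not part of the article or the JDK. SAMPLE_SUITES mixes the
article's excerpt with constructed additions.
"""
import re
from dataclasses import dataclass, field

# TLS_<kx>_WITH_<cipher>[_<mac>]; the MAC part is absent on CCM suites.
WITH_RE = re.compile(r"^(TLS|SSL)_(.+?)_WITH_(.+?)(?:_(SHA384|SHA256|SHA|MD5))?$")
# TLS 1.3 names carry no key-exchange part at all.
TLS13_RE = re.compile(r"^TLS_(AES_\d+_GCM|CHACHA20_POLY1305|AES_128_CCM(?:_8)?)_(SHA256|SHA384)$")

DESCRIPTIONS = {
    "RC4": "RC4 stream cipher (prohibited by RFC 7465)",
    "DES": "DES or 3DES block cipher (64-bit block size)",
    "NULL": "NULL cipher: no confidentiality",
    "EXPORT": "export-grade key lengths",
    "ANON": "anonymous key exchange: no server authentication",
    "NO_FS": "static key exchange: no forward secrecy",
    "MD5": "MD5-based MAC",
    "CBC": "CBC mode (MAC-then-encrypt; prefer AEAD such as GCM)",
    "SSL3_NAME": "SSL_ prefixed name: SSLv3-era suite",
}

SAMPLE_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    # constructed additions below
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "SSL_RSA_WITH_RC4_128_MD5",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]


@dataclass
class SuiteInfo:
    name: str
    key_exchange: str   # e.g. "ECDHE_RSA", "RSA", or "TLS13"
    cipher: str         # e.g. "AES_128_GCM", "RC4_128"
    mac: str            # e.g. "SHA256"; "" when the name has no MAC part
    forward_secrecy: bool
    findings: list = field(default_factory=list)

    @property
    def clean(self):
        return not self.findings


def parse_suite(name):
    """Parse one JDK cipher suite name into its parts and name-level findings."""
    m = TLS13_RE.match(name)
    if m:
        return SuiteInfo(name, "TLS13", m.group(1), m.group(2), True)
    m = WITH_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    prefix, kx, cipher, mac = m.groups()
    mac = mac or ""
    forward_secrecy = kx.startswith(("ECDHE", "DHE"))  # ephemeral (EC)DH only
    info = SuiteInfo(name, kx, cipher, mac, forward_secrecy)
    if "RC4" in cipher:
        info.findings.append("RC4")
    if "DES" in cipher:
        info.findings.append("DES")
    if cipher == "NULL":
        info.findings.append("NULL")
    if "EXPORT" in name:
        info.findings.append("EXPORT")
    if "anon" in kx:
        info.findings.append("ANON")
    if not forward_secrecy:
        info.findings.append("NO_FS")
    if mac == "MD5":
        info.findings.append("MD5")
    if "CBC" in cipher:
        info.findings.append("CBC")
    if prefix == "SSL":
        info.findings.append("SSL3_NAME")
    return info


def audit(names):
    """Map each suite name to its finding codes; signalling values (*_SCSV) are skipped."""
    return {n: parse_suite(n).findings for n in names if not n.endswith("_SCSV")}


def clean_suites(names):
    """Names with no findings: authenticated, forward-secret AEAD suites."""
    return [n for n in names if not n.endswith("_SCSV") and parse_suite(n).clean]


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_SUITES).items():
        notes = "; ".join(DESCRIPTIONS[f] for f in findings) or "ok"
        print(f"{name:48} {notes}")
    print("\nclean:", ", ".join(clean_suites(SAMPLE_SUITES)))
```

Piping the Groovy command's output into `audit()` shows at a glance that the excerpt above is entirely CBC suites and that the static-RSA and static-ECDH entries give no forward secrecy; `clean_suites()` is a starting point for an explicit include list.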