Visit my.sonatype.com for documentation on Nexus Repository version 2.
Configuring Inbound Eclipse Jetty Cipher Suites
Note: This article applies when you have configured Nexus Repository 2 to service HTTPS inbound connections using the bundled Eclipse Jetty server as discussed in the help documentation.
The general Eclipse Jetty instructions for specifying cipher suites apply.
Inbound Cipher Suites in Nexus Repository 2.15.0 or Newer
Nexus Repository 2.15.0 and newer use Eclipse Jetty 9, whose default internal configuration does not allow known insecure cipher suites, provided you are running the latest Java 8 release.
If you still wish to alter the allowed set of cipher suites, edit the SslContextFactory element inside {NEXUS_HOME}/conf/jetty-https.xml according to the Jetty documentation.
Inbound Cipher Suites in Nexus Repository 2.14.21 or Older
Nexus Repository 2.14.21 and older use Eclipse Jetty 8.
If you only specify explicit cipher suites to include and don't specify any to exclude, then only the ones you include will be used.
- Edit the Jetty HTTPS configuration file for your version:
  Nexus Repository 2.8.x to 2.14.21: {NEXUS_HOME}/conf/jetty-https.xml
  Nexus Repository 2.7.x and earlier: {NEXUS_HOME}/conf/jetty.xml
- Find the SslContextFactory configuration element and add or edit a Set element under it that defines your cipher suites. For example:

  <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="keyStore">./conf/ssl/keystore.jks</Set>
    <Set name="trustStore">./conf/ssl/keystore.jks</Set>
    <Set name="keyStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
    <Set name="keyManagerPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
    <Set name="trustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
    <!-- It is recommended to use IncludeCipherSuites with a regex unless you have
         reasons to specify particular cipher suites. A regex adapts to cipher suites
         being added to or removed from new versions of the JDK. -->
    <Set name="IncludeCipherSuites">
      <Array type="String">
        <Item>.*RC4.*</Item>
      </Array>
    </Set>
  </New>

  The .*RC4.* pattern only illustrates the regex form; RC4 is among the known insecure suites mentioned above, so in a real configuration use a pattern that matches the suites you actually want to allow.
- Restart Nexus Repository 2 and verify that it supports your defined cipher suites for incoming connections.
Enforcing Inbound HTTPS Cipher Suites Using a Reverse Proxy or Proxy Server
If you access Nexus Repository 2 through a reverse proxy or HTTP proxy server, consult your networking team for instructions, as the configuration varies by product.
Enforcing Outbound Allowed HTTPS Cipher Suites
Nexus Repository 2 uses a custom connection factory and Apache HTTP Client for its outbound communication.
In Nexus Repository 2.10 and earlier, Nexus Repository 2 tries to negotiate the most secure cipher suite that both the Nexus Repository JVM and the remote server can agree on.
Nexus Repository 2.11 and newer provide a configurable way to limit the outbound cipher suites Nexus Repository will support.
- Edit NEXUS_HOME/bin/jsw/conf/wrapper.conf. Note the highest number n used for the wrapper.java.additional.n properties.
- After the line found in step 1, add

  wrapper.java.additional.y=-Dhttps.cipherSuites={list of cipher suite names}

  where y is the next available unused number greater than the n found in step 1 and {list of cipher suite names} is the comma-separated list of suite names that are allowed to be supported by any outbound HTTPS connection made by Nexus Repository 2.
  Nexus Repository 2 honors the cipher suites in the same way as defined by the JDK documentation for the https.cipherSuites property.
- Restart Nexus Repository 2 to pick up the changes to wrapper.conf.
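The two wrapper.conf steps above, automated as an added example (not Sonatype's own tooling): it reads a constructed wrapper.conf excerpt, finds the highest wrapper.java.additional.n already in use, and appends the https.cipherSuites line under the next free number, after checking every suite name against an excerpt of the JVM's supported-suite list. The file contents, the SUPPORTED_SUITES set and all function names are assumptions made for this example.

```python
import re

# Constructed excerpt of NEXUS_HOME/bin/jsw/conf/wrapper.conf (hypothetical
# contents). Note the numbering gap 1, 2, 4: the highest n in use is 4.
SAMPLE_WRAPPER_CONF = """\
wrapper.java.command=java
wrapper.java.additional.1=-Djava.io.tmpdir=./tmp
wrapper.java.additional.2=-Djava.net.preferIPv4Stack=true
wrapper.java.additional.4=-XX:MaxPermSize=192m
wrapper.java.maxmemory=768
"""

# Constructed excerpt of what the Groovy one-liner on this page prints for a
# JDK 8 JVM; in practice, paste in the full output of that command.
SUPPORTED_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
}

ADDITIONAL_RE = re.compile(r"^wrapper\.java\.additional\.(\d+)=(.*)$")

def additional_properties(conf_text):
    """All (n, value) pairs taken from wrapper.java.additional.n=value lines."""
    found = []
    for line in conf_text.splitlines():
        m = ADDITIONAL_RE.match(line.strip())
        if m:
            found.append((int(m.group(1)), m.group(2)))
    return found

def highest_additional_index(conf_text):
    """Step 1: the highest n already used (0 if no such property is set)."""
    return max((n for n, _ in additional_properties(conf_text)), default=0)

def add_outbound_cipher_suites(conf_text, suites, supported=SUPPORTED_SUITES):
    """Step 2: append wrapper.java.additional.y=-Dhttps.cipherSuites=<list>
    with y = n + 1. Returns (new_conf_text, y)."""
    unknown = [s for s in suites if s not in supported]
    if unknown:  # a typo would otherwise only show up as failing outbound HTTPS
        raise ValueError("not supported by this JVM: " + ", ".join(unknown))
    if any(v.startswith("-Dhttps.cipherSuites=") for _, v in additional_properties(conf_text)):
        raise ValueError("https.cipherSuites is already set; edit that line instead")
    y = highest_additional_index(conf_text) + 1
    new_line = "wrapper.java.additional.%d=-Dhttps.cipherSuites=%s" % (y, ",".join(suites))
    return conf_text.rstrip("\n") + "\n" + new_line + "\n", y
```

Running add_outbound_cipher_suites on the sample text yields y = 5 and a file ending in the new wrapper.java.additional.5 line; a second run refuses to add a duplicate property.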
Nexus Repository 2.10 and earlier do not provide a configurable method to enforce outbound cipher suites.
General Java Networking Resources
Diagnosing TLS, SSL, and HTTPS in Java
Listing Supported HTTPS Cipher Suites
The supported cipher suite names vary by JVM version. Oracle has an article that documents which cipher suites are supported per JVM version. This article lists the standard cipher suite names as of JDK 8.
One method to get the list of suite names in your JVM is by using the following Groovy code:
groovy -e 'javax.net.ssl.SSLContext.getDefault().createSSLEngine().getSupportedCipherSuites().sort().each{println(it)}'
An example excerpt of what this should print, one suite name per line, is:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
...