How to Configure HTTPS Cipher Suites Used By Nexus Repository 2

Visit my.sonatype.com for documentation on Nexus Repository version 2.

Configuring Inbound Eclipse Jetty Cipher Suites

Note: This article applies when you have configured Nexus Repository 2 to service HTTPS inbound connections using the bundled Eclipse Jetty server as discussed in the help documentation.

The general Eclipse Jetty instructions for specifying cipher suites apply.

Inbound Cipher Suites in Nexus Repository 2.15.0 or Newer

Nexus Repository 2.15.0 uses Eclipse Jetty 9 and is configured by default internally to not allow known insecure cipher suites as long as you are using the latest Java 8 version.

If you still wish to alter the allowed set of cipher suites, you can edit the SslContextFactory inside {NEXUS_HOME}/conf/jetty-https.xml according to the Jetty documentation.

Inbound Cipher Suites in Nexus Repository 2.14.21 or Older

Nexus Repository 2.14.21 and older use Eclipse Jetty 8.

If you only specify explicit cipher suites to include and don't specify any to exclude, then only the ones you include will be used.

  1. Nexus Repository 2.8.x to 2.14.21: edit {NEXUS_HOME}/conf/jetty-https.xml.
    Nexus Repository 2.7.x and earlier: edit {NEXUS_HOME}/conf/jetty.xml.
  2. Find the SslContextFactory configuration element and add or edit a Set element under it that defines your cipher suites. For example:

      <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
        <Set name="keyStore">./conf/ssl/keystore.jks</Set>
        <Set name="trustStore">./conf/ssl/keystore.jks</Set>
        <Set name="keyStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
        <Set name="keyManagerPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
        <Set name="trustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
        <!--
        It is recommended to use IncludeCipherSuites with a regex unless you have a reason to
        name specific cipher suites. A regex configuration adapts to cipher suites being
        added to or removed from newer versions of the JDK.
        -->
        <Set name="IncludeCipherSuites">
          <Array type="String">
            <Item>.*RC4.*</Item>
          </Array>
        </Set>
      </New>
    
  3. Restart Nexus Repository 2 and verify that it supports your defined cipher suites for incoming connections.

Enforcing Inbound HTTPS Cipher Suites Using a Reverse Proxy or Proxy Server

If you access Nexus Repository 2 through a reverse proxy or HTTP proxy server, consult your networking team for instructions as configuration can vary.

Enforcing Outbound Allowed HTTPS Cipher Suites

Nexus Repository 2 uses a custom connection factory and Apache HTTP Client for its outbound communication.

In Nexus Repository 2.10 and earlier, Nexus Repository 2 tries to negotiate the most secure cipher suite that both the Nexus Repository JVM and the remote server can agree on.

Nexus Repository 2.11+ provides a configurable method to limit the outbound cipher suites Nexus Repository will support.

  1. Edit NEXUS_HOME/bin/jsw/conf/wrapper.conf. Note the highest number n used for the wrapper.java.additional.n properties.
  2. After the line found in step 1, add wrapper.java.additional.y=-Dhttps.cipherSuites={list of cipher suite names}, where y is the next unused number greater than n found in step 1 and {list of cipher suite names} is the comma-separated list of suite names that may be used by any outbound HTTPS connection made by Nexus Repository 2.

    Nexus Repository 2 will honor the cipher suites in the same way as defined by the JDK documentation for the https.cipherSuites property.
  3. Restart Nexus Repository 2 to pick up the changes to wrapper.conf.

Nexus Repository 2.10 and earlier do not provide a configurable method to enforce outbound cipher suites.

General Java Networking Resources

Diagnosing TLS, SSL, and HTTPS in Java

Listing Supported HTTPS Cipher Suites

The supported cipher suite names vary by JVM version. Oracle has an article that documents which cipher suites are supported per JVM version, including the standard cipher suite names as of JDK 8.

One method to get the list of suite names in your JVM is by using the following Groovy code:

groovy -e 'javax.net.ssl.SSLContext.getDefault().createSSLEngine().getSupportedCipherSuites().sort().each{println(it)}'

An example excerpt of what this should print is:

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
...
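To preview what the two settings above do before restarting, here is an added Python model of the selection logic (not Nexus or Jetty code): it applies Jetty-style include/exclude patterns and splits a -Dhttps.cipherSuites value against a supported-suite list like the one the Groovy one-liner prints. It assumes, as in Jetty's SslContextFactory, that each include/exclude entry is a regex that must match the whole suite name, that a non-empty include list replaces the JVM's default enabled set, and that excludes are removed afterwards; the suite lists are constructed samples, and Python's re.fullmatch stands in for Java's Matcher.matches().

```python
import re

# Constructed sample: a subset of what the Groovy one-liner in this article prints
# on a JDK 8 JVM, plus two RC4 suites so the article's ".*RC4.*" pattern has
# something to match. Order mirrors the JVM's supported-suite order.
SUPPORTED = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_RC4_128_SHA",
]
# Constructed assumption: the JVM's default enabled set leaves the RC4 suites out.
DEFAULT_ENABLED = [s for s in SUPPORTED if "RC4" not in s]


def select_cipher_suites(supported, enabled, includes=(), excludes=()):
    """Suites Jetty would enable, in `supported` order (assumed Jetty semantics).

    With includes set, the starting set is every supported suite matching any
    include regex; otherwise it is the JVM's enabled set. Excludes then remove
    any suite matching an exclude regex, so an exclude always wins.
    """
    if includes:
        inc = [re.compile(p) for p in includes]
        selected = [s for s in supported if any(p.fullmatch(s) for p in inc)]
    else:
        selected = list(enabled)
    exc = [re.compile(p) for p in excludes]
    return [s for s in selected if not any(p.fullmatch(s) for p in exc)]


def parse_https_cipher_suites(value, supported):
    """Split a -Dhttps.cipherSuites value; return (known, unknown) suite names."""
    names = [n.strip() for n in value.split(",") if n.strip()]
    known = [n for n in names if n in supported]
    unknown = [n for n in names if n not in supported]
    return known, unknown


if __name__ == "__main__":
    # The article's own include pattern: only the RC4 suites survive.
    print(select_cipher_suites(SUPPORTED, DEFAULT_ENABLED, includes=[".*RC4.*"]))
    # Excluding a whole-name pattern: SHA256 suites are kept, plain SHA ones dropped.
    print(select_cipher_suites(SUPPORTED, DEFAULT_ENABLED, excludes=[".*_CBC_SHA"]))
    print(parse_https_cipher_suites(
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_FOO_WITH_BAR", SUPPORTED))
```

Names returned in the unknown list should be checked against your JVM's supported list before they go into wrapper.conf, since the JVM, not Nexus Repository, decides which names it recognises.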