Symptom
Customers upgrading Sonatype Docker images or images based on them may discover that outbound TLS connections from Sonatype server products no longer work.
Sonatype server product application logs report TLS-related exceptions complaining that algorithm constraints have been violated.
Examples of the messages that may appear (the list is not exhaustive):
javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
Cause
Official Sonatype Docker Images are continually reviewed and updated to reflect industry best practice for security.
This can mean that image dependencies like the OS used, patch levels, and Java runtime will be updated and inherit recommended security constraints.
In the case of TLS connections failing with the symptoms noted above, the attempted connection fails because the remote party does not conform to industry best practices for secure connections (for example, it offers a Diffie-Hellman key or a certificate algorithm that the runtime's policy no longer accepts).
Major Base Image Changes 2019
To improve the default security of our Docker image containers, we switched the base image from CentOS to the Red Hat Universal Base Image (UBI).
This change was made starting in these versions:
Nexus Repository Manager 2.14.14
Nexus Repository Manager 3.18.0
Resolution
A serious attempt should be made to bring the remote side of the TLS connection into conformance with current security standards, rather than weakening the minimum security requirements of the Sonatype product in general.
Workaround: Weakening Java Cryptographic Security Requirements
We realize that in some cases a short-term workaround may be needed until the remote side can correct its security policies.
The underlying Sonatype Docker images pick up the security policy enforcement of the Fedora project (and consequently of either CentOS or the Red Hat Universal Base Image (UBI)).
The Fedora project sets a consistent security level for all applications, including Java-based ones, using a system-level Java security policy file as described in this document:
https://fedoraproject.org/wiki/Changes/JavaCryptoPolicies
In the case of Java applications such as those offered by the Sonatype Docker images, the system-level file is located at:
/etc/crypto-policies/back-ends/java.config
This overriding OS-level policy file may be news if you are used to adjusting Java runtime security policy through the JRE-specific file at <java-home>/lib/security/java.security.
Adjust the Java cryptographic requirements as needed by following the document below, replacing every mention of lib/security/java.security with /etc/crypto-policies/back-ends/java.config:
https://www.java.com/en/configure_crypto.html
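The following POSIX shell script is an added example for this workaround; it is not Sonatype's code and not part of the linked documents. It shows how to read the constraint lists that the system-level java.config imposes and how to produce a copy of that file with exactly one constraint removed, so the weakening is reviewable as a diff and can be reverted once the remote side is fixed. It assumes the file uses the standard java.security property syntax, in which the JDK properties jdk.tls.disabledAlgorithms (the source of "DHPublicKey does not comply to algorithm constraints", via its DH key-size entry) and jdk.certpath.disabledAlgorithms (the source of "Certificates do not conform to algorithm constraints") hold comma-separated constraint tokens. The sample policy the script writes is constructed for the example and is not the real file shipped by any distribution.

```sh
#!/bin/sh
# Added example, not Sonatype's code: inspect the system-wide Java crypto
# policy that Fedora/CentOS/UBI based images enforce through
# /etc/crypto-policies/back-ends/java.config, and produce a reviewable
# copy with exactly one constraint relaxed.
#
# Assumptions: the file uses java.security property syntax, where
# jdk.tls.disabledAlgorithms and jdk.certpath.disabledAlgorithms (both
# standard JDK properties) hold comma-separated constraint tokens such as
# "DH keySize < 1024". The sample policy written below is CONSTRUCTED for
# this example and is not the real file shipped by any distribution.

# Write a constructed sample policy to the path given as $1.
write_sample_policy() {
    cat > "$1" <<'EOF'
# constructed sample, not a real distribution file
jdk.tls.disabledAlgorithms=DH keySize < 1024, TLSv1.1, TLSv1, SSLv3, RC4_128
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 2048
EOF
}

# Print the constraint list currently in force for property $2 in file $1.
show_constraints() {
    sed -n "s/^$2=//p" "$1"
}

# Copy policy file $1 to $3, removing the single constraint token $2
# (exact, whitespace-trimmed match) from property $4. Every other line is
# kept byte-for-byte, so `diff` of the two files shows exactly the
# weakening that was applied.
relax_constraint() {
    awk -v prop="$4" -v token="$2" '
        index($0, prop "=") == 1 {
            value = substr($0, length(prop) + 2)
            n = split(value, parts, ",")
            kept = ""
            for (i = 1; i <= n; i++) {
                t = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", t)
                if (t == token) continue
                kept = (kept == "") ? t : kept ", " t
            }
            print prop "=" kept
            next
        }
        { print }
    ' "$1" > "$3"
}

# Stand-alone demonstration: relax only the DH key-size floor, which is the
# constraint behind "DHPublicKey does not comply to algorithm constraints".
demo() {
    orig=$(mktemp) && relaxed=$(mktemp)
    write_sample_policy "$orig"
    echo "before: $(show_constraints "$orig" jdk.tls.disabledAlgorithms)"
    relax_constraint "$orig" "DH keySize < 1024" "$relaxed" jdk.tls.disabledAlgorithms
    echo "after:  $(show_constraints "$relaxed" jdk.tls.disabledAlgorithms)"
    rm -f "$orig" "$relaxed"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh relax-policy.sh demo` to see the before/after constraint lists. To apply a relaxed copy to a running Sonatype container, bind-mount it over the policy path (for example `docker run -v /path/to/java.config.relaxed:/etc/crypto-policies/back-ends/java.config ...`) or copy it into a derived image; on hosts managed by update-crypto-policies that path is usually a symlink into the active policy directory, so replace the target rather than editing it in place. Remove only the single token the remote side violates, keep the original file alongside for comparison, and restore it as soon as the remote side conforms.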