NEXUS-10987

NoClassDefFoundError for SSLSocketImpl on non-Oracle JVM prevents proxying https remote

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.10, 2.11, 2.12.0, 2.12.1, 2.13, 2.14
    • Fix Version/s: 2.14.2
    • Component/s: Transport
    • Labels:
      None
    • Story Points:
      2
    • Sprint:
      Sprint 81

      Description

      The fix for NEXUS-6838 introduced a hard dependency on sun.security.ssl.SSLSocketImpl. JREs with alternative JSSE implementations like the IBM JRE do not ship this class.

      This dependency leads to a NoClassDefFoundError on attempts to configure a proxy repository with an HTTPS URL, and thus renders the proxy repository feature unusable for https URLs on non-Oracle JVMs.

      Symptoms

      1. Browsing remote for proxy repositories with https remote does not work
      2. Logfile shows
      SEVERE: Unhandled exception or error intercepted
      java.lang.NoClassDefFoundError: sun/security/ssl/SSLSocketImpl
              at org.sonatype.nexus.apachehttpclient.NexusSSLConnectionSocketFactory.connectSocket(NexusSSLConnectionSocketFactory.java:114)
              at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:123)
              at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:318)
              at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:363)
              at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:219)
              at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)
      

      Steps to reproduce:

      1. download and install IBM JRE
      2. start nexus 2.x with IBM JRE
      3. configure a proxy repository with a https remote
      4. navigate to "browse remote" and try to browse the content

      Suggested fix

      Use the platform-independent way to set the host for SNI as documented by Oracle: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#SNIExamples

      Quick fix

      Remove dependency on Oracle JRE by using reflection to access SSLSocketImpl.

      The quick fix makes https usable for non-Oracle JREs, but removes SNI support for these JREs.


      ---
      The quick fix was implemented in this issue - SNI still does not work for any JVM other than Oracle JVMs. See NEXUS-6844.

      ---
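
The platform-independent approach named under "Suggested fix", as an added example that is not Nexus code and not part of the original report: it sets the SNI host through the standard javax.net.ssl API (Java 8 or later), so nothing references sun.security.ssl classes. The class name PortableSni, the connect method and the timeout value are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public final class PortableSni {

    /** Opens a TLS connection and sets the SNI host using only the standard JSSE API. */
    static SSLSocket connect(SSLSocketFactory factory, String host, int port, int timeoutMs)
            throws IOException {
        SSLSocket socket = (SSLSocket) factory.createSocket(); // unconnected socket
        try {
            SSLParameters params = socket.getSSLParameters();
            try {
                params.setServerNames(
                    Collections.<SNIServerName>singletonList(new SNIHostName(host)));
            } catch (IllegalArgumentException e) {
                // Not a legal SNI host name: connect without the extension.
            }
            // Have JSSE check the certificate against the host during the handshake.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.connect(new InetSocketAddress(host, port), timeoutMs);
            socket.startHandshake();
            return socket;
        } catch (IOException | RuntimeException e) {
            socket.close(); // do not leak the socket on a failed connect or handshake
            throw e;
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java PortableSni <https-host>");
            return;
        }
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = connect(factory, args[0], 443, 10_000)) {
            System.out.println(socket.getSession().getProtocol() + " "
                + socket.getSession().getCipherSuite());
        }
    }
}
```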

              People

              Assignee:
              jtom Joe Tom
              Reporter:
              martin.kutter@fen-net.de Martin Kutter
              Last Updated By:
              Peter Lynch Peter Lynch
              Votes:
              0
              Watchers:
              3