Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-10987

NoClassDefFoundError for SSLSocketImpl on non-Oracle JVM prevents proxying https remote

Details

    • Bug
    • Resolution: Fixed
    • Minor
    • 2.14.2
    • 2.10, 2.11, 2.12.0, 2.12.1, 2.13, 2.14
    • Transport
    • None
    • 2
    • Sprint 81

    Description

      Description

      The fix for NEXUS-6838 introduced a hard dependency on sun.security.ssl.SSLSocketImpl. JREs with alternative JSSE implementations like the IBM JRE do not ship this class.

      This dependency leads to a NoClassDefFoundError on attempts to configure a proxy repository with a HTTPS URL, and thus renders the proxy repository feature unusable for https URLs on non-Oracle JVMs.

      Symptoms

      1. Browsing remote for proxy repositories with https remote does not work
      2. Logfile shows
      SEVERE: Unhandled exception or error intercepted
      java.lang.NoClassDefFoundError: sun/security/ssl/SSLSocketImpl
              at org.sonatype.nexus.apachehttpclient.NexusSSLConnectionSocketFactory.connectSocket(NexusSSLConnectionSocketFactory.java:114)
              at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:123)
              at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:318)
              at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:363)
              at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:219)
              at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)
      

      Steps to reproduce:

      1. download and install IBM JRE
      2. start nexus 2.x with IBM JRE
      3. configure a proxy repository with a https remote
      4. navigate to "browse remote" and try to browse the content

      Suggested fix

      Use the plattform independent way to set the host for SNI as documented by Oracle: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#SNIExamples

      Quick fix

      Remove dependency on Oracle JRE by using reflection to access SSLSocketImpl.

      The quick fix makes https usable for non-Oracle JREs, but removes SNI support for these JREs.


      ---
      The quick was implemented in this issue - SNI still does not work for any JVM other than Oracle JVMs. See NEXUS-6844.

      ---

      Attachments

        Issue Links

          Activity

            People

              jtom Joe Tom
              martin.kutter@fen-net.de Martin Kutter
              Peter Lynch Peter Lynch
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                tigCommentSecurity.panel-title