Details
Improvement
Resolution: Fixed
Major
3.28.1, 2.14.21
Yes
4
Description
Booting up 3.28.1 configured to directly serve HTTPS, I'm seeing TLSv1.0 and TLSv1.1 enabled by default.
$ sslscan localhost:8443
Version: 2.0.6-static
OpenSSL 1.1.1h  22 Sep 2020

Connected to 127.0.0.1

Testing SSL server localhost on port 8443 using SNI name localhost

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   enabled
TLSv1.1   enabled
TLSv1.2   enabled
TLSv1.3   disabled
Jetty 9.4 documents that these protocols are not enabled by default.
https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#tls-and-ssl-versions
However, what that documentation means in effect is that by default Jetty excludes the cipher suites that could be used to establish TLSv1 or TLSv1.1 connections; it does not exclude the protocols themselves.
Expected
Explicitly allow only TLSv1.2 for inbound Jetty connector HTTPS connections, regardless of which cipher suites the JVM has available.
Workaround
This is partially a by-product of our shipped jetty-https.xml containing non-default, insecure cipher suites instead of using the Jetty defaults.
If NEXUS-20267 is fixed, then only cipher suites usable with TLSv1.2 will be reported as supported by Jetty when running on a non-customized modern JVM. This will likely be "good enough" for most security scanning software to pass.
However, depending on how the JVM is configured or customized, Jetty may still accept some non-TLSv1.2 inbound connections using cipher suites that are not "normal", i.e. when you have customized the available cipher suites and security settings at the JVM level for some other reason.
To explicitly tell Jetty/NXRM to allow only the TLSv1.2 protocol for inbound connections, regardless of the cipher suites available in the JVM, add the section below to the jetty-https.xml configuration as a child element of the <New id="sslContextFactory" ...> element:
<Set name="IncludeProtocols">
  <Array type="java.lang.String">
    <Item>TLSv1.2</Item>
  </Array>
</Set>
You can confirm the change has been applied by adding the following property to etc/nexus.properties, which makes Jetty dump its configuration after startup (the dump is written at ERROR level; look for the "Protocol Selections" section of the connector's SslContextFactory):
jetty.dump.start=true
2020-11-10 09:19:56,074-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - | | +> Protocol Selections
2020-11-10 09:19:56,075-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - | | | +> Enabled size=1
2020-11-10 09:19:56,075-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - | | | | +> TLSv1.2
2020-11-10 09:19:56,075-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - | | | +> Disabled size=4
2020-11-10 09:19:56,075-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - | | | +> SSLv2Hello - ConfigExcluded:'SSLv2Hello', ConfigIncluded:NotSelected
2020-11-10 09:19:56,076-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - | | | +> SSLv3 - ConfigExcluded:'SSLv3', ConfigIncluded:NotSelected JVM:disabled
2020-11-10 09:19:56,076-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - | | | +> TLSv1 - ConfigIncluded:NotSelected
2020-11-10 09:19:56,076-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - | | | +> TLSv1.1 - ConfigIncluded:NotSelected
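As an added check (example code written for this page, not code from the issue, from Sonatype or from Jetty), the script below verifies the workaround two ways: it parses the "Protocol Selections" section of a Jetty dump like the one above, counting entries by the "size=N" headings rather than trusting the tree indentation, and it can actively probe a host:port one TLS version at a time the way sslscan does. The sample dump lines are the ones from this issue; the default host, port and allow-list of TLSv1.2 only are assumptions, and the live probe is subject to the caveat in its docstring.

```python
"""Check that a Jetty/NXRM HTTPS connector only offers the intended TLS versions.

Two independent checks (added example, not from the issue):
  parse_protocol_selections()  -- read a Jetty dump (jetty.dump.start=true)
  probe_protocols()            -- handshake per TLS version, as sslscan does
"""
import re
import socket
import ssl
import sys

# Constructed sample: the dump lines from the issue, one per line.
SAMPLE_DUMP = """\
2020-11-10 09:19:56,074-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - | | +> Protocol Selections
2020-11-10 09:19:56,075-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - | | | +> Enabled size=1
2020-11-10 09:19:56,075-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - | | | | +> TLSv1.2
2020-11-10 09:19:56,075-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - | | | +> Disabled size=4
2020-11-10 09:19:56,075-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - | | | +> SSLv2Hello - ConfigExcluded:'SSLv2Hello', ConfigIncluded:NotSelected
2020-11-10 09:19:56,076-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - | | | +> SSLv3 - ConfigExcluded:'SSLv3', ConfigIncluded:NotSelected JVM:disabled
2020-11-10 09:19:56,076-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - | | | +> TLSv1 - ConfigIncluded:NotSelected
2020-11-10 09:19:56,076-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - | | | +> TLSv1.1 - ConfigIncluded:NotSelected
"""

_HEADER = re.compile(r"\+>\s+(Enabled|Disabled)\s+size=(\d+)")
_ENTRY = re.compile(r"\+>\s+(\S+)(?:\s+-\s+(.*))?\s*$")


def parse_protocol_selections(dump_text):
    """Return (enabled, disabled): dicts of protocol name -> selection reason.

    Each heading says how many entries follow ("size=N"), so we count entries
    instead of trusting the '| | |' indentation, which log viewers and copy/paste
    tend to mangle.
    """
    enabled, disabled = {}, {}
    target, remaining, in_section = None, 0, False
    for line in dump_text.splitlines():
        if "Protocol Selections" in line:
            in_section = True
            continue
        if not in_section:
            continue
        header = _HEADER.search(line)
        if header:
            target = enabled if header.group(1) == "Enabled" else disabled
            remaining = int(header.group(2))
            continue
        if remaining > 0:
            entry = _ENTRY.search(line)
            if entry:
                target[entry.group(1)] = entry.group(2) or ""
                remaining -= 1
                continue
        if target is disabled and remaining == 0:  # both lists consumed
            break
    return enabled, disabled


def policy_violations(enabled, allowed=("TLSv1.2",)):
    """Enabled protocols outside the allow-list; an empty list means compliant."""
    return sorted(set(enabled) - set(allowed))


_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_protocols(host, port, timeout=5.0):
    """Attempt one handshake per TLS version, pinned to exactly that version.

    Returns {name: True (accepted) | False (refused) | None (local OpenSSL
    cannot offer it)}.  Caveat: a client OpenSSL with a high security level or
    a MinProtocol setting refuses TLSv1.0/1.1 itself, which shows up here as
    None/False whatever the server does; a statically linked sslscan avoids that.
    """
    results = {}
    for name, version in _VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # we test protocol support, not trust
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except (ValueError, ssl.SSLError):
            results[name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[name] = True  # pinned version, so handshake == accepted
        except OSError:  # ssl.SSLError and socket errors are both OSError
            results[name] = False
    return results


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumed defaults
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    live = probe_protocols(host, port)
    for name, ok in live.items():
        print(f"{name:8} {'enabled' if ok else 'untestable' if ok is None else 'disabled'}")
    sys.exit(1 if policy_violations({n for n, ok in live.items() if ok}) else 0)
```

Run it against the connector after restarting with the IncludeProtocols change; a non-zero exit means a protocol outside the allow-list was negotiated. If you also want TLSv1.3 (supported by Jetty 9.4 on Java 11 and later), pass allowed=("TLSv1.2", "TLSv1.3") to policy_violations and add the matching <Item> to IncludeProtocols.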
Issue Links
- is related to NEXUS-20267: only allow the most secure cipher suites and TLS protocol versions for inbound HTTPS connections by default (Closed)