  1. Dev - Nexus Repo
  2. NEXUS-25786

explicitly disable TLS 1.0 and 1.1 for inbound HTTPS connections by default




      Booting up 3.28.1 configured to directly serve HTTPS, I'm seeing TLSv1.0 and TLSv1.1 enabled by default.

      $ sslscan localhost:8443
      Version: 2.0.6-static
      OpenSSL 1.1.1h  22 Sep 2020
      Connected to
      Testing SSL server localhost on port 8443 using SNI name localhost
        SSL/TLS Protocols:
      SSLv2     disabled
      SSLv3     disabled
      TLSv1.0   enabled
      TLSv1.1   enabled
      TLSv1.2   enabled
      TLSv1.3   disabled

      Jetty 9.4 documents that these protocols are not enabled by default.


      However, in effect what they mean to state is that by default Jetty excludes TLSv1 or TLSv1.1 ciphers that could be used to establish these protocol connections.



      Explicitly only allow TLSv1.2 to be used for inbound Jetty connector HTTPS connections, despite whatever ciphers the JVM has available. 


      This is partially a by-product of our shipped jetty-https.xml containing non-default, insecure cipher suites instead of using the Jetty defaults.

      If NEXUS-20267 is fixed, then only TLSv2 ciphers will be reported as supported by Jetty when using a non-customized modern JVM version. This will likely be "good enough" for most security scanning software to pass.

      However, depending on how the JVM is configured/customized, Jetty may still allow some non-TLS1.2 protocol inbound connections using ciphers that are not "normal", i.e. you have customized the available ciphers and security settings at the JVM level for some other reasons.

      To explicitly tell Jetty/NXRM to only allow the TLSv1.2 protocol for inbound connections, despite the ciphers available in the JVM, one can add the section below to the jetty-https.xml configuration as a child element under the <New id="sslContextFactory" ... element:

        <Set name="IncludeProtocols">
          <Array type="java.lang.String"><Item>TLSv1.2</Item></Array>
        </Set>

      You can confirm your changes have been applied by adding a property to etc/nexus.properties to dump Jetty config after startup:

      Tell Jetty to dump config after startup
      Jetty debug dump in nexus.log after startup, confirming only TLSv1.2 is enabled
      2020-11-10 09:19:56,074-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - |  |        +> Protocol Selections
      2020-11-10 09:19:56,075-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - |  |        |  +> Enabled size=1
      2020-11-10 09:19:56,075-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - |  |        |  |  +> TLSv1.2
      2020-11-10 09:19:56,075-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - |  |        |  +> Disabled size=4
      2020-11-10 09:19:56,075-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - |  |        |     +> SSLv2Hello - ConfigExcluded:'SSLv2Hello', ConfigIncluded:NotSelected
      2020-11-10 09:19:56,076-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - |  |        |     +> SSLv3 - ConfigExcluded:'SSLv3', ConfigIncluded:NotSelected JVM:disabled
      2020-11-10 09:19:56,076-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - |  |        |     +> TLSv1 - ConfigIncluded:NotSelected
      2020-11-10 09:19:56,076-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - |  |        |     +> TLSv1.1 - ConfigIncluded:NotSelected
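
      The check on the dump above can be automated. The following is an added example, not part of the original issue and not Nexus or Jetty code: it parses the "Protocol Selections" section of a Jetty dump and reports any enabled protocol other than TLSv1.2. The sample log text is constructed from the lines shown above; the sibling "Cipher Suite Selections" node and the `sample`, `protocol_selections` and `weak_protocols` names are assumptions made for the example.

```python
import re

# Constructed sample input modelled on the dump lines above; the sibling
# "Cipher Suite Selections" node and its cipher name are assumptions.
PREFIX = ("2020-11-10 09:19:56,075-0400 ERROR [jetty-main-1] *SYSTEM "
          "org.eclipse.jetty.util.component.Dumpable - ")

def sample(enabled, disabled):
    nodes = ["|  |        +> Protocol Selections",
             f"|  |        |  +> Enabled size={len(enabled)}"]
    nodes += [f"|  |        |  |  +> {p}" for p in enabled]
    nodes += [f"|  |        |  +> Disabled size={len(disabled)}"]
    nodes += [f"|  |        |     +> {p} - ConfigIncluded:NotSelected" for p in disabled]
    nodes += ["|  |        +> Cipher Suite Selections", "|  |        |  +> Enabled size=1",
              "|  |        |  |  +> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
    return "\n".join(PREFIX + n for n in nodes)

HARDENED = sample(["TLSv1.2"], ["SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"])
DEFAULT = sample(["TLSv1", "TLSv1.1", "TLSv1.2"], ["SSLv2Hello", "SSLv3"])

# The tree prefix ("|" and spaces) before "+>" gives the node's depth.
NODE = re.compile(r"Dumpable - (?P<tree>[| ]*)\+> (?P<text>\S.*)$")

def protocol_selections(log_text):
    """Collect the Enabled/Disabled children of each 'Protocol Selections' node."""
    found = {"Enabled": [], "Disabled": []}
    section = bucket = bucket_depth = None
    for line in log_text.splitlines():
        m = NODE.search(line)
        if not m:
            continue
        depth, text = len(m["tree"]), m["text"].strip()
        head = text.split()[0]
        if text == "Protocol Selections":
            section, bucket = depth, None
        elif section is None or depth <= section:
            section = None              # outside, or a sibling such as cipher suites
        elif head in found and (bucket is None or depth <= bucket_depth):
            bucket, bucket_depth = head, depth
        elif bucket and depth > bucket_depth:
            found[bucket].append(head)
    return found

def weak_protocols(log_text, allowed=("TLSv1.2",)):
    """Enabled protocols outside `allowed`; ValueError if no dump section exists."""
    enabled = protocol_selections(log_text)["Enabled"]
    if not enabled:
        raise ValueError("no 'Protocol Selections' dump found in log")
    return sorted(set(enabled) - set(allowed))
```

      An empty list from `weak_protocols` means only the allowed protocol is enabled; the `ValueError` keeps a log without a dump from being read as a pass.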





              Unassigned Unassigned
              rseddon Rich Seddon
              Peter Lynch Peter Lynch