Dev - Nexus Repo
NEXUS-25786

explicitly disable TLS 1.0 and 1.1 for inbound HTTPS connections by default

    Description

      Booting up 3.28.1 configured to directly serve HTTPS, I'm seeing TLSv1.0 and TLSv1.1 enabled by default.

      $ sslscan localhost:8443
      Version: 2.0.6-static
      OpenSSL 1.1.1h  22 Sep 2020
      
      Connected to 127.0.0.1
      
      Testing SSL server localhost on port 8443 using SNI name localhost
      
        SSL/TLS Protocols:
      SSLv2     disabled
      SSLv3     disabled
      TLSv1.0   enabled
      TLSv1.1   enabled
      TLSv1.2   enabled
      TLSv1.3   disabled
      

      Jetty 9.4 documents that these protocols are not enabled by default.

      https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#tls-and-ssl-versions

      However, what the documentation actually means is that, by default, Jetty excludes the cipher suites that could be used to establish TLSv1.0 or TLSv1.1 connections; the protocol versions themselves are not excluded.

      https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L120

      Expected

      Explicitly allow only TLSv1.2 for inbound Jetty connector HTTPS connections, regardless of which cipher suites the JVM makes available.

      Workaround

      This is partly a by-product of the shipped jetty-https.xml containing non-default, insecure cipher suites instead of relying on the Jetty defaults.

      If NEXUS-20267 is fixed, then only TLSv1.2 cipher suites will be reported as supported by Jetty when running on a non-customized modern JVM version. This will likely be "good enough" for most security scanning software to pass.

      However, depending on how the JVM is configured or customized, Jetty may still accept some inbound connections over protocols other than TLSv1.2 using cipher suites that are not "normal", i.e. if you have customized the available cipher suites and security settings at the JVM level for some other reason.

      To explicitly tell Jetty/NXRM to allow only the TLSv1.2 protocol for inbound connections, regardless of the cipher suites available in the JVM, add the section below to the jetty-https.xml configuration as a child element of the <New id="sslContextFactory" ...> element:

        <Set name="IncludeProtocols">
          <Array type="java.lang.String">
            <Item>TLSv1.2</Item>
          </Array>
        </Set>


      You can confirm your change has been applied by adding a property to etc/nexus.properties that makes Jetty dump its configuration after startup:

      Tell Jetty to dump config after startup:
      jetty.dump.start=true

      Jetty debug dump in nexus.log after startup, confirming only TLSv1.2 is enabled:
      2020-11-10 09:19:56,074-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - |  |        +> Protocol Selections
      2020-11-10 09:19:56,075-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - |  |        |  +> Enabled size=1
      2020-11-10 09:19:56,075-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - |  |        |  |  +> TLSv1.2
      2020-11-10 09:19:56,075-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - |  |        |  +> Disabled size=4
      2020-11-10 09:19:56,075-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - |  |        |     +> SSLv2Hello - ConfigExcluded:'SSLv2Hello', ConfigIncluded:NotSelected
      2020-11-10 09:19:56,076-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - |  |        |     +> SSLv3 - ConfigExcluded:'SSLv3', ConfigIncluded:NotSelected JVM:disabled
      2020-11-10 09:19:56,076-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - |  |        |     +> TLSv1 - ConfigIncluded:NotSelected
      2020-11-10 09:19:56,076-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - |  |        |     +> TLSv1.1 - ConfigIncluded:NotSelected
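      As an added example (not part of this issue, nor Nexus or Jetty code), the Python script below automates the two checks shown in this issue: it parses the protocol section of sslscan output and the "Protocol Selections" subtree of a Jetty component dump, and reports any enabled protocol version outside an acceptable set. The embedded samples are constructed from the output quoted above. The acceptable set defaults to TLSv1.2 and TLSv1.3, which generalises the TLSv1.2-only expectation stated above; pass `acceptable={"TLSv1.2"}` to enforce exactly what this issue asks for.

```python
import re
from typing import Dict, Iterable, List, Set

# Protocol versions considered acceptable for inbound HTTPS. The issue asks for
# TLSv1.2 only; TLSv1.3 is included here as a deliberate generalisation.
ACCEPTABLE_PROTOCOLS = frozenset({"TLSv1.2", "TLSv1.3"})

# One protocol line of sslscan's "SSL/TLS Protocols:" section, e.g. "TLSv1.0   enabled".
_SSLSCAN_LINE = re.compile(r"^(SSLv\d|TLSv\d(?:\.\d)?)\s+(enabled|disabled)$")
# Jetty dump section headers and items underneath "Protocol Selections".
_JETTY_SECTION = re.compile(r"\+> (Enabled|Disabled) size=(\d+)")
_JETTY_ITEM = re.compile(r"\+> (\S+)")

# Constructed sample: the sslscan protocol section quoted in this issue.
SSLSCAN_SAMPLE = """\
  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   enabled
TLSv1.1   enabled
TLSv1.2   enabled
TLSv1.3   disabled
"""

# Constructed sample: the Jetty dump lines from nexus.log quoted in this issue.
JETTY_DUMP_SAMPLE = """\
2020-11-10 09:19:56,074-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - |  |        +> Protocol Selections
2020-11-10 09:19:56,075-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - |  |        |  +> Enabled size=1
2020-11-10 09:19:56,075-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - |  |        |  |  +> TLSv1.2
2020-11-10 09:19:56,075-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - |  |        |  +> Disabled size=4
2020-11-10 09:19:56,075-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - |  |        |     +> SSLv2Hello - ConfigExcluded:'SSLv2Hello', ConfigIncluded:NotSelected
2020-11-10 09:19:56,076-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - |  |        |     +> SSLv3 - ConfigExcluded:'SSLv3', ConfigIncluded:NotSelected JVM:disabled
2020-11-10 09:19:56,076-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - |  |        |     +> TLSv1 - ConfigIncluded:NotSelected
2020-11-10 09:19:56,076-0400 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.component.Dumpable - |  |        |     +> TLSv1.1 - ConfigIncluded:NotSelected
"""


def parse_sslscan_protocols(output: str) -> Set[str]:
    """Return the protocol versions that sslscan reports as 'enabled'."""
    enabled: Set[str] = set()
    for raw in output.splitlines():
        m = _SSLSCAN_LINE.match(raw.strip())
        if m and m.group(2) == "enabled":
            enabled.add(m.group(1))
    return enabled


def parse_jetty_protocol_selections(log_text: str) -> Dict[str, Set[str]]:
    """Parse the 'Protocol Selections' subtree of a Jetty component dump.

    Returns {'enabled': {...}, 'disabled': {...}}. Raises ValueError if the
    block is missing or a 'size=N' count disagrees with the items listed.
    """
    lines = iter(log_text.splitlines())
    root_col = None
    for line in lines:  # skip ahead to the subtree root
        if "+> Protocol Selections" in line:
            root_col = line.index("+>")
            break
    if root_col is None:
        raise ValueError("no 'Protocol Selections' block found")

    result: Dict[str, Set[str]] = {"enabled": set(), "disabled": set()}
    expected: Dict[str, int] = {}
    section = None
    for line in lines:  # continue from the line after the root
        col = line.find("+>")
        if col == -1 or col <= root_col:
            break  # tree marker at or left of the root: we have left the subtree
        sec = _JETTY_SECTION.search(line)
        if sec:
            section = sec.group(1).lower()
            expected[section] = int(sec.group(2))
            continue
        item = _JETTY_ITEM.search(line)
        if item and section:
            result[section].add(item.group(1))  # first token is the protocol name
    for name, count in expected.items():
        if len(result[name]) != count:
            raise ValueError(f"{name}: dump says size={count} but {len(result[name])} items listed")
    return result


def legacy_protocols(enabled: Iterable[str], acceptable=ACCEPTABLE_PROTOCOLS) -> List[str]:
    """Sorted list of enabled protocol versions that should not be offered."""
    return sorted(p for p in enabled if p not in acceptable)


if __name__ == "__main__":
    scanned = parse_sslscan_protocols(SSLSCAN_SAMPLE)
    print("sslscan: legacy protocols still enabled:", legacy_protocols(scanned))
    selection = parse_jetty_protocol_selections(JETTY_DUMP_SAMPLE)
    print("jetty dump: enabled", sorted(selection["enabled"]),
          "legacy:", legacy_protocols(selection["enabled"]))
```

      Feed real data in with e.g. `parse_sslscan_protocols(open("scan.txt").read())`; the sslscan parser assumes plain output (run sslscan with `--no-colour` so no ANSI escape codes appear on the protocol lines), and the dump parser relies only on the position of the `+>` tree marker, so the timestamp and logger prefix of the nexus.log lines do not matter.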
      

      People
        Unassigned
        Rich Seddon (rseddon)
        Peter Lynch
      Votes: 0
      Watchers: 5