Details
- Type: Improvement
- Resolution: Fixed
- Priority: Major
- Fix Version/s: 3.28.1, 2.14.21
- Yes
- 3
Description
Sonatype has documented how to protect NXRM's Jetty-based TLS connector against the Logjam attack in a KB article:
However, NXRM could ship a default configuration that enforces a minimum 2048-bit ephemeral Diffie-Hellman key exchange, rather than leaving that hardening to each administrator.
Problem
With the default HTTPS connector configuration, the nmap ssl-dh-params script reports a weak (1024-bit) DH group. The connector negotiates a DHE cipher suite using the well-known RFC 2409 / Oakley Group 2 modulus, which is exactly the kind of commonly shared 1024-bit group that Logjam targets:

nmap --script ssl-dh-params -p 8443 192.168.2.73
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-17 17:53 AST
Nmap scan report for nexus.example.com (192.168.2.73)
Host is up (0.00020s latency).

PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-dh-params:
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|             Modulus Type: Safe prime
|             Modulus Source: RFC2409/Oakley Group 2
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
Workaround:
Add this JVM option to bin/nexus.vmoptions and restart NXRM (the file is only read at JVM start-up):
-Djdk.tls.ephemeralDHKeySize=2048
This is the standard JSSE property that controls the size of the ephemeral DH group the server generates; it accepts "legacy", "matched", or an integer number of bits, and 2048 is the lowest value that clears the weakdh.org threshold. Re-run the nmap script afterwards to confirm the connector no longer reports a weak group.
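After applying the workaround it is worth having a repeatable check that does not depend on nmap being installed. The following POSIX shell script is an added example, not part of the original issue or of NXRM: it forces a DHE cipher suite with openssl s_client, parses the "Server Temp Key" line, and fails if the negotiated DH group is below 2048 bits or if no DHE suite was negotiated at all. The host, port and 2048-bit threshold are assumptions, and the sample output at the bottom is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the Sonatype issue): verify that a TLS endpoint
# negotiates an ephemeral DH group of at least 2048 bits, e.g. after
# setting -Djdk.tls.ephemeralDHKeySize=2048 on the NXRM JVM.

MIN_DH_BITS=2048   # assumption: the threshold this check enforces

# Extract the DH group size in bits from `openssl s_client` output.
# Prints nothing when no finite-field DH temp key line is present, which
# happens when the server picked ECDHE/X25519 or a non-ephemeral suite.
dh_bits_from_s_client() {
    # Matches e.g. "Server Temp Key: DH, 1024 bits"
    printf '%s\n' "$1" \
        | sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits$/\1/p' \
        | head -n 1
}

# Return 0 when the negotiated DH group is >= MIN_DH_BITS, 1 otherwise
# (including the case where no DH key exchange was negotiated, since a
# missing result must not be mistaken for a pass).
dh_strength_ok() {
    bits=$(dh_bits_from_s_client "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$MIN_DH_BITS" ]
}

# Live probe of a host. -cipher 'DHE' restricts the TLS 1.2 suite list to
# finite-field DHE suites so the server must expose its DH group; -tls1_2
# is needed because OpenSSL's -cipher does not apply to TLS 1.3 suites and a
# TLS 1.3 handshake would otherwise hide the legacy group under test.
probe_host() {
    host="$1"
    port="${2:-8443}"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
            -tls1_2 -cipher 'DHE' </dev/null 2>/dev/null)
    if dh_strength_ok "$out"; then
        echo "$host:$port OK (DH $(dh_bits_from_s_client "$out") bits)"
    else
        echo "$host:$port WEAK DH group or no DHE suite negotiated"
        return 1
    fi
}

# Dry run on a constructed sample (not a real capture) mirroring the weak
# 1024-bit case reported above; a live check would be: probe_host nexus.example.com 8443
SAMPLE_WEAK="$(printf 'CONNECTED(00000003)\nServer Temp Key: DH, 1024 bits\n---\n')"
if dh_strength_ok "$SAMPLE_WEAK"; then
    echo "sample: ok"
else
    echo "sample: weak DH group ($(dh_bits_from_s_client "$SAMPLE_WEAK") bits)"
fi
```

Treating "no DH line at all" as a failure is deliberate: if the server silently drops DHE suites rather than strengthening them, that is a different outcome from the one the workaround is meant to produce, and the check should make an operator look rather than report a pass.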
Expected
NXRM's shipped default configuration should pass the weak DH check out of the box: a 2048-bit DH group should be the minimum, so that a fresh install is not vulnerable to Logjam until an administrator finds the KB article.