Sonatype has documented how to protect NXRM Jetty-based TLS connections against the Logjam attack in a KB article:
However, Sonatype could configure NXRM by default to enforce a minimum 2048-bit key exchange.
Notice that a "default" connector fails the weak DH key test.
nmap --script ssl-dh-params -p 8443 192.168.2.73
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-17 17:53 AST
Nmap scan report for nexus.example.com (192.168.2.73)
Host is up (0.00020s latency).
PORT STATE SERVICE
8443/tcp open https-alt
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
| Modulus Type: Safe prime
| Modulus Source: RFC2409/Oakley Group 2
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
Add this to bin/nexus.vmoptions:
The default shipped NXRM configuration should pass the weak DH key test; make 2048-bit key strength a minimum requirement.
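One way to turn the weak DH key test into a repeatable check, as an added example that is not Sonatype's code: parse the ssl-dh-params results and fail on any group below the requested 2048-bit minimum. The function names are hypothetical and the sample is constructed from the scan output above.

```python
import re

MIN_DH_BITS = 2048  # minimum key-exchange strength requested in this ticket

# Constructed sample: the "Check results" portion of the scan output above.
SAMPLE = """\
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
| Modulus Type: Safe prime
| Modulus Source: RFC2409/Oakley Group 2
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
"""

GROUP_RE = re.compile(r"^(?:WEAK )?DH GROUP (\d+)$")
FIELD_RE = re.compile(r"^([A-Za-z ]+): (.+)$")


def parse_dh_groups(text):
    """Return one dict per DH group found in ssl-dh-params output."""
    groups, current = [], None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()  # drop nmap's script-output prefix
        m = GROUP_RE.match(line)
        if m:
            current = {"group": int(m.group(1))}
            groups.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return groups


def weak_groups(text, min_bits=MIN_DH_BITS):
    """Groups whose modulus is shorter than min_bits (no length counts as weak)."""
    return [g for g in parse_dh_groups(text)
            if int(g.get("Modulus Length", 0)) < min_bits]


if __name__ == "__main__":
    for g in weak_groups(SAMPLE):
        print(f"FAIL: {g.get('Cipher Suite')} negotiates a "
              f"{g.get('Modulus Length')}-bit DH group (< {MIN_DH_BITS})")
```

Feeding it the saved scan output after a configuration change gives a pass/fail result that can gate a deployment: an empty list from `weak_groups` means no group below the minimum was reported.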