Sonatype has documented how to protect NXRM Jetty-based TLS connections against the Logjam attack in a KB article:
However, Sonatype could configure NXRM by default to enforce a minimum 2048-bit key exchange.
Notice a "default" connector fails the weak DH key test.
```
nmap --script ssl-dh-params -p 8443 192.168.2.73
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-17 17:53 AST
Nmap scan report for nexus.example.com (192.168.2.73)
Host is up (0.00020s latency).

PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-dh-params:
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|             Modulus Type: Safe prime
|             Modulus Source: RFC2409/Oakley Group 2
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
```
Add this to bin/nexus.vmoptions:
The default configuration shipped with NXRM should pass the weak DH key test; make 2048-bit key strength a minimum requirement.
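The scan shown above can be turned into a repeatable check on each connector. The following is an added example, not part of the ticket or of Sonatype's code: it parses `ssl-dh-params` output and returns every DH group below 2048 bits, treating a group with no reported modulus length as failing. The function names and the trimmed sample text are constructed for illustration.

```python
import re

MIN_DH_BITS = 2048  # minimum key-exchange size the ticket asks for

# Constructed sample: trimmed from the scan output in the ticket above.
SAMPLE = """\
8443/tcp open  https-alt
| ssl-dh-params:
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|             Modulus Source: RFC2409/Oakley Group 2
|             Modulus Length: 1024
|_      https://weakdh.org
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open")
GROUP_RE = re.compile(r"^\|[ _]\s*([A-Z-]+ DH GROUP \d+)\s*$")
FIELD_RE = re.compile(r"^\|[ _]\s*([A-Za-z ]+):\s+(\S.*?)\s*$")


def parse_dh_groups(nmap_text):
    """Return one dict per DH group reported by ssl-dh-params."""
    groups, port, current = [], None, None
    for line in nmap_text.splitlines():
        if m := PORT_RE.match(line):
            port, current = int(m.group(1)), None  # new port: reset group
        elif m := GROUP_RE.match(line):
            current = {"port": port, "group": m.group(1)}
            groups.append(current)
        elif current is not None and (m := FIELD_RE.match(line)):
            current[m.group(1).strip()] = m.group(2)
    return groups


def failing_groups(nmap_text, min_bits=MIN_DH_BITS):
    """Groups whose modulus is shorter than min_bits, or has no length."""
    bad = []
    for g in parse_dh_groups(nmap_text):
        bits = g.get("Modulus Length", "")
        if not bits.isdigit() or int(bits) < min_bits:  # fail closed
            bad.append(g)
    return bad


if __name__ == "__main__":
    for g in failing_groups(SAMPLE):
        print(g["port"], g["Cipher Suite"], g.get("Modulus Length", "unknown"))
```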