Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-25909

Protect inbound HTTPS connections against Weak Diffie-Hellman Keys and Logjam by default

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.28.1
    • Fix Version/s: 3.30.0
    • Component/s: Transport
    • Release Note:
      Yes
    • Notability:
      3

      Description

      Sonatype has documented how to protect NXRM Jetty based TLS connections against the Logjam attack in a KB article:

      https://support.sonatype.com/hc/en-us/articles/360000216307-Protect-Sonatype-Server-Products-against-Weak-Diffie-Hellman-Keys-and-Logjam

      However, Sonatype could configure NXRM by default to enforce a minimum 2048 bit key exchange.

      Problem

      Notice a "default" connector fails the weak DH key test.

      nmap --script ssl-dh-params -p 8443 192.168.2.73
      Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-17 17:53 AST
      Nmap scan report for nexus.example.com (192.168.2.73)
      Host is up (0.00020s latency).
      
      PORT     STATE SERVICE
      8443/tcp open  https-alt
      | ssl-dh-params: 
      |   VULNERABLE:
      |   Diffie-Hellman Key Exchange Insufficient Group Strength
      |     State: VULNERABLE
      |       Transport Layer Security (TLS) services that use Diffie-Hellman groups
      |       of insufficient strength, especially those using one of a few commonly
      |       shared groups, may be susceptible to passive eavesdropping attacks.
      |     Check results:
      |       WEAK DH GROUP 1
      |             Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
      |             Modulus Type: Safe prime
      |             Modulus Source: RFC2409/Oakley Group 2
      |             Modulus Length: 1024
      |             Generator Length: 8
      |             Public Key Length: 1024
      |     References:
      |_      https://weakdh.org
      

      Workaround:

      Add this to bin/nexus.vmoptions:

      -Djdk.tls.ephemeralDHKeySize=2048
      

      Expected

      NXRM default shipped configuration should pass the weak DH key test, make 2048 key strength a minimum requirement.

        Attachments

          Activity

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            plynch Peter Lynch
            Last Updated By:
            Peter Lynch Peter Lynch
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                tigCommentSecurity.panel-title