Dev - Nexus Repo / NEXUS-30835

configure TLSv1.3 support by default

    Details

    • Type: Improvement
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.37.3
    • Fix Version/s: None
    • Component/s: Transport
    • Notability: 4

      Description

      From https://github.com/eclipse/jetty.project/issues/5073#issuecomment-662466381

      In Java 8u251 Oracle backported the ALPN support from Java 9+ into Java 8.
      This ALPN support layer only works with Jetty 9.4.28.v20200408 or newer (see Issue #4443)

      In Java 8u261 Oracle backported the TLS 1.3 features from Java 11+ into Java 8.
      This TLS 1.3 support layer only works with Jetty 9.4.12.v20180830 or newer (see Issue #2711)

      Modern HTTP clients may support only TLSv1.3, so communication to Nexus Repository may break: by default the 'IncludeProtocols' section inside jetty-https.xml lists only TLSv1.2 (the Jetty versions the repository used previously did not support TLSv1.3).

      Also for outbound requests, when running the repository on Java 8, support for TLSv1.3 needs to be configured explicitly by setting a Java system property:

      See https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#enabling-tls-1.3

      For when repository eventually supports running on Java 11, TLSv1.3 is enabled by default: https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2

      Expected

      Modify the Repository default shipping configuration to support TLS 1.3 for inbound and outbound requests (which will in turn require end users to run the repository on Java 8u261 / Java 11 or greater).

      Workaround

      1. Find the correct jetty-https.xml path from nexus.properties:
        [root@node-nxrm ~]# grep 'nexus-args' /opt/sonatype/sonatype-work/nexus3/etc/nexus.properties
        nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${karaf.data}/etc/jetty/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml
        
      2. Edit jetty-https.xml file and search "IncludeProtocols" line:
            <Set name="IncludeProtocols">
              <Array type="java.lang.String">
                <Item>TLSv1.2</Item>
              </Array>
            </Set>
        
      3. Add "<Item>TLSv1.3</Item>" line before or after TLSv1.2 line.
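      The three workaround steps above, plus the outbound system property, as one idempotent script. This is an added example, not Sonatype's or Jetty's code: it resolves jetty-https.xml from the nexus-args line exactly as in step 1, inserts <Item>TLSv1.3</Item> after the TLSv1.2 item only if it is not already inside the IncludeProtocols block, and appends the jdk.tls.client.protocols option the linked JSSE guide describes for Java 8. The nexus.properties, jetty-https.xml and vmoptions files it writes are constructed samples in a temp directory; the assumptions are that ${karaf.data} resolves to the sonatype-work/nexus3 directory (as in the ticket's grep output) and that the JVM reads its flags from bin/nexus.vmoptions, one option per line.

```shell
#!/bin/sh
# Added example (not Sonatype's or Jetty's code). On a real install, point
# NEXUS_PROPS at <sonatype-work>/nexus3/etc/nexus.properties, KARAF_DATA at
# <sonatype-work>/nexus3 (assumption: karaf.data resolves there) and VMOPTIONS
# at <install-dir>/bin/nexus.vmoptions (assumption: one JVM flag per line).
set -eu

# Step 1: pull the ${karaf.data}/etc/jetty/jetty-https.xml entry out of
# nexus-args. $1 = nexus.properties, $2 = value to substitute for ${karaf.data}
jetty_https_path() {
  grep '^nexus-args=' "$1" | tr ',' '\n' | grep 'jetty-https.xml' \
    | sed "s|\${karaf\.data}|$2|"
}

# Exit 0 when <Item>TLSv1.3</Item> already sits inside the IncludeProtocols <Set>.
tls13_included() {
  awk '
    /<Set name="IncludeProtocols">/ { inblock = 1 }
    inblock && /<Item>TLSv1\.3<\/Item>/ { found = 1 }
    inblock && /<\/Set>/ { inblock = 0 }
    END { exit(found ? 0 : 1) }
  ' "$1"
}

# Steps 2 and 3: add the TLSv1.3 item right after the TLSv1.2 item, copying its
# indentation and leaving every other line of the file untouched.
ensure_tls13() {
  if tls13_included "$1"; then
    echo "TLSv1.3 already in IncludeProtocols: $1"
    return 0
  fi
  awk '
    /<Set name="IncludeProtocols">/ { inblock = 1 }
    { print }
    inblock && /<Item>TLSv1\.2<\/Item>/ {
      match($0, /^[ \t]*/)
      print substr($0, RSTART, RLENGTH) "<Item>TLSv1.3</Item>"
    }
    inblock && /<\/Set>/ { inblock = 0 }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  echo "added TLSv1.3 to IncludeProtocols: $1"
}

# Outbound on Java 8u261+: the JSSE guide enables TLSv1.3 for clients through the
# jdk.tls.client.protocols system property; keep TLSv1.2 so older peers still work.
ensure_client_protocols() {
  if grep -q '^-Djdk.tls.client.protocols=' "$1"; then
    echo "jdk.tls.client.protocols already set in $1"
    return 0
  fi
  echo '-Djdk.tls.client.protocols=TLSv1.3,TLSv1.2' >> "$1"
  echo "added jdk.tls.client.protocols to $1"
}

# --- constructed sample files (shaped like the ticket's excerpts) ---
WORK=$(mktemp -d)
mkdir -p "$WORK/etc/jetty"
cat > "$WORK/etc/nexus.properties" <<'EOF'
nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${karaf.data}/etc/jetty/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml
EOF
cat > "$WORK/etc/jetty/jetty-https.xml" <<'EOF'
<?xml version="1.0"?>
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
  <Set name="IncludeProtocols">
    <Array type="java.lang.String">
      <Item>TLSv1.2</Item>
    </Array>
  </Set>
</Configure>
EOF
printf '%s\n' '-Xms2703m' '-Xmx2703m' > "$WORK/nexus.vmoptions"

JETTY_HTTPS=$(jetty_https_path "$WORK/etc/nexus.properties" "$WORK")
ensure_tls13 "$JETTY_HTTPS"
ensure_tls13 "$JETTY_HTTPS"                 # second run is a no-op
ensure_client_protocols "$WORK/nexus.vmoptions"
ensure_client_protocols "$WORK/nexus.vmoptions"
```

      Restart the repository after the edit; the awk pass only touches the IncludeProtocols block, so a second run reports "already in IncludeProtocols" instead of duplicating the item.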

      People

      Assignee: Unassigned
      Reporter: Jay Kumar SenSharma (jsensharma)
      Last Updated By: Hajime Osako