Details
- Improvement
- Resolution: Unresolved
- Major
- None
- 3.37.3
- 4
Description
From https://github.com/eclipse/jetty.project/issues/5073#issuecomment-662466381
In Java 8u251 Oracle backported the ALPN support from Java 9+ into Java 8.
This ALPN support layer only works with Jetty 9.4.28.v20200408 or newer (see Issue #4443)
In Java 8u261 Oracle backported the TLS 1.3 features from Java 11+ into Java 8.
This TLS 1.3 support layer only works with Jetty 9.4.12.v20180830 or newer (see Issue #2711)
Modern HTTP clients may support only TLSv1.3, so communication to Nexus Repository may break, because by default the 'IncludeProtocols' section inside jetty-https.xml references only TLSv1.2 (the Jetty project did not support TLSv1.3 in the older versions Repository used).
Also, for outbound requests when running Repository on Java 8, support for TLSv1.3 needs to be configured explicitly by modifying a Java system property:
When Repository eventually supports running on Java 11, TLSv1.3 is enabled by default: https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2
Expected
Modify the Repository default shipping configuration to support TLSv1.3 for inbound and outbound requests (which will in turn expect the end user to run Repository with Java 8u261 / Java 11 or greater).
Workaround
- Find the correct jetty-https.xml path from nexus.properties:

    [root@node-nxrm ~]# grep 'nexus-args' /opt/sonatype/sonatype-work/nexus3/etc/nexus.properties
    nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${karaf.data}/etc/jetty/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml

- Edit the jetty-https.xml file and search for the "IncludeProtocols" line:

    <Set name="IncludeProtocols">
      <Array type="java.lang.String">
        <Item>TLSv1.2</Item>
      </Array>
    </Set>

- Add a "<Item>TLSv1.3</Item>" line before or after the TLSv1.2 line.
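The workaround above as a repeatable, idempotent edit, given here as an added example that is not part of the original issue or of Nexus Repository. The sample XML is constructed: only the IncludeProtocols block comes from the workaround, while the wrapper elements and the function names `include_protocols` and `add_tls13` are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: only the IncludeProtocols block comes from the workaround
# above; the wrapper elements and the comment are placeholders.
SAMPLE = """<Configure>
  <New id="sslContextFactory">
    <!-- protocols offered on the HTTPS connector -->
    <Set name="IncludeProtocols">
      <Array type="java.lang.String">
        <Item>TLSv1.2</Item>
      </Array>
    </Set>
  </New>
</Configure>
"""

BLOCK = re.compile(r'<Set\s+name="IncludeProtocols">.*?</Set>', re.S)
TLS12_LINE = re.compile(r'^([ \t]*)<Item>\s*TLSv1\.2\s*</Item>[ \t]*$', re.M)


def include_protocols(xml_text):
    """Return the protocol names listed under IncludeProtocols."""
    root = ET.fromstring(xml_text)
    return [item.text.strip()
            for s in root.iter("Set") if s.get("name") == "IncludeProtocols"
            for item in s.iter("Item") if item.text]


def add_tls13(xml_text):
    """Insert a TLSv1.3 item after the TLSv1.2 line; no-op if already present."""
    if "TLSv1.3" in include_protocols(xml_text):
        return xml_text
    block = BLOCK.search(xml_text)
    if block is None:
        raise ValueError("no IncludeProtocols <Set> found")
    # Reuse the TLSv1.2 line's indentation so the rest of the file is untouched.
    patched, hits = TLS12_LINE.subn(
        lambda m: m.group(0) + "\n" + m.group(1) + "<Item>TLSv1.3</Item>",
        block.group(0), count=1)
    if hits != 1:
        raise ValueError("no TLSv1.2 <Item> line to anchor the insert")
    result = xml_text[:block.start()] + patched + xml_text[block.end():]
    include_protocols(result)  # re-parse: raises if the edit broke the XML
    return result


if __name__ == "__main__":
    print(add_tls13(SAMPLE))
```

As the description notes, the added protocol is only usable when Repository runs on Java 8u261 or newer.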
Issue Links
- is related to
  - NEXUS-19183 Java JDK JRE 11 runtime support (New)