Dev - Nexus Repo: NEXUS-7652

SSL certificates added using load from server option only use direct socket connection


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.8, 2.10
    • Fix Version/s: 2.11, 3.0.0-m3
    • Component/s: SSL
    • Labels: (none)
    • Story Points: 0.5
    • Sprint: Sprint 30

      Description

      Configure Nexus to use a proxy server that substitutes its own SSL certificate for the actual remote certificate (e.g. Charles Proxy). For example, configure it to SSL-proxy https://nvd.nist.gov.

      In Nexus, go to SSL Certificates and click Add... > Load From Server...
      Enter nvd.nist.gov and click the Load Certificate button.
      The Nexus UI sends a request similar to:

      'http://localhost:8081/nexus/service/siesta/ssl/certificates?_dc=1415038245066&host=nvd.nist.gov&port=443'

      The Nexus certificates resource makes a direct socket connection to the remote host instead of an HTTPS connection. This is by design.

      Now enter https://nvd.nist.gov and click the Load Certificate button. Nexus still makes a direct socket connection.

      Notice that the URL sent to the Nexus backend is still:

      'http://localhost:8081/nexus/service/siesta/ssl/certificates?_dc=1415038245066&host=nvd.nist.gov&port=443'

      It seems to be missing the 'protocolHint' parameter.

      https://github.com/sonatype/nexus-pro/blob/nexus-2.10.x/plugins/security/nexus-ssl-plugin/src/main/java/com/sonatype/nexus/ssl/plugin/internal/rest/CertificatesResource.java#L91-91

      Nexus 2.8.0 does the same thing.

      The problem this creates is that it is very common for proxy servers to overwrite remote certificates. Without using HTTPS instead of a direct socket, it is easy to trust the wrong certificate, or to be unable to trust the correct one unless you obtain the PEM file externally and upload it manually.

      Expected: When http or https is specified, the internal HTTP client with the correct proxy settings should be used to get the remote certificate and present it to the end user.
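      The two retrieval paths the issue contrasts, as an added illustration in Go (not the plugin's Java code): FetchDirect is the raw-socket behaviour reported here, FetchViaHTTPClient is the expected proxy-aware path, and ChainMismatch is the check an operator would want before trusting what the direct socket returned. The function names and the proxy argument are this example's own, not Nexus API.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"net/http"
	"net/url"
)

// Fingerprint is the hex SHA-256 of the DER encoding, the value an operator compares.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// FetchDirect is what the issue describes: a raw TLS socket to host:port that
// ignores the proxy. Verification is off only to capture the chain, not to trust it.
func FetchDirect(addr string) ([]*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates, nil
}

// FetchViaHTTPClient is the expected behaviour: an HTTPS request through an HTTP
// client that honours the proxy, so the chain is what the proxy actually presents.
func FetchViaHTTPClient(rawURL string, proxy *url.URL) ([]*x509.Certificate, error) {
	tr := &http.Transport{Proxy: http.ProxyURL(proxy), // nil proxy: direct connection
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
	resp, err := (&http.Client{Transport: tr}).Get(rawURL)
	if err != nil {
		return nil, err
	}
	resp.Body.Close()
	if resp.TLS == nil {
		return nil, errors.New("connection did not use TLS")
	}
	return resp.TLS.PeerCertificates, nil
}

// ChainMismatch is true when the leaf differs between the two paths, i.e. an intermediary
// substituted its own certificate for the remote one and the direct result is the wrong cert.
func ChainMismatch(a, b []*x509.Certificate) bool {
	return len(a) == 0 || len(b) == 0 || Fingerprint(a[0]) != Fingerprint(b[0])
}
```

      With a proxy URL supplied, a mismatch between the two fetches is exactly the situation the description warns about: the certificate loaded over the direct socket is not the one the proxied HTTP client (and therefore Nexus's proxy-repository traffic) will see.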

            People

            • Assignee: plynch (Peter Lynch)
            • Reporter: plynch (Peter Lynch)
            • Last Updated By: Peter Lynch
            • Votes: 0
            • Watchers: 2
