Details
Bug; Resolution: Fixed; Major; 2.8, 2.10; 0.5; Sprint 30
Description
Configure Nexus to use a proxy server which can write its own SSL certificate in place of the actual remote certificate (i.e. Charles proxy). For example, configure it to SSL proxy https://nvd.nist.gov
In Nexus, go to SSL Certificates and click Add... Load From Server...
Enter nvd.nist.gov and click Load Certificate button.
Nexus UI sends a request similar to:
'http://localhost:8081/nexus/service/siesta/ssl/certificates?_dc=1415038245066&host=nvd.nist.gov&port=443'
The Nexus certificates resource tries to make a direct socket connection to the remote instead of an https connection. This is by design.
Now enter https://nvd.nist.gov and click Load Certificate button. Nexus still tries to make a direct socket connection.
Notice the url sent to Nexus backend is still:
'http://localhost:8081/nexus/service/siesta/ssl/certificates?_dc=1415038245066&host=nvd.nist.gov&port=443'
It seems to be missing the 'protocolHint' parameter.
Nexus 2.8.0 does the same thing.
The problem this creates is that it is very common for proxy servers to overwrite remote certs. Without using https instead of a direct socket, it is easy to trust the wrong cert, or not be able to trust the correct cert unless you manually get the pem file externally and upload it.
Expected: When http or https is specified, the internal http client with correct proxy settings should be used to get the remote cert and present that to the end user.
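The mismatch described above can be checked from outside Nexus by retrieving the certificate over both paths and comparing fingerprints. This is an added example, not Nexus code: the function names are hypothetical, and the proxy is assumed to be a plain HTTP proxy that accepts CONNECT.

```python
import hashlib
import socket
import ssl
from urllib.parse import urlsplit

def parse_target(user_input, default_port=443):
    """Return (host, port, via_proxy); a scheme selects the proxied path."""
    text = user_input.strip()
    has_scheme = "://" in text
    parts = urlsplit(text if has_scheme else "//" + text)
    return parts.hostname, parts.port or default_port, has_scheme

def _leaf_der(sock, host):
    # Verification is off on purpose: the certificate is only retrieved
    # so a person can inspect it, it is not trusted at this point.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with ctx.wrap_socket(sock, server_hostname=host) as tls:
        return tls.getpeercert(binary_form=True)

def fetch_direct(host, port, timeout=10):
    """Certificate seen over a direct socket (bypasses any proxy)."""
    return _leaf_der(socket.create_connection((host, port), timeout), host)

def fetch_via_proxy(host, port, proxy_host, proxy_port, timeout=10):
    """Certificate seen through the proxy, using an HTTP CONNECT tunnel."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout)
    request = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
    sock.sendall(request.encode())
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            break
        reply += chunk
    status = reply.split(b"\r\n", 1)[0].split()
    if len(status) < 2 or status[1] != b"200":
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT: {reply[:60]!r}")
    return _leaf_der(sock, host)

def fingerprint(der):
    """Colon-separated SHA-256 fingerprint of a DER-encoded certificate."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def same_certificate(der_a, der_b):
    return fingerprint(der_a) == fingerprint(der_b)
```

If `same_certificate(fetch_direct(...), fetch_via_proxy(...))` is false, the proxy is presenting its own certificate, and the one loaded over the direct socket is not the one Nexus will see on proxied HTTPS requests.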