  1. Dev - Nexus Repo
  2. NEXUS-7659

disable SSLv3 for outbound requests by default

Details

    • Improvement
    • Resolution: Fixed
    • Major
    • 2.11, 3.0.0-m3
    • 2.10
    • Transport
    • None
    • 2
    • Yes
    • Sprint 30

    Description

      Oracle recommends that users and developers disable use of the SSLv3 protocol.

      http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html

      Referenced from release notes:

      http://www.oracle.com/technetwork/java/javase/7u71-relnotes-2296187.html
      http://www.oracle.com/technetwork/java/javase/8u25-relnotes-2296185.html

      At the bottom of the article is a suggested code approach for disabling SSLv3 explicitly by default. Nexus should do this as well by default for outbound requests.

      Only apply this default exclusion when the https.protocols system property is not set (per NEXUS-7594).
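
The default described above, sketched in Java as an added example (not Nexus's code and not the snippet from the Oracle article): SSLv3 is dropped from the JVM's enabled protocols only when `https.protocols` is unset. The names `OutboundProtocols`, `select` and `apply` are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

// Added illustration; class and method names are hypothetical, not Nexus code.
public class OutboundProtocols {

    /** Protocols to enable on an outbound socket, given the JVM's enabled defaults. */
    static String[] select(String httpsProtocols, String[] jvmDefaults) {
        if (httpsProtocols != null && !httpsProtocols.trim().isEmpty()) {
            // https.protocols was set explicitly: honour it unchanged.
            List<String> configured = new ArrayList<>();
            for (String p : httpsProtocols.split(",")) {
                if (!p.trim().isEmpty()) configured.add(p.trim());
            }
            return configured.toArray(new String[0]);
        }
        // Property not set: keep the JVM defaults, minus SSLv3.
        List<String> filtered = new ArrayList<>();
        for (String p : jvmDefaults) {
            if (!"SSLv3".equalsIgnoreCase(p)) filtered.add(p);
        }
        return filtered.toArray(new String[0]);
    }

    /** Apply the selection to a socket before the handshake starts. */
    static void apply(SSLSocket socket) {
        socket.setEnabledProtocols(
            select(System.getProperty("https.protocols"), socket.getEnabledProtocols()));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs; no network connection is made.
        String[] legacy = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};
        System.out.println(Arrays.toString(select(null, legacy)));
        System.out.println(Arrays.toString(select("SSLv3,TLSv1", legacy)));
        try (SSLSocket s = (SSLSocket) SSLContext.getDefault().getSocketFactory().createSocket()) {
            apply(s);
            System.out.println(Arrays.toString(s.getEnabledProtocols()));
        }
    }
}
```

An explicit `https.protocols` value that still lists SSLv3 is passed through as given, so a deployment that sets the property should be reviewed separately.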


            People

              plynch Peter Lynch