Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-7659

disable SSLv3 for outbound requests by default

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.10
    • Fix Version/s: 2.11, 3.0.0-m3
    • Component/s: Transport
    • Labels:
      None
    • Story Points:
      2
    • Release Note:
      Yes
    • Sprint:
      Sprint 30

      Description

      Oracle recommends that users and developers disable use of the SSLv3 protocol.

      http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html

      Referenced from release notes:

      http://www.oracle.com/technetwork/java/javase/7u71-relnotes-2296187.html
      http://www.oracle.com/technetwork/java/javase/8u25-relnotes-2296185.html

      At the bottom of the article is a suggested approach in code to use to disable SSLv3 explicitly by default. Nexus should do this as well by default for outbound requests.

      Only apply this default exclusion in case where https.protocols system property is not set. ( per NEXUS-7594 )

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              plynch Peter Lynch
              Reporter:
              plynch Peter Lynch
              Last Updated By:
              Peter Lynch
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Date of First Response:

                  tigCommentSecurity.panel-title