Nexus IQ Data Services Require Strong TLS Ciphers

Beginning on March 31st, 2022, the Nexus IQ Data Services will stop accepting weak Transport Layer Security (TLS) cipher suites for HTTPS requests. From then on, only the following cipher suites can be used to initiate secure connections:

  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 aka ECDHE-RSA-AES128-GCM-SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 aka ECDHE-RSA-AES256-GCM-SHA384
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 aka ECDHE-RSA-CHACHA20-POLY1305

Background

In September 2021, we started requiring TLS 1.2 for HTTPS requests to increase security for the Data Services. The change to the accepted cipher suites further aids this goal by discontinuing support for ciphers that are deemed weak by today’s cryptographic standards.

According to our logs, more than 99.9% of existing traffic to the Nexus IQ Data Services already employs one of the six strong cipher suites listed above, making this change in configuration mostly a formality.

Impact

The Nexus IQ Data Services provide component information for all editions of Nexus IQ Server and the Repository Health Check feature in Nexus Repository Manager. For these products to successfully connect to the IQ Data Services going forward, they need to employ a somewhat modern Java runtime environment such as

  • Java 7 build 191 or newer
  • Java 8 or newer

Given that Java 8 has been required by Nexus IQ Server since version 1.42 and by Nexus Repository Manager since version 2.14.11, most of our end users do not need to take any further action.

If the Java runtime used by your organization to run our products is too old, you will encounter SSL exceptions with a message like “Received close_notify during handshake”. Updating to Java 8 or newer is the recommended course of action. Otherwise, depending on the exact build number of the Java runtime, you might be able to resolve the issue by explicitly configuring the cipher suites via the following two system properties:

  • https.cipherSuites
  • jdk.tls.client.cipherSuites

Both system properties would need to be set to the same comma-separated value: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
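A preflight check that can be run on the JVM an organization uses for Nexus IQ Server or Nexus Repository Manager, to find out before the cut-over whether that runtime enables any of the six accepted cipher suites. This is an added example, not code from Sonatype or the products; the class name IqCipherPreflight is made up for the illustration, and the accepted-suite list and the OpenSSL-style aliases are copied from the announcement above. Run it with the same java binary and the same -D system properties that the product is started with, so that any https.cipherSuites or jdk.tls.client.cipherSuites setting is reflected in the result.

```java
import javax.net.ssl.SSLContext;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Reports whether this JVM can still reach the Nexus IQ Data Services after the cipher change. */
public class IqCipherPreflight {

    // The six cipher suites the Data Services accept from March 31st, 2022 (IANA names, as used by Java).
    static final Set<String> ACCEPTED = new HashSet<String>(Arrays.asList(
        "TLS_AES_128_GCM_SHA256",
        "TLS_AES_256_GCM_SHA384",
        "TLS_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"));

    // OpenSSL-style aliases listed in the announcement, so names copied from an openssl or curl
    // session can be fed in as well.
    static final Map<String, String> ALIASES = new HashMap<String, String>();
    static {
        ALIASES.put("ECDHE-RSA-AES128-GCM-SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
        ALIASES.put("ECDHE-RSA-AES256-GCM-SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
        ALIASES.put("ECDHE-RSA-CHACHA20-POLY1305", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256");
    }

    /** Normalizes an OpenSSL alias to its IANA name; IANA names pass through unchanged. */
    static String canonical(String suite) {
        String alias = ALIASES.get(suite);
        return alias != null ? alias : suite;
    }

    /** Returns the subset of the given suites that the Data Services will still accept. */
    static List<String> acceptedSuitesIn(String[] suites) {
        List<String> usable = new ArrayList<String>();
        for (String suite : suites) {
            String name = canonical(suite);
            if (ACCEPTED.contains(name) && !usable.contains(name)) {
                usable.add(name);
            }
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Enabled suites are what the JVM actually offers in a handshake; supported suites are
        // everything it could offer if configured to (for example via jdk.tls.client.cipherSuites).
        String[] enabled = ctx.getDefaultSSLParameters().getCipherSuites();
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();

        List<String> usableEnabled = acceptedSuitesIn(enabled);
        List<String> usableSupported = acceptedSuitesIn(supported);

        System.out.println("Java runtime: " + System.getProperty("java.version"));
        System.out.println("Accepted suites enabled by default: " + usableEnabled);

        if (!usableEnabled.isEmpty()) {
            System.out.println("OK: this JVM can connect to the Nexus IQ Data Services.");
            return;
        }
        if (!usableSupported.isEmpty()) {
            // The runtime knows the suites but does not offer them; the two properties from the
            // announcement can enable them explicitly.
            System.out.println("Accepted suites supported but not enabled: " + usableSupported);
            System.out.println("Set https.cipherSuites and jdk.tls.client.cipherSuites to "
                + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
        } else {
            System.out.println("This JVM supports none of the accepted suites; update to Java 8 or newer.");
        }
        System.exit(1);
    }
}
```

The exit status makes the check usable from a startup script: a non-zero status means the product, started on this runtime with these settings, would fail its handshake with the "Received close_notify during handshake" error described above. Because the check reads the JVM's own TLS configuration rather than contacting the service, it can be run in advance and offline.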