Proxy repository with 2way SSL


Serge Krawczenko

Feb 5, 2018, 11:27:05 AM
to Nexus Users
Trying to configure a remote repository that requires a client-side certificate.

I have a pair of Nexus nodes; the first one has a hosted repository and a reverse proxy with SSL and a CA.

The second Nexus is where the proxied repo is being configured; the CA is added to the trust store and the remote repository is marked as Active.

The question is where to provision the client-side certificate required by the remote side?

There is no such functionality in the web interface. I imported it into keystore.jks, a Java keystore, but still get an SSL handshake error.

Please advise for both versions 2 and 3. Thanks a lot.

Peter Lynch

Feb 5, 2018, 1:55:13 PM
to Serge Krawczenko, Nexus Users
On Mon, Feb 5, 2018 at 12:27 PM, Serge Krawczenko <skraw...@gmail.com> wrote:
> Trying to configure a remote repository that requires a client-side certificate.
>
> I have a pair of Nexus nodes; the first one has a hosted repository and a reverse proxy with SSL and a CA.
>
> The second Nexus is where the proxied repo is being configured; the CA is added to the trust store and the remote repository is marked as Active.
>
> The question is where to provision the client-side certificate required by the remote side?

Are you asking about PKI certificate authentication? If so, Nexus does not support that in isolation:

> There is no such functionality in the web interface. I imported it into keystore.jks, a Java keystore, but still get an SSL handshake error.
>
> Please advise for both versions 2 and 3. Thanks a lot.

If instead you are only asking that the proxy repository trust the identity of the remote https:// connection, then refer to these docs:



--
You received this message because you are subscribed to the Google Groups "Nexus Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nexus-users+unsubscribe@glists.sonatype.com.
To post to this group, send email to nexus...@glists.sonatype.com.
To view this discussion on the web visit https://groups.google.com/a/glists.sonatype.com/d/msgid/nexus-users/7ff65ce8-5c49-4210-ac94-de9888205a74%40glists.sonatype.com.
For more options, visit https://groups.google.com/a/glists.sonatype.com/d/optout.

Serge Krawczenko

Feb 6, 2018, 8:21:25 AM
to Peter Lynch, Nexus Users
Peter, thank you for your response.

Let me explain.

The first Nexus, which hosts the repository, has Apache httpd with SSL in front of it.
The second Nexus proxies requests to this repo.
In the basic configuration, I managed to add the CA to the second Nexus's Java cacerts and it works correctly with the remote repo.

However, for various reasons, I need to implement two-way SSL between these Nexus nodes.
That implies the 'SSLVerifyClient require' option on the front Apache httpd.
The "client" or 'second' Nexus will validate the 'server' or 'first' Nexus certificate, then the 'first' Nexus (Apache, actually)
will request a valid certificate from the 'second' Nexus.

This is a standard SSL/TLS feature.
Not sure if relevant here, but I managed to set it up between Artifactory and Nexus: the remote repository configuration in Artifactory allows placing a specific certificate for a given URL.
Therefore, this option must be available in Spring or whatever framework is used by Nexus.

My question is: since there's no web GUI function for this, is there any way to configure a specific certificate for a specific remote repository URL manually?
Regardless of Nexus version.

With gratitude,
Serge.



Peter Lynch

Feb 6, 2018, 10:47:02 AM
to Serge Krawczenko, Nexus Users
On Tue, Feb 6, 2018 at 9:21 AM, Serge Krawczenko <skraw...@gmail.com> wrote:
> Peter, thank you for your response.
>
> Let me explain.
>
> The first Nexus, which hosts the repository, has Apache httpd with SSL in front of it.
> The second Nexus proxies requests to this repo.
> In the basic configuration, I managed to add the CA to the second Nexus's Java cacerts and it works correctly with the remote repo.
>
> However, for various reasons, I need to implement two-way SSL between these Nexus nodes.
> That implies the 'SSLVerifyClient require' option on the front Apache httpd.
> The "client" or 'second' Nexus will validate the 'server' or 'first' Nexus certificate, then the 'first' Nexus (Apache, actually)
> will request a valid certificate from the 'second' Nexus.
>
> This is a standard SSL/TLS feature.
> Not sure if relevant here, but I managed to set it up between Artifactory and Nexus: the remote repository configuration in Artifactory allows placing a specific certificate for a given URL.
> Therefore, this option must be available in Spring or whatever framework is used by Nexus.
>
> My question is: since there's no web GUI function for this, is there any way to configure a specific certificate for a specific remote repository URL manually?

There is no UI to set this up. Nexus will load certificates from the JVM keystore though - did you try importing the client cert into the Java keystore used by the client Nexus? I would expect that to work in your scenario.

Serge Krawczenko

Feb 7, 2018, 8:40:44 AM
to Peter Lynch, Nexus Users
Thanks again, but it still seems like something is wrong.

What I've done:

- added -Djavax.net.ssl.keyStore and -Djavax.net.ssl.keyStorePassword
- imported all required certs into the keystore and the CA into the trust store
- double-checked their presence with keytool -list
- turned on -Djavax.net.debug=ssl

Then I caught the moment of failure:

 *** ECDH ServerKeyExchange
jvm 1    | Signature Algorithm SHA512withRSA
jvm 1    | Server key: Sun EC public key, 256 bits
jvm 1    |   public x coord: 60915594404272064353207961992993588027361236305734841476208335393254555682414
jvm 1    |   public y coord: 30785886758139729296042367288826305848299120986688732920275692654667754989981
jvm 1    |   parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
jvm 1    | proxy-3-thread-3, READ: TLSv1.2 Handshake, length = 160
jvm 1    | *** CertificateRequest
jvm 1    | Cert Types: RSA, DSS, ECDSA
jvm 1    | Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
jvm 1    | Cert Authorities:
jvm 1    | <CN=CA, O=mycompany, L=SFO, C=US>
jvm 1    | *** ServerHelloDone
jvm 1    | Warning: no suitable certificate found - continuing without client authentication
jvm 1    | *** Certificate chain
jvm 1    | <Empty>
jvm 1    | ***
jvm 1    | *** ECDHClientKeyExchange


There's not much to google about it, but it might be insufficient parameters for the Java SSL framework or HttpClient.
Something like it not using the keystore in the case of a two-way SSL exchange.
But I'm not a Java developer at all, so I can't investigate deeper; I'd appreciate it if someone could build a lab and reproduce.
Tested with Nexus 2.14.
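The debug output above is the key evidence in this thread: the server's CertificateRequest names the accepted key types and CA subjects, and the JSSE client then answers "no suitable certificate found" and sends an empty chain. The script below is an added example (it is not from the thread or from Nexus) that parses that kind of -Djavax.net.debug=ssl output and applies the same selection rule the JSSE X509KeyManager uses when choosing a client alias: a keystore entry qualifies only if it holds a private key, its key algorithm maps to one of the requested cert types, and the issuer of some certificate in its chain is one of the requested authorities. The log lines and keystore entries are constructed sample data; the keystore is modelled as plain dicts standing in for a keytool -list, which is an assumption made for the sake of a self-contained example. Running it against a real keystore listing separates "the keystore has nothing the server would accept" from "the client never consulted the keystore", which is the distinction the rest of the thread turns on.

```python
"""Diagnose a TLS client-auth failure from JSSE debug output (added example)."""
import re

# Constructed sample of -Djavax.net.debug=ssl output, trimmed to the
# CertificateRequest / ServerHelloDone / client Certificate exchange.
SAMPLE_DEBUG_LOG = """\
jvm 1    | *** CertificateRequest
jvm 1    | Cert Types: RSA, DSS, ECDSA
jvm 1    | Supported Signature Algorithms: SHA512withRSA, SHA256withECDSA
jvm 1    | Cert Authorities:
jvm 1    | <CN=CA, O=mycompany, L=SFO, C=US>
jvm 1    | *** ServerHelloDone
jvm 1    | Warning: no suitable certificate found - continuing without client authentication
jvm 1    | *** Certificate chain
jvm 1    | <Empty>
"""

# Constructed stand-in for `keytool -list -v` output: one dict per entry.
# A trustedCertEntry has no private key, so it can never be used as a
# client identity even though the CA "is in the keystore".
SAMPLE_KEYSTORE = [
    {"alias": "ca", "entry_type": "trustedCertEntry", "key_alg": "RSA",
     "chain_issuers": ["CN=CA, O=mycompany, L=SFO, C=US"]},
    {"alias": "other-client", "entry_type": "PrivateKeyEntry", "key_alg": "EC",
     "chain_issuers": ["CN=Unrelated CA, O=elsewhere, C=US"]},
    {"alias": "nexus-client", "entry_type": "PrivateKeyEntry", "key_alg": "RSA",
     "chain_issuers": ["CN=CA, O=mycompany, L=SFO, C=US"]},
]

# KeyStore key algorithm -> TLS client certificate type named in Cert Types.
KEY_TYPE_FOR_ALG = {"RSA": "RSA", "EC": "ECDSA", "DSA": "DSS"}


def parse_certificate_request(log_text):
    """Return (cert_types, authorities, warned) from JSSE debug lines."""
    cert_types, authorities = [], []
    in_request = in_authorities = warned = False
    for raw in log_text.splitlines():
        # Drop the wrapper's "jvm 1    |" prefix if present.
        line = raw.split("|", 1)[1].strip() if "|" in raw else raw.strip()
        if line.startswith("*** CertificateRequest"):
            in_request = True
            continue
        if line.startswith("***"):
            in_request = in_authorities = False
        if "no suitable certificate found" in line:
            warned = True
        if not in_request:
            continue
        if line.startswith("Cert Types:"):
            cert_types = [t.strip() for t in line[len("Cert Types:"):].split(",")]
        elif line.startswith("Cert Authorities:"):
            in_authorities = True
        elif in_authorities:
            m = re.match(r"<(.+)>$", line)
            if m:
                authorities.append(m.group(1))
    return cert_types, authorities, warned


def normalize_dn(dn):
    """Loose DN comparison: ignore case and whitespace around components."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def select_client_alias(keystore_entries, cert_types, authorities):
    """Mimic X509KeyManager.chooseClientAlias(): first usable entry or None."""
    wanted = {normalize_dn(a) for a in authorities}
    for entry in keystore_entries:
        if entry["entry_type"] != "PrivateKeyEntry":
            continue  # no private key, cannot sign CertificateVerify
        if KEY_TYPE_FOR_ALG.get(entry["key_alg"]) not in cert_types:
            continue  # key type not among the server's Cert Types
        issuers = {normalize_dn(i) for i in entry["chain_issuers"]}
        if wanted and not (issuers & wanted):
            continue  # no cert in the chain issued by an accepted CA
        return entry["alias"]
    return None


def diagnose(log_text, keystore_entries):
    """Return 'keystore-has-no-match', 'client-ignored-keystore' or 'ok'."""
    cert_types, authorities, warned = parse_certificate_request(log_text)
    alias = select_client_alias(keystore_entries, cert_types, authorities)
    if alias is None:
        return "keystore-has-no-match"
    if warned:
        # A usable entry exists but the client still sent no certificate:
        # the SSLContext in use is not backed by this keystore.
        return "client-ignored-keystore"
    return "ok"


if __name__ == "__main__":
    print(parse_certificate_request(SAMPLE_DEBUG_LOG))
    print(select_client_alias(SAMPLE_KEYSTORE, ["RSA", "DSS", "ECDSA"],
                              ["CN=CA, O=mycompany, L=SFO, C=US"]))
    print(diagnose(SAMPLE_DEBUG_LOG, SAMPLE_KEYSTORE))
```

With the sample data the keystore does contain a usable RSA PrivateKeyEntry issued by the requested CA, yet the log still shows the warning, so the verdict is "client-ignored-keystore"; removing the nexus-client entry flips it to "keystore-has-no-match", which is the case to rule out before filing a bug.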



Peter Lynch

Feb 7, 2018, 9:17:31 AM
to Serge Krawczenko, Nexus Users
It's possible there is a bug, but we should gather more info from you. This is not a common setup. I suggest that the latest version of Nexus 3.x be the primary test platform, though, since that is where the bulk of our development efforts are focused and we are unlikely to make drastic transport changes in Nexus 2 to support this scenario should there be a bug.

If you create an issue at https://issues.sonatype.org in the NEXUS project we can look into this further.

When creating the ticket:

- Attach the repro steps for creating the certificates involved; referencing this thread can help.
- Include the complete Nexus log with javax.net.debug output (please zip the entire log files).
- Include client and remote Nexus support zips.

The issue will be private to you and Sonatype by default.

Thanks!

Serge Krawczenko

Feb 7, 2018, 11:17:32 AM
to Peter Lynch, Nexus Users
Retested with the same results on Nexus 3. It looks like the same libraries are used in version 3.
Will submit as a potential bug, but it is likely an SSL library issue.



Rich Seddon

Mar 28, 2018, 3:54:58 PM
to Nexus Users, ply...@sonatype.com
Unfortunately this is a confirmed bug:


Please follow the above issue for updates.

R. Brian DiAngelo

Mar 30, 2018, 8:54:44 AM
to Serge Krawczenko, Nexus Users
I can't see that issue.  Did they delete it?

Brian

On Wed, Mar 28, 2018 at 6:30 AM, Serge Krawczenko <skraw...@gmail.com> wrote:
> I've submitted a ticket quite a long time ago; it is still unassigned.
>
> It's sad the guys have no time to check.
>
> On Fri, Mar 23, 2018 at 10:49 PM, R. Brian DiAngelo <r.brian....@gmail.com> wrote:
> > All,
> >
> > I'm having a similar issue whereby Nexus repository A is unable to proxy to a remote Nexus repository B using 2-way SSL. It appears the issue is that Nexus repository A is not presenting a client certificate to Nexus B (in the SSL debug output I see "Warning: no suitable certificate found - continuing without client authentication").
> >
> > I know the keystore and truststore are loaded with the correct certs. Also, I was able to verify a successful 2-way SSL connection between Nexus repository A and B using openssl s_client with the cert and key exported from the keystore.
> >
> > I am running nexus-3.9.0-01.
> >
> > Is there any progress resolving this issue? This is becoming a major showstopper.
> >
> > Thanks,
> > Brian

Serge Krawczenko

Mar 30, 2018, 8:54:44 AM
to R. Brian DiAngelo, Nexus Users
I've submitted a ticket quite a long time ago; it is still unassigned.

It's sad the guys have no time to check.

On Fri, Mar 23, 2018 at 10:49 PM, R. Brian DiAngelo <r.brian....@gmail.com> wrote:
> All,
>
> I'm having a similar issue whereby Nexus repository A is unable to proxy to a remote Nexus repository B using 2-way SSL. It appears the issue is that Nexus repository A is not presenting a client certificate to Nexus B (in the SSL debug output I see "Warning: no suitable certificate found - continuing without client authentication").
>
> I know the keystore and truststore are loaded with the correct certs. Also, I was able to verify a successful 2-way SSL connection between Nexus repository A and B using openssl s_client with the cert and key exported from the keystore.
>
> I am running nexus-3.9.0-01.
>
> Is there any progress resolving this issue? This is becoming a major showstopper.
>
> Thanks,
> Brian


Serge Krawczenko

Mar 30, 2018, 8:54:44 AM
to R. Brian DiAngelo, Nexus Users
This is probably due to the security level I set... I hope Sonatype is able to see it.




Rich Seddon

Mar 30, 2018, 9:44:10 AM
to Serge Krawczenko, R. Brian DiAngelo, Nexus Users
By default, issues submitted to our Jira are not shared with the public. We will make them public if they are of general interest and they do not have end-user configuration on them that people might not want to share. The issue above does have attachments, so it has been left private.

Follow this issue for updates on this problem:



