HTTP/HTTPS Redirection and SSL Config


tiger...@ahamobile.com

Jan 13, 2016, 1:04:01 PM
to SonarQube
Hello All

I installed Sonar 5.2 with the Linux native package (http://downloads.sourceforge.net/project/sonar-pkg/rpm/sonar.repo) and configured it to bind on HTTPS port 443 (through authbind).

I have two questions:
  1. How to redirect HTTP to HTTPS?
  2. How to improve the SSL Labs rating (https://www.ssllabs.com/ssltest/)? There are two SSL issues I'd like to address:
    • This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
    • The server does not support Forward Secrecy with the reference browsers.
Thanks,
Tiger

Simon Brandhof

Jan 18, 2016, 4:58:45 PM
to tiger...@ahamobile.com, SonarQube
Hi Tiger,
  1. How to redirect HTTP to HTTPS?
No, it's not possible natively. You should install a proxy.
  2. How to improve the SSL Labs rating (https://www.ssllabs.com/ssltest/)? There are two SSL issues I'd like to address:
    • This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
    • The server does not support Forward Secrecy with the reference browsers.
https://nemo.sonarqube.org is grade A at ssllabs.com with the current development version of SonarQube. I recommend upgrading to version 5.3 and using the latest version of Java 8.
For disabling the weak Diffie-Hellman ciphers, you should use the property "sonar.web.https.ciphers" defined in conf/sonar.properties.

Regards

Simon Brandhof

Jan 18, 2016, 5:18:10 PM
to tiger...@ahamobile.com, SonarQube
In fact I'm not sure that nemo.sonarqube.org uses the native HTTPS support of SonarQube. I will get back to you when I have some news from our ops team.


Simon BRANDHOF | SonarSource
Tech Lead & Co-Founder
http://twitter.com/SimonBrandhof

Michel Pawlak

Jan 19, 2016, 6:32:54 AM
to SonarQube, tiger...@ahamobile.com
Hi,

These two vulnerabilities are not related at all to the version of SQ, but to the list of encryption ciphers that are allowed by the server. At least since mid January 2015 (and version 4.5.4), we can specify the ciphers that are allowed in SonarQube. We have to configure sonar.web.https.ciphers properly in sonar.properties; otherwise, as stated in the file, the default values for the JVM will be used, which can lead to vulnerabilities.

@Simon, is there a specific reason for telling Tiger to update to 5.3 in this context? Isn't it sufficient to specify the ciphers that have to be allowed?

Back to the two vulnerabilities Tiger is facing:
@Tiger, what I would do is select the right ciphers to allow based on these two posts:
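As an added example (not code from any post in this thread or from SonarQube itself), the following script builds a sonar.web.https.ciphers value that addresses both SSL Labs findings discussed above: it keeps only suites with an ephemeral (forward-secret) key exchange and, by default, drops finite-field DHE suites so the weak DH parameter finding disappears. It assumes the property takes a comma-separated list of JSSE suite names, and the candidate list is a constructed sample rather than a real JVM's default set.

```python
import re

# Constructed sample of JSSE suite names a JVM might enable by default.
DEFAULT_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",   # forward secret, but DH params may be weak
    "TLS_RSA_WITH_AES_128_GCM_SHA256",       # static RSA: no forward secrecy
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",         # legacy cipher
    "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",    # anonymous: no server authentication
    "SSL_RSA_WITH_RC4_128_SHA",              # legacy cipher
]

# Bulk ciphers that should never be offered, whatever the key exchange.
LEGACY_CIPHER = re.compile(r"_(RC4|3DES|DES|NULL|EXPORT)_", re.IGNORECASE)


def provides_forward_secrecy(suite):
    """Ephemeral key exchange (ECDHE or DHE) with an authenticated peer."""
    return ("_ECDHE_" in suite or "_DHE_" in suite) and "_anon_" not in suite


def uses_finite_field_dh(suite):
    """Finite-field DHE is where the 'weak DH parameters' finding comes from."""
    return "_DHE_" in suite and "_ECDHE_" not in suite


def select_ciphers(candidates, allow_dhe=False):
    """Keep forward-secret, non-legacy suites; drop DHE unless explicitly allowed."""
    chosen = []
    for suite in candidates:
        if not provides_forward_secrecy(suite):
            continue
        if LEGACY_CIPHER.search(suite):
            continue
        if uses_finite_field_dh(suite) and not allow_dhe:
            continue
        chosen.append(suite)
    return chosen


def sonar_properties_line(candidates, allow_dhe=False):
    """Render the chosen suites as the sonar.properties entry (assumed comma-separated)."""
    return "sonar.web.https.ciphers=" + ",".join(select_ciphers(candidates, allow_dhe))


if __name__ == "__main__":
    print(sonar_properties_line(DEFAULT_SUITES))
```

Only the three ECDHE suites survive the default selection; pass `allow_dhe=True` if the JVM in use is known to generate 2048-bit DH parameters.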

Simon Brandhof

Jan 20, 2016, 9:02:35 AM
to Michel Pawlak, SonarQube, tiger...@ahamobile.com


@Simon, is there a specific reason for telling Tiger to update to 5.3 in this context? Isn't it sufficient to specify the ciphers that have to be allowed?

Hi Michel, each new version may fix vulnerability issues and upgrade Tomcat, for instance. I didn't check 5.3 compared to 5.2, so no specific reason to upgrade indeed.