SonarQube issue SONAR-6140

Ability to restrict HTTPS ciphers

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.5.4, 5.1
    • Component/s: Web
    • Labels: None

      Description

      SQ 4.5.2 dropped the support of SSLv3 because of the Poodle vulnerability (see https://jira.codehaus.org/browse/SONAR-5860). That does not mean that HTTPS is now fully secured. The ciphers used by SQ Tomcat are the JVM defaults. Unfortunately some of them are known to be weak, even if they were considered strong until quite recently. That's for example the case of RC4, which is recommended to be disabled by Microsoft:

      What does that mean?
      SQ should allow the use of a restricted list of ciphers. This property already exists in Tomcat (see "ciphers" at http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support) but it can't be set by SQ settings.
      Ciphers are provided by the JVM, so that is a good reason to always use a recent version of Java. For example Java 7 does not support the recommended AES-GCM ciphers, but Java 8 does (http://stackoverflow.com/a/21290409/229031). An alternative is to install JVM extensions like https://www.bouncycastle.org/

      Solution
      Add the property sonar.web.https.ciphers :

      # HTTPS - comma separated list of encryption ciphers to support for HTTPS connections.
      # If specified, only the ciphers that are listed and supported by the SSL implementation will be used.
      # By default, the default ciphers for the JVM will be used. Note that this usually means that the weak
      # export grade ciphers, for instance RC4, will be included in the list of available ciphers.
      # The ciphers are specified using the JSSE cipher naming convention (see
      # https://www.openssl.org/docs/apps/ciphers.html)
      # Example: sonar.web.https.ciphers=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
      #sonar.web.https.ciphers=
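      Because only the listed suites that the SSL implementation also supports are used, a suite that the running JVM lacks (such as AES-GCM on Java 7) is silently dropped from the configured list. The following added example (not SonarQube's own code) reads sonar.web.https.ciphers from a sonar.properties file and reports, for the JVM it is run on, which configured suites are supported and which would be ignored; the weak-suite regular expression is a hypothetical policy, not anything defined by SonarQube.

```java
import javax.net.ssl.SSLContext;
import java.io.FileInputStream;
import java.util.*;
import java.util.regex.Pattern;

// Added example: check a sonar.web.https.ciphers list against the JVM that will run SonarQube.
public class CipherCheck {
    // Hypothetical policy: suites whose JSSE name contains one of these tokens are treated as weak.
    private static final Pattern WEAK =
        Pattern.compile("_(RC4|DES|3DES|NULL|EXPORT|anon|MD5)_?", Pattern.CASE_INSENSITIVE);

    // Split the comma-separated property into trimmed suite names; empty means "JVM defaults".
    static List<String> configuredCiphers(Properties props) {
        String raw = props.getProperty("sonar.web.https.ciphers", "").trim();
        List<String> out = new ArrayList<>();
        if (raw.isEmpty()) return out;
        for (String c : raw.split(",")) {
            String t = c.trim();
            if (!t.isEmpty()) out.add(t);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        Properties props = new Properties();
        // Path is an assumption: pass the real sonar.properties location as the first argument.
        try (FileInputStream in = new FileInputStream(args.length > 0 ? args[0] : "conf/sonar.properties")) {
            props.load(in);
        }
        SSLContext ctx = SSLContext.getDefault();
        List<String> configured = configuredCiphers(props);
        if (configured.isEmpty()) {
            // Property unset: Tomcat would use the JVM default suites, so show those instead.
            System.out.println("sonar.web.https.ciphers not set; JVM default suites would be used:");
            for (String s : ctx.getDefaultSSLParameters().getCipherSuites()) {
                System.out.println("  " + s + (WEAK.matcher(s).find() ? "   <-- matches weak pattern" : ""));
            }
            return;
        }
        Set<String> supported = new HashSet<>(Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        for (String c : configured) {
            String status = supported.contains(c) ? "supported" : "NOT supported by this JVM (would be ignored)";
            String weak = WEAK.matcher(c).find() ? ", matches weak pattern" : "";
            System.out.println(c + ": " + status + weak);
        }
    }
}
```

      Run it with the same JVM that starts SonarQube, since the supported set differs between Java versions.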

      Links

      The ciphers should be logged at server startup:

      2015.01.31 22:34:36 INFO  web[o.s.s.a.EmbeddedTomcat]  HTTP connector enabled on port 9000
      2015.01.31 22:34:36 INFO  web[o.s.s.a.EmbeddedTomcat]  HTTPS connector enabled on port 8443 | ciphers=JVM Defaults
      2015.01.31 22:34:37 INFO  app[o.s.p.m.Monitor] Process[web] is up


              • Assignee: Simon Brandhof (Inactive)
              • Reporter: Simon Brandhof (Inactive)
              • Votes: 1
              • Watchers: 5
