SONAR-6140: Ability to restrict HTTPS ciphers


    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.5.4, 5.1
    • Component/s: Web


      SQ 4.5.2 dropped support for SSLv3 because of the POODLE vulnerability (see https://jira.codehaus.org/browse/SONAR-5860). That does not mean that HTTPS is now fully secured: the ciphers used by SQ's Tomcat are the JVM defaults, and some of them are known to be weak, even if they were considered strong until quite recently. That is for example the case of RC4, which Microsoft recommends disabling.

      What does that mean?
      SQ should allow a restricted list of ciphers to be used. This property already exists in Tomcat (see "ciphers" at http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support) but it can't be set through SQ settings.
      Ciphers are provided by the JVM, which is a good reason to always use a recent version of Java. For example Java 7 does not support the recommended AES-GCM ciphers, but Java 8 does (http://stackoverflow.com/a/21290409/229031). An alternative is to install a JVM extension such as https://www.bouncycastle.org/

      Add the property sonar.web.https.ciphers:

      # HTTPS - comma separated list of encryption ciphers to support for HTTPS connections.
      # If specified, only the ciphers that are listed and supported by the SSL implementation will be used.
      # By default, the default ciphers for the JVM will be used. Note that this usually means that the weak
      # export grade ciphers, for instance RC4, will be included in the list of available ciphers.
      # The ciphers are specified using the JSSE cipher naming convention (see
      # https://www.openssl.org/docs/apps/ciphers.html)
      # Example: sonar.web.https.ciphers=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384


      The ciphers should be logged at server startup:

      2015.01.31 22:34:36 INFO  web[o.s.s.a.EmbeddedTomcat]  HTTP connector enabled on port 9000
      2015.01.31 22:34:36 INFO  web[o.s.s.a.EmbeddedTomcat]  HTTPS connector enabled on port 8443 | ciphers=JVM Defaults
      2015.01.31 22:34:37 INFO  app[o.s.p.m.Monitor] Process[web] is up
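The following Python example, added here and not taken from SonarQube or Tomcat, models the property semantics described above: an unset or blank sonar.web.https.ciphers means "JVM Defaults", otherwise only the listed suites that the SSL implementation actually supports are enabled. It also builds the startup log text and flags the weak families the ticket mentions (RC4, export grade). The supported-suite set, the weak-marker list and the JSSE name pattern are constructed assumptions for illustration; the real EmbeddedTomcat code is not shown.

```python
import re

# Constructed sample of suites a JVM's SSL implementation might offer.
# This set is illustrative, not a real JVM default list.
SUPPORTED_BY_JVM = frozenset({
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
})

# JSSE-style suite names look like TLS_... or SSL_...; OpenSSL-style names
# such as ECDHE-RSA-AES128-SHA256 use hyphens and are rejected on purpose.
# Assumption: a simple shape check, not the full JSSE grammar.
JSSE_NAME = re.compile(r"^(TLS|SSL)_[A-Za-z0-9_]+$")

# Substrings marking suites the ticket calls weak (RC4, export grade) plus a
# few other classic weak families.  Assumption: our own list, not SQ's.
WEAK_MARKERS = ("_RC4_", "_EXPORT_", "_NULL_", "_anon_", "_DES_", "_3DES_", "_MD5")


def parse_cipher_property(value):
    """Split the comma-separated property value into suite names.

    Returns None when the property is unset or blank (meaning JVM defaults).
    Raises ValueError if a token is not a JSSE-style suite name.
    """
    if value is None or not value.strip():
        return None
    names = [tok.strip() for tok in value.split(",") if tok.strip()]
    bad = [n for n in names if not JSSE_NAME.match(n)]
    if bad:
        raise ValueError("not JSSE cipher names: %s" % ", ".join(bad))
    return names


def effective_ciphers(value, supported=SUPPORTED_BY_JVM):
    """Return the suites the connector would actually enable.

    Unset property: every supported suite (the JVM defaults; the real JVM
    order is implementation-defined, sorted here for determinism).
    Otherwise: the listed suites that are supported, in the listed order,
    silently dropping names the implementation does not know.
    """
    names = parse_cipher_property(value)
    if names is None:
        return sorted(supported)
    return [n for n in names if n in supported]


def weak_ciphers(names):
    """Return the suites in `names` that match a weak-family marker."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def startup_log_line(value, port=8443):
    """Build the log text the ticket asks EmbeddedTomcat to emit at startup."""
    names = parse_cipher_property(value)
    shown = "JVM Defaults" if names is None else ",".join(names)
    return "HTTPS connector enabled on port %d | ciphers=%s" % (port, shown)


if __name__ == "__main__":
    for setting in (None,
                    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"):
        enabled = effective_ciphers(setting)
        print(startup_log_line(setting))
        print("  enabled:", enabled)
        print("  weak   :", weak_ciphers(enabled))
```

With the property unset, the constructed defaults still include RC4 and an export suite, which is exactly why the ticket asks for a way to restrict the list; with the two CBC suites from the property's own example, nothing weak remains. A value written in OpenSSL notation is rejected by parse_cipher_property, which matters because the property comment points at the OpenSSL cipher page while the names themselves must follow the JSSE convention.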





              • Assignee: Simon Brandhof (simon.brandhof, Inactive)
              • Votes: 1
              • Watchers: 5

