SQ 4.5.2 dropped support for SSLv3 because of the POODLE vulnerability (see https://jira.codehaus.org/browse/SONAR-5860). That does not mean that HTTPS is now fully secured. The ciphers used by the SQ Tomcat are the JVM defaults. Unfortunately some of them are known to be weak, even if they were considered strong until quite recently. That is for example the case of RC4, which Microsoft recommends disabling:
What does that mean?
SQ should allow a restricted list of ciphers to be used. This property already exists in Tomcat (see "ciphers" at http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support) but it cannot be set through SQ settings.
Ciphers are provided by the JVM, which is a good reason to always use a recent version of Java. For example Java 7 does not support the recommended AES-GCM ciphers, but Java 8 does (http://stackoverflow.com/a/21290409/229031). An alternative is to install a JVM extension such as https://www.bouncycastle.org/
Add the property sonar.web.https.ciphers. Useful references for choosing the cipher list:
- Recommendation from Mozilla (https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29)
- Recommendation from OWASP (https://www.owasp.org/index.php/Talk:Securing_tomcat)
- SSL/TLS, ciphers, perfect forward secrecy and Tomcat (https://blog.eveoh.nl/2014/02/tls-ssl-ciphers-pfs-tomcat/)
- Best Practices for Securing Apache Tomcat 7 (http://www.tomcatexpert.com/blog/2011/11/02/best-practices-securing-apache-tomcat-7)
- How to disable weak ciphers in Tomcat (https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2-in-tomcat.html)
- Atlassian documentation for Stash (https://confluence.atlassian.com/display/STASHKB/List+ciphers+used+by+JVM#)
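As an added illustration (not SonarQube or Tomcat code), the script below shows how such a restricted value for sonar.web.https.ciphers could be derived from the suites the JVM reports, and how to detect a JVM with no AES-GCM support. The names in JVM_SUPPORTED are a constructed sample, and the weak-algorithm pattern and preference order are this example's own policy.

```python
"""Derive a sonar.web.https.ciphers value from the suites a JVM reports.
Added example, not SonarQube or Tomcat code: JVM_SUPPORTED is a constructed
sample of JSSE suite names; the weak pattern and ordering are this example's
own policy, not the project's.
"""
import re

JVM_SUPPORTED = [  # constructed: a mix of strong, legacy and broken suites
    "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_NULL_MD5",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
]

# Rejected: RC4, null encryption, export grades, anonymous key exchange,
# (3)DES and MD5-based MACs.
WEAK = re.compile(r"RC4|_NULL_|EXPORT|_anon_|DES|_MD5$")

def reject_reason(suite):
    """Return the weak token found in the suite name, or None if acceptable."""
    m = WEAK.search(suite)
    return m.group(0) if m else None

def preference(suite):
    """Sort key: forward-secret key exchange first, then AEAD (GCM), then key size."""
    kx = 0 if "ECDHE" in suite else 1 if "_DHE_" in suite else 2
    aead = 0 if "GCM" in suite else 1
    return (kx, aead, 0 if "AES_256" in suite else 1)

def build_cipher_list(supported):
    """Filter and order suites into the comma-separated form Tomcat's
    "ciphers" attribute expects, most preferred first."""
    ok = [s for s in supported if reject_reason(s) is None]
    return ",".join(sorted(ok, key=preference))

def supports_gcm(supported):
    """False on a JVM (e.g. Java 7) that offers no AES-GCM suite at all."""
    return any("GCM" in s for s in supported)

if __name__ == "__main__":
    for s in JVM_SUPPORTED:
        r = reject_reason(s)
        print(("drop (%s)" % r if r else "keep").ljust(14), s)
    print("sonar.web.https.ciphers=" + build_cipher_list(JVM_SUPPORTED))
    if not supports_gcm(JVM_SUPPORTED):
        print("warning: no AES-GCM suite available, upgrade the JVM")
```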
The ciphers should be logged at server startup: