OkHttpConnector: Enforce use of TLSv1.2 to match current Github and Github Enterprise TLS support. #420
Conversation
and Github Enterprise TLS support.
|
CC @KostyaSha @lanwen @stephenc who maintain the dependent plugins |
|
@oleg-nenashev i don't maintain it since cloudbees .... |
|
Well, I added you to CC so that you know where to redirect the issues 🤷♂️ |
|
@kohsuke Do you agree if I merge this PR and cut a release? |
| private SSLSocketFactory TlsSocketFactory() { | ||
| SSLContext sc; | ||
| try { | ||
| sc = SSLContext.getInstance("TLSv1.2"); |
There was a problem hiding this comment.
@randomvariable how does this affect people that are behind a HTTPS proxy where they connect to github via that proxyusing say TLS 1.1 or SSL and then the proxy does the connection. Does this lock them out as they will not be able to handshake with the proxy?
There was a problem hiding this comment.
I guess it will affect, also people can change connector on their side AFAIR.
|
Are there plans to cut a new version of the plugin? |
On Feb 8, 2018, Github changed their TLS settings to be 1.2 only.
Most recent Jenkins installs are OK as Java 1.8 defaults to TLS 1.2, however some people see intermittent
or continuous failures with connecting to Github in a variety of configurations:
e.g. https://issues.jenkins-ci.org/browse/JENKINS-49761?jql=project%20%3D%20JENKINS%20AND%20component%20%3D%20github-api-plugin
This PR creates a new TLS v1.2 only SSLContext and attaches its socket factory to the urlFactory passed to OkHttpConnector, which is used by most Github plugins in Jenkins.