
For JNLP slaves the master-slave communication should be encrypted

      For more details about the requirements and possible implementation refer to:
      https://groups.google.com/forum/#!topic/jenkinsci-dev/Q1KMOSE1IEc


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          core/src/main/java/jenkins/slaves/DefaultJnlpSlaveReceiver.java
          core/src/main/java/jenkins/slaves/JnlpAgentReceiver.java
          core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol.java
          core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol2.java
          core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol3.java
          core/src/main/java/jenkins/slaves/JnlpSlaveHandshake.java
          pom.xml
          http://jenkins-ci.org/commit/jenkins/af1a53d91c4863f27e4fad295911f131beb64b9a
          Log:
          Merge pull request #2010 from jenkinsci/jnlp3

          [FIXED JENKINS-26580][FIXED JENKINS-28289] Activate JNLP3 support
          (cherry picked from commit 6d3e05439643097d2f172761ea82a32a857d058a)

          Oliver Gondža added a comment -

          Fixing this on master caused JENKINS-33886, not backporting this into LTS.

          Oleg Nenashev added a comment -

          The change has been reverted from 1.651.1: https://github.com/jenkinsci/jenkins/commit/343e65f28d15dc8c025a4aa98cd3c0169ebd224f
          I suspect JNLP3 has never been enabled by default in 1.651.x


          Aaron Curley added a comment -

          Hi all,

          Correct me if I'm mistaken (since I've only taken a cursory look at the JNLP3 implementation, and that look was a few months ago) but aren't we currently using a custom-built "secure" transport protocol? (i.e. we built our own protocol using cryptographic primitives?)

          If so, this seems like an incorrect approach. It is generally recognized in our industry that "rolling your own cryptographic protocol" is a clear path to subtle cryptographic vulnerabilities.

          Isn't this something that we could just use TLS for? Provided we use strong settings (TLSv1.2, good ciphers, etc) wouldn't that give us a much better guarantee of security (than something custom-built)?


          Oleg Nenashev added a comment -

          aaron312 Remoting 3 is going to include JNLP4 based on TLS. It's already integrated, but we have not released it yet


          Aaron Curley added a comment -

          Great! Good to know.


          Marko Andrijevic added a comment -

          Hi oleg_nenashev,

          Can you please reference the Jenkins Master/Slave software version that contains the fix for this issue and the location where the fixed version(s) can be downloaded from?

          Thanks,
          Marko

          Oleg Nenashev added a comment -

          marko_andrijevic So the fix is...

          1) Download Jenkins 2.32.1+
          2) Update Remoting on agents to 3.0+
          3) Disable JNLP1/JNLP2/CLI1 protocols in the Global Security Configuration

          BTW, JENKINS-45841 will disable old protocols by default in new installations

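A way to check step 3 from outside the UI, as an added example that is not Jenkins code: a Jenkins master answers `GET /tcpSlaveAgentListener/` with an `X-Jenkins-Agent-Protocols` header listing the enabled agent protocols and an `X-Jenkins-JNLP-Port` header with the TCP agent port (these header names are assumed from Jenkins 2.x and are not stated in this thread; confirm them against your version). The audit below treats `JNLP4-connect` as the only TLS-only protocol, as Oleg states, and flags `JNLP-connect`, `JNLP2-connect` and `CLI-connect` (the JNLP1/JNLP2/CLI1 protocols named above) as must-disable; any other advertised name is reported for review rather than accepted. The header value used in the test is constructed.

```python
"""Audit the agent protocols a Jenkins master advertises.

Added example, not Jenkins code.  Assumes (not from the issue) that
GET <jenkins>/tcpSlaveAgentListener/ returns the headers
X-Jenkins-Agent-Protocols (comma-separated names) and X-Jenkins-JNLP-Port.
"""
import urllib.request

# The only protocol this thread identifies as TLS-only (Remoting 3.0+).
TLS_ONLY_PROTOCOLS = {"JNLP4-connect"}

# JNLP1 / JNLP2 / CLI1 as named in Oleg's step 3, by their protocol names.
MUST_DISABLE = {"JNLP-connect", "JNLP2-connect", "CLI-connect"}


def parse_protocols(header_value):
    """Turn 'JNLP-connect, JNLP4-connect' into a set of names."""
    return {p.strip() for p in header_value.split(",") if p.strip()}


def audit_protocols(enabled):
    """Return a verdict dict for a set of enabled protocol names.

    ok is True only when JNLP4-connect is on and nothing non-TLS is.
    """
    must_disable = sorted(enabled & MUST_DISABLE)
    # Anything else that is not JNLP4-connect (e.g. JNLP3-connect, the
    # custom-crypto protocol discussed above) is not known to be TLS-based.
    review = sorted(enabled - MUST_DISABLE - TLS_ONLY_PROTOCOLS)
    ok = "JNLP4-connect" in enabled and not must_disable and not review
    return {"ok": ok, "must_disable": must_disable, "review": review}


def fetch_protocols(base_url, timeout=10):
    """Query a live master (network call, not used by the offline test)."""
    url = base_url.rstrip("/") + "/tcpSlaveAgentListener/"
    with urllib.request.urlopen(urllib.request.Request(url), timeout=timeout) as resp:
        protocols = parse_protocols(resp.headers.get("X-Jenkins-Agent-Protocols", ""))
        port = resp.headers.get("X-Jenkins-JNLP-Port")
    return protocols, port


# Constructed header value, as a master with step 3 not yet applied might send.
SAMPLE_HEADER = "JNLP-connect, JNLP2-connect, JNLP4-connect, CLI-connect"

if __name__ == "__main__":
    print(audit_protocols(parse_protocols(SAMPLE_HEADER)))
    # e.g. fetch_protocols("https://jenkins.example.internal") against a real master
```

Run it against a real master by calling `fetch_protocols(...)` with the base URL; a verdict with a non-empty `must_disable` list means step 3 has not taken effect, and a non-empty `review` list means a protocol other than JNLP4-connect is still accepted and should be checked against the same criterion.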

          Marko Andrijevic added a comment -

          Thank you very much for the fast response Oleg! Can you please also let me know how I can verify that TLS is really in use in Master/Slave communication? I'm already using Wireshark to inspect communication, but since this is a binary protocol, I can't tell for sure if the content is encrypted or just difficult to read.

          Regards,
          Marko

          Oleg Nenashev added a comment -

          marko_andrijevic JNLP4 works only through TLS. If you disable other protocols, it should be enough.

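For Marko's question about telling encrypted bytes from merely binary ones in a capture, an added example that is not Jenkins or Remoting code: a classifier for the agent-to-master byte stream of one connection on the TCP agent port. It assumes (not stated in this issue) that every JNLP agent protocol starts with the agent sending the ASCII preamble `Protocol:<name>`, and then scans the remainder for a well-formed TLS record carrying a ClientHello (content type 0x16, record version 3.x, handshake type 0x01 with a consistent length). A JNLP4-connect session should show the preamble followed by a ClientHello; a JNLP-connect/JNLP2-connect session shows only plaintext. Both sample captures below are constructed, not real traffic.

```python
"""Classify a captured agent-to-master byte stream: plaintext JNLP vs TLS.

Added example, not Jenkins/Remoting code.  Assumption (not from the issue):
each JNLP agent protocol begins with the agent sending "Protocol:<name>".
"""
import re
import struct

PREAMBLE_RE = re.compile(rb"Protocol:([A-Za-z0-9-]+)")

TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}  # CCS, alert, handshake, app data
TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 0x01
MAX_RECORD = 16384 + 2048                     # plaintext limit + expansion


def parse_tls_record(buf, offset):
    """Return (content_type, (major, minor), body) for a plausible TLS record
    starting at offset, or None if the header does not look like one."""
    if len(buf) < offset + 5:
        return None
    ctype, major, minor, length = struct.unpack_from("!BBBH", buf, offset)
    if ctype not in TLS_CONTENT_TYPES or major != 3 or minor > 4:
        return None
    if length == 0 or length > MAX_RECORD or len(buf) < offset + 5 + length:
        return None
    return ctype, (major, minor), buf[offset + 5:offset + 5 + length]


def is_client_hello(body):
    """True if a handshake record body carries exactly one ClientHello."""
    if len(body) < 4 or body[0] != TLS_CLIENT_HELLO:
        return False
    return int.from_bytes(body[1:4], "big") == len(body) - 4


def find_client_hello(buf):
    """Offset of the first TLS record containing a ClientHello, or -1."""
    for off in range(len(buf) - 5):
        rec = parse_tls_record(buf, off)
        if rec and rec[0] == TLS_HANDSHAKE and is_client_hello(rec[2]):
            return off
    return -1


def classify_stream(agent_to_master):
    """Report the negotiated protocol name, whether a TLS ClientHello follows,
    and the client_version the ClientHello advertises."""
    m = PREAMBLE_RE.search(agent_to_master)
    protocol = m.group(1).decode("ascii") if m else None
    off = find_client_hello(agent_to_master)
    if off < 0:
        return {"protocol": protocol, "tls": False, "client_version": None}
    body = parse_tls_record(agent_to_master, off)[2]
    # ClientHello: type(1) length(3) client_version(2) random(32) ...
    client_version = struct.unpack_from("!BB", body, 4)
    return {"protocol": protocol, "tls": True, "client_version": client_version}


def build_client_hello(client_version=(3, 3)):
    """Construct a minimal, syntactically valid ClientHello record (test data)."""
    hello = bytes(client_version) + b"\x00" * 32   # client_version + random
    hello += b"\x00"                               # session_id length 0
    hello += b"\x00\x02\x13\x01"                   # one cipher suite
    hello += b"\x01\x00"                           # one compression method
    hello += b"\x00\x00"                           # no extensions
    handshake = bytes([TLS_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 3, 1]) + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample captures (agent -> master direction only), not real traffic.
LEGACY_JNLP2 = b"Protocol:JNLP2-connect\nSecret-Key: 0123abcd\nNode-Name: agent1\n\n"
JNLP4 = b"Protocol:JNLP4-connect\n" + build_client_hello((3, 3))

if __name__ == "__main__":
    for name, capture in (("legacy", LEGACY_JNLP2), ("jnlp4", JNLP4)):
        print(name, classify_stream(capture))
```

Feed it the agent-to-master payload of one connection (Wireshark's "Follow TCP Stream" raw export, one direction) and look at `tls`: False with a readable preamble means the old protocol was negotiated, regardless of how binary the rest looks; True plus `client_version` is the handshake you would expect from JNLP4-connect.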
