[JENKINS-26580] For JNLP slaves the master-slave communication should be encrypted

      For more details about the requirements and possible implementation refer to:
      https://groups.google.com/forum/#!topic/jenkinsci-dev/Q1KMOSE1IEc

          akshay_abd added a comment -

          Added a pull request to the remoting project:

          https://github.com/jenkinsci/remoting/pull/28

          This is a refactor-only pull request. It should make it easier for developers to add support for more protocols in the slave.

          Code changed in jenkins
          User: Akshay Dayal
          Path:
          pom.xml
          src/main/java/hudson/remoting/Engine.java
          src/main/java/hudson/remoting/engine/EngineUtil.java
          src/main/java/hudson/remoting/engine/JnlpProtocol.java
          src/main/java/hudson/remoting/engine/JnlpProtocol1.java
          src/main/java/hudson/remoting/engine/JnlpProtocol2.java
          src/main/java/hudson/remoting/engine/JnlpProtocolFactory.java
          src/test/java/hudson/remoting/engine/EngineUtilTest.java
          src/test/java/hudson/remoting/engine/JnlpProtocol1Test.java
          src/test/java/hudson/remoting/engine/JnlpProtocol2Test.java
          http://jenkins-ci.org/commit/remoting/90dd966a0c40c900dd58347fbfbc7958d8b40b65
          Log:
          JENKINS-26580 Refactor slave JNLP engine to make it easier to add more protocols in the future. The engine will now call a factory that returns a list of protocols to try in order. Developers can implement new protocols in separate classes and add them to the factory to be used. Added tests for existing protocols. I noticed the Engine class doesn't have a corresponding Test class. It would be nice to add one, but I think it needs more refactoring before it would be realistic to add tests for it.

          Code changed in jenkins
          User: Akshay Dayal
          Path:
          src/main/java/hudson/remoting/engine/JnlpProtocol1.java
          src/main/java/hudson/remoting/engine/JnlpProtocol2.java
          http://jenkins-ci.org/commit/remoting/9a427e0614c7fea4a7d77cd7a4ded90ff2023c9b
          Log:
          JENKINS-26580 Add more documentation for the JNLP protocols.

          Code changed in jenkins
          User: Akshay Dayal
          Path:
          src/main/java/hudson/remoting/Engine.java
          src/main/java/hudson/remoting/engine/EngineUtil.java
          src/main/java/hudson/remoting/engine/JnlpProtocol.java
          src/main/java/hudson/remoting/engine/JnlpProtocol1.java
          src/main/java/hudson/remoting/engine/JnlpProtocol2.java
          src/main/java/hudson/remoting/engine/JnlpProtocolFactory.java
          src/main/java/org/jenkinsci/remoting/engine/EngineUtil.java
          src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol.java
          src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol1.java
          src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol2.java
          src/main/java/org/jenkinsci/remoting/engine/JnlpProtocolFactory.java
          src/test/java/hudson/remoting/engine/EngineUtilTest.java
          src/test/java/hudson/remoting/engine/JnlpProtocol1Test.java
          src/test/java/hudson/remoting/engine/JnlpProtocol2Test.java
          src/test/java/org/jenkinsci/remoting/engine/EngineUtilTest.java
          src/test/java/org/jenkinsci/remoting/engine/JnlpProtocol1Test.java
          src/test/java/org/jenkinsci/remoting/engine/JnlpProtocol2Test.java
          http://jenkins-ci.org/commit/remoting/82096802749f87044727605efb978b19ae636382
          Log:
          JENKINS-26580 Updates based on feedback.

          Code changed in jenkins
          User: Akshay Dayal
          Path:
          src/main/java/hudson/remoting/Engine.java
          http://jenkins-ci.org/commit/remoting/9fb70849ac5edd38e26ca6f9200f2c3aa753e398
          Log:
          JENKINS-26580 Fixed indentation.

          Kieran Shaw added a comment -

          I'm not sure if I can help in terms of code, but I just thought I'd throw in my 2 cents worth...

          This would be a really great fix for us. We have some offsite Jenkins nodes that do the initial connection through https but then as far as I can tell all following communication on the 49187 port is unprotected. This makes the security people around me very nervous so it would be great for this fix to be available.

          I'm a little surprised at how hard it is to find information about this on the Jenkins website, I suspect I'm not the only one who used to think that this was already encrypted as the slave startup line is something like:

          java -jar slave.jar -jnlpUrl https://ci.example.com:443/computer/myslave/slave-agent.jnlp -secret sadkfjasfdkjashfdakjfha

          That jnlpUrl being https probably makes most people think the connection is more secure than it really is

          akshay_abd added a comment -

          I've created a pull request on the remoting repo that adds JNLP3:

          https://github.com/jenkinsci/remoting/pull/41

          I'm still writing tests for the changes to jenkins-core, I'll create a pull request for that soon too.

          It would be nice to get a few security folks to review these changes. Also in a follow-up CL I'll be enabling JNLP3, probably through a flag, getting folks to try it and help with end-to-end testing would be appreciated.

          Code changed in jenkins
          User: Akshay Dayal
          Path:
          src/main/java/hudson/remoting/ChannelBuilder.java
          src/main/java/hudson/remoting/ChunkedOutputStream.java
          src/main/java/hudson/remoting/Engine.java
          src/main/java/org/jenkinsci/remoting/engine/EngineUtil.java
          src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol.java
          src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol1.java
          src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol2.java
          src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol3.java
          src/main/java/org/jenkinsci/remoting/engine/JnlpProtocolFactory.java
          src/main/java/org/jenkinsci/remoting/engine/jnlp3/ChannelCiphers.java
          src/main/java/org/jenkinsci/remoting/engine/jnlp3/CipherUtils.java
          src/main/java/org/jenkinsci/remoting/engine/jnlp3/HandshakeCiphers.java
          src/test/java/org/jenkinsci/remoting/engine/EngineUtilTest.java
          src/test/java/org/jenkinsci/remoting/engine/JnlpProtocol1Test.java
          src/test/java/org/jenkinsci/remoting/engine/JnlpProtocol2Test.java
          src/test/java/org/jenkinsci/remoting/engine/JnlpProtocolTest.java
          src/test/java/org/jenkinsci/remoting/engine/jnlp3/CipherUtilsTest.java
          http://jenkins-ci.org/commit/remoting/e044831cb9a2e262bf34514ba2978a06978606cd
          Log:
          JENKINS-26580 Initial implementation of JNLP3-connect protocol

          Code changed in jenkins
          User: Akshay Dayal
          Path:
          .gitignore
          pom.xml
          src/main/java/org/jenkinsci/remoting/engine/EngineUtil.java
          src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol.java
          src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol1.java
          src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol2.java
          src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol3.java
          src/main/java/org/jenkinsci/remoting/engine/JnlpProtocolFactory.java
          src/main/java/org/jenkinsci/remoting/engine/jnlp3/ChannelCiphers.java
          src/main/java/org/jenkinsci/remoting/engine/jnlp3/CipherUtils.java
          src/main/java/org/jenkinsci/remoting/engine/jnlp3/HandshakeCiphers.java
          src/main/java/org/jenkinsci/remoting/engine/jnlp3/Jnlp3Util.java
          src/test/java/org/jenkinsci/remoting/engine/EngineUtilTest.java
          src/test/java/org/jenkinsci/remoting/engine/JnlpProtocol1Test.java
          src/test/java/org/jenkinsci/remoting/engine/JnlpProtocol2Test.java
          src/test/java/org/jenkinsci/remoting/engine/JnlpProtocol3Test.java
          src/test/java/org/jenkinsci/remoting/engine/JnlpProtocolTest.java
          src/test/java/org/jenkinsci/remoting/engine/PropertiesStringMatcher.java
          src/test/java/org/jenkinsci/remoting/engine/jnlp3/ChannelCiphersTest.java
          src/test/java/org/jenkinsci/remoting/engine/jnlp3/CipherUtilsTest.java
          src/test/java/org/jenkinsci/remoting/engine/jnlp3/HandshakeCiphersTest.java
          src/test/java/org/jenkinsci/remoting/engine/jnlp3/Jnlp3UtilTest.java
          http://jenkins-ci.org/commit/remoting/b0233c308e68aa8dc0b415b40f315db314214cf0
          Log:
          JENKINS-26580 Updated Jnlp3 implementation and added tests.

          Code changed in jenkins
          User: Akshay Dayal
          Path:
          src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol3.java
          http://jenkins-ci.org/commit/remoting/fcdd388944231273253794e647da575aaafbd692
          Log:
          JENKINS-26580 Updated Jnlp3 documentation.

          Code changed in jenkins
          User: Akshay Dayal
          Path:
          core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol3.java
          core/src/main/java/jenkins/slaves/JnlpSlaveHandshake.java
          pom.xml
          http://jenkins-ci.org/commit/jenkins/9bb35a78b8298930adf978046e9f6c53c6853e27
          Log:
          JENKINS-26580 Initial implementation of JNLP3-connect protocol

          Code changed in jenkins
          User: Akshay Dayal
          Path:
          core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol3.java
          http://jenkins-ci.org/commit/jenkins/e9f5caa13fa1a3d1bf602ec9d67dac75f3310889
          Log:
          JENKINS-26580 Updated implementation of Jnlp3 protocol

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          core/src/main/java/jenkins/slaves/DefaultJnlpSlaveReceiver.java
          core/src/main/java/jenkins/slaves/JnlpAgentReceiver.java
          core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol.java
          core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol2.java
          core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol3.java
          core/src/main/java/jenkins/slaves/JnlpSlaveHandshake.java
          pom.xml
          http://jenkins-ci.org/commit/jenkins/6d3e05439643097d2f172761ea82a32a857d058a
          Log:
          Merge pull request #2010 from jenkinsci/jnlp3

          [FIXED JENKINS-26580] Activate JNLP3 support

          Compare: https://github.com/jenkinsci/jenkins/compare/9bb8decf1103...6d3e05439643

          dogfood added a comment -

          Integrated in jenkins_main_trunk #4494
          JENKINS-26580 Initial implementation of JNLP3-connect protocol (Revision 9bb35a78b8298930adf978046e9f6c53c6853e27)
          JENKINS-26580 Updated implementation of Jnlp3 protocol (Revision e9f5caa13fa1a3d1bf602ec9d67dac75f3310889)

          Result = UNSTABLE
          akshay_abd : 9bb35a78b8298930adf978046e9f6c53c6853e27
          Files :

          • core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol3.java
          • pom.xml
          • core/src/main/java/jenkins/slaves/JnlpSlaveHandshake.java

          akshay_abd : e9f5caa13fa1a3d1bf602ec9d67dac75f3310889
          Files :

          • core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol3.java

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          core/src/main/java/jenkins/slaves/DefaultJnlpSlaveReceiver.java
          core/src/main/java/jenkins/slaves/JnlpAgentReceiver.java
          core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol.java
          core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol2.java
          core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol3.java
          core/src/main/java/jenkins/slaves/JnlpSlaveHandshake.java
          pom.xml
          http://jenkins-ci.org/commit/jenkins/af1a53d91c4863f27e4fad295911f131beb64b9a
          Log:
          Merge pull request #2010 from jenkinsci/jnlp3

          [FIXED JENKINS-26580][FIXED JENKINS-28289] Activate JNLP3 support
          (cherry picked from commit 6d3e05439643097d2f172761ea82a32a857d058a)

          Oliver Gondža added a comment -

          Fixing this on master caused JENKINS-33886, not backporting this into LTS.

          Oleg Nenashev added a comment -

          The change has been reverted from 1.651.1: https://github.com/jenkinsci/jenkins/commit/343e65f28d15dc8c025a4aa98cd3c0169ebd224f
          I suspect JNLP3 has never been enabled by default in 1.651.x

          Aaron Curley added a comment -

          Hi all,

          Correct me if I'm mistaken (since I've only taken a cursory look at the JNLP3 implementation, and that look was a few months ago) but aren't we currently using a custom-built "secure" transport protocol? (i.e. we built our own protocol using cryptographic primitives?)

          If so, this seems like an incorrect approach. It is generally recognized in our industry that "rolling your own cryptographic protocol" is a clear path to subtle cryptographic vulnerabilities.

          Isn't this something that we could just use TLS for? Provided we use strong settings (TLSv1.2, good ciphers, etc) wouldn't that give us a much better guarantee of security (than something custom-built)?

          Oleg Nenashev added a comment -

          aaron312 Remoting 3 is going to include JNLP4 based on TLS. It's already integrated, but we have not released it yet

          Aaron Curley added a comment -

          Great! Good to know.

          Marko Andrijevic added a comment -

          Hi oleg_nenashev,

          Can you please reference the Jenkins Master/Slave software version that contains the fix for this issue and the location where the fixed version(s) can be downloaded from?

          Thanks,
          Marko

          Oleg Nenashev added a comment -

          marko_andrijevic So the fix is...

          1) Download Jenkins 2.32.1+
          2) Update Remoting on agents to 3.0+
          3) Disable JNLP1/JNLP2/CLI1 protocols in the Global Security Configuration

          BTW, JENKINS-45841 will disable old protocols by default in new installations

          Marko Andrijevic added a comment -

          Thank you very much for the fast response, Oleg! Can you please also let me know how I can verify that TLS is really in use in Master/Slave communication? I'm already using Wireshark to inspect communication, but since this is a binary protocol, I can't tell for sure if the content is encrypted or just difficult to read.

          Regards,
          Marko

          Oleg Nenashev added a comment -

          marko_andrijevic JNLP4 works only through TLS. If you disable other protocols, it should be enough.
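
A structural check for the question raised in this thread (whether the agent port carries TLS or merely opaque binary), added here as an example and not taken from Jenkins or Remoting: it reads the cleartext protocol-selection header from the agent-to-master byte stream and then requires well-formed TLS record framing. It assumes the agent opens the connection with `Protocol:<name>` written by Java's `writeUTF` and that the TLS-based protocol is named `JNLP4-connect`; the sample streams are constructed, not captures.

```python
import struct

# TLS record content types (RFC 5246 / RFC 8446).
TLS_TYPES = {20: "change_cipher_spec", 21: "alert",
             22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048  # upper bound for a TLS 1.2 ciphertext record


def java_utf(text):
    """Encode ASCII text the way Java's DataOutputStream.writeUTF does."""
    raw = text.encode("ascii")
    return struct.pack(">H", len(raw)) + raw


def read_protocol_header(stream):
    """Return (protocol_name, next_offset), or (None, 0) if no header is found.

    Assumption: the agent's first bytes are writeUTF("Protocol:<name>").
    """
    if len(stream) < 2:
        return None, 0
    (length,) = struct.unpack(">H", stream[:2])
    text = stream[2:2 + length]
    if len(text) != length or not text.startswith(b"Protocol:"):
        return None, 0
    return text[len(b"Protocol:"):].decode("ascii", "replace"), 2 + length


def parse_tls_records(buf, pos):
    """Parse back-to-back TLS records from pos; stop at the first non-record."""
    records = []
    while pos + 5 <= len(buf):
        ctype, major, minor, length = struct.unpack(">BBBH", buf[pos:pos + 5])
        if ctype not in TLS_TYPES or major != 3 or minor > 4:
            break
        if length > MAX_RECORD_LEN or pos + 5 + length > len(buf):
            break  # implausible length or truncated capture
        records.append(TLS_TYPES[ctype])
        pos += 5 + length
    return records, pos


def find_tls(buf, start, max_skip=16):
    """Find a chain of >= 2 records that starts with a handshake record.

    A short window is scanned because a real capture may carry a few
    framing bytes between the header and the first record.
    """
    for off in range(start, min(start + max_skip, len(buf)) + 1):
        records, _ = parse_tls_records(buf, off)
        if len(records) >= 2 and records[0] == "handshake":
            return off, records
    return None, []


def classify(stream):
    """Summarise one direction of a reassembled agent-port TCP stream."""
    name, off = read_protocol_header(stream)
    tls_off, records = find_tls(stream, off)
    return {"protocol": name, "tls": tls_off is not None, "records": records}


def tls_record(ctype, body):
    """Build a record with a TLS 1.2 record-layer version (constructed data)."""
    return struct.pack(">BBBH", ctype, 3, 3, len(body)) + body


# Constructed samples: record bodies are filler, only the framing matters.
SAMPLE_JNLP4 = (java_utf("Protocol:JNLP4-connect")
                + tls_record(22, bytes(64))
                + tls_record(20, b"\x01")
                + tls_record(23, bytes(48)))
# Constructed stand-in for a legacy protocol followed by unencrypted payload.
SAMPLE_JNLP2 = (java_utf("Protocol:JNLP2-connect")
                + b"constructed cleartext payload bytes, readable on the wire")

if __name__ == "__main__":
    for label, sample in (("jnlp4", SAMPLE_JNLP4), ("jnlp2", SAMPLE_JNLP2)):
        print(label, classify(sample))
```

Feed `classify` the raw agent-to-master bytes of one TCP connection exported from the capture; a stream that negotiates a legacy protocol name or shows no record chain is not protected by TLS.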
