Type: Improvement
Resolution: Fixed
Priority: Major
For more details about the requirements and possible implementation refer to:
https://groups.google.com/forum/#!topic/jenkinsci-dev/Q1KMOSE1IEc
Issue links:
- depends on: JENKINS-31718 JNLP slaves can fail to correctly negotiate a transport (Closed)
- is related to: JENKINS-33886 Can only connect one JNLP3 slave per IP address (Resolved)
- is related to: JENKINS-45841 Disable JNLP1/JNLP2/CLI1 by default on new installations (Resolved)
[JENKINS-26580] For JNLP slaves the master-slave communication should be encrypted
Code changed in jenkins
User: Akshay Dayal
Path:
pom.xml
src/main/java/hudson/remoting/Engine.java
src/main/java/hudson/remoting/engine/EngineUtil.java
src/main/java/hudson/remoting/engine/JnlpProtocol.java
src/main/java/hudson/remoting/engine/JnlpProtocol1.java
src/main/java/hudson/remoting/engine/JnlpProtocol2.java
src/main/java/hudson/remoting/engine/JnlpProtocolFactory.java
src/test/java/hudson/remoting/engine/EngineUtilTest.java
src/test/java/hudson/remoting/engine/JnlpProtocol1Test.java
src/test/java/hudson/remoting/engine/JnlpProtocol2Test.java
http://jenkins-ci.org/commit/remoting/90dd966a0c40c900dd58347fbfbc7958d8b40b65
Log:
JENKINS-26580 Refactor slave JNLP engine to make it easier to add more protocols in the future. The engine will now call a factory that returns a list of protocols to try in order. Developers can implement new protocols in separate classes and add them to the factory to be used. Added tests for existing protocols. I noticed the Engine class doesn't have a corresponding Test class. It would be nice to add one, but I think it needs more refactoring before it would be realistic to add tests for it.
Code changed in jenkins
User: Akshay Dayal
Path:
src/main/java/hudson/remoting/engine/JnlpProtocol1.java
src/main/java/hudson/remoting/engine/JnlpProtocol2.java
http://jenkins-ci.org/commit/remoting/9a427e0614c7fea4a7d77cd7a4ded90ff2023c9b
Log:
JENKINS-26580 Add more documentation for the JNLP protocols.
Code changed in jenkins
User: Akshay Dayal
Path:
src/main/java/hudson/remoting/Engine.java
src/main/java/hudson/remoting/engine/EngineUtil.java
src/main/java/hudson/remoting/engine/JnlpProtocol.java
src/main/java/hudson/remoting/engine/JnlpProtocol1.java
src/main/java/hudson/remoting/engine/JnlpProtocol2.java
src/main/java/hudson/remoting/engine/JnlpProtocolFactory.java
src/main/java/org/jenkinsci/remoting/engine/EngineUtil.java
src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol.java
src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol1.java
src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol2.java
src/main/java/org/jenkinsci/remoting/engine/JnlpProtocolFactory.java
src/test/java/hudson/remoting/engine/EngineUtilTest.java
src/test/java/hudson/remoting/engine/JnlpProtocol1Test.java
src/test/java/hudson/remoting/engine/JnlpProtocol2Test.java
src/test/java/org/jenkinsci/remoting/engine/EngineUtilTest.java
src/test/java/org/jenkinsci/remoting/engine/JnlpProtocol1Test.java
src/test/java/org/jenkinsci/remoting/engine/JnlpProtocol2Test.java
http://jenkins-ci.org/commit/remoting/82096802749f87044727605efb978b19ae636382
Log:
JENKINS-26580 Updates based on feedback.
Code changed in jenkins
User: Akshay Dayal
Path:
src/main/java/hudson/remoting/Engine.java
http://jenkins-ci.org/commit/remoting/9fb70849ac5edd38e26ca6f9200f2c3aa753e398
Log:
JENKINS-26580 Fixed indentation.
I'm not sure if I can help in terms of code, but I just thought I'd throw in my 2 cents worth...
This would be a really great fix for us. We have some offsite Jenkins nodes that do the initial connection through https but then as far as I can tell all following communication on the 49187 port is unprotected. This makes the security people around me very nervous so it would be great for this fix to be available.
I'm a little surprised at how hard it is to find information about this on the Jenkins website; I suspect I'm not the only one who used to think that this was already encrypted, as the slave startup line is something like:
java -jar slave.jar -jnlpUrl https://ci.example.com:443/computer/myslave/slave-agent.jnlp -secret sadkfjasfdkjashfdakjfha
That jnlpUrl being https probably makes most people think the connection is more secure than it really is.
I've created a pull request on the remoting repo that adds JNLP3:
https://github.com/jenkinsci/remoting/pull/41
I'm still writing tests for the changes to jenkins-core, I'll create a pull request for that soon too.
It would be nice to get a few security folks to review these changes. Also in a follow-up CL I'll be enabling JNLP3, probably through a flag, getting folks to try it and help with end-to-end testing would be appreciated.
Code changed in jenkins
User: Akshay Dayal
Path:
src/main/java/hudson/remoting/ChannelBuilder.java
src/main/java/hudson/remoting/ChunkedOutputStream.java
src/main/java/hudson/remoting/Engine.java
src/main/java/org/jenkinsci/remoting/engine/EngineUtil.java
src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol.java
src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol1.java
src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol2.java
src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol3.java
src/main/java/org/jenkinsci/remoting/engine/JnlpProtocolFactory.java
src/main/java/org/jenkinsci/remoting/engine/jnlp3/ChannelCiphers.java
src/main/java/org/jenkinsci/remoting/engine/jnlp3/CipherUtils.java
src/main/java/org/jenkinsci/remoting/engine/jnlp3/HandshakeCiphers.java
src/test/java/org/jenkinsci/remoting/engine/EngineUtilTest.java
src/test/java/org/jenkinsci/remoting/engine/JnlpProtocol1Test.java
src/test/java/org/jenkinsci/remoting/engine/JnlpProtocol2Test.java
src/test/java/org/jenkinsci/remoting/engine/JnlpProtocolTest.java
src/test/java/org/jenkinsci/remoting/engine/jnlp3/CipherUtilsTest.java
http://jenkins-ci.org/commit/remoting/e044831cb9a2e262bf34514ba2978a06978606cd
Log:
JENKINS-26580 Initial implementation of JNLP3-connect protocol
Code changed in jenkins
User: Akshay Dayal
Path:
.gitignore
pom.xml
src/main/java/org/jenkinsci/remoting/engine/EngineUtil.java
src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol.java
src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol1.java
src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol2.java
src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol3.java
src/main/java/org/jenkinsci/remoting/engine/JnlpProtocolFactory.java
src/main/java/org/jenkinsci/remoting/engine/jnlp3/ChannelCiphers.java
src/main/java/org/jenkinsci/remoting/engine/jnlp3/CipherUtils.java
src/main/java/org/jenkinsci/remoting/engine/jnlp3/HandshakeCiphers.java
src/main/java/org/jenkinsci/remoting/engine/jnlp3/Jnlp3Util.java
src/test/java/org/jenkinsci/remoting/engine/EngineUtilTest.java
src/test/java/org/jenkinsci/remoting/engine/JnlpProtocol1Test.java
src/test/java/org/jenkinsci/remoting/engine/JnlpProtocol2Test.java
src/test/java/org/jenkinsci/remoting/engine/JnlpProtocol3Test.java
src/test/java/org/jenkinsci/remoting/engine/JnlpProtocolTest.java
src/test/java/org/jenkinsci/remoting/engine/PropertiesStringMatcher.java
src/test/java/org/jenkinsci/remoting/engine/jnlp3/ChannelCiphersTest.java
src/test/java/org/jenkinsci/remoting/engine/jnlp3/CipherUtilsTest.java
src/test/java/org/jenkinsci/remoting/engine/jnlp3/HandshakeCiphersTest.java
src/test/java/org/jenkinsci/remoting/engine/jnlp3/Jnlp3UtilTest.java
http://jenkins-ci.org/commit/remoting/b0233c308e68aa8dc0b415b40f315db314214cf0
Log:
JENKINS-26580 Updated Jnlp3 implementation and added tests.
Code changed in jenkins
User: Akshay Dayal
Path:
src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol3.java
http://jenkins-ci.org/commit/remoting/fcdd388944231273253794e647da575aaafbd692
Log:
JENKINS-26580 Updated Jnlp3 documentation.
Code changed in jenkins
User: Akshay Dayal
Path:
core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol3.java
core/src/main/java/jenkins/slaves/JnlpSlaveHandshake.java
pom.xml
http://jenkins-ci.org/commit/jenkins/9bb35a78b8298930adf978046e9f6c53c6853e27
Log:
JENKINS-26580 Initial implementation of JNLP3-connect protocol
Code changed in jenkins
User: Akshay Dayal
Path:
core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol3.java
http://jenkins-ci.org/commit/jenkins/e9f5caa13fa1a3d1bf602ec9d67dac75f3310889
Log:
JENKINS-26580 Updated implementation of Jnlp3 protocol
Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
core/src/main/java/jenkins/slaves/DefaultJnlpSlaveReceiver.java
core/src/main/java/jenkins/slaves/JnlpAgentReceiver.java
core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol.java
core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol2.java
core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol3.java
core/src/main/java/jenkins/slaves/JnlpSlaveHandshake.java
pom.xml
http://jenkins-ci.org/commit/jenkins/6d3e05439643097d2f172761ea82a32a857d058a
Log:
Merge pull request #2010 from jenkinsci/jnlp3
[FIXED JENKINS-26580] Activate JNLP3 support
Compare: https://github.com/jenkinsci/jenkins/compare/9bb8decf1103...6d3e05439643
Integrated in jenkins_main_trunk #4494
JENKINS-26580 Initial implementation of JNLP3-connect protocol (Revision 9bb35a78b8298930adf978046e9f6c53c6853e27)
JENKINS-26580 Updated implementation of Jnlp3 protocol (Revision e9f5caa13fa1a3d1bf602ec9d67dac75f3310889)
Result = UNSTABLE
akshay_abd : 9bb35a78b8298930adf978046e9f6c53c6853e27
Files :
- core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol3.java
- pom.xml
- core/src/main/java/jenkins/slaves/JnlpSlaveHandshake.java
akshay_abd : e9f5caa13fa1a3d1bf602ec9d67dac75f3310889
Files :
- core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol3.java
Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
core/src/main/java/jenkins/slaves/DefaultJnlpSlaveReceiver.java
core/src/main/java/jenkins/slaves/JnlpAgentReceiver.java
core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol.java
core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol2.java
core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol3.java
core/src/main/java/jenkins/slaves/JnlpSlaveHandshake.java
pom.xml
http://jenkins-ci.org/commit/jenkins/af1a53d91c4863f27e4fad295911f131beb64b9a
Log:
Merge pull request #2010 from jenkinsci/jnlp3
[FIXED JENKINS-26580][FIXED JENKINS-28289] Activate JNLP3 support
(cherry picked from commit 6d3e05439643097d2f172761ea82a32a857d058a)
Fixing this on master caused JENKINS-33886, not backporting this into LTS.
The change has been reverted from 1.651.1: https://github.com/jenkinsci/jenkins/commit/343e65f28d15dc8c025a4aa98cd3c0169ebd224f
I suspect JNLP3 has never been enabled by default in 1.651.x.
Hi all,
Correct me if I'm mistaken (since I've only taken a cursory look at the JNLP3 implementation, and that look was a few months ago) but aren't we currently using a custom-built "secure" transport protocol? (i.e. we built our own protocol using cryptographic primitives?)
If so, this seems like an incorrect approach. It is generally recognized in our industry that "rolling your own cryptographic protocol" is a clear path to subtle cryptographic vulnerabilities.
Isn't this something that we could just use TLS for? Provided we use strong settings (TLSv1.2, good ciphers, etc) wouldn't that give us a much better guarantee of security (than something custom-built)?
aaron312 Remoting 3 is going to include JNLP4 based on TLS. It's already integrated, but we have not released it yet.
Hi oleg_nenashev,
Can you please reference Jenkins Master/Slave software version that contains the fix for this issue and the location where fixed version(s) can be downloaded from?
Thanks,
Marko
marko_andrijevic So the fix is...
1) Download Jenkins 2.32.1+
2) Update Remoting on agents to 3.0+
3) Disable JNLP1/JNLP2/CLI1 protocols in the Global Security Configuration
BTW, JENKINS-45841 will disable old protocols by default in new installations
Thank you very much for fast response Oleg! Can you please also let me know how can I verify that TLS is really in use in Master/Slave communication? I'm already using Wireshark to inspect communication, but since this is a binary protocol, I can't tell for sure if the content is encrypted or just difficult to read.
Regards,
Marko
marko_andrijevic JNLP4 works only through TLS. If you disable other protocols, it should be enough.
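Marko's question above, how to tell a TLS session from a merely opaque binary stream, can be settled at the byte level rather than by eyeballing Wireshark. The following is an added example (not Jenkins or remoting code): it classifies the first bytes a client sends on the agent port using only the public TLS record layout, and the three sample payloads are constructed here for illustration.

```python
"""Decide whether a captured client payload opens with a TLS handshake.

Layout per RFC 5246: a TLS record is a 1-byte content type, a 2-byte
version and a 2-byte length; a handshake record body starts with a 1-byte
handshake type and a 3-byte length. Anything else is 'not-tls', however
unreadable it looks."""
import struct

TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def tls_records(data: bytes):
    """Yield (content_type, version, body) for each well-formed TLS record,
    stopping at the first fragment that does not parse as one."""
    pos = 0
    while pos + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[pos:pos + 5])
        if version not in TLS_VERSIONS or pos + 5 + length > len(data):
            break
        yield ctype, version, data[pos + 5:pos + 5 + length]
        pos += 5 + length


def classify_payload(data: bytes) -> str:
    """'tls-clienthello <version>' if the stream opens with a ClientHello,
    'tls-other' for any other well-formed TLS record, else 'not-tls'."""
    recs = list(tls_records(data))
    if not recs:
        return "not-tls"
    ctype, _, body = recs[0]
    if ctype != TLS_HANDSHAKE or len(body) < 6 or body[0] != HS_CLIENT_HELLO:
        return "tls-other"
    if int.from_bytes(body[1:4], "big") != len(body) - 4:
        return "tls-other"
    # body[4:6] is the version the client offers, not the one negotiated;
    # TLS 1.3 clients still put 0x0303 here and negotiate via an extension.
    client_version = struct.unpack("!H", body[4:6])[0]
    return "tls-clienthello " + TLS_VERSIONS.get(client_version, hex(client_version))


# Constructed samples: a minimal ClientHello offering TLS 1.2 with one cipher
# suite, a plaintext protocol header, and random-looking bytes that are not TLS.
SAMPLE_CLIENT_HELLO = (b"\x16\x03\x01\x00\x2d" + b"\x01\x00\x00\x29" + b"\x03\x03"
                       + b"\x00" * 32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00")
SAMPLE_PLAINTEXT = b"Protocol:JNLP2-connect\n"
SAMPLE_OPAQUE = bytes(range(0x80, 0x80 + 40))

if __name__ == "__main__":
    for name, sample in [("clienthello", SAMPLE_CLIENT_HELLO),
                         ("plaintext", SAMPLE_PLAINTEXT), ("opaque", SAMPLE_OPAQUE)]:
        print(name, "->", classify_payload(sample))
```

Feed it the first TCP segment of a capture (Wireshark: Follow TCP Stream, save as raw) and a TLS-only transport must yield a ClientHello; a plaintext header or an opaque stream never will.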
Added a pull request to the remoting project:
https://github.com/jenkinsci/remoting/pull/28
This is a refactor-only pull request. It should make it easier for developers to add support for more protocols in the slave.