[JENKINS-26580] For JNLP slaves the master-slave communication should be encrypted

      For more details about the requirements and possible implementation refer to:
      https://groups.google.com/forum/#!topic/jenkinsci-dev/Q1KMOSE1IEc

          akshay_abd created issue -
          Jesse Glick made changes -
          Labels New: jnlp remoting security
          Jesse Glick made changes -
          Priority Original: Minor [ 4 ] New: Major [ 3 ]

          akshay_abd added a comment -

          Added a pull request to the remoting project:

          https://github.com/jenkinsci/remoting/pull/28

          This is a refactor-only pull request. It should make it easier for developers to add support for more protocols in the slave.

          akshay_abd made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]

          Code changed in jenkins
          User: Akshay Dayal
          Path:
          pom.xml
          src/main/java/hudson/remoting/Engine.java
          src/main/java/hudson/remoting/engine/EngineUtil.java
          src/main/java/hudson/remoting/engine/JnlpProtocol.java
          src/main/java/hudson/remoting/engine/JnlpProtocol1.java
          src/main/java/hudson/remoting/engine/JnlpProtocol2.java
          src/main/java/hudson/remoting/engine/JnlpProtocolFactory.java
          src/test/java/hudson/remoting/engine/EngineUtilTest.java
          src/test/java/hudson/remoting/engine/JnlpProtocol1Test.java
          src/test/java/hudson/remoting/engine/JnlpProtocol2Test.java
          http://jenkins-ci.org/commit/remoting/90dd966a0c40c900dd58347fbfbc7958d8b40b65
          Log:
          JENKINS-26580 Refactor slave JNLP engine to make it easier to add more protocols in the future. The engine will now call a factory that returns a list of protocols to try in order. Developers can implement new protocols in separate classes and add them to the factory to be used. Added tests for existing protocols. I noticed the Engine class doesn't have a corresponding Test class. It would be nice to add one, but I think it needs more refactoring before it would be realistic to add tests for it.

          Code changed in jenkins
          User: Akshay Dayal
          Path:
          src/main/java/hudson/remoting/engine/JnlpProtocol1.java
          src/main/java/hudson/remoting/engine/JnlpProtocol2.java
          http://jenkins-ci.org/commit/remoting/9a427e0614c7fea4a7d77cd7a4ded90ff2023c9b
          Log:
          JENKINS-26580 Add more documentation for the JNLP protocols.

          Code changed in jenkins
          User: Akshay Dayal
          Path:
          src/main/java/hudson/remoting/Engine.java
          src/main/java/hudson/remoting/engine/EngineUtil.java
          src/main/java/hudson/remoting/engine/JnlpProtocol.java
          src/main/java/hudson/remoting/engine/JnlpProtocol1.java
          src/main/java/hudson/remoting/engine/JnlpProtocol2.java
          src/main/java/hudson/remoting/engine/JnlpProtocolFactory.java
          src/main/java/org/jenkinsci/remoting/engine/EngineUtil.java
          src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol.java
          src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol1.java
          src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol2.java
          src/main/java/org/jenkinsci/remoting/engine/JnlpProtocolFactory.java
          src/test/java/hudson/remoting/engine/EngineUtilTest.java
          src/test/java/hudson/remoting/engine/JnlpProtocol1Test.java
          src/test/java/hudson/remoting/engine/JnlpProtocol2Test.java
          src/test/java/org/jenkinsci/remoting/engine/EngineUtilTest.java
          src/test/java/org/jenkinsci/remoting/engine/JnlpProtocol1Test.java
          src/test/java/org/jenkinsci/remoting/engine/JnlpProtocol2Test.java
          http://jenkins-ci.org/commit/remoting/82096802749f87044727605efb978b19ae636382
          Log:
          JENKINS-26580 Updates based on feedback.

          Code changed in jenkins
          User: Akshay Dayal
          Path:
          src/main/java/hudson/remoting/Engine.java
          http://jenkins-ci.org/commit/remoting/9fb70849ac5edd38e26ca6f9200f2c3aa753e398
          Log:
          JENKINS-26580 Fixed indentation.

          Kieran Shaw added a comment -

          I'm not sure if I can help in terms of code, but I just thought I'd throw in my 2 cents worth...

          This would be a really great fix for us. We have some offsite Jenkins nodes that do the initial connection through https but then as far as I can tell all following communication on the 49187 port is unprotected. This makes the security people around me very nervous so it would be great for this fix to be available.

          I'm a little surprised at how hard it is to find information about this on the Jenkins website. I suspect I'm not the only one who used to think that this was already encrypted, as the slave startup line is something like:

          java -jar slave.jar -jnlpUrl https://ci.example.com:443/computer/myslave/slave-agent.jnlp -secret sadkfjasfdkjashfdakjfha

          That jnlpUrl being https probably makes most people think the connection is more secure than it really is.
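
The gap described in the comment above can be checked from a packet capture by looking at the first bytes the agent sends on each connection: a TLS connection opens with a handshake record, a plaintext one does not. This is an added example, not code from the Jenkins project or from the commenter; the byte strings are constructed, and the plaintext greeting format (a length-prefixed "Protocol:..." string) is an assumption that this page does not state.

```python
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello

def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if data starts with a TLS record header carrying a ClientHello."""
    if len(data) < 6:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return (ctype == TLS_HANDSHAKE and major == 0x03 and minor <= 0x04
            and 0 < length <= 2 ** 14 and data[5] == CLIENT_HELLO)

def classify_first_bytes(data: bytes) -> str:
    """Classify the first client-to-server bytes of a TCP connection."""
    if looks_like_tls_client_hello(data):
        return "tls"
    printable = sum(32 <= b < 127 for b in data)
    if data and printable / len(data) >= 0.8:
        return "plaintext"
    return "unknown"

def unencrypted_flows(flows: dict) -> list:
    """Return the flow keys whose opening bytes are not a TLS handshake."""
    return sorted(k for k, first in flows.items()
                  if classify_first_bytes(first) != "tls")

# Constructed sample: start of a TLS record (handshake, ClientHello, body zeroed).
SAMPLE_TLS = b"\x16\x03\x01" + struct.pack("!H", 512) + b"\x01" + bytes(511)

# Constructed sample, ASSUMED format: 2-byte length followed by an ASCII greeting.
GREETING = b"Protocol:JNLP2-connect"
SAMPLE_PLAIN = struct.pack("!H", len(GREETING)) + GREETING

# Constructed flows; host and ports are taken from the comment above.
FLOWS = {
    "ci.example.com:443": SAMPLE_TLS,
    "ci.example.com:49187": SAMPLE_PLAIN,
}

if __name__ == "__main__":
    for key in unencrypted_flows(FLOWS):
        print(f"{key}: first bytes are {classify_first_bytes(FLOWS[key])}, not TLS")
```

To use it on real traffic, feed it the first client payload of each TCP stream exported from a capture taken on the agent host or at the network boundary.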

