Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-51577

Windows service wrapper for slave.jar can not connect to a SSL configured master

    XMLWordPrintable

    Details

    • Similar Issues:
    • Released As:
      Jenkins 2.177

      Description

      TLS1.0 is considered broken and obsolete and a growing number of servers no longer support the protocol by default. The Jenkins master web server is one of them, and disabled TLS1.0 in some recent update, when the server is set up for HTTPS communication.

       

      The Windows service wrapper used to start slave.jar as a service on Windows is written in .NET. For some reason Microsoft has set TLS1.0 as default protocol for the .NET Framework. Thus the service wrapper can not connect to a HTTPS configured master and download updates of slave.jar.

       

      If a recent enough .NET Framework is installed in the Windows environment, the default behavior can be changed both run-time/per-process and with system settings: https://johnlouros.com/blog/enabling-strong-cryptography-for-all-dot-net-applications

       

      It would be great if the service wrapper could be updated to override the default system settings.

        Attachments

          Activity

          njesper Jesper Andersson created issue -
          njesper Jesper Andersson made changes -
          Field Original Value New Value
          Summary Windows service wrapper for slave.jar will not connect to a SSL configured master with TLS1.1/1.2 by default Windows service wrapper for slave.jar can not connect to a SSL configured master
          oleg_nenashev Oleg Nenashev made changes -
          Assignee Oleg Nenashev [ oleg_nenashev ]
          Hide
          oleg_nenashev Oleg Nenashev added a comment -

          Thanks for the follow-up Jesper Andersson! I will try to take a look

          Show
          oleg_nenashev Oleg Nenashev added a comment - Thanks for the follow-up Jesper Andersson ! I will try to take a look
          oleg_nenashev Oleg Nenashev made changes -
          Labels winsw
          oleg_nenashev Oleg Nenashev made changes -
          Component/s windows-slave-installer-module [ 21834 ]
          Hide
          rdonchen_intel Roman Donchenko added a comment -

          Note that it's possible to fix this without modifying WinSW itself. You can add:

          <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSchUseStrongCrypto=false"/>
          

          to the <runtime> section of jenkins-slave.exe.config. This will enable TLS 1.2 (and disable SSL 3.0) if WinSW is executed with .NET Framework 4.6 or later.

          Show
          rdonchen_intel Roman Donchenko added a comment - Note that it's possible to fix this without modifying WinSW itself. You can add: <AppContextSwitchOverrides value= "Switch.System.Net.DontEnableSchUseStrongCrypto=false" /> to the <runtime> section of jenkins-slave.exe.config . This will enable TLS 1.2 (and disable SSL 3.0) if WinSW is executed with .NET Framework 4.6 or later.
          oleg_nenashev Oleg Nenashev made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          oleg_nenashev Oleg Nenashev made changes -
          Status In Progress [ 3 ] In Review [ 10005 ]
          Hide
          oleg_nenashev Oleg Nenashev added a comment -

          https://github.com/jenkinsci/jenkins/pull/4010 is a PR against the core.

           

          Show
          oleg_nenashev Oleg Nenashev added a comment - https://github.com/jenkinsci/jenkins/pull/4010  is a PR against the core.  
          oleg_nenashev Oleg Nenashev made changes -
          Released As Jenkins 2.177
          Resolution Fixed [ 1 ]
          Status In Review [ 10005 ] Resolved [ 5 ]

            People

            Assignee:
            oleg_nenashev Oleg Nenashev
            Reporter:
            njesper Jesper Andersson
            Votes:
            1 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: