  1. Jenkins
  2. JENKINS-26580

For JNLP slaves the master-slave communication should be encrypted


      Description

      For more details about the requirements and possible implementation refer to:
      https://groups.google.com/forum/#!topic/jenkinsci-dev/Q1KMOSE1IEc


            Activity

            akshay_abd akshay_abd added a comment -

            Added a pull request to the remoting project:

            https://github.com/jenkinsci/remoting/pull/28

            This is a refactor-only pull request. It should make it easier for developers to add support for more protocols in the slave.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Akshay Dayal
            Path:
            pom.xml
            src/main/java/hudson/remoting/Engine.java
            src/main/java/hudson/remoting/engine/EngineUtil.java
            src/main/java/hudson/remoting/engine/JnlpProtocol.java
            src/main/java/hudson/remoting/engine/JnlpProtocol1.java
            src/main/java/hudson/remoting/engine/JnlpProtocol2.java
            src/main/java/hudson/remoting/engine/JnlpProtocolFactory.java
            src/test/java/hudson/remoting/engine/EngineUtilTest.java
            src/test/java/hudson/remoting/engine/JnlpProtocol1Test.java
            src/test/java/hudson/remoting/engine/JnlpProtocol2Test.java
            http://jenkins-ci.org/commit/remoting/90dd966a0c40c900dd58347fbfbc7958d8b40b65
            Log:
            JENKINS-26580 Refactor slave JNLP engine to make it easier to add more protocols in the future. The engine will now call a factory that returns a list of protocols to try in order. Developers can implement new protocols in separate classes and add them to the factory to be used. Added tests for existing protocols. I noticed the Engine class doesn't have a corresponding Test class. It would be nice to add one, but I think it needs more refactoring before it would be realistic to add tests for it.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Akshay Dayal
            Path:
            src/main/java/hudson/remoting/engine/JnlpProtocol1.java
            src/main/java/hudson/remoting/engine/JnlpProtocol2.java
            http://jenkins-ci.org/commit/remoting/9a427e0614c7fea4a7d77cd7a4ded90ff2023c9b
            Log:
            JENKINS-26580 Add more documentation for the JNLP protocols.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Akshay Dayal
            Path:
            src/main/java/hudson/remoting/Engine.java
            src/main/java/hudson/remoting/engine/EngineUtil.java
            src/main/java/hudson/remoting/engine/JnlpProtocol.java
            src/main/java/hudson/remoting/engine/JnlpProtocol1.java
            src/main/java/hudson/remoting/engine/JnlpProtocol2.java
            src/main/java/hudson/remoting/engine/JnlpProtocolFactory.java
            src/main/java/org/jenkinsci/remoting/engine/EngineUtil.java
            src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol.java
            src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol1.java
            src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol2.java
            src/main/java/org/jenkinsci/remoting/engine/JnlpProtocolFactory.java
            src/test/java/hudson/remoting/engine/EngineUtilTest.java
            src/test/java/hudson/remoting/engine/JnlpProtocol1Test.java
            src/test/java/hudson/remoting/engine/JnlpProtocol2Test.java
            src/test/java/org/jenkinsci/remoting/engine/EngineUtilTest.java
            src/test/java/org/jenkinsci/remoting/engine/JnlpProtocol1Test.java
            src/test/java/org/jenkinsci/remoting/engine/JnlpProtocol2Test.java
            http://jenkins-ci.org/commit/remoting/82096802749f87044727605efb978b19ae636382
            Log:
            JENKINS-26580 Updates based on feedback.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Akshay Dayal
            Path:
            src/main/java/hudson/remoting/Engine.java
            http://jenkins-ci.org/commit/remoting/9fb70849ac5edd38e26ca6f9200f2c3aa753e398
            Log:
            JENKINS-26580 Fixed indentation.

            kieranshaw Kieran Shaw added a comment -

            I'm not sure if I can help in terms of code, but I just thought I'd throw in my 2 cents worth...

            This would be a really great fix for us. We have some offsite Jenkins nodes that do the initial connection through https but then as far as I can tell all following communication on the 49187 port is unprotected. This makes the security people around me very nervous so it would be great for this fix to be available.

            I'm a little surprised at how hard it is to find information about this on the Jenkins website. I suspect I'm not the only one who used to think that this was already encrypted, as the slave startup line is something like:

            java -jar slave.jar -jnlpUrl https://ci.example.com:443/computer/myslave/slave-agent.jnlp -secret sadkfjasfdkjashfdakjfha

            That jnlpUrl being https probably makes most people think the connection is more secure than it really is.

            akshay_abd akshay_abd added a comment -

            I've created a pull request on the remoting repo that adds JNLP3:

            https://github.com/jenkinsci/remoting/pull/41

            I'm still writing tests for the changes to jenkins-core; I'll create a pull request for that soon too.

            It would be nice to get a few security folks to review these changes. Also, in a follow-up CL I'll be enabling JNLP3, probably through a flag; getting folks to try it and help with end-to-end testing would be appreciated.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Akshay Dayal
            Path:
            src/main/java/hudson/remoting/ChannelBuilder.java
            src/main/java/hudson/remoting/ChunkedOutputStream.java
            src/main/java/hudson/remoting/Engine.java
            src/main/java/org/jenkinsci/remoting/engine/EngineUtil.java
            src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol.java
            src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol1.java
            src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol2.java
            src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol3.java
            src/main/java/org/jenkinsci/remoting/engine/JnlpProtocolFactory.java
            src/main/java/org/jenkinsci/remoting/engine/jnlp3/ChannelCiphers.java
            src/main/java/org/jenkinsci/remoting/engine/jnlp3/CipherUtils.java
            src/main/java/org/jenkinsci/remoting/engine/jnlp3/HandshakeCiphers.java
            src/test/java/org/jenkinsci/remoting/engine/EngineUtilTest.java
            src/test/java/org/jenkinsci/remoting/engine/JnlpProtocol1Test.java
            src/test/java/org/jenkinsci/remoting/engine/JnlpProtocol2Test.java
            src/test/java/org/jenkinsci/remoting/engine/JnlpProtocolTest.java
            src/test/java/org/jenkinsci/remoting/engine/jnlp3/CipherUtilsTest.java
            http://jenkins-ci.org/commit/remoting/e044831cb9a2e262bf34514ba2978a06978606cd
            Log:
            JENKINS-26580 Initial implementation of JNLP3-connect protocol

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Akshay Dayal
            Path:
            .gitignore
            pom.xml
            src/main/java/org/jenkinsci/remoting/engine/EngineUtil.java
            src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol.java
            src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol1.java
            src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol2.java
            src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol3.java
            src/main/java/org/jenkinsci/remoting/engine/JnlpProtocolFactory.java
            src/main/java/org/jenkinsci/remoting/engine/jnlp3/ChannelCiphers.java
            src/main/java/org/jenkinsci/remoting/engine/jnlp3/CipherUtils.java
            src/main/java/org/jenkinsci/remoting/engine/jnlp3/HandshakeCiphers.java
            src/main/java/org/jenkinsci/remoting/engine/jnlp3/Jnlp3Util.java
            src/test/java/org/jenkinsci/remoting/engine/EngineUtilTest.java
            src/test/java/org/jenkinsci/remoting/engine/JnlpProtocol1Test.java
            src/test/java/org/jenkinsci/remoting/engine/JnlpProtocol2Test.java
            src/test/java/org/jenkinsci/remoting/engine/JnlpProtocol3Test.java
            src/test/java/org/jenkinsci/remoting/engine/JnlpProtocolTest.java
            src/test/java/org/jenkinsci/remoting/engine/PropertiesStringMatcher.java
            src/test/java/org/jenkinsci/remoting/engine/jnlp3/ChannelCiphersTest.java
            src/test/java/org/jenkinsci/remoting/engine/jnlp3/CipherUtilsTest.java
            src/test/java/org/jenkinsci/remoting/engine/jnlp3/HandshakeCiphersTest.java
            src/test/java/org/jenkinsci/remoting/engine/jnlp3/Jnlp3UtilTest.java
            http://jenkins-ci.org/commit/remoting/b0233c308e68aa8dc0b415b40f315db314214cf0
            Log:
            JENKINS-26580 Updated Jnlp3 implementation and added tests.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Akshay Dayal
            Path:
            src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol3.java
            http://jenkins-ci.org/commit/remoting/fcdd388944231273253794e647da575aaafbd692
            Log:
            JENKINS-26580 Updated Jnlp3 documentation.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Akshay Dayal
            Path:
            core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol3.java
            core/src/main/java/jenkins/slaves/JnlpSlaveHandshake.java
            pom.xml
            http://jenkins-ci.org/commit/jenkins/9bb35a78b8298930adf978046e9f6c53c6853e27
            Log:
            JENKINS-26580 Initial implementation of JNLP3-connect protocol

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Akshay Dayal
            Path:
            core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol3.java
            http://jenkins-ci.org/commit/jenkins/e9f5caa13fa1a3d1bf602ec9d67dac75f3310889
            Log:
            JENKINS-26580 Updated implementation of Jnlp3 protocol

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Kohsuke Kawaguchi
            Path:
            core/src/main/java/jenkins/slaves/DefaultJnlpSlaveReceiver.java
            core/src/main/java/jenkins/slaves/JnlpAgentReceiver.java
            core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol.java
            core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol2.java
            core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol3.java
            core/src/main/java/jenkins/slaves/JnlpSlaveHandshake.java
            pom.xml
            http://jenkins-ci.org/commit/jenkins/6d3e05439643097d2f172761ea82a32a857d058a
            Log:
            Merge pull request #2010 from jenkinsci/jnlp3

            [FIXED JENKINS-26580] Activate JNLP3 support

            Compare: https://github.com/jenkinsci/jenkins/compare/9bb8decf1103...6d3e05439643

            dogfood dogfood added a comment -

            Integrated in jenkins_main_trunk #4494
            JENKINS-26580 Initial implementation of JNLP3-connect protocol (Revision 9bb35a78b8298930adf978046e9f6c53c6853e27)
            JENKINS-26580 Updated implementation of Jnlp3 protocol (Revision e9f5caa13fa1a3d1bf602ec9d67dac75f3310889)

            Result = UNSTABLE
            akshay_abd : 9bb35a78b8298930adf978046e9f6c53c6853e27
            Files :

            • core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol3.java
            • pom.xml
            • core/src/main/java/jenkins/slaves/JnlpSlaveHandshake.java

            akshay_abd : e9f5caa13fa1a3d1bf602ec9d67dac75f3310889
            Files :

            • core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol3.java
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Kohsuke Kawaguchi
            Path:
            core/src/main/java/jenkins/slaves/DefaultJnlpSlaveReceiver.java
            core/src/main/java/jenkins/slaves/JnlpAgentReceiver.java
            core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol.java
            core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol2.java
            core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol3.java
            core/src/main/java/jenkins/slaves/JnlpSlaveHandshake.java
            pom.xml
            http://jenkins-ci.org/commit/jenkins/af1a53d91c4863f27e4fad295911f131beb64b9a
            Log:
            Merge pull request #2010 from jenkinsci/jnlp3

            [FIXED JENKINS-26580][FIXED JENKINS-28289] Activate JNLP3 support
            (cherry picked from commit 6d3e05439643097d2f172761ea82a32a857d058a)

            olivergondza Oliver Gondža added a comment -

            Fixing this on master caused JENKINS-33886, not backporting this into LTS.

            oleg_nenashev Oleg Nenashev added a comment -

            The change has been reverted from 1.651.1: https://github.com/jenkinsci/jenkins/commit/343e65f28d15dc8c025a4aa98cd3c0169ebd224f
            I suspect JNLP3 has never been enabled by default in 1.651.x.

            aaron312 Aaron Curley added a comment -

            Hi all,

            Correct me if I'm mistaken (since I've only taken a cursory look at the JNLP3 implementation, and that look was a few months ago) but aren't we currently using a custom-built "secure" transport protocol? (i.e. we built our own protocol using cryptographic primitives?)

            If so, this seems like an incorrect approach. It is generally recognized in our industry that "rolling your own cryptographic protocol" is a clear path to subtle cryptographic vulnerabilities.

            Isn't this something that we could just use TLS for? Provided we use strong settings (TLSv1.2, good ciphers, etc) wouldn't that give us a much better guarantee of security (than something custom-built)?

            oleg_nenashev Oleg Nenashev added a comment -

            Aaron Curley Remoting 3 is going to include JNLP4 based on TLS. It's already integrated, but we have not released it yet.

            aaron312 Aaron Curley added a comment -

            Great! Good to know.

            marko_andrijevic Marko Andrijevic added a comment -

            Hi Oleg Nenashev,

            Can you please reference the Jenkins Master/Slave software version that contains the fix for this issue and the location where the fixed version(s) can be downloaded from?

            Thanks,
            Marko

            oleg_nenashev Oleg Nenashev added a comment -

            Marko Andrijevic So the fix is...

            1) Download Jenkins 2.32.1+
            2) Update Remoting on agents to 3.0+
            3) Disable JNLP1/JNLP2/CLI1 protocols in the Global Security Configuration

            BTW, JENKINS-45841 will disable old protocols by default in new installations

            marko_andrijevic Marko Andrijevic added a comment -

            Thank you very much for the fast response, Oleg! Can you please also let me know how I can verify that TLS is really in use in Master/Slave communication? I'm already using Wireshark to inspect communication, but since this is a binary protocol, I can't tell for sure if the content is encrypted or just difficult to read.

            Regards,
            Marko

            oleg_nenashev Oleg Nenashev added a comment -

            Marko Andrijevic JNLP4 works only through TLS. If you disable other protocols, it should be enough.
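
One way to check a capture for the question raised above (is the agent port traffic TLS, or cleartext that is merely hard to read), as an added example that is not code from Jenkins or from any commenter. It assumes the agent opens the connection with a length-prefixed "Protocol:<name>" header as Java's DataOutputStream.writeUTF would write it, and that the names follow the "JNLP3-connect" pattern seen in the commit logs; all sample bytes are constructed.

```python
import math
import struct
from collections import Counter

PROTOCOL_MARKER = b"Protocol:"            # assumed cleartext header prefix
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # Java serialization stream header
TLS_TYPES = {20: "change_cipher_spec", 21: "alert",
             22: "handshake", 23: "application_data"}
MAX_TLS_RECORD = 2 ** 14 + 2048           # upper bound on a TLS record body


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext, lower for structured cleartext."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def announced_protocol(stream: bytes):
    """Return (name, end_offset) for a length-prefixed 'Protocol:<name>' header."""
    start = stream.find(PROTOCOL_MARKER, 0, 64)
    if start < 2:
        return None, 0
    (length,) = struct.unpack(">H", stream[start - 2:start])
    end = start + length
    if length <= len(PROTOCOL_MARKER) or end > len(stream):
        return None, 0
    name = stream[start + len(PROTOCOL_MARKER):end]
    return name.decode("ascii", "replace"), end


def parse_tls_records(buf: bytes, offset: int):
    """Parse back-to-back TLS records; stop at the first byte that is not one."""
    records = []
    while offset + 5 <= len(buf):
        ctype, major, minor, length = struct.unpack(">BBBH", buf[offset:offset + 5])
        if ctype not in TLS_TYPES or major != 3 or minor > 4:
            break
        if length > MAX_TLS_RECORD or offset + 5 + length > len(buf):
            break                          # implausible or truncated record
        records.append((TLS_TYPES[ctype], buf[offset + 5:offset + 5 + length]))
        offset += 5 + length
    return records


def classify_agent_stream(stream: bytes) -> dict:
    """Classify the agent-to-master bytes of one reassembled TCP connection."""
    name, body_start = announced_protocol(stream)
    body = stream[body_start:]
    tls_offset, records = -1, []
    for i in range(min(len(body), 32)):    # tolerate a few bytes before TLS
        found = parse_tls_records(body, i)
        # A client stream must open with a handshake record holding ClientHello (type 1).
        if found and found[0][0] == "handshake" and found[0][1][:1] == b"\x01":
            tls_offset, records = i, found
            break
    if records:
        verdict = "tls"
        sample = b"".join(p for t, p in records if t == "application_data")
    else:
        verdict = "cleartext-java" if JAVA_SERIAL_MAGIC in body else "unknown"
        sample = body
    return {"protocol": name, "verdict": verdict, "tls_offset": tls_offset,
            "records": [t for t, _ in records],
            "entropy": round(shannon_entropy(sample), 2)}


def java_utf(text: str) -> bytes:
    """Mimic DataOutputStream.writeUTF for ASCII text (2-byte length prefix)."""
    raw = text.encode("ascii")
    return struct.pack(">H", len(raw)) + raw


def tls_record(ctype: int, payload: bytes) -> bytes:
    """Build one TLS record with version bytes 3.3 around the given payload."""
    return struct.pack(">BBBH", ctype, 3, 3, len(payload)) + payload


# Constructed samples, not real captures.
SAMPLE_TLS = (java_utf("Protocol:JNLP4-connect") + b"ACK"            # filler bytes
              + tls_record(22, b"\x01\x00\x00\x04\x03\x03\x00\x00")  # stub ClientHello
              + tls_record(20, b"\x01")
              + tls_record(23, bytes(range(256))))                   # stand-in ciphertext
SAMPLE_CLEAR = (java_utf("Protocol:JNLP2-connect") + java_utf("test")
                + JAVA_SERIAL_MAGIC + b"sr" + java_utf("hudson.remoting.Command"))

if __name__ == "__main__":
    for label, data in (("tls", SAMPLE_TLS), ("clear", SAMPLE_CLEAR)):
        print(label, classify_agent_stream(data))
```

Feed it the agent-to-master bytes of one connection exported from the capture; TLS record framing is the reliable signal, and the entropy figure is only supporting evidence because compressed cleartext also scores high.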


              People

              • Assignee:
                akshay_abd akshay_abd
                Reporter:
                akshay_abd akshay_abd
              • Votes:
                6
                Watchers:
                15
