FileDownloader disables TLSv1.3 #1170
Comments
|
Yeah it's a 7 years old change #714 and the intention was to disable TLS 1.1, not to disable TLS 1.3. Maybe there's a better way of doing it? |
|
I'm not sure why it has been added. If GitHub disables weak ciphers and versions, the negotiation should automatically use TLSv1.2? Even with weak ciphers and older versions enabled, it should automatically choose the correct (newer) version. Can we just drop it and see if someone complains? |
|
Seems like JDK 1.7 didn't have TLSv1.2 enabled by default at first, but later received an update to change that, see https://stackoverflow.com/a/46582752/2373138. https://www.oracle.com/java/technologies/javase/7u131-relnotes.html
|
|
@pitgrap Do you remember any of this stuff? |
This disables TLSv1.3 and changes global state that shouldn't be changed. Fixes eirslett#1170.
|
I've opened #1171 to change it. |
|
Wow, 7 years old change. I can't remember, but the commit message says: "force tls1.2 (important for jdk 1.7 and github), this will fix tests on appveyor". |
|
Really nostalgic, isn't it! |
Do you want to request a feature or report a bug?
Bug
What is the current behavior?
FileDownloader restricts TLS to TLSv1.2.
This is a problem for setups that only allow TLSv1.3. Even worse, it doesn't just restrict the TLS version this plugin uses, but also all plugins that run after it in the same JVM instance, because it modifies global properties.
Connections to TLSv1.3 only hosts will fail with
Received fatal alert: protocol_version.If the current behavior is a bug, please provide the steps to reproduce.
Use the plugin with a host that only supports TLSv1.3 or use a plugin that makes HTTPS requests to a TLSv1.3 only host after running this plugin and downloading a file with
FileDownloader.What is the expected behavior?
TLSv1.3 should be used.
Please mention your frontend-maven-plugin and operating system version.
1.15.1 / Debian 11
The text was updated successfully, but these errors were encountered: