Proposal - Disabling JNLP1/2 and CLI1 protocols by default in new Installations

175 views
Skip to first unread message

Oleg Nenashev

unread,
Jul 28, 2017, 3:53:50 AM7/28/17
to Jenkins Developers, Sam Gleske, Stephen Connolly
Hi all,

It is almost one year since the release of JNLP4 protocol in Remoting 3.0. This protocol is available in Jenkins LTS since 2.32.1, and so far it demonstrates good stability being compared to JNLP2 and especially to JNLP3. The protocol was enabled by default in 2.46.x, and we do not have confirmed JNLP4 issues since that.

I propose to disable the previous protocols. I have created JENKINS-45841 for it.

Why?

  • JNLP2 stability concerns
  • JNLP1/JNLP2/CLI1 are known to be unencrypted
    • Sam Gleske also made it explicit in UI, Jenkins 2.41+ (pull request)
    • It is not a security issue, they have been never claimed to be encrypted
    • Jenkins CERT team agreed that disabling protocols is reasonable from the security hardening standpoint

How?

  • UPD: When installation wizard is enabled && it runs in the new installation mode, disable the old protocols during the instance initialization
    • It is similar to what we do for Remoting CLI disabling and the default security initialization in Jenkins 2.0
  • ADD: administrative monitor, which warns about obsolete Remoting protocols and points to the errata documents (like this one)
  • ADD: Explicit deprecation notice to the built-in HTML documentation

Compatibility concerns

  • Old instances won't be affected, protocols will be still enabled for them
  • "New" Jenkins instances installed via setup wizard may be affected in age cases. Examples:
    • Agents with Remoting older than 3.0 will be unable to connect.
      • One may bundle old Remoting in his custom Docker images, AMIs, etc.
    • Swarm Plugin: old versions of Swarm Client (before 3.3) will be unable to connect, because Remoting 2.x is bundled
    • **Very** old jenkins-cli.jar without CLI2 support will be unable to connect

Not affected:

  • Newly installed instances created from scratch
  • Instances using the "-Djenkins.install.runSetupWizard=false" flag (all configuration-as-code instances)
  • SSH Slaves Plugin, any newly installed agent type, community-provided Docker packages for agents, etc.

Announcement

  • It's a potentially breaking change, hence it should be announced in blog posts
  • The change and the corner cases should be addressed in the upgrade guide, which should be published within the blogpost

I think it's a good time to finally do this change. WDYT?


Thanks in advance,

Oleg Nenashev

Stephen Connolly

unread,
Jul 28, 2017, 4:02:28 AM7/28/17
to jenkin...@googlegroups.com
+1

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/7a7e2b81-8795-48bd-b1c2-d0ee31123df3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Sent from my phone

Baptiste Mathus

unread,
Jul 28, 2017, 8:59:53 AM7/28/17
to Jenkins Developers
Having seen recently a customer simply switch from JNLP2 to JNLP4 and get their instance back to working, after they had disabled JNLP4 after some mistake I'm +1 to help drive users more towards the "right"/recommended version.

+1

To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscribe@googlegroups.com.
--
Sent from my phone

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CA%2BnPnMw-mrET-X9xO4Y2B%3Dy2MfQ%3DyduKedp9wLiFL-Xk_eKYjQ%40mail.gmail.com.

Oleg Nenashev

unread,
Aug 2, 2017, 1:28:58 PM8/2/17
to Jenkins Developers, m...@batmat.net
Added the proposal sign-off to the today's Governance meeting agenda.
The pull requests are up and running: https://github.com/jenkinsci/jenkins/pull/2950

BR, Oleg

пятница, 28 июля 2017 г., 14:59:53 UTC+2 пользователь Baptiste Mathus написал:
+1

To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
--
Sent from my phone

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.

Sam Gleske

unread,
Apr 29, 2018, 3:46:01 AM4/29/18
to Oleg Nenashev, Jenkins Developers, Stephen Connolly
I agree with this sentiment.  As one who has argued for a decently secured agent to master protocol for years I think by even leaving an option to have them configured is just yet another checkbox in which a user can make a mistake.  I've tried clarifying their function in the help text https://github.com/jenkinsci/jenkins/pull/2682 ; however, every company I join seems to have the worst configurations enabled.  Even companies where Jenkins is secured with HTTPS it comes as a surprise to the owners that the protocols they selected have no bearing on the security of the web UI frontend.

I would personally propose removing the options of having them enabled at all.  Though, if they can be disabled by default I guess that's a compromise I'd be willing to accept.  Still think it would be better to remove them, though.  If a user truly needs to have them enabled than we can provide a way to have them enabled via JVM properties.  Not very user friendly, but then again if a user wants to lower the integrity of the security of their installation we shouldn't make it easy or user friendly (but still provide it as an option for those daring enough to do it).

Oleg Nenashev

unread,
Apr 30, 2018, 3:48:11 AM4/30/18
to Jenkins Developers
I would personally propose removing the options of having them enabled at all.  Though, if they can be disabled by default I guess that's a compromise I'd be willing to accept. 
  • Protocols are already disabled by default on new installations (since 2.75)
  • There is a PR from Vincent Latombe which disables them on old installations as well (with opt-in option): https://github.com/jenkinsci/jenkins/pull/3188 . Not ready for merge, needs some minor fixes

There is a related story about detaching Remoting protocol handlers to plugins (JENKINS-44100 and PR #2875). Obsolete protocols could be detached to a separate plugin if it helps to move this story forward. BTW, it just needs a here who has time for it. Unfortunately, I don't.


BR, Oleg

Reply all
Reply to author
Forward
0 new messages