Update Sites gives Unable to tunnel through proxy

Issue

CloudBees Core CI is configured to work with a proxy under Manage Jenkins -> Manage Plugins -> Advanced tab providing the corresponded username/password. The JDK was recently upgraded to a version equal or higher than 1.8.0_111-b14.

After we click on the Check now button to get the updates, a stacktrace similar to the one below is shown in the GUI.

2020-09-25 10:13:00.023+0000 [id=529]	INFO	hudson.util.Retrier#start: The attempt #1 to do the action check updates server failed with an allowed exception:
java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"
	at sun.net.www.protocol.http.HttpURLConnection.doTunneling(HttpURLConnection.java:2124)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:183)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
	at com.cloudbees.jenkins.plugins.license.nectar.CloudBeesUpdateSite.loadJSON(CloudBeesUpdateSite.java:539)
	at com.cloudbees.jenkins.plugins.license.nectar.CloudBeesUpdateSite.updateDirectlyNow(CloudBeesUpdateSite.java:529)

Notice that this particular issue should not be exposed if credentials are not needed, and thus the credentials for the proxy are not filled in Jenkins side

Environment

Resolution

In the JDK release notes for Java 1.8.0_111-b14 we can read the following lines.

In some environments, certain authentication schemes may be undesirable when proxying HTTPS. Accordingly, the Basic authentication scheme has been deactivated, by default, in the Oracle Java Runtime, by adding Basic to the jdk.http.auth.tunneling.disabledSchemes networking property. Now, proxies requiring Basic authentication when setting up a tunnel for HTTPS will no longer succeed by default. If required, this authentication scheme can be reactivated by removing Basic from the jdk.http.auth.tunneling.disabledSchemes networking property, or by setting a system property of the same name to "" ( empty ) on the command line.

Additionally, the jdk.http.auth.tunneling.disabledSchemes and jdk.http.auth.proxying.disabledSchemes networking properties, and system properties of the same name, can be used to disable other authentication schemes that may be active when setting up a tunnel for HTTPS, or proxying plain HTTP, respectively.

The proxy feature in Jenkins still uses Basic Authentication. As per the release notes, the issue could be workaround by injecting -Djdk.http.auth.tunneling.disabledSchemes=""

NOTE: Under certain unknown circunstances, it might also needed to add -Dhttp.auth.preference="basic" as well to fully workaround this issue.
How to add Java arguments to Jenkins?