== Issue
As of v10.0 to 10.1, CloudBees CD/RO only accepts TLS 1.2 for the CloudBees CD/RO Server Certificate and does not allow previous TLS versions when connecting from agents.
When upgrading CloudBees CD/RO from previous versions of the application, you could suffer connectivity issues from agents to the server if the certificate does not support TLS 1.2. In the same way, when you are using certificates signed by your organisation's Certificate Authority, you need to validate that TLS 1.2 is properly enabled for your certificate.
NOTE: TLS 1.3 is not accepted due to Perl incompatibilities and will be implemented in a future release.
== Environment
- CloudBees CD/RO Server
  - CloudBees CD/RO versions that only allow TLS 1.2:
    - CloudBees CD/RO 10.1.x
    - CloudBees CD/RO 10.0.x
  - CloudBees CD/RO versions that allow TLS 1.2 and previous versions:
    - CloudBees CD/RO 9.x
    - CloudBees CD/RO 8.x
- CloudBees CD/RO Agent
  - Windows and Linux Agents: TLS 1.2 is supported from CloudBees CD/RO agents v6.0.4/6.3 and newer
  - Mac OS: TLS 1.2 is supported from CloudBees CD/RO agents v8.5 and newer
== Resolution
To validate the SSL handshake for this specific TLS version, execute the following from the CloudBees CD/RO Server host (the environment variables point the bundled openssl binary at the agent SSL configuration and libraries shipped with the product):
Linux Systems
CloudBees CD/RO 10.0.x and lower:
COMMANDER_HOME=/opt/electriccloud/electriccommander
export LD_LIBRARY_PATH=$COMMANDER_HOME/lib
export OPENSSL_CONF="$COMMANDER_HOME/conf/agentssl.cnf"
echo -e "quit\n" | $COMMANDER_HOME/bin/openssl s_client -connect localhost:8443 -tls1_2
CloudBees CD/RO 10.1.x:
COMMANDER_HOME=/opt/cloudbees/sda
export LD_LIBRARY_PATH=$COMMANDER_HOME/lib
export OPENSSL_CONF="$COMMANDER_HOME/conf/agentssl.cnf"
echo -e "quit\n" | $COMMANDER_HOME/bin/openssl s_client -connect localhost:8443 -tls1_2
Windows Systems
CloudBees CD/RO 10.0.x and lower:
cd "C:\Program Files\Electric Cloud\ElectricCommander\bin"
set OPENSSL_CONF=C:\ProgramData\Electric Cloud\ElectricCommander\conf\agentssl.cnf
set COMMANDER_HOME=C:\Program Files\Electric Cloud\ElectricCommander\
set LD_LIBRARY_PATH=%COMMANDER_HOME%bin
openssl s_client -connect localhost:8443 -tls1_2
CloudBees CD/RO 10.1.x:
cd "C:\Program Files\CloudBees\Software Delivery Automation"
set OPENSSL_CONF=C:\ProgramData\CloudBees\Software Delivery Automation\conf\agentssl.cnf
set COMMANDER_HOME=C:\Program Files\CloudBees\Software Delivery Automation\
set LD_LIBRARY_PATH=%COMMANDER_HOME%bin
openssl s_client -connect localhost:8443 -tls1_2
If the TLS 1.2 handshake succeeds, the output will look similar to the following (note the negotiated cipher suite on the "New, TLSv1.2" line; the verification error about a self-signed certificate is expected with the default server certificate):
---
SSL handshake has read 2204 bytes and written 326 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 343FCBC5D64DFE053C4111B96E529FD6F4A3562DB1A66C4622901A722F3B92BD
Session-ID-ctx:
Master-Key: 90557A4C15104BA7DFF27E46CAC636B2B91C40A36EC3B7D1961A8B947A7150ED66EEA4EE119E5D754BAD6696CEBC6D39
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1615578628
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
Extended master secret: yes
---
DONE
If the SSL certificate in the CloudBees CD/RO Server does not support TLS 1.2, the handshake fails and no cipher is negotiated ("Cipher is (NONE)"); the output will look similar to:
---
SSL handshake has read 7 bytes and written 106 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1615578979
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
In this case you will need to replace the CloudBees CD/RO Server certificate with one that supports TLS 1.2, as explained in CloudBees CD/RO Certificate Fails Security Scan.
Please be aware that if you are running in a cluster environment, your Load Balancer could be overriding the CloudBees CD/RO certificate. In this case you will need to validate the TLS certificate from the CloudBees CD/RO Server, but pointing the check at both your CloudBees CD/RO Server FQDN and your Load Balancer FQDN.
If your CloudBees CD/RO Server accepts TLS 1.2 but your Load Balancer certificate does not, please contact your IT team to upgrade the Load Balancer certificate.
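The following is an added example (not part of the CloudBees article) that wraps the s_client check above so it can be run against every endpoint agents connect to, the server FQDN and the Load Balancer FQDN, and classifies each result using the "New, TLSv1.2, Cipher is ..." versus "Cipher is (NONE)" lines shown in the two outputs. It assumes an openssl binary on PATH (the article uses the one shipped under $COMMANDER_HOME/bin with OPENSSL_CONF and LD_LIBRARY_PATH set) and port 8443; the sample outputs and host names are constructed.

```shell
#!/bin/sh
# Added example, not the CloudBees article's own code.
# Assumptions: openssl on PATH, server port 8443 as in the article.

# Constructed samples, abridged from the two outputs quoted in the article.
SAMPLE_OK='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit'
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported'

# tls12_verdict: read s_client output on stdin. A successful -tls1_2 handshake
# prints a real cipher suite on the "New, TLSv1.2" line; a refused one prints
# "Cipher is (NONE)". Prints ok/fail and returns 0/1 accordingly.
tls12_verdict() {
    if grep -q '^New, TLSv1\.2, Cipher is [A-Za-z0-9-]'; then
        echo ok
        return 0
    fi
    echo fail
    return 1
}

# probe_tls12 HOST [PORT]: the article's openssl command against one endpoint.
probe_tls12() {
    host=$1
    port=${2:-8443}
    printf 'quit\n' | openssl s_client -connect "$host:$port" \
        -servername "$host" -tls1_2 2>/dev/null | tls12_verdict
}

# check_endpoints HOST...: probe each endpoint (server FQDN, load balancer
# FQDN); prints one verdict per host and returns non-zero if any one fails.
check_endpoints() {
    rc=0
    for h in "$@"; do
        v=$(probe_tls12 "$h") || rc=1
        echo "$h: $v"
    done
    return $rc
}

# demo_verdicts: run the classifier over the constructed samples; prints "ok fail".
demo_verdicts() {
    a=$(printf '%s\n' "$SAMPLE_OK" | tls12_verdict) || true
    b=$(printf '%s\n' "$SAMPLE_FAIL" | tls12_verdict) || true
    echo "$a $b"
}
```

Run it from the server host as check_endpoints cd-server.example.com lb.example.com (constructed host names); a "fail" for only the load balancer points at the Load Balancer certificate rather than the CloudBees CD/RO Server certificate.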