== Issue

As of versions 10.0 and 10.1, CloudBees CD/RO only accepts TLS 1.2 for the CloudBees CD/RO Server certificate and does not allow earlier TLS versions when agents connect to the server.

When upgrading CloudBees CD/RO from an earlier version, agents may fail to connect to the server if the certificate does not support TLS 1.2. Likewise, if you use certificates signed by your organisation's Certificate Authority, you need to verify that TLS 1.2 is properly enabled for your certificate.

TLS 1.3 is not accepted because of Perl incompatibilities and will be implemented in a future release.
== Environment

- CloudBees CD/RO Server
  - CloudBees CD/RO versions that only allow TLS 1.2:
    - CloudBees CD/RO 10.1.x
    - CloudBees CD/RO 10.0.x
  - CloudBees CD/RO versions that allow TLS 1.2 and previous versions:
    - CloudBees CD/RO 9.x
    - CloudBees CD/RO 8.x
- CloudBees CD/RO Agent
  - Windows and Linux agents: TLS 1.2 is supported from CloudBees CD/RO agents v6.0.4/6.3 and newer
  - Mac OS agents: TLS 1.2 is supported from CloudBees CD/RO agents v8.5 and newer
== Resolution

To validate that the SSL handshake succeeds with this specific TLS version, run the following from the CloudBees CD/RO Server. The variables are exported so that the bundled `openssl` binary picks up the CloudBees library path and configuration file.

=== Linux Systems

CloudBees CD/RO 10.0.x and lower:

[source,bash]
----
export COMMANDER_HOME=/opt/electriccloud/electriccommander
export LD_LIBRARY_PATH=$COMMANDER_HOME/lib
export OPENSSL_CONF="$COMMANDER_HOME/conf/agentssl.cnf"
echo -e "quit\n" | $COMMANDER_HOME/bin/openssl s_client -connect localhost:8443 -tls1_2
----

CloudBees CD/RO 10.1.x:

[source,bash]
----
export COMMANDER_HOME=/opt/cloudbees/sda
export LD_LIBRARY_PATH=$COMMANDER_HOME/lib
export OPENSSL_CONF="$COMMANDER_HOME/conf/agentssl.cnf"
echo -e "quit\n" | $COMMANDER_HOME/bin/openssl s_client -connect localhost:8443 -tls1_2
----

=== Windows Systems

CloudBees CD/RO 10.0.x and lower:

[source,bat]
----
cd "C:\Program Files\Electric Cloud\ElectricCommander\bin"
set OPENSSL_CONF=C:\ProgramData\Electric Cloud\ElectricCommander\conf\agentssl.cnf
set COMMANDER_HOME=C:\Program Files\Electric Cloud\ElectricCommander\
set LD_LIBRARY_PATH=%COMMANDER_HOME%bin
openssl s_client -connect localhost:8443 -tls1_2
----

CloudBees CD/RO 10.1.x:

[source,bat]
----
cd "C:\Program Files\CloudBees\Software Delivery Automation"
set OPENSSL_CONF=C:\ProgramData\CloudBees\Software Delivery Automation\conf\agentssl.cnf
set COMMANDER_HOME=C:\Program Files\CloudBees\Software Delivery Automation\
set LD_LIBRARY_PATH=%COMMANDER_HOME%bin
openssl s_client -connect localhost:8443 -tls1_2
----
If the SSL handshake completes correctly, the output looks similar to the following (note the `New, TLSv1.2, Cipher is ...` line and the negotiated cipher):

----
---
SSL handshake has read 2204 bytes and written 326 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 343FCBC5D64DFE053C4111B96E529FD6F4A3562DB1A66C4622901A722F3B92BD
    Session-ID-ctx:
    Master-Key: 90557A4C15104BA7DFF27E46CAC636B2B91C40A36EC3B7D1961A8B947A7150ED66EEA4EE119E5D754BAD6696CEBC6D39
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1615578628
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: yes
---
DONE
----
If the SSL certificate on the CloudBees CD/RO Server does not support TLS 1.2, the output looks similar to the following (no cipher is negotiated, so `Cipher is (NONE)` and `Cipher : 0000`):

----
---
SSL handshake has read 7 bytes and written 106 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1615578979
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
----
In this case, you need to replace the CloudBees CD/RO Server certificate with one that supports TLS 1.2, as explained in the article CloudBees CD/RO Certificate Fails Security Scan.

Be aware that if you are running in a cluster environment, your load balancer could be overriding the CloudBees CD/RO certificate. In that case, run the same TLS check from the CloudBees CD/RO Server twice: once against the CloudBees CD/RO Server FQDN and once against the load balancer FQDN.

If your CloudBees CD/RO Server accepts TLS 1.2 but the load balancer certificate does not, contact your IT team to upgrade the load balancer certificate.
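The check above has to be repeated per endpoint (server FQDN, load balancer FQDN) and its verdict has to be read from the `Cipher is` line, because `Protocol : TLSv1.2` appears in both the successful and the failed transcript. The following script is an added example, not part of this article and not CloudBees' own tooling: it wraps the same `openssl s_client -tls1_2` call and classifies the transcript. `COMMANDER_HOME`, the host names and the port are placeholders you must adapt to your installation.

```shell
#!/bin/sh
# Added example (not from the CloudBees article): run the TLS 1.2 handshake
# check against several endpoints and classify each openssl s_client transcript.
# Assumptions: COMMANDER_HOME (if set) points at a CloudBees CD/RO install with
# bin/openssl, lib/ and conf/agentssl.cnf; host names below are placeholders.

# Reads an s_client transcript on stdin.
# Returns 0 when a TLS 1.2 session with a real cipher was negotiated,
#         1 when the server refused TLS 1.2 ("Cipher is (NONE)"),
#         2 when the transcript cannot be interpreted (connection error, etc.).
classify_handshake() {
    transcript=$(cat)
    # Success marker from the article's good transcript:
    #   New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    if printf '%s\n' "$transcript" | grep -q '^New, TLSv1\.2, Cipher is [A-Z0-9-]'; then
        return 0
    fi
    # Failure marker from the article's bad transcript:
    #   New, (NONE), Cipher is (NONE)
    if printf '%s\n' "$transcript" | grep -q 'Cipher is (NONE)'; then
        return 1
    fi
    return 2
}

# Run the article's openssl check against one host:port and print a verdict.
# Uses the openssl bundled with CloudBees CD/RO when COMMANDER_HOME is set,
# otherwise the system openssl.
check_endpoint() {
    host=$1
    port=${2:-8443}
    if [ -n "$COMMANDER_HOME" ]; then
        export LD_LIBRARY_PATH="$COMMANDER_HOME/lib"
        export OPENSSL_CONF="$COMMANDER_HOME/conf/agentssl.cnf"
        openssl_bin="$COMMANDER_HOME/bin/openssl"
    else
        openssl_bin=openssl
    fi
    printf 'quit\n' | "$openssl_bin" s_client -connect "$host:$port" -tls1_2 2>/dev/null \
        | classify_handshake
    case $? in
        0) echo "$host:$port: TLS 1.2 negotiated" ;;
        1) echo "$host:$port: TLS 1.2 NOT negotiated (check server or load balancer certificate)" ;;
        *) echo "$host:$port: no transcript (connection failed or unexpected output)" ;;
    esac
}

# Check the server and the load balancer in one pass (placeholder host names).
check_all() {
    for endpoint in cd-server.example.invalid lb.example.invalid; do
        check_endpoint "$endpoint" 8443
    done
}
```

Call `check_all` (or `check_endpoint <fqdn> 8443`) from the CloudBees CD/RO Server after setting `COMMANDER_HOME` as in the commands above. A "NOT negotiated" verdict for the load balancer FQDN while the server FQDN passes is the cluster situation described above, where the load balancer certificate rather than the server certificate needs attention.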