Bug 558709 - Apache HttpClientConnection doesn't work for HTTPS connections when running on IBM JDK
Status: RESOLVED FIXED
Alias: None
Product: JGit
Classification: Technology
Component: JGit
Version: 5.7
Hardware: All All
Importance: P3 normal
Target Milestone: 5.7
Assignee: Project Inbox
Reported: 2020-01-01 10:49 EST by Thomas Wolf
Modified: 2020-04-24 14:16 EDT



Attachments
Java program to examine supported/enabled TLS versions on sockets (1.10 KB, text/plain)
2020-01-01 10:49 EST, Thomas Wolf

Description Thomas Wolf 2020-01-01 10:49:54 EST
Created attachment 281365
Java program to examine supported/enabled TLS versions on sockets

JGit configures a socket factory via

  SSLContext.getInstance("TLS");

for HTTPS connections.

Running on an IBM JDK, this results in using sockets that have only TLSv1 enabled, which is pretty useless since it's refused by most (if not all) servers nowadays.

Running on an Oracle JDK or OpenJDK, the sockets have all available TLS protocol versions enabled.

There is an IBM-specific system property to make at least plain "TLS" behave as in Oracle/OpenJDK, but setting a system property in code is not good for a library like JGit.

Running the attached SSLTest program on IBM JDK gives:

$ ~/bin/ibmjdk/bin/java -version
java version "1.8.0_231"
Java(TM) SE Runtime Environment (build 8.0.6.0 - pxa6480sr6-20191107_01(SR6))
IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20191106_432135 (JIT enabled, AOT enabled)
OpenJ9   - f0b6be7
OMR      - 18d8f94
IBM      - 233dfb5)
JCL - 20191016_01 based on Oracle jdk8u231-b10
$ ~/bin/ibmjdk/bin/java SSLTest
TLS supported protocols: [TLSv1, TLSv1.1, TLSv1.2]
TLS enabled protocols: [TLSv1]
TLSv1.1 supported protocols: [TLSv1, TLSv1.1, TLSv1.2]
TLSv1.1 enabled protocols: [TLSv1.1]
TLSv1.2 supported protocols: [TLSv1, TLSv1.1, TLSv1.2]
TLSv1.2 enabled protocols: [TLSv1.2]
*** TLSv1.3 NOT AVAILABLE
$ ~/bin/ibmjdk/bin/java -Dcom.ibm.jsse2.overrideDefaultTLS=true SSLTest
TLS supported protocols: [TLSv1, TLSv1.1, TLSv1.2]
TLS enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]
TLSv1.1 supported protocols: [TLSv1, TLSv1.1, TLSv1.2]
TLSv1.1 enabled protocols: [TLSv1.1]
TLSv1.2 supported protocols: [TLSv1, TLSv1.1, TLSv1.2]
TLSv1.2 enabled protocols: [TLSv1.2]
*** TLSv1.3 NOT AVAILABLE
$

Running the same on OpenJDK gives:

$ java -version
openjdk version "11.0.1" 2018-10-16 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.1+13-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.1+13-LTS, mixed mode, sharing)
$ java SSLTest
TLS supported protocols: [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2Hello]
TLS enabled protocols: [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1]
TLSv1.1 supported protocols: [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2Hello]
TLSv1.1 enabled protocols: [TLSv1.1, TLSv1]
TLSv1.2 supported protocols: [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2Hello]
TLSv1.2 enabled protocols: [TLSv1.2, TLSv1.1, TLSv1]
TLSv1.3 supported protocols: [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2Hello]
TLSv1.3 enabled protocols: [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1]
$

(On OpenJDK 1.8, TLSv1.3 is not available)

Interestingly, the sockets returned by IBM JDK _do_ support all available TLS protocol versions, but they have only the specified one enabled, and plain "TLS" on IBM JDK means "TLSv1".

JGit should normalize this differing behavior by explicitly enabling all supported TLS protocols on SSL sockets.

See also:

* https://www.eclipse.org/forums/index.php/t/1101861/
* https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/matchsslcontext_tls.html
* https://issues.apache.org/jira/browse/HTTPCLIENT-1784
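A delegating socket factory of the kind the report proposes, added here as an example; it is not JGit's actual fix. It wraps the factory obtained from SSLContext.getInstance("TLS") and enables every supported protocol whose name starts with "TLS", so on the IBM JDK a socket ends up with TLSv1, TLSv1.1 and TLSv1.2 enabled instead of only TLSv1; the "TLS" prefix filter goes slightly beyond the page in that it keeps SSLv3 and SSLv2Hello disabled on JDKs that list them as supported. The class name and the main() probe (which mirrors the attached SSLTest output) are my own choices.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Delegating factory that enables every TLS protocol version a socket supports (example, not JGit code). */
public class TlsNormalizingSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;
    public TlsNormalizingSocketFactory(SSLSocketFactory delegate) { this.delegate = delegate; }

    /** Enable all supported protocols whose name starts with "TLS"; SSLv3/SSLv2Hello stay disabled. */
    static Socket normalize(Socket socket) {
        if (socket instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) socket;
            String[] tls = Arrays.stream(ssl.getSupportedProtocols())
                    .filter(p -> p.startsWith("TLS")).toArray(String[]::new);
            if (tls.length > 0) ssl.setEnabledProtocols(tls);
        }
        return socket;
    }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket() throws IOException { return normalize(delegate.createSocket()); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return normalize(delegate.createSocket(s, host, port, autoClose));
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return normalize(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress local, int localPort) throws IOException {
        return normalize(delegate.createSocket(host, port, local, localPort));
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return normalize(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(InetAddress host, int port, InetAddress local, int localPort) throws IOException {
        return normalize(delegate.createSocket(host, port, local, localPort));
    }

    /** Probe in the spirit of the attached SSLTest: enabled protocols before and after wrapping. */
    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key and trust managers
        SSLSocket plain = (SSLSocket) ctx.getSocketFactory().createSocket();
        System.out.println("enabled before: " + Arrays.toString(plain.getEnabledProtocols()));
        SSLSocket fixed = (SSLSocket) new TlsNormalizingSocketFactory(ctx.getSocketFactory()).createSocket();
        System.out.println("enabled after:  " + Arrays.toString(fixed.getEnabledProtocols()));
    }
}
```

On an IBM JDK without the override property the first line should show only TLSv1 and the second all three TLS versions; on OpenJDK both lines list the TLS versions while SSLv3 and SSLv2Hello remain disabled.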
Comment 1 Eclipse Genie 2020-01-03 15:55:45 EST
Gerrit change https://git.eclipse.org/r/155130 was merged to [master].
Commit: http://git.eclipse.org/c/jgit/jgit.git/commit/?id=d661b9f43a091a5b6b5d843f77e79856675435fb
Comment 2 Thomas Wolf 2020-04-24 14:16:52 EDT
This problem can also be hit with the Java built-in HTTP connections if one is using an IBM JDK and has set http.sslVerify=false in the git config.

See https://www.eclipse.org/forums/index.php/t/1103487/ .

If you hit this in an EGit version older than 5.7.0, either update to the newest EGit, or if that is not possible, set

  -Dcom.ibm.jsse2.overrideDefaultTLS=true

in eclipse.ini (Eclipse's start configuration, located in the directory where you have installed Eclipse).