FileDownloader disables TLSv1.3

[kelunik]

Do you want to request a feature or report a bug?

Bug

What is the current behavior?

FileDownloader restricts TLS to TLSv1.2.

This is a problem for setups that only allow TLSv1.3. Even worse, it doesn't just restrict the TLS version this plugin uses, but also all plugins that run after it in the same JVM instance, because it modifies global properties.

Connections to TLSv1.3 only hosts will fail with Received fatal alert: protocol_version.

If the current behavior is a bug, please provide the steps to reproduce.

Use the plugin with a host that only supports TLSv1.3 or use a plugin that makes HTTPS requests to a TLSv1.3 only host after running this plugin and downloading a file with FileDownloader.

What is the expected behavior?

TLSv1.3 should be used.

Please mention your frontend-maven-plugin and operating system version.

1.15.1 / Debian 11

[eirslett]

Yeah it's a 7 years old change #714 and the intention was to disable TLS 1.1, not to disable TLS 1.3. Maybe there's a better way of doing it?

[kelunik]

I'm not sure why it has been added. If GitHub disables weak ciphers and versions, the negotiation should automatically use TLSv1.2? Even with weak ciphers and older versions enabled, it should automatically choose the correct (newer) version.

Can we just drop it and see if someone complains?

[kelunik]

Seems like JDK 1.7 didn't have TLSv1.2 enabled by default at first, but later received an update to change that, see https://stackoverflow.com/a/46582752/2373138.

https://www.oracle.com/java/technologies/javase/7u131-relnotes.html

TLSv1.2 and TLSv1.1 are now enabled by default on the TLS client end-points. This is similar behavior to what already happens in JDK 8 releases.

[eirslett]

@pitgrap Do you remember any of this stuff?

[kelunik]

I've opened #1171 to change it.

[pitgrap]

Wow, 7 years old change. I can't remember, but the commit message says: "force tls1.2 (important for jdk 1.7 and github), this will fix tests on appveyor".
As @kelunik already analysed, that the default has changed, I guess we can just remove it.

[eirslett]

Really nostalgic, isn't it!