clojars / clojars-web

A community repository for open-source Clojure libraries
https://clojars.org
Eclipse Public License 1.0

Getting TLS incompatibility errors when trying to upload artefacts to clojars.org/repo #884

Closed RamAnvesh closed 3 months ago

RamAnvesh commented 3 months ago

This is apparently happening because the server doesn't support TLS 1.2/1.3 which are the only allowed protocols in our network.

A TLS checker tool says clojars.org has TLS 1.2 enabled, but repo.clojars.org doesn't have any TLS version 🤔.


Can you please let me know what is the best way to upload artefacts without encountering these errors?

tobias commented 3 months ago

Hi @RamAnvesh! Thanks for the report!

I just upgraded the SSL policy for clojars.org to support TLS 1.2 - 1.3 a few minutes ago, so it should be in better shape:

[image]

(from https://www.ssllabs.com/ssltest/analyze.html?d=clojars.org&s=3.138.63.125&latest)

For repo.clojars.org, my testing shows it only supports TLS 1.2:

[image]

(from https://www.ssllabs.com/ssltest/analyze.html?d=repo.clojars.org&s=151.101.1.128&hideResults=on).

But it looks like you are getting different results. What tool are you using to check the protocols?

RamAnvesh commented 3 months ago

https://www.site24x7.com/tools/tls-checker.html

Please try with Mumbaitest location

On Mon, 24 Jun, 2024, 16:39 Toby Crawley, @.***> wrote:

> Hi @RamAnvesh! Thanks for the report!
>
> I just upgraded the SSL policy for clojars.org to support TLS 1.2 - 1.3 a few minutes ago, so it should be in better shape.
>
> For repo.clojars.org, my testing shows it only supports TLS 1.2:
>
> image.png (view on web) https://github.com/clojars/clojars-web/assets/2631/b478840a-4f94-4730-aef1-9c5b35b68cf4
>
> (from https://www.ssllabs.com/ssltest/analyze.html?d=repo.clojars.org&s=151.101.1.128&hideResults=on).
>
> But it looks like you are getting different results. What tool are you using to check the protocols?


RamAnvesh commented 3 months ago

> I just upgraded the SSL policy for clojars.org to support TLS 1.2 - 1.3 a few minutes ago, so it should be in better shape

That's great. Reflects in my tool as well. repo.clojars.org still shows that no TLS is enabled

tobias commented 3 months ago

I see an error from https://www.site24x7.com/tools/tls-checker.html from any location (Server busy, select another location or try after sometime...) when checking repo.clojars.org, so it isn't clear that that tool works for the CDN.

RamAnvesh commented 3 months ago

> I see an error from https://www.site24x7.com/tools/tls-checker.html from any location (Server busy, select another location or try after sometime...) when checking repo.clojars.org, so it isn't clear that that tool works for the CDN.

You are right. This might be an issue with the tool.

  • What sort of error do you get when you try to deploy?

The server may not support the client's requested TLS protocol versions: (TLSv1.2, TLSv1.3). You may need to configure the client to allow other protocols to be used. See: https://docs.gradle.org/8.1.1/userguide/build_environment.html#sec:gradle_system_properties PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

  • What tool are you using to deploy?

Gradle maven publish plugin

  • What happens when you visit https://repo.clojars.org in your browser? If your network blocks some protocols and TLS 1.2 isn't available, I would expect that to fail as well.

The page opens without any issues

  • Can you resolve artifacts from repo.clojars.org? I would also expect this to fail if your network is blocking protocols.

I have not tried this yet. Will try it out. That said, I saw another issue where it is mentioned that clojars.org/repo now redirects to repo.clojars.org, so might already be doing this - and it works intermittently

To conclude, I have a hunch on what the issue might have been. clojars.org had TLS 1.0, 1.1 and 1.2 enabled. Maybe the TLS handshake was happening with 1.0/1.1 sometimes, in which case the upload fails, and with 1.2 sometimes, in which case it succeeds. Looks like you have disabled 1.0, 1.1 and enabled 1.2 and 1.3 - so I don't think I will be facing this issue any more.

Thanks a lot for your time and such quick responses. Please go ahead and close this issue if you please. I will re-open this if I face the issue again.

tobias commented 3 months ago

Glad I could help, and let me know if you see issues in the future!
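
Added example (not part of the original thread, and not Clojars or Gradle code): the Gradle message quoted above combines a protocol-version hint with a PKIX certificate-path failure, so this Python probe pins one TLS version per handshake and separates version rejection from certificate trust failure and from plain network failure. The names `pinned_context`, `probe` and `diagnose` are illustrative, and the probe is assumed to run from the same network as the failing build.

```python
import socket
import ssl
import sys

VERSIONS = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)  # the two named in the Gradle error


def pinned_context(version):
    """Verifying client context that can negotiate only `version`."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe(host, port, version, timeout=5.0):
    """Attempt one handshake; return ok / cert-untrusted / rejected / unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with pinned_context(version).wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError:
        # The version was agreed, but the chain did not validate
        # (the failure Java reports as "PKIX path building failed").
        return "cert-untrusted"
    except ssl.SSLError:
        return "rejected"      # TLS alert, wrong version, or a non-TLS reply
    except OSError:
        return "unreachable"   # refused, reset, timeout, DNS failure


def diagnose(results):
    """Map {version name: probe result} to the likely class of problem."""
    states = set(results.values())
    if "cert-untrusted" in states:
        return "trust"      # chain is not anchored in this client's trust store
    if "ok" in states:
        return "none"       # at least one allowed version works from this network
    if states == {"unreachable"}:
        return "network"
    return "protocol"       # reachable, but no allowed version was accepted


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "repo.clojars.org"
    results = {v.name: probe(host, 443, v) for v in VERSIONS}
    for name, state in results.items():
        print(f"{name}: {state}")
    print("diagnosis:", diagnose(results))
```

Python validates against its own trust store, not the JVM's `cacerts`, so an `ok` here alongside a PKIX failure in Gradle points at the JVM truststore rather than at the server's protocol support.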