Closed RamAnvesh closed 3 months ago
Hi @RamAnvesh! Thanks for the report!
I just upgraded the SSL policy for clojars.org to support TLS 1.2 - 1.3 a few minutes ago, so it should be in better shape:
(from https://www.ssllabs.com/ssltest/analyze.html?d=clojars.org&s=3.138.63.125&latest)
or repo.clojars.org, my testing shows it only supports TLS 1.2:
(from https://www.ssllabs.com/ssltest/analyze.html?d=repo.clojars.org&s=151.101.1.128&hideResults=on).
But it looks like you are getting different results. What tool are you using to check the protocols?
https://www.site24x7.com/tools/tls-checker.html
Please try with Mumbaitest location
On Mon, 24 Jun, 2024, 16:39 Toby Crawley, @.***> wrote:
Hi @RamAnvesh https://github.com/RamAnvesh! Thanks for the report!
I just upgraded the SSL policy for clojars.org to support TLS 1.2 - 1.3 a few minutes ago, so it should be in better shape.
or repo.clojars.org, my testing shows it only supports TLS 1.2:
image.png (view on web) https://github.com/clojars/clojars-web/assets/2631/b478840a-4f94-4730-aef1-9c5b35b68cf4
(from https://www.ssllabs.com/ssltest/analyze.html?d=repo.clojars.org&s=151.101.1.128&hideResults=on ).
But it looks like you are getting different results. What tool are you using to check the protocols?
— Reply to this email directly, view it on GitHub https://github.com/clojars/clojars-web/issues/884#issuecomment-2186308594, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAP4POLXXK7DH34S6J43Z6DZI745HAVCNFSM6AAAAABJZNA6LGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCOBWGMYDQNJZGQ . You are receiving this because you were mentioned.Message ID: @.***>
I just upgraded the SSL policy for clojars.org to support TLS 1.2 - 1.3 a few minutes ago, so it should be in better shape
That's great. Reflects in my tool as well. repo.clojars.org still shows that no TLS is enabled
I see an error from https://www.site24x7.com/tools/tls-checker.html from any location (Server busy, select another location or try after sometime...
) when checking repo.clojars.org, so it isn't clear that that tool works for the CDN.
I see an error from https://www.site24x7.com/tools/tls-checker.html from any location (
Server busy, select another location or try after sometime...
) when checking repo.clojars.org, so it isn't clear that that tool works for the CDN.
You are right. This might be an issue with the tool.
- What sort of error do you get when you try to deploy?
The server may not support the client's requested TLS protocol versions: (TLSv1.2, TLSv1.3). You may need to configure the client to allow other protocols to be used. See: https://docs.gradle.org/8.1.1/userguide/build_environment.html#sec:gradle_system_properties PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- What tool are you using to deploy?
Gradle maven publish plugin
- What happens when you visit https://repo.clojars.org in your browser? If your network blocks some protocols and TLS 1.2 isn't available, I would expect that to fail as well.
The page opens without any issues
- Can you resolve artifacts from repo.clojars.org? I would also expect this to fail if your network is blocking protocols.
I have not tried this yet. Will try it out. That said, I saw another issue were it is mentioned that clojars.org/repo
now redirects to repo.clojars.org
, So might already be doing this - and it works intermittently
To conclude, I have a hunch on what the issue might have been. clojars.org
had TLS 1.0, 1.1 and 1.2 enabled. Maybe the TLS handshake was happening with 1.0/1.1 some times, in which case the upload fails, and with 1.2 sometimes, in which case it succeeds.
Looks like you have disabled 1.0,1.1 and enabled 1.2 and 1.3 - so I don't think I will be facing this issue any more.
Thanks a lot for your time and such quick responses. Please go ahead and close this issue if you please. I will re-open this if I face the issue again.
Glad I could help, and let me know if you see issues in the future!
This is apparently happening because the server doesn't support TLS 1.2/1.3 which are the only allowed protocols in our network.
A TLS checker tool says clojar.org has TLS 1.2 enabled, but repo.clojars.org doesn't have any TLS version 🤔 .
Can you please let me know what is the best way to upload artefacts without encountering these errors?