
GitHub removes weak cryptographic standards

Since 23 Feb 2018, one of my work operations has kept failing. In my workspace, a Jenkins job checks out a Git repo and then runs Bower and Gulp for dependencies. It kept saying that it failed to connect to GitHub. The error said the HTTP protocol is not supported, or that an HTTP connection cannot be made. It turned out that our Jenkins server could no longer fetch anything from GitHub because GitHub had dropped support for the following weak cryptographic standards:

  • TLSv1/TLSv1.1
  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1

Ref: https://github.com/blog/2507-weak-cryptographic-standards-removed

Since the incident, I have become aware that the Linux server we use for Jenkins is already rather old.

It turned out we had to upgrade our Linux server to the latest openssl, libcurl and git using `yum update openssl libcurl git`.

I thought the story was about to end after my colleagues applied the upgrade. Then dev buddies on the other side of the workspace started complaining that building the application failed. They are actually working on a VM that runs CentOS 6.

After checking, our VM has CentOS 6 with openssl at 0.9 and git at version 1.7.2; neither supports TLS 1.2 (the version GitHub supports from now on).

Therefore the way to fix the issue is to update these modules. Sadly, updating them on CentOS is not straightforward; here are the commands I ran to upgrade them:

Update openssl (you may need sudo):

# cd /usr/src
# wget https://www.openssl.org/source/openssl-1.0.2-latest.tar.gz
# tar -zxf openssl-1.0.2-latest.tar.gz
# cd openssl-1.0.2*/
# ./config
# make
# make test
# make install
# openssl version

If the reported version is still wrong, run `which openssl` to see which openssl binary your PATH is pointing at.

Update Git:

# yum install http://opensource.wandisco.com/centos/6/git/x86_64/wandisco-git-release-6-1.noarch.rpm
# yum install git
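
To confirm a build host is past the cut-off after these upgrades, the script below is an added example (not part of the original post) that checks whether the `openssl` on PATH is new enough for TLS 1.2 and whether the SSH client lists any key exchange other than the two removed SHA-1 groups. The function names and the `--run` switch are made up for this example; it assumes TLS 1.2 first shipped in OpenSSL 1.0.1, an `ssh` recent enough to support `-Q kex`, and it does not inspect the TLS library that libcurl and git are linked against.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for a build host (not from the original post).

# Succeeds if an `openssl version` line reports 1.0.1 or newer, the first
# OpenSSL release with TLS 1.2. Returns 2 if the line cannot be parsed.
openssl_has_tls12() {
    local ver major rest minor patch
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -gt 0 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 1 ]; then return 0; fi
    return 1
}

# Prints the key-exchange algorithms from an `ssh -Q kex` style list (one per
# line) that are NOT among the two SHA-1 groups named in the post.
kex_after_removal() {
    printf '%s\n' "$1" | grep -v -x -e 'diffie-hellman-group1-sha1' \
                                    -e 'diffie-hellman-group14-sha1' || true
}

# Runs both checks against the local machine; needs openssl and ssh on PATH.
preflight() {
    local rc=0
    if openssl_has_tls12 "$(openssl version 2>/dev/null)"; then
        echo "openssl: TLS 1.2 capable ($(command -v openssl))"
    else
        echo "openssl: too old or unparseable ($(command -v openssl))"; rc=1
    fi
    if [ -n "$(kex_after_removal "$(ssh -Q kex 2>/dev/null)")" ]; then
        echo "ssh: offers key exchange beyond the removed SHA-1 groups"
    else
        echo "ssh: no usable key exchange listed (or ssh too old for -Q)"; rc=1
    fi
    return "$rc"
}

# Only touch the local system when asked to: ./preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```

The printed path shows which `openssl` binary was actually tested, which matters when a source build and the distribution package are both installed.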

Hope this helps.
