From 3b9644b8ef34cb59878b9d75a72920b5046dec9f Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Tue, 3 Apr 2018 10:17:34 -0700
Subject: [PATCH] Use TLS 1.2 for GitHub downloads in Windows

---
 8-jdk/windows/nanoserver-sac2016/Dockerfile | 13 +++++++++++++
 8-jdk/windows/windowsservercore-1709/Dockerfile | 1 +
 8-jdk/windows/windowsservercore-ltsc2016/Dockerfile | 1 +
 9-jdk/windows/nanoserver-sac2016/Dockerfile | 13 +++++++++++++
 9-jdk/windows/windowsservercore-1709/Dockerfile | 1 +
 9-jdk/windows/windowsservercore-ltsc2016/Dockerfile | 1 +
 6 files changed, 30 insertions(+)

diff --git a/8-jdk/windows/nanoserver-sac2016/Dockerfile b/8-jdk/windows/nanoserver-sac2016/Dockerfile
index aa125724..d96beeb1 100644
--- a/8-jdk/windows/nanoserver-sac2016/Dockerfile
+++ b/8-jdk/windows/nanoserver-sac2016/Dockerfile
@@ -3,6 +3,19 @@ FROM microsoft/nanoserver:sac2016
 # $ProgressPreference: https://github.com/PowerShell/PowerShell/issues/2138#issuecomment-251261324
 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
 
+# enable TLS 1.2 (Nano Server doesn't support using "[Net.ServicePointManager]::SecurityProtocol")
+# https://docs.microsoft.com/en-us/system-center/vmm/install-tls?view=sc-vmm-1801
+# https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-tls-12
+RUN Write-Host 'Enabling TLS 1.2 (https://githubengineering.com/crypto-removal-notice/) ...'; \
+ $tls12RegBase = 'HKLM:\\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'; \
+ if (Test-Path $tls12RegBase) { throw ('"{0}" already exists!' -f $tls12RegBase) }; \
+ New-Item -Path ('{0}/Client' -f $tls12RegBase) -Force; \
+ New-Item -Path ('{0}/Server' -f $tls12RegBase) -Force; \
+ New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \
+ New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \
+ New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \
+ New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force
+
 ENV JAVA_HOME C:\\ojdkbuild
 RUN $newPath = ('{0}\bin;{1}' -f $env:JAVA_HOME, $env:PATH); \
 Write-Host ('Updating PATH: {0}' -f $newPath); \
diff --git a/8-jdk/windows/windowsservercore-1709/Dockerfile b/8-jdk/windows/windowsservercore-1709/Dockerfile
index a80f36fa..aa9294ce 100644
--- a/8-jdk/windows/windowsservercore-1709/Dockerfile
+++ b/8-jdk/windows/windowsservercore-1709/Dockerfile
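Review bot: The `if (Test-Path $tls12RegBase) { throw ... }` guard is the one line in this RUN whose intent is not self-evident, and without a comment the next maintainer will likely read a build failure here as a bug and "fix" it by overwriting the key with `-Force`, which would silently replace whatever SCHANNEL policy a newer base image ships. A one-line comment above it would preserve the intent, e.g. `# fail loudly if the base image starts shipping this key: that means this workaround should be deleted, not merged over the image's own policy`. Separately, only the `Client` subkey is needed for an outbound `Invoke-WebRequest`; the two `Server` lines enable TLS 1.2 for inbound SCHANNEL listeners, which nothing visible in the hunk uses, so either drop them or say why they are set. The download step that depends on this key is outside the hunk, so I cannot confirm from here that it is the only consumer.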
@@ -17,6 +17,7 @@ ENV JAVA_OJDKBUILD_SHA256 7fcd9909173ed19f4ae6c0bba8b32b1e6bece2d49eb9d87271828b
 
 RUN $url = ('https://github.com/ojdkbuild/ojdkbuild/releases/download/{0}/{1}' -f $env:JAVA_OJDKBUILD_VERSION, $env:JAVA_OJDKBUILD_ZIP); \
 Write-Host ('Downloading {0} ...' -f $url); \
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; \
 Invoke-WebRequest -Uri $url -OutFile 'ojdkbuild.zip'; \
 Write-Host ('Verifying sha256 ({0}) ...' -f $env:JAVA_OJDKBUILD_SHA256); \
 if ((Get-FileHash ojdkbuild.zip -Algorithm sha256).Hash -ne $env:JAVA_OJDKBUILD_SHA256) { \
diff --git a/8-jdk/windows/windowsservercore-ltsc2016/Dockerfile b/8-jdk/windows/windowsservercore-ltsc2016/Dockerfile
index d1b95d1c..3782abf3 100644
--- a/8-jdk/windows/windowsservercore-ltsc2016/Dockerfile
+++ b/8-jdk/windows/windowsservercore-ltsc2016/Dockerfile
@@ -17,6 +17,7 @@ ENV JAVA_OJDKBUILD_SHA256 7fcd9909173ed19f4ae6c0bba8b32b1e6bece2d49eb9d87271828b
 
 RUN $url = ('https://github.com/ojdkbuild/ojdkbuild/releases/download/{0}/{1}' -f $env:JAVA_OJDKBUILD_VERSION, $env:JAVA_OJDKBUILD_ZIP); \
 Write-Host ('Downloading {0} ...' -f $url); \
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; \
 Invoke-WebRequest -Uri $url -OutFile 'ojdkbuild.zip'; \
 Write-Host ('Verifying sha256 ({0}) ...' -f $env:JAVA_OJDKBUILD_SHA256); \
 if ((Get-FileHash ojdkbuild.zip -Algorithm sha256).Hash -ne $env:JAVA_OJDKBUILD_SHA256) { \
diff --git a/9-jdk/windows/nanoserver-sac2016/Dockerfile b/9-jdk/windows/nanoserver-sac2016/Dockerfile
index e8227d73..62adadfa 100644
--- a/9-jdk/windows/nanoserver-sac2016/Dockerfile
+++ b/9-jdk/windows/nanoserver-sac2016/Dockerfile
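Review bot: The added `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;` has no explanation, whereas the Nano Server hunk in this same patch cites the GitHub notice; put `# GitHub only speaks TLS 1.2+ (https://githubengineering.com/crypto-removal-notice/); pin it instead of trusting the .NET default` above it. The plain assignment (not `-bor`) limits this process to TLS 1.2 only, which is the right call for a fixed peer because it also forbids negotiating 1.0/1.1, so the comment should say that is intentional before someone widens it. The setting applies only to this RUN step; if any other RUN in these Dockerfiles fetches over HTTPS (none is visible in the hunk) it would still use the .NET default, and the assignment would then belong in the SHELL directive. The same note applies verbatim to the windowsservercore-ltsc2016 hunk on this line. The RUN block continues past the end of the hunk.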
@@ -3,6 +3,19 @@ FROM microsoft/nanoserver:sac2016
 # $ProgressPreference: https://github.com/PowerShell/PowerShell/issues/2138#issuecomment-251261324
 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
 
+# enable TLS 1.2 (Nano Server doesn't support using "[Net.ServicePointManager]::SecurityProtocol")
+# https://docs.microsoft.com/en-us/system-center/vmm/install-tls?view=sc-vmm-1801
+# https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-tls-12
+RUN Write-Host 'Enabling TLS 1.2 (https://githubengineering.com/crypto-removal-notice/) ...'; \
+ $tls12RegBase = 'HKLM:\\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'; \
+ if (Test-Path $tls12RegBase) { throw ('"{0}" already exists!' -f $tls12RegBase) }; \
+ New-Item -Path ('{0}/Client' -f $tls12RegBase) -Force; \
+ New-Item -Path ('{0}/Server' -f $tls12RegBase) -Force; \
+ New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \
+ New-ItemProperty -Path ('{0}/Client' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force; \
+ New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'DisabledByDefault' -PropertyType DWORD -Value 0 -Force; \
+ New-ItemProperty -Path ('{0}/Server' -f $tls12RegBase) -Name 'Enabled' -PropertyType DWORD -Value 1 -Force
+
 ENV JAVA_HOME C:\\ojdkbuild
 RUN $newPath = ('{0}\bin;{1}' -f $env:JAVA_HOME, $env:PATH); \
 Write-Host ('Updating PATH: {0}' -f $newPath); \
diff --git a/9-jdk/windows/windowsservercore-1709/Dockerfile b/9-jdk/windows/windowsservercore-1709/Dockerfile
index a1e37ca9..5010d499 100644
--- a/9-jdk/windows/windowsservercore-1709/Dockerfile
+++ b/9-jdk/windows/windowsservercore-1709/Dockerfile
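Review bot: The two `Server` subkey lines (`New-Item -Path ('{0}/Server' ...)` and the matching `New-ItemProperty` pair) widen this change beyond what the commit title describes: an outbound `Invoke-WebRequest` only consults the `Client` side of SCHANNEL, and nothing visible in this hunk listens for inbound TLS, so the `Server` lines should be dropped or justified in the existing comment block. The `throw` when the key already exists is a deliberate tripwire for the base image catching up, but it reads like a bug without a note; add `# a pre-existing key means the base image now handles this: remove this RUN rather than overwriting its policy` above the `if (Test-Path ...)` line. The download step that relies on this registry change is outside the hunk, so I cannot confirm from here whether anything else in the image depends on the `Server` side.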
@@ -17,6 +17,7 @@ ENV JAVA_OJDKBUILD_SHA256 1333ab5bccc20e9043f0593b001825cbfa141f0e0c850d877af6b8
 
 RUN $url = ('https://github.com/ojdkbuild/ojdkbuild/releases/download/{0}/{1}' -f $env:JAVA_OJDKBUILD_VERSION, $env:JAVA_OJDKBUILD_ZIP); \
 Write-Host ('Downloading {0} ...' -f $url); \
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; \
 Invoke-WebRequest -Uri $url -OutFile 'ojdkbuild.zip'; \
 Write-Host ('Verifying sha256 ({0}) ...' -f $env:JAVA_OJDKBUILD_SHA256); \
 if ((Get-FileHash ojdkbuild.zip -Algorithm sha256).Hash -ne $env:JAVA_OJDKBUILD_SHA256) { \
diff --git a/9-jdk/windows/windowsservercore-ltsc2016/Dockerfile b/9-jdk/windows/windowsservercore-ltsc2016/Dockerfile
index a1a88c49..45e14b57 100644
--- a/9-jdk/windows/windowsservercore-ltsc2016/Dockerfile
+++ b/9-jdk/windows/windowsservercore-ltsc2016/Dockerfile
@@ -17,6 +17,7 @@ ENV JAVA_OJDKBUILD_SHA256 1333ab5bccc20e9043f0593b001825cbfa141f0e0c850d877af6b8
 
 RUN $url = ('https://github.com/ojdkbuild/ojdkbuild/releases/download/{0}/{1}' -f $env:JAVA_OJDKBUILD_VERSION, $env:JAVA_OJDKBUILD_ZIP); \
 Write-Host ('Downloading {0} ...' -f $url); \
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; \
 Invoke-WebRequest -Uri $url -OutFile 'ojdkbuild.zip'; \
 Write-Host ('Verifying sha256 ({0}) ...' -f $env:JAVA_OJDKBUILD_SHA256); \
 if ((Get-FileHash ojdkbuild.zip -Algorithm sha256).Hash -ne $env:JAVA_OJDKBUILD_SHA256) { \
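Review bot: The new `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;` line is undocumented, while the Nano Server hunks in this patch cite the reason; add `# GitHub dropped TLS 1.0/1.1 (https://githubengineering.com/crypto-removal-notice/); pin 1.2 only, on purpose` above it so the exclusive assignment is not later "relaxed" with `-bor` to older protocols. The setting is process-scoped to this one RUN; if other RUN steps in these Dockerfiles download over HTTPS (not visible in the hunk) they still run with the .NET default and the line belongs in the SHELL directive instead. The same applies to the windowsservercore-ltsc2016 hunk on this line, and in both the RUN block continues past the end of the hunk.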