Question

Which TLS versions are supported by Central?

Answer

As of June 18th 2018, Central (repo1.maven.org & repo.maven.apache.org) supports TLS 1.2 only. If you encounter the error message

"Received fatal alert: protocol_version"

or

"peer not authenticated"

you have four options for remediation:

  1. Upgrade your Java runtime, for example with OpenJDK builds or Oracle paid support
  2. Configure your Java runtime to enable TLS 1.2 by adding -Dhttps.protocols=TLSv1.2
  3. Use a repository manager that uses a Java version supporting TLS 1.2
  4. Revert to http until you can achieve one of the above remediation steps.

Question

Why did this happen?

Answer

TLS 1.1 is inherently insecure, and to maintain compliance our provider removed the last vestiges of support:

By June 18th, 2018, all customers, including those on dedicated endpoints, should have converted to TLS-1.2. Due to the PCI Security Standards Council mandate, older TLS implementations are no longer supported on Fastly infrastructure on shared or dedicated endpoints.

To read more on this, see the GitHub blog.

Question

Who is affected?

Answer

If you are using http to access Central, or Java 8+ with https urls, you are not affected.

Java 7 supports TLS 1.2, but it is disabled by default in versions before 1.7.0_131-b31. For older Java 7 users, the following Apache Maven workaround enables it:

mvn -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 <goals>

or add the following to your environment or build script:

export MAVEN_OPTS=-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2

If you are on Java 6, you will need to switch back to http or upgrade to a more modern Java version. Very recent versions of Java 6 claim to have TLS 1.2 support, but we have not confirmed it yet. See here for more information:

Changes in 6u115 b32 TLS v1.2 support now available
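
The version rules in this answer, written as a shell check. This is an added example, not Sonatype's or Maven's own tooling. The function name classify_java_tls and its result labels are made up for illustration, and it compares the Java 7 update number only, ignoring the build suffix (b31).

```shell
#!/bin/sh
# Added example: map a Java version string to the remediation described above.
# classify_java_tls and its output labels are hypothetical names.
# Prints: ok | needs-flag | upgrade-or-http | unknown
classify_java_tls() {
    ver=$1
    case $ver in
        1.*) rest=${ver#1.}; major=${rest%%.*} ;;  # legacy scheme: 1.7.0_80 -> 7
        *)   major=${ver%%[!0-9]*} ;;              # modern scheme: 11.0.2 -> 11
    esac
    case $major in
        ''|*[!0-9]*) echo unknown; return 1 ;;
    esac
    # Update number follows the underscore: 1.7.0_131-b31 -> 131 (0 if absent).
    # Simplification: the build suffix (-b31) is not compared.
    case $ver in
        *_*) upd=${ver#*_}; upd=${upd%%[!0-9]*}; upd=${upd:-0} ;;
        *)   upd=0 ;;
    esac
    if [ "$major" -ge 8 ]; then
        echo ok                      # TLS 1.2 enabled by default
    elif [ "$major" -eq 7 ] && [ "$upd" -ge 131 ]; then
        echo ok
    elif [ "$major" -eq 7 ]; then
        echo needs-flag              # supported, but disabled by default
    else
        echo upgrade-or-http         # Java 6 and older
    fi
}

# Report on the local JVM, if there is one on PATH.
if command -v java >/dev/null 2>&1; then
    v=$(java -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    r=$(classify_java_tls "$v" || true)
    echo "java $v: $r"
    if [ "$r" = needs-flag ]; then
        echo 'export MAVEN_OPTS=-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2'
    fi
fi
```

Run it on each build agent to see which ones need the MAVEN_OPTS setting before they can reach Central over https.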

Question

I cannot implement the above required changes in my environment -- what are my options?

Answer

We don't recommend this, but http://repo1.maven.org is, and will continue to be, supported in the long term.