Discontinued support for TLSv1.1 and below on Publishing servers and search.maven.org

Question

Which TLS versions are supported by Central Services?

Answer

As of September 30th 2021, the Publishing servers and search.maven.org supports TLS 1.2 only. Primary user facing services (repo1.maven.org, repo.maven.apache.org) are already configured in this fashion.

The list of affected Endpoints is below:

• https://search.maven.org
• https://oss.sonatype.org
• https://s01.oss.sonatype.org
• https://aws.oss.sonatype.org
• https://google.oss.sonatype.org
• https://jakarta.oss.sonatype.org

You may encounter different errors depending on the client/browser used to query the services above. Some of them could be:

• ERR_SSL_VERSION_OR_CYPHER_MISMATCH
• Secure Connection Failed ssl_error_no_cypher_overlap
• Received fatal alert: protocol_version
• peer not authenticated

If you encounter any issue similar to these, you need to update your client/browser to one that supports TLS 1.2 to continue using any of the services

Question

Why did this happen?

Answer

TLS 1.1 or below are inherently insecure and in order to maintain compliance with best practices we are forcing the minimum TLS version to 1.2.

Question

I cannot implement the above required changes in my environment -- what are my options?

Answer

You won't be able to query or access the mentioned services. There is no workaround.

Question

What about support of TLS 1.3?

Answer

We are evaluating and waiting for the support being available on all our providers to add future support of TLS 1.3 on our services.