I think I understand the cause for the confusion — The agent bootstrapper is provided port 8153, where it performs the initial handshake. As part of the handshake between the agent and server, the server tells the agent about the SSL port that it should communicate with (port 8154).
This initial handshake over an insecure channel, allowed a window of possibility for someone to MITM the handshake and mess around with all further communication between the server and agent. >From 16.7 onwards, we've fixed this initial handshake so it always happens over SSL — there is no way to override this behaviour. On Thu, Jul 28, 2016 at 12:33 PM Christian Kniep <[email protected]> wrote: > Hey there, > > I am happily using GOCD, but somehow I am confused here. I am using a > server which is not providing SSL (the config does not provide a SSL_URL) > and I set the aforementioned environment variables to use 8153 and http > (_URL). > But when running agent.sh he updates himself to use the https://<url>:8154 > target. I am a bit puzzled how this happens. > > Does the bootstrap.jar assumes to use https? How can I force gocd-agent to > not use SSL? > I tried with 16.5 and 16.6, while the server runs 16.6. > > Thanks guys, nice project! > Christian > > -- > You received this message because you are subscribed to the Google Groups > "go-cd" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "go-cd" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
