Fixing Gradle Dependency Resolution

Maven Central and Bintray have announced that they will discontinue support for TLS v1.1 and below. Here’s what you need to know to correct your Gradle builds.

Eric Wendelin

Updated Jun. 25, 18 · Tutorial

Likes (2)

Comment

Save

16.1K Views

Maven Central and Bintray have announced that they will discontinue support for TLS v1.1 and below. Here’s what you need to know to correct your Gradle builds if you’re affected.

You will need to take action if you are using Java 6 or 7 and using Gradle versions 2.1 through 4.8.

How to Check if You’re Affected

You may already be getting one of the following errors from your build after an error message saying: “Could not resolve [coordinates]”:

Received fatal alert: protocol_version

Peer not authenticated

If not, you can check to see whether you will be affected by running the following code:

gradle --version       # Without Gradle Wrapper

./gradlew --version    # Using Gradle Wrapper on *nix

gradlew.bat --version  # Using Gradle Wrapper on Windows

It will print something like this:

------------------------------------------------------------
Gradle 3.5
------------------------------------------------------------

Build time:   2017-04-10 13:37:25 UTC
Revision:     b762622a185d59ce0cfc9cbc6ab5dd22469e18a6

Groovy:       2.4.10
Ant:          Apache Ant(TM) version 1.9.6 compiled on June 29 2015
JVM:          1.7.0_80 (Oracle Corporation 24.80-b11)
OS:           Mac OS X 10.13.5 x86_64

You must take action, if all of these are true:

JVM version is Java 7u130 or lower
and the Gradle version is between 2.1 and 4.8, inclusive
and you have declared a repository {} of mavenCentral() or jcenter()

How to Use TLS 1.2 for Dependency Resolution

You can take any one of the following actions to use TLS v1.2+:

Run Gradle with Java 1.7.0_131-b31 or above
or upgrade to Gradle 4.8.1 or above
or replace mavenCentral() with maven { url = "http://repo.maven.apache.org/maven2" } and jcenter() with maven { url = "http://jcenter.bintray.com" }

The first two solutions are recommended. While, the third opens a possible attack vector.

Other Resources

Posts about discontinued support for old versions of TLS on Maven Central and in the Bintray knowledge base explain the background for the necessity of these changes.

You may also find Gradle-specific details from gradle/gradle#5740 on GitHub.

Gradle Dependency

Published at DZone with permission of Eric Wendelin, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Related

Trending