diff --git a/.mvn/extensions.xml b/.mvn/extensions.xml
new file mode 100644
index 000000000..94863e605
--- /dev/null
+++ b/.mvn/extensions.xml
@@ -0,0 +1,7 @@
+<extensions xmlns="http://maven.apache.org/EXTENSIONS/1.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/EXTENSIONS/1.0.0 http://maven.apache.org/xsd/core-extensions-1.0.0.xsd">
+  <extension>
+    <groupId>io.jenkins.tools.incrementals</groupId>
+    <artifactId>git-changelist-maven-extension</artifactId>
+    <version>1.0-beta-7</version>
+  </extension>
+</extensions>
diff --git a/.mvn/maven.config b/.mvn/maven.config
new file mode 100644
index 000000000..2a0299c48
--- /dev/null
+++ b/.mvn/maven.config
@@ -0,0 +1,2 @@
+-Pconsume-incrementals
+-Pmight-produce-incrementals
diff --git a/CHANGELOG-2.x.md b/CHANGELOG-2.x.md
index 8cf9d8b4d..ba5797a21 100644
--- a/CHANGELOG-2.x.md
+++ b/CHANGELOG-2.x.md
@@ -1,21 +1,18 @@
 Remoting 2.x Changelog
 ====
 
-Below you can changelogs for Remoting <code>2.x</code>.
+:exclamation: Below you can see changelogs for the **obsolete** Remoting <code>2.x</code> baseline.
 This version only contains bugfixes and performance improvements.
 Current mainline is Remoting <code>3.x</code>, changelogs are available [here](CHANGELOG.md).
-
-The file also provides links to Jenkins versions, 
-which bundle the specified remoting version.
-See [Jenkins changelog](https://jenkins.io/changelog/) for more details.
+There is no plan to release new versions of Remoting 2.x.
 
 ##### 2.62.6
 
-Release date: Can be released on-demand
+Release date: Jun 26, 2017
 
 Fixed issues:
 
-* [JENKINS-41852](https://issues.jenkins-ci.org/browse/JENKINS-41852) - 
+* [JENKINS-41852](https://issues.jenkins-ci.org/browse/JENKINS-41852) -
 Fix exported object pinning logic to prevent release due to the integer overflow.
 ([PR #148](https://github.com/jenkinsci/remoting/pull/148))
 
@@ -25,8 +22,8 @@ Release date: Feb 01, 2017
 
 Fixed issues:
 
-* [SECURITY-383](https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01) - 
-Blacklist classes vulnerable to a remote code execution involving the deserialization of various types in 
+* [SECURITY-383](https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01) -
+Blacklist classes vulnerable to a remote code execution involving the deserialization of various types in
 `javax.imageio.*`, `java.util.ServiceLoader`, and `java.net.URLClassLoader`.
 
 ##### 2.62.4
@@ -35,19 +32,19 @@ Release date: Nov 21, 2016
 
 Fixed issues:
 
-* [JENKINS-25218](https://issues.jenkins-ci.org/browse/JENKINS-25218) - 
+* [JENKINS-25218](https://issues.jenkins-ci.org/browse/JENKINS-25218) -
 Hardening of FifoBuffer operation logic. The change adds additional minor fixes to the original fix in `remoting-2.54`.
 ([PR #100](https://github.com/jenkinsci/remoting/pull/100))
 
 Improvements:
 
-* [JENKINS-39150](https://issues.jenkins-ci.org/browse/JENKINS-39150) - 
+* [JENKINS-39150](https://issues.jenkins-ci.org/browse/JENKINS-39150) -
 Add logic for dumping diagnostics across all the channels.
 ([PR #122](https://github.com/jenkinsci/remoting/pull/122), [PR #125](https://github.com/jenkinsci/remoting/pull/125))
-* [JENKINS-39543](https://issues.jenkins-ci.org/browse/JENKINS-39543) - 
+* [JENKINS-39543](https://issues.jenkins-ci.org/browse/JENKINS-39543) -
 Improve the caller/callee correlation diagnostics in thread dumps.
 ([PR #119](https://github.com/jenkinsci/remoting/pull/119))
-* [JENKINS-39290](https://issues.jenkins-ci.org/browse/JENKINS-39290) - 
+* [JENKINS-39290](https://issues.jenkins-ci.org/browse/JENKINS-39290) -
 Add the `org.jenkinsci.remoting.nio.NioChannelHub.disabled` flag for disabling NIO (mostly for debugging purposes).
 ([PR #123](https://github.com/jenkinsci/remoting/pull/123))
 
@@ -55,7 +52,7 @@ Add the `org.jenkinsci.remoting.nio.NioChannelHub.disabled` flag for disabling N
 
 Release date: (Nov 13, 2016) => Jenkins 2.19.3 LTS
 
-* [SECURITY-360](https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16) - 
+* [SECURITY-360](https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16) -
 Blacklist serialization of particular classes to close the Remote code execution vulnerability.
 ([Commit #b7ac85ed4ae41482d9754a881df91d2eb86d047d](https://github.com/jenkinsci/remoting/commit/b7ac85ed4ae41482d9754a881df91d2eb86d047d))
 
@@ -65,33 +62,33 @@ Release date: (Oct 7, 2016) => Jenkins 2.19.3 LTS
 
 Fixed issues:
 
-* [JENKINS-38539](https://issues.jenkins-ci.org/browse/JENKINS-38539) - 
+* [JENKINS-38539](https://issues.jenkins-ci.org/browse/JENKINS-38539) -
 Stability: Turn on SO_KEEPALIVE and provide CLI option to turn it off again.
 (https://github.com/jenkinsci/remoting/pull/110)
-* [JENKINS-37539](https://issues.jenkins-ci.org/browse/JENKINS-37539) - 
+* [JENKINS-37539](https://issues.jenkins-ci.org/browse/JENKINS-37539) -
 Prevent <code>NullPointerException</code> in <code>Engine#connect()</code> when host or port parameters are <code>null</code> or empty.
 (https://github.com/jenkinsci/remoting/pull/101)
-* [CID-152201] - 
+* [CID-152201] -
 Fix resource leak in <code>remoting.jnlp.Main</code>.
 (https://github.com/jenkinsci/remoting/pull/102)
-* [CID-152200,CID-152202] - 
+* [CID-152200,CID-152202] -
 Resource leak in Encryption Cipher I/O streams on exceptional paths.
 (https://github.com/jenkinsci/remoting/pull/104)
 
-##### 2.62 
+##### 2.62
 
 Release date: (Aug 14, 2016) => Jenkins 2.17, 2.19.1 LTS
 
 Fixed issues:
-* [JENKINS-22853](https://issues.jenkins-ci.org/browse/JENKINS-22853) - 
+* [JENKINS-22853](https://issues.jenkins-ci.org/browse/JENKINS-22853) -
 Be robust against the delayed EOF command when unexporting input and output streams.
 (https://github.com/jenkinsci/remoting/pull/97)
-* Fixed ~20 minor issues reported by FindBugs. 
+* Fixed ~20 minor issues reported by FindBugs.
 More fixes to be delivered in future versions.
 (https://github.com/jenkinsci/remoting/pull/96)
 
 Enhancements:
-* [JENKINS-37218](https://issues.jenkins-ci.org/browse/JENKINS-37218) - 
+* [JENKINS-37218](https://issues.jenkins-ci.org/browse/JENKINS-37218) -
 Performance: <code>ClassFilter</code> does not use Regular Expressions anymore to match <code>String.startsWith</code> patterns.
 (https://github.com/jenkinsci/remoting/pull/92)
 * [JENKINS-37031](https://issues.jenkins-ci.org/browse/JENKINS-37031)
@@ -103,7 +100,7 @@ Performance: <code>ClassFilter</code> does not use Regular Expressions anymore t
 Release date: (Aug 5, 2016) => Jenkins 2.17, 2.19.1 LTS
 
 Fixed issues:
-* [JENKINS-37140](https://issues.jenkins-ci.org/browse/JENKINS-37140) - 
+* [JENKINS-37140](https://issues.jenkins-ci.org/browse/JENKINS-37140) -
 JNLP Slave connection issue with *JNLP3-connect* protocol when the generated encrypted cookie contains a newline symbols.
 (https://github.com/jenkinsci/remoting/pull/95)
 * [JENKINS-36991](https://issues.jenkins-ci.org/browse/JENKINS-36991) -
@@ -119,24 +116,24 @@ Enhancements:
 Release date: (June 10, 2016) => Jenkins 2.9, 2.7.2
 
 Fixed issues:
-* [JENKINS-22722](https://issues.jenkins-ci.org/browse/JENKINS-22722) - 
-Make the channel reader tolerant against Socket timeouts. 
+* [JENKINS-22722](https://issues.jenkins-ci.org/browse/JENKINS-22722) -
+Make the channel reader tolerant against Socket timeouts.
 (https://github.com/jenkinsci/remoting/pull/80)
-* [JENKINS-32326](https://issues.jenkins-ci.org/browse/JENKINS-32326) - 
-Support no_proxy environment variable. 
+* [JENKINS-32326](https://issues.jenkins-ci.org/browse/JENKINS-32326) -
+Support no_proxy environment variable.
 (https://github.com/jenkinsci/remoting/pull/84)
-* [JENKINS-35190](https://issues.jenkins-ci.org/browse/JENKINS-35190)  - 
-Do not invoke PingFailureAnalyzer for agent=>master ping failures. 
+* [JENKINS-35190](https://issues.jenkins-ci.org/browse/JENKINS-35190)  -
+Do not invoke PingFailureAnalyzer for agent=>master ping failures.
 (https://github.com/jenkinsci/remoting/pull/85)
-* [JENKINS-31256](https://issues.jenkins-ci.org/browse/JENKINS-31256) - 
- <code>hudson.Remoting.Engine#waitForServerToBack</code> now uses credentials for connection. 
+* [JENKINS-31256](https://issues.jenkins-ci.org/browse/JENKINS-31256) -
+ <code>hudson.Remoting.Engine#waitForServerToBack</code> now uses credentials for connection.
 (https://github.com/jenkinsci/remoting/pull/87)
-* [JENKINS-35494](https://issues.jenkins-ci.org/browse/JENKINS-35494) - 
-Fix issues in file management in <code>hudson.remoting.Launcher</code> (main executable class). 
+* [JENKINS-35494](https://issues.jenkins-ci.org/browse/JENKINS-35494) -
+Fix issues in file management in <code>hudson.remoting.Launcher</code> (main executable class).
 (https://github.com/jenkinsci/remoting/pull/88)
 
 Enhancements:
-* Ensure a message is logged if remoting fails to override the default <code>ClassFilter</code>. 
+* Ensure a message is logged if remoting fails to override the default <code>ClassFilter</code>.
 (https://github.com/jenkinsci/remoting/pull/80)
 
 ##### 2.59
@@ -144,8 +141,8 @@ Enhancements:
 Release date: (May 13, 2016) => Jenkins 2.4, 2.7.1
 
 Enhancements:
-* [JENKINS-34819](https://issues.jenkins-ci.org/browse/JENKINS-34819) - 
-Allow disabling the remoting protocols individually. Works around issues like [JENKINS-34121](https://issues.jenkins-ci.org/browse/JENKINS-34121) 
+* [JENKINS-34819](https://issues.jenkins-ci.org/browse/JENKINS-34819) -
+Allow disabling the remoting protocols individually. Works around issues like [JENKINS-34121](https://issues.jenkins-ci.org/browse/JENKINS-34121)
 (https://github.com/jenkinsci/remoting/pull/83)
 
 ##### 2.58
@@ -153,15 +150,14 @@ Allow disabling the remoting protocols individually. Works around issues like [J
 Release date: (May 11, 2016) => Jenkins 2.4, 2.7.1
 
 Fixes issues:
-* [JENKINS-34213](https://issues.jenkins-ci.org/browse/JENKINS-34213) - 
+* [JENKINS-34213](https://issues.jenkins-ci.org/browse/JENKINS-34213) -
 Ensure that the unexporter cleans up whatever it can each sweep.
 (https://github.com/jenkinsci/remoting/pull/81)
-* [JENKINS-19445](https://issues.jenkins-ci.org/browse/JENKINS-19445) - 
+* [JENKINS-19445](https://issues.jenkins-ci.org/browse/JENKINS-19445) -
 Force class load on UserRequest in order to prevent deadlock on windows nodes when using JNA and Subversion.
 (https://github.com/jenkinsci/remoting/pull/82)
 
 Enhancements:
-* [JENKINS-34808](https://issues.jenkins-ci.org/browse/JENKINS-34808) - 
-Allow user to adjust socket timeout in the channel reader. 
+* [JENKINS-34808](https://issues.jenkins-ci.org/browse/JENKINS-34808) -
+Allow user to adjust socket timeout in the channel reader.
 (https://github.com/jenkinsci/remoting/pull/68)
-
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 16283aaa9..b0309623c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,14 +1,283 @@
 Changelog
 ====
 
-Below you can changelogs for the trunk version of remoting.
+Below you can read the changelogs for the trunk version of remoting.
 This file also provides links to Jenkins versions,
 which bundle the specified remoting version.
 See [Jenkins changelog](https://jenkins.io/changelog/) for more details.
 
+##### 3.29
+
+Release date: February 5, 2019
+
+* [JENKINS-55976](https://issues.jenkins-ci.org/browse/JENKINS-55976) Add missing log call.
+
+##### 3.28
+
+Release date: December 10, 2018
+
+* [JENKINS-48778](https://issues.jenkins-ci.org/browse/JENKINS-48778) Enhance the no_proxy configurations. See [NO_PROXY Environment Variable](docs/no_proxy.md) for documentation.
+* Better diagnostics for errors from RemoteClassLoader.fetch4.
+* Ignore attempts to flush a ProxyOutputStream which has already been finalized.
+* [JENKINS-51108](https://issues.jenkins-ci.org/browse/JENKINS-51108) - Allow remoting to publish incrementals.
+* [JENKINS-47977](https://issues.jenkins-ci.org/browse/JENKINS-47977) - Jenkins build failed if Remoting could not create the JAR cache.
+* [JENKINS-50730](https://issues.jenkins-ci.org/browse/JENKINS-50730) - Improve log messaging on reconnect.
+* [JENKINS-49987](https://issues.jenkins-ci.org/browse/JENKINS-49987) - Clean up warnings about anonymous callable.
+* [JENKINS-54005](https://issues.jenkins-ci.org/browse/JENKINS-54005) - Another instance of an unnecessarily severe warning when unexporting.
+
+##### 3.27
+
+Release date: September 28, 2018
+
+* Channel.notifyJar was being called too often.
+* Downgrade error messages from SynchronousCommandTransport.
+* [JENKINS-53569](https://issues.jenkins-ci.org/browse/JENKINS-53569) - Remove unnecessary locking that could cause deadlock when removing a filter from the ProtocolStack.
+
+##### 3.26
+
+Release date: August 31, 2018
+
+* [JENKINS-52945](https://issues.jenkins-ci.org/browse/JENKINS-52945) - AnonymousClassWarnings should not warn about enums.
+* [JENKINS-42533](https://issues.jenkins-ci.org/browse/JENKINS-42533) - Eliminate another excessively severe warning about trying to export already unexported object.
+
+##### 3.25
+
+Release date: July 31, 2018 => Weekly 2.138 / LTS 2.121.3
+
+* [SECURITY-637](https://jenkins.io/security/advisory/2018-08-15/) - Prevent deserialization of URL objects with host components
+
+##### 3.24
+
+Release date: July 12, 2018
+
+* Refresh the code-signing certificate
+* No functional changes
+
+##### 3.23
+
+Release date: June 29, 2018
+
+* [JENKINS-52204](https://issues.jenkins-ci.org/browse/JENKINS-52204) -
+Skip Tcp Agent Listener port availability check when `-tunnel` option is set
+(regression in 3.22)
+
+##### 3.22
+
+Release date: Jun 22, 2018 => 2.129
+
+* [JENKINS-51818](https://issues.jenkins-ci.org/browse/JENKINS-51818) -
+When connecting over TCP, agents will check availability of the master's TCP Agent Listener port
+* [JENKINS-51841](https://issues.jenkins-ci.org/browse/JENKINS-51841) -
+Extensibility: Offer a new `Channel#readFrom(Channel, byte[] payload)` method for a standardized command deserialization from the channel
+* [PR #277](https://github.com/jenkinsci/remoting/pull/277) -
+API: be explicit that `ChannelBuilder#getHeaderStream()` may return null
+
+##### 3.21
+
+Enhancements: Jun 8, 2018 => Jenkins 2.127
+
+* [JENKINS-51551](https://issues.jenkins-ci.org/browse/JENKINS-51551) -
+Developer API: Allow creating custom `CommandTransport` implementation in external 
+components.
+  * Reference implementation: [Remoting Kafka Plugin](https://github.com/jenkinsci/remoting-kafka-plugin)
+* [PR #274](https://github.com/jenkinsci/remoting/pull/274) -
+Do not print channel close reason stack traces for non-sent request responses when
+`hudson.remoting.Request` logging level is lower than `FINE`.
+
+Fixed issues:
+
+* [JENKINS-51223](https://issues.jenkins-ci.org/browse/JENKINS-51223) -
+`no_proxy` environment variable parsing logic did not properly support
+domain suffixes in fully-qualified names. 
+Now it is possible to set suffixes like `.com` in `no_proxy`.
+* [JENKINS-50965](https://issues.jenkins-ci.org/browse/JENKINS-50965) -
+Fix malformed log message when loading of classes is forced by
+the `hudson.remoting.RemoteClassLoader.force` system property.
+* [PR #274](https://github.com/jenkinsci/remoting/pull/274) -
+Prevent exception in IOHub when retrieving base thread name for handlers
+when NIO selector is already closed (race condition).
+
+##### 3.20
+
+Release date: Apr 18, 2018 => Jenkins 2.118, 2.121.1 LTS
+
+* Refresh the Code-signing certificate
+* No functional changes
+
+##### 3.19
+
+Release date: Mar 22, 2018 => Jenkins 2.113
+
+* [JENKINS-49618](https://issues.jenkins-ci.org/browse/JENKINS-49618) -
+Display Remoting version in the agent log when starting up the agent
+* [JENKINS-50237](https://issues.jenkins-ci.org/browse/JENKINS-50237) -
+Include a ProxyException to responses when returning an exception to a `UserRequest`s.
+  * This allows returning the exception details even if Jenkins 2.102+ refuses to deserialize the original exception
+    due to the whitelist violation
+  * More info: [JEP-200 announcement](https://jenkins.io/blog/2018/03/15/jep-200-lts/)
+
+##### 3.18
+
+Release date: Mar 9, 2018 => Jenkins 2.112
+
+* [JENKINS-49415](https://issues.jenkins-ci.org/browse/JENKINS-49415) -
+Add uncaught exception handler to the Engine's executor service 
+* [JENKINS-49472](https://issues.jenkins-ci.org/browse/JENKINS-49472) -
+Log channel name in StreamCorruptedExceptions
+* [JENKINS-48561](https://issues.jenkins-ci.org/browse/JENKINS-48561) -
+Give precedence to proxy exclusion list system property over environmental vars.
+* [JENKINS-49994](https://issues.jenkins-ci.org/browse/JENKINS-49994) -
+Add infrastructure for warning about remoting serialization of anonymous inner classes.
+* [PR #258](https://github.com/jenkinsci/remoting/pull/258) -
+Improve performance by disabling expensive diagnostics in `RemoteClassLoader`
+
+##### 3.17
+
+Release date: Jan 30, 2018 => Jenkins 2.106
+
+* [JENKINS-49027](https://issues.jenkins-ci.org/browse/JENKINS-49027) -
+Improve reporting of JEP-200 violations in Remoting serialization.
+  * More info: [Announcement Blogpost](https://jenkins.io/blog/2018/01/13/jep-200/)
+* [JENKINS-27035](https://issues.jenkins-ci.org/browse/JENKINS-27035) -
+Add read/write events to [Channel.Listener](http://javadoc.jenkins.io/component/remoting/hudson/remoting/Channel.Listener.html)
+to support collection of Request/Response statistics.
+  * More info: [Event Listeners Documentation](/docs/logging.md#event-listeners)
+* [JENKINS-45897](https://issues.jenkins-ci.org/browse/JENKINS-45897) -
+Improve string representation of `Request` types to improve log messages
+
+##### 3.16
+
+Release date: Jan 10, 2018 => Jenkins 2.102
+
+* [PR #208](https://github.com/jenkinsci/remoting/pull/208) -
+Introduce the new `ClassFilter.setDefault` API which allows replacing the default Class Filter
+  * This is a foundation work for [JEP-200](https://github.com/jenkinsci/jep/tree/master/jep/200)/[JENKINS-47736](https://issues.jenkins-ci.org/browse/JENKINS-47736), 
+  which switches the default Remoting/XStream blacklist to whitelist in the Jenkins core
+  * Other Remoting API users are adviced to do the same
+* [PR #208](https://github.com/jenkinsci/remoting/pull/208) -
+Update the blacklist in the default Class Filter to align it with the Jenkins core. 
+New entries:
+  * `^java[.]lang[.]reflect[.]Method$`
+  * `^net[.]sf[.]json[.].*`
+  * `^java[.]security[.]SignedObject$` ([SECURITY-429 advisory](https://jenkins.io/security/advisory/2017-04-26/#cli-unauthenticated-remote-code-execution))
+* [JENKINS-48686](https://issues.jenkins-ci.org/browse/JENKINS-48686) -
+Replace the _slave_ term by _agent_ in logging, UI and Javadocs
+
+
+##### 3.15
+
+Release date: Dec 22, 2017 => Jenkins 2.98
+
+Enhancements:
+
+* [JENKINS-48133](https://issues.jenkins-ci.org/browse/JENKINS-48133) -
+Channel exceptions now record the channel name and other information when possible
+* [PR #210](https://github.com/jenkinsci/remoting/pull/210) - 
+Allow disabling HTTPs certificate validation of JNLP endpoint when starting Remoting
+  * **WARNING**: This option undermines the HTTPs security and opens the connection to MiTM attacks.
+    Use it at your own risk
+* [JENKINS-48055](https://issues.jenkins-ci.org/browse/JENKINS-48055) -
+API: Introduce new `getChannelOrFail()` and `getOpenChannelOrFail()` methods in
+[hudson.remoting.Callable](http://javadoc.jenkins.io/component/remoting/hudson/remoting/Callable.html).
+* [JENKINS-37566](https://issues.jenkins-ci.org/browse/JENKINS-37566) -
+API: `Channel#current()` now explicitly requires checking for `null`.
+* [PR #227](https://github.com/jenkinsci/remoting/pull/227) - 
+API: Deprecate and restrict the obsolete [JNLP3 protocol](docs/protocols.md) utility classes
+
+Fixed issues:
+
+* [JENKINS-48309](https://issues.jenkins-ci.org/browse/JENKINS-48309) -
+Prevent timeout in `AsyncFutureImpl#get(timeout)` when a spurious thread wakeup happens 
+before the timeout expiration.
+  * The issue also impacts [FutureImpl](http://javadoc.jenkins.io/hudson/model/queue/FutureImpl.html) in the Jenkins core
+* [JENKINS-47965](https://issues.jenkins-ci.org/browse/JENKINS-47965) -
+Prevent infinite hanging of JNLP4 `IOHub` selector threads when `IOHub` does not get closed properly 
+  * Affected [protocols](docs/protocols.md): JNLP4 only
+* [JENKINS-48130](https://issues.jenkins-ci.org/browse/JENKINS-48130) -
+Prevent fatal failure of `NIOChannelHub` when an underlying executor service rejects a task execution.
+After the change such failure terminates only a single channel
+  * Affected [protocols](docs/protocols.md): JNLP, JNLP2, CLI and CLI2. JNLP4 is not affected
+  * The change also improves diagnostics of `RejectedExecutionException` in other execution services
+* [JENKINS-37670](https://issues.jenkins-ci.org/browse/JENKINS-37670) -
+Throw the standard `UnsupportedClassVersionError` in `RemoteClassLoader` 
+when the bytecode is not supported.
+* [JENKINS-37566](https://issues.jenkins-ci.org/browse/JENKINS-37566) - 
+Clean up all issues reported by FindBugs. Notable issues:
+  * Prevent infinite hanging of `Channel#waitForProperty()` when the channel hangs in the closing state.
+  * Prevent `NullPointerException`s in `Command#createdAt` handling logic and API
+  * Prevent serialization of `Callable`s in `NioChannelHub` selectors (JNLP1 and JNLP2 protocols)
+* [JENKINS-46724](https://issues.jenkins-ci.org/browse/JENKINS-46724) - 
+Remove obsolete reflection calls in `RemoteClassloader` and `Launcher#checkTty()`
+* [PR #234](https://github.com/jenkinsci/remoting/pull/234) - 
+`hudson.remoting.Capability` preamble initialization cannot longer throw exceptions
+
+Build flow:
+
+* [JENKINS-38696](https://issues.jenkins-ci.org/browse/JENKINS-38696) -
+Fix Windows tests and enable them in the pull request builder
+* [JENKINS-37566](https://issues.jenkins-ci.org/browse/JENKINS-37566) -
+Enforce FindBugs in the pull request builder
+
+
+##### 3.14
+
+Release date: Nov 10, 2017 => [Jenkins 2.90](https://jenkins.io/changelog/#v2.90)
+
+Fixed issues:
+
+* [JENKINS-45294](https://issues.jenkins-ci.org/browse/JENKINS-45294) -
+User-space RMI calls (including Jenkins core ones) will be rejected when the channel is being closed 
+(similar to [JENKINS-45023](https://issues.jenkins-ci.org/browse/JENKINS-45023) in 3.11).
+It prevents channel hanging in edge cases.
+* [JENKINS-47425](https://issues.jenkins-ci.org/browse/JENKINS-47425) - 
+Do not print full stack traces on network connection errors.
+* [JENKINS-37566](https://issues.jenkins-ci.org/browse/JENKINS-37566) - 
+Cleanup a number of issues reported by FindBugs.
+Notable ones: Unchecked file operations, improper synchronization.
+* [JENKINS-47901](https://issues.jenkins-ci.org/browse/JENKINS-47901) -
+Prevent uncaught `InvalidPathException` for file operations if and invalid path is passed from command line or API.
+* [JENKINS-47942](https://issues.jenkins-ci.org/browse/JENKINS-47942) -
+Performance: Reduce scope of Channel instance locks by property management.
+
+Build flow:
+
+* [PR #207](https://github.com/jenkinsci/remoting/pull/207) -
+Jacoco does not longer run by default in the build, `jacoco` profile should be used.
+* [PR #207](https://github.com/jenkinsci/remoting/pull/207) -
+Update Jacoco version to make the reports compatible with Jenkins [Jacoco Plugin](https://plugins.jenkins.io/jacoco).
+
+
+##### 3.13 => [Jenkins 2.85](https://jenkins.io/changelog/#v2.85)
+
+Release date: Oct 05, 2017
+
+Improvements:
+
+* [JENKINS-38711](https://issues.jenkins-ci.org/browse/JENKINS-38711) -
+Add uncaught exception handling logic to remoting threads.
+Threads now either have failover or proper termination.
+
+Fixed issues:
+
+* [JENKINS-47132](https://issues.jenkins-ci.org/browse/JENKINS-47132) -
+When an agent is waiting for master to be ready, 
+the port was not filled in the `Master isnt ready to talk to us on {0}. Will retry again` log message.
+
+##### 3.12 => [Jenkins 2.79](https://jenkins.io/changelog/#v2.79)
+
+Release date: Sep 14, 2017 => [Jenkins 2.79](https://jenkins.io/changelog/#v2.79)
+
+* [JENKINS-45755](https://issues.jenkins-ci.org/browse/JENKINS-45755) -
+Prevent channel initialization failure when JAR Cache directory is not writable and the channel does not need this cache
+(regression in 3.10).
+  * This issue causes a regression in Jenkins LTS 2.73.1
+  See the [upgrade guide](https://jenkins.io/doc/upgrade-guide/2.73/#known-issue-agent-connection-failures-involving-jenkins-masters-with-undefined-or-non-writable-home-directory) for more info.
+* [JENKINS-46140](https://issues.jenkins-ci.org/browse/JENKINS-46140) -
+Improve representation of remote operation exceptions in logs.
+
 ##### 3.11
 
-Release date: Coming Soon
+Release date: Aug 18, 2017 => [Jenkins 2.76](https://jenkins.io/changelog/#v2.76)
 
 :exclamation: **Warning!** Starting from this release, Jenkins Remoting requires Java 8 to run.
 In edge cases it may require manual actions during the upgrade.
@@ -48,6 +317,34 @@ Remoting build was failing when user name contained metacharacters.
 * [PR #190](https://github.com/jenkinsci/remoting/pull/190) -
 Enforce code signing verification when building Remoting with the `release` profile.
 
+##### 3.10.2
+
+Release date: Oct 05, 2017
+
+:exclamation: This is a backport release for Jenkins 2.73.2, 
+which integrates changes from 3.11 and 3.12.
+
+* [JENKINS-45755](https://issues.jenkins-ci.org/browse/JENKINS-45755) -
+Prevent channel initialization failure when JAR Cache directory is not writable and the channel does not need this cache
+(regression in 3.10).
+* [JENKINS-45023](https://issues.jenkins-ci.org/browse/JENKINS-45023) -
+Prevent execution of `UserRequest`s when the channel is closed or being closed.
+It prevents hanging of the channel in some cases.
+* [JENKINS-46259](https://issues.jenkins-ci.org/browse/JENKINS-46259) -
+ Log all linkage errors when executing `UserRequest`s (generic remote operations started from API).
+* [JENKINS-45233](https://issues.jenkins-ci.org/browse/JENKINS-45233) -
+ Log errors when Response message cannot be delivered due to the closed channel.
+
+Build Flow:
+
+* [JENKINS-37567](https://issues.jenkins-ci.org/browse/JENKINS-37567) -
+Code signing: [@oleg-nenashev](https://github.com/oleg-nenashev) will be releasing Remoting JARs signed with his certificate 
+for the next 3.10.x releases.
+
+##### 3.10.1
+
+This release is burned.
+
 ##### 3.10
 
 Release date: (Jun 26, 2017) => Jenkins 2.68
@@ -109,6 +406,8 @@ See the [Logging page](./docs/logging.md) for more details.
 Cleanup FindBugs-reported issues in ExportTable implementation (regression in 2.40).
 * [PR #153](https://github.com/jenkinsci/remoting/pull/153) -
 Prevent `NullPointerException` in `hudson.remoting.Channel.Ref()` when creating a reference to a `null` channel.
+* [JENKINS-5374](https://issues.jenkins-ci.org/browse/JENKINS-5374) - 
+Plrevent `NullPointerException` when executing a `UserRequest` constructed with a null classloader reference.
 
 ##### 3.7
 
diff --git a/Jenkinsfile b/Jenkinsfile
index 9c05f8610..179388e56 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -8,8 +8,7 @@ properties([[$class: 'BuildDiscarderProperty',
 /* These platforms correspond to labels in ci.jenkins.io, see:
  *  https://github.com/jenkins-infra/documentation/blob/master/ci.adoc
  */
-//TODO: Enable Windows once JENKINS-38696 is fixed. No sense to spend CPU cycles before that
-List platforms = ['linux']
+List platforms = ['linux', 'windows']
 Map branches = [:]
 
 for (int i = 0; i < platforms.size(); ++i) {
@@ -28,7 +27,7 @@ for (int i = 0; i < platforms.size(); ++i) {
                         'PATH+JDK=$JAVA_HOME/bin',
                     ]) {
                         timeout(30) {
-                            String command = 'mvn --batch-mode clean install -Dmaven.test.failure.ignore=true'
+                            String command = "mvn --batch-mode clean install -Dmaven.test.failure.ignore=true ${infra.isRunningOnJenkinsInfra() ? '-s settings-azure.xml' : ''} -e"
                             if (isUnix()) {
                                 sh command
                             }
@@ -43,8 +42,10 @@ for (int i = 0; i < platforms.size(); ++i) {
                     /* Archive the test results */
                     junit '**/target/surefire-reports/TEST-*.xml'
 
-                    /* Archive the build artifacts */
-                    archiveArtifacts artifacts: 'target/**/*.jar'
+                    if (label == 'linux') {
+                      archiveArtifacts artifacts: 'target/**/*.jar'
+                      findbugs pattern: '**/target/findbugsXml.xml'
+                    }
                 }
             }
         }
diff --git a/README.md b/README.md
index 783d7d788..1398f405b 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,8 @@
 Jenkins Remoting layer
 ====
 
+[![Join the chat at https://gitter.im/jenkinsci/remoting](https://badges.gitter.im/jenkinsci/remoting.svg)](https://gitter.im/jenkinsci/remoting?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+
 Jenkins remoting is an executable JAR, 
 which implements communication layer in [Jenkins](https://jenkins.io) automation server. 
 It's being used for master <=> agent(fka "slave") and master <=> CLI communications.
@@ -37,6 +39,7 @@ Previous versions:
 Developer documentation:
 
 * [Contributing](CONTRIBUTING.md)
+* [Javadoc](http://javadoc.jenkins.io/component/remoting/)
 * [Channel Termination Process](docs/close.md)
 
 ### Reporting issues
@@ -53,5 +56,5 @@ by Winston Prakash, Oracle (the information is outdated)
 * [Making your plugin behave in distributed Jenkins](https://wiki.jenkins-ci.org/display/JENKINS/Making+your+plugin+behave+in+distributed+Jenkins)
 * [Writing an SCM plugin. Remoting examples](https://wiki.jenkins-ci.org/display/JENKINS/Remoting)
 * [Troubleshooting remoting issues](https://wiki.jenkins-ci.org/display/JENKINS/Remoting+issue)
-* [Scaling Jenkins to Hundreds of Nodes](https://www.cloudbees.com/jenkins/juc-2015/abstracts/us-west/02-01-1600) 
-by Akshay Dayal, Google (remoting optimization, JNLP3)
\ No newline at end of file
+* [Scaling Jenkins to Hundreds of Nodes](https://www.youtube.com/watch?v=9-DUVroz7yk) 
+by Akshay Dayal, Google (remoting optimization, JNLP3)
diff --git a/docs/configuration.md b/docs/configuration.md
index d339a5474..20f0b7505 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -93,7 +93,7 @@ These properties require independent configuration on both sides of the channel.
     <tr>
       <td>${PROTOCOL_FULLY_QUALIFIED_NAME}.disabled, 
       where PROTOCOL_FULLY_QUALIFIED_NAME equals 
-      <code>PROTOCOL_HANDLER_CLASSNAME</code> without the <code>Handler</code> suffix.</td>,
+      <code>PROTOCOL_HANDLER_CLASSNAME</code> without the <code>Handler</code> suffix.</td>
       <td>false</td>
       <td>2.59</td>
       <td>2.4</td>
@@ -119,6 +119,14 @@ These properties require independent configuration on both sides of the channel.
       <td><a href="https://issues.jenkins-ci.org/browse/JENKINS-41730">JENKINS-41730</a></td>
       <td>If specified, only the protocols from the list will be tried during the connection. The option provides protocol names, but the order of the check is defined internally and cannot be changed.</td>
     </tr>
+    <tr>
+        <td><a href="no_proxy.md">NO_PROXY</a> (or no_proxy)</td>
+      <td></td>
+      <td></td>
+      <td></td>
+      <td></td>
+      <td>Provides specifications for hosts that should not be proxied. See the <a href="no_proxy.md">NO_PROXY Environment Variable</a> page for details on supported specifications.</td>
+    </tr>
     <!--Template
     <tr>
       <td></td>
diff --git a/docs/logging.md b/docs/logging.md
index 2d0f02637..a75a45c37 100644
--- a/docs/logging.md
+++ b/docs/logging.md
@@ -1,5 +1,6 @@
-Logging
-===
+# Logging and Diagnostics
+
+## Standard logging
 
 In Remoting logging is powered by the standard `java.util.logging` engine. 
 The default behavior depends on the [Work Directory](workDir.md) mode.
@@ -46,4 +47,13 @@ If `-agentLog` or `-slaveLog` are not specified, `${workDir}/${internalDir}/logs
   * Remoting does not perform automatic log rotation of this log file
   
 Particular Jenkins components use external features to provide better logging in the legacy mode.
-E.g. Windows agent services generate logs using features provided by [Windows Service Wrapper (WinSW)](https://github.com/kohsuke/winsw/).
\ No newline at end of file
+E.g. Windows agent services generate logs using features provided by [Windows Service Wrapper (WinSW)](https://github.com/kohsuke/winsw/).
+
+## Event listeners
+
+The `hudson.remoting.Channel.Listener` interface can be used to intercept important events programmatically.
+For example, you can be notified when a `Command` has been sent out over the channel, and obtain certain details.
+
+Normally administrators need not use this API directly.
+[Jenkins core will print events to a standard logger](https://github.com/jenkinsci/jenkins/pull/3071),
+and the [Support Core plugin will gather aggregate statistics](https://github.com/jenkinsci/support-core-plugin/pull/128).
diff --git a/docs/no_proxy.md b/docs/no_proxy.md
new file mode 100644
index 000000000..e1bc2fca2
--- /dev/null
+++ b/docs/no_proxy.md
@@ -0,0 +1,28 @@
+# NO_PROXY Environment Variable
+
+This optional setting provides a way to specify one or more hosts where the connection should not be proxied.
+Similar settings are available in many applications. Unfortunately, there is no standard specification across the different implementations.
+Each one defines its own syntax and supported capabilities.
+
+Remoting provides an implementation that is similar to a number of other applications and systems. Its simple rules provide
+sufficient power and flexibility for many needs.
+
+Rules:
+1. Environment variable may be named `NO_PROXY` or `no_proxy`.
+1. Different specification pieces may be separated by a comma (`,`) or a pipe (`|`).
+1. Each piece may specify an IP address, a network, or a host / domain.
+1. An IP address may be IPv4 or IPv6.
+1. An IPv6 address may be expressed in full or compressed form.
+1. A network is expressed in CIDR notation, for example, `192.168.17.0/24`.
+1. Localhost and loopback addresses are not proxied by default.
+1. All subdomains matching a domain or host are not proxied.
+1.1. A `NO_PROXY` setting of `jenkins.io` matches `repo.jenkins.io`, `sub.sub.jenkins.io`, and `jenkins.io`. It also matches `myjenkins.io`.
+1.1. The following forms are identical: `jenkins.io`, `.jenkins.io`, and `*.jenkins.io`.
+1. All other notations are ignored.
+
+## History
+
+The exact implementation has changed in different remoting versions. The 3.28 release of Remoting clarified and expanded a
+number of these capabilities. All specifications that worked prior to 3.28 should still work. Enhancements added at 3.28
+include environment variable capitalization, pipe separation, compressed
+IPv6 form, networks, and simple hostnames or root domains. The [Changelog](../CHANGELOG.md) provides information on some of the prior changes.
\ No newline at end of file
diff --git a/docs/protocols.md b/docs/protocols.md
index 6a7bcd9d6..da2d19087 100644
--- a/docs/protocols.md
+++ b/docs/protocols.md
@@ -98,6 +98,14 @@ On some configurations only one JNLP3 slave per IP address can be connected.
 * [JENKINS-34121](https://issues.jenkins-ci.org/browse/JENKINS-34121) -
 JNLP3 cannot be used on IBM Java, which doesn't support AES/CTR/PKCS5Padding.
 
+## Plugin protocols
+
+### Remoting Kafka Plugin
+
+* [Remoting Kafka Plugin](https://github.com/jenkinsci/remoting-kafka-plugin) uses Kafka as fault-tolerant communication layer to support command invocation between Jenkins master and agent.
+* The plugin gets rid of current direct TCP connection between master and agent.
+* More info can be found in the technical [documentation](https://github.com/jenkinsci/remoting-kafka-plugin/blob/master/docs/DOCUMENTATION.md) of the plugin.
+
 ## Test Protocols
 
 The protocols below exist for testing purposes only.
diff --git a/docs/remoting-kafka-architecture.png b/docs/remoting-kafka-architecture.png
new file mode 100644
index 000000000..357c1aed8
Binary files /dev/null and b/docs/remoting-kafka-architecture.png differ
diff --git a/docs/workDir.md b/docs/workDir.md
index fc8397072..a98772114 100644
--- a/docs/workDir.md
+++ b/docs/workDir.md
@@ -1,9 +1,9 @@
 Remoting Work directory
 ===
 
-In Remoting work directory is a storage 
+In Remoting work directory is an internal data storage, which may be used by Remoting to store caches, logs and other metadata.
 
-Remoting work directory is available starting from Remoting `3.8`.
+Remoting work directory is available starting from Remoting `3.8`, which is available in [Jenkins 2.68](https://jenkins.io/changelog/#v2.68)).
 Before this version there was no working directory concept in the library itself;
 all operations were managed by library users (e.g. Jenkins agent workspaces).
 
diff --git a/pom.xml b/pom.xml
index 20ce4ba59..77e9812d6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -28,12 +28,13 @@ THE SOFTWARE.
   <parent>
     <groupId>org.jenkins-ci</groupId>
     <artifactId>jenkins</artifactId>
-    <version>1.38</version>
+    <version>1.50</version>
+    <relativePath />
   </parent>
 
   <groupId>org.jenkins-ci.main</groupId>
   <artifactId>remoting</artifactId>
-  <version>3.12-SNAPSHOT</version>
+  <version>${revision}${changelist}</version>
 
   <name>Jenkins remoting layer</name>
   <description>
@@ -56,16 +57,20 @@ THE SOFTWARE.
     <connection>scm:git:git://github.com/jenkinsci/remoting.git</connection>
     <developerConnection>scm:git:ssh://git@github.com/jenkinsci/remoting.git</developerConnection>
     <url>https://github.com/jenkinsci/remoting</url>
-    <tag>HEAD</tag>
+    <tag>${scmTag}</tag>
   </scm>
 
   <properties>
+    <revision>3.30</revision>
+    <changelist>-SNAPSHOT</changelist>
     <java.level>8</java.level>
     <build.type>private</build.type>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
     <project.build.outputEncoding>UTF-8</project.build.outputEncoding>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-    <findbugs.failOnError>false</findbugs.failOnError>
+    <findbugs.effort>Max</findbugs.effort>
+    <findbugs.excludeFilterFile>${basedir}/src/findbugs/excludeFilter.xml</findbugs.excludeFilterFile>
+    <findbugs.threshold>Low</findbugs.threshold>
     <!-- TODO: Required to override by a version with certchain support (MJARSIGNER-53) on @oleg-nenashev's machine. Remove once it's in upstream -->
     <maven-jarsigner-plugin.version>1.4</maven-jarsigner-plugin.version>
   </properties>
@@ -73,21 +78,20 @@ THE SOFTWARE.
   <repositories>
     <repository>
       <id>repo.jenkins-ci.org</id>
-      <url>http://repo.jenkins-ci.org/public/</url>
-      <releases>
-        <enabled>true</enabled>
-      </releases>
-      <snapshots>
-        <enabled>false</enabled>
-      </snapshots>
+      <url>https://repo.jenkins-ci.org/public/</url>
     </repository>
   </repositories>
+  <pluginRepositories>
+    <pluginRepository>
+      <id>repo.jenkins-ci.org</id>
+      <url>https://repo.jenkins-ci.org/public/</url>
+    </pluginRepository>
+  </pluginRepositories>
 
   <dependencies>
     <dependency>
       <groupId>org.codehaus.mojo</groupId>
       <artifactId>animal-sniffer-annotations</artifactId>
-      <version>1.15</version>
       <scope>provided</scope>
     </dependency>
     <!-- test dependencies -->
@@ -145,18 +149,6 @@ THE SOFTWARE.
       <version>1.10.19</version>
       <scope>test</scope>
     </dependency>
-    <dependency>
-      <groupId>org.powermock</groupId>
-      <artifactId>powermock-module-junit4</artifactId>
-      <version>1.6.2</version>
-      <scope>test</scope>
-    </dependency>
-    <dependency>
-      <groupId>org.powermock</groupId>
-      <artifactId>powermock-api-mockito</artifactId>
-      <version>1.6.2</version>
-      <scope>test</scope>
-    </dependency>
     <dependency>
       <!-- for JRE requirement check annotation -->
       <groupId>org.jvnet</groupId>
@@ -190,7 +182,7 @@ THE SOFTWARE.
     <dependency>
       <groupId>org.kohsuke</groupId>
       <artifactId>access-modifier-annotation</artifactId>
-      <version>1.7</version>
+      <version>1.12</version>
       <type>jar</type>
       <optional>true</optional><!-- no need to have this at runtime -->
     </dependency>
@@ -282,7 +274,7 @@ THE SOFTWARE.
           <providerClass>${hudson.sign.providerClass}</providerClass>
           <providerArg>${hudson.sign.providerArg}</providerArg>
           <tsa>${hudson.sign.tsa}</tsa>
-          <!-- 
+          <!--
             This option is required for JENKINS-37567, not required on any release machine.
             In order to take effect, a version with MJARSIGNER-53 should be used.
             See the "maven-jarsigner-plugin.version" parameter.
@@ -416,54 +408,9 @@ THE SOFTWARE.
           </execution>
         </executions>
       </plugin>
-      <plugin>
-        <artifactId>maven-release-plugin</artifactId>
-        <version>2.5.2</version>
-        <configuration>
-          <releaseProfiles>release</releaseProfiles>
-        </configuration>
-      </plugin>
-      <plugin>
-        <groupId>org.jacoco</groupId>
-        <artifactId>jacoco-maven-plugin</artifactId>
-        <version>0.7.0.201403182114</version>
-        <executions>
-          <execution>
-            <goals>
-              <goal>prepare-agent</goal>
-            </goals>
-          </execution>
-          <execution>
-            <id>report</id>
-            <phase>prepare-package</phase>
-            <goals>
-              <goal>report</goal>
-            </goals>
-          </execution>
-        </executions>
-      </plugin>
-      <plugin>
-        <groupId>org.codehaus.mojo</groupId>
-        <artifactId>findbugs-maven-plugin</artifactId>
-        <version>3.0.4</version>
-        <configuration>
-          <xmlOutput>true</xmlOutput>
-          <effort>Max</effort>
-          <excludeFilterFile>${basedir}/src/findbugs/excludeFilter.xml</excludeFilterFile>
-          <threshold>Low</threshold><!-- we want to find serialization related problems -->
-        </configuration>
-        <executions>
-          <execution>
-            <phase>verify</phase>
-            <goals>
-              <goal>check</goal>
-            </goals>
-          </execution>
-        </executions>
-      </plugin>
       <plugin>
         <artifactId>maven-surefire-plugin</artifactId>
-        <version>2.19.1</version>
+        <version>3.0.0-M1</version>
         <configuration>
           <trimStackTrace>false</trimStackTrace> <!-- SUREFIRE-1226 workaround -->
           <rerunFailingTestsCount>4</rerunFailingTestsCount>
@@ -474,9 +421,9 @@ THE SOFTWARE.
         <executions>
           <execution>
             <id>run-javadoc</id>
+            <phase>package</phase>
             <goals>
               <goal>jar</goal>
-              <goal>javadoc</goal>
             </goals>
           </execution>
         </executions>
@@ -536,6 +483,12 @@ THE SOFTWARE.
                 <goals>
                   <goal>sign</goal>
                 </goals>
+                <configuration>
+                  <gpgArguments>
+                    <arg>--pinentry-mode</arg>
+                    <arg>loopback</arg>
+                  </gpgArguments>
+                </configuration>
               </execution>
             </executions>
           </plugin>
@@ -570,7 +523,7 @@ THE SOFTWARE.
                   <keystore>${hudson.sign.keystore}</keystore>
                   <storetype>${hudson.sign.storetype}</storetype>
                   <providerClass>${hudson.sign.providerClass}</providerClass>
-                  <providerArg>${hudson.sign.providerArg}</providerArg> 
+                  <providerArg>${hudson.sign.providerArg}</providerArg>
                 </configuration>
               </execution>
             </executions>
@@ -578,5 +531,31 @@ THE SOFTWARE.
         </plugins>
       </build>
     </profile>
+    <profile>
+      <id>jacoco</id>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.jacoco</groupId>
+            <artifactId>jacoco-maven-plugin</artifactId>
+            <version>0.7.9</version>
+            <executions>
+              <execution>
+                <goals>
+                  <goal>prepare-agent</goal>
+                </goals>
+              </execution>
+              <execution>
+                <id>report</id>
+                <phase>prepare-package</phase>
+                <goals>
+                  <goal>report</goal>
+                </goals>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
   </profiles>
 </project>
diff --git a/settings-azure.xml b/settings-azure.xml
new file mode 100644
index 000000000..a1e96394d
--- /dev/null
+++ b/settings-azure.xml
@@ -0,0 +1,9 @@
+<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
+    <mirrors>
+        <mirror>
+            <id>azure</id>
+            <url>https://repo.azure.jenkins.io/public/</url> <!-- INFRA-1176 -->
+            <mirrorOf>repo.jenkins-ci.org</mirrorOf>
+        </mirror>
+    </mirrors>
+</settings>
diff --git a/src/findbugs/excludeFilter.xml b/src/findbugs/excludeFilter.xml
index 6015b02a4..6f349ad07 100644
--- a/src/findbugs/excludeFilter.xml
+++ b/src/findbugs/excludeFilter.xml
@@ -8,13 +8,19 @@
   </Match>
   
   <Match>
-    <Or>
-      <!--We do not want do break API by converting potentially usefull classes-->
-      <Bug pattern="SIC_INNER_SHOULD_BE_STATIC_ANON"/>
-    </Or>
+    <!--We do not want do break API by converting potentially usefull classes-->
+    <Bug pattern="SIC_INNER_SHOULD_BE_STATIC_ANON"/>
   </Match>
   
-  
+  <Match>
+    <!-- TODO: On hold due to the discussion in PR #118 -->
+    <Bug pattern="DP_DO_INSIDE_DO_PRIVILEGED"/>
+  </Match>
+  <Match>
+    <!-- TODO: On hold due to the discussion in PR #118 -->
+    <Bug pattern="DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED"/>
+  </Match>
+    
   <!--TODO: reconsider commented filters after cleanup-->
   <!-- ignore all low-level (priority=2,3) issues except serialization problems -->
   <!--<Match>
diff --git a/src/main/java/hudson/remoting/AbstractByteArrayCommandTransport.java b/src/main/java/hudson/remoting/AbstractByteArrayCommandTransport.java
index 02423c742..7299c6ca7 100644
--- a/src/main/java/hudson/remoting/AbstractByteArrayCommandTransport.java
+++ b/src/main/java/hudson/remoting/AbstractByteArrayCommandTransport.java
@@ -6,6 +6,8 @@
 import java.io.ObjectOutputStream;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import javax.annotation.Nonnull;
+import org.jenkinsci.remoting.util.AnonymousClassWarnings;
 
 /**
  * {@link CommandTransport} that works with {@code byte[]} instead of command object.
@@ -35,7 +37,7 @@ public abstract class AbstractByteArrayCommandTransport extends CommandTransport
      * 
      * In this subtype, we pass in {@link ByteArrayReceiver} that uses byte[] instead of {@link Command}
      */
-    public abstract void setup(ByteArrayReceiver receiver);
+    public abstract void setup(@Nonnull ByteArrayReceiver receiver);
     
     public static interface ByteArrayReceiver {
         /**
@@ -58,12 +60,10 @@ public final void setup(final Channel channel, final CommandReceiver receiver) {
         setup(new ByteArrayReceiver() {
             public void handle(byte[] payload) {
                 try {
-                    receiver.handle(Command.readFrom(channel, new ObjectInputStreamEx(
-                            new ByteArrayInputStream(payload),channel.baseClassLoader,channel.classFilter)));
-                } catch (IOException e) {
-                    LOGGER.log(Level.WARNING, "Failed to construct Command", e);
-                } catch (ClassNotFoundException e) {
-                    LOGGER.log(Level.WARNING, "Failed to construct Command", e);
+                    Command cmd = Command.readFrom(channel, payload);
+                    receiver.handle(cmd);
+                } catch (IOException | ClassNotFoundException e) {
+                    LOGGER.log(Level.WARNING, "Failed to construct Command in channel " + channel.getName(), e);
                 }
             }
 
@@ -76,10 +76,12 @@ public void terminate(IOException e) {
     @Override
     public final void write(Command cmd, boolean last) throws IOException {
         ByteArrayOutputStream baos = new ByteArrayOutputStream();
-        ObjectOutputStream oos = new ObjectOutputStream(baos);
+        ObjectOutputStream oos = AnonymousClassWarnings.checkingObjectOutputStream(baos);
         cmd.writeTo(channel,oos);
         oos.close();
-        writeBlock(channel,baos.toByteArray());
+        byte[] block = baos.toByteArray();
+        channel.notifyWrite(cmd, block.length);
+        writeBlock(channel, block);
     }
 
     private static final Logger LOGGER = Logger.getLogger(AbstractByteArrayCommandTransport.class.getName());
diff --git a/src/main/java/hudson/remoting/AbstractByteBufferCommandTransport.java b/src/main/java/hudson/remoting/AbstractByteBufferCommandTransport.java
index 5d36b2c26..6d4d7a9c2 100644
--- a/src/main/java/hudson/remoting/AbstractByteBufferCommandTransport.java
+++ b/src/main/java/hudson/remoting/AbstractByteBufferCommandTransport.java
@@ -31,6 +31,7 @@
 import java.util.logging.Logger;
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
+import org.jenkinsci.remoting.util.AnonymousClassWarnings;
 import org.jenkinsci.remoting.util.ByteBufferQueue;
 import org.jenkinsci.remoting.util.ByteBufferQueueOutputStream;
 import org.jenkinsci.remoting.util.FastByteBufferQueueInputStream;
@@ -198,12 +199,10 @@ private void processCommand() throws IOException {
         try {
             FastByteBufferQueueInputStream is = new FastByteBufferQueueInputStream(receiveQueue, readCommandSizes[0]);
             try {
-                ObjectInputStreamEx ois = new ObjectInputStreamEx(is, channel.baseClassLoader, channel.classFilter);
-                receiver.handle(Command.readFrom(channel, ois));
-            } catch (IOException e1) {
-                LOGGER.log(Level.WARNING, "Failed to construct Command", e1);
-            } catch (ClassNotFoundException e11) {
-                LOGGER.log(Level.WARNING, "Failed to construct Command", e11);
+                Command cmd = Command.readFrom(channel, is, readCommandSizes[0]);
+                receiver.handle(cmd);
+            } catch (IOException | ClassNotFoundException e) {
+                LOGGER.log(Level.WARNING, "Failed to construct Command in channel " + channel.getName(), e);
             } finally {
                 int available = is.available();
                 if (available > 0) {
@@ -283,13 +282,14 @@ public final synchronized void setup(final Channel channel, final CommandReceive
     @Override
     public final void write(Command cmd, boolean last) throws IOException {
         ByteBufferQueueOutputStream bqos = new ByteBufferQueueOutputStream(sendStaging);
-        ObjectOutputStream oos = new ObjectOutputStream(bqos);
+        ObjectOutputStream oos = AnonymousClassWarnings.checkingObjectOutputStream(bqos);
         try {
             cmd.writeTo(channel, oos);
         } finally {
             oos.close();
         }
         long remaining = sendStaging.remaining();
+        channel.notifyWrite(cmd, remaining);
         while (remaining > 0L) {
             int frame = remaining > transportFrameSize
                     ? transportFrameSize
diff --git a/src/main/java/hudson/remoting/AbstractSynchronousByteArrayCommandTransport.java b/src/main/java/hudson/remoting/AbstractSynchronousByteArrayCommandTransport.java
index 4ffc62654..ed30d8a82 100644
--- a/src/main/java/hudson/remoting/AbstractSynchronousByteArrayCommandTransport.java
+++ b/src/main/java/hudson/remoting/AbstractSynchronousByteArrayCommandTransport.java
@@ -4,6 +4,7 @@
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.ObjectOutputStream;
+import org.jenkinsci.remoting.util.AnonymousClassWarnings;
 
 /**
  * {@link SynchronousCommandTransport} that works with {@code byte[]} instead of command object.
@@ -31,17 +32,18 @@ public abstract class AbstractSynchronousByteArrayCommandTransport extends Synch
 
     @Override
     public Command read() throws IOException, ClassNotFoundException {
-        return Command.readFrom(channel,new ObjectInputStreamEx(
-                new ByteArrayInputStream(readBlock(channel)),
-                channel.baseClassLoader,channel.classFilter));
+        byte[] block = readBlock(channel);
+        return Command.readFrom(channel, block);
     }
 
     @Override
     public void write(Command cmd, boolean last) throws IOException {
         ByteArrayOutputStream baos = new ByteArrayOutputStream();
-        ObjectOutputStream oos = new ObjectOutputStream(baos);
+        ObjectOutputStream oos = AnonymousClassWarnings.checkingObjectOutputStream(baos);
         cmd.writeTo(channel,oos);
         oos.close();
-        writeBlock(channel,baos.toByteArray());
+        byte[] block = baos.toByteArray();
+        channel.notifyWrite(cmd, block.length);
+        writeBlock(channel, block);
     }
 }
diff --git a/src/main/java/hudson/remoting/AsyncFutureImpl.java b/src/main/java/hudson/remoting/AsyncFutureImpl.java
index e8d9042f5..5e5b70bf0 100644
--- a/src/main/java/hudson/remoting/AsyncFutureImpl.java
+++ b/src/main/java/hudson/remoting/AsyncFutureImpl.java
@@ -23,6 +23,8 @@
  */
 package hudson.remoting;
 
+import javax.annotation.CheckForNull;
+import javax.annotation.Nonnegative;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.TimeoutException;
@@ -78,13 +80,27 @@ public synchronized V get() throws InterruptedException, ExecutionException {
         return value;
     }
 
-    public synchronized V get(long timeout, TimeUnit unit) throws InterruptedException, ExecutionException, TimeoutException {
-        if(!completed)
-            wait(unit.toMillis(timeout));
+    @CheckForNull
+    public synchronized V get(@Nonnegative long timeout, TimeUnit unit) throws InterruptedException, ExecutionException, TimeoutException {
+        // The accuracy of wait(long) operation is milliseconds anyway, but ok.
+        long endWaitTime = System.nanoTime() + unit.toNanos(timeout);
+        while (!completed) {
+            long timeToWait = endWaitTime - System.nanoTime();
+            if (timeToWait < 0) {
+                break;
+            }
+
+            wait(timeToWait / 1000000, (int)(timeToWait % 1000000));
+        }
+
         if(!completed)
             throw new TimeoutException();
         if(cancelled)
             throw new CancellationException();
+
+        //TODO: we may be calling a complex get() implementation in the override, which may hang the code
+        // The only missing behavior is "problem!=null" branch, but probably we cannot just replace the code without
+        // an override issue risk.
         return get();
     }
 
diff --git a/src/main/java/hudson/remoting/AtmostOneThreadExecutor.java b/src/main/java/hudson/remoting/AtmostOneThreadExecutor.java
index fc9e1432e..bc173330a 100644
--- a/src/main/java/hudson/remoting/AtmostOneThreadExecutor.java
+++ b/src/main/java/hudson/remoting/AtmostOneThreadExecutor.java
@@ -8,6 +8,7 @@
 import java.util.concurrent.RejectedExecutionException;
 import java.util.concurrent.ThreadFactory;
 import java.util.concurrent.TimeUnit;
+import org.jenkinsci.remoting.util.ExecutorServiceUtils.FatalRejectedExecutionException;
 
 /**
  * {@link ExecutorService} that uses at most one executor.
@@ -86,7 +87,8 @@ public boolean awaitTermination(long timeout, TimeUnit unit) throws InterruptedE
     public void execute(Runnable command) {
         synchronized (q) {
             if (isShutdown()) {
-                throw new RejectedExecutionException("This executor has been shutdown.");
+                // No way this executor service can be recovered
+                throw new FatalRejectedExecutionException("This executor has been shutdown.");
             }
             q.add(command);
             if (!isAlive()) {
diff --git a/src/main/java/hudson/remoting/Callable.java b/src/main/java/hudson/remoting/Callable.java
index e841c3120..744d34793 100644
--- a/src/main/java/hudson/remoting/Callable.java
+++ b/src/main/java/hudson/remoting/Callable.java
@@ -23,10 +23,18 @@
  */
 package hudson.remoting;
 
+import org.jenkinsci.remoting.ChannelStateException;
 import org.jenkinsci.remoting.RoleSensitive;
+import org.jenkinsci.remoting.SerializableOnlyOverRemoting;
 
+import javax.annotation.Nonnull;
+import java.io.IOException;
+import java.io.NotSerializableException;
 import java.io.Serializable;
 
+//TODO: Make it SerializableOnlyOverRemoting?
+// Oleg Nenashev: Formally there is no reason for that, you can serialize object over whatever binary stream and then
+// execute it on remote side if it has channel instance. Likely YAGNI, but I can imagine such Pipeline context class implementation.
 /**
  * Represents computation to be done on a remote system.
  *
@@ -39,4 +47,46 @@ public interface Callable<V,T extends Throwable> extends Serializable, RoleSensi
      * or throws some exception.
      */
     V call() throws T;
+
+    /**
+     * Gets a channel for the operation inside callable.
+     * @return Channel Instance
+     * @throws ChannelStateException Channel is not associated with the thread
+     * @since TODO
+     */
+    @Nonnull
+    default Channel getChannelOrFail() throws ChannelStateException {
+        final Channel ch = Channel.current();
+        if (ch == null) {
+            // This logic does not prevent from improperly serializing objects within Remoting calls.
+            // If it happens in API calls in external usages, we wish good luck with diagnosing Remoting issues
+            // and leaks in ExportTable.
+            //TODO: maybe there is a way to actually diagnose this case?
+            final Thread t = Thread.currentThread();
+            throw new ChannelStateException(null, "The calling thread " + t + " has no associated channel. "
+                    + "The current object " + this + " is " + SerializableOnlyOverRemoting.class +
+                    ", but it is likely being serialized/deserialized without the channel");
+        }
+        return ch;
+    }
+
+    /**
+     * Gets an open channel, which is ready to accept commands.
+     *
+     * It is a convenience method for cases, when a callable needs to invoke call backs on the master.
+     * In such case the requests will be likely failed by {@linkplain UserRequest} logic anyway, but it is better to fail fast.
+     * 
+     * @return Channel instance
+     * @throws ChannelStateException The channel is closing down or has been closed.
+     *          Also happens if the channel is not associated with the thread at all.
+     * @since TODO
+     */
+    @Nonnull
+    default Channel getOpenChannelOrFail() throws ChannelStateException {
+        final Channel ch = getChannelOrFail();
+        if (ch.isClosingOrClosed()) {
+            throw new ChannelClosedException(ch, "The associated channel " + ch + " is closing down or has closed down", ch.getCloseRequestCause());
+        }
+        return ch;
+    }
 }
diff --git a/src/main/java/hudson/remoting/Capability.java b/src/main/java/hudson/remoting/Capability.java
index ce4294329..fb5a16513 100644
--- a/src/main/java/hudson/remoting/Capability.java
+++ b/src/main/java/hudson/remoting/Capability.java
@@ -1,5 +1,6 @@
 package hudson.remoting;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.remoting.Channel.Mode;
 import java.io.IOException;
 import java.io.InputStream;
@@ -9,6 +10,8 @@
 import java.io.OutputStream;
 import java.io.Serializable;
 import java.io.UnsupportedEncodingException;
+import java.nio.charset.StandardCharsets;
+import org.jenkinsci.remoting.util.AnonymousClassWarnings;
 
 /**
  * Represents additional features implemented on {@link Channel}.
@@ -33,7 +36,7 @@ public final class Capability implements Serializable {
     }
 
     public Capability() {
-        this(MASK_MULTI_CLASSLOADER|MASK_PIPE_THROTTLING|MASK_MIMIC_EXCEPTION|MASK_PREFETCH|GREEDY_REMOTE_INPUTSTREAM| MASK_PROXY_WRITER_2_35|MASK_CHUNKED_ENCODING);
+        this(MASK_MULTI_CLASSLOADER | MASK_PIPE_THROTTLING | MASK_MIMIC_EXCEPTION | MASK_PREFETCH | GREEDY_REMOTE_INPUTSTREAM | MASK_PROXY_WRITER_2_35 | MASK_CHUNKED_ENCODING | PROXY_EXCEPTION_FALLBACK);
     }
 
     /**
@@ -108,22 +111,44 @@ public boolean supportsProxyWriter2_35() {
         return (mask & MASK_PROXY_WRITER_2_35) != 0;
     }
 
+    /**
+     * Supports {@link ProxyException} as a fallback when failing to deserialize {@link UserRequest} exceptions.
+     * @since 3.19
+     * @see <a href="https://issues.jenkins-ci.org/browse/JENKINS-50237">JENKINS-50237</a>
+     */
+    public boolean supportsProxyExceptionFallback() {
+        return (mask & PROXY_EXCEPTION_FALLBACK) != 0;
+    }
+
+    //TODO: ideally preamble handling needs to be reworked in order to avoid FB suppression
     /**
      * Writes out the capacity preamble.
      */
     void writePreamble(OutputStream os) throws IOException {
         os.write(PREAMBLE);
-        ObjectOutputStream oos = new ObjectOutputStream(Mode.TEXT.wrap(os));
-        oos.writeObject(this);
-        oos.flush();
+        try (ObjectOutputStream oos = new ObjectOutputStream(Mode.TEXT.wrap(os)) {
+            @Override
+            public void close() throws IOException {
+                flush();
+                // TODO: Cannot invoke the private clear() method, but GC well do it for us. Not worse than the original solution
+                // Here the code does not close the proxied stream OS on completion
+            }
+            @Override
+            protected void annotateClass(Class<?> c) throws IOException {
+                AnonymousClassWarnings.check(c);
+                super.annotateClass(c);
+            }
+        }) {
+            oos.writeObject(this);
+            oos.flush();
+        }
     }
 
     /**
      * The opposite operation of {@link #writePreamble(OutputStream)}.
      */
     public static Capability read(InputStream is) throws IOException {
-        try {
-            ObjectInputStream ois = new ObjectInputStream(Mode.TEXT.wrap(is)) {
+        try (ObjectInputStream ois = new ObjectInputStream(Mode.TEXT.wrap(is)) {
                 // during deserialization, only accept Capability to protect ourselves
                 // from malicious payload. Allow java.lang.String so that
                 // future versions of Capability can send more complex data structure.
@@ -136,7 +161,12 @@ protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, Clas
                         return super.resolveClass(desc);
                     throw new SecurityException("Rejected: "+n);
                 }
-            };
+
+                @Override
+                public void close() throws IOException {
+                    // Do not close the stream since we continue reading from the input stream "is" 
+                }   
+            }) {
             return (Capability)ois.readObject();
         } catch (ClassNotFoundException e) {
             throw (Error)new NoClassDefFoundError(e.getMessage()).initCause(e);
@@ -208,11 +238,13 @@ protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, Clas
     /**
      * Supports chunked encoding.
      *
-     * @sine 2.38
+     * @since 2.38
      */
     private static final long MASK_CHUNKED_ENCODING = 1L << 7;
 
-    static final byte[] PREAMBLE;
+    private static final long PROXY_EXCEPTION_FALLBACK = 1L << 8;
+
+    static final byte[] PREAMBLE = "<===[JENKINS REMOTING CAPACITY]===>".getBytes(StandardCharsets.UTF_8);
 
     public static final Capability NONE = new Capability(0);
 
@@ -275,15 +307,15 @@ public String toString() {
             }
             sb.append("Chunked encoding");
         }
+        if ((mask & PROXY_EXCEPTION_FALLBACK) != 0) {
+            if (first) {
+                first = false;
+            } else {
+                sb.append(", ");
+            }
+            sb.append("ProxyException fallback");
+        }
         sb.append('}');
         return sb.toString();
     }
-
-    static {
-        try {
-            PREAMBLE = "<===[JENKINS REMOTING CAPACITY]===>".getBytes("UTF-8");
-        } catch (UnsupportedEncodingException e) {
-            throw new AssertionError(e);
-        }
-    }
 }
diff --git a/src/main/java/hudson/remoting/Channel.java b/src/main/java/hudson/remoting/Channel.java
index 4f440aec6..1c4572d9a 100644
--- a/src/main/java/hudson/remoting/Channel.java
+++ b/src/main/java/hudson/remoting/Channel.java
@@ -23,6 +23,7 @@
  */
 package hudson.remoting;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import edu.umd.cs.findbugs.annotations.SuppressWarnings;
 import hudson.remoting.CommandTransport.CommandReceiver;
 import hudson.remoting.PipeWindow.Key;
@@ -37,21 +38,25 @@
 import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
 import java.io.Closeable;
+import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.ObjectOutputStream;
 import java.io.OutputStream;
 import java.io.PrintWriter;
+import java.io.Serializable;
 import java.io.UnsupportedEncodingException;
 import java.lang.ref.WeakReference;
 import java.net.URL;
 import java.util.Collections;
 import java.util.Date;
 import java.util.Hashtable;
+import java.util.List;
 import java.util.Locale;
 import java.util.Map;
-import java.util.Vector;
 import java.util.WeakHashMap;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.CopyOnWriteArrayList;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.TimeUnit;
@@ -61,6 +66,7 @@
 import java.util.logging.LogRecord;
 import java.util.logging.Logger;
 import javax.annotation.Nullable;
+import org.jenkinsci.remoting.util.LoggingChannelListener;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
 
@@ -134,7 +140,8 @@ public class Channel implements VirtualChannel, IChannel, Closeable {
     private final String name;
     private volatile boolean remoteClassLoadingAllowed, arbitraryCallableAllowed;
     /*package*/ final CallableDecoratorList decorators = new CallableDecoratorList();
-    /*package*/ final ExecutorService executor;
+    @Restricted(NoExternalUse.class)
+    public final ExecutorService executor;
 
     /**
      * If non-null, the incoming link is already shut down,
@@ -207,7 +214,7 @@ public class Channel implements VirtualChannel, IChannel, Closeable {
     /**
      * Registered listeners. 
      */
-    private final Vector<Listener> listeners = new Vector<Listener>();
+    private final List<Listener> listeners = new CopyOnWriteArrayList<>();
     private int gcCounter;
 
     /**
@@ -291,7 +298,7 @@ public class Channel implements VirtualChannel, IChannel, Closeable {
     /**
      * Property bag that contains application-specific stuff.
      */
-    private final Hashtable<Object,Object> properties = new Hashtable<Object,Object>();
+    private final ConcurrentHashMap<Object,Object> properties = new ConcurrentHashMap<>();
 
     /**
      * Proxy to the remote {@link Channel} object.
@@ -317,7 +324,12 @@ public class Channel implements VirtualChannel, IChannel, Closeable {
      */
     /*package*/ final ClassLoader baseClassLoader;
 
-    @Nonnull
+    /**
+     * JAR Resolution Cache.
+     * Can be {@code null} if caching disabled for this channel.
+     * In such case some classloading operations may be rejected.
+     */
+    @CheckForNull
     private JarCache jarCache;
 
     /*package*/ final JarLoaderImpl jarLoader;
@@ -443,6 +455,7 @@ public Channel(String name, ExecutorService exec, Mode mode, InputStream is, Out
      * Creates a new channel.
      *
      * @param restricted
+     *      See {@link #Channel(String, ExecutorService, Mode, InputStream, OutputStream, OutputStream, boolean, ClassLoader)}
      * @deprecated as of 2.24
      *      Use {@link ChannelBuilder}
      */
@@ -504,7 +517,7 @@ public Channel(String name, ExecutorService exec, CommandTransport transport, bo
     }
 
     /**
-     * @since TODO
+     * @since 2.38
      */
     protected Channel(@Nonnull ChannelBuilder settings, @Nonnull CommandTransport transport) throws IOException {
         this.name = settings.getName();
@@ -515,19 +528,17 @@ protected Channel(@Nonnull ChannelBuilder settings, @Nonnull CommandTransport tr
         this.underlyingOutput = transport.getUnderlyingStream();
         
         // JAR Cache resolution
-        JarCache effectiveJarCache = settings.getJarCache();
-        if (effectiveJarCache == null) {
-            effectiveJarCache = JarCache.getDefault();
-            logger.log(Level.CONFIG, "Using the default JAR Cache: {0}", effectiveJarCache);
+        this.jarCache = settings.getJarCache();
+        if (this.jarCache == null) {
+            logger.log(Level.CONFIG, "JAR Cache is not defined for channel {0}", name);
         }
-        this.jarCache = effectiveJarCache;
 
         this.baseClassLoader = settings.getBaseLoader();
         this.classFilter = settings.getClassFilter();
 
         if(internalExport(IChannel.class, this, false)!=1)
             throw new AssertionError(); // export number 1 is reserved for the channel itself
-        remoteChannel = RemoteInvocationHandler.wrap(this,1,IChannel.class,true,false);
+        remoteChannel = RemoteInvocationHandler.wrap(this, 1, IChannel.class, true, false, false, true);
 
         this.remoteCapability = transport.getRemoteCapability();
         this.pipeWriter = new PipeWriter(createPipeWriterExecutor());
@@ -557,7 +568,9 @@ public void handle(Command cmd) {
                     }
                 } catch (Throwable t) {
                     logger.log(Level.SEVERE, "Failed to execute command " + cmd + " (channel " + Channel.this.name + ")", t);
-                    logger.log(Level.SEVERE, "This command is created here", cmd.createdAt);
+                    if (cmd.createdAt != null) {
+                        logger.log(Level.SEVERE, "This command is created here", cmd.createdAt);
+                    }
                 }
             }
 
@@ -581,6 +594,8 @@ public void terminate(IOException e) {
 
     /**
      * Callback "interface" for changes in the state of {@link Channel}.
+     * @see #addListener
+     * @see LoggingChannelListener
      */
     public static abstract class Listener {
         /**
@@ -592,6 +607,45 @@ public static abstract class Listener {
          *      Otherwise null.
          */
         public void onClosed(Channel channel, IOException cause) {}
+
+        /**
+         * Called when a command is successfully received by a channel.
+         * @param channel a channel
+         * @param cmd a command
+         * @param blockSize the number of bytes used to read this command
+         * @since 3.17
+         */
+        public void onRead(Channel channel, Command cmd, long blockSize) {}
+
+        /**
+         * Called when a command is successfully written to a channel.
+         * See {@link #onRead} for general usage guidelines.
+         * @param channel a channel
+         * @param cmd a command
+         * @param blockSize the number of bytes used to write this command
+         * @since 3.17
+         */
+        public void onWrite(Channel channel, Command cmd, long blockSize) {}
+
+        /**
+         * Called when a response has been read from a channel.
+         * @param channel a channel
+         * @param req the original request
+         * @param rsp the resulting response
+         * @param totalTime the total time in nanoseconds taken to service the request
+         * @since 3.17
+         */
+        public void onResponse(Channel channel, Request<?, ?> req, Response<?, ?> rsp, long totalTime) {}
+
+        /**
+         * Called when a JAR file is being sent to the remote side.
+         * @param channel a channel
+         * @param jar the JAR file from which code is being loaded remotely
+         * @see Capability#supportsPrefetch
+         * @since 3.17
+         */
+        public void onJar(Channel channel, File jar) {}
+
     }
 
     /**
@@ -605,7 +659,7 @@ public boolean isOutClosed() {
      * Get why the sender side of the channel has been closed.
      * @return Close cause or {@code null} if the sender side is active.
      *         {@code null} result does not guarantee that the channel is actually operational.
-     * @since TODO
+     * @since 3.11
      */
     @CheckForNull
     public final Throwable getSenderCloseCause() {
@@ -631,7 +685,7 @@ public boolean isClosingOrClosed() {
      * @return {@link #outClosed} if not {@code null}, value of the transient cache
      *         {@link #closeRequestCause} otherwise. 
      *         The latter one may show random cause in the case of race conditions.
-     * @since TODO
+     * @since 3.11
      */
     @CheckForNull
     public Throwable getCloseRequestCause() {
@@ -659,9 +713,10 @@ private ExecutorService createPipeWriterExecutor() {
      * This is the lowest layer of abstraction in {@link Channel}.
      * {@link Command}s are executed on a remote system in the order they are sent.
      */
+    @SuppressFBWarnings(value = "VO_VOLATILE_INCREMENT", justification = "The method is synchronized, no other usages. See https://sourceforge.net/p/findbugs/bugs/1032/")
     /*package*/ synchronized void send(Command cmd) throws IOException {
         if(outClosed!=null)
-            throw new ChannelClosedException(outClosed);
+            throw new ChannelClosedException(this, outClosed);
         if(logger.isLoggable(Level.FINE))
             logger.fine("Send "+cmd);
 
@@ -675,7 +730,7 @@ private ExecutorService createPipeWriterExecutor() {
      */
     @Override
     public <T> T export(Class<T> type, T instance) {
-        return export(type, instance, true);
+        return export(type, instance, true, true, true);
     }
 
     /**
@@ -688,11 +743,12 @@ public <T> T export(Class<T> type, T instance) {
      *      used by {@link RemoteClassLoader}.
      *
      *      To create proxies for objects inside remoting, pass in false. 
+     * @param recordCreatedAt as in {@link Command#Command(boolean)}
      * @return Reference to the exported instance wrapped by {@link RemoteInvocationHandler}. 
      *      {@code null} if the input instance is {@code null}.     
      */
     @Nullable
-    /*package*/ <T> T export(Class<T> type, @CheckForNull T instance, boolean userProxy) {
+    /*package*/ <T> T export(Class<T> type, @CheckForNull T instance, boolean userProxy, boolean userScope, boolean recordCreatedAt) {
         if(instance==null) {
             return null;
         }
@@ -711,7 +767,7 @@ public <T> T export(Class<T> type, T instance) {
         // either local side will auto-unexport, or the remote side will unexport when it's GC-ed
         boolean autoUnexportByCaller = exportedObjects.isRecording();
         final int id = internalExport(type, instance, autoUnexportByCaller);
-        return RemoteInvocationHandler.wrap(null, id, type, userProxy, autoUnexportByCaller);
+        return RemoteInvocationHandler.wrap(null, id, type, userProxy, autoUnexportByCaller, userScope, recordCreatedAt);
     }
 
     /*package*/ <T> int internalExport(Class<T> clazz, T instance) {
@@ -735,18 +791,17 @@ public <T> T export(Class<T> type, T instance) {
         return exportedObjects.type(oid);
     }
 
-    /*package*/ void unexport(int id, Throwable cause) {
-        unexport(id, cause, true);
+    /*package*/ void unexport(int id, @CheckForNull Throwable cause) {
+        unexport(id, cause, false);
     }
     
     /**
      * Unexports object.
      * @param id Object ID
      * @param cause Stacktrace pf the object creation call
-     * @param severeErrorIfMissing Consider missing object as {@link #SEVERE} error. {@link #FINE} otherwise
-     * @since TODO
+     * @param severeErrorIfMissing Consider missing object as {@code SEVERE} error. {@code FINE} otherwise
      */
-    /*package*/ void unexport(int id, Throwable cause, boolean severeErrorIfMissing) {
+    /*package*/ void unexport(int id, @CheckForNull Throwable cause, boolean severeErrorIfMissing) {
         exportedObjects.unexportByOid(id, cause, severeErrorIfMissing);
     }
 
@@ -838,9 +893,12 @@ public boolean preloadJar(ClassLoader local, URL... jars) throws IOException, In
 
     /**
      * If this channel is built with jar file caching, return the object that manages this cache.
+     * @return JAR Cache object. {@code null} if JAR caching is disabled
      * @since 2.24
+     * @since 3.10 JAR Cache is Nonnull
+     * @since 3.12 JAR Cache made nullable again due to <a href="https://issues.jenkins-ci.org/browse/JENKINS-45755">JENKINS-45755</a>
      */
-    @Nonnull
+    @CheckForNull
     public JarCache getJarCache() {
         return jarCache;
     }
@@ -851,6 +909,9 @@ public JarCache getJarCache() {
      *
      * So to best avoid performance loss due to race condition, please set a JarCache in the constructor,
      * unless your call sequence guarantees that you call this method before remote classes are loaded.
+     *
+     * @param jarCache New JAR Cache to be used.
+     *                 Cannot be {@code null}, JAR Cache disabling on a running channel is not supported.
      * @since 2.24
      */
     public void setJarCache(@Nonnull JarCache jarCache) {
@@ -892,18 +953,16 @@ V call(Callable<V,T> callable) throws IOException, T, InterruptedException {
         UserRequest<V,T> request=null;
         try {
             request = new UserRequest<V, T>(this, callable);
-            UserResponse<V,T> r = request.call(this);
+            UserRequest.ResponseToUserRequest<V, T> r = request.call(this);
             return r.retrieve(this, UserRequest.getClassLoader(callable));
 
         // re-wrap the exception so that we can capture the stack trace of the caller.
         } catch (ClassNotFoundException e) {
-            IOException x = new IOException("Remote call on "+name+" failed");
-            x.initCause(e);
-            throw x;
+            throw new IOException("Remote call on " + name + " failed", e);
         } catch (Error e) {
-            IOException x = new IOException("Remote call on "+name+" failed");
-            x.initCause(e);
-            throw x;
+            throw new IOException("Remote call on " + name + " failed", e);
+        } catch (SecurityException e) {
+            throw new IOException("Failed to deserialize response to " + request + ": " + e, e);
         } finally {
             // since this is synchronous operation, when the round trip is over
             // we assume all the exported objects are out of scope.
@@ -925,9 +984,10 @@ Future<V> callAsync(final Callable<V,T> callable) throws IOException {
                     + "The channel is closing down or has closed down", getCloseRequestCause());
         }
         
-        final Future<UserResponse<V,T>> f = new UserRequest<V,T>(this, callable).callAsync(this);
-        return new FutureAdapter<V,UserResponse<V,T>>(f) {
-            protected V adapt(UserResponse<V,T> r) throws ExecutionException {
+        final Future<UserRequest.ResponseToUserRequest<V, T>> f = new UserRequest<V, T>(this, callable).callAsync(this);
+        return new FutureAdapter<V, UserRequest.ResponseToUserRequest<V, T>>(f) {
+            @Override
+            protected V adapt(UserRequest.ResponseToUserRequest<V, T> r) throws ExecutionException {
                 try {
                     return r.retrieve(Channel.this, UserRequest.getClassLoader(callable));
                 } catch (Throwable t) {// really means catch(T t)
@@ -996,7 +1056,7 @@ public void terminate(@Nonnull IOException e) {
             } // JENKINS-14909: leave synch block
         } finally {
             if (e instanceof OrderlyShutdown) e = null;
-            for (Listener l : listeners.toArray(new Listener[0])) {
+            for (Listener l : listeners) {
                 try {
                     l.onClosed(this, e);
                 } catch (Throwable t) {
@@ -1115,7 +1175,7 @@ public void setRestricted(boolean b) {
     }
 
     /**
-     * @since TODO
+     * @since 2.47
      */
     public boolean isRemoteClassLoadingAllowed() {
         return remoteClassLoadingAllowed;
@@ -1124,14 +1184,14 @@ public boolean isRemoteClassLoadingAllowed() {
     /**
      * Controls whether or not this channel is willing to load classes from the other side.
      * The default is on.
-     * @since TODO
+     * @since 2.47
      */
     public void setRemoteClassLoadingAllowed(boolean b) {
         this.remoteClassLoadingAllowed = b;
     }
 
     /**
-     * @since TODO
+     * @since 2.47
      */
     public boolean isArbitraryCallableAllowed() {
         return arbitraryCallableAllowed;
@@ -1139,7 +1199,7 @@ public boolean isArbitraryCallableAllowed() {
 
     /**
      * @see ChannelBuilder#withArbitraryCallableAllowed(boolean)
-     * @since TODO
+     * @since 2.47
      */
     public void setArbitraryCallableAllowed(boolean b) {
         this.arbitraryCallableAllowed = b;
@@ -1167,7 +1227,7 @@ private static final class SetMaximumBytecodeLevel implements Callable<Void,Runt
             this.level = level;
         }
         public Void call() throws RuntimeException {
-            Channel.current().maximumBytecodeLevel = level;
+            Channel.currentOrFail().maximumBytecodeLevel = level;
             return null;
         }
 
@@ -1219,7 +1279,7 @@ protected void execute(Channel channel) {
 
         @Override
         public String toString() {
-            return "close";
+            return "Close";
         }
 
         // this value is compatible with remoting < 2.8. I made an incompatible change in 2.8 that got corrected in 2.11.
@@ -1231,9 +1291,8 @@ public String toString() {
      * where the termination was initiated as a nested exception.
      */
     private static final class OrderlyShutdown extends IOException {
-        private OrderlyShutdown(Throwable cause) {
-            super(cause.getMessage());
-            initCause(cause);
+        private OrderlyShutdown(@CheckForNull  Throwable cause) {
+            super(cause);
         }
         private static final long serialVersionUID = 1L;
     }
@@ -1335,8 +1394,7 @@ public void dumpDiagnostics(@Nonnull PrintWriter w) throws IOException {
         w.printf("  Last command sent=%s%n", new Date(lastCommandSentAt));
         w.printf("  Last command received=%s%n", new Date(lastCommandReceivedAt));
         
-        // TODO: Update after the merge to 3.x branch, where the Hashtable is going to be replaced as a part of
-        // https://github.com/jenkinsci/remoting/pull/109
+        // TODO: Synchronize when Hashtable gets replaced by a modern collection.
         w.printf("  Pending calls=%d%n", pendingCalls.size());
     }
 
@@ -1405,6 +1463,7 @@ public void close(@CheckForNull Throwable diagnosis) throws IOException {
         // termination is done by CloseCommand when we received it.
     }
 
+    //TODO: ideally waitForProperty() methods should get rid of the notify-driven implementation
     /**
      * Gets the application specific property set by {@link #setProperty(Object, Object)}.
      * These properties are also accessible from the remote channel via {@link #getRemoteProperty(Object)}.
@@ -1413,7 +1472,10 @@ public void close(@CheckForNull Throwable diagnosis) throws IOException {
      * This mechanism can be used for one side to discover contextual objects created by the other JVM
      * (as opposed to executing {@link Callable}, which cannot have any reference to the context
      * of the remote {@link Channel}.
+     * @param key Key
+     * @return The property or {@code null} if there is no property for the specified key
      */
+    @Override
     public Object getProperty(Object key) {
         return properties.get(key);
     }
@@ -1425,23 +1487,41 @@ public <T> T getProperty(ChannelProperty<T> key) {
     /**
      * Works like {@link #getProperty(Object)} but wait until some value is set by someone.
      *
+     * @param key Property key
      * @throws IllegalStateException
      *      if the channel is closed. The idea is that channel properties are expected to be the coordination
      *      mechanism between two sides of the channel, and this method in particular is a way of one side
      *      to wait for the set by the other side of the channel (via {@link #waitForRemoteProperty(Object)}.
      *      If we don't abort after the channel shutdown, this method will block forever.
      */
-    public synchronized Object waitForProperty(Object key) throws InterruptedException {
-        while(true) {
-            Object v = properties.get(key);
-            if(v!=null) return v;
+    @Nonnull
+    public Object waitForProperty(@Nonnull Object key) throws InterruptedException {
 
-            if (isInClosed())
-                throw (IllegalStateException)new IllegalStateException("Channel was already closed").initCause(inClosed);
-            if (isOutClosed())
-                throw (IllegalStateException)new IllegalStateException("Channel was already closed").initCause(outClosed);
+        // There is no need to acquire the channel lock if the property is already set
+        Object prop = properties.get(key);
+        if(prop!=null) {
+            return prop;
+        }
 
-            wait();
+        // TODO: Does it make sense to execute this thing when the channel is closing?
+        if (isInClosed())
+            throw new IllegalStateException("Channel was already closed", inClosed);
+        if (isOutClosed())
+            throw new IllegalStateException("Channel was already closed", outClosed);
+
+        while (true) {
+            // Now we wait till setProperty() notifies us (in a cycle)
+            synchronized(this) {
+                if (isInClosed()) {
+                    throw new IllegalStateException("Channel was already closed", inClosed);
+                } else if (isOutClosed()) {
+                    throw new IllegalStateException("Channel was already closed", outClosed);
+                } else {
+                    wait(1000);
+                }
+            }
+            Object v = properties.get(key);
+            if (v != null) return v;
         }
     }
 
@@ -1451,13 +1531,26 @@ public <T> T waitForProperty(ChannelProperty<T> key) throws InterruptedException
 
     /**
      * Sets the property value on this side of the channel.
-     * 
+     * @param key Property key
+     * @param value Value to set. {@code null} removes the existing entry without adding a new one.
+     * @return Old property value or {@code null} if it was not set
      * @see #getProperty(Object)
      */
-    public synchronized Object setProperty(Object key, Object value) {
-        Object old = value!=null ? properties.put(key, value) : properties.remove(key);
-        notifyAll();
-        return old;
+    @CheckForNull
+    public Object setProperty(@Nonnull Object key, @CheckForNull Object value) {
+        if (value == null) {
+            // We do not need to notify listeners here, the only use-case is
+            // Channel#waitForProperty(), which cares about defined properties only
+            return properties.remove(key);
+        }
+
+        synchronized (this) {
+            // TODO: Oleg Nenashev: I believe that the synchronization logic should be removed at all
+            // and probably replaced by async timed polling in waitForProperty() or by a Future implementation.
+            Object old = properties.put(key, value);
+            notifyAll();
+            return old;
+        }
     }
 
     public <T> T setProperty(ChannelProperty<T> key, T value) {
@@ -1530,6 +1623,7 @@ public OutputStream getUnderlyingOutput() {
      * @param forwardPort
      *      The remote port that the connection will be forwarded to.
      * @return
+     *      Created {@link PortForwarder}
      */
     public ListeningPort createLocalToRemotePortForwarding(int recvPort, String forwardHost, int forwardPort) throws IOException, InterruptedException {
         PortForwarder portForwarder = new PortForwarder(recvPort,
@@ -1552,6 +1646,7 @@ public ListeningPort createLocalToRemotePortForwarding(int recvPort, String forw
      * @param forwardPort
      *      The remote port that the connection will be forwarded to.
      * @return
+     *      Created {@link PortForwarder}.
      */
     public ListeningPort createRemoteToLocalPortForwarding(int recvPort, String forwardHost, int forwardPort) throws IOException, InterruptedException {
         return PortForwarder.create(this,recvPort,
@@ -1622,8 +1717,9 @@ public void run() {
     }
 
     private static final class IOSyncer implements Callable<Object, InterruptedException> {
+        @Override
         public Object call() throws InterruptedException {
-            Channel.current().syncLocalIO();
+            Channel.currentOrFail().syncLocalIO();
             return null;
         }
 
@@ -1644,16 +1740,16 @@ public void checkRoles(RoleChecker checker) throws SecurityException {
      * Decorates the stack elements of the given {@link Throwable} by adding the call site information.
      */
     /*package*/ void attachCallSiteStackTrace(Throwable t) {
-        Exception e = new Exception();
-        StackTraceElement[] callSite = e.getStackTrace();
-        StackTraceElement[] original = t.getStackTrace();
-
-        StackTraceElement[] combined = new StackTraceElement[original.length+1+callSite.length];
-        System.arraycopy(original,0,combined,0,original.length); // original stack trace at the top
-        combined[original.length] = new StackTraceElement(".....","remote call to "+name,null,-2);
-        System.arraycopy(callSite,0,combined,original.length+1,callSite.length);
+        t.addSuppressed(new CallSiteStackTrace(name));
+    }
 
-        t.setStackTrace(combined);
+    /**
+     * Dummy exception indicating the stacktrace on calling side of channel for remote exception for ease of debugging.
+     */
+    private static final class CallSiteStackTrace extends Exception {
+        public CallSiteStackTrace(String message) {
+            super("Remote call to " + message);
+        }
     }
 
     public String getName() {
@@ -1708,6 +1804,24 @@ public static Channel current() {
         return CURRENT.get();
     }
 
+    /**
+     * Gets current channel or fails with {@link IllegalStateException}.
+     *
+     * @return Current channel
+     * @throws IllegalStateException the calling thread has no associated channel.
+     * @since 3.14
+     * @see org.jenkinsci.remoting.SerializableOnlyOverRemoting
+     */
+    @Nonnull
+    public static Channel currentOrFail() throws IllegalStateException {
+        final Channel ch = CURRENT.get();
+        if (ch == null) {
+            final Thread t = Thread.currentThread();
+            throw new IllegalStateException("The calling thread " + t + " has no associated channel");
+        }
+        return ch;
+    }
+
     // TODO: Unrestrict after the merge into the master.
     // By now one may use it via the reflection logic only
     /**
@@ -1753,6 +1867,71 @@ public static void dumpDiagnosticsForAll(@Nonnull PrintWriter w) {
         }
     }
 
+    /**
+     * Notification that {@link Command#readFrom} has succeeded.
+     * @param cmd the resulting command
+     * @param blockSize the serialized size of the command
+     * @see CommandListener
+     */
+    void notifyRead(Command cmd, long blockSize) {
+        for (Listener listener : listeners) {
+            try {
+                listener.onRead(this, cmd, blockSize);
+            } catch (Throwable x) {
+                logger.log(Level.WARNING, null, x);
+            }
+        }
+    }
+
+    /**
+     * Notification that {@link Command#writeTo} has succeeded.
+     * @param cmd the command passed in
+     * @param blockSize the serialized size of the command
+     * @see CommandListener
+     */
+    void notifyWrite(Command cmd, long blockSize) {
+        for (Listener listener : listeners) {
+            try {
+                listener.onWrite(this, cmd, blockSize);
+            } catch (Throwable x) {
+                logger.log(Level.WARNING, null, x);
+            }
+        }
+    }
+
+    /**
+     * Notification that a {@link Response} has been received.
+     * @param req the original request
+     * @param rsp the resulting response
+     * @param totalTime the total time in nanoseconds taken to service the request
+     * @see CommandListener
+     */
+    void notifyResponse(Request<?, ?> req, Response<?, ?> rsp, long totalTime) {
+        for (Listener listener : listeners) {
+            try {
+                listener.onResponse(this, req, rsp, totalTime);
+            } catch (Throwable x) {
+                logger.log(Level.WARNING, null, x);
+            }
+        }
+    }
+
+    /**
+     * Notification that a JAR file will be delivered to the remote side.
+     * @param jar the JAR file from which code is being loaded remotely
+     * @see CommandListener
+     */
+    void notifyJar(File jar) {
+        for (Listener listener : listeners) {
+            try {
+                listener.onJar(this, jar);
+            } catch (Throwable x) {
+                logger.log(Level.WARNING, null, x);
+            }
+        }
+    }
+
+
     /**
      * Remembers the current "channel" associated for this thread.
      */
@@ -1809,7 +1988,7 @@ protected int[] initialValue() {
 
     /**
      * A reference for the {@link Channel} that can be cleared out on {@link #close()}/{@link #terminate(IOException)}.
-     * Could probably be replaced with {@link AtomicReference} but then we would not retain the only change being
+     * Could probably be replaced with {@link java.util.concurrent.atomic.AtomicReference} but then we would not retain the only change being
      * from valid channel to {@code null} channel semantics of this class.
      * @since 2.52
      * @see #reference
@@ -1818,7 +1997,7 @@ protected int[] initialValue() {
         
         /**
          * Cached name of the channel.
-         * @see {@link Channel#getName()}
+         * @see Channel#getName()
          */
         @Nonnull
         private final String name;
diff --git a/src/main/java/hudson/remoting/ChannelBuilder.java b/src/main/java/hudson/remoting/ChannelBuilder.java
index 242e784b7..d92307a30 100644
--- a/src/main/java/hudson/remoting/ChannelBuilder.java
+++ b/src/main/java/hudson/remoting/ChannelBuilder.java
@@ -21,12 +21,14 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.Hashtable;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.Executor;
 import java.util.concurrent.ExecutorService;
 import javax.annotation.CheckForNull;
+import org.jenkinsci.remoting.util.AnonymousClassWarnings;
 
 /**
  * Factory for {@link Channel}, including hand-shaking between two sides
@@ -46,6 +48,7 @@ public class ChannelBuilder {
     private ClassLoader base = this.getClass().getClassLoader();
     private Mode mode = Mode.NEGOTIATE;
     private Capability capability = new Capability();
+    @CheckForNull
     private OutputStream header;
     @CheckForNull
     private JarCache jarCache;
@@ -123,11 +126,12 @@ public Capability getCapability() {
      * when the established communication channel might include some data that might
      * be useful for debugging/trouble-shooting.
      */
-    public ChannelBuilder withHeaderStream(OutputStream header) {
+    public ChannelBuilder withHeaderStream(@CheckForNull OutputStream header) {
         this.header = header;
         return this;
     }
 
+    @CheckForNull
     public OutputStream getHeaderStream() {
         return header;
     }
@@ -159,7 +163,7 @@ public boolean isRestricted() {
      * but not {@link Channel#call(Callable)} (and its family of methods.)
      *
      * The default is {@code true}.
-     * @since TODO
+     * @since 2.47
      */
     public ChannelBuilder withArbitraryCallableAllowed(boolean b) {
         this.arbitraryCallableAllowed = b;
@@ -167,7 +171,7 @@ public ChannelBuilder withArbitraryCallableAllowed(boolean b) {
     }
 
     /**
-     * @since TODO
+     * @since 2.47
      */
     public boolean isArbitraryCallableAllowed() {
         return arbitraryCallableAllowed;
@@ -176,7 +180,7 @@ public boolean isArbitraryCallableAllowed() {
     /**
      * Controls whether or not this channel is willing to load classes from the other side.
      * The default is {@code true}.
-     * @since TODO
+     * @since 2.47
      */
     public ChannelBuilder withRemoteClassLoadingAllowed(boolean b) {
         this.remoteClassLoadingAllowed = b;
@@ -184,7 +188,7 @@ public ChannelBuilder withRemoteClassLoadingAllowed(boolean b) {
     }
 
     /**
-     * @since TODO
+     * @since 2.47
      */
     public boolean isRemoteClassLoadingAllowed() {
         return remoteClassLoadingAllowed;
@@ -192,18 +196,51 @@ public boolean isRemoteClassLoadingAllowed() {
 
     /**
      * Sets the JAR cache storage.
-     * @param jarCache JAR Cache to be used. If {@code null}, a default value will be used by the {@link Channel}
+     * @param jarCache JAR Cache to be used. If a deprecated {@code null} value is passed,
+     *                 the behavior will be determined by the {@link Channel} implementation.
      * @return {@code this}
+     * @since 2.38
+     * @since 3.12 {@code null} parameter value is deprecated.
+     *        {@link #withoutJarCache()} or {@link #withJarCacheOrDefault(JarCache)} should be used instead.
      */
-    public ChannelBuilder withJarCache(@CheckForNull JarCache jarCache) {
+    public ChannelBuilder withJarCache(@Nonnull JarCache jarCache) {
         this.jarCache = jarCache;
         return this;
     }
 
+    /**
+     * Sets the JAR cache storage.
+     * @param jarCache JAR Cache to be used.
+     *                 If {@code null}, value of {@link JarCache#getDefault()} will be used.
+     * @return {@code this}
+     * @since 3.12
+     * @throws IOException Default JAR Cache location cannot be initialized
+     */
+    public ChannelBuilder withJarCacheOrDefault(@CheckForNull JarCache jarCache) throws IOException {
+        try {
+            this.jarCache = jarCache != null ? jarCache : JarCache.getDefault();
+        } catch (IOException ioe) {
+            LOGGER.log(Level.WARNING, "Could not create jar cache. Running without cache.", ioe);
+        }
+        return this;
+    }
+
+    /**
+     * Resets JAR Cache setting to the default.
+     * The behavior will be determined by the {@link Channel} implementation.
+     *
+     * @since 3.12
+     */
+    public ChannelBuilder withoutJarCache() {
+        this.jarCache = null;
+        return this;
+    }
+
     /**
      * Gets the JAR Cache storage.
      * @return {@code null} if it is not defined.
-     *         {@link Channel} implementation should use a default cache value then.
+     *         {@link Channel} implementation defines the behavior in such case.
+     * @since 2.38
      */
     @CheckForNull
     public JarCache getJarCache() {
@@ -221,7 +258,7 @@ public List<CallableDecorator> getDecorators() {
 
     /**
      * Convenience method to install {@link RoleChecker} that verifies against the fixed set of roles.
-     * @since TODO
+     * @since 2.47
      */
     public ChannelBuilder withRoles(Role... roles) {
         return withRoles(Arrays.asList(roles));
@@ -229,7 +266,7 @@ public ChannelBuilder withRoles(Role... roles) {
 
     /**
      * Convenience method to install {@link RoleChecker} that verifies against the fixed set of roles.
-     * @since TODO
+     * @since 2.47
      */
     public ChannelBuilder withRoles(final Collection<? extends Role> actual) {
         return withRoleChecker(new RoleChecker() {
@@ -246,7 +283,7 @@ public void check(RoleSensitive subject, @Nonnull Collection<Role> expected) {
 
     /**
      * Installs another {@link RoleChecker}.
-     * @since TODO
+     * @since 2.47
      */
     public ChannelBuilder withRoleChecker(final RoleChecker checker) {
         return with(new CallableDecorator() {
@@ -269,7 +306,7 @@ public <V, T extends Throwable> Callable<V, T> userRequest(Callable<V, T> op, Ca
      * Properties are modifiable after {@link Channel} is created, but a property set
      * during channel building is guaranteed to be visible to the other side as soon
      * as the channel is established.
-     * @since TODO
+     * @since 2.47
      */
     public ChannelBuilder withProperty(Object key, Object value) {
         properties.put(key,value);
@@ -277,17 +314,17 @@ public ChannelBuilder withProperty(Object key, Object value) {
     }
 
     /**
-     * @since TODO
+     * @since 2.47
      */
     public <T> ChannelBuilder withProperty(ChannelProperty<T> key, T value) {
         return withProperty((Object) key, value);
     }
 
     /**
-     * @since TODO
+     * @since 2.47
      */
     public Map<Object,Object> getProperties() {
-        return properties;
+        return Collections.unmodifiableMap(properties);
     }
 
     /**
@@ -440,7 +477,7 @@ protected CommandTransport makeTransport(InputStream is, OutputStream os, Mode m
         if (cap.supportsChunking())
             return new ChunkedCommandTransport(cap, mode.wrap(fis), mode.wrap(os), os);
         else {
-            ObjectOutputStream oos = new ObjectOutputStream(mode.wrap(os));
+            ObjectOutputStream oos = AnonymousClassWarnings.checkingObjectOutputStream(mode.wrap(os));
             oos.flush();    // make sure that stream preamble is sent to the other end. avoids dead-lock
 
             return new ClassicCommandTransport(
diff --git a/src/main/java/hudson/remoting/ChannelClosedException.java b/src/main/java/hudson/remoting/ChannelClosedException.java
index 448dae76d..177aecc85 100644
--- a/src/main/java/hudson/remoting/ChannelClosedException.java
+++ b/src/main/java/hudson/remoting/ChannelClosedException.java
@@ -1,5 +1,7 @@
 package hudson.remoting;
 
+import org.jenkinsci.remoting.ChannelStateException;
+
 import java.io.IOException;
 import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
@@ -9,7 +11,7 @@
  *
  * @author Kohsuke Kawaguchi
  */
-public class ChannelClosedException extends IOException {
+public class ChannelClosedException extends ChannelStateException {
     /**
      * @deprecated
      *      Use {@link #ChannelClosedException(Throwable)} or {@link #ChannelClosedException(java.lang.String, java.lang.Throwable)}.
@@ -17,11 +19,25 @@ public class ChannelClosedException extends IOException {
      */
     @Deprecated
     public ChannelClosedException() {
-        super("channel is already closed");
+        this(null, "channel is already closed", null);
     }
 
+    /**
+     * @deprecated Use {@link #ChannelClosedException(Channel, Throwable)}
+     */
+    @Deprecated
     public ChannelClosedException(Throwable cause) {
-        super("channel is already closed", cause);
+        this((Channel) null, cause);
+    }
+
+    /**
+     * Constructor.
+     * @param channel Reference to the channel. {@code null} if the channel is unknown.
+     * @param cause Cause
+     * @since TODO
+     */
+    public ChannelClosedException(@CheckForNull Channel channel, @CheckForNull Throwable cause) {
+        super(channel, "channel is already closed", cause);
     }
     
     /**
@@ -30,9 +46,24 @@ public ChannelClosedException(Throwable cause) {
      * @param message Message
      * @param cause Cause of the channel close/termination. 
      *              May be {@code null} if it cannot be determined when the exception is constructed.
-     * @since TODO
+     * @since 3.11
+     * @deprecated Use {@link #ChannelClosedException(Channel, String, Throwable)}
      */
+    @Deprecated
     public ChannelClosedException(@Nonnull String message, @CheckForNull Throwable cause) {
-        super(message, cause);
+        this(null, message, cause);
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param channel Reference to the channel. {@code null} if the channel is unknown.
+     * @param message Message
+     * @param cause Cause of the channel close/termination.
+     *              May be {@code null} if it cannot be determined when the exception is constructed.
+     * @since TODO
+     */
+    public ChannelClosedException(@CheckForNull Channel channel, @Nonnull String message, @CheckForNull Throwable cause) {
+        super(channel, message, cause);
     }
 }
diff --git a/src/main/java/hudson/remoting/ChunkedOutputStream.java b/src/main/java/hudson/remoting/ChunkedOutputStream.java
index d5285b22b..2a1cd0ed7 100644
--- a/src/main/java/hudson/remoting/ChunkedOutputStream.java
+++ b/src/main/java/hudson/remoting/ChunkedOutputStream.java
@@ -30,10 +30,6 @@ public ChunkedOutputStream(int frameSize, OutputStream base) {
         this.base = base;
     }
 
-    private int frameSize() {
-        return buf.length;
-    }
-
     /**
      * How many more bytes can our buffer take?
      */
diff --git a/src/main/java/hudson/remoting/ClassFilter.java b/src/main/java/hudson/remoting/ClassFilter.java
index 14d86d56f..9fed64884 100644
--- a/src/main/java/hudson/remoting/ClassFilter.java
+++ b/src/main/java/hudson/remoting/ClassFilter.java
@@ -15,41 +15,67 @@
 import java.util.regex.PatternSyntaxException;
 
 import javax.annotation.CheckForNull;
+import javax.annotation.Nonnull;
+import org.jenkinsci.remoting.util.AnonymousClassWarnings;
 
 /**
  * Restricts what classes can be received through remoting.
- *
+ * The same filter is also applied by Jenkins core for XStream serialization.
  * @author Kohsuke Kawaguchi
  * @since 2.53
  */
 public abstract class ClassFilter {
     /**
-     * Property to set to <b>override</b> the blacklist used by {{@link #DEFAULT} with a different set.
+     * Property to set to <b>override</b> the blacklist used by {@link #STANDARD} with a different set.
      * The location should point to a a file containing regular expressions (one per line) of classes to blacklist.
      * If this property is set but the file can not be read the default blacklist will be used.
      * @since 2.53.2
+     * @deprecated use {@link #setDefault} as needed
      */
+    @Deprecated
     public static final String FILE_OVERRIDE_LOCATION_PROPERTY = "hudson.remoting.ClassFilter.DEFAULTS_OVERRIDE_LOCATION";
 
     private static final Logger LOGGER = Logger.getLogger(ClassFilter.class.getName());
 
-    protected boolean isBlacklisted(String name) {
+    /**
+     * Whether a given class should be blocked, before even attempting to load that class.
+     * @param name {@link Class#getName}
+     * @return false by default; override to return true to blacklist this class
+     */
+    public boolean isBlacklisted(@Nonnull String name) {
         return false;
     }
 
-    protected boolean isBlacklisted(Class c) {
+    /**
+     * Whether a given class should be blocked, after having loaded that class.
+     * @param c a loaded class
+     * @return false by default; override to return true to blacklist this class
+     */
+    public boolean isBlacklisted(@Nonnull Class c) {
         return false;
     }
 
+    /**
+     * API version of {@link #isBlacklisted(String)} SPI.
+     * @return the same {@code name}
+     * @throws SecurityException if it is blacklisted
+     */
 	public final String check(String name) {
-		if (isBlacklisted(name))
-			throw new SecurityException("Rejected: " +name);
+        if (isBlacklisted(name)) {
+            throw new SecurityException("Rejected: " + name + "; see https://jenkins.io/redirect/class-filter/");
+        }
 		return name;
 	}
 
+    /**
+     * API version of {@link #isBlacklisted(Class)} SPI.
+     * @return the same {@code c}
+     * @throws SecurityException if it is blacklisted
+     */
 	public final Class check(Class c) {
-		if (isBlacklisted(c))
-			throw new SecurityException("Rejected: " +c.getName());
+        if (isBlacklisted(c)) {
+            throw new SecurityException("Rejected: " + c.getName() + "; see https://jenkins.io/redirect/class-filter/");
+        }
 		return c;
 	}
 
@@ -62,11 +88,13 @@ public final Class check(Class c) {
         "^com[.]sun[.]javafx[.].*",
         "^com[.]sun[.]org[.]apache[.]regex[.]internal[.].*",
         "^java[.]awt[.].*",
+        "^java[.]lang[.]reflect[.]Method$",
         "^java[.]rmi[.].*",
         "^javax[.]management[.].*",
         "^javax[.]naming[.].*",
         "^javax[.]script[.].*",
         "^javax[.]swing[.].*",
+        "^net[.]sf[.]json[.].*",
         "^org[.]apache[.]commons[.]beanutils[.].*",
         "^org[.]apache[.]commons[.]collections[.]functors[.].*",
         "^org[.]apache[.]myfaces[.].*",
@@ -79,37 +107,66 @@ public final Class check(Class c) {
         "^sun[.]rmi[.].*",
         "^javax[.]imageio[.].*",
         "^java[.]util[.]ServiceLoader$",
-        "^java[.]net[.]URLClassLoader$"
+        "^java[.]net[.]URLClassLoader$",
+        "^java[.]security[.]SignedObject$"
     };
 
     /**
-     * A set of sensible default filtering rules to apply,
-     * unless the context guarantees the trust between two channels.
+     * The currently used default.
+     * Defaults to {@link #STANDARD}.
      */
-    public static final ClassFilter DEFAULT;
+    public static final ClassFilter DEFAULT = new ClassFilter() {
+        @Override
+        public boolean isBlacklisted(Class c) {
+            return CURRENT_DEFAULT.isBlacklisted(c);
+        }
+        @Override
+        public boolean isBlacklisted(String name) {
+            return CURRENT_DEFAULT.isBlacklisted(name);
+        }
+    };
+
+    private static @Nonnull ClassFilter CURRENT_DEFAULT;
+
+    /**
+     * Changes the effective value of {@link #DEFAULT}.
+     * @param filter a new default to set; may or may not delegate to {@link STANDARD}
+     * @since 3.16
+     */
+    public static void setDefault(@Nonnull ClassFilter filter) {
+        CURRENT_DEFAULT = filter;
+    }
+
+    /**
+     * A set of sensible default filtering rules to apply, based on a configurable blacklist.
+     */
+    public static final ClassFilter STANDARD;
 
     static {
         try {
-            DEFAULT = createDefaultInstance();
+            STANDARD = createDefaultInstance();
         } catch (ClassFilterException ex) {
             LOGGER.log(Level.SEVERE, "Default class filter cannot be initialized. Remoting will not start", ex);
             throw new ExceptionInInitializerError(ex);
         }
+        CURRENT_DEFAULT = STANDARD;
     }
 
     /**
-     * Adds an additional exclusion to {@link #DEFAULT}.
+     * Adds an additional exclusion to {@link #STANDARD}.
      * 
      * Does nothing if the default list has already been customized via {@link #FILE_OVERRIDE_LOCATION_PROPERTY}.
      * This API is not supposed to be used anywhere outside Jenkins core, calls for other sources may be rejected later.
      * @param filter a regular expression for {@link Class#getName} which, if matched according to {@link Matcher#matches}, will blacklist the class
      * @throws ClassFilterException Filter pattern cannot be applied.
      *                              It means either unexpected processing error or rejection by the internal logic.
-     * @since TODO
+     * @since 3.11
+     * @deprecated use {@link #setDefault} as needed
      */
+    @Deprecated
     public static void appendDefaultFilter(Pattern filter) throws ClassFilterException {
         if (System.getProperty(FILE_OVERRIDE_LOCATION_PROPERTY) == null) {
-            ((RegExpClassFilter) DEFAULT).add(filter.toString());
+            ((RegExpClassFilter) STANDARD).add(filter.toString());
         }
     }
 
@@ -217,17 +274,18 @@ void add(String pattern) throws ClassFilterException {
                 // this is a simple startsWith test, no need to slow things down with a regex
                 blacklistPatterns.add(pattern.substring(3, pattern.length() - 4));
             } else {
+                final Pattern regex;
                 try {
-                    Pattern regex = Pattern.compile(pattern);
+                    regex = Pattern.compile(pattern);
                 } catch (PatternSyntaxException ex) {
                     throw new ClassFilterException("Cannot add RegExp class filter", ex);
                 }
-                blacklistPatterns.add(Pattern.compile(pattern));
+                blacklistPatterns.add(regex);
             }
         }
 
         @Override
-        protected boolean isBlacklisted(String name) {
+        public boolean isBlacklisted(String name) {
             for (Object p : blacklistPatterns) {
                 if (p instanceof Pattern && ((Pattern)p).matcher(name).matches()) {
                     return true;
@@ -238,6 +296,12 @@ protected boolean isBlacklisted(String name) {
             return false;
         }
 
+        @Override
+        public boolean isBlacklisted(Class c) {
+            AnonymousClassWarnings.check(c);
+            return false;
+        }
+
         /**
          * Report the patterns that it's using to help users verify the use of custom filtering rule
          * and inspect its content at runtime if necessary.
@@ -250,8 +314,10 @@ public String toString() {
 
     /**
      * Class for propagating exceptions in {@link ClassFilter}.
-     * @since TODO
+     * @since 3.11
+     * @deprecated Only used by deprecated {@link #appendDefaultFilter}.
      */
+    @Deprecated
     public static class ClassFilterException extends Exception {
 
         @CheckForNull
diff --git a/src/main/java/hudson/remoting/ClassLoaderHolder.java b/src/main/java/hudson/remoting/ClassLoaderHolder.java
index 08dbda8c8..b9c0f7653 100644
--- a/src/main/java/hudson/remoting/ClassLoaderHolder.java
+++ b/src/main/java/hudson/remoting/ClassLoaderHolder.java
@@ -1,11 +1,12 @@
 package hudson.remoting;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.remoting.RemoteClassLoader.IClassLoader;
+import org.jenkinsci.remoting.SerializableOnlyOverRemoting;
 
 import java.io.IOException;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
-import java.io.Serializable;
 import javax.annotation.CheckForNull;
 
 /**
@@ -14,7 +15,7 @@
  * @author Kohsuke Kawaguchi
  * @since 2.12
  */
-public class ClassLoaderHolder implements Serializable {
+public class ClassLoaderHolder implements SerializableOnlyOverRemoting {
     
     @CheckForNull
     private transient ClassLoader classLoader;
@@ -37,14 +38,16 @@ public void set(@CheckForNull ClassLoader classLoader) {
 
     private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
         IClassLoader proxy = (IClassLoader)ois.readObject();
-        classLoader = proxy==null ? null : Channel.current().importedClassLoaders.get(proxy);
+        classLoader = proxy==null ? null : getChannelForSerialization().importedClassLoaders.get(proxy);
     }
 
+    @SuppressFBWarnings(value = "DMI_NONSERIALIZABLE_OBJECT_WRITTEN", 
+            justification = "RemoteClassLoader.export() produces a serializable wrapper class")
     private void writeObject(ObjectOutputStream oos) throws IOException {
         if (classLoader==null)
             oos.writeObject(null);
         else {
-            IClassLoader proxy = RemoteClassLoader.export(classLoader, Channel.current());
+            IClassLoader proxy = RemoteClassLoader.export(classLoader, getChannelForSerialization());
             oos.writeObject(proxy);
         }
     }
diff --git a/src/main/java/hudson/remoting/ClassicCommandTransport.java b/src/main/java/hudson/remoting/ClassicCommandTransport.java
index b4858b396..58fbb233f 100644
--- a/src/main/java/hudson/remoting/ClassicCommandTransport.java
+++ b/src/main/java/hudson/remoting/ClassicCommandTransport.java
@@ -49,6 +49,7 @@ public Capability getRemoteCapability() throws IOException {
 
     public final void write(Command cmd, boolean last) throws IOException {
         cmd.writeTo(channel,oos);
+        // TODO notifyWrite using CountingOutputStream
         oos.flush();        // make sure the command reaches the other end.
 
         // unless this is the last command, have OOS and remote OIS forget all the objects we sent
@@ -67,7 +68,8 @@ public void closeWrite() throws IOException {
 
     public final Command read() throws IOException, ClassNotFoundException {
         try {
-            Command cmd = Command.readFrom(channel, ois);
+            Command cmd = Command.readFromObjectStream(channel, ois);
+            // TODO notifyRead using CountingInputStream
             if (rawIn!=null)
                 rawIn.clear();
             return cmd;
diff --git a/src/main/java/hudson/remoting/Command.java b/src/main/java/hudson/remoting/Command.java
index 4551d4762..483ec6cf8 100644
--- a/src/main/java/hudson/remoting/Command.java
+++ b/src/main/java/hudson/remoting/Command.java
@@ -23,12 +23,15 @@
  */
 package hudson.remoting;
 
+import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.io.Serializable;
 import java.util.concurrent.ExecutionException;
 import javax.annotation.CheckForNull;
+import javax.annotation.Nonnull;
 
 /**
  * One-way command to be sent over to the remote system and executed there.
@@ -41,20 +44,25 @@
  * need to have the definition of {@link Command}-implementation.
  * 
  * @author Kohsuke Kawaguchi
+ * @see hudson.remoting.Channel.Listener#onRead
+ * @see hudson.remoting.Channel.Listener#onWrite
+ * @since 3.17
  */
-abstract class Command implements Serializable {
+public abstract class Command implements Serializable {
     /**
      * This exception captures the stack trace of where the Command object is created.
-     * This is useful for diagnosing the error when command fails to execute on the remote peer. 
+     * This is useful for diagnosing the error when command fails to execute on the remote peer.
+     * {@code null} if the cause is not recorded.
      */
-    public final Exception createdAt;
+    @CheckForNull
+    final Exception createdAt;
 
-
-    protected Command() {
+    // Prohibited to subclass outside of this package.
+    Command() {
         this(true);
     }
 
-    protected Command(Channel channel, @CheckForNull Throwable cause) {
+    Command(Channel channel, @CheckForNull Throwable cause) {
         // Command object needs to be deserializable on the other end without requiring custom classloading,
         // so we wrap this in ProxyException
         this.createdAt = new Source(cause != null ? new ProxyException(cause) : null);
@@ -66,7 +74,7 @@ protected Command(Channel channel, @CheckForNull Throwable cause) {
      *      and cause/effect correlation hard in case of a failure, but it will reduce the amount of the data
      *      transferred.
      */
-    protected Command(boolean recordCreatedAt) {
+    Command(boolean recordCreatedAt) {
         if(recordCreatedAt)
             this.createdAt = new Source();
         else
@@ -80,8 +88,21 @@ protected Command(boolean recordCreatedAt) {
      *      The {@link Channel} of the remote system.
      * @throws ExecutionException Execution error
      */
-    protected abstract void execute(Channel channel) throws ExecutionException;
+    abstract void execute(Channel channel) throws ExecutionException;
+
+
+    /**
+     * Chains the {@link #createdAt} cause.
+     * It will happen if and only if cause recording is enabled.
+     * @param initCause Original Cause. {@code null} causes will be ignored
+     */
+    final void chainCause(@CheckForNull Throwable initCause) {
+        if (createdAt != null && initCause != null) {
+            createdAt.initCause(initCause);
+        }
+    }
       
+    /** Consider calling {@link Channel#notifyWrite} afterwards. */
     void writeTo(Channel channel, ObjectOutputStream oos) throws IOException {
         Channel old = Channel.setCurrent(channel);
         try {
@@ -90,8 +111,42 @@ void writeTo(Channel channel, ObjectOutputStream oos) throws IOException {
             Channel.setCurrent(old);
         }
     }
-    
-    static Command readFrom(Channel channel, ObjectInputStream ois) throws IOException, ClassNotFoundException {
+
+    /**
+     * Reads command from the specified payload.
+     * @param channel Channel
+     * @param payload Payload
+     * @return Read command
+     * @throws IOException Read exception
+     * @throws ClassNotFoundException Deserialization error: class not found
+     * @since TODO
+     */
+    public static Command readFrom(@Nonnull Channel channel, @Nonnull byte[] payload)
+            throws IOException, ClassNotFoundException {
+        return readFrom(channel, new ByteArrayInputStream(payload), payload.length);
+    }
+
+    /**
+     * Reads command from the specified payload.
+     * @param channel Channel
+     * @param istream Input stream
+     * @param payloadSize Payload size to be read. Used only for logging
+     * @return Read command
+     * @throws IOException Read exception
+     * @throws ClassNotFoundException Deserialization error: class not found
+     */
+    /*package*/ static Command readFrom(@Nonnull Channel channel, @Nonnull InputStream istream, int payloadSize)
+            throws IOException, ClassNotFoundException {
+        Command cmd = Command.readFromObjectStream(channel, new ObjectInputStreamEx(
+                istream,
+                channel.baseClassLoader,channel.classFilter));
+        channel.notifyRead(cmd, payloadSize);
+        return cmd;
+    }
+
+
+    /** Consider calling {@link Channel#notifyRead} afterwards. */
+    static Command readFromObjectStream(Channel channel, ObjectInputStream ois) throws IOException, ClassNotFoundException {
         Channel old = Channel.setCurrent(channel);
         try {
             return (Command)ois.readObject();
@@ -100,6 +155,23 @@ static Command readFrom(Channel channel, ObjectInputStream ois) throws IOExcepti
         }
     }
 
+    /**
+     * Obtains a diagnostic stack trace recording the point at which the command was created.
+     * This is not necessarily the point at which the command was delivered or run.
+     * Part of the stack trace might have been produced on a remote machine,
+     * in which case {@link ProxyException} may be used in place of the original.
+     * @return an information stack trace, or null if not recorded
+     */
+    public @CheckForNull Throwable getCreationStackTrace() {
+        return createdAt;
+    }
+
+    /**
+     * Should provide concise information useful for {@link hudson.remoting.Channel.Listener}.
+     */
+    @Override
+    public abstract String toString();
+
     private static final long serialVersionUID = 1L;
 
     private final class Source extends Exception {
diff --git a/src/main/java/hudson/remoting/CommandTransport.java b/src/main/java/hudson/remoting/CommandTransport.java
index f4884ce88..9a440cae9 100644
--- a/src/main/java/hudson/remoting/CommandTransport.java
+++ b/src/main/java/hudson/remoting/CommandTransport.java
@@ -43,23 +43,22 @@
  * {@link Command} objects need to be serialized and deseralized in a specific environment
  * so that {@link Command}s can access {@link Channel} that's using it. Because of this,
  * a transport needs to use {@link Command#writeTo(Channel, ObjectOutputStream)} and
- * {@link Command#readFrom(Channel, ObjectInputStream)}.
+ * {@link Command#readFromObjectStream(Channel, ObjectInputStream)} or
+ * {@link Command#readFrom(Channel, byte[])}.
  *
  * @author Kohsuke Kawaguchi
  * @since 2.13
  */
 public abstract class CommandTransport {
-    /**
-     * Package private so as not to allow direct subtyping (just yet.)
-     */
-    /*package*/ CommandTransport() {
+
+    protected CommandTransport() {
     }
 
     /**
      * SPI implemented by {@link Channel} so that the transport can pass the received command
      * to {@link Channel} for processing.
      */
-    static interface CommandReceiver {
+    protected static interface CommandReceiver {
         /**
          * Notifies the channel that a new {@link Command} was received from the other side.
          * 
@@ -71,8 +70,8 @@ static interface CommandReceiver {
          * concurrently.
          * 
          * @param cmd
-         *      The command received. This object must be read from {@link ObjectInputStream} via
-         *      {@link Command#readFrom(Channel, ObjectInputStream)}
+         *      The command received. This object must be read from the payload
+         *      using {@link Command#readFrom(Channel, byte[])}.
          */
         void handle(Command cmd);
         
@@ -142,7 +141,7 @@ static interface CommandReceiver {
      *      Informational flag that indicates that this is the last
      *      call of the {@link #write(Command, boolean)}.
      */
-    abstract void write(Command cmd, boolean last) throws IOException;
+    public abstract void write(Command cmd, boolean last) throws IOException;
 
     /**
      * Called to close the write side of the transport, allowing the underlying transport
diff --git a/src/main/java/hudson/remoting/DaemonThreadFactory.java b/src/main/java/hudson/remoting/DaemonThreadFactory.java
index bcd41b45c..5e0db36c8 100644
--- a/src/main/java/hudson/remoting/DaemonThreadFactory.java
+++ b/src/main/java/hudson/remoting/DaemonThreadFactory.java
@@ -1,14 +1,19 @@
 package hudson.remoting;
 
 import java.util.concurrent.ThreadFactory;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
 /**
  * @author Kohsuke Kawaguchi
  */
 public class DaemonThreadFactory implements ThreadFactory {
+    private static final Logger LOGGER = Logger.getLogger(DaemonThreadFactory.class.getName());
+
     public Thread newThread(Runnable r) {
-        Thread t = new Thread(r);
-        t.setDaemon(true);
-        return t;
+        Thread thread = new Thread(r);
+        thread.setDaemon(true);
+        thread.setUncaughtExceptionHandler((t, e) -> LOGGER.log(Level.SEVERE, "Unhandled exception in thread " + t, e));
+        return thread;
     }
 }
diff --git a/src/main/java/hudson/remoting/DiagnosedStreamCorruptionException.java b/src/main/java/hudson/remoting/DiagnosedStreamCorruptionException.java
index d660ef97a..c1bcdc356 100644
--- a/src/main/java/hudson/remoting/DiagnosedStreamCorruptionException.java
+++ b/src/main/java/hudson/remoting/DiagnosedStreamCorruptionException.java
@@ -1,8 +1,11 @@
 package hudson.remoting;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import java.io.PrintWriter;
 import java.io.StreamCorruptedException;
 import java.io.StringWriter;
+import java.util.Arrays;
+import javax.annotation.Nonnull;
 
 /**
  * Signals a {@link StreamCorruptedException} with some additional diagnostic information.
@@ -11,10 +14,15 @@
  */
 public class DiagnosedStreamCorruptionException extends StreamCorruptedException {
     private final Exception diagnoseFailure;
+    
+    @Nonnull
     private final byte[] readBack;
+    
+    @Nonnull
     private final byte[] readAhead;
 
-    DiagnosedStreamCorruptionException(Exception cause, Exception diagnoseFailure, byte[] readBack, byte[] readAhead) {
+    DiagnosedStreamCorruptionException(Exception cause, Exception diagnoseFailure, 
+            @Nonnull byte[] readBack, @Nonnull byte[] readAhead) {
         initCause(cause);
         this.diagnoseFailure = diagnoseFailure;
         this.readBack = readBack;
@@ -25,12 +33,14 @@ public Exception getDiagnoseFailure() {
         return diagnoseFailure;
     }
 
+    @Nonnull
     public byte[] getReadBack() {
-        return readBack;
+        return readBack.clone();
     }
-
+  
+    @Nonnull
     public byte[] getReadAhead() {
-        return readAhead;
+        return readAhead.clone();
     }
 
     @Override
diff --git a/src/main/java/hudson/remoting/Engine.java b/src/main/java/hudson/remoting/Engine.java
index 474172447..0f1b92ed3 100644
--- a/src/main/java/hudson/remoting/Engine.java
+++ b/src/main/java/hudson/remoting/Engine.java
@@ -23,15 +23,11 @@
  */
 package hudson.remoting;
 
-import edu.umd.cs.findbugs.annotations.Nullable;
-import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.remoting.Channel.Mode;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
-import java.io.FileOutputStream;
 import java.io.IOException;
-import java.io.PrintStream;
 import java.net.Socket;
 import java.net.URL;
 import java.nio.file.Path;
@@ -80,7 +76,7 @@
 import org.jenkinsci.remoting.util.KeyUtils;
 
 /**
- * Slave agent engine that proactively connects to Jenkins master.
+ * Agent engine that proactively connects to Jenkins master.
  *
  * @author Kohsuke Kawaguchi
  */
@@ -92,14 +88,13 @@ public class Engine extends Thread {
     private final ExecutorService executor = Executors.newCachedThreadPool(new ThreadFactory() {
         private final ThreadFactory defaultFactory = Executors.defaultThreadFactory();
         public Thread newThread(final Runnable r) {
-            Thread t = defaultFactory.newThread(new Runnable() {
-                public void run() {
-                    CURRENT.set(Engine.this);
-                    r.run();
-                }
+            Thread thread = defaultFactory.newThread(() -> {
+                CURRENT.set(Engine.this);
+                r.run();
             });
-            t.setDaemon(true);
-            return t;
+            thread.setDaemon(true);
+            thread.setUncaughtExceptionHandler((t, e) -> LOGGER.log(Level.SEVERE, "Uncaught exception in thread " + t, e));
+            return thread;
         }
     });
 
@@ -126,7 +121,7 @@ public void run() {
     private List<X509Certificate> candidateCertificates;
 
     /**
-     * URL that points to Jenkins's tcp slave agent listener, like <tt>http://myhost/hudson/</tt>
+     * URL that points to Jenkins's tcp agent listener, like <tt>http://myhost/hudson/</tt>
      *
      * <p>
      * This value is determined from {@link #candidateUrls} after a successful connection.
@@ -134,28 +129,27 @@ public void run() {
      */
     @CheckForNull
     private URL hudsonUrl;
-
     private final String secretKey;
     public final String slaveName;
     private String credentials;
 	private String proxyCredentials = System.getProperty("proxyCredentials");
 
     /**
-     * See Main#tunnel in the jnlp-agent module for the details.
+     * See {@link hudson.remoting.jnlp.Main#tunnel} for the documentation.
      */
+    @CheckForNull
     private String tunnel;
 
+    private boolean disableHttpsCertValidation;
+
     private boolean noReconnect;
 
     /**
      * Determines whether the socket will have {@link Socket#setKeepAlive(boolean)} set or not.
      *
-     * @since TODO
+     * @since 2.62.1
      */
     private boolean keepAlive = true;
-
-    
-    
     
     @CheckForNull
     private JarCache jarCache = null;
@@ -164,14 +158,14 @@ public void run() {
      * Specifies a destination for the agent log.
      * If specified, this option overrides the default destination within {@link #workDir}.
      * If both this options and {@link #workDir} is not set, the log will not be generated.
-     * @since TODO
+     * @since 3.8
      */
     @CheckForNull
     private Path agentLog;
     
     /**
      * Specified location of the property file with JUL settings.
-     * @since TODO
+     * @since 3.8
      */
     @CheckForNull
     private Path loggingConfigFilePath = null;
@@ -183,7 +177,7 @@ public void run() {
      * In order to retain compatibility, the option is disabled by default.
      * <p>
      * Jenkins specifics: This working directory is expected to be equal to the agent root specified in Jenkins configuration.
-     * @since TODO
+     * @since 3.8
      */
     @CheckForNull
     public Path workDir = null;
@@ -193,7 +187,7 @@ public void run() {
      * <p>
      * This option is not expected to be used frequently, but it allows remoting users to specify a custom
      * storage directory if the default {@code remoting} directory is consumed by other stuff.
-     * @since TODO
+     * @since 3.8
      */
     @Nonnull
     public String internalDir = WorkDirManager.DirType.INTERNAL_DIR.getDefaultLocation();
@@ -202,7 +196,7 @@ public void run() {
      * Fail the initialization if the workDir or internalDir are missing.
      * This option presumes that the workspace structure gets initialized previously in order to ensure that we do not start up with a borked instance
      * (e.g. if a filesystem mount gets disconnected).
-     * @since TODO
+     * @since 3.8
      */
     @Nonnull
     public boolean failIfWorkDirIsMissing = WorkDirManager.DEFAULT_FAIL_IF_WORKDIR_IS_MISSING;
@@ -217,13 +211,17 @@ public Engine(EngineListener listener, List<URL> hudsonUrls, String secretKey, S
         this.slaveName = slaveName;
         if(candidateUrls.isEmpty())
             throw new IllegalArgumentException("No URLs given");
+        setUncaughtExceptionHandler((t, e) -> {
+            LOGGER.log(Level.SEVERE, "Uncaught exception in Engine thread " + t, e);
+            interrupt();
+        });
     }
 
     /**
      * Starts the engine.
      * The procedure initializes the working directory and all the required environment
      * @throws IOException Initialization error
-     * @since TODO
+     * @since 3.9
      */
     public synchronized void startEngine() throws IOException {
         startEngine(false);
@@ -235,6 +233,7 @@ public synchronized void startEngine() throws IOException {
      *               This method can be used for testing startup logic.
      */
     /*package*/ void startEngine(boolean dryRun) throws IOException {
+        LOGGER.log(Level.INFO, "Using Remoting version: {0}", Launcher.VERSION);
         @CheckForNull File jarCacheDirectory = null;
         
         // Prepare the working directory if required
@@ -263,7 +262,11 @@ public synchronized void startEngine() throws IOException {
                 throw new IOException("Cannot find the JAR Cache location");
             }
             LOGGER.log(Level.FINE, "Using standard File System JAR Cache. Root Directory is {0}", jarCacheDirectory);
-            jarCache = new FileSystemJarCache(jarCacheDirectory, true);
+            try {
+                jarCache = new FileSystemJarCache(jarCacheDirectory, true);
+            } catch (IllegalArgumentException ex) {
+                throw new IOException("Failed to initialize FileSystem JAR Cache in " + jarCacheDirectory, ex);
+            }
         } else {
             LOGGER.log(Level.INFO, "Using custom JAR Cache: {0}", jarCache);
         }
@@ -287,7 +290,7 @@ public void setJarCache(@Nonnull JarCache jarCache) {
     /**
      * Sets path to the property file with JUL settings.
      * @param filePath JAR Cache to be used
-     * @since TODO
+     * @since 3.8
      */
     public void setLoggingConfigFile(@Nonnull Path filePath) {
         this.loggingConfigFilePath = filePath;
@@ -303,7 +306,11 @@ public URL getHudsonUrl() {
         return hudsonUrl;
     }
 
-    public void setTunnel(String tunnel) {
+    /**
+     * If set, connect to the specified host and port instead of connecting directly to Jenkins.
+     * @param tunnel Value. {@code null} to disable tunneling
+     */
+    public void setTunnel(@CheckForNull String tunnel) {
         this.tunnel = tunnel;
     }
 
@@ -319,11 +326,31 @@ public void setNoReconnect(boolean noReconnect) {
         this.noReconnect = noReconnect;
     }
 
+    /**
+     * Determines if JNLPAgentEndpointResolver will not perform certificate validation in the HTTPs mode.
+     *
+     * @return {@code true} if the certificate validation is disabled.
+     * @since TODO
+     */
+    public boolean isDisableHttpsCertValidation() {
+        return disableHttpsCertValidation;
+    }
+
+    /**
+     * Sets if JNLPAgentEndpointResolver will not perform certificate validation in the HTTPs mode.
+     *
+     * @param disableHttpsCertValidation {@code true} if the certificate validation is disabled.
+     * @since TODO
+     */
+    public void setDisableHttpsCertValidation(boolean disableHttpsCertValidation) {
+        this.disableHttpsCertValidation = disableHttpsCertValidation;
+    }
+
     /**
      * Sets the destination for agent logs.
      * @param agentLog Path to the agent log.
      *      If {@code null}, the engine will pick the default behavior depending on the {@link #workDir} value
-     * @since TODO
+     * @since 3.8
      */
     public void setAgentLog(@CheckForNull Path agentLog) {
         this.agentLog = agentLog;
@@ -333,7 +360,7 @@ public void setAgentLog(@CheckForNull Path agentLog) {
      * Specified a path to the work directory.
      * @param workDir Path to the working directory of the remoting instance.
      *                {@code null} Disables the working directory.
-     * @since TODO
+     * @since 3.8
      */
     public void setWorkDir(@CheckForNull Path workDir) {
         this.workDir = workDir;
@@ -342,7 +369,7 @@ public void setWorkDir(@CheckForNull Path workDir) {
     /**
      * Specifies name of the internal data directory within {@link #workDir}.
      * @param internalDir Directory name
-     * @since TODO
+     * @since 3.8
      */
     public void setInternalDir(@Nonnull String internalDir) {
         this.internalDir = internalDir;
@@ -353,7 +380,7 @@ public void setInternalDir(@Nonnull String internalDir) {
      * This option presumes that the workspace structure gets initialized previously in order to ensure that we do not start up with a borked instance
      * (e.g. if a filesystem mount gets disconnected).
      * @param failIfWorkDirIsMissing Flag
-     * @since TODO
+     * @since 3.8
      */
     public void setFailIfWorkDirIsMissing(boolean failIfWorkDirIsMissing) { this.failIfWorkDirIsMissing = failIfWorkDirIsMissing; }
 
@@ -474,6 +501,7 @@ private void innerRun(IOHub hub, SSLContext context, ExecutorService service) {
         resolver.setTunnel(tunnel);
         try {
             resolver.setSslSocketFactory(getSSLSocketFactory());
+            resolver.setDisableHttpsCertValidation(disableHttpsCertValidation);
         } catch (Exception e) {
             events.error(e);
         }
@@ -567,7 +595,10 @@ public void afterProperties(@Nonnull JnlpConnectionState event) {
 
                                 @Override
                                 public void beforeChannel(@Nonnull JnlpConnectionState event) {
-                                    event.getChannelBuilder().withJarCache(jarCache).withMode(Mode.BINARY);
+                                    ChannelBuilder bldr = event.getChannelBuilder().withMode(Mode.BINARY);
+                                    if (jarCache != null) {
+                                        bldr.withJarCache(jarCache);
+                                    }
                                 }
 
                                 @Override
@@ -633,7 +664,14 @@ public void afterChannel(@Nonnull JnlpConnectionState event) {
                 // try to connect back to the server every 10 secs.
                 resolver.waitForReady();
 
-                events.onReconnect();
+                try {
+                    events.status("Performing onReconnect operation.");
+                    events.onReconnect();
+                    events.status("onReconnect operation completed.");
+                } catch (NoClassDefFoundError e) {
+                    events.status("onReconnect operation failed.");
+                    LOGGER.log(Level.FINE, "Reconnection error.", e);
+                }
             }
         } catch (Throwable e) {
             events.error(e);
@@ -646,7 +684,7 @@ private void onConnectionRejected(String greeting) throws InterruptedException {
     }
 
     /**
-     * Connects to TCP slave host:port, with a few retries.
+     * Connects to TCP agent host:port, with a few retries.
      * @param endpoint Connection endpoint
      * @throws IOException Connection failure or invalid parameter specification
      */
@@ -798,8 +836,8 @@ private SSLSocketFactory getSSLSocketFactory()
             trustManagerFactory.init(keyStore);
             // prepare the SSL context
             SSLContext ctx = SSLContext.getInstance("TLS");
-            ctx.init(null, trustManagerFactory.getTrustManagers(), null);
             // now we have our custom socket factory
+            ctx.init(null, trustManagerFactory.getTrustManagers(), null);
             sslSocketFactory = ctx.getSocketFactory();
         }
         return sslSocketFactory;
diff --git a/src/main/java/hudson/remoting/EngineListener.java b/src/main/java/hudson/remoting/EngineListener.java
index 8e9b87755..ea06d31bd 100644
--- a/src/main/java/hudson/remoting/EngineListener.java
+++ b/src/main/java/hudson/remoting/EngineListener.java
@@ -61,7 +61,7 @@ public interface EngineListener {
 
     /**
      * Called when a re-connection is about to be attempted.
-     * @since TODO
+     * @since 2.0
      */
     void onReconnect();
 }
diff --git a/src/main/java/hudson/remoting/ExportTable.java b/src/main/java/hudson/remoting/ExportTable.java
index 45747895e..088e68655 100644
--- a/src/main/java/hudson/remoting/ExportTable.java
+++ b/src/main/java/hudson/remoting/ExportTable.java
@@ -97,9 +97,12 @@ private final class Entry<T> {
          */
         private int referenceCount;
 
+        //TODO: cleanup this mess?
         /**
-         * This field can be set programmatically to track reference counting
+         * This field can be set programmatically to track reference counting.
+         * Please note that value unset is not thread-safe.
          */
+        @SuppressFBWarnings(value = "UWF_UNWRITTEN_FIELD", justification = "Old System script magic")
         @CheckForNull
         private ReferenceCountRecorder recorder;
 
@@ -398,7 +401,6 @@ synchronized Object get(int id) throws ExecutionException {
      * Retrieves object by id.
      * @param oid Object ID
      * @return Object or {@code null} if the ID is missing in the {@link ExportTable}.
-     * @since TODO
      */
     @CheckForNull
     synchronized Object getOrNull(int oid) {
@@ -461,13 +463,16 @@ private synchronized ExecutionException diagnoseInvalidObjectId(int id) {
         Exception cause=null;
 
         if (!unexportLog.isEmpty()) {
-            for (Entry e : unexportLog) {
+            for (Entry<?> e : unexportLog) {
                 if (e.id==id)
                     cause = new Exception("Object was recently deallocated\n"+Util.indent(e.dump()), e.releaseTrace);
             }
-            if (cause==null)
-                cause = new Exception("Object appears to be deallocated at lease before "+
-                    new Date(unexportLog.get(0).releaseTrace.timestamp));
+            if (cause==null) {
+                // If there is no cause available, create an artificial cause and use the last unexport entry as an estimated release time if possible
+                final ReleasedAt releasedAt = unexportLog.get(0).releaseTrace;
+                final Date releasedBefore = releasedAt != null ? new Date(releasedAt.timestamp) : new Date();
+                cause = new Exception("Object appears to be deallocated at lease before "+ releasedBefore);
+            }
         }
 
         return new ExecutionException("Invalid object ID "+id+" iota="+iota, cause);
@@ -493,14 +498,14 @@ synchronized void unexport(@CheckForNull Object t, Throwable callSite) {
      * Logs error if the object has been already unexported.
      */
     void unexportByOid(Integer oid, Throwable callSite) {
-        unexportByOid(oid, callSite, true);
+        unexportByOid(oid, callSite, false);
     }
     
     /**
      * Removes the exported object for the specified oid from the table.
      * @param oid Object ID. If {@code null} the method will do nothing.
      * @param callSite Unexport command caller
-     * @param severeErrorIfMissing Consider missing object as {@link #SEVERE} error. {@link #FINE} otherwise
+     * @param severeErrorIfMissing Consider missing object as {@code SEVERE} error. {@code FINE} otherwise
      * @since TODO
      */
     synchronized void unexportByOid(@CheckForNull Integer oid, @CheckForNull Throwable callSite, boolean severeErrorIfMissing) {
diff --git a/src/main/java/hudson/remoting/FileSystemJarCache.java b/src/main/java/hudson/remoting/FileSystemJarCache.java
index ed18eafdc..48e0662dd 100644
--- a/src/main/java/hudson/remoting/FileSystemJarCache.java
+++ b/src/main/java/hudson/remoting/FileSystemJarCache.java
@@ -1,11 +1,15 @@
 package hudson.remoting;
 
+import org.jenkinsci.remoting.util.PathUtils;
+
 import javax.annotation.Nonnull;
 import javax.annotation.concurrent.GuardedBy;
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.net.URL;
+import java.nio.file.Files;
+import java.nio.file.attribute.FileTime;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -36,6 +40,7 @@ public class FileSystemJarCache extends JarCacheSupport {
     @GuardedBy("itself")
     private final Map<String, Checksum> checksumsByPath = new HashMap<>();
 
+    //TODO: Create new IOException constructor
     /**
      * @param rootDir  
      *      Root directory.
@@ -54,7 +59,7 @@ public FileSystemJarCache(@Nonnull File rootDir, boolean touch) {
         try {
             Util.mkdirs(rootDir);
         } catch (IOException ex) {
-            throw new RuntimeException("Root directory not writable: " + rootDir);
+            throw new IllegalArgumentException("Root directory not writable: " + rootDir, ex);
         }
     }
 
@@ -68,9 +73,12 @@ protected URL lookInCache(Channel channel, long sum1, long sum2) throws IOExcept
         File jar = map(sum1, sum2);
         if (jar.exists()) {
             LOGGER.log(Level.FINER, String.format("Jar file cache hit %16X%16X",sum1,sum2));
-            if (touch)  jar.setLastModified(System.currentTimeMillis());
-            if (notified.add(new Checksum(sum1,sum2)))
+            if (touch)  {
+                Files.setLastModifiedTime(PathUtils.fileToPath(jar), FileTime.fromMillis(System.currentTimeMillis()));
+            }
+            if (notified.add(new Checksum(sum1,sum2))) {
                 getJarLoader(channel).notifyJarPresence(sum1,sum2);
+            }
             return jar.toURI().toURL();
         }
         return null;
@@ -92,7 +100,7 @@ protected URL retrieve(Channel channel, long sum1, long sum2) throws IOException
                     "Cached file checksum mismatch: %s%nExpected: %s%n Actual: %s",
                     target.getAbsolutePath(), expected, actual
             ));
-            target.delete();
+            Files.delete(PathUtils.fileToPath(target));
             synchronized (checksumsByPath) {
                 checksumsByPath.remove(target.getCanonicalPath());
             }
@@ -136,7 +144,7 @@ protected URL retrieve(Channel channel, long sum1, long sum2) throws IOException
 
                 return target.toURI().toURL();
             } finally {
-                tmp.delete();
+                Files.deleteIfExists(PathUtils.fileToPath(tmp));
             }
         } catch (IOException e) {
             throw (IOException)new IOException("Failed to write to "+target).initCause(e);
diff --git a/src/main/java/hudson/remoting/FlightRecorderInputStream.java b/src/main/java/hudson/remoting/FlightRecorderInputStream.java
index 3d6aa2fc6..171b0c179 100644
--- a/src/main/java/hudson/remoting/FlightRecorderInputStream.java
+++ b/src/main/java/hudson/remoting/FlightRecorderInputStream.java
@@ -5,6 +5,8 @@
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.util.Arrays;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
 /**
  * Filter input stream that records the content as it's read, so that it can be reported
@@ -13,6 +15,7 @@
  * @author Kohsuke Kawaguchi
  */
 class FlightRecorderInputStream extends InputStream {
+    private static final Logger LOGGER = Logger.getLogger(FlightRecorderInputStream.class.getName());
 
     /**
      * Size (in bytes) of the flight recorder ring buffer used for debugging remoting issues.
@@ -62,6 +65,8 @@ public void run() {
                 }
             }
         };
+        diagnosisThread.setUncaughtExceptionHandler(
+                (t, e) -> LOGGER.log(Level.SEVERE, "Uncaught exception in diagnosis thread " + t, e));
 
         // wait up to 1 sec to grab as much data as possible
         diagnosisThread.start();
diff --git a/src/main/java/hudson/remoting/GCCommand.java b/src/main/java/hudson/remoting/GCCommand.java
index baf26b4f6..78466e781 100644
--- a/src/main/java/hudson/remoting/GCCommand.java
+++ b/src/main/java/hudson/remoting/GCCommand.java
@@ -34,5 +34,10 @@ protected void execute(Channel channel) {
         System.gc();
     }
 
+    @Override
+    public String toString() {
+        return "GC";
+    }
+
     private static final long serialVersionUID = 1L;
 }
diff --git a/src/main/java/hudson/remoting/ImportedClassLoaderTable.java b/src/main/java/hudson/remoting/ImportedClassLoaderTable.java
index 7fb59acae..f35257ea6 100644
--- a/src/main/java/hudson/remoting/ImportedClassLoaderTable.java
+++ b/src/main/java/hudson/remoting/ImportedClassLoaderTable.java
@@ -51,7 +51,7 @@ final class ImportedClassLoaderTable {
      */
     @Nonnull
     public synchronized ClassLoader get(int oid) {
-        return get(RemoteInvocationHandler.wrap(channel,oid,IClassLoader.class,false,false));
+        return get(RemoteInvocationHandler.wrap(channel, oid, IClassLoader.class, false, false, false, false));
     }
 
     /**
diff --git a/src/main/java/hudson/remoting/InitializeJarCacheMain.java b/src/main/java/hudson/remoting/InitializeJarCacheMain.java
index 2ff7b2698..66f60a4c1 100644
--- a/src/main/java/hudson/remoting/InitializeJarCacheMain.java
+++ b/src/main/java/hudson/remoting/InitializeJarCacheMain.java
@@ -34,7 +34,7 @@ public boolean accept(File dir, String name) {
     public static void main(String[] argv) throws Exception {
         if (argv.length != 2) {
             throw new IllegalArgumentException(
-                    "Usage: java -cp slave.jar hudson.remoting.InitializeJarCacheMain " +
+                    "Usage: java -cp agent.jar hudson.remoting.InitializeJarCacheMain " +
                     "<source jar dir> <jar cache dir>");
         }
 
@@ -62,23 +62,12 @@ public static void main(String[] argv) throws Exception {
      * our own from scratch.
      */
     private static void copyFile(File src, File dest) throws Exception {
-        FileInputStream input = null;
-        FileOutputStream output = null;
-        try {
-            input = new FileInputStream(src);
-            output = new FileOutputStream(dest);
+        try (FileInputStream input = new FileInputStream(src); FileOutputStream output = new FileOutputStream(dest)) {
             byte[] buf = new byte[1024 * 1024];
             int bytesRead;
             while ((bytesRead = input.read(buf)) > 0) {
                 output.write(buf, 0, bytesRead);
             }
-        } finally {
-            if (input != null) {
-                input.close();
-            }
-            if (output != null) {
-                output.close();
-            }
         }
     }
 }
diff --git a/src/main/java/hudson/remoting/InterceptingExecutorService.java b/src/main/java/hudson/remoting/InterceptingExecutorService.java
index d22a9c2ae..913f33100 100644
--- a/src/main/java/hudson/remoting/InterceptingExecutorService.java
+++ b/src/main/java/hudson/remoting/InterceptingExecutorService.java
@@ -1,5 +1,7 @@
 package hudson.remoting;
 
+import org.jenkinsci.remoting.CallableDecorator;
+
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
@@ -13,6 +15,8 @@
 /**
  * {@link ExecutorService} that runs all the tasks in a given set of {@link CallableDecorator}s.
  * @author Kohsuke Kawaguchi
+ * @see CallableDecorator
+ * @see CallableDecoratorList
  */
 class InterceptingExecutorService extends DelegatingExecutorService {
     private final CallableDecoratorList decorators;
diff --git a/src/main/java/hudson/remoting/JarCache.java b/src/main/java/hudson/remoting/JarCache.java
index 1123f3178..bb39b4df2 100644
--- a/src/main/java/hudson/remoting/JarCache.java
+++ b/src/main/java/hudson/remoting/JarCache.java
@@ -24,12 +24,22 @@ public abstract class JarCache {
     /**
      * Default JAR cache location for disabled workspace Manager.
      */
-    /*package*/ static final File DEFAULT_NOWS_JAR_CACHE_LOCATION = 
+    public static final File DEFAULT_NOWS_JAR_CACHE_LOCATION =
         new File(System.getProperty("user.home"),".jenkins/cache/jars");
-    
+
+    //TODO: replace by checked exception
+    /**
+     * Gets a default value for {@link FileSystemJarCache} to be initialized on agents.
+     * @return Created JAR Cache
+     * @throws IOException Default JAR Cache location cannot be initialized
+     */
     @Nonnull
-    /*package*/ static JarCache getDefault() {
-        return new FileSystemJarCache(DEFAULT_NOWS_JAR_CACHE_LOCATION, true);
+    /*package*/ static JarCache getDefault() throws IOException {
+        try {
+            return new FileSystemJarCache(DEFAULT_NOWS_JAR_CACHE_LOCATION, true);
+        } catch (IllegalArgumentException ex) {
+            throw new IOException("Failed to initialize the default JAR Cache location", ex);
+        }
     }
     
     /**
diff --git a/src/main/java/hudson/remoting/JarCacheSupport.java b/src/main/java/hudson/remoting/JarCacheSupport.java
index 05fed29ce..a47a0881b 100644
--- a/src/main/java/hudson/remoting/JarCacheSupport.java
+++ b/src/main/java/hudson/remoting/JarCacheSupport.java
@@ -7,6 +7,7 @@
 import java.util.concurrent.ExecutorService;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import org.jenkinsci.remoting.util.ExecutorServiceUtils;
 
 /**
  * Default partial implementation of {@link JarCache}.
@@ -50,50 +51,92 @@ public Future<URL> resolve(final Channel channel, final long sum1, final long su
 
         while (true) {// might have to try a few times before we get successfully resolve
 
-            final Checksum key = new Checksum(sum1,sum2);
-            final AsyncFutureImpl<URL> promise = new AsyncFutureImpl<URL>();
-            Future<URL> cur = inprogress.putIfAbsent(key, promise);
+            final Checksum key = new Checksum(sum1,sum2);        
+            Future<URL> cur = inprogress.get(key);
             if (cur!=null) {
                 // this computation is already in progress. piggy back on that one
                 return cur;
             } else {
                 // we are going to resolve this ourselves and publish the result in 'promise' for others
-                downloader.submit(new Runnable() {
-                    public void run() {
-                        try {
-                            URL url = retrieve(channel,sum1,sum2);
-                            inprogress.remove(key);
-                            promise.set(url);
-                        } catch (ChannelClosedException e) {
-                            // the connection was killed while we were still resolving the file
-                            bailout(e);
-                        } catch (RequestAbortedException e) {
-                            // the connection was killed while we were still resolving the file
-                            bailout(e);
-                        } catch (InterruptedException e) {
-                            // we are bailing out, but we need to allow another thread to retry later.
-                            bailout(e);
+                try {
+                    final AsyncFutureImpl<URL> promise = new AsyncFutureImpl<URL>();
+                    ExecutorServiceUtils.submitAsync(downloader, new  DownloadRunnable(channel, sum1, sum2, key, promise));
+                    // Now we are sure that the task has been accepted to the queue, hence we cache the promise
+                    // if nobody else caches it before.
+                    inprogress.putIfAbsent(key, promise);
+                } catch (ExecutorServiceUtils.ExecutionRejectedException ex) {
+                    final String message = "Downloader executor service has rejected the download command for checksum " + key;
+                    LOGGER.log(Level.SEVERE, message, ex);
+                    // Retry the submission after 100 ms if the error is not fatal
+                    if (ex.isFatal()) {
+                        // downloader won't accept anything else, do not even try
+                        throw new IOException(message, ex);
+                    } else {
+                        //TODO: should we just fail? unrealistic case for the current AtmostOneThreadExecutor implementation anyway
+                        Thread.sleep(100);
+                    }
+                }
+            }
+        }
+    }
+    
+    private class DownloadRunnable implements Runnable {
+    
+        final Channel channel;
+        final long sum1;
+        final long sum2;
+        final Checksum key;
+        final AsyncFutureImpl<URL> promise;
 
-                            LOGGER.log(Level.WARNING, String.format("Interrupted while resolving a jar %016x%016x",sum1,sum2), e);
-                        } catch (Throwable e) {
-                            // in other general failures, we aren't retrying
-                            // TODO: or should we?
-                            promise.set(e);
+        public DownloadRunnable(Channel channel, long sum1, long sum2, Checksum key, AsyncFutureImpl<URL> promise) {
+            this.channel = channel;
+            this.sum1 = sum1;
+            this.sum2 = sum2;
+            this.key = key;
+            this.promise = promise;
+        }
+        
+        @Override
+        public void run() {
+            try {
+                // Deduplication: There is a risk that multiple downloadables get scheduled, hence we check if
+                // the promise is actually in the queue
+                Future<URL> inprogressDownload = inprogress.get(key);
+                if (promise != inprogressDownload) {
+                    // Duplicated entry due to the race condition, do nothing
+                    return;
+                }
+                
+                URL url = retrieve(channel, sum1, sum2);
+                inprogress.remove(key);
+                promise.set(url);
+            } catch (ChannelClosedException e) {
+                // the connection was killed while we were still resolving the file
+                bailout(e);
+            } catch (RequestAbortedException e) {
+                // the connection was killed while we were still resolving the file
+                bailout(e);
+            } catch (InterruptedException e) {
+                // we are bailing out, but we need to allow another thread to retry later.
+                bailout(e);
 
-                            LOGGER.log(Level.WARNING, String.format("Failed to resolve a jar %016x%016x",sum1,sum2), e);
-                        }
-                    }
+                LOGGER.log(Level.WARNING, String.format("Interrupted while resolving a jar %016x%016x", sum1, sum2), e);
+            } catch (Throwable e) {
+                // in other general failures, we aren't retrying
+                // TODO: or should we?
+                promise.set(e);
 
-                    /**
-                     * Report a failure of the retrieval and allows another thread to retry.
-                     */
-                    private void bailout(Exception e) {
-                        inprogress.remove(key);     // this lets another thread to retry later
-                        promise.set(e);             // then tell those who are waiting that we aborted
-                    }
-                });
+                LOGGER.log(Level.WARNING, String.format("Failed to resolve a jar %016x%016x", sum1, sum2), e);
             }
         }
+
+        /**
+         * Report a failure of the retrieval and allows another thread to retry.
+         */
+        private void bailout(Exception e) {
+            inprogress.remove(key);     // this lets another thread to retry later
+            promise.set(e);             // then tell those who are waiting that we aborted
+        }
     }
 
     protected JarLoader getJarLoader(Channel channel) throws InterruptedException {
@@ -104,6 +147,6 @@ protected JarLoader getJarLoader(Channel channel) throws InterruptedException {
         }
         return jl;
     }
-
+    
     private static final Logger LOGGER = Logger.getLogger(JarCacheSupport.class.getName());
 }
diff --git a/src/main/java/hudson/remoting/JarLoaderImpl.java b/src/main/java/hudson/remoting/JarLoaderImpl.java
index 0f8ba7ed8..0abf3230e 100644
--- a/src/main/java/hudson/remoting/JarLoaderImpl.java
+++ b/src/main/java/hudson/remoting/JarLoaderImpl.java
@@ -1,15 +1,20 @@
 package hudson.remoting;
 
+import org.jenkinsci.remoting.SerializableOnlyOverRemoting;
+
 import java.io.File;
 import java.io.IOException;
+import java.io.NotSerializableException;
 import java.io.OutputStream;
-import java.io.Serializable;
+import java.net.URISyntaxException;
 import java.net.URL;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
 /**
  * Implements {@link JarLoader} to be called from the other side.
@@ -17,7 +22,10 @@
  * @author Kohsuke Kawaguchi
  */
 @edu.umd.cs.findbugs.annotations.SuppressWarnings("SE_BAD_FIELD")
-class JarLoaderImpl implements JarLoader, Serializable {
+class JarLoaderImpl implements JarLoader, SerializableOnlyOverRemoting {
+
+    private static final Logger LOGGER = Logger.getLogger(JarLoaderImpl.class.getName());
+
     private final ConcurrentMap<Checksum,URL> knownJars = new ConcurrentHashMap<>();
 
     @edu.umd.cs.findbugs.annotations.SuppressWarnings("DMI_COLLECTION_OF_URLS") // TODO: fix this
@@ -31,6 +39,20 @@ public void writeJarTo(long sum1, long sum2, OutputStream sink) throws IOExcepti
         if (url==null)
             throw new IOException("Unadvertised jar file "+k);
 
+        Channel channel = Channel.current();
+        if (channel != null) {
+            if (url.getProtocol().equals("file")) {
+                try {
+                    channel.notifyJar(new File(url.toURI()));
+                } catch (URISyntaxException | IllegalArgumentException x) {
+                    LOGGER.log(Level.WARNING, "cannot properly report " + url, x);
+                }
+            } else {
+                LOGGER.log(Level.FINE, "serving non-file URL {0}", url);
+            }
+        } else {
+            LOGGER.log(Level.WARNING, "no active channel");
+        }
         Util.copy(url.openStream(), sink);
         presentOnRemote.add(k);
     }
@@ -71,8 +93,8 @@ public Checksum calcChecksum(URL jar) throws IOException {
     /**
      * When sent to the remote node, send a proxy.
      */
-    private Object writeReplace() {
-        return Channel.current().export(JarLoader.class, this);
+    private Object writeReplace() throws NotSerializableException {
+        return getChannelForSerialization().export(JarLoader.class, this);
     }
 
     public static final String DIGEST_ALGORITHM = System.getProperty(JarLoaderImpl.class.getName()+".algorithm","SHA-256");
diff --git a/src/main/java/hudson/remoting/Launcher.java b/src/main/java/hudson/remoting/Launcher.java
index 32c19a175..69a2b77c0 100644
--- a/src/main/java/hudson/remoting/Launcher.java
+++ b/src/main/java/hudson/remoting/Launcher.java
@@ -25,10 +25,11 @@
 
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.remoting.Channel.Mode;
+
+import java.io.Console;
 import java.io.FileInputStream;
 import java.io.UnsupportedEncodingException;
 import java.io.FileNotFoundException;
-import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
@@ -42,6 +43,9 @@
 
 import org.jenkinsci.remoting.engine.WorkDirManager;
 import org.jenkinsci.remoting.util.IOUtils;
+import org.jenkinsci.remoting.util.https.NoCheckHostnameVerifier;
+import org.jenkinsci.remoting.util.https.NoCheckTrustManager;
+import org.jenkinsci.remoting.util.PathUtils;
 import org.w3c.dom.Document;
 import org.w3c.dom.NodeList;
 import org.xml.sax.SAXException;
@@ -60,7 +64,6 @@
 import javax.net.ssl.X509TrustManager;
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLSession;
-import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -71,7 +74,6 @@
 import java.io.ByteArrayOutputStream;
 import java.io.Closeable;
 import java.io.FileWriter;
-import java.io.PrintStream;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.net.URL;
@@ -127,7 +129,7 @@ public class Launcher {
     public File slaveLog = null;
 
     @Option(name="-text",usage="encode communication with the master with base64. " +
-            "Useful for running slave over 8-bit unsafe protocol like telnet")
+            "Useful for running agent over 8-bit unsafe protocol like telnet")
     public void setTextMode(boolean b) {
         mode = b?Mode.TEXT:Mode.BINARY;
         System.out.println("Running in "+mode.name().toLowerCase(Locale.ENGLISH)+" mode");
@@ -141,7 +143,7 @@ public void setTextMode(boolean b) {
     @Option(name="-jnlpCredentials",metaVar="USER:PASSWORD",usage="HTTP BASIC AUTH header to pass in for making HTTP requests.")
     public String slaveJnlpCredentials = null;
 
-    @Option(name="-secret", metaVar="HEX_SECRET", usage="Slave connection secret to use instead of -jnlpCredentials.")
+    @Option(name="-secret", metaVar="HEX_SECRET", usage="Agent connection secret to use instead of -jnlpCredentials.")
     public String secret;
 
     @Option(name="-proxyCredentials",metaVar="USER:PASSWORD",usage="HTTP BASIC AUTH header to pass in for making HTTP authenticated proxy requests.")
@@ -180,7 +182,7 @@ public void addClasspath(String pathList) throws Exception {
 
     /**
      * Specified location of the property file with JUL settings.
-     * @since TODO
+     * @since 3.8
      */
     @CheckForNull
     @Option(name="-loggingConfig",usage="Path to the property file with java.util.logging settings")
@@ -192,6 +194,12 @@ public void addClasspath(String pathList) throws Exception {
                     "certificate file to read.", forbids = "-noCertificateCheck")
     public List<String> candidateCertificates;
 
+    /**
+     * Disables HTTPs Certificate validation of the server when using {@link org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver}.
+     * This option is managed by the {@code -noCertificateCheck} option.
+     */
+    private boolean noCertificateCheck = false;
+
     public InetSocketAddress connectionTarget = null;
 
     @Option(name="-connectTo",usage="make a TCP connection to the given host and port, then start communication.",metaVar="HOST:PORT")
@@ -213,15 +221,13 @@ public void setConnectTo(String target) {
     @Option(name="-noCertificateCheck", forbids = "-cert")
     public void setNoCertificateCheck(boolean ignored) throws NoSuchAlgorithmException, KeyManagementException {
         System.out.println("Skipping HTTPS certificate checks altogether. Note that this is not secure at all.");
+
+        this.noCertificateCheck = true;
         SSLContext context = SSLContext.getInstance("TLS");
         context.init(null, new TrustManager[]{new NoCheckTrustManager()}, new java.security.SecureRandom());
         HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
         // bypass host name check, too.
-        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
-            public boolean verify(String s, SSLSession sslSession) {
-                return true;
-            }
-        });
+        HttpsURLConnection.setDefaultHostnameVerifier(new NoCheckHostnameVerifier());
     }
 
     @Option(name="-noReconnect",usage="Doesn't try to reconnect when a communication fail, and exit instead")
@@ -238,7 +244,7 @@ public boolean verify(String s, SSLSession sslSession) {
      * In order to retain compatibility, the option is disabled by default.
      * <p>
      * Jenkins specifics: This working directory is expected to be equal to the agent root specified in Jenkins configuration.
-     * @since TODO
+     * @since 3.8
      */
     @Option(name = "-workDir",
             usage = "Declares the working directory of the remoting instance (stores cache and logs by default)")
@@ -250,7 +256,7 @@ public boolean verify(String s, SSLSession sslSession) {
      * <p>
      * This option is not expected to be used frequently, but it allows remoting users to specify a custom
      * storage directory if the default {@code remoting} directory is consumed by other stuff.
-     * @since TODO
+     * @since 3.8
      */
     @Option(name = "-internalDir",
             usage = "Specifies a name of the internal files within a working directory ('remoting' by default)",
@@ -262,7 +268,7 @@ public boolean verify(String s, SSLSession sslSession) {
      * Fail the initialization if the workDir or internalDir are missing.
      * This option presumes that the workspace structure gets initialized previously in order to ensure that we do not start up with a borked instance
      * (e.g. if a filesystem mount gets disconnected).
-     * @since TODO
+     * @since 3.8
      */
     @Option(name = "-failIfWorkDirIsMissing",
             usage = "Fails the initialization if the requested workDir or internalDir are missing ('false' by default)",
@@ -278,7 +284,7 @@ public static void main(String... args) throws Exception {
             launcher.run();
         } catch (CmdLineException e) {
             System.err.println(e.getMessage());
-            System.err.println("java -jar slave.jar [options...]");
+            System.err.println("java -jar agent.jar [options...]");
             parser.printUsage(System.err);
             System.err.println();
         }
@@ -296,7 +302,7 @@ public void run() throws Exception {
         if (slaveLog != null) {
             workDirManager.disable(WorkDirManager.DirType.LOGS_DIR);
         }
-        workDirManager.setupLogging(internalDirPath, slaveLog != null ? slaveLog.toPath() : null);
+        workDirManager.setupLogging(internalDirPath, slaveLog != null ? PathUtils.fileToPath(slaveLog) : null);
 
         if(auth!=null) {
             final int idx = auth.indexOf(':');
@@ -348,6 +354,11 @@ public void run() throws Exception {
                     jnlpArgs.add(c);
                 }
             }
+            if (noCertificateCheck) {
+		// Generally it is not required since the default settings have been changed anyway.
+		// But we set it up just in case there are overrides somewhere in the logic
+                jnlpArgs.add("-disableHttpsCertValidation");
+            }
             try {
                 hudson.remoting.jnlp.Main._main(jnlpArgs.toArray(new String[jnlpArgs.size()]));
             } catch (CmdLineException e) {
@@ -583,9 +594,9 @@ private static byte[] fromHexString(String data) {
         return r;
     }
 
-    private static Document loadDom(URL slaveJnlpURL, InputStream is) throws ParserConfigurationException, SAXException, IOException {
+    private static Document loadDom(URL agentJnlpURL, InputStream is) throws ParserConfigurationException, SAXException, IOException {
         DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
-        return db.parse(is, slaveJnlpURL.toExternalForm());
+        return db.parse(is, agentJnlpURL.toExternalForm());
     }
 
     /**
@@ -689,29 +700,19 @@ private void runWithStdinStdout() throws IOException, InterruptedException {
         main(System.in, os, mode, ping, jarCache != null ? new FileSystemJarCache(jarCache,true) : null);
     }
 
+    /**
+     * Checks if there is any {@link java.io.Console Console} object associated with JVM.
+     * If yes, prints a warning to STDOUT.
+     */
     private static void ttyCheck() {
-        try {
-            Method m = System.class.getMethod("console");
-            Object console = m.invoke(null);
-            if(console!=null) {
-                // we seem to be running from interactive console. issue a warning.
-                // but since this diagnosis could be wrong, go on and do what we normally do anyway. Don't exit.
-                System.out.println(
-                        "WARNING: Are you running slave agent from an interactive console?\n" +
-                        "If so, you are probably using it incorrectly.\n" +
-                        "See http://wiki.jenkins-ci.org/display/JENKINS/Launching+slave.jar+from+from+console");
-            }
-        } catch (LinkageError e) {
-            // we are probably running on JDK5 that doesn't have System.console()
-            // we can't check
-        } catch (InvocationTargetException e) {
-            // this is impossible
-            throw new AssertionError(e);
-        } catch (NoSuchMethodException e) {
-            // must be running on JDK5
-        } catch (IllegalAccessException e) {
-            // this is impossible
-            throw new AssertionError(e);
+        final Console console = System.console();
+        if(console != null) {
+            // we seem to be running from interactive console. issue a warning.
+            // but since this diagnosis could be wrong, go on and do what we normally do anyway. Don't exit.
+            System.out.println(
+                    "WARNING: Are you running agent from an interactive console?\n" +
+                            "If so, you are probably using it incorrectly.\n" +
+                            "See https://wiki.jenkins.io/display/JENKINS/Launching+agent+from+console");
         }
     }
 
@@ -741,7 +742,7 @@ public static void main(InputStream is, OutputStream os, Mode mode, boolean perf
         ExecutorService executor = Executors.newCachedThreadPool();
         ChannelBuilder cb = new ChannelBuilder("channel", executor)
                 .withMode(mode)
-                .withJarCache(cache);
+                .withJarCacheOrDefault(cache);
 
         // expose StandardOutputStream as a channel property, which is a better way to make this available
         // to the user of Channel than Channel#getUnderlyingOutput()
@@ -777,21 +778,6 @@ protected void onDead(Throwable cause) {
         System.err.println("channel stopped");
     }
 
-    /**
-     * {@link X509TrustManager} that performs no check at all.
-     */
-    private static class NoCheckTrustManager implements X509TrustManager {
-        public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
-        }
-
-        public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
-        }
-
-        public X509Certificate[] getAcceptedIssuers() {
-            return new X509Certificate[0];
-        }
-    }
-
     public static boolean isWindows() {
         return File.pathSeparatorChar==';';
     }
@@ -824,7 +810,7 @@ private static void closeWithLogOnly(Closeable stream, String name) {
     }
 
     /**
-     * Version number of Hudson this slave.jar is from.
+     * Version number of Hudson this agent.jar is from.
      */
     public static final String VERSION = computeVersion();
     
diff --git a/src/main/java/hudson/remoting/MultiClassLoaderSerializer.java b/src/main/java/hudson/remoting/MultiClassLoaderSerializer.java
index 44dc99aa0..a9baa5d28 100644
--- a/src/main/java/hudson/remoting/MultiClassLoaderSerializer.java
+++ b/src/main/java/hudson/remoting/MultiClassLoaderSerializer.java
@@ -9,6 +9,7 @@
 import java.io.ObjectStreamClass;
 import java.io.OutputStream;
 import java.lang.reflect.Proxy;
+import java.net.URL;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
@@ -17,6 +18,7 @@
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.annotation.CheckForNull;
+import org.jenkinsci.remoting.util.AnonymousClassWarnings;
 
 /**
  * {@link ObjectInputStream}/{@link ObjectOutputStream} pair that can handle object graph that spans across
@@ -45,6 +47,7 @@ static final class Output extends ObjectOutputStream {
 
         @Override
         protected void annotateClass(Class<?> c) throws IOException {
+            AnonymousClassWarnings.check(c);
             ClassLoader cl = c.getClassLoader();
             if (cl==null) {// bootstrap classloader. no need to export.
                 writeInt(TAG_SYSTEMCLASSLOADER);
@@ -86,6 +89,9 @@ static final class Input extends ObjectInputStream {
         Input(Channel channel, InputStream in) throws IOException {
             super(in);
             this.channel = channel;
+
+            // by default, the resolveObject is not called
+            enableResolveObject(true);
         }
 
         @CheckForNull
@@ -165,6 +171,15 @@ protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, Cl
 
             return Proxy.getProxyClass(cl, classes);
         }
+
+        @Override
+        protected Object resolveObject(Object obj) throws IOException {
+            if(obj instanceof URL){
+                // SECURITY-637, URL deserialization could lead to DNS query
+                return URLDeserializationHelper.wrapIfRequired((URL) obj);
+            }
+            return super.resolveObject(obj);
+        }
     }
 
     /**
diff --git a/src/main/java/hudson/remoting/NoProxyEvaluator.java b/src/main/java/hudson/remoting/NoProxyEvaluator.java
new file mode 100644
index 000000000..6dcfe0b80
--- /dev/null
+++ b/src/main/java/hudson/remoting/NoProxyEvaluator.java
@@ -0,0 +1,155 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2004-2018, Sun Microsystems, Inc., Kohsuke Kawaguchi, CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package hudson.remoting;
+
+import org.jenkinsci.remoting.org.apache.commons.net.util.SubnetUtils;
+import org.jenkinsci.remoting.org.apache.commons.validator.routines.InetAddressValidator;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.util.HashSet;
+import java.util.Locale;
+import java.util.Set;
+import java.util.regex.Pattern;
+
+@Restricted(NoExternalUse.class)
+public class NoProxyEvaluator {
+
+    private static final Pattern COMMA = Pattern.compile(",");
+    private static final Pattern PIPE = Pattern.compile("\\|");
+
+    private final Set<InetAddress> noProxyIpAddresses = new HashSet<>();
+    private final Set<SubnetUtils.SubnetInfo> noProxySubnets = new HashSet<>();
+    private final Set<String> noProxyDomainsHosts = new HashSet<>();
+
+    public static boolean shouldProxy(String host) {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator(getEnvironmentValue());
+        return evaluator.shouldProxyHost(host);
+    }
+
+    NoProxyEvaluator(String noProxySpecification) {
+        if (noProxySpecification != null) {
+            processSpecificationsIntoTypes(noProxySpecification);
+        }
+    }
+
+    boolean shouldProxyHost(String host) {
+        if (host.toLowerCase(Locale.ROOT).equals("localhost")) {
+            return false;
+        }
+        if (isIpAddress(host)) {
+            try {
+                InetAddress hostAddress = InetAddress.getByName(host);
+                if (hostAddress.isLoopbackAddress()) {
+                    return false;
+                }
+                if (matchesIpAddress(hostAddress)) {
+                    return false;
+                }
+                return !matchesSubnet(host);
+            } catch (UnknownHostException e) {
+                // Could not process it so just proxy it.
+                return true;
+            }
+        }
+        return !matchesDomainHost(host);
+    }
+
+    private static String getEnvironmentValue() {
+        String noProxy = System.getenv("no_proxy");
+        if (noProxy == null) {
+            noProxy = System.getenv("NO_PROXY");
+        }
+        return noProxy;
+    }
+
+    private boolean matchesIpAddress(InetAddress hostAddress) {
+        return noProxyIpAddresses.stream().
+                anyMatch(inetAddress -> inetAddress.equals(hostAddress));
+    }
+
+    private void processSpecificationsIntoTypes(String noProxySpecification) {
+        noProxySpecification = noProxySpecification.trim();
+        String[] noProxySpecifications = splitComponents(noProxySpecification);
+        for (String specification : noProxySpecifications){
+            specification = stripLeadingStarDot(stripLeadingDot(specification.trim()));
+            if (specification.isEmpty() ) {
+                continue;
+            }
+            if (isIpAddress(specification)) {
+                try {
+                    noProxyIpAddresses.add(InetAddress.getByName(specification));
+                } catch (UnknownHostException e) {
+                    // Failed to create InetAddress.
+                }
+                continue;
+            }
+            try {
+                SubnetUtils subnetUtils = new SubnetUtils(specification);
+                SubnetUtils.SubnetInfo subnetInfo = subnetUtils.getInfo();
+                noProxySubnets.add(subnetInfo);
+                continue;
+            } catch (IllegalArgumentException iae) {
+                // Not a subnet definition.
+            }
+            noProxyDomainsHosts.add(specification);
+        }
+    }
+
+    private String[] splitComponents(String noProxySpecification) {
+        String[] noProxySpecifications;
+        if (noProxySpecification.contains(",")) {
+            noProxySpecifications = COMMA.split(noProxySpecification);
+        } else if (noProxySpecification.contains("|")) {
+            noProxySpecifications = PIPE.split(noProxySpecification);
+        } else {
+            noProxySpecifications = new String[] {noProxySpecification};
+        }
+        return noProxySpecifications;
+    }
+
+    private String stripLeadingDot(String string) {
+        return string.startsWith(".") ? string.substring(1) : string;
+    }
+
+    private String stripLeadingStarDot(String string) {
+        return string.startsWith("*.") ? string.substring(2) : string;
+    }
+
+    private boolean matchesSubnet(String host) {
+        return noProxySubnets.stream().anyMatch(subnet -> subnet.isInRange(host));
+    }
+
+    private boolean matchesDomainHost(String host) {
+        return noProxyDomainsHosts.stream().
+               anyMatch(host::endsWith);
+    }
+
+    private boolean isIpAddress(String host) {
+        return InetAddressValidator.getInstance().isValid(host);
+    }
+
+}
diff --git a/src/main/java/hudson/remoting/ObjectInputStreamEx.java b/src/main/java/hudson/remoting/ObjectInputStreamEx.java
index 18af937fd..58f9bd913 100644
--- a/src/main/java/hudson/remoting/ObjectInputStreamEx.java
+++ b/src/main/java/hudson/remoting/ObjectInputStreamEx.java
@@ -29,6 +29,7 @@
 import java.io.ObjectStreamClass;
 import java.lang.reflect.Modifier;
 import java.lang.reflect.Proxy;
+import java.net.URL;
 
 /**
  * {@link ObjectInputStream} that uses a specific class loader.
@@ -48,6 +49,9 @@ public ObjectInputStreamEx(InputStream in, ClassLoader cl, ClassFilter filter) t
         super(in);
         this.cl = cl;
         this.filter = filter;
+        
+        // by default, the resolveObject is not called
+        enableResolveObject(true);
     }
 
     @Override
@@ -91,4 +95,13 @@ protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, Cl
             throw new ClassNotFoundException(null, e);
         }
     }
+    
+    @Override 
+    protected Object resolveObject(Object obj) throws IOException {
+        if(obj instanceof URL){
+            // SECURITY-637, URL deserialization could lead to DNS query
+            return URLDeserializationHelper.wrapIfRequired((URL) obj);
+        }
+        return super.resolveObject(obj);
+    }
 }
diff --git a/src/main/java/hudson/remoting/PingThread.java b/src/main/java/hudson/remoting/PingThread.java
index 1168579f3..92a2faf8f 100644
--- a/src/main/java/hudson/remoting/PingThread.java
+++ b/src/main/java/hudson/remoting/PingThread.java
@@ -68,6 +68,10 @@ public PingThread(Channel channel, long timeout, long interval) {
         this.timeout = timeout;
         this.interval = interval;
         setDaemon(true);
+        setUncaughtExceptionHandler((t, e) -> {
+            LOGGER.log(Level.SEVERE, "Uncaught exception in PingThread " + t, e);
+            onDead(e);
+        });
     }
 
     public PingThread(Channel channel, long interval) {
diff --git a/src/main/java/hudson/remoting/Pipe.java b/src/main/java/hudson/remoting/Pipe.java
index b0dbdd62f..d10d26b39 100644
--- a/src/main/java/hudson/remoting/Pipe.java
+++ b/src/main/java/hudson/remoting/Pipe.java
@@ -23,12 +23,13 @@
  */
 package hudson.remoting;
 
+import org.jenkinsci.remoting.SerializableOnlyOverRemoting;
+
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.io.OutputStream;
-import java.io.Serializable;
 import java.util.concurrent.ExecutionException;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -96,7 +97,7 @@
  *
  * @author Kohsuke Kawaguchi
  */
-public final class Pipe implements Serializable, ErrorPropagatingOutputStream {
+public final class Pipe implements SerializableOnlyOverRemoting, ErrorPropagatingOutputStream {
     private InputStream in;
     private OutputStream out;
 
@@ -149,6 +150,8 @@ public static Pipe createLocalToRemote() {
     }
 
     private void writeObject(ObjectOutputStream oos) throws IOException {
+        final Channel ch = getChannelForSerialization();
+
         // TODO: there's a discrepancy in the pipe window size and FastPipedInputStream buffer size.
         // The former uses 1M, while the latter uses 64K, so if the sender is too fast, it'll cause
         // the pipe IO thread to block other IO activities. Fix this by first using adaptive growing buffer
@@ -156,14 +159,14 @@ private void writeObject(ObjectOutputStream oos) throws IOException {
         if(in!=null && out==null) {
             // remote will write to local
             FastPipedOutputStream pos = new FastPipedOutputStream((FastPipedInputStream)in);
-            int oid = Channel.current().internalExport(Object.class, pos, false);  // this export is unexported in ProxyOutputStream.finalize()
+            int oid = ch.internalExport(Object.class, pos, false);  // this export is unexported in ProxyOutputStream.finalize()
 
             oos.writeBoolean(true); // marker
             oos.writeInt(oid);
         } else {
             // remote will read from local this object gets unexported when the pipe is connected.
             // see ConnectCommand
-            int oid = Channel.current().internalExport(Object.class, out, false);
+            int oid = ch.internalExport(Object.class, out, false);
 
             oos.writeBoolean(false);
             oos.writeInt(oid);
@@ -171,8 +174,7 @@ private void writeObject(ObjectOutputStream oos) throws IOException {
     }
 
     private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
-        final Channel channel = Channel.current();
-        assert channel !=null;
+        final Channel channel = getChannelForSerialization();
 
         if(ois.readBoolean()) {
             // local will write to remote
@@ -230,6 +232,11 @@ public void run() {
             });
         }
 
+        @Override
+        public String toString() {
+            return "Pipe.Connect";
+        }
+
         static final long serialVersionUID = -9128735897846418140L;
     }
 }
diff --git a/src/main/java/hudson/remoting/PipeWindow.java b/src/main/java/hudson/remoting/PipeWindow.java
index 65a499da8..504beac77 100644
--- a/src/main/java/hudson/remoting/PipeWindow.java
+++ b/src/main/java/hudson/remoting/PipeWindow.java
@@ -23,6 +23,10 @@
  */
 package hudson.remoting;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
+import javax.annotation.CheckForNull;
+import javax.annotation.Nonnull;
 import java.io.IOException;
 import java.io.OutputStream;
 import java.util.logging.Logger;
@@ -48,6 +52,12 @@
  * @author Kohsuke Kawaguchi
  */
 abstract class PipeWindow {
+
+    /**
+     * Cause of death.
+     * If not {@code null}, new commands will not be executed.
+     */
+    @CheckForNull
     protected volatile Throwable dead;
 
     /**
@@ -83,6 +93,7 @@ abstract class PipeWindow {
      * @return
      *      The available window size >= min.
      * @param min
+     *      Minimum size of the window to retrieve
      */
     abstract int get(int min) throws InterruptedException, IOException;
 
@@ -93,19 +104,23 @@ abstract class PipeWindow {
 
     /**
      * Indicates that the remote end has died and all the further send attempt should fail.
+     * @param cause Death cause. If {@code null}, the death will be still considered as dead, but there will be no cause recorded..
      */
-    void dead(Throwable cause) {
-        this.dead = cause;
+    void dead(@CheckForNull Throwable cause) {
+        // We need to record
+        this.dead = cause != null ? cause : new RemotingSystemException("Unknown cause", null) ;
     }
 
     /**
      * If we already know that the remote end had developed a problem, throw an exception.
      * Otherwise no-op.
+     * @throws IOException Pipe is already closed
      */
     protected void checkDeath() throws IOException {
-        if (dead!=null)
+        if (dead != null) {
             // the remote end failed to write.
-            throw (IOException)new IOException("Pipe is already closed").initCause(dead);
+            throw new IOException("Pipe is already closed", dead);
+        }
     }
 
 
@@ -154,6 +169,8 @@ public int hashCode() {
         }
     }
 
+    //TODO: Consider rework and cleanup of the fields
+    @SuppressFBWarnings(value = "URF_UNREAD_FIELD", justification = "Legacy implementation")
     static class Real extends PipeWindow {
         private final int initial;
         private int available;
diff --git a/src/main/java/hudson/remoting/PreloadJarTask.java b/src/main/java/hudson/remoting/PreloadJarTask.java
index 007ee20e2..ae61412c7 100644
--- a/src/main/java/hudson/remoting/PreloadJarTask.java
+++ b/src/main/java/hudson/remoting/PreloadJarTask.java
@@ -23,6 +23,7 @@
  */
 package hudson.remoting;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.jenkinsci.remoting.Role;
 import org.jenkinsci.remoting.RoleChecker;
 
diff --git a/src/main/java/hudson/remoting/ProxyInputStream.java b/src/main/java/hudson/remoting/ProxyInputStream.java
index a0f4e4e7d..4ffd61674 100644
--- a/src/main/java/hudson/remoting/ProxyInputStream.java
+++ b/src/main/java/hudson/remoting/ProxyInputStream.java
@@ -144,7 +144,13 @@ protected Buffer perform(Channel channel) throws IOException {
             return buf;
         }
 
+        @Override
+        public String toString() {
+            return "ProxyInputStream.Chunk(len=" + len + ")";
+        }
+
         private static final long serialVersionUID = 1L;
+
     }
 
     /**
diff --git a/src/main/java/hudson/remoting/ProxyOutputStream.java b/src/main/java/hudson/remoting/ProxyOutputStream.java
index 506ecf213..c0c1387e0 100644
--- a/src/main/java/hudson/remoting/ProxyOutputStream.java
+++ b/src/main/java/hudson/remoting/ProxyOutputStream.java
@@ -23,8 +23,8 @@
  */
 package hudson.remoting;
 
+import javax.annotation.Nonnull;
 import java.io.IOException;
-import java.io.InputStream;
 import java.io.InterruptedIOException;
 import java.io.OutputStream;
 import java.util.concurrent.ExecutionException;
@@ -67,14 +67,14 @@ public ProxyOutputStream() {
      * @param oid
      *      The object id of the exported {@link OutputStream}.
      */
-    public ProxyOutputStream(Channel channel, int oid) throws IOException {
+    public ProxyOutputStream(@Nonnull Channel channel, int oid) throws IOException {
         connect(channel,oid);
     }
 
     /**
      * Connects this stream to the specified remote object.
      */
-    synchronized void connect(Channel channel, int oid) throws IOException {
+    synchronized void connect(@Nonnull Channel channel, int oid) throws IOException {
         if(this.channel!=null)
             throw new IllegalStateException("Cannot connect twice");
         if(oid==0)
@@ -151,8 +151,9 @@ a fragmentation will happen. We start sending out a small Chunk at a time (say 4
     }
 
     public synchronized void flush() throws IOException {
-        if(channel!=null)
-            channel.send(new Flush(channel.newIoId(),oid));
+        if (channel != null && /* see #finalize */ oid != -1) {
+            channel.send(new Flush(channel.newIoId(), oid));
+        }
     }
 
     public synchronized void close() throws IOException {
@@ -180,9 +181,8 @@ protected void finalize() throws Throwable {
         super.finalize();
         // if we haven't done so, release the exported object on the remote side.
         // if the object is auto-unexported, the export entry could have already been removed.
-        if(channel!=null) {
+        if(channel != null && oid != -1) {
             channel.send(new Unexport(channel.newIoId(),oid));
-            channel = null;
             oid = -1;
         }
     }
@@ -341,7 +341,7 @@ public Unexport(int ioId, int oid) {
         protected void execute(final Channel channel) {
             channel.pipeWriter.submit(ioId,new Runnable() {
                 public void run() {
-                    channel.unexport(oid,createdAt);
+                    channel.unexport(oid,createdAt,false);
                 }
             });
         }
@@ -442,7 +442,7 @@ private NotifyDeadWriter(Channel channel,Throwable cause, int oid) {
         @Override
         protected void execute(Channel channel) {
             PipeWindow w = channel.getPipeWindow(oid);
-            w.dead(createdAt.getCause());
+            w.dead(createdAt != null ? createdAt.getCause() : null);
         }
 
         public String toString() {
diff --git a/src/main/java/hudson/remoting/ProxyWriter.java b/src/main/java/hudson/remoting/ProxyWriter.java
index 9c152d720..b37da1034 100644
--- a/src/main/java/hudson/remoting/ProxyWriter.java
+++ b/src/main/java/hudson/remoting/ProxyWriter.java
@@ -23,6 +23,7 @@
  */
 package hudson.remoting;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import java.io.CharArrayWriter;
 import java.io.IOException;
 import java.io.InterruptedIOException;
@@ -30,12 +31,17 @@
 import java.util.concurrent.ExecutionException;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import javax.annotation.CheckForNull;
+import javax.annotation.Nonnull;
+import javax.annotation.concurrent.GuardedBy;
 
 /**
  * {@link Writer} that sends bits to an exported
  * {@link Writer} on a remote machine.
  */
 final class ProxyWriter extends Writer {
+    
+    @GuardedBy("this")
     private Channel channel;
     private int oid;
 
@@ -48,9 +54,16 @@ final class ProxyWriter extends Writer {
     private CharArrayWriter tmp;
 
     /**
-     * Set to true if the stream is closed.
+     * Keeps the close request cause.
+     * If the field is not {@code null}, it means that the writer is being closed and hence not writable anymore.
      */
-    private boolean closed;
+    @CheckForNull
+    private Throwable closeCause;
+    /**
+     * Indicates that the object does not longer hold the channel instance.
+     * This is asynchronous toggle flag.
+     */
+    private volatile boolean channelReleased;
 
     /**
      * Creates unconnected {@link ProxyWriter}.
@@ -67,14 +80,14 @@ public ProxyWriter() {
      * @param oid
      *      The object id of the exported {@link Writer}.
      */
-    public ProxyWriter(Channel channel, int oid) throws IOException {
+    public ProxyWriter(@Nonnull Channel channel, int oid) throws IOException {
         connect(channel,oid);
     }
 
     /**
      * Connects this stream to the specified remote object.
      */
-    synchronized void connect(Channel channel, int oid) throws IOException {
+    synchronized void connect(@Nonnull Channel channel, int oid) throws IOException {
         if(this.channel!=null)
             throw new IllegalStateException("Cannot connect twice");
         if(oid==0)
@@ -90,8 +103,9 @@ synchronized void connect(Channel channel, int oid) throws IOException {
             tmp = null;
             _write(b, 0, b.length);
         }
-        if(closed)  // already marked closed?
+        if(closeCause != null) { // already closed asynchronously?
             close();
+        }
     }
 
     public void write(int c) throws IOException {
@@ -99,8 +113,9 @@ public void write(int c) throws IOException {
     }
 
     public void write(char[] cbuf, int off, int len) throws IOException {
-        if (closed)
+        if (closeCause != null) {
             throw new IOException("stream is already closed");
+        }
         _write(cbuf, off, len);
     }
 
@@ -163,7 +178,7 @@ a fragmentation will happen. We start sending out a small Chunk at a time (say 4
         }
     }
 
-    public void flush() throws IOException {
+    public synchronized void flush() throws IOException {
         if(channel!=null && channel.remoteCapability.supportsProxyWriter2_35())
             channel.send(new Flush(channel.newIoId(),oid));
     }
@@ -172,23 +187,64 @@ public synchronized void close() throws IOException {
         error(null);
     }
 
-    public synchronized void error(Throwable e) throws IOException {
-        if (!closed) {
-            closed = true;
-//            error = e;
-        }
-        if(channel!=null)
-            doClose(e);
+    /**
+     * Gets the close cause.
+     *
+     * @return Close cause. {@code null} if the writer close has not been requested yet.
+     *         Nonnull values indicate that the writer may be still active, but it won't accept new write commands in such case.
+     * @since TODO
+     */
+    @CheckForNull
+    public Throwable getCloseCause() {
+        return closeCause;
     }
 
-    private void doClose(Throwable error) throws IOException {
-        channel.send(new EOF(channel.newIoId(),oid/*,error*/));
-        channel = null;
-        oid = -1;
-    }
+    /**
+     * Reports error and immediately terminates the writer.
+     * @param cause Cause
+     * @throws IOException if failed to send the {@link EOF} command to the remote side.
+     *                     The writer will be considered as closed even in such case.
+     */
+    public void error(@CheckForNull Throwable cause) throws IOException {
+        Throwable terminationCause = cause != null ? cause : new IOException("ProxyWriter close has been requested");
+        if (channelReleased) {
+            // Channel is already closed, do nothing
+            if (LOGGER.isLoggable(Level.FINE)) {
+                final IOException ex;
+                if (closeCause != null) {
+                    ex = new IOException("Writer is already closed", closeCause);
+                    ex.addSuppressed(terminationCause);
+                } else {
+                    ex = new IOException("Writer is already closed", terminationCause);
+                }
+                LOGGER.log(Level.FINE, "Trying to close the already closed writer", ex);
+            }
+            return;
+        }
+
+        if (closeCause == null) {
+            // There is a slight risk of race condition here, but we do not really care.
+            // If two termination events come at the same time, we will just cache a random one.
+            this.closeCause = terminationCause;
+        }
 
+        synchronized (this) {
+            //TODO: Bug. If the channel cannot send the command, the channel object will be never released and garbage collected
+            if (channel != null) {
+                // Close the writer on the remote side. This call may be invoked multiple times intil the channel is released
+                //TODO: send cause over the channel
+                channel.send(new EOF(channel.newIoId(), oid/*,error*/));
+                channel = null;
+                channelReleased = true;
+                oid = -1;
+            }
+        }
+    }
 
-    protected void finalize() throws Throwable {
+    @Override
+    //TODO: really?
+    @SuppressFBWarnings(value = "FI_FINALIZER_NULLS_FIELDS", justification = "As designed")
+    protected synchronized void finalize() throws Throwable {
         super.finalize();
         // if we haven't done so, release the exported object on the remote side.
         // if the object is auto-unexported, the export entry could have already been removed.
@@ -321,7 +377,7 @@ public Unexport(int ioId, int oid) {
         protected void execute(final Channel channel) {
             channel.pipeWriter.submit(ioId,new Runnable() {
                 public void run() {
-                    channel.unexport(oid,createdAt);
+                    channel.unexport(oid,createdAt,false);
                 }
             });
         }
@@ -418,7 +474,7 @@ private NotifyDeadWriter(Channel channel,Throwable cause, int oid) {
         @Override
         protected void execute(Channel channel) {
             PipeWindow w = channel.getPipeWindow(oid);
-            w.dead(createdAt.getCause());
+            w.dead(createdAt != null ? createdAt.getCause() : null);
         }
 
         public String toString() {
diff --git a/src/main/java/hudson/remoting/RemoteClassLoader.java b/src/main/java/hudson/remoting/RemoteClassLoader.java
index 51f3e0bc8..9d5ff6905 100644
--- a/src/main/java/hudson/remoting/RemoteClassLoader.java
+++ b/src/main/java/hudson/remoting/RemoteClassLoader.java
@@ -27,8 +27,8 @@
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.ObjectStreamException;
 import java.io.Serializable;
-import java.lang.reflect.Method;
 import java.net.URL;
 import java.net.MalformedURLException;
 import java.net.URLClassLoader;
@@ -46,6 +46,7 @@
 import java.util.logging.Logger;
 
 import org.jenkinsci.constant_pool_scanner.ConstantPoolScanner;
+import org.jenkinsci.remoting.SerializableOnlyOverRemoting;
 
 import javax.annotation.CheckForNull;
 
@@ -151,6 +152,19 @@ private Channel channel() {
         return RemoteInvocationHandler.unwrap(underlyingProxy,channel);
     }
 
+    /**
+     * Finds and loads the class with the specified name from the URL search from the remote instance.
+     * Any URLs referring to JAR files are loaded and opened as needed
+     * until the class is found.
+     *
+     * @param name the name of the class
+     * @return the resulting class
+     * @exception ClassNotFoundException if the class could not be found or if the loader is closed.
+     * @throws UnsupportedClassVersionError The channel does not support the specified bytecode version
+     * @throws ClassFormatError Class format is incorrect
+     * @throws LinkageError Linkage error during the class loading
+     */
+    @Override
     protected Class<?> findClass(String name) throws ClassNotFoundException {
         try {
             // first attempt to load from locally fetched jars
@@ -270,7 +284,7 @@ ClassReference toRef(ClassFile2 cf) {
                 ClassLoader cl = cr.classLoader;
                 if (cl instanceof RemoteClassLoader) {
                     RemoteClassLoader rcl = (RemoteClassLoader) cl;
-                    synchronized (_getClassLoadingLock(rcl, name)) {
+                    synchronized (rcl.getClassLoadingLock(name)) {
                         Class<?> c = rcl.findLoadedClass(name);
 
                         boolean interrupted = false;
@@ -331,28 +345,6 @@ ClassReference toRef(ClassFile2 cf) {
         }
     }
 
-    private static Method gCLL;
-    static {
-        try {
-            gCLL = ClassLoader.class.getDeclaredMethod("getClassLoadingLock", String.class);
-            gCLL.setAccessible(true);
-        } catch (NoSuchMethodException x) {
-            // OK, Java 6
-        } catch (Exception x) {
-            LOGGER.log(WARNING, null, x);
-        }
-    }
-    private static Object _getClassLoadingLock(RemoteClassLoader rcl, String name) {
-        // Java 7: return rcl.getClassLoadingLock(name);
-        if (gCLL != null) {
-            try {
-                return gCLL.invoke(rcl, name);
-            } catch (Exception x) {
-                LOGGER.log(WARNING, null, x);
-            }
-        }
-        return rcl;
-    }
     /**
      * Intercept {@link RemoteClassLoader#findClass(String)} to allow unittests to be written.
      *
@@ -361,14 +353,23 @@ private static Object _getClassLoadingLock(RemoteClassLoader rcl, String name) {
     static Runnable TESTING_CLASS_LOAD;
     static Runnable TESTING_CLASS_REFERENCE_LOAD;
 
-    private Class<?> loadClassFile(String name, byte[] bytes) {
+    /**
+     * Loads class from the byte array.
+     * @param name Name of the class
+     * @param bytes Bytes
+     * @return Loaded class
+     * @throws UnsupportedClassVersionError The channel does not support the specified bytecode version
+     * @throws ClassFormatError Class format is incorrect
+     * @throws LinkageError Linkage error during the class loading
+     */
+    private Class<?> loadClassFile(String name, byte[] bytes) throws LinkageError {
         if (bytes.length < 8) {
             throw new ClassFormatError(name + " is <8 bytes long");
         }
         short bytecodeLevel = (short) ((bytes[6] << 8) + (bytes[7] & 0xFF) - 44);
         final Channel channel = channel();
         if (channel != null && bytecodeLevel > channel.maximumBytecodeLevel) {
-            throw new ClassFormatError("this channel is restricted to JDK 1." + channel.maximumBytecodeLevel + " compatibility but " + name + " was compiled for 1." + bytecodeLevel);
+            throw new UnsupportedClassVersionError("this channel is restricted to JDK 1." + channel.maximumBytecodeLevel + " compatibility but " + name + " was compiled for 1." + bytecodeLevel);
         }
 
         // if someone else is forcing us to load a class by giving as bytecode,
@@ -377,12 +378,15 @@ private Class<?> loadClassFile(String name, byte[] bytes) {
 
         definePackage(name);
 
+        //TODO: probably this wrapping is not required anymore
         try {
             return defineClass(name, bytes, 0, bytes.length);
+        } catch (UnsupportedClassVersionError e) {
+            throw (UnsupportedClassVersionError)new UnsupportedClassVersionError("Failed to load "+name).initCause(e);
         } catch (ClassFormatError e) {
             throw (ClassFormatError)new ClassFormatError("Failed to load "+name).initCause(e);
         } catch (LinkageError e) {
-            throw (LinkageError)new LinkageError("Failed to load "+name).initCause(e);
+            throw new LinkageError("Failed to load "+name, e);
         }
     }
 
@@ -602,6 +606,7 @@ public static class ResourceFile implements Serializable {
          * this points to the location of the resource. Used by
          * the sender side to retrieve the resource when necessary.
          */
+        @SuppressFBWarnings(value = "SE_TRANSIENT_FIELD_NOT_RESTORED", justification = "We're fine with the default null on the recipient side")
         transient final URL local;
 
         /**
@@ -654,6 +659,7 @@ public static class ClassFile2 extends ResourceFile {
          * While this object is still on the sender side, used to remember the actual
          * class that this {@link ClassFile2} represents.
          */
+        @SuppressFBWarnings(value = "SE_TRANSIENT_FIELD_NOT_RESTORED", justification = "We're fine with the default null on the recipient side")
         transient final Class clazz;
 
         ClassFile2(int classLoader, ResourceImageRef image, ClassFile2 referer, Class clazz, URL local) {
@@ -731,7 +737,17 @@ public static interface IClassLoader {
         ResourceFile[] getResources2(String name) throws IOException;
     }
 
-    public static IClassLoader export(@Nonnull ClassLoader cl, Channel local) {
+    /**
+     * Exports classloader over the channel.
+     *
+     * If the classloader is an instance of {@link RemoteClassLoader}, this classloader will be unwrapped and reused.
+     * Otherwise, a classloader object will be exported
+     *
+     * @param cl Classloader to be exported
+     * @param local Channel
+     * @return Exported reference. This reference is always {@link Serializable} though interface is not explict about that
+     */
+    public static IClassLoader export(@Nonnull ClassLoader cl, @Nonnull Channel local) {
         if (cl instanceof RemoteClassLoader) {
             // check if this is a remote classloader from the channel
             final RemoteClassLoader rcl = (RemoteClassLoader) cl;
@@ -740,7 +756,10 @@ public static IClassLoader export(@Nonnull ClassLoader cl, Channel local) {
                 return new RemoteIClassLoader(oid,rcl.proxy);
             }
         }
-        return local.export(IClassLoader.class, new ClassLoaderProxy(cl,local), false);
+        // Remote classloader operates in the System scope (JENKINS-45294).
+        // It's probably YOLO, but otherwise the termination calls may be unable
+        // to execute correctly.
+        return local.export(IClassLoader.class, new ClassLoaderProxy(cl,local), false, false, false);
     }
 
     public static void pin(ClassLoader cl, Channel local) {
@@ -820,19 +839,20 @@ public ClassFile fetch2(String className) throws ClassNotFoundException {
         /**
          * Fetch a single class and creates a {@link ClassFile2} for it.
          */
-        public ClassFile2 fetch4(String className, ClassFile2 referer) throws ClassNotFoundException {
+        public ClassFile2 fetch4(String className, @CheckForNull ClassFile2 referer) throws ClassNotFoundException {
+            Class<?> referrerClass = referer == null ? null : referer.clazz;
             Class<?> c;
             try {
                 c = (referer==null?this.cl:referer.clazz.getClassLoader()).loadClass(className);
             } catch (LinkageError e) {
-                throw (LinkageError)new LinkageError("Failed to load "+className).initCause(e);
+                throw new LinkageError("Failed to load " + className + " via " + referrerClass, e);
             }
             ClassLoader ecl = c.getClassLoader();
             if (ecl == null) {
             	if (USE_BOOTSTRAP_CLASSLOADER) {
             		ecl = PSEUDO_BOOTSTRAP;
             	} else {
-            		throw new ClassNotFoundException("Classloading from system classloader disabled");
+            		throw new ClassNotFoundException("Bootstrap pseudo-classloader disabled: " + className + " via " + referrerClass);
             	}
             }
 
@@ -845,12 +865,13 @@ public ClassFile2 fetch4(String className, ClassFile2 referer) throws ClassNotFo
                         Checksum sum = channel.jarLoader.calcChecksum(jar);
 
                         ResourceImageRef imageRef;
-                        if (referer==null && !channel.jarLoader.isPresentOnRemote(sum))
+                        if (referer == null && !channel.jarLoader.isPresentOnRemote(sum)) {
                             // for the class being requested, if the remote doesn't have the jar yet
                             // send the image as well, so as not to require another call to get this class loaded
                             imageRef = new ResourceImageBoth(urlOfClassFile,sum);
-                        else // otherwise just send the checksum and save space
+                        } else { // otherwise just send the checksum and save space
                             imageRef = new ResourceImageInJar(sum,null /* TODO: we need to check if the URL of c points to the expected location of the file */);
+                        }
 
                         return new ClassFile2(exportId(ecl,channel), imageRef, referer, c, urlOfClassFile);
                     }
@@ -860,7 +881,7 @@ public ClassFile2 fetch4(String className, ClassFile2 referer) throws ClassNotFo
                 }
                 return fetch2(className).upconvert(referer,c,urlOfClassFile);
             } catch (IOException e) {
-                throw new ClassNotFoundException();
+                throw new ClassNotFoundException("Failed to load " + className + " via " + referrerClass, e);
             }
         }
 
@@ -926,10 +947,11 @@ private ResourceFile makeResource(String name, URL resource) throws IOException
                 if (jar.isFile()) {// for historical reasons the jarFile method can return a directory
                     Checksum sum = channel.jarLoader.calcChecksum(jar);
                     ResourceImageRef ir;
-                    if (!channel.jarLoader.isPresentOnRemote(sum))
-                        ir = new ResourceImageBoth(resource,sum);   // remote probably doesn't have
-                    else
-                        ir = new ResourceImageInJar(sum,null);
+                    if (!channel.jarLoader.isPresentOnRemote(sum)) {
+                        ir = new ResourceImageBoth(resource, sum);   // remote probably doesn't have
+                    } else {
+                        ir = new ResourceImageInJar(sum, null);
+                    }
                     return new ResourceFile(ir,resource);
                 }
             } catch (IllegalArgumentException e) {
@@ -1031,7 +1053,7 @@ public String toString() {
      * to work (which will be the remote instance.) Once transferred to the other side,
      * resolve back to the instance on the server.
      */
-    private static class RemoteIClassLoader implements IClassLoader, Serializable {
+    private static class RemoteIClassLoader implements IClassLoader, SerializableOnlyOverRemoting {
         private transient final IClassLoader proxy;
         private final int oid;
 
@@ -1076,9 +1098,9 @@ public ResourceFile[] getResources2(String name) throws IOException {
             return proxy.getResources2(name);
         }
 
-        private Object readResolve() {
+        private Object readResolve() throws ObjectStreamException {
             try {
-                return Channel.current().getExportedObject(oid);
+                return getChannelForSerialization().getExportedObject(oid);
             } catch (ExecutionException ex) {
                 //TODO: Implement something better?
                 throw new IllegalStateException("Cannot resolve remoting classloader", ex);
diff --git a/src/main/java/hudson/remoting/RemoteInputStream.java b/src/main/java/hudson/remoting/RemoteInputStream.java
index 7a2807060..7c11a10ab 100644
--- a/src/main/java/hudson/remoting/RemoteInputStream.java
+++ b/src/main/java/hudson/remoting/RemoteInputStream.java
@@ -23,17 +23,20 @@
  */
 package hudson.remoting;
 
+import org.jenkinsci.remoting.SerializableOnlyOverRemoting;
+
 import java.io.BufferedInputStream;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.io.PrintWriter;
-import java.io.Serializable;
 import java.io.ObjectOutputStream;
 import java.io.IOException;
 import java.io.ObjectInputStream;
 import java.io.StringWriter;
 import java.util.EnumSet;
 import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
 import static hudson.remoting.RemoteInputStream.Flag.*;
 
@@ -45,7 +48,8 @@
  *
  * @author Kohsuke Kawaguchi
  */
-public class RemoteInputStream extends InputStream implements Serializable {
+public class RemoteInputStream extends InputStream implements SerializableOnlyOverRemoting {
+    private static final Logger LOGGER = Logger.getLogger(RemoteInputStream.class.getName());
     private transient InputStream core;
     private boolean autoUnexport;
     private transient Greedy greedyAt;
@@ -104,7 +108,7 @@ public RemoteInputStream(InputStream core, Set<Flag> flags) {
     }
 
     private void writeObject(ObjectOutputStream oos) throws IOException {
-        Channel ch = Channel.current();
+        final Channel ch = getChannelForSerialization();
         if (ch.remoteCapability.supportsGreedyRemoteInputStream()) {
             oos.writeBoolean(greedy);
 
@@ -115,6 +119,8 @@ private void writeObject(ObjectOutputStream oos) throws IOException {
 
                 new Thread("RemoteInputStream greedy pump thread: " + greedyAt.print()) {
                     {
+                        setUncaughtExceptionHandler(
+                                (t, e) -> LOGGER.log(Level.SEVERE, "Uncaught exception in RemoteInputStream pump thread " + t, e));
                         setDaemon(true);
                     }
 
@@ -170,9 +176,7 @@ public void run() {
     }
 
     private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
-        final Channel channel = Channel.current();
-        assert channel !=null;
-
+        final Channel channel = getChannelForSerialization();
         if (channel.remoteCapability.supportsGreedyRemoteInputStream()) {
             boolean greedy = ois.readBoolean();
             if (greedy) {
diff --git a/src/main/java/hudson/remoting/RemoteInvocationHandler.java b/src/main/java/hudson/remoting/RemoteInvocationHandler.java
index 99a088c15..0776da4f2 100644
--- a/src/main/java/hudson/remoting/RemoteInvocationHandler.java
+++ b/src/main/java/hudson/remoting/RemoteInvocationHandler.java
@@ -23,6 +23,7 @@
  */
 package hudson.remoting;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.remoting.Channel.Ref;
 import java.io.IOException;
 import java.io.ObjectInputStream;
@@ -59,6 +60,8 @@
  *
  * @author Kohsuke Kawaguchi
  */
+//TODO: Likely should be serializable over Remoting logic, but this class has protection logic
+// Use-cases need to be investigated
 final class RemoteInvocationHandler implements InvocationHandler, Serializable {
     /**
      * Our logger.
@@ -115,29 +118,47 @@ final class RemoteInvocationHandler implements InvocationHandler, Serializable {
     /**
      * Diagnostic information that remembers where the proxy was created.
      */
-    private final Throwable origin;
+    private final @CheckForNull Throwable origin;
+
+    /**
+     * Indicates that the handler operates in the user space.
+     * In such case the requests will be automatically failed if the
+     * Remoting channel is not fully operational.
+     */
+    private final boolean userSpace;
+
+    /** @see Command#Command(boolean) */
+    private final boolean recordCreatedAt;
 
     /**
      * Creates a proxy that wraps an existing OID on the remote.
      */
-    RemoteInvocationHandler(Channel channel, int id, boolean userProxy, boolean autoUnexportByCaller, Class proxyType) {
+    private RemoteInvocationHandler(Channel channel, int id, boolean userProxy,
+                            boolean autoUnexportByCaller, boolean userSpace,
+                            Class proxyType, boolean recordCreatedAt) {
         this.channel = channel == null ? null : channel.ref();
         this.oid = id;
         this.userProxy = userProxy;
-        this.origin = new Exception("Proxy "+toString()+" was created for "+proxyType);
+        this.origin = recordCreatedAt ? new Exception("Proxy " + toString() + " was created for " + proxyType) : null;
         this.autoUnexportByCaller = autoUnexportByCaller;
+        this.userSpace = userSpace;
+        this.recordCreatedAt = recordCreatedAt;
     }
 
     /**
      * Wraps an OID to the typed wrapper.
+     *
+     * @param userProxy If {@code true} (recommended), all commands will be wrapped into {@link UserRequest}s.
+     * @param userSpace If {@code true} (recommended), the requests will be executed in a user scope
+     * @param recordCreatedAt as in {@link Command#Command(boolean)}
      */
     @Nonnull
-    public static <T> T wrap(Channel channel, int id, Class<T> type, boolean userProxy, boolean autoUnexportByCaller) {
+    static <T> T wrap(Channel channel, int id, Class<T> type, boolean userProxy, boolean autoUnexportByCaller, boolean userSpace, boolean recordCreatedAt) {
         ClassLoader cl = type.getClassLoader();
         // if the type is a JDK-defined type, classloader should be for IReadResolve
         if(cl==null || cl==ClassLoader.getSystemClassLoader())
             cl = IReadResolve.class.getClassLoader();
-        RemoteInvocationHandler handler = new RemoteInvocationHandler(channel, id, userProxy, autoUnexportByCaller, type);
+        RemoteInvocationHandler handler = new RemoteInvocationHandler(channel, id, userProxy, autoUnexportByCaller, userSpace, type, recordCreatedAt);
         if (channel != null) {
             if (!autoUnexportByCaller) {
                 UNEXPORTER.watch(handler);
@@ -231,7 +252,7 @@ public Object invoke(Object proxy, Method method, Object[] args) throws Throwabl
         if(method.getDeclaringClass()==IReadResolve.class) {
             // readResolve on the proxy.
             // if we are going back to where we came from, replace the proxy by the real object
-            if(goingHome)   return Channel.current().getExportedObject(oid);
+            if(goingHome)   return Channel.currentOrFail().getExportedObject(oid);
             else            return proxy;
         }
 
@@ -253,7 +274,9 @@ public Object invoke(Object proxy, Method method, Object[] args) throws Throwabl
         // delegate the rest of the methods to the remote object
 
         boolean async = method.isAnnotationPresent(Asynchronous.class);
-        RPCRequest req = new RPCRequest(oid, method, args, userProxy ? dc.getClassLoader() : null);
+        RPCRequest req = userSpace
+                ? new UserRPCRequest(oid, method, args, userProxy ? dc.getClassLoader() : null, recordCreatedAt)
+                : new RPCRequest(oid, method, args, userProxy ? dc.getClassLoader() : null, recordCreatedAt);
         try {
             if(userProxy) {
                 if (async)  channelOrFail().callAsync(req);
@@ -335,7 +358,7 @@ private static class PhantomReferenceImpl extends PhantomReference<RemoteInvocat
         /**
          * The origin from where the object was created.
          */
-        private Throwable origin;
+        private @CheckForNull Throwable origin;
         /**
          * The reference to the channel on which to unexport.
          */
@@ -825,17 +848,24 @@ private void onChannelTermination(Channel channel) {
      * The downside of this is that the classes used as a parameter/return value
      * must be available to both JVMs.
      *
-     * If used as {@link Callable} in conjunction with {@link UserRequest},
-     * this can be used to send a method call to user-level objects, and
-     * classes for the parameters and the return value are sent remotely if needed.
+     * For user-space commands and operations, there is a {@link UserRPCRequest} implementation.
+     *
+     * @see UserRPCRequest
      */
-    static final class RPCRequest extends Request<Serializable,Throwable> implements DelegatingCallable<Serializable,Throwable> {
+    static class RPCRequest extends Request<Serializable,Throwable> implements DelegatingCallable<Serializable,Throwable> {
         /**
          * Target object id to invoke.
          */
-        private final int oid;
+        protected final int oid;
+
+        /**
+         * Type name of declaring class.
+         * Null if deserialized historically.
+         */
+        @CheckForNull
+        private final String declaringClassName;
 
-        private final String methodName;
+        protected final String methodName;
         /**
          * Type name of the arguments to invoke. They are names because
          * neither {@link Method} nor {@link Class} is serializable.
@@ -850,15 +880,15 @@ static final class RPCRequest extends Request<Serializable,Throwable> implements
          * If this is used as {@link Callable}, we need to remember what classloader
          * to be used to serialize the request and the response.
          */
+        @CheckForNull
+        @SuppressFBWarnings(value = "SE_TRANSIENT_FIELD_NOT_RESTORED", justification = "We're fine with the default null on the recipient side")
         private transient ClassLoader classLoader;
 
-        public RPCRequest(int oid, Method m, Object[] arguments) {
-            this(oid,m,arguments,null);
-        }
-
-        public RPCRequest(int oid, Method m, Object[] arguments, ClassLoader cl) {
+        private RPCRequest(int oid, Method m, Object[] arguments, ClassLoader cl, boolean recordCreatedAt) {
+            super(recordCreatedAt);
             this.oid = oid;
             this.arguments = arguments;
+            declaringClassName = m.getDeclaringClass().getName();
             this.methodName = m.getName();
             this.classLoader = cl;
 
@@ -870,7 +900,7 @@ public RPCRequest(int oid, Method m, Object[] arguments, ClassLoader cl) {
         }
 
         public Serializable call() throws Throwable {
-            return perform(Channel.current());
+            return perform(getChannelOrFail());
         }
 
         @Override
@@ -886,7 +916,7 @@ public ClassLoader getClassLoader() {
                 return getClass().getClassLoader();
         }
 
-        protected Serializable perform(Channel channel) throws Throwable {
+        protected Serializable perform(@Nonnull Channel channel) throws Throwable {
             Object o = channel.getExportedObject(oid);
             Class[] clazz = channel.getExportedTypes(oid);
             try {
@@ -935,12 +965,53 @@ Object[] getArguments() { // for debugging
             return arguments;
         }
 
+        @Override
         public String toString() {
-            return "RPCRequest("+oid+","+methodName+")";
+            StringBuilder b = new StringBuilder(getClass().getSimpleName()).append(':').append(declaringClassName).append('.').append(methodName).append('[');
+            for (int i = 0; i < types.length; i++) {
+                if (i > 0) {
+                    b.append(',');
+                }
+                b.append(types[i]);
+            }
+            b.append("](").append(oid).append(')');
+            return b.toString();
         }
 
         private static final long serialVersionUID = 1L; 
     }
 
+    /**
+     * User-space version of {@link RPCRequest}.
+     *
+     * This is an equivalent of {@link UserRequest} for RPC calls.
+     * Such kind of requests will not be send over closing or malfunctional channel.
+     *
+     * If used as {@link Callable} in conjunction with {@link UserRequest},
+     * this can be used to send a method call to user-level objects, and
+     * classes for the parameters and the return value are sent remotely if needed.
+     */
+    private static class UserRPCRequest extends RPCRequest {
+
+        private static final long serialVersionUID = -9185841650347902580L;
+
+        UserRPCRequest(int oid, Method m, Object[] arguments, ClassLoader cl, boolean recordCreatedAt) {
+            super(oid, m, arguments, cl, recordCreatedAt);
+        }
+
+        // Same implementation as UserRequest
+        @Override
+        public void checkIfCanBeExecutedOnChannel(Channel channel) throws IOException {
+            // Default check for all requests
+            super.checkIfCanBeExecutedOnChannel(channel);
+
+            // We also do not want to run UserRequests when the channel is being closed
+            if (channel.isClosingOrClosed()) {
+                throw new ChannelClosedException("The request cannot be executed on channel " + channel + ". "
+                        + "The channel is closing down or has closed down", channel.getCloseRequestCause());
+            }
+        }
+    }
+
     private static final Object[] EMPTY_ARRAY = new Object[0];
 }
diff --git a/src/main/java/hudson/remoting/RemoteOutputStream.java b/src/main/java/hudson/remoting/RemoteOutputStream.java
index 873c561c9..aa956d110 100644
--- a/src/main/java/hudson/remoting/RemoteOutputStream.java
+++ b/src/main/java/hudson/remoting/RemoteOutputStream.java
@@ -23,11 +23,12 @@
  */
 package hudson.remoting;
 
+import org.jenkinsci.remoting.SerializableOnlyOverRemoting;
+
 import java.io.IOException;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.io.OutputStream;
-import java.io.Serializable;
 
 /**
  * {@link OutputStream} that can be sent over to the remote {@link Channel},
@@ -62,7 +63,7 @@
  * @see RemoteInputStream
  * @author Kohsuke Kawaguchi
  */
-public final class RemoteOutputStream extends OutputStream implements Serializable {
+public final class RemoteOutputStream extends OutputStream implements SerializableOnlyOverRemoting {
     /**
      * On local machine, this points to the {@link OutputStream} where
      * the data will be sent ultimately.
@@ -79,15 +80,12 @@ public RemoteOutputStream(OutputStream core) {
     }
 
     private void writeObject(ObjectOutputStream oos) throws IOException {
-        int id = Channel.current().internalExport(OutputStream.class, core, false); // this export is unexported in ProxyOutputStream.finalize()
+        int id = getChannelForSerialization().internalExport(OutputStream.class, core, false); // this export is unexported in ProxyOutputStream.finalize()
         oos.writeInt(id);
     }
 
     private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
-        final Channel channel = Channel.current();
-        assert channel !=null;
-
-        this.core = new ProxyOutputStream(channel, ois.readInt());
+        this.core = new ProxyOutputStream(getChannelForSerialization(), ois.readInt());
     }
 
     private static final long serialVersionUID = 1L;
diff --git a/src/main/java/hudson/remoting/RemoteWriter.java b/src/main/java/hudson/remoting/RemoteWriter.java
index 07343ecc0..99920f916 100644
--- a/src/main/java/hudson/remoting/RemoteWriter.java
+++ b/src/main/java/hudson/remoting/RemoteWriter.java
@@ -23,10 +23,11 @@
  */
 package hudson.remoting;
 
+import org.jenkinsci.remoting.SerializableOnlyOverRemoting;
+
 import java.io.IOException;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
-import java.io.Serializable;
 import java.io.Writer;
 
 /**
@@ -48,7 +49,7 @@
  * @see RemoteInputStream
  * @author Kohsuke Kawaguchi
  */
-public final class RemoteWriter extends Writer implements Serializable {
+public final class RemoteWriter extends Writer implements SerializableOnlyOverRemoting {
     /**
      * On local machine, this points to the {@link Writer} where
      * the data will be sent ultimately.
@@ -63,14 +64,12 @@ public RemoteWriter(Writer core) {
     }
 
     private void writeObject(ObjectOutputStream oos) throws IOException {
-        int id = Channel.current().internalExport(Writer.class, core, false);  // this export is unexported in ProxyWriter.finalize()
+        int id = getChannelForSerialization().internalExport(Writer.class, core, false);  // this export is unexported in ProxyWriter.finalize()
         oos.writeInt(id);
     }
 
     private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
-        final Channel channel = Channel.current();
-        assert channel !=null;
-
+        final Channel channel = getChannelForSerialization();
         this.core = new ProxyWriter(channel, ois.readInt());
     }
 
diff --git a/src/main/java/hudson/remoting/Request.java b/src/main/java/hudson/remoting/Request.java
index 22ce7c2fb..8c8c95b42 100644
--- a/src/main/java/hudson/remoting/Request.java
+++ b/src/main/java/hudson/remoting/Request.java
@@ -23,9 +23,9 @@
  */
 package hudson.remoting;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import java.io.IOException;
 import java.io.Serializable;
-import java.nio.channels.ClosedChannelException;
 import java.util.concurrent.CancellationException;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.Future;
@@ -34,6 +34,7 @@
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
 
 /**
  * Request/response pattern over {@link Channel}, the layer-1 service.
@@ -44,14 +45,15 @@
  *
  * @author Kohsuke Kawaguchi
  * @see Response
+ * @since 3.17
  */
-abstract class Request<RSP extends Serializable,EXC extends Throwable> extends Command {
+public abstract class Request<RSP extends Serializable,EXC extends Throwable> extends Command {
     /**
      * Executed on a remote system to perform the task.
      *
      * @param channel
      *      The local channel. From the view point of the JVM that
-     *      {@link #call(Channel) made the call}, this channel is
+     *      {@link #call(Channel)} made the call, this channel is
      *      the remote channel.
      * @return
      *      the return value will be sent back to the calling process.
@@ -59,7 +61,8 @@ abstract class Request<RSP extends Serializable,EXC extends Throwable> extends C
      *      The exception will be forwarded to the calling process.
      *      If no checked exception is supposed to be thrown, use {@link RuntimeException}.
      */
-    protected abstract RSP perform(Channel channel) throws EXC;
+    @Nullable
+    abstract RSP perform(@Nonnull Channel channel) throws EXC;
 
     /**
      * Uniquely identifies this request.
@@ -78,10 +81,12 @@ abstract class Request<RSP extends Serializable,EXC extends Throwable> extends C
 
     private volatile Response<RSP,EXC> response;
 
+    transient long startTime;
+
     /**
      * While executing the call this is set to the handle of the execution.
      */
-    protected volatile transient Future<?> future;
+    volatile transient Future<?> future;
 
     /**
      * Set by {@link Response} to point to the I/O ID issued from the other side that this request needs to
@@ -98,7 +103,13 @@ abstract class Request<RSP extends Serializable,EXC extends Throwable> extends C
     @Deprecated
     /*package*/ volatile transient Future<?> lastIo;
 
-    protected Request() {
+    Request() {
+        this(true);
+    }
+
+    @SuppressFBWarnings(value="ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD", justification="That is why we synchronize on the class.")
+    Request(boolean recordCreatedAt) {
+        super(recordCreatedAt);
         synchronized(Request.class) {
             id = nextId++;
         }
@@ -109,13 +120,13 @@ protected Request() {
      * 
      * @param channel Channel
      * @throws IOException Error with explanation if the request cannot be executed. 
-     * @since TODO
+     * @since 3.11
      */
-    public void checkIfCanBeExecutedOnChannel(@Nonnull Channel channel) throws IOException {
+    void checkIfCanBeExecutedOnChannel(@Nonnull Channel channel) throws IOException {
         final Throwable senderCloseCause = channel.getSenderCloseCause();
         if (senderCloseCause != null) {
             // Sender is closed, we won't be able to send anything
-            throw new ChannelClosedException(senderCloseCause);
+            throw new ChannelClosedException(channel, senderCloseCause);
         }
     }
     
@@ -133,7 +144,7 @@ public void checkIfCanBeExecutedOnChannel(@Nonnull Channel channel) throws IOExc
      * @throws EXC
      *      If the {@link #perform(Channel)} throws an exception.
      */
-    public final RSP call(Channel channel) throws EXC, InterruptedException, IOException {
+    final RSP call(Channel channel) throws EXC, InterruptedException, IOException {
         checkIfCanBeExecutedOnChannel(channel);
         lastIoId = channel.lastIoId();
 
@@ -145,6 +156,7 @@ public final RSP call(Channel channel) throws EXC, InterruptedException, IOExcep
                 response=null;
 
                 channel.pendingCalls.put(id,this);
+                startTime = System.nanoTime();
                 channel.send(this);
             }
         }
@@ -215,13 +227,14 @@ public final RSP call(Channel channel) throws EXC, InterruptedException, IOExcep
      * @throws IOException
      *      If there's an error during the communication.
      */
-    public final hudson.remoting.Future<RSP> callAsync(final Channel channel) throws IOException {
+    final hudson.remoting.Future<RSP> callAsync(final Channel channel) throws IOException {
         checkIfCanBeExecutedOnChannel(channel);
         
         response=null;
         lastIoId = channel.lastIoId();
 
         channel.pendingCalls.put(id,this);
+        startTime = System.nanoTime();
         channel.send(this);
 
         return new hudson.remoting.Future<RSP>() {
@@ -324,13 +337,13 @@ public RSP get(long timeout, TimeUnit unit) throws InterruptedException, Executi
      * Aborts the processing. The calling thread will receive an exception. 
      */
     /*package*/ void abort(IOException e) {
-        onCompleted(new Response(id,0,new RequestAbortedException(e)));
+        onCompleted(new Response(this, id, 0, new RequestAbortedException(e)));
     }
 
     /**
      * Schedules the execution of this request.
      */
-    protected final void execute(final Channel channel) {
+    final void execute(final Channel channel) {
         channel.executingCalls.put(id,this);
         future = channel.executor.submit(new Runnable() {
 
@@ -355,21 +368,26 @@ public void run() {
 
                         RSP r = Request.this.perform(channel);
                         // normal completion
-                        rsp = new Response<RSP,EXC>(id,calcLastIoId(),r);
+                        rsp = new Response<RSP, EXC>(Request.this, id, calcLastIoId(), r);
                     } catch (Throwable t) {
                         // error return
-                        rsp = new Response<RSP,Throwable>(id,calcLastIoId(),t);
+                        rsp = new Response<RSP, Throwable>(Request.this, id, calcLastIoId(), t);
                     } finally {
                         CURRENT.set(null);
                     }
-                    if(chainCause)
-                        rsp.createdAt.initCause(createdAt);
+                    if(chainCause) {
+                        rsp.chainCause(createdAt);
+                    }
 
                     channel.send(rsp);
                 } catch (IOException e) {
                     // communication error.
                     // this means the caller will block forever
-                    logger.log(Level.WARNING, "Failed to send back a reply to the request " + this, e);
+                    if (e instanceof ChannelClosedException && !logger.isLoggable(Level.FINE)) {
+                        logger.log(Level.INFO, "Failed to send back a reply to the request {0}: {1}", new Object[] {this, e});
+                    } else {
+                        logger.log(Level.WARNING, "Failed to send back a reply to the request " + this, e);
+                    }
                 } finally {
                     channel.executingCalls.remove(id);
                     Thread.currentThread().setName(oldThreadName);
@@ -391,7 +409,7 @@ public void run() {
      * Set to true to chain {@link Command#createdAt} to track request/response relationship.
      * This will substantially increase the network traffic, but useful for debugging.
      */
-    public static boolean chainCause = Boolean.getBoolean(Request.class.getName()+".chainCause");
+    static boolean chainCause = Boolean.getBoolean(Request.class.getName()+".chainCause");
 
     /**
      * Set to the {@link Request} object during {@linkplain #perform(Channel) the execution of the call}.
@@ -425,6 +443,11 @@ protected void execute(Channel channel) {
             if(f!=null)     f.cancel(true);
         }
 
+        @Override
+        public String toString() {
+            return "Request.Cancel";
+        }
+
         private static final long serialVersionUID = -1709992419006993208L;
     }
 }
diff --git a/src/main/java/hudson/remoting/ResourceImageBoth.java b/src/main/java/hudson/remoting/ResourceImageBoth.java
index 28846bc80..d5d8bf3a2 100644
--- a/src/main/java/hudson/remoting/ResourceImageBoth.java
+++ b/src/main/java/hudson/remoting/ResourceImageBoth.java
@@ -42,7 +42,9 @@ Future<URLish> resolveURL(Channel channel, String resourcePath) throws IOExcepti
     @Nonnull
     private Future<URL> initiateJarRetrieval(@Nonnull Channel channel) throws IOException, InterruptedException {
         JarCache c = channel.getJarCache();
-        assert c !=null : "we don't advertise jar caching to the other side unless we have a cache with us";
+        if (c == null) {
+            throw new IOException("Failed to initiate retrieval. JAR Cache is disabled for the channel " + channel.getName());
+        }
 
         try {
             return c.resolve(channel, sum1, sum2);
diff --git a/src/main/java/hudson/remoting/ResourceImageInJar.java b/src/main/java/hudson/remoting/ResourceImageInJar.java
index b6d3a372c..831bba459 100644
--- a/src/main/java/hudson/remoting/ResourceImageInJar.java
+++ b/src/main/java/hudson/remoting/ResourceImageInJar.java
@@ -82,7 +82,10 @@ open jar file (see sun.net.www.protocol.jar.JarURLConnection.JarURLInputStream.c
 
     Future<URL> _resolveJarURL(Channel channel) throws IOException, InterruptedException {
         JarCache c = channel.getJarCache();
-        assert c !=null : "we don't advertise jar caching to the other side unless we have a cache with us";
+        if (c == null) {
+            throw new IOException(String.format("Failed to resolve a jar %016x%016x. JAR Cache is disabled for the channel %s",
+                    sum1, sum2, channel.getName()));
+        }
 
         return c.resolve(channel, sum1, sum2);
 //            throw (IOException)new IOException(String.format("Failed to resolve a jar %016x%016x",sum1,sum2)).initCause(e);
diff --git a/src/main/java/hudson/remoting/Response.java b/src/main/java/hudson/remoting/Response.java
index 6bbb4e56f..a0afcd67c 100644
--- a/src/main/java/hudson/remoting/Response.java
+++ b/src/main/java/hudson/remoting/Response.java
@@ -23,6 +23,10 @@
  */
 package hudson.remoting;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+import javax.annotation.CheckForNull;
+import javax.annotation.Nullable;
+
 /**
  * Request/response pattern over {@link Command}.
  *
@@ -30,8 +34,9 @@
  *
  * @author Kohsuke Kawaguchi
  * @see Request
+ * @since 3.17
  */
-final class Response<RSP,EXC extends Throwable> extends Command {
+public final class Response<RSP,EXC extends Throwable> extends Command {
     /**
      * ID of the {@link Request} for which
      */
@@ -51,14 +56,21 @@ final class Response<RSP,EXC extends Throwable> extends Command {
     final RSP returnValue;
     final EXC exception;
 
-    Response(int id, int lastIoId, RSP returnValue) {
+    @SuppressFBWarnings(value="SE_TRANSIENT_FIELD_NOT_RESTORED", justification="Only supposed to be defined on one side.")
+    private transient long totalTime;
+    @SuppressFBWarnings(value="SE_TRANSIENT_FIELD_NOT_RESTORED", justification="Bound after deserialization, in execute.")
+    private transient Request<?, ?> request;
+
+    Response(Request request, int id, int lastIoId, RSP returnValue) {
+        this.request = request;
         this.id = id;
         this.lastIoId = lastIoId;
         this.returnValue = returnValue;
         this.exception = null;
     }
 
-    Response(int id, int lastIoId, EXC exception) {
+    Response(Request request, int id, int lastIoId, EXC exception) {
+        this.request = request;
         this.id = id;
         this.lastIoId = lastIoId;
         this.returnValue = null;
@@ -69,7 +81,7 @@ final class Response<RSP,EXC extends Throwable> extends Command {
      * Notifies the waiting {@link Request}.
      */
     @Override
-    protected void execute(Channel channel) {
+    void execute(Channel channel) {
         Request req = channel.pendingCalls.get(id);
         if(req==null)
             return; // maybe aborted
@@ -77,15 +89,50 @@ protected void execute(Channel channel) {
 
         req.onCompleted(this);
         channel.pendingCalls.remove(id);
+        request = req;
+        long startTime = req.startTime;
+        if (startTime != 0) {
+            long time = System.nanoTime() - startTime;
+            totalTime = time;
+            channel.notifyResponse(req, this, time);
+        }
     }
 
+    @Override
     public String toString() {
-        return "Response[retVal="+toString(returnValue)+",exception="+toString(exception)+"]";
+        return "Response" + (request != null ? ":" + request : "") + "(" + (returnValue != null ? returnValue.getClass().getName() : exception != null ? exception.getClass().getName() : null) + ")";
     }
 
-    private static String toString(Object o) {
-        if(o==null) return "null";
-        else        return o.toString();
+    /**
+     * Obtains the matching request.
+     * @return null if this response has not been processed successfully
+     */
+    public @CheckForNull Request<?, ?> getRequest() {
+        return request;
+    }
+
+    /**
+     * Gets the return value of the response.
+     * @return null in case {@link #getException} is non-null
+     */
+    public @Nullable RSP getReturnValue() {
+        return returnValue;
+    }
+
+    /**
+     * Gets the exception thrown by the response.
+     * @return null in case {@link #getReturnValue} is non-null
+     */
+    public @Nullable EXC getException() {
+        return exception;
+    }
+
+    /**
+     * Gets the total time taken on the local side to send the request and receive the response.
+     * @return the total time in nanoseconds, or zero if unknown, including if this response is being sent to a remote request
+     */
+    public long getTotalTime() {
+        return totalTime;
     }
 
     private static final long serialVersionUID = 1L;
diff --git a/src/main/java/hudson/remoting/SingleLaneExecutorService.java b/src/main/java/hudson/remoting/SingleLaneExecutorService.java
index beab6ecee..79a3b730e 100644
--- a/src/main/java/hudson/remoting/SingleLaneExecutorService.java
+++ b/src/main/java/hudson/remoting/SingleLaneExecutorService.java
@@ -8,6 +8,10 @@
 import java.util.concurrent.LinkedBlockingQueue;
 import java.util.concurrent.RejectedExecutionException;
 import java.util.concurrent.TimeUnit;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.jenkinsci.remoting.util.ExecutorServiceUtils;
+import org.jenkinsci.remoting.util.ExecutorServiceUtils.FatalRejectedExecutionException;
 
 /**
  * Creates an {@link ExecutorService} that executes submitted tasks sequentially
@@ -43,6 +47,8 @@ public class SingleLaneExecutorService extends AbstractExecutorService {
      * We have finished shut down. Every tasks are full executed.
      */
     private boolean shutDown;
+    
+    private static final Logger LOGGER = Logger.getLogger(SingleLaneExecutorService.class.getName());
 
     /**
      * @param base
@@ -95,18 +101,31 @@ public synchronized boolean awaitTermination(long timeout, TimeUnit unit) throws
         return isTerminated();
     }
 
+    // TODO: create a new method with non-Runtime exceptions and timeout support
+    @Override
     public synchronized void execute(Runnable command) {
-        if (shuttingDown)
-            throw new RejectedExecutionException();
-
+        if (shuttingDown) {
+            throw new FatalRejectedExecutionException("Cannot execute the command " + command +
+                    ". The executor service is shutting down");
+        }
+            
         this.tasks.add(command);
+        
+        // If we haven't been scheduled yet, do so now
         if (!scheduled) {
             scheduled = true;
-            base.submit(runner);  // if we haven't been scheduled yet, do so now
+            try {
+                // Submit task in the async mode
+                ExecutorServiceUtils.submitAsync(base, runner);
+            } catch (ExecutorServiceUtils.ExecutionRejectedException ex) {
+                // Wrap by the runtime exception since there is no other solution here
+                throw new RejectedExecutionException("Base executor service " + base + " has rejected the task " + command, ex);
+            }
         }
     }
 
     private final Runnable runner = new Runnable() {
+        @Override
         public void run() {
             try {
                 tasks.peek().run();
@@ -117,7 +136,18 @@ public void run() {
                     assert scheduled;
                     if (!tasks.isEmpty()) {
                         // we have still more things to do
-                        base.submit(this);
+                        try {
+                            ExecutorServiceUtils.submitAsync(base, this);
+                        } catch (ExecutorServiceUtils.ExecutionRejectedException ex) {
+                            // It is supposed to be a fatal error, but we cannot propagate it properly
+                            // So the code just logs the error and then throws RuntimeException as it
+                            // used to do before the code migration to ExecutorServiceUtils.
+                            // TODO: so this behavior still implies the BOOM risk, but there wil be a log entry at least
+                            LOGGER.log(Level.SEVERE, String.format(
+                                    "Base executor service %s has rejected the queue task %s. Propagating the RuntimeException to the caller.", 
+                                    ex.getExecutorServiceDisplayName(), ex.getRunnableDisplayName()), ex);
+                            throw ExecutorServiceUtils.createRuntimeException("Base executor service has rejected the task from the queue", ex);
+                        }
                     } else {
                         scheduled = false;
                         if (shuttingDown) {
diff --git a/src/main/java/hudson/remoting/SynchronousCommandTransport.java b/src/main/java/hudson/remoting/SynchronousCommandTransport.java
index f3ec1b39d..50188c6b2 100644
--- a/src/main/java/hudson/remoting/SynchronousCommandTransport.java
+++ b/src/main/java/hudson/remoting/SynchronousCommandTransport.java
@@ -31,7 +31,7 @@ public abstract class SynchronousCommandTransport extends CommandTransport {
     /**
      * Called by {@link Channel} to read the next command to arrive from the stream.
      */
-    abstract Command read() throws IOException, ClassNotFoundException, InterruptedException;
+    public abstract Command read() throws IOException, ClassNotFoundException, InterruptedException;
 
     @Override
     public void setup(Channel channel, CommandReceiver receiver) {
@@ -47,6 +47,10 @@ private final class ReaderThread extends Thread {
         public ReaderThread(CommandReceiver receiver) {
             super("Channel reader thread: "+channel.getName());
             this.receiver = receiver;
+            setUncaughtExceptionHandler((t, e) -> {
+                LOGGER.log(Level.SEVERE, "Uncaught exception in SynchronousCommandTransport.ReaderThread " + t, e);
+                channel.terminate(new IOException("Unexpected reader termination", e));
+            });
         }
 
         @Override
@@ -70,9 +74,7 @@ public void run() {
                         LOGGER.log(Level.WARNING, "Socket timeout in the Synchronous channel reader", ex);
                         continue;
                     } catch (EOFException e) {
-                        IOException ioe = new IOException("Unexpected termination of the channel");
-                        ioe.initCause(e);
-                        throw ioe;
+                        throw new IOException("Unexpected termination of the channel", e);
                     } catch (ClassNotFoundException e) {
                         LOGGER.log(Level.SEVERE, "Unable to read a command (channel " + name + ")",e);
                         continue;
@@ -88,15 +90,15 @@ public void run() {
                 LOGGER.log(Level.SEVERE, "I/O error in channel "+name,e);
                 channel.terminate((InterruptedIOException) new InterruptedIOException().initCause(e));
             } catch (IOException e) {
-                LOGGER.log(Level.SEVERE, "I/O error in channel "+name,e);
+                LOGGER.log(Level.INFO, "I/O error in channel "+name,e);
                 channel.terminate(e);
             } catch (RuntimeException e) {
                 LOGGER.log(Level.SEVERE, "Unexpected error in channel "+name,e);
-                channel.terminate((IOException) new IOException("Unexpected reader termination").initCause(e));
+                channel.terminate(new IOException("Unexpected reader termination", e));
                 throw e;
             } catch (Error e) {
                 LOGGER.log(Level.SEVERE, "Unexpected error in channel "+name,e);
-                channel.terminate((IOException) new IOException("Unexpected reader termination").initCause(e));
+                channel.terminate(new IOException("Unexpected reader termination", e));
                 throw e;
             } finally {
                 channel.pipeWriter.shutdown();
diff --git a/src/main/java/hudson/remoting/URLDeserializationHelper.java b/src/main/java/hudson/remoting/URLDeserializationHelper.java
new file mode 100644
index 000000000..206c1734a
--- /dev/null
+++ b/src/main/java/hudson/remoting/URLDeserializationHelper.java
@@ -0,0 +1,87 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2018, CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package hudson.remoting;
+
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
+import javax.annotation.Nonnull;
+import java.io.IOException;
+import java.net.URL;
+import java.net.URLConnection;
+import java.net.URLStreamHandler;
+
+/**
+ * SECURITY-637, this helper wraps the URL into a "safe" version if the url has a non-empty host 
+ * and the JVM configuration is standard.
+ *
+ * Essentially the wrap does not provide the same logic for {@link java.net.URLStreamHandler#hashCode(URL)}
+ * and {@link java.net.URLStreamHandler#equals(URL, URL)} but a version that use directly the {@code String} representation
+ * instead of requesting the DNS to have name equivalence.
+ * 
+ * @since TODO
+ */
+public class URLDeserializationHelper {
+    // escape hatch for SECURITY-637 to keep legacy behavior
+    @SuppressFBWarnings(value = "MS_SHOULD_BE_FINAL", justification = "Accessible via System Groovy Scripts")
+    private static boolean AVOID_URL_WRAPPING = Boolean.getBoolean(URLDeserializationHelper.class + ".avoidUrlWrapping");
+    
+    private static final SafeURLStreamHandler SAFE_HANDLER = new SafeURLStreamHandler();
+    
+    /**
+     * Wraps the given URL into a "safe" version against deserialization attack if the url has a non-empty host 
+     * and the JVM configuration is standard.
+     */
+    public static @Nonnull URL wrapIfRequired(@Nonnull URL url) throws IOException {
+        if(AVOID_URL_WRAPPING){
+            // legacy behavior
+            return url;
+        }
+        
+        if (url.getHost() == null || url.getHost().isEmpty()) {
+            // default equals/hashcode are not vulnerable in case the host is null or empty
+            return url;
+        }
+        
+        return new URL(null, url.toString(), SAFE_HANDLER);
+    }
+    
+    private static class SafeURLStreamHandler extends URLStreamHandler {
+        @Override
+        protected URLConnection openConnection(URL u) throws IOException {
+            return new URL(u.toString()).openConnection();
+        }
+        
+        // actual correction is here (hashCode + equals), we avoid requesting the DNS for the hostname
+        
+        @Override
+        protected int hashCode(URL u) {
+            return u.toExternalForm().hashCode();
+        }
+        
+        @Override
+        protected boolean equals(URL u1, URL u2) {
+            return u1.toExternalForm().equals(u2.toExternalForm());
+        }
+    }
+}
diff --git a/src/main/java/hudson/remoting/UnexportCommand.java b/src/main/java/hudson/remoting/UnexportCommand.java
index 309d3bcdf..dd2a416b4 100644
--- a/src/main/java/hudson/remoting/UnexportCommand.java
+++ b/src/main/java/hudson/remoting/UnexportCommand.java
@@ -23,6 +23,8 @@
  */
 package hudson.remoting;
 
+import javax.annotation.CheckForNull;
+
 /**
  * {@link Command} that unexports an object.
  * @author Kohsuke Kawaguchi
@@ -30,11 +32,15 @@
 public class UnexportCommand extends Command {
     private final int oid;
 
-    UnexportCommand(int oid, Throwable cause) {
+    UnexportCommand(int oid, @CheckForNull Throwable cause) {
         this.oid = oid;
-        this.createdAt.initCause(cause);
+        chainCause(cause);
     }
 
+    /**
+     * @deprecated Use {@link #UnexportCommand(int, Throwable)}
+     */
+    @Deprecated
     public UnexportCommand(int oid) {
         this(oid,null);
     }
@@ -45,7 +51,7 @@ protected void execute(Channel channel) {
 
     @Override
     public String toString() {
-        return super.toString();
+        return "Unexport";
     }
 
     private static final long serialVersionUID = 1L;
diff --git a/src/main/java/hudson/remoting/UserRequest.java b/src/main/java/hudson/remoting/UserRequest.java
index d4fc76a58..51b90867a 100644
--- a/src/main/java/hudson/remoting/UserRequest.java
+++ b/src/main/java/hudson/remoting/UserRequest.java
@@ -23,6 +23,7 @@
  */
 package hudson.remoting;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.remoting.RemoteClassLoader.IClassLoader;
 import hudson.remoting.ExportTable.ExportList;
 import hudson.remoting.RemoteInvocationHandler.RPCRequest;
@@ -38,6 +39,7 @@
 import java.util.logging.Logger;
 import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
+import org.jenkinsci.remoting.util.AnonymousClassWarnings;
 
 /**
  * {@link Request} that can take {@link Callable} whose actual implementation
@@ -49,19 +51,21 @@
  *
  * @author Kohsuke Kawaguchi
  */
-final class UserRequest<RSP,EXC extends Throwable> extends Request<UserResponse<RSP,EXC>,EXC> {
+final class UserRequest<RSP,EXC extends Throwable> extends Request<UserRequest.ResponseToUserRequest<RSP,EXC>,EXC> {
 
     private static final Logger LOGGER = Logger.getLogger(UserRequest.class.getName());
 
     private final byte[] request;
     
     @Nonnull
+    @SuppressFBWarnings(value = "SE_BAD_FIELD", justification = "RemoteClassLoader.export() always returns a serializable instance, but we cannot check it statically due to the java.lang.reflect.Proxy")
     private final IClassLoader classLoaderProxy;
     private final String toString;
     /**
      * Objects exported by the request. This value will remain local
      * and won't be sent over to the remote side.
      */
+    @SuppressFBWarnings(value = "SE_TRANSIENT_FIELD_NOT_RESTORED", justification = "We're fine with default null")
     private transient final ExportList exports;
 
     /**
@@ -99,6 +103,8 @@ public UserRequest(Channel local, Callable<?,EXC> c) throws IOException {
             exports.stopRecording();
         }
 
+        // TODO: We know that the classloader is always serializable, but there is no way to express it here in a compatible way \
+        // (as well as to call instance off or whatever)
         this.classLoaderProxy = RemoteClassLoader.export(cl, local);
     }
 
@@ -141,7 +147,8 @@ public void checkIfCanBeExecutedOnChannel(Channel channel) throws IOException {
     }
 
     private static boolean workaroundDone = false;
-    protected UserResponse<RSP,EXC> perform(Channel channel) throws EXC {
+    @Override
+    protected ResponseToUserRequest<RSP,EXC> perform(Channel channel) throws EXC {
         try {
             ClassLoader cl = channel.importedClassLoaders.get(classLoaderProxy);
 
@@ -171,7 +178,7 @@ protected UserResponse<RSP,EXC> perform(Channel channel) throws EXC {
                 final Logger logger = Logger.getLogger(RemoteClassLoader.class.getName());
                 if( logger.isLoggable(logLevel) )
                 {
-                    logger.log(logLevel, "%s class '%s' using classloader: %s", new String[]{ eventMsg, clazz, cl.toString()} );
+                    logger.log(logLevel, "{0} class ''{1}'' using classloader: {2}", new Object[]{ eventMsg, clazz, cl.toString()} );
                 }
             }
 
@@ -213,10 +220,22 @@ protected UserResponse<RSP,EXC> perform(Channel channel) throws EXC {
                 Channel.setCurrent(oldc);
             }
 
-            return new UserResponse<RSP,EXC>(serialize(r,channel),false);
+            byte[] response = serialize(r,channel);
+            return channel.remoteCapability.supportsProxyExceptionFallback() ? new NormalResponse<>(response) : new UserResponse<>(response,false);
         } catch (Throwable e) {
             // propagate this to the calling process
             try {
+                if (channel.remoteCapability.supportsProxyExceptionFallback()) {
+                    byte[] rawResponse = null;
+                    try {
+                        rawResponse = _serialize(e, channel);
+                    } catch (NotSerializableException x) {
+                        // OK
+                    }
+                    byte[] proxyResponse = serialize(new ProxyException(e), channel);
+                    return new ExceptionResponse<>(rawResponse, proxyResponse);
+                }
+                // Remote side is old, so need to use less robust variant:
                 byte[] response;
                 try {
                     response = _serialize(e, channel);
@@ -240,7 +259,7 @@ private byte[] _serialize(Object o, final Channel channel) throws IOException {
             if (channel.remoteCapability.supportsMultiClassLoaderRPC())
                 oos = new MultiClassLoaderSerializer.Output(channel,baos);
             else
-                oos = new ObjectOutputStream(baos);
+                oos = AnonymousClassWarnings.checkingObjectOutputStream(baos);
 
             oos.writeObject(o);
             return baos.toByteArray();
@@ -285,9 +304,71 @@ public String toString() {
     }
 
     private static final long serialVersionUID = 1L;
+
+    interface ResponseToUserRequest<RSP,EXC extends Throwable> extends Serializable {
+        /**
+         * Deserializes the response byte stream into an object.
+         */
+        RSP retrieve(Channel channel, ClassLoader cl) throws IOException, ClassNotFoundException, EXC;
+    }
+
+    private static final class NormalResponse<RSP, EXC extends Throwable> implements ResponseToUserRequest<RSP, EXC> {
+        private static final long serialVersionUID = 1L;
+        private final byte[] response;
+        NormalResponse(byte[] response) {
+            this.response = response;
+        }
+        @SuppressWarnings("unchecked")
+        @Override
+        public RSP retrieve(Channel channel, ClassLoader cl) throws IOException, ClassNotFoundException, EXC {
+            Channel old = Channel.setCurrent(channel);
+            try {
+                return (RSP) deserialize(channel, response, cl);
+            } finally {
+                Channel.setCurrent(old);
+            }
+        }
+    }
+
+    private static final class ExceptionResponse<RSP, EXC extends Throwable> implements ResponseToUserRequest<RSP, EXC> {
+        private static final long serialVersionUID = 1L;
+        private @CheckForNull final byte[] rawResponse;
+        private final byte[] proxyResponse;
+        ExceptionResponse(@CheckForNull byte[] rawResponse, byte[] proxyResponse) {
+            this.rawResponse = rawResponse;
+            this.proxyResponse = proxyResponse;
+        }
+        @SuppressWarnings("unchecked")
+        @Override
+        public RSP retrieve(Channel channel, ClassLoader cl) throws IOException, ClassNotFoundException, EXC {
+            Channel old = Channel.setCurrent(channel);
+            try {
+                Throwable t = null;
+                if (rawResponse != null) {
+                    try {
+                        t = (Throwable) deserialize(channel, rawResponse, cl);
+                    } catch (Exception x) {
+                        LOGGER.log(Level.FINE, "could not deserialize exception response", x);
+                    }
+                }
+                if (t == null) {
+                    t = (Throwable) deserialize(channel, proxyResponse, cl);
+                }
+                channel.attachCallSiteStackTrace(t);
+                throw (EXC) t;
+            } finally {
+                Channel.setCurrent(old);
+            }
+        }
+    }
+
 }
 
-final class UserResponse<RSP,EXC extends Throwable> implements Serializable {
+/**
+ * @deprecated Used only when we lack {@link Capability#supportsProxyExceptionFallback}.
+ */
+@Deprecated
+final class UserResponse<RSP,EXC extends Throwable> implements UserRequest.ResponseToUserRequest<RSP, EXC> {
     private final byte[] response;
     private final boolean isException;
 
diff --git a/src/main/java/hudson/remoting/Util.java b/src/main/java/hudson/remoting/Util.java
index 62f562a79..711ccceae 100644
--- a/src/main/java/hudson/remoting/Util.java
+++ b/src/main/java/hudson/remoting/Util.java
@@ -1,6 +1,8 @@
 package hudson.remoting;
 
-import org.jvnet.animal_sniffer.IgnoreJRERequirement;
+import org.jenkinsci.remoting.util.PathUtils;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
 
 import java.io.ByteArrayOutputStream;
 import java.io.File;
@@ -9,8 +11,6 @@
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.net.InetSocketAddress;
-import java.net.ProxySelector;
-import java.net.URI;
 import java.net.URLConnection;
 import java.net.MalformedURLException;
 import java.net.Proxy;
@@ -20,14 +20,15 @@
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLSocketFactory;
 import java.nio.file.Files;
-import java.util.Iterator;
+import java.nio.file.Path;
 
 /**
  * Misc. I/O utilities
  *
  * @author Kohsuke Kawaguchi
  */
-class Util {
+@Restricted(NoExternalUse.class)
+public class Util {
     /**
      * Gets the file name portion from a qualified '/'-separate resource path name.
      *
@@ -56,43 +57,19 @@ public static void copy(InputStream in, OutputStream out) throws IOException {
 
     @Nonnull
     static File makeResource(String name, byte[] image) throws IOException {
-        File tmpFile = createTempDir();
-        File resource = new File(tmpFile, name);
-        resource.getParentFile().mkdirs();
+        Path tmpDir = Files.createTempDirectory("resource-");
+        File resource = new File(tmpDir.toFile(), name);
+        Files.createDirectories(PathUtils.fileToPath(resource.getParentFile()));
+        Files.createFile(PathUtils.fileToPath(resource));
 
-        FileOutputStream fos = new FileOutputStream(resource);
-        try {
+        try(FileOutputStream fos = new FileOutputStream(resource)) {
             fos.write(image);
-        } finally {
-            fos.close();
         }
 
-        deleteDirectoryOnExit(tmpFile);
-
+        deleteDirectoryOnExit(resource);
         return resource;
     }
 
-    static File createTempDir() throws IOException {
-    	// work around sun bug 6325169 on windows
-    	// see http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6325169
-        int nRetry=0;
-        while (true) {
-            try {
-                File tmpFile = File.createTempFile("jenkins-remoting", "");
-                tmpFile.delete();
-                tmpFile.mkdir();
-                return tmpFile;
-            } catch (IOException e) {
-                if (nRetry++ < 100){
-                    continue;
-                }
-                IOException nioe = new IOException("failed to create temp directory at default location, most probably at: "+System.getProperty("java.io.tmpdir"));
-                nioe.initCause(e);
-                throw nioe;
-            }
-        }
-    }
-
     /** Instructs Java to recursively delete the given directory (dir) and its contents when the JVM exits.
      *  @param dir File  customer  representing directory to delete. If this file argument is not a directory, it will still
      *  be deleted. <p>
@@ -117,55 +94,6 @@ static String indent(String s) {
         return "    " + s.trim().replace("\n", "\n    ");
     }
 
-    /**
-     * Check if given URL is in the exclusion list defined by the no_proxy environment variable.
-     * On most *NIX system wildcards are not supported but if one top domain is added, all related subdomains will also
-     * be ignored. Both "mit.edu" and ".mit.edu" are valid syntax.
-     * http://www.gnu.org/software/wget/manual/html_node/Proxies.html
-     *
-     * Regexp:
-     * - \Q and \E: https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html
-     * - To match IPV4/IPV/FQDN: Regular Expressions Cookbook, 2nd Edition (ISBN: 9781449327453)
-     *
-     * Warning: this method won't match shortened representation of IPV6 address
-     */
-    static boolean inNoProxyEnvVar(@Nonnull  String host) {
-        String noProxy = System.getenv("no_proxy");
-        if (noProxy != null) {
-            noProxy = noProxy.trim()
-                    // Remove spaces
-                    .replaceAll("\\s+", "")
-                    // Convert .foobar.com to foobar.com
-                    .replaceAll("((?<=^|,)\\.)*(([a-z0-9]+(-[a-z0-9]+)*\\.)+[a-z]{2,})(?=($|,))", "$2");
-
-            if (!noProxy.isEmpty()) {
-                // IPV4 and IPV6
-                if (host.matches("^(?:[0-9]{1,3}\\.){3}[0-9]{1,3}$") || host.matches("^(?:[a-fA-F0-9]{1,4}:){7}[a-fA-F0-9]{1,4}$")) {
-                    return noProxy.matches(".*(^|,)\\Q" + host + "\\E($|,).*");
-                }
-                else {
-                    int depth = 0;
-                    // Loop while we have a valid domain name: acme.com
-                    // We add a safeguard to avoid a case where the host would always be valid because the regex would
-                    // for example fail to remove subdomains.
-                    // According to Wikipedia (no RFC defines it), 128 is the max number of subdivision for a valid FQDN:
-                    // https://en.wikipedia.org/wiki/Subdomain#Overview
-                    while (host.matches("^([a-z0-9]+(-[a-z0-9]+)*\\.)+[a-z]{2,}$") && depth < 128) {
-                        ++depth;
-                        // Check if the no_proxy contains the host
-                        if (noProxy.matches(".*(^|,)\\Q" + host + "\\E($|,).*"))
-                            return true;
-                        // Remove first subdomain: master.jenkins.acme.com -> jenkins.acme.com
-                        else
-                            host = host.replaceFirst("^[a-z0-9]+(-[a-z0-9]+)*\\.", "");
-                    }
-                }
-            }
-        }
-
-        return false;
-    }
-
     /**
      * Gets URL connection.
      * If http_proxy environment variable exists,  the connection uses the proxy.
@@ -178,7 +106,7 @@ static URLConnection openURLConnection(URL url, String credentials, String proxy
             httpProxy = System.getenv("http_proxy");
         }
         URLConnection con = null;
-        if (httpProxy != null && "http".equals(url.getProtocol()) && !inNoProxyEnvVar(url.getHost())) {
+        if (httpProxy != null && "http".equals(url.getProtocol()) && NoProxyEvaluator.shouldProxy(url.getHost())) {
             try {
                 URL proxyUrl = new URL(httpProxy);
                 SocketAddress addr = new InetSocketAddress(proxyUrl.getHost(), proxyUrl.getPort());
@@ -222,25 +150,13 @@ static URLConnection openURLConnection(URL url) throws IOException {
         return openURLConnection(url, null, null, null);
     }
 
-    @IgnoreJRERequirement @SuppressWarnings("Since15")
+    /**
+     * @deprecated Use {@link Files#createDirectories(java.nio.file.Path, java.nio.file.attribute.FileAttribute...)} instead.
+     */
+    @Deprecated
     static void mkdirs(@Nonnull File file) throws IOException {
         if (file.isDirectory()) return;
-
-        try {
-            Class.forName("java.nio.file.Files");
-            Files.createDirectories(file.toPath());
-            return;
-        } catch (ClassNotFoundException e) {
-            // JDK6
-        } catch (ExceptionInInitializerError e) {
-            // JDK7 on multibyte encoding (http://bugs.java.com/bugdatabase/view_bug.do?bug_id=7050570)
-        }
-
-        // Fallback
-        if (!file.mkdirs()) {
-            if (!file.isDirectory()) {
-                throw new IOException("Directory not created");
-            }
-        }
+        Files.createDirectories(PathUtils.fileToPath(file));
     }
+
 }
diff --git a/src/main/java/hudson/remoting/Which.java b/src/main/java/hudson/remoting/Which.java
index a8dded9e7..dac236128 100644
--- a/src/main/java/hudson/remoting/Which.java
+++ b/src/main/java/hudson/remoting/Which.java
@@ -23,6 +23,7 @@
  */
 package hudson.remoting;
 
+import javax.annotation.Nonnull;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.IOException;
@@ -33,6 +34,7 @@
 import java.net.URLConnection;
 import java.net.JarURLConnection;
 import java.lang.reflect.Field;
+import java.lang.reflect.InvocationTargetException;
 import java.util.zip.ZipFile;
 import java.util.jar.JarFile;
 import java.util.logging.Logger;
@@ -47,10 +49,13 @@ public class Which {
     /**
      * Returns the URL of the class file where the given class has been loaded from.
      *
+     * @param clazz Class
      * @throws IllegalArgumentException
-     *      if failed to determine.
+     *      if failed to determine the URL.
+     * @return URL of the class file
      * @since 2.24
      */
+    @Nonnull
     public static URL classFileUrl(Class clazz) throws IOException {
         ClassLoader cl = clazz.getClassLoader();
         if(cl==null)
@@ -76,13 +81,18 @@ public static URL jarURL(Class clazz) throws IOException {
      * Note that jar files are not always loaded from {@link File},
      * so for diagnostics purposes {@link #jarURL(Class)} is preferrable.
      *
+     * @param clazz Class
      * @throws IllegalArgumentException
-     *      if failed to determine.
+     *      if failed to determine the class File URL.
+     * @return
+     *      JAR File, which contains the class.
      */
+    @Nonnull
     public static File jarFile(Class clazz) throws IOException {
         return jarFile(classFileUrl(clazz),clazz.getName().replace('.','/')+".class");
     }
 
+    //TODO: This method will likely start blowing up in Java 9. Needs some testing.
     /**
      * Locates the jar file that contains the given resource
      *
@@ -96,8 +106,9 @@ public static File jarFile(Class clazz) throws IOException {
      * @throws IllegalArgumentException
      *      If the URL is not in a jar file.
      * @return
-     *      never null
+     *      JAR File, which contains the URL
      */
+    @Nonnull
     /*package*/ static File jarFile(URL res, String qualifiedName) throws IOException {
         String resURL = res.toExternalForm();
         String originalURL = resURL;
@@ -136,14 +147,14 @@ public static File jarFile(Class clazz) throws IOException {
 
         if(resURL.startsWith("vfszip:")) {
             // JBoss5
-            InputStream is = res.openStream();
-            try {
+            try(InputStream is = res.openStream()) {
                 Object delegate = is;
                 while (delegate.getClass().getEnclosingClass()!=ZipFile.class) {
                     Field f = delegate.getClass().getDeclaredField("delegate");
                     f.setAccessible(true);
                     delegate = f.get(delegate);
                     //JENKINS-5922 - workaround for CertificateReaderInputStream; JBoss 5.0.0, EAP 5.0 and EAP 5.1
+                    // java.util.jar.JarVerifier is not public in Java, so we have to use reflection
                     if(delegate.getClass().getName().equals("java.util.jar.JarVerifier$VerifierStream")){
                         f = delegate.getClass().getDeclaredField("is");
                         f.setAccessible(true);
@@ -154,14 +165,9 @@ public static File jarFile(Class clazz) throws IOException {
                 f.setAccessible(true);
                 ZipFile zipFile = (ZipFile)f.get(delegate);
                 return new File(zipFile.getName());
-            } catch (NoSuchFieldException e) {
+            } catch (NoSuchFieldException | IllegalAccessException e) {
                 // something must have changed in JBoss5. fall through
                 LOGGER.log(Level.FINE, "Failed to resolve vfszip into a jar location",e);
-            } catch (IllegalAccessException e) {
-                // something must have changed in JBoss5. fall through
-                LOGGER.log(Level.FINE, "Failed to resolve vfszip into a jar location",e);
-            } finally {
-                is.close();
             }
         }
 
@@ -183,7 +189,7 @@ public static File jarFile(Class clazz) throws IOException {
 
                 File jarFile = new File(dir,fileName);
                 if (jarFile.exists())   return jarFile;
-            } catch (Exception e) {
+            } catch (RuntimeException | NoSuchMethodException | IllegalAccessException | IOException | InvocationTargetException e) {
                 LOGGER.log(Level.FINE, "Failed to resolve vfs file into a location",e);
             }
         }
@@ -199,13 +205,13 @@ public static File jarFile(Class clazz) throws IOException {
                 } else {
                     // JDK6u10 apparently starts hiding the real jar file name,
                     // so this just keeps getting tricker and trickier...
+                    // TODO: this is a bit insane, but it is not covered by autotests now.
+                    // Needs to be solved by Remoting test harness if there is a plan to have such fallback for Java 9
                     try {
                         Field f = ZipFile.class.getDeclaredField("name");
                         f.setAccessible(true);
                         return new File((String) f.get(jarFile));
-                    } catch (NoSuchFieldException e) {
-                        LOGGER.log(Level.INFO, "Failed to obtain the local cache file name of "+resURL, e);
-                    } catch (IllegalAccessException e) {
+                    } catch (NoSuchFieldException | IllegalAccessException e) {
                         LOGGER.log(Level.INFO, "Failed to obtain the local cache file name of "+resURL, e);
                     }
                 }
diff --git a/src/main/java/hudson/remoting/forward/CopyThread.java b/src/main/java/hudson/remoting/forward/CopyThread.java
index 3c3f50254..06092db41 100644
--- a/src/main/java/hudson/remoting/forward/CopyThread.java
+++ b/src/main/java/hudson/remoting/forward/CopyThread.java
@@ -16,23 +16,34 @@ final class CopyThread extends Thread {
     private final InputStream in;
     private final OutputStream out;
 
-    public CopyThread(String threadName, InputStream in, OutputStream out) {
+    /**
+     * Callers are responsible for closing the input and output streams.
+     */
+    public CopyThread(String threadName, InputStream in, OutputStream out, Runnable termination) {
+        this(threadName, in, out, termination, 5);
+    }
+
+    private CopyThread(String threadName, InputStream in, OutputStream out, Runnable termination, int remainingTries) {
         super(threadName);
         this.in = in;
         this.out = out;
+        setUncaughtExceptionHandler((t, e) -> {
+            if (remainingTries > 0) {
+                LOGGER.log(Level.WARNING, "Uncaught exception in CopyThread " + t + ", retrying copy", e);
+                new CopyThread(threadName, in, out, termination, remainingTries - 1).start();
+            } else {
+                LOGGER.log(Level.SEVERE, "Uncaught exception in CopyThread " + t + ", out of retries", e);
+                termination.run();
+            }
+        });
     }
 
     public void run() {
         try {
-            try {
-                byte[] buf = new byte[8192];
-                int len;
-                while ((len = in.read(buf)) > 0)
-                    out.write(buf, 0, len);
-            } finally {
-                in.close();
-                out.close();
-            }
+            byte[] buf = new byte[8192];
+            int len;
+            while ((len = in.read(buf)) > 0)
+                out.write(buf, 0, len);
         } catch (IOException e) {
             LOGGER.log(Level.WARNING, "Exception while copying in thread: " + getName(), e);
         }
diff --git a/src/main/java/hudson/remoting/forward/ForwarderFactory.java b/src/main/java/hudson/remoting/forward/ForwarderFactory.java
index 81fb3cd00..e63cd5b97 100644
--- a/src/main/java/hudson/remoting/forward/ForwarderFactory.java
+++ b/src/main/java/hudson/remoting/forward/ForwarderFactory.java
@@ -24,16 +24,20 @@
 package hudson.remoting.forward;
 
 import hudson.remoting.Callable;
-import hudson.remoting.Channel;
 import hudson.remoting.RemoteOutputStream;
 import hudson.remoting.SocketChannelStream;
 import hudson.remoting.VirtualChannel;
 import org.jenkinsci.remoting.Role;
 import org.jenkinsci.remoting.RoleChecker;
+import org.jenkinsci.remoting.SerializableOnlyOverRemoting;
 
 import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectStreamException;
 import java.io.OutputStream;
 import java.net.Socket;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
 /**
  * Creates {@link Forwarder}.
@@ -41,29 +45,21 @@
  * @author Kohsuke Kawaguchi
  */
 public class ForwarderFactory {
+
+    private static final Logger LOGGER = Logger.getLogger(ForwarderFactory.class.getName());
+
     /**
      * Creates a connector on the remote side that connects to the speicied host and port.
      */
     public static Forwarder create(VirtualChannel channel, final String remoteHost, final int remotePort) throws IOException, InterruptedException {
-        return channel.call(new Callable<Forwarder,IOException>() {
-            public Forwarder call() throws IOException {
-                return new ForwarderImpl(remoteHost,remotePort);
-            }
-
-            @Override
-            public void checkRoles(RoleChecker checker) throws SecurityException {
-                checker.check(this,ROLE);
-            }
-
-            private static final long serialVersionUID = 1L;
-        });
+        return channel.call(new ForwarderCallable(remoteHost, remotePort));
     }
 
     public static Forwarder create(String remoteHost, int remotePort) {
         return new ForwarderImpl(remoteHost,remotePort);
     }
 
-    private static class ForwarderImpl implements Forwarder {
+    private static class ForwarderImpl implements Forwarder, SerializableOnlyOverRemoting {
         private final String remoteHost;
         private final int remotePort;
 
@@ -74,16 +70,27 @@ private ForwarderImpl(String remoteHost, int remotePort) {
 
         public OutputStream connect(OutputStream out) throws IOException {
             Socket s = new Socket(remoteHost, remotePort);
-            new CopyThread(String.format("Copier to %s:%d", remoteHost, remotePort),
-                SocketChannelStream.in(s), out).start();
+            try (InputStream in = SocketChannelStream.in(s)) {
+                new CopyThread(
+                        String.format("Copier to %s:%d", remoteHost, remotePort),
+                        in,
+                        out,
+                        () -> {
+                            try {
+                                s.close();
+                            } catch (IOException e) {
+                                LOGGER.log(Level.WARNING, "Problem closing socket for ForwardingFactory", e);
+                            }
+                        }).start();
+            }
             return new RemoteOutputStream(SocketChannelStream.out(s));
         }
 
         /**
          * When sent to the remote node, send a proxy.
          */
-        private Object writeReplace() {
-            return Channel.current().export(Forwarder.class, this);
+        private Object writeReplace() throws ObjectStreamException {
+            return getChannelForSerialization().export(Forwarder.class, this);
         }
 
         private static final long serialVersionUID = 8382509901649461466L;
@@ -93,4 +100,25 @@ private Object writeReplace() {
      * Role that's willing to open a socket to arbitrary node nad forward that to the other side.
      */
     public static final Role ROLE = new Role(ForwarderFactory.class);
+
+    private static class ForwarderCallable implements Callable<Forwarder,IOException> {
+
+        private static final long serialVersionUID = 1L;
+        private final String remoteHost;
+        private final int remotePort;
+
+        public ForwarderCallable(String remoteHost, int remotePort) {
+            this.remoteHost = remoteHost;
+            this.remotePort = remotePort;
+        }
+
+        public Forwarder call() throws IOException {
+            return new ForwarderImpl(remoteHost, remotePort);
+        }
+
+        @Override
+        public void checkRoles(RoleChecker checker) throws SecurityException {
+            checker.check(this, ROLE);
+        }
+    }
 }
diff --git a/src/main/java/hudson/remoting/forward/PortForwarder.java b/src/main/java/hudson/remoting/forward/PortForwarder.java
index bcb7d9573..5b5bc0823 100644
--- a/src/main/java/hudson/remoting/forward/PortForwarder.java
+++ b/src/main/java/hudson/remoting/forward/PortForwarder.java
@@ -33,9 +33,11 @@
 
 import java.io.Closeable;
 import java.io.IOException;
+import java.io.InputStream;
 import java.io.OutputStream;
 import java.net.ServerSocket;
 import java.net.Socket;
+import java.util.logging.Level;
 import java.util.logging.Logger;
 
 import static java.util.logging.Level.*;
@@ -57,6 +59,14 @@ public PortForwarder(int localPort, Forwarder forwarder) throws IOException {
         // mark as a daemon thread by default.
         // the caller can explicitly cancel this by doing "setDaemon(false)"
         setDaemon(true);
+        setUncaughtExceptionHandler((t, e) -> {
+            LOGGER.log(SEVERE, "Uncaught exception in PortForwarder thread " + t, e);
+            try {
+                socket.close();
+            } catch (IOException e1) {
+                LOGGER.log(SEVERE, "Could not close socket after uncaught exception");
+            }
+        });
     }
 
     public int getPort() {
@@ -70,11 +80,24 @@ public void run() {
                 while(true) {
                     final Socket s = socket.accept();
                     new Thread("Port forwarding session from "+s.getRemoteSocketAddress()) {
+                        {
+                            setUncaughtExceptionHandler(
+                                    (t, e) -> LOGGER.log(Level.SEVERE, "Unhandled exception in port forwarding session " + t, e));
+                        }
                         public void run() {
-                            try {
-                                final OutputStream out = forwarder.connect(new RemoteOutputStream(SocketChannelStream.out(s)));
-                                new CopyThread("Copier for "+s.getRemoteSocketAddress(),
-                                        SocketChannelStream.in(s), out).start();
+                            try (InputStream in = SocketChannelStream.in(s);
+                                    OutputStream out = forwarder.connect(new RemoteOutputStream(SocketChannelStream.out(s)))) {
+                                new CopyThread(
+                                        "Copier for " + s.getRemoteSocketAddress(),
+                                        in,
+                                        out,
+                                        () -> {
+                                            try {
+                                                s.close();
+                                            } catch (IOException e) {
+                                                LOGGER.log(Level.WARNING, "Failed to close socket", e);
+                                            }
+                                        }).start();
                             } catch (IOException e) {
                                 // this happens if the socket connection is terminated abruptly.
                                 LOGGER.log(FINE,"Port forwarding session was shut down abnormally",e);
@@ -109,18 +132,7 @@ public static ListeningPort create(VirtualChannel ch, final int acceptingPort, F
         // need a remotable reference
         final Forwarder proxy = ch.export(Forwarder.class, forwarder);
 
-        return ch.call(new Callable<ListeningPort,IOException>() {
-            public ListeningPort call() throws IOException {
-                PortForwarder t = new PortForwarder(acceptingPort, proxy);
-                t.start();
-                return Channel.current().export(ListeningPort.class,t);
-            }
-
-            @Override
-            public void checkRoles(RoleChecker checker) throws SecurityException {
-                checker.check(this,ROLE);
-            }
-        });
+        return ch.call(new ListeningPortCallable(acceptingPort, proxy));
     }
 
     private static final Logger LOGGER = Logger.getLogger(PortForwarder.class.getName());
@@ -129,4 +141,27 @@ public void checkRoles(RoleChecker checker) throws SecurityException {
      * Role that's willing to listen on a socket and forward that to the other side.
      */
     public static final Role ROLE = new Role(PortForwarder.class);
+
+    private static class ListeningPortCallable implements Callable<ListeningPort,IOException> {
+        private static final long serialVersionUID = 1L;
+        private final int acceptingPort;
+        private final Forwarder proxy;
+
+        public ListeningPortCallable(int acceptingPort, Forwarder proxy) {
+            this.acceptingPort = acceptingPort;
+            this.proxy = proxy;
+        }
+
+        public ListeningPort call() throws IOException {
+            final Channel channel = getOpenChannelOrFail(); // We initialize it early, so the forwarder won's start its daemon if the channel is shutting down
+            PortForwarder t = new PortForwarder(acceptingPort, proxy);
+            t.start();
+            return channel.export(ListeningPort.class,t);
+        }
+
+        @Override
+        public void checkRoles(RoleChecker checker) throws SecurityException {
+            checker.check(this, ROLE);
+        }
+    }
 }
diff --git a/src/main/java/hudson/remoting/jnlp/Main.java b/src/main/java/hudson/remoting/jnlp/Main.java
index d262369bf..d28911fbf 100644
--- a/src/main/java/hudson/remoting/jnlp/Main.java
+++ b/src/main/java/hudson/remoting/jnlp/Main.java
@@ -27,7 +27,6 @@
 import hudson.remoting.FileSystemJarCache;
 import java.io.ByteArrayInputStream;
 import java.io.FileInputStream;
-import java.io.FileNotFoundException;
 import java.io.UnsupportedEncodingException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
@@ -35,6 +34,7 @@
 
 import org.jenkinsci.remoting.engine.WorkDirManager;
 import org.jenkinsci.remoting.util.IOUtils;
+import org.jenkinsci.remoting.util.PathUtils;
 import org.kohsuke.args4j.Option;
 import org.kohsuke.args4j.CmdLineParser;
 import org.kohsuke.args4j.Argument;
@@ -44,6 +44,8 @@
 import java.util.logging.Logger;
 import java.util.logging.Level;
 import static java.util.logging.Level.INFO;
+import static java.util.logging.Level.WARNING;
+
 import java.util.List;
 import java.util.ArrayList;
 import java.net.URL;
@@ -51,13 +53,12 @@
 
 import hudson.remoting.Engine;
 import hudson.remoting.EngineListener;
-import java.nio.file.Path;
 
 import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
 
 /**
- * Entry point to JNLP slave agent.
+ * Entry point to JNLP agent.
  *
  * <p>
  * See also <tt>slave-agent.jnlp.jelly</tt> in the core.
@@ -68,7 +69,7 @@ public class Main {
 
     @Option(name="-tunnel",metaVar="HOST:PORT",
             usage="Connect to the specified host and port, instead of connecting directly to Jenkins. " +
-                  "Useful when connection to Hudson needs to be tunneled. Can be also HOST: or :PORT, " +
+                  "Useful when connection to Jenkins needs to be tunneled. Can be also HOST: or :PORT, " +
                   "in which case the missing portion will be auto-configured like the default behavior")
     public String tunnel;
 
@@ -102,11 +103,21 @@ public class Main {
                     "certificate file to read.")
     public List<String> candidateCertificates;
 
+    /**
+     * Disables HTTPs Certificate validation of the server when using {@link org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver}.
+     *
+     * This option is not recommended for production use.
+     * @since TODO
+     */
+    @Option(name="-disableHttpsCertValidation",
+            usage="Ignore SSL validation errors - use as a last resort only.")
+    public boolean disableHttpsCertValidation = false;
+
     /**
      * Specifies a destination for error logs.
      * If specified, this option overrides the default destination within {@link #workDir}.
      * If both this options and {@link #workDir} is not set, the log will not be generated.
-     * @since TODO
+     * @since 3.8
      */
     @Option(name="-agentLog", usage="Local agent error log destination (overrides workDir)")
     @CheckForNull
@@ -114,7 +125,7 @@ public class Main {
     
     /**
      * Specified location of the property file with JUL settings.
-     * @since TODO
+     * @since 3.8
      */
     @CheckForNull
     @Option(name="-loggingConfig",usage="Path to the property file with java.util.logging settings")
@@ -127,7 +138,7 @@ public class Main {
      * In order to retain compatibility, the option is disabled by default.
      * <p>
      * Jenkins specifics: This working directory is expected to be equal to the agent root specified in Jenkins configuration.
-     * @since TODO
+     * @since 3.8
      */
     @Option(name = "-workDir",
             usage = "Declares the working directory of the remoting instance (stores cache and logs by default)")
@@ -139,7 +150,7 @@ public class Main {
      * <p>
      * This option is not expected to be used frequently, but it allows remoting users to specify a custom
      * storage directory if the default {@code remoting} directory is consumed by other stuff.
-     * @since TODO
+     * @since 3.8
      */
     @Option(name = "-internalDir",
             usage = "Specifies a name of the internal files within a working directory ('remoting' by default)",
@@ -151,7 +162,7 @@ public class Main {
      * Fail the initialization if the workDir or internalDir are missing.
      * This option presumes that the workspace structure gets initialized previously in order to ensure that we do not start up with a borked instance
      * (e.g. if a filesystem mount gets disconnected).
-     * @since TODO
+     * @since 3.8
      */
     @Option(name = "-failIfWorkDirIsMissing",
             usage = "Fails the initialization if the requested workDir or internalDir are missing ('false' by default)",
@@ -168,7 +179,7 @@ public class Main {
 
     /**
      * 4 mandatory parameters.
-     * Host name (deprecated), Jenkins URL, secret key, and slave name.
+     * Host name (deprecated), Jenkins URL, secret key, and agent name.
      */
     @Argument
     public final List<String> args = new ArrayList<String>();
@@ -178,7 +189,7 @@ public static void main(String[] args) throws IOException, InterruptedException
             _main(args);
         } catch (CmdLineException e) {
             System.err.println(e.getMessage());
-            System.err.println("java -jar slave.jar [options...] <secret key> <slave name>");
+            System.err.println("java -jar agent.jar [options...] <secret key> <agent name>");
             new CmdLineParser(new Main()).printUsage(System.err);
         }
     }
@@ -227,11 +238,11 @@ public void main() throws IOException, InterruptedException {
     }
 
     public Engine createEngine() {
-        String slaveName = args.get(1);
-        LOGGER.log(INFO, "Setting up slave: {0}", slaveName);
+        String agentName = args.get(1);
+        LOGGER.log(INFO, "Setting up agent: {0}", agentName);
         Engine engine = new Engine(
                 headlessMode ? new CuiListener() : new GuiListener(),
-                urls, args.get(0), slaveName);
+                urls, args.get(0), agentName);
         if(tunnel!=null)
             engine.setTunnel(tunnel);
         if(credentials!=null)
@@ -242,13 +253,27 @@ public Engine createEngine() {
             engine.setJarCache(new FileSystemJarCache(jarCache,true));
         engine.setNoReconnect(noReconnect);
         engine.setKeepAlive(!noKeepAlive);
+
+        if (disableHttpsCertValidation) {
+            LOGGER.log(WARNING, "Certificate validation for HTTPs endpoints is disabled");
+        }
+        engine.setDisableHttpsCertValidation(disableHttpsCertValidation);
+
         
-        // TODO: ideally logging should be initialized before the "Setting up slave" entry
+        // TODO: ideally logging should be initialized before the "Setting up agent" entry
         if (agentLog != null) {
-            engine.setAgentLog(agentLog.toPath());
+            try {
+                engine.setAgentLog(PathUtils.fileToPath(agentLog));
+            } catch (IOException ex) {
+                throw new IllegalStateException("Cannot retrieve custom log destination", ex);
+            }
         }
         if (loggingConfigFile != null) {
-            engine.setLoggingConfigFile(loggingConfigFile.toPath());
+            try {
+                engine.setLoggingConfigFile(PathUtils.fileToPath(loggingConfigFile));
+            } catch (IOException ex) {
+                throw new IllegalStateException("Logging config file is invalid", ex);
+            }
         }
         
         if (candidateCertificates != null && !candidateCertificates.isEmpty()) {
@@ -321,7 +346,11 @@ public Engine createEngine() {
 
         // Working directory settings
         if (workDir != null) {
-            engine.setWorkDir(workDir.toPath());
+            try {
+                engine.setWorkDir(PathUtils.fileToPath(workDir));
+            } catch (IOException ex) {
+                throw new IllegalStateException("Work directory path is invalid", ex);
+            }
         }
         engine.setInternalDir(internalDir);
         engine.setFailIfWorkDirIsMissing(failIfWorkDirIsMissing);
diff --git a/src/main/java/hudson/remoting/jnlp/MainDialog.java b/src/main/java/hudson/remoting/jnlp/MainDialog.java
index a378a0341..d244b9468 100644
--- a/src/main/java/hudson/remoting/jnlp/MainDialog.java
+++ b/src/main/java/hudson/remoting/jnlp/MainDialog.java
@@ -31,7 +31,7 @@
 import javax.annotation.CheckForNull;
 
 /**
- * Main window for JNLP slave agent.
+ * Main window for JNLP agent.
  * 
  * @author Kohsuke Kawaguchi
  */
@@ -43,7 +43,7 @@ public class MainDialog extends JFrame {
     @SuppressFBWarnings(value = "UI_INHERITANCE_UNSAFE_GETRESOURCE",
             justification = "We allow overriding this resource. Just in case")
     public MainDialog() throws HeadlessException {
-        super("Jenkins slave agent");
+        super("Jenkins agent");
 
         ImageIcon background = new ImageIcon(getClass().getResource("title.png"));
 
@@ -93,7 +93,7 @@ public void status(String msg) {
     }
 
     /**
-     * If the current JVM runs a {@link MainDialog} as a JNLP slave agent,
+     * If the current JVM runs a {@link MainDialog} as a JNLP agent,
      * return its reference, otherwise {@code null}.
      */
     @CheckForNull
diff --git a/src/main/java/hudson/remoting/package-info.java b/src/main/java/hudson/remoting/package-info.java
index b467948b9..27b29ff71 100644
--- a/src/main/java/hudson/remoting/package-info.java
+++ b/src/main/java/hudson/remoting/package-info.java
@@ -25,7 +25,7 @@
  * Remoting infrastructure for Hudson.
  *
  * <p>
- * Code in this package is used for running a part of a program in slaves.
- * If you are new to this package, start from {@link Channel}.
+ * Code in this package is used for running a part of a program in agents.
+ * If you are new to this package, start from {@link hudson.remoting.Channel}.
  */
 package hudson.remoting;
diff --git a/src/main/java/org/jenkinsci/remoting/ChannelStateException.java b/src/main/java/org/jenkinsci/remoting/ChannelStateException.java
new file mode 100644
index 000000000..4ecef2d36
--- /dev/null
+++ b/src/main/java/org/jenkinsci/remoting/ChannelStateException.java
@@ -0,0 +1,99 @@
+/*
+ *
+ * The MIT License
+ *
+ * Copyright (c) 2017 CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ *  The above copyright notice and this permission notice shall be included in
+ *  all copies or substantial portions of the Software.
+ *
+ *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ *  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ *  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ *  THE SOFTWARE.
+ *
+ */
+
+package org.jenkinsci.remoting;
+
+import hudson.remoting.Channel;
+
+import javax.annotation.CheckForNull;
+import javax.annotation.Nonnull;
+import java.io.IOException;
+import java.lang.ref.WeakReference;
+
+/**
+ * Indicates invalid state of the channel during the operation.
+ *
+ * Exception stores the channel reference is a {@link WeakReference}, so the information may be deallocated at any moment.
+ * Former channel name can be retrieved via {@link #getChannelName()}.
+ * The reference also will not be serialized.
+ *
+ * @author Oleg Nenashev
+ * @since TODO
+ */
+public class ChannelStateException extends IOException {
+
+    @Nonnull
+    private final String channelName;
+
+    @CheckForNull
+    private final transient WeakReference<Channel> channelRef;
+
+    public ChannelStateException(@CheckForNull Channel channel, @Nonnull String message) {
+        super(message);
+        channelRef = channel != null ?  new WeakReference<>(channel) : null;
+        channelName = channel != null ? channel.getName() : "unknown";
+    }
+
+    public ChannelStateException(@CheckForNull Channel channel, String message, @CheckForNull Throwable cause) {
+        super(message, cause);
+        channelRef = channel != null ?  new WeakReference<>(channel) : null;
+        channelName = channel != null ? channel.getName() : "unknown";
+    }
+
+    @CheckForNull
+    public WeakReference<Channel> getChannelRef() {
+        return channelRef;
+    }
+
+    /**
+     * Gets channel name.
+     * @return Channel name ot {@code unknown} if it is not known.
+     */
+    @Nonnull
+    public String getChannelName() {
+        return channelName;
+    }
+
+    /**
+     * Gets channel associated with the exception.
+     *
+     * The channel reference is a {@link WeakReference}, so the information may be deallocated at any moment.
+     * Former channel name can be retrieved via {@link #getChannelName()}.
+     * The reference also will not be serialized.
+     * @return Channel reference if it is available. {@code null} otherwise.
+     */
+    @CheckForNull
+    public Channel getChannel() {
+        return channelRef != null ? channelRef.get() : null;
+    }
+
+    @Override
+    public String getMessage() {
+        Channel ch = getChannel();
+        String infoForMessage = ch != null ? ch.toString() : channelName;
+        return String.format("Channel \"%s\": %s", infoForMessage, super.getMessage());
+    }
+}
diff --git a/src/main/java/org/jenkinsci/remoting/RoleChecker.java b/src/main/java/org/jenkinsci/remoting/RoleChecker.java
index 5ab49e9d5..d67c058b6 100644
--- a/src/main/java/org/jenkinsci/remoting/RoleChecker.java
+++ b/src/main/java/org/jenkinsci/remoting/RoleChecker.java
@@ -13,7 +13,7 @@
  *
  * @author Kohsuke Kawaguchi
  * @see ChannelBuilder#withRoleChecker(RoleChecker)
- * @since TODO
+ * @since 2.47
  */
 public abstract class RoleChecker {
     /**
diff --git a/src/main/java/org/jenkinsci/remoting/RoleSensitive.java b/src/main/java/org/jenkinsci/remoting/RoleSensitive.java
index 10dd983a7..63abe9425 100644
--- a/src/main/java/org/jenkinsci/remoting/RoleSensitive.java
+++ b/src/main/java/org/jenkinsci/remoting/RoleSensitive.java
@@ -14,7 +14,7 @@
  *
  * @author Kohsuke Kawaguchi
  * @see RoleChecker
- * @since TODO
+ * @since 2.47
  */
 public interface RoleSensitive {
     /**
diff --git a/src/main/java/org/jenkinsci/remoting/SerializableOnlyOverRemoting.java b/src/main/java/org/jenkinsci/remoting/SerializableOnlyOverRemoting.java
new file mode 100644
index 000000000..037f62820
--- /dev/null
+++ b/src/main/java/org/jenkinsci/remoting/SerializableOnlyOverRemoting.java
@@ -0,0 +1,73 @@
+/*
+ *
+ * The MIT License
+ *
+ * Copyright (c) 2017 CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ *  The above copyright notice and this permission notice shall be included in
+ *  all copies or substantial portions of the Software.
+ *
+ *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ *  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ *  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ *  THE SOFTWARE.
+ *
+ */
+
+package org.jenkinsci.remoting;
+
+import hudson.remoting.Channel;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.ProtectedExternally;
+
+import javax.annotation.Nonnull;
+import java.io.NotSerializableException;
+import java.io.Serializable;
+
+/**
+ * This interface indicates objects which are {@link Serializable} only for sending over the Remoting {@link Channel}.
+ *
+ * Usually it means that the object requires export of the class via {@link Channel}
+ * and {@code hudson.remoting.ExportTable}.
+ * Attempts to serialize the instance of this interface for different purposes lead to undefined behavior.
+ *
+ * @author Oleg Nenashev
+ * @since 3.14
+ */
+public interface SerializableOnlyOverRemoting extends Serializable {
+
+    /**
+     * Gets current channel or fails with {@link NotSerializableException}.
+     *
+     * This method is designed for serialization/deserialization methods in the channel.
+     * @return Current channel
+     * @throws NotSerializableException the calling thread has no associated channel.
+     *      In such case the object cannot be serialized.
+     */
+    @Nonnull
+    @Restricted(ProtectedExternally.class)
+    default Channel getChannelForSerialization() throws NotSerializableException {
+        final Channel ch = Channel.current();
+        if (ch == null) {
+            // This logic does not prevent from improperly serializing objects within Remoting calls.
+            // If it happens in API calls in external usages, we wish good luck with diagnosing Remoting issues
+            // and leaks in ExportTable.
+            //TODO: maybe there is a way to actually diagnose this case?
+            final Thread t = Thread.currentThread();
+            throw new NotSerializableException("The calling thread " + t + " has no associated channel. "
+                    + "The current object " + this + " is " + SerializableOnlyOverRemoting.class +
+                    ", but it is likely being serialized/deserialized without the channel");
+        }
+        return ch;
+    }
+}
diff --git a/src/main/java/org/jenkinsci/remoting/engine/ChannelCiphers.java b/src/main/java/org/jenkinsci/remoting/engine/ChannelCiphers.java
index 261d1a2df..410d1af63 100644
--- a/src/main/java/org/jenkinsci/remoting/engine/ChannelCiphers.java
+++ b/src/main/java/org/jenkinsci/remoting/engine/ChannelCiphers.java
@@ -23,6 +23,9 @@
  */
 package org.jenkinsci.remoting.engine;
 
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
 import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.util.Random;
@@ -32,11 +35,16 @@
 import javax.crypto.spec.SecretKeySpec;
 
 /**
+ * Provides ciphers required by the JNLP3 protocol.
+ *
  * {@link javax.crypto.Cipher}s that will be used to construct an encrypted
  * {@link hudson.remoting.Channel} after a successful handshake.
  *
+ * @deprecated JNLP3 protocol is deprecated
  * @author Akshay Dayal
  */
+@Deprecated
+@Restricted(NoExternalUse.class)
 class ChannelCiphers {
 
     private final byte[] aesKey;
diff --git a/src/main/java/org/jenkinsci/remoting/engine/EngineUtil.java b/src/main/java/org/jenkinsci/remoting/engine/EngineUtil.java
index 509c09acf..4be87a94d 100644
--- a/src/main/java/org/jenkinsci/remoting/engine/EngineUtil.java
+++ b/src/main/java/org/jenkinsci/remoting/engine/EngineUtil.java
@@ -23,6 +23,9 @@
  */
 package org.jenkinsci.remoting.engine;
 
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
 import java.io.ByteArrayOutputStream;
 import java.io.Closeable;
 import java.io.IOException;
@@ -34,12 +37,16 @@
 import java.util.logging.Logger;
 
 /**
- * Engine utility methods.
+ * Engine utility methods for JNLP3.
  * 
  * Internal class. DO NOT USE FROM OUTSIDE.
  *
+ * @deprecated JNLP3 protocol is deprecated
  * @author Akshay Dayal
  */
+@Restricted(NoExternalUse.class)
+@Deprecated
+//TODO: @RestrictedSince
 public class EngineUtil {
 
     /**
@@ -47,7 +54,7 @@ public class EngineUtil {
      *
      * @param inputStream The input stream to read from.
      * @return The line read.
-     * @throws IOException
+     * @throws IOException Failed to read character from the input stream
      */
     public static String readLine(InputStream inputStream) throws IOException {
         ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
@@ -67,7 +74,7 @@ public static String readLine(InputStream inputStream) throws IOException {
      * @param inputStream The input stream to read from.
      * @param len The amount of characters to read.
      * @return The characters read.
-     * @throws IOException
+     * @throws IOException Failed to read character from the input stream
      */
     public static String readChars(InputStream inputStream, int len) throws IOException {
         byte[] buf = new byte[len];
@@ -83,7 +90,7 @@ public static String readChars(InputStream inputStream, int len) throws IOExcept
      *
      * @param inputStream The input stream to read from.
      * @return The set of headers stored in a {@link Properties}.
-     * @throws IOException
+     * @throws IOException Failed to read line from the input stream
      */
     protected static Properties readResponseHeaders(InputStream inputStream) throws IOException {
         Properties response = new Properties();
diff --git a/src/main/java/org/jenkinsci/remoting/engine/HandshakeCiphers.java b/src/main/java/org/jenkinsci/remoting/engine/HandshakeCiphers.java
index 931a415de..a6d6a37e0 100644
--- a/src/main/java/org/jenkinsci/remoting/engine/HandshakeCiphers.java
+++ b/src/main/java/org/jenkinsci/remoting/engine/HandshakeCiphers.java
@@ -30,17 +30,21 @@
 import javax.crypto.spec.PBEKeySpec;
 import javax.crypto.spec.SecretKeySpec;
 import java.io.IOException;
-import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 import java.security.GeneralSecurityException;
 import java.security.spec.KeySpec;
-import org.jenkinsci.remoting.util.Charsets;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
 
 /**
  * {@link Cipher}s that will be used to during the handshake
  * process for JNLP3 protocol.
  *
+ * @deprecated JNLP3 protocol is deprecated
  * @author Akshay Dayal
  */
+@Deprecated
+@Restricted(NoExternalUse.class)
 class HandshakeCiphers {
 
     private final SecretKey secretKey;
@@ -65,7 +69,7 @@ class HandshakeCiphers {
     public String encrypt(String raw) throws IOException {
         try {
             String encrypted = new String(encryptCipher.doFinal(
-                    raw.getBytes(Charsets.UTF_8)), Charsets.ISO_8859_1);
+                    raw.getBytes(StandardCharsets.UTF_8)), StandardCharsets.ISO_8859_1);
             encryptCipher.init(Cipher.ENCRYPT_MODE, secretKey, spec);
             return encrypted;
         } catch (GeneralSecurityException e) {
@@ -82,7 +86,7 @@ public String encrypt(String raw) throws IOException {
     public String decrypt(String encrypted) throws IOException {
         try {
             String raw = new String(decryptCipher.doFinal(
-                    encrypted.getBytes(Charsets.ISO_8859_1)), Charsets.UTF_8);
+                    encrypted.getBytes(StandardCharsets.ISO_8859_1)), StandardCharsets.UTF_8);
             decryptCipher.init(Cipher.DECRYPT_MODE, secretKey, spec);
             return raw;
         } catch (GeneralSecurityException e) {
@@ -122,7 +126,7 @@ private static SecretKey generateSecretKey(String slaveName, String slaveSecret)
             throws GeneralSecurityException {
         SecretKeyFactory factory = SecretKeyFactory.getInstance(FACTORY_ALGORITHM);
         KeySpec spec = new PBEKeySpec(
-                slaveSecret.toCharArray(), slaveName.getBytes(Charsets.UTF_8),
+                slaveSecret.toCharArray(), slaveName.getBytes(StandardCharsets.UTF_8),
                 INTEGRATION_COUNT, KEY_LENGTH);
         SecretKey tmpSecret = factory.generateSecret(spec);
         return new SecretKeySpec(tmpSecret.getEncoded(), SPEC_ALGORITHM);
diff --git a/src/main/java/org/jenkinsci/remoting/engine/Jnlp3ConnectionState.java b/src/main/java/org/jenkinsci/remoting/engine/Jnlp3ConnectionState.java
index 5600351ca..3de4ef959 100644
--- a/src/main/java/org/jenkinsci/remoting/engine/Jnlp3ConnectionState.java
+++ b/src/main/java/org/jenkinsci/remoting/engine/Jnlp3ConnectionState.java
@@ -31,6 +31,7 @@
 /**
  * Represents the connection state of a {@link JnlpProtocol3Handler} connection.
  *
+ * @deprecated JNLP3 protocol is deprecated
  * @since 3.0
  */
 @Deprecated
diff --git a/src/main/java/org/jenkinsci/remoting/engine/Jnlp3Util.java b/src/main/java/org/jenkinsci/remoting/engine/Jnlp3Util.java
index 6e5b4a7af..8ace82a77 100644
--- a/src/main/java/org/jenkinsci/remoting/engine/Jnlp3Util.java
+++ b/src/main/java/org/jenkinsci/remoting/engine/Jnlp3Util.java
@@ -24,18 +24,23 @@
 package org.jenkinsci.remoting.engine;
 
 import java.math.BigInteger;
+import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
 import java.util.Random;
-import org.jenkinsci.remoting.util.Charsets;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
 
 /**
  * Utility methods for JNLP3.
  *
+ * @deprecated JNLP3 Protocol is deprecated.
  * @author Akshay Dayal
  */
-class Jnlp3Util {
+@Restricted(NoExternalUse.class)
+@Deprecated
+/*package*/ class Jnlp3Util {
 
     /**
      * Generate a random 128bit key.
@@ -52,7 +57,7 @@ public static byte[] generate128BitKey(Random entropy) {
     public static byte[] generate128BitKey(String str) {
         try {
             MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
-            messageDigest.update(str.getBytes(Charsets.UTF_8));
+            messageDigest.update(str.getBytes(StandardCharsets.UTF_8));
             return Arrays.copyOf(messageDigest.digest(), 16);
         } catch (NoSuchAlgorithmException nsae) {
             // This should never happen.
@@ -64,19 +69,19 @@ public static byte[] generate128BitKey(String str) {
      * Convert the given key to a string.
      */
     public static String keyToString(byte[] key) {
-        return new String(key, Charsets.ISO_8859_1);
+        return new String(key, StandardCharsets.ISO_8859_1);
     }
 
     /**
      * Get back the original key from the given string.
      */
     public static byte[] keyFromString(String keyString) {
-        return keyString.getBytes(Charsets.ISO_8859_1);
+        return keyString.getBytes(StandardCharsets.ISO_8859_1);
     }
 
     /**
      * Generate a random challenge phrase.
-     * @param entropy
+     * @param entropy Entropy
      */
     public static String generateChallenge(Random entropy) {
         return new BigInteger(10400, entropy).toString(32);
@@ -90,8 +95,8 @@ public static String generateChallenge(Random entropy) {
     public static String createChallengeResponse(String challenge) {
         try {
             MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
-            messageDigest.update(challenge.getBytes(Charsets.UTF_8));
-            return new String(messageDigest.digest(), Charsets.UTF_8); // <--- One of the root causes of JENKINS-37315
+            messageDigest.update(challenge.getBytes(StandardCharsets.UTF_8));
+            return new String(messageDigest.digest(), StandardCharsets.UTF_8); // <--- One of the root causes of JENKINS-37315
         } catch (NoSuchAlgorithmException nsae) {
             // This should never happen.
             throw new AssertionError(nsae);
@@ -107,7 +112,7 @@ public static boolean validateChallengeResponse(String challenge, String challen
             return true;
         }
         // JENKINS-37315 fallback to comparing the encoded bytes because the format should never have used UTF-8
-        if (Arrays.equals(expectedResponse.getBytes(Charsets.UTF_8), challengeResponse.getBytes(Charsets.UTF_8))) {
+        if (Arrays.equals(expectedResponse.getBytes(StandardCharsets.UTF_8), challengeResponse.getBytes(StandardCharsets.UTF_8))) {
             return true;
         }
         return false;
diff --git a/src/main/java/org/jenkinsci/remoting/engine/JnlpAgentEndpoint.java b/src/main/java/org/jenkinsci/remoting/engine/JnlpAgentEndpoint.java
index 7a3f0100b..bb39c1d22 100644
--- a/src/main/java/org/jenkinsci/remoting/engine/JnlpAgentEndpoint.java
+++ b/src/main/java/org/jenkinsci/remoting/engine/JnlpAgentEndpoint.java
@@ -69,7 +69,6 @@ public class JnlpAgentEndpoint {
     
     /**
      * Jenkins URL for the discovered endpoint.
-     * @since TODO
      */
     @CheckForNull
     private final URL serviceUrl;
@@ -92,7 +91,7 @@ public JnlpAgentEndpoint(@Nonnull String host, int port, @CheckForNull RSAPublic
      * @param protocols The supported protocols.
      * @param serviceURL URL of the service hosting the remoting endpoint.
      *                   Use {@code null} if it is not a web service or if the URL cannot be determined
-     * @since TODO
+     * @since 3.0
      */
     public JnlpAgentEndpoint(@Nonnull String host, int port, @CheckForNull RSAPublicKey publicKey,
                              @CheckForNull Set<String> protocols, @CheckForNull URL serviceURL) {
diff --git a/src/main/java/org/jenkinsci/remoting/engine/JnlpAgentEndpointResolver.java b/src/main/java/org/jenkinsci/remoting/engine/JnlpAgentEndpointResolver.java
index 4b43b5528..ec5fb2781 100644
--- a/src/main/java/org/jenkinsci/remoting/engine/JnlpAgentEndpointResolver.java
+++ b/src/main/java/org/jenkinsci/remoting/engine/JnlpAgentEndpointResolver.java
@@ -24,37 +24,45 @@
 package org.jenkinsci.remoting.engine;
 
 import hudson.remoting.Base64;
+import hudson.remoting.NoProxyEvaluator;
+import hudson.remoting.Util;
+
+import org.jenkinsci.remoting.util.https.NoCheckHostnameVerifier;
+import org.jenkinsci.remoting.util.https.NoCheckTrustManager;
+
 import java.io.IOException;
+import java.net.ConnectException;
 import java.net.HttpURLConnection;
 import java.net.InetSocketAddress;
 import java.net.MalformedURLException;
+import java.net.NoRouteToHostException;
 import java.net.Proxy;
 import java.net.ProxySelector;
+import java.net.Socket;
 import java.net.SocketAddress;
+import java.net.SocketTimeoutException;
 import java.net.URI;
 import java.net.URL;
 import java.net.URLConnection;
 import java.security.KeyFactory;
+import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.security.interfaces.RSAPublicKey;
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.X509EncodedKeySpec;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.Comparator;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
+import java.util.*;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import java.util.regex.Pattern;
 import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLSocketFactory;
 
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+
 import static java.util.logging.Level.INFO;
 import static org.jenkinsci.remoting.util.ThrowableUtils.chain;
 
@@ -77,12 +85,13 @@ public class JnlpAgentEndpointResolver {
 
     private String tunnel;
 
+    private boolean disableHttpsCertValidation;
+
     /**
      * If specified, only the protocols from the list will be tried during the connection.
      * The option provides protocol names, but the order of the check is defined internally and cannot be changed.
      * This option can be also used in order to workaround issues when the headers cannot be delivered
      * from the server due to whatever reason (e.g. JENKINS-41730).
-     * @since TODO
      */
     private static String PROTOCOL_NAMES_TO_TRY =
             System.getProperty(JnlpAgentEndpointResolver.class.getName() + ".protocolNamesToTry");
@@ -127,18 +136,43 @@ public void setProxyCredentials(String user, String pass) {
         this.proxyCredentials = user + ":" + pass;
     }
 
+    @CheckForNull
     public String getTunnel() {
         return tunnel;
     }
 
-    public void setTunnel(String tunnel) {
+    public void setTunnel(@CheckForNull String tunnel) {
         this.tunnel = tunnel;
     }
 
+    /**
+     *  Determine if certificate checking should be ignored for JNLP endpoint
+     *
+     * @return {@code true} if the HTTPs certificate is disabled, endpoint check is ignored
+     */
+
+    public boolean isDisableHttpsCertValidation() {
+        return disableHttpsCertValidation;
+    }
+
+    /**
+     * Sets if the HTTPs certificate check should be disabled.
+     *
+     * This behavior is no recommended.
+     * @param disableHttpsCertValidation
+     * @since TODO
+     */
+    public void setDisableHttpsCertValidation(boolean disableHttpsCertValidation) {
+        this.disableHttpsCertValidation = disableHttpsCertValidation;
+    }
+
     @CheckForNull
     public JnlpAgentEndpoint resolve() throws IOException {
         IOException firstError = null;
         for (String jenkinsUrl : jenkinsUrls) {
+            if (jenkinsUrl == null) {
+                continue;
+            }
             
             final URL selectedJenkinsURL;
             final URL salURL;
@@ -152,7 +186,7 @@ public JnlpAgentEndpoint resolve() throws IOException {
 
             // find out the TCP port
             HttpURLConnection con =
-                    (HttpURLConnection) openURLConnection(salURL, credentials, proxyCredentials, sslSocketFactory);
+                    (HttpURLConnection) openURLConnection(salURL, credentials, proxyCredentials, sslSocketFactory, disableHttpsCertValidation);
             try {
                 try {
                     con.setConnectTimeout(30000);
@@ -248,6 +282,18 @@ public JnlpAgentEndpoint resolve() throws IOException {
                     firstError = chain(firstError, new IOException(jenkinsUrl + " is publishing an invalid port"));
                     continue;
                 }
+                if (tunnel == null) {
+                    if (!isPortVisible(host, port, 5000)) {
+                        firstError = chain(firstError, new IOException(jenkinsUrl + " provided port:" + port
+                                + " is not reachable"));
+                        continue;
+                    } else {
+                        LOGGER.log(Level.FINE, "TCP Agent Listener Port availability check passed");
+                    }
+                } else {
+                    LOGGER.log(Level.INFO, "Remoting TCP connection tunneling is enabled. " +
+                            "Skipping the TCP Agent Listener Port availability check");
+                }
                 // sort the URLs so that the winner is the one we try first next time
                 final String winningJenkinsUrl = jenkinsUrl;
                 Collections.sort(jenkinsUrls, new Comparator<String>() {
@@ -269,6 +315,8 @@ public int compare(String o1, String o2) {
                     if (tokens[0].length() > 0) host = tokens[0];
                     if (tokens[1].length() > 0) port = Integer.parseInt(tokens[1]);
                 }
+
+                //TODO: all the checks above do not make much sense if tunneling is enabled (JENKINS-52246)
                 
                 return new JnlpAgentEndpoint(host, port, identity, agentProtocolNames, selectedJenkinsURL);
             } finally {
@@ -281,9 +329,35 @@ public int compare(String o1, String o2) {
         return null;
     }
 
-    @CheckForNull
-    private URL toAgentListenerURL(@CheckForNull String jenkinsUrl) throws MalformedURLException {
-        return jenkinsUrl == null ? null : jenkinsUrl.endsWith("/")
+    private boolean isPortVisible(String hostname, int port, int timeout) {
+        boolean exitStatus = false;
+        Socket s = null;
+
+        try {
+            s = new Socket();
+            s.setReuseAddress(true);
+            SocketAddress sa = new InetSocketAddress(hostname, port);
+            s.connect(sa, timeout);
+        } catch (IOException e) {
+            LOGGER.warning(e.getMessage());
+        } finally {
+            if (s != null) {
+                if (s.isConnected()) {
+                    exitStatus = true;
+                }
+                try {
+                    s.close();
+                } catch (IOException e) {
+                    LOGGER.warning(e.getMessage());
+                }
+            }
+        }
+        return exitStatus;
+    }
+
+    @Nonnull
+    private URL toAgentListenerURL(@Nonnull String jenkinsUrl) throws MalformedURLException {
+        return jenkinsUrl.endsWith("/")
                 ? new URL(jenkinsUrl + "tcpSlaveAgentListener/")
                 : new URL(jenkinsUrl + "/tcpSlaveAgentListener/");
     }
@@ -298,17 +372,18 @@ public void waitForReady() throws InterruptedException {
                 try {
                     // Jenkins top page might be read-protected. see http://www.nabble
                     // .com/more-lenient-retry-logic-in-Engine.waitForServerToBack-td24703172.html
-                    URL url = toAgentListenerURL(first(jenkinsUrls));
-                    if (url == null) {
+                    final String firstUrl = first(jenkinsUrls);
+                    if (firstUrl == null) {
                         // returning here will cause the whole loop to be broken and all the urls to be tried again
                         return;
                     }
+                    URL url = toAgentListenerURL(firstUrl);
 
                     retries++;
                     t.setName(oldName + ": trying " + url + " for " + retries + " times");
 
                     HttpURLConnection con =
-                            (HttpURLConnection) openURLConnection(url, credentials, proxyCredentials, sslSocketFactory);
+                            (HttpURLConnection) openURLConnection(url, credentials, proxyCredentials, sslSocketFactory, disableHttpsCertValidation);
                     con.setConnectTimeout(5000);
                     con.setReadTimeout(5000);
                     con.connect();
@@ -316,17 +391,19 @@ public void waitForReady() throws InterruptedException {
                         return;
                     }
                     LOGGER.log(Level.INFO,
-                            "Master isn't ready to talk to us on {0}. Will retry again: response code={1}",
+                            "Master isn''t ready to talk to us on {0}. Will try again: response code={1}",
                             new Object[]{url, con.getResponseCode()});
+                } catch (SocketTimeoutException | ConnectException | NoRouteToHostException e) {
+                    LOGGER.log(INFO, "Failed to connect to the master. Will try again: {0} {1}",
+                            new String[] { e.getClass().getName(), e.getMessage() });
                 } catch (IOException e) {
                     // report the failure
-                    LOGGER.log(INFO, "Failed to connect to the master. Will retry again", e);
+                    LOGGER.log(INFO, "Failed to connect to the master. Will try again", e);
                 }
             }
         } finally {
             t.setName(oldName);
         }
-
     }
 
     @CheckForNull
@@ -338,13 +415,49 @@ static InetSocketAddress getResolvedHttpProxyAddress(@Nonnull String host, int p
         while (targetAddress == null && proxies.hasNext()) {
             Proxy proxy = proxies.next();
             if (proxy.type() == Proxy.Type.DIRECT) {
-                break;
+                // Proxy.NO_PROXY with a DIRECT type is returned in two cases:
+                // - when no proxy (none) has been configured in the JVM (either with system properties or by the operating system)
+                // - when the host URI is part of the exclusion list defined by system property -Dhttp.nonProxyHosts
+                //
+                // Unfortunately, the Proxy class does not provide a way to differentiate both cases to fallback to
+                // environment variables only when no proxy has been configured. Therefore, we have to recheck if the URI
+                // host is in the exclusion list.
+                //
+                // Warning:
+                //      This code only supports Java 9+ implementation where nonProxyHosts entries are not interpreted as regex expressions anymore.
+                //      Wildcard at the beginning or the end of an expression are the only remaining supported behaviours (e.g. *.jenkins.io or 127.*)
+                //      https://bugs.java.com/view_bug.do?bug_id=8035158
+                //      http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/50a749f2cade
+                String nonProxyHosts = System.getProperty("http.nonProxyHosts");
+                if(nonProxyHosts != null && nonProxyHosts.length() != 0) {
+                    // Build a list of regexps matching all nonProxyHosts entries
+                    StringJoiner sj = new StringJoiner("|");
+                    nonProxyHosts = nonProxyHosts.toLowerCase(Locale.ENGLISH);
+                    for(String entry : nonProxyHosts.split("\\|")) {
+                        if(entry.isEmpty())
+                            continue;
+                        else if(entry.startsWith("*"))
+                            sj.add(".*" + Pattern.quote(entry.substring(1)));
+                        else if(entry.endsWith("*"))
+                            sj.add(Pattern.quote(entry.substring(0, entry.length() - 1)) + ".*");
+                        else
+                            sj.add(Pattern.quote(entry));
+                        // Detect when the pattern contains multiple wildcard, which used to work previous to Java 9 (e.g. 127.*.*.*)
+                        if(entry.split("\\*").length > 2)
+                            LOGGER.log(Level.WARNING, "Using more than one wildcard is not supported in nonProxyHosts entries: {0}", entry);
+                    }
+                    Pattern nonProxyRegexps = Pattern.compile(sj.toString());
+                    if(nonProxyRegexps.matcher(host.toLowerCase(Locale.ENGLISH)).matches()) {
+                        return null;
+                    } else {
+                        break;
+                    }
+                }
             }
             if (proxy.type() == Proxy.Type.HTTP) {
                 final SocketAddress address = proxy.address();
                 if (!(address instanceof InetSocketAddress)) {
-                    System.err.println(
-                            "Unsupported proxy address type " + (address != null ? address.getClass() : "null"));
+                    LOGGER.log(Level.WARNING, "Unsupported proxy address type {0}", (address != null ? address.getClass() : "null"));
                     continue;
                 }
                 InetSocketAddress proxyAddress = (InetSocketAddress) address;
@@ -360,7 +473,7 @@ static InetSocketAddress getResolvedHttpProxyAddress(@Nonnull String host, int p
                     URL url = new URL(httpProxy);
                     targetAddress = new InetSocketAddress(url.getHost(), url.getPort());
                 } catch (MalformedURLException e) {
-                    System.err.println("Not use http_proxy environment variable which is invalid: " + e.getMessage());
+                    LOGGER.log(Level.WARNING, "Not using http_proxy environment variable which is invalid.", e);
                 }
             }
         }
@@ -371,9 +484,10 @@ static InetSocketAddress getResolvedHttpProxyAddress(@Nonnull String host, int p
      * Gets URL connection.
      * If http_proxy environment variable exists,  the connection uses the proxy.
      * Credentials can be passed e.g. to support running Jenkins behind a (reverse) proxy requiring authorization
+     * FIXME: similar to hudson.remoting.Util.openURLConnection which is still used in hudson.remoting.Launcher
      */
     static URLConnection openURLConnection(URL url, String credentials, String proxyCredentials,
-                                           SSLSocketFactory sslSocketFactory) throws IOException {
+                                           SSLSocketFactory sslSocketFactory, boolean disableHttpsCertValidation) throws IOException {
         String httpProxy = null;
         // If http.proxyHost property exists, openConnection() uses it.
         if (System.getProperty("http.proxyHost") == null) {
@@ -387,8 +501,7 @@ static URLConnection openURLConnection(URL url, String credentials, String proxy
                 Proxy proxy = new Proxy(Proxy.Type.HTTP, addr);
                 con = url.openConnection(proxy);
             } catch (MalformedURLException e) {
-                System.err.println(
-                        "Not use http_proxy property or environment variable which is invalid: " + e.getMessage());
+                LOGGER.log(Level.WARNING, "Not using http_proxy environment variable which is invalid.", e);
                 con = url.openConnection();
             }
         } else {
@@ -402,71 +515,46 @@ static URLConnection openURLConnection(URL url, String credentials, String proxy
             String encoding = Base64.encode(proxyCredentials.getBytes("UTF-8"));
             con.setRequestProperty("Proxy-Authorization", "Basic " + encoding);
         }
-        if (con instanceof HttpsURLConnection && sslSocketFactory != null) {
-            ((HttpsURLConnection) con).setSSLSocketFactory(sslSocketFactory);
-        }
-        return con;
-    }
 
-    /**
-     * Check if given URL is in the exclusion list defined by the no_proxy environment variable.
-     * On most *NIX system wildcards are not supported but if one top domain is added, all related subdomains will also
-     * be ignored. Both "mit.edu" and ".mit.edu" are valid syntax.
-     * http://www.gnu.org/software/wget/manual/html_node/Proxies.html
-     *
-     * Regexp:
-     * - \Q and \E: https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html
-     * - To match IPV4/IPV/FQDN: Regular Expressions Cookbook, 2nd Edition (ISBN: 9781449327453)
-     *
-     * Warning: this method won't match shortened representation of IPV6 address
-     */
-    static boolean inNoProxyEnvVar(String host) {
-        String noProxy = System.getenv("no_proxy");
-        if (noProxy != null) {
-            noProxy = noProxy.trim()
-                    // Remove spaces
-                    .replaceAll("\\s+", "")
-                    // Convert .foobar.com to foobar.com
-                    .replaceAll("((?<=^|,)\\.)*(([a-z0-9]+(-[a-z0-9]+)*\\.)+[a-z]{2,})(?=($|,))", "$2");
-
-            if (!noProxy.isEmpty()) {
-                // IPV4 and IPV6
-                if (host.matches("^(?:[0-9]{1,3}\\.){3}[0-9]{1,3}$") || host
-                        .matches("^(?:[a-fA-F0-9]{1,4}:){7}[a-fA-F0-9]{1,4}$")) {
-                    return noProxy.matches(".*(^|,)\\Q" + host + "\\E($|,).*");
-                } else {
-                    int depth = 0;
-                    // Loop while we have a valid domain name: acme.com
-                    // We add a safeguard to avoid a case where the host would always be valid because the regex would
-                    // for example fail to remove subdomains.
-                    // According to Wikipedia (no RFC defines it), 128 is the max number of subdivision for a valid
-                    // FQDN:
-                    // https://en.wikipedia.org/wiki/Subdomain#Overview
-                    while (host.matches("^([a-z0-9]+(-[a-z0-9]+)*\\.)+[a-z]{2,}$") && depth < 128) {
-                        ++depth;
-                        // Check if the no_proxy contains the host
-                        if (noProxy.matches(".*(^|,)\\Q" + host + "\\E($|,).*")) {
-                            return true;
-                        }
-                        // Remove first subdomain: master.jenkins.acme.com -> jenkins.acme.com
-                        else {
-                            host = host.replaceFirst("^[a-z0-9]+(-[a-z0-9]+)*\\.", "");
-                        }
-                    }
+        if (con instanceof HttpsURLConnection) {
+            final HttpsURLConnection httpsConnection = (HttpsURLConnection) con;
+            if (disableHttpsCertValidation) {
+                LOGGER.log(Level.WARNING, "HTTPs certificate check is disabled for the endpoint.");
+
+                try {
+                    SSLContext ctx = SSLContext.getInstance("TLS");
+                    ctx.init(null, new TrustManager[]{new NoCheckTrustManager()}, new SecureRandom());
+                    sslSocketFactory = ctx.getSocketFactory();
+
+                    httpsConnection.setHostnameVerifier(new NoCheckHostnameVerifier());
+                    httpsConnection.setSSLSocketFactory(sslSocketFactory);
+                } catch (KeyManagementException | NoSuchAlgorithmException ex) {
+                    // We could just suppress it, but the exception will unlikely happen.
+                    // So let's just propagate the error and fail the resolution
+                    throw new IOException("Cannot initialize the insecure HTTPs mode", ex);
                 }
+
+            } else if (sslSocketFactory != null) {
+                httpsConnection.setSSLSocketFactory(sslSocketFactory);
+                //FIXME: Is it really required in this path? Seems like a bug
+                httpsConnection.setHostnameVerifier(new NoCheckHostnameVerifier());
             }
         }
+        return con;
+    }
 
-        return false;
+    static boolean inNoProxyEnvVar(String host) {
+    	return !NoProxyEvaluator.shouldProxy(host);
     }
 
     @CheckForNull
     private static List<String> header(@Nonnull HttpURLConnection connection, String... headerNames) {
         Map<String, List<String>> headerFields = connection.getHeaderFields();
         for (String headerName : headerNames) {
-            for (String headerField : headerFields.keySet()) {
+            for (Map.Entry<String, List<String>> entry: headerFields.entrySet()) {
+                final String headerField = entry.getKey();
                 if (headerField != null && headerField.equalsIgnoreCase(headerName)) {
-                    return headerFields.get(headerField);
+                    return entry.getValue();
                 }
             }
         }
diff --git a/src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol3Handler.java b/src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol3Handler.java
index 0c5a55b80..d233ca575 100644
--- a/src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol3Handler.java
+++ b/src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol3Handler.java
@@ -34,6 +34,7 @@
 import java.io.InputStream;
 import java.io.PrintWriter;
 import java.net.Socket;
+import java.nio.charset.StandardCharsets;
 import java.security.SecureRandom;
 import java.util.HashMap;
 import java.util.List;
@@ -49,7 +50,6 @@
 import javax.crypto.CipherOutputStream;
 import org.jenkinsci.remoting.nio.NioChannelHub;
 import org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException;
-import org.jenkinsci.remoting.util.Charsets;
 
 import static org.jenkinsci.remoting.engine.EngineUtil.readChars;
 import static org.jenkinsci.remoting.engine.EngineUtil.readLine;
@@ -269,7 +269,7 @@ void receiveHandshake(@Nonnull Jnlp3ConnectionState state, @Nonnull Map<String,
         // Get initiation information from slave.
         Properties request = new Properties();
         DataInputStream in = state.getDataInputStream();
-        request.load(new ByteArrayInputStream(in.readUTF().getBytes(Charsets.UTF_8)));
+        request.load(new ByteArrayInputStream(in.readUTF().getBytes(StandardCharsets.UTF_8)));
         String clientName = request.getProperty(JnlpConnectionState.CLIENT_NAME_KEY);
         JnlpClientDatabase clientDatabase = getClientDatabase();
         if (clientDatabase == null || !clientDatabase.exists(clientName)) {
@@ -287,7 +287,7 @@ void receiveHandshake(@Nonnull Jnlp3ConnectionState state, @Nonnull Map<String,
         // Send agent challenge response.
         String challengeResponse = Jnlp3Util.createChallengeResponse(challenge);
         String encryptedChallengeResponse = handshakeCiphers.encrypt(challengeResponse);
-        out.println(encryptedChallengeResponse.getBytes(Charsets.UTF_8).length);
+        out.println(encryptedChallengeResponse.getBytes(StandardCharsets.UTF_8).length);
         out.print(encryptedChallengeResponse);
         out.flush();
 
@@ -315,7 +315,7 @@ void receiveHandshake(@Nonnull Jnlp3ConnectionState state, @Nonnull Map<String,
         // now validate the client
         String masterChallenge = Jnlp3Util.generateChallenge(RANDOM);
         String encryptedMasterChallenge = handshakeCiphers.encrypt(masterChallenge);
-        out.println(encryptedMasterChallenge.getBytes(Charsets.UTF_8).length);
+        out.println(encryptedMasterChallenge.getBytes(StandardCharsets.UTF_8).length);
         out.print(encryptedMasterChallenge);
         out.flush();
 
diff --git a/src/main/java/org/jenkinsci/remoting/engine/LegacyJnlpConnectionState.java b/src/main/java/org/jenkinsci/remoting/engine/LegacyJnlpConnectionState.java
index c0e47bd65..7411181c7 100644
--- a/src/main/java/org/jenkinsci/remoting/engine/LegacyJnlpConnectionState.java
+++ b/src/main/java/org/jenkinsci/remoting/engine/LegacyJnlpConnectionState.java
@@ -35,9 +35,8 @@
 import java.io.OutputStreamWriter;
 import java.io.PrintWriter;
 import java.net.Socket;
-import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 import java.util.List;
-import org.jenkinsci.remoting.util.Charsets;
 
 /**
  * Base class for {@link LegacyJnlpProtocolHandler} based protocols.
@@ -90,7 +89,7 @@ public DataInputStream getDataInputStream() {
     @Deprecated
     public PrintWriter getPrintWriter() {
         if (printWriter == null) {
-            printWriter = new PrintWriter(new OutputStreamWriter(bufferedOutputStream, Charsets.UTF_8), true);
+            printWriter = new PrintWriter(new OutputStreamWriter(bufferedOutputStream, StandardCharsets.UTF_8), true);
         }
         return printWriter;
     }
diff --git a/src/main/java/org/jenkinsci/remoting/engine/WorkDirManager.java b/src/main/java/org/jenkinsci/remoting/engine/WorkDirManager.java
index 098a5c2f6..65fe715ff 100644
--- a/src/main/java/org/jenkinsci/remoting/engine/WorkDirManager.java
+++ b/src/main/java/org/jenkinsci/remoting/engine/WorkDirManager.java
@@ -25,7 +25,9 @@
 
 package org.jenkinsci.remoting.engine;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import hudson.remoting.TeeOutputStream;
+import org.jenkinsci.remoting.util.PathUtils;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
 
@@ -33,8 +35,10 @@
 import javax.annotation.Nonnull;
 import java.io.File;
 import java.io.FileInputStream;
+import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
+import java.io.OutputStream;
 import java.io.PrintStream;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -124,6 +128,19 @@ public void disable(@Nonnull DirType dir) {
     public File getLocation(@Nonnull DirType type) {
         return directories.get(type);
     }
+
+    /**
+     * Get {@link Path} of the directory.
+     * @param type Type of the directory
+     * @return Path
+     * @since TODO
+     * @throws IOException Invalid path, e.g. ig the root directory is incorrect
+     */
+    @CheckForNull
+    public Path getLocationPath(@Nonnull DirType type) throws IOException {
+        File location = directories.get(type);
+        return location != null ? PathUtils.fileToPath(location) : null;
+    }
     
     /**
      * Sets path to the Logging JUL property file with logging settings.
@@ -191,7 +208,7 @@ public Path initializeWorkDir(final @CheckForNull File workDir, final @Nonnull S
             directories.put(DirType.INTERNAL_DIR, internalDirFile);
 
             // Create the directory on-demand
-            final Path internalDirPath = internalDirFile.toPath();
+            final Path internalDirPath = PathUtils.fileToPath(internalDirFile);
             Files.createDirectories(internalDirPath);
             LOGGER.log(Level.INFO, "Using {0} as a remoting work directory", internalDirPath);
             
@@ -208,7 +225,7 @@ private void createInternalDirIfRequired(File internalDir, DirType type)
         if (!disabledDirectories.contains(type)) {
             final File directory = new File(internalDir, type.getDefaultLocation());
             verifyDirectory(directory, type, false);
-            Files.createDirectories(directory.toPath());
+            Files.createDirectories(PathUtils.fileToPath(directory));
             directories.put(type, directory);
         } else {
             LOGGER.log(Level.FINE, "Skipping the disabled directory: {0}", type.getName());
@@ -268,7 +285,7 @@ public void setupLogging(@CheckForNull Path internalDirPath, @CheckForNull Path
             System.out.println("Using " + overrideLogPath + " as an agent Error log destination. 'Out' log won't be generated");
             System.out.flush(); // Just in case the channel
             System.err.flush();
-            System.setErr(new PrintStream(new TeeOutputStream(System.err, new FileOutputStream(overrideLogPath.toFile()))));
+            System.setErr(legacyCreateTeeStream(System.err, overrideLogPath));
             this.loggingInitialized = true;
         } else if (internalDirPath != null) { // New behavior
             System.out.println("Both error and output logs will be printed to " + internalDirPath);
@@ -279,13 +296,7 @@ public void setupLogging(@CheckForNull Path internalDirPath, @CheckForNull Path
             final File internalDirFile = internalDirPath.toFile();
             createInternalDirIfRequired(internalDirFile, DirType.LOGS_DIR);
             final File logsDir = getLocation(DirType.LOGS_DIR);
-            
-            // TODO: Forward these logs? Likely no, we do not expect something to get there
-            //System.setErr(new PrintStream(new TeeOutputStream(System.err,
-            //        new FileOutputStream(new File(logsDir, "remoting.err.log")))));
-            //System.setOut(new PrintStream(new TeeOutputStream(System.out,
-            //        new FileOutputStream(new File(logsDir, "remoting.out.log")))));
-             
+
             if (configFile == null) {
                 final Logger rootLogger = Logger.getLogger("");
                 final File julLog = new File(logsDir, "remoting.log");
@@ -293,14 +304,7 @@ public void setupLogging(@CheckForNull Path internalDirPath, @CheckForNull Path
                                          10*1024*1024, 5, false); 
                 logHandler.setFormatter(new SimpleFormatter()); 
                 logHandler.setLevel(Level.INFO); 
-                rootLogger.addHandler(logHandler); 
-                
-                // TODO: Uncomment if there is TeeOutputStream added
-                // Remove console handler since the logs are going to the file now
-                // ConsoleHandler consoleHandler = findConsoleHandler(rootLogger);
-                // if (consoleHandler != null) {
-                //    rootLogger.removeHandler(consoleHandler);
-                // }
+                rootLogger.addHandler(logHandler);
             }
 
             this.loggingInitialized = true;
@@ -310,19 +314,14 @@ public void setupLogging(@CheckForNull Path internalDirPath, @CheckForNull Path
         }
     }
 
-    @CheckForNull
-    private static ConsoleHandler findConsoleHandler(Logger logger) {
-        for (Handler h : logger.getHandlers()) {
-            if (h instanceof ConsoleHandler) {
-                return (ConsoleHandler)h;
-            }
-        }
-        return null;
+    @SuppressFBWarnings(value = "DM_DEFAULT_ENCODING", justification = "It is a legacy logging mode. Relying on the default is not fine, but it just behaves as it used to behave for years")
+    private PrintStream legacyCreateTeeStream(OutputStream ostream, Path destination) throws FileNotFoundException {
+        return new PrintStream(new TeeOutputStream(ostream, new FileOutputStream(destination.toFile())));
     }
     
     /**
      * Defines components of the Working directory.
-     * @since TODO
+     * @since 3.8
      */
     @Restricted(NoExternalUse.class)
     public enum DirType {
diff --git a/src/main/java/org/jenkinsci/remoting/nio/FifoBuffer.java b/src/main/java/org/jenkinsci/remoting/nio/FifoBuffer.java
index 69d6e001d..98dc4eb82 100644
--- a/src/main/java/org/jenkinsci/remoting/nio/FifoBuffer.java
+++ b/src/main/java/org/jenkinsci/remoting/nio/FifoBuffer.java
@@ -257,7 +257,7 @@ public boolean isClosed() {
     /**
      * Returns Exception with stacktrace of the command, which invoked the buffer close.
      * @return Close cause or {@code null}
-     * @since TODO
+     * @since 3.3
      */
     @CheckForNull
     public CloseCause getCloseCause() {
@@ -618,7 +618,7 @@ public int read(byte[] b, int off, int len) throws IOException {
     
     /**
      * Explains the reason of the buffer close.
-     * @since TODO
+     * @since 3.3
      */
     public static class CloseCause extends Exception {
 
diff --git a/src/main/java/org/jenkinsci/remoting/nio/NioChannelBuilder.java b/src/main/java/org/jenkinsci/remoting/nio/NioChannelBuilder.java
index 66b15791c..7ddb9ed1e 100644
--- a/src/main/java/org/jenkinsci/remoting/nio/NioChannelBuilder.java
+++ b/src/main/java/org/jenkinsci/remoting/nio/NioChannelBuilder.java
@@ -84,6 +84,11 @@ public NioChannelBuilder withJarCache(JarCache jarCache) {
         return (NioChannelBuilder) super.withJarCache(jarCache);
     }
 
+    @Override
+    public NioChannelBuilder withoutJarCache() {
+        return (NioChannelBuilder) super.withoutJarCache();
+    }
+
     @Override
     public NioChannelBuilder withClassFilter(ClassFilter filter) {
         return (NioChannelBuilder)super.withClassFilter(filter);
diff --git a/src/main/java/org/jenkinsci/remoting/nio/NioChannelHub.java b/src/main/java/org/jenkinsci/remoting/nio/NioChannelHub.java
index c4aba1a7c..cc755c4b6 100644
--- a/src/main/java/org/jenkinsci/remoting/nio/NioChannelHub.java
+++ b/src/main/java/org/jenkinsci/remoting/nio/NioChannelHub.java
@@ -19,6 +19,8 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InterruptedIOException;
+import java.io.NotSerializableException;
+import java.io.ObjectStreamException;
 import java.io.OutputStream;
 import java.nio.channels.CancelledKeyException;
 import java.nio.channels.ClosedSelectorException;
@@ -38,6 +40,9 @@
 
 import static java.nio.channels.SelectionKey.*;
 import static java.util.logging.Level.*;
+import org.jenkinsci.remoting.util.ExecutorServiceUtils;
+import javax.annotation.CheckForNull;
+import javax.annotation.Nonnull;
 
 /**
  * Switch board of multiple {@link Channel}s through NIO select.
@@ -114,7 +119,8 @@ abstract class NioTransport extends AbstractByteArrayCommandTransport {
          */
         final FifoBuffer wb = new FifoBuffer(16*1024,256*1024);
 
-        private ByteArrayReceiver receiver;
+        @CheckForNull
+        private ByteArrayReceiver receiver = null;
 
         /**
          * To ensure serial execution order within each {@link Channel}, we submit
@@ -195,6 +201,7 @@ protected Channel getChannel() {
             return channel;
         }
 
+        //TODO: do not just ignore the exceptions below
         @SelectorThreadOnly
         public void abort(Throwable e) {
             try {
@@ -207,6 +214,9 @@ public void abort(Throwable e) {
             } catch (IOException ignored) {
                 // ignore
             }
+            if (receiver == null) {
+                throw new IllegalStateException("Aborting connection before it has been actually set up");
+            }
             receiver.terminate((IOException)new IOException("Connection aborted: "+this).initCause(e));
         }
 
@@ -247,16 +257,9 @@ public void closeWrite() throws IOException {
 
         @Override
         public void closeRead() throws IOException {
-            scheduleSelectorTask(new Callable<Void, IOException>() {
-                public Void call() throws IOException {
-                    closeR();
-                    return null;
-                }
-
-                @Override
-                public void checkRoles(RoleChecker checker) throws SecurityException {
-                    throw new AssertionError();    // not actually used over remoting
-                }
+            scheduleSelectorTask(() -> {
+                closeR();
+                return null;
             });
         }
 
@@ -264,16 +267,9 @@ public void checkRoles(RoleChecker checker) throws SecurityException {
          * Update the operations for which we are registered.
          */
         private void scheduleReregister() {
-            scheduleSelectorTask(new Callable<Void, IOException>() {
-                public Void call() throws IOException {
-                    reregister();
-                    return null;
-                }
-
-                @Override
-                public void checkRoles(RoleChecker checker) throws SecurityException {
-                    throw new AssertionError();    // not actually used over remoting
-                }
+            scheduleSelectorTask(() -> {
+                reregister();
+                return null;
             });
         }
 
@@ -502,11 +498,55 @@ protected CommandTransport makeTransport(InputStream is, OutputStream os, Mode m
         };
     }
 
-    private void scheduleSelectorTask(Callable<Void, IOException> task) {
-        selectorTasks.add(task);
+    // TODO: This logic should use Executor service
+    private void scheduleSelectorTask(java.util.concurrent.Callable<Void> task) {
+        selectorTasks.add(new CallableRemotingWrapper(task));
         selector.wakeup();
     }
 
+    /**
+     * Provides a wrapper for submitting {@link java.util.concurrent.Callable}s over Remoting execution queues.
+     *
+     * @deprecated It is just a hack, which schedules non-serializable tasks over the Remoting Task queue.
+     *             There is no sane reason to reuse this wrapper class anywhere.
+     */
+    @Deprecated
+    private static final class CallableRemotingWrapper implements Callable<Void, IOException> {
+        private static final long serialVersionUID = -7331104479109353930L;
+        final transient java.util.concurrent.Callable<Void> task;
+
+        CallableRemotingWrapper(@Nonnull java.util.concurrent.Callable<Void> task) {
+            this.task = task;
+        }
+
+        @Override
+        public Void call() throws IOException {
+            if (task == null) {
+                throw new IOException("The callable " + this + " has been serialized somehow, but it is actually not serializable");
+            }
+            try {
+                return task.call();
+            } catch (IOException ex) {
+                throw ex;
+            } catch (Exception ex) {
+                throw new IOException(ex);
+            }
+        }
+
+        private Object readResolve() throws ObjectStreamException {
+            throw new NotSerializableException("The class should not be serialized over Remoting");
+        }
+        
+        private Object writeReplace() throws ObjectStreamException {
+            throw new NotSerializableException("The class should not be serialized over Remoting");
+        }
+
+        @Override
+        public void checkRoles(RoleChecker checker) throws SecurityException {
+            throw new SecurityException("The class should not be serialized over Remoting");
+        }
+    }
+
     /**
      * Shuts down the selector thread and aborts all
      */
@@ -592,9 +632,14 @@ public void run() {
                                         } while (!last);
                                         assert packetSize==0;
                                         if (packet.length > 0) {
-                                            t.swimLane.submit(new Runnable() {
+                                            ExecutorServiceUtils.submitAsync(t.swimLane, new Runnable() {
+                                                @Override
                                                 public void run() {
-                                                    t.receiver.handle(packet);
+                                                    final ByteArrayReceiver receiver = t.receiver;
+                                                    if (receiver == null) {
+                                                        throw new IllegalStateException("NIO transport layer has not been set up yet");
+                                                    }
+                                                    receiver.handle(packet);
                                                 }
                                             });
                                         }
@@ -609,8 +654,9 @@ public void run() {
                                     t.abort(new IOException(msg));
                                 }
                                 if (t.rb.isClosed()) {
-                                    // EOF. process this synchronously with respect to packets
-                                    t.swimLane.submit(new Runnable() {
+                                    // EOF. process this synchronously with respect to packets waiting for handling in the queue
+                                    ExecutorServiceUtils.submitAsync(t.swimLane, new Runnable() {
+                                        @Override
                                         public void run() {
                                             // if this EOF is unexpected, report an error.
                                             if (!t.getChannel().isInClosed()) {
@@ -633,6 +679,11 @@ public void run() {
                             // It causes the channel failure, hence it is severe
                             LOGGER.log(SEVERE, "Communication problem in " + t + ". NIO Transport will be aborted.", e);
                             t.abort(e);
+                        } catch (ExecutorServiceUtils.ExecutionRejectedException e) {
+                            // TODO: should we try to reschedule the task if the issue is not fatal?
+                            // The swimlane has rejected the execution, e.g. due to the "shutting down" state.
+                            LOGGER.log(SEVERE, "The underlying executor service rejected the task in " + t + ". NIO Transport will be aborted.", e);
+                            t.abort(e);
                         } catch (CancelledKeyException e) {
                             // see JENKINS-24050. I don't understand how this can happen, given that the selector
                             // thread is the only thread that cancels keys. So to better understand what's going on,
diff --git a/src/main/java/org/jenkinsci/remoting/org/apache/commons/net/util/SubnetUtils.java b/src/main/java/org/jenkinsci/remoting/org/apache/commons/net/util/SubnetUtils.java
new file mode 100644
index 000000000..994a04a71
--- /dev/null
+++ b/src/main/java/org/jenkinsci/remoting/org/apache/commons/net/util/SubnetUtils.java
@@ -0,0 +1,368 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.jenkinsci.remoting.org.apache.commons.net.util;
+
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * A class that performs some subnet calculations given a network address and a subnet mask.
+ * @see "http://www.faqs.org/rfcs/rfc1519.html"
+ * @since 2.0
+ */
+//[PATCH]
+@Restricted(NoExternalUse.class)
+// end of [PATCH]
+public class SubnetUtils {
+
+    private static final String IP_ADDRESS = "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})";
+    private static final String SLASH_FORMAT = IP_ADDRESS + "/(\\d{1,3})";
+    private static final Pattern addressPattern = Pattern.compile(IP_ADDRESS);
+    private static final Pattern cidrPattern = Pattern.compile(SLASH_FORMAT);
+    private static final int NBITS = 32;
+
+    private int netmask = 0;
+    private int address = 0;
+    private int network = 0;
+    private int broadcast = 0;
+
+    /** Whether the broadcast/network address are included in host count */
+    private boolean inclusiveHostCount = false;
+
+
+    /**
+     * Constructor that takes a CIDR-notation string, e.g. "192.168.0.1/16"
+     * @param cidrNotation A CIDR-notation string, e.g. "192.168.0.1/16"
+     * @throws IllegalArgumentException if the parameter is invalid,
+     * i.e. does not match n.n.n.n/m where n=1-3 decimal digits, m = 1-3 decimal digits in range 1-32
+     */
+    public SubnetUtils(String cidrNotation) {
+        calculate(cidrNotation);
+    }
+
+    /**
+     * Constructor that takes a dotted decimal address and a dotted decimal mask.
+     * @param address An IP address, e.g. "192.168.0.1"
+     * @param mask A dotted decimal netmask e.g. "255.255.0.0"
+     * @throws IllegalArgumentException if the address or mask is invalid,
+     * i.e. does not match n.n.n.n where n=1-3 decimal digits and the mask is not all zeros
+     */
+    public SubnetUtils(String address, String mask) {
+        calculate(toCidrNotation(address, mask));
+    }
+
+
+    /**
+     * Returns <code>true</code> if the return value of {@link SubnetInfo#getAddressCount()}
+     * includes the network and broadcast addresses.
+     * @since 2.2
+     * @return true if the hostcount includes the network and broadcast addresses
+     */
+    public boolean isInclusiveHostCount() {
+        return inclusiveHostCount;
+    }
+
+    /**
+     * Set to <code>true</code> if you want the return value of {@link SubnetInfo#getAddressCount()}
+     * to include the network and broadcast addresses.
+     * @param inclusiveHostCount true if network and broadcast addresses are to be included
+     * @since 2.2
+     */
+    public void setInclusiveHostCount(boolean inclusiveHostCount) {
+        this.inclusiveHostCount = inclusiveHostCount;
+    }
+
+
+
+    /**
+     * Convenience container for subnet summary information.
+     *
+     */
+    public final class SubnetInfo {
+        /* Mask to convert unsigned int to a long (i.e. keep 32 bits) */
+        private static final long UNSIGNED_INT_MASK = 0x0FFFFFFFFL;
+
+        private SubnetInfo() {}
+
+        private int netmask()       { return netmask; }
+        private int network()       { return network; }
+        private int address()       { return address; }
+        private int broadcast()     { return broadcast; }
+
+        // long versions of the values (as unsigned int) which are more suitable for range checking
+        private long networkLong()  { return network &  UNSIGNED_INT_MASK; }
+        private long broadcastLong(){ return broadcast &  UNSIGNED_INT_MASK; }
+
+        private int low() {
+            return (isInclusiveHostCount() ? network() :
+                broadcastLong() - networkLong() > 1 ? network() + 1 : 0);
+        }
+
+        private int high() {
+            return (isInclusiveHostCount() ? broadcast() :
+                broadcastLong() - networkLong() > 1 ? broadcast() -1  : 0);
+        }
+
+        /**
+         * Returns true if the parameter <code>address</code> is in the
+         * range of usable endpoint addresses for this subnet. This excludes the
+         * network and broadcast adresses.
+         * @param address A dot-delimited IPv4 address, e.g. "192.168.0.1"
+         * @return True if in range, false otherwise
+         */
+        public boolean isInRange(String address) {
+            return isInRange(toInteger(address));
+        }
+
+        /**
+         *
+         * @param address the address to check
+         * @return true if it is in range
+         * @since 3.4 (made public)
+         */
+        public boolean isInRange(int address) {
+            long addLong = address & UNSIGNED_INT_MASK;
+            long lowLong = low() & UNSIGNED_INT_MASK;
+            long highLong = high() & UNSIGNED_INT_MASK;
+            return addLong >= lowLong && addLong <= highLong;
+        }
+
+        public String getBroadcastAddress() {
+            return format(toArray(broadcast()));
+        }
+
+        public String getNetworkAddress() {
+            return format(toArray(network()));
+        }
+
+        public String getNetmask() {
+            return format(toArray(netmask()));
+        }
+
+        public String getAddress() {
+            return format(toArray(address()));
+        }
+
+        /**
+         * Return the low address as a dotted IP address.
+         * Will be zero for CIDR/31 and CIDR/32 if the inclusive flag is false.
+         *
+         * @return the IP address in dotted format, may be "0.0.0.0" if there is no valid address
+         */
+        public String getLowAddress() {
+            return format(toArray(low()));
+        }
+
+        /**
+         * Return the high address as a dotted IP address.
+         * Will be zero for CIDR/31 and CIDR/32 if the inclusive flag is false.
+         *
+         * @return the IP address in dotted format, may be "0.0.0.0" if there is no valid address
+         */
+        public String getHighAddress() {
+            return format(toArray(high()));
+        }
+
+        /**
+         * Get the count of available addresses.
+         * Will be zero for CIDR/31 and CIDR/32 if the inclusive flag is false.
+         * @return the count of addresses, may be zero.
+         * @throws RuntimeException if the correct count is greater than {@code Integer.MAX_VALUE}
+         * @deprecated (3.4) use {@link #getAddressCountLong()} instead
+         */
+        @Deprecated
+        public int getAddressCount() {
+            long countLong = getAddressCountLong();
+            if (countLong > Integer.MAX_VALUE) {
+                throw new RuntimeException("Count is larger than an integer: " + countLong);
+            }
+            // N.B. cannot be negative
+            return (int)countLong;
+        }
+
+        /**
+         * Get the count of available addresses.
+         * Will be zero for CIDR/31 and CIDR/32 if the inclusive flag is false.
+         * @return the count of addresses, may be zero.
+         * @since 3.4
+         */
+        public long getAddressCountLong() {
+            long b = broadcastLong();
+            long n = networkLong();
+            long count = b - n + (isInclusiveHostCount() ? 1 : -1);
+            return count < 0 ? 0 : count;
+        }
+
+        public int asInteger(String address) {
+            return toInteger(address);
+        }
+
+        public String getCidrSignature() {
+            return toCidrNotation(
+                    format(toArray(address())),
+                    format(toArray(netmask()))
+            );
+        }
+
+        public String[] getAllAddresses() {
+            int ct = getAddressCount();
+            String[] addresses = new String[ct];
+            if (ct == 0) {
+                return addresses;
+            }
+            for (int add = low(), j=0; add <= high(); ++add, ++j) {
+                addresses[j] = format(toArray(add));
+            }
+            return addresses;
+        }
+
+        /**
+         * {@inheritDoc}
+         * @since 2.2
+         */
+        @Override
+        public String toString() {
+            final StringBuilder buf = new StringBuilder();
+            buf.append("CIDR Signature:\t[").append(getCidrSignature()).append("]")
+                .append(" Netmask: [").append(getNetmask()).append("]\n")
+                .append("Network:\t[").append(getNetworkAddress()).append("]\n")
+                .append("Broadcast:\t[").append(getBroadcastAddress()).append("]\n")
+                 .append("First Address:\t[").append(getLowAddress()).append("]\n")
+                 .append("Last Address:\t[").append(getHighAddress()).append("]\n")
+                 .append("# Addresses:\t[").append(getAddressCount()).append("]\n");
+            return buf.toString();
+        }
+    }
+
+    /**
+     * Return a {@link SubnetInfo} instance that contains subnet-specific statistics
+     * @return new instance
+     */
+    public final SubnetInfo getInfo() { return new SubnetInfo(); }
+
+    /*
+     * Initialize the internal fields from the supplied CIDR mask
+     */
+    private void calculate(String mask) {
+        Matcher matcher = cidrPattern.matcher(mask);
+
+        if (matcher.matches()) {
+            address = matchAddress(matcher);
+
+            /* Create a binary netmask from the number of bits specification /x */
+            int cidrPart = rangeCheck(Integer.parseInt(matcher.group(5)), 0, NBITS);
+            for (int j = 0; j < cidrPart; ++j) {
+                netmask |= (1 << 31 - j);
+            }
+
+            /* Calculate base network address */
+            network = (address & netmask);
+
+            /* Calculate broadcast address */
+            broadcast = network | ~(netmask);
+        } else {
+            throw new IllegalArgumentException("Could not parse [" + mask + "]");
+        }
+    }
+
+    /*
+     * Convert a dotted decimal format address to a packed integer format
+     */
+    private int toInteger(String address) {
+        Matcher matcher = addressPattern.matcher(address);
+        if (matcher.matches()) {
+            return matchAddress(matcher);
+        } else {
+            throw new IllegalArgumentException("Could not parse [" + address + "]");
+        }
+    }
+
+    /*
+     * Convenience method to extract the components of a dotted decimal address and
+     * pack into an integer using a regex match
+     */
+    private int matchAddress(Matcher matcher) {
+        int addr = 0;
+        for (int i = 1; i <= 4; ++i) {
+            int n = (rangeCheck(Integer.parseInt(matcher.group(i)), 0, 255));
+            addr |= ((n & 0xff) << 8*(4-i));
+        }
+        return addr;
+    }
+
+    /*
+     * Convert a packed integer address into a 4-element array
+     */
+    private int[] toArray(int val) {
+        int ret[] = new int[4];
+        for (int j = 3; j >= 0; --j) {
+            ret[j] |= ((val >>> 8*(3-j)) & (0xff));
+        }
+        return ret;
+    }
+
+    /*
+     * Convert a 4-element array into dotted decimal format
+     */
+    private String format(int[] octets) {
+        StringBuilder str = new StringBuilder();
+        for (int i =0; i < octets.length; ++i){
+            str.append(octets[i]);
+            if (i != octets.length - 1) {
+                str.append(".");
+            }
+        }
+        return str.toString();
+    }
+
+    /*
+     * Convenience function to check integer boundaries.
+     * Checks if a value x is in the range [begin,end].
+     * Returns x if it is in range, throws an exception otherwise.
+     */
+    private int rangeCheck(int value, int begin, int end) {
+        if (value >= begin && value <= end) { // (begin,end]
+            return value;
+        }
+
+        throw new IllegalArgumentException("Value [" + value + "] not in range ["+begin+","+end+"]");
+    }
+
+    /*
+     * Count the number of 1-bits in a 32-bit integer using a divide-and-conquer strategy
+     * see Hacker's Delight section 5.1
+     */
+    int pop(int x) {
+        x = x - ((x >>> 1) & 0x55555555);
+        x = (x & 0x33333333) + ((x >>> 2) & 0x33333333);
+        x = (x + (x >>> 4)) & 0x0F0F0F0F;
+        x = x + (x >>> 8);
+        x = x + (x >>> 16);
+        return x & 0x0000003F;
+    }
+
+    /* Convert two dotted decimal addresses to a single xxx.xxx.xxx.xxx/yy format
+     * by counting the 1-bit population in the mask address. (It may be better to count
+     * NBITS-#trailing zeroes for this case)
+     */
+    private String toCidrNotation(String addr, String mask) {
+        return addr + "/" + pop(toInteger(mask));
+    }
+}
diff --git a/src/main/java/org/jenkinsci/remoting/org/apache/commons/validator/routines/InetAddressValidator.java b/src/main/java/org/jenkinsci/remoting/org/apache/commons/validator/routines/InetAddressValidator.java
new file mode 100644
index 000000000..2f409fe36
--- /dev/null
+++ b/src/main/java/org/jenkinsci/remoting/org/apache/commons/validator/routines/InetAddressValidator.java
@@ -0,0 +1,196 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/* Copied from commons-validator:commons-validator:1.6, with [PATCH] modifications */
+package org.jenkinsci.remoting.org.apache.commons.validator.routines;
+
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+/**
+ * <p><b>InetAddress</b> validation and conversion routines (<code>java.net.InetAddress</code>).</p>
+ *
+ * <p>This class provides methods to validate a candidate IP address.
+ *
+ * <p>
+ * This class is a Singleton; you can retrieve the instance via the {@link #getInstance()} method.
+ * </p>
+ *
+ * @version $Revision: 1783032 $
+ * @since Validator 1.4
+ */
+//[PATCH]
+@Restricted(NoExternalUse.class)
+// end of [PATCH]
+public class InetAddressValidator implements Serializable {
+
+    private static final int IPV4_MAX_OCTET_VALUE = 255;
+
+    private static final int MAX_UNSIGNED_SHORT = 0xffff;
+
+    private static final int BASE_16 = 16;
+
+    private static final long serialVersionUID = -919201640201914789L;
+
+    private static final String IPV4_REGEX =
+            "^(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})$";
+
+    // Max number of hex groups (separated by :) in an IPV6 address
+    private static final int IPV6_MAX_HEX_GROUPS = 8;
+
+    // Max hex digits in each IPv6 group
+    private static final int IPV6_MAX_HEX_DIGITS_PER_GROUP = 4;
+
+    /**
+     * Singleton instance of this class.
+     */
+    private static final InetAddressValidator VALIDATOR = new InetAddressValidator();
+
+    /** IPv4 RegexValidator */
+    private final RegexValidator ipv4Validator = new RegexValidator(IPV4_REGEX);
+
+    /**
+     * Returns the singleton instance of this validator.
+     * @return the singleton instance of this validator
+     */
+    public static InetAddressValidator getInstance() {
+        return VALIDATOR;
+    }
+
+    /**
+     * Checks if the specified string is a valid IP address.
+     * @param inetAddress the string to validate
+     * @return true if the string validates as an IP address
+     */
+    public boolean isValid(String inetAddress) {
+        return isValidInet4Address(inetAddress) || isValidInet6Address(inetAddress);
+    }
+
+    /**
+     * Validates an IPv4 address. Returns true if valid.
+     * @param inet4Address the IPv4 address to validate
+     * @return true if the argument contains a valid IPv4 address
+     */
+    public boolean isValidInet4Address(String inet4Address) {
+        // verify that address conforms to generic IPv4 format
+        String[] groups = ipv4Validator.match(inet4Address);
+
+        if (groups == null) {
+            return false;
+        }
+
+        // verify that address subgroups are legal
+        for (String ipSegment : groups) {
+            if (ipSegment == null || ipSegment.length() == 0) {
+                return false;
+            }
+
+            int iIpSegment = 0;
+
+            try {
+                iIpSegment = Integer.parseInt(ipSegment);
+            } catch(NumberFormatException e) {
+                return false;
+            }
+
+            if (iIpSegment > IPV4_MAX_OCTET_VALUE) {
+                return false;
+            }
+
+            if (ipSegment.length() > 1 && ipSegment.startsWith("0")) {
+                return false;
+            }
+
+        }
+
+        return true;
+    }
+
+    /**
+     * Validates an IPv6 address. Returns true if valid.
+     * @param inet6Address the IPv6 address to validate
+     * @return true if the argument contains a valid IPv6 address
+     * 
+     * @since 1.4.1
+     */
+    public boolean isValidInet6Address(String inet6Address) {
+        boolean containsCompressedZeroes = inet6Address.contains("::");
+        if (containsCompressedZeroes && (inet6Address.indexOf("::") != inet6Address.lastIndexOf("::"))) {
+            return false;
+        }
+        if ((inet6Address.startsWith(":") && !inet6Address.startsWith("::"))
+                || (inet6Address.endsWith(":") && !inet6Address.endsWith("::"))) {
+            return false;
+        }
+        String[] octets = inet6Address.split(":");
+        if (containsCompressedZeroes) {
+            List<String> octetList = new ArrayList<String>(Arrays.asList(octets));
+            if (inet6Address.endsWith("::")) {
+                // String.split() drops ending empty segments
+                octetList.add("");
+            } else if (inet6Address.startsWith("::") && !octetList.isEmpty()) {
+                octetList.remove(0);
+            }
+            octets = octetList.toArray(new String[octetList.size()]);
+        }
+        if (octets.length > IPV6_MAX_HEX_GROUPS) {
+            return false;
+        }
+        int validOctets = 0;
+        int emptyOctets = 0; // consecutive empty chunks
+        for (int index = 0; index < octets.length; index++) {
+            String octet = octets[index];
+            if (octet.length() == 0) {
+                emptyOctets++;
+                if (emptyOctets > 1) {
+                    return false;
+                }
+            } else {
+                emptyOctets = 0;
+                // Is last chunk an IPv4 address?
+                if (index == octets.length - 1 && octet.contains(".")) {
+                    if (!isValidInet4Address(octet)) {
+                        return false;
+                    }
+                    validOctets += 2;
+                    continue;
+                }
+                if (octet.length() > IPV6_MAX_HEX_DIGITS_PER_GROUP) {
+                    return false;
+                }
+                int octetInt = 0;
+                try {
+                    octetInt = Integer.parseInt(octet, BASE_16);
+                } catch (NumberFormatException e) {
+                    return false;
+                }
+                if (octetInt < 0 || octetInt > MAX_UNSIGNED_SHORT) {
+                    return false;
+                }
+            }
+            validOctets++;
+        }
+        if (validOctets > IPV6_MAX_HEX_GROUPS || (validOctets < IPV6_MAX_HEX_GROUPS && !containsCompressedZeroes)) {
+            return false;
+        }
+        return true;
+    }
+}
diff --git a/src/main/java/org/jenkinsci/remoting/org/apache/commons/validator/routines/RegexValidator.java b/src/main/java/org/jenkinsci/remoting/org/apache/commons/validator/routines/RegexValidator.java
new file mode 100644
index 000000000..b5e9e3e3d
--- /dev/null
+++ b/src/main/java/org/jenkinsci/remoting/org/apache/commons/validator/routines/RegexValidator.java
@@ -0,0 +1,241 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/* Copied from commons-validator:commons-validator:1.6, with [PATCH] modifications */
+package org.jenkinsci.remoting.org.apache.commons.validator.routines;
+
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+import java.io.Serializable;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * <b>Regular Expression</b> validation (using JDK 1.4+ regex support).
+ * <p>
+ * Construct the validator either for a single regular expression or a set (array) of
+ * regular expressions. By default validation is <i>case sensitive</i> but constructors
+ * are provided to allow  <i>case in-sensitive</i> validation. For example to create
+ * a validator which does <i>case in-sensitive</i> validation for a set of regular
+ * expressions:
+ * </p>
+ * <pre>
+ * <code>
+ * String[] regexs = new String[] {...};
+ * RegexValidator validator = new RegexValidator(regexs, false);
+ * </code>
+ * </pre>
+ *
+ * <ul>
+ *   <li>Validate <code>true</code> or <code>false</code>:</li>
+ *   <li>
+ *     <ul>
+ *       <li><code>boolean valid = validator.isValidRootUrl(value);</code></li>
+ *     </ul>
+ *   </li>
+ *   <li>Validate returning an aggregated String of the matched groups:</li>
+ *   <li>
+ *     <ul>
+ *       <li><code>String result = validator.validate(value);</code></li>
+ *     </ul>
+ *   </li>
+ *   <li>Validate returning the matched groups:</li>
+ *   <li>
+ *     <ul>
+ *       <li><code>String[] result = validator.match(value);</code></li>
+ *     </ul>
+ *   </li>
+ * </ul>
+ *
+ * <b>Note that patterns are matched against the entire input.</b>
+ *
+ * <p>
+ * Cached instances pre-compile and re-use {@link Pattern}(s) - which according
+ * to the {@link Pattern} API are safe to use in a multi-threaded environment.
+ * </p>
+ *
+ * @version $Revision: 1739356 $
+ * @since Validator 1.4
+ */
+//[PATCH]
+@Restricted(NoExternalUse.class)
+// end of [PATCH]
+public class RegexValidator implements Serializable {
+
+    private static final long serialVersionUID = -8832409930574867162L;
+
+    private final Pattern[] patterns;
+
+    /**
+     * Construct a <i>case sensitive</i> validator for a single
+     * regular expression.
+     *
+     * @param regex The regular expression this validator will
+     * validate against
+     */
+    public RegexValidator(String regex) {
+        this(regex, true);
+    }
+
+    /**
+     * Construct a validator for a single regular expression
+     * with the specified case sensitivity.
+     *
+     * @param regex The regular expression this validator will
+     * validate against
+     * @param caseSensitive when <code>true</code> matching is <i>case
+     * sensitive</i>, otherwise matching is <i>case in-sensitive</i>
+     */
+    public RegexValidator(String regex, boolean caseSensitive) {
+        this(new String[] {regex}, caseSensitive);
+    }
+
+    /**
+     * Construct a <i>case sensitive</i> validator that matches any one
+     * of the set of regular expressions.
+     *
+     * @param regexs The set of regular expressions this validator will
+     * validate against
+     */
+    public RegexValidator(String[] regexs) {
+        this(regexs, true);
+    }
+
+    /**
+     * Construct a validator that matches any one of the set of regular
+     * expressions with the specified case sensitivity.
+     *
+     * @param regexs The set of regular expressions this validator will
+     * validate against
+     * @param caseSensitive when <code>true</code> matching is <i>case
+     * sensitive</i>, otherwise matching is <i>case in-sensitive</i>
+     */
+    public RegexValidator(String[] regexs, boolean caseSensitive) {
+        if (regexs == null || regexs.length == 0) {
+            throw new IllegalArgumentException("Regular expressions are missing");
+        }
+        patterns = new Pattern[regexs.length];
+        int flags =  (caseSensitive ? 0: Pattern.CASE_INSENSITIVE);
+        for (int i = 0; i < regexs.length; i++) {
+            if (regexs[i] == null || regexs[i].length() == 0) {
+                throw new IllegalArgumentException("Regular expression[" + i + "] is missing");
+            }
+            patterns[i] =  Pattern.compile(regexs[i], flags);
+        }
+    }
+
+    /**
+     * Validate a value against the set of regular expressions.
+     *
+     * @param value The value to validate.
+     * @return <code>true</code> if the value is valid
+     * otherwise <code>false</code>.
+     */
+    public boolean isValid(String value) {
+        if (value == null) {
+            return false;
+        }
+        for (int i = 0; i < patterns.length; i++) {
+            if (patterns[i].matcher(value).matches()) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    /**
+     * Validate a value against the set of regular expressions
+     * returning the array of matched groups.
+     *
+     * @param value The value to validate.
+     * @return String array of the <i>groups</i> matched if
+     * valid or <code>null</code> if invalid
+     */
+//[PATCH]
+    @SuppressFBWarnings("PZLA") // Remoting uses Low threshold
+// end of [PATCH]
+    public String[] match(String value) {
+        if (value == null) {
+            return null;
+        }
+        for (int i = 0; i < patterns.length; i++) {
+            Matcher matcher = patterns[i].matcher(value);
+            if (matcher.matches()) {
+                int count = matcher.groupCount();
+                String[] groups = new String[count];
+                for (int j = 0; j < count; j++) {
+                    groups[j] = matcher.group(j+1);
+                }
+                return groups;
+            }
+        }
+        return null;
+    }
+
+
+    /**
+     * Validate a value against the set of regular expressions
+     * returning a String value of the aggregated groups.
+     *
+     * @param value The value to validate.
+     * @return Aggregated String value comprised of the
+     * <i>groups</i> matched if valid or <code>null</code> if invalid
+     */
+    public String validate(String value) {
+        if (value == null) {
+            return null;
+        }
+        for (int i = 0; i < patterns.length; i++) {
+            Matcher matcher = patterns[i].matcher(value);
+            if (matcher.matches()) {
+                int count = matcher.groupCount();
+                if (count == 1) {
+                    return matcher.group(1);
+                }
+                StringBuilder buffer = new StringBuilder();
+                for (int j = 0; j < count; j++) {
+                    String component = matcher.group(j+1);
+                    if (component != null) {
+                        buffer.append(component);
+                    }
+                }
+                return buffer.toString();
+            }
+        }
+        return null;
+    }
+
+    /**
+     * Provide a String representation of this validator.
+     * @return A String representation of this validator
+     */
+    @Override
+    public String toString() {
+        StringBuilder buffer = new StringBuilder();
+        buffer.append("RegexValidator{");
+        for (int i = 0; i < patterns.length; i++) {
+            if (i > 0) {
+                buffer.append(",");
+            }
+            buffer.append(patterns[i].pattern());
+        }
+        buffer.append("}");
+        return buffer.toString();
+    }
+
+}
diff --git a/src/main/java/org/jenkinsci/remoting/protocol/ApplicationLayer.java b/src/main/java/org/jenkinsci/remoting/protocol/ApplicationLayer.java
index fbe875b15..059c17879 100644
--- a/src/main/java/org/jenkinsci/remoting/protocol/ApplicationLayer.java
+++ b/src/main/java/org/jenkinsci/remoting/protocol/ApplicationLayer.java
@@ -41,7 +41,7 @@
  *
  * @param <T> the application specific API.
  *
- * @since FIXME
+ * @since 3.0
  */
 public abstract class ApplicationLayer<T> implements ProtocolLayer, ProtocolLayer.Recv {
 
diff --git a/src/main/java/org/jenkinsci/remoting/protocol/FilterLayer.java b/src/main/java/org/jenkinsci/remoting/protocol/FilterLayer.java
index d92c8a110..7472292b0 100644
--- a/src/main/java/org/jenkinsci/remoting/protocol/FilterLayer.java
+++ b/src/main/java/org/jenkinsci/remoting/protocol/FilterLayer.java
@@ -44,7 +44,7 @@
  * <li>etc.</li>
  * </ul>
  *
- * @since FIXME
+ * @since 3.0
  */
 public abstract class FilterLayer implements ProtocolLayer, ProtocolLayer.Send, ProtocolLayer.Recv {
 
diff --git a/src/main/java/org/jenkinsci/remoting/protocol/IOHub.java b/src/main/java/org/jenkinsci/remoting/protocol/IOHub.java
index c846b6bdf..f3ff30f7c 100644
--- a/src/main/java/org/jenkinsci/remoting/protocol/IOHub.java
+++ b/src/main/java/org/jenkinsci/remoting/protocol/IOHub.java
@@ -55,6 +55,7 @@
 import javax.annotation.Nonnull;
 import javax.annotation.OverridingMethodsMustInvokeSuper;
 import javax.annotation.concurrent.GuardedBy;
+
 import org.jenkinsci.remoting.util.ByteBufferPool;
 import org.jenkinsci.remoting.util.DirectByteBufferPool;
 import org.kohsuke.accmod.Restricted;
@@ -71,6 +72,13 @@ public class IOHub implements Executor, Closeable, Runnable, ByteBufferPool {
      * Our logger.
      */
     private static final Logger LOGGER = Logger.getLogger(IOHub.class.getName());
+
+    /**
+     * Defines the Selector wakeup timeout via a system property. Defaults to {@code 1000ms}.
+     * @since TODO
+     */
+    private static final long SELECTOR_WAKEUP_TIMEOUT_MS = Long.getLong(IOHub.class.getName() + ".selectorWakeupTimeout", 1000);
+
     /**
      * The next ID to use.
      */
@@ -83,6 +91,9 @@ public class IOHub implements Executor, Closeable, Runnable, ByteBufferPool {
      * Our selector.
      */
     private final Selector selector;
+    private volatile boolean ioHubRunning = false;
+    private final Object selectorLockObject = new Object();
+
     /**
      * Our executor.
      */
@@ -126,6 +137,7 @@ public class IOHub implements Executor, Closeable, Runnable, ByteBufferPool {
      */
     private IOHub(Executor executor) throws IOException {
         this.selector = Selector.open();
+        this.ioHubRunning = true;
         this.executor = executor;
         this.bufferPool = new DirectByteBufferPool(16916, Runtime.getRuntime().availableProcessors() * 4);
     }
@@ -140,6 +152,8 @@ private IOHub(Executor executor) throws IOException {
     public static IOHub create(Executor executor) throws IOException {
         IOHub result = new IOHub(executor);
         executor.execute(result);
+        LOGGER.log(Level.FINE, "Staring an additional Selector wakeup thread. See JENKINS-47965 for more info");
+        executor.execute(new IOHubSelectorWatcher(result));
         return result;
     }
 
@@ -408,6 +422,16 @@ public final void unregister(SelectableChannel channel) {
         selectionKey.attach(null);
     }
 
+    private String getThreadNameBase(String executorThreadName) {
+        int keySize;
+        try {
+            keySize = selector.keys().size();
+        } catch (ClosedSelectorException x) {
+            keySize = -1; // possibly a race condition, ignore
+        }
+        return "IOHub#" + _id + ": Selector[keys:" + keySize + ", gen:" + gen + "] / " + executorThreadName;
+    }
+
     /**
      * {@inheritDoc}
      */
@@ -419,9 +443,7 @@ public final void run() {
         long cpuOverheatProtection = System.nanoTime();
         try {
             while (isOpen()) {
-                selectorThread.setName(
-                        "IOHub#" + _id + ": Selector[keys:" + selector.keys().size() + ", gen:" + gen + "] / " + oldName
-                );
+                selectorThread.setName(getThreadNameBase(oldName));
                 try {
                     processScheduledTasks();
                     boolean wantSelectNow = processRegistrations();
@@ -433,8 +455,12 @@ public final void run() {
                         // in an immediately ready selection key, hence we use the non-blocking form
                         selected = selector.selectNow();
                     } else {
-                        selected = selector.select(); // WINDOWS!!! Waiting the whole timeout anyway if timeout specified?!?
+                        // On Windows the select(timeout) operation ALWAYS waits for the timeout,
+                        // so we workaround it by IOHubSelectorWatcher
+                        // "Ubuntu on Windows also qualifies as Windows, so we just rely on the wakeup thread ad use infinite timeout"
+                        selected = selector.select();
                     }
+
                     if (selected == 0) {
                         // don't stress the GC by creating instantiating the selected keys
                         continue;
@@ -489,6 +515,54 @@ public final void run() {
             // ignore, happens routinely
         } finally {
             selectorThread.setName(oldName);
+            ioHubRunning = false;
+            synchronized (selectorLockObject) {
+                selectorLockObject.notifyAll();
+            }
+        }
+    }
+
+    /**
+     * This is an artificial thread, which monitors IOHub Selector and wakes it up if it waits for more than 1 second.
+     * It is a workaround for Selector#select(long timeout) on Windows, where the call always waits for the entire timeout before returning back.
+     * Since the same behavior happens on Unix emulation layer in Windows, we run this thread on Unix platforms as well.
+     */
+    private static class IOHubSelectorWatcher implements Runnable {
+
+        private final IOHub iohub;
+
+        public IOHubSelectorWatcher(IOHub iohub) {
+            this.iohub = iohub;
+        }
+
+        @Override
+        public void run() {
+            final Thread watcherThread = Thread.currentThread();
+            final String oldName = watcherThread.getName();
+            final String watcherName = "Windows IOHub Watcher for " + iohub.getThreadNameBase(oldName);
+            LOGGER.log(Level.FINEST, "{0}: Started", watcherName);
+            try {
+                watcherThread.setName(watcherName);
+                while (true) {
+                    synchronized (iohub.selectorLockObject) {
+                        if (iohub.ioHubRunning) {
+                            iohub.selectorLockObject.wait(SELECTOR_WAKEUP_TIMEOUT_MS);
+                        } else {
+                            break;
+                        }
+                    }
+                    iohub.selector.wakeup();
+                }
+            } catch (InterruptedException ex) {
+                // interrupted
+                if (LOGGER.isLoggable(Level.FINE)) {
+                    LOGGER.log(Level.FINE, "{0}: Interrupted", ex);
+                }
+                return;
+            } finally {
+                watcherThread.setName(oldName);
+                LOGGER.log(Level.FINEST, "{0}: Finished", watcherName);
+            }
         }
     }
 
diff --git a/src/main/java/org/jenkinsci/remoting/protocol/IOHubReadyListener.java b/src/main/java/org/jenkinsci/remoting/protocol/IOHubReadyListener.java
index 58c52e8f5..a1bf30942 100644
--- a/src/main/java/org/jenkinsci/remoting/protocol/IOHubReadyListener.java
+++ b/src/main/java/org/jenkinsci/remoting/protocol/IOHubReadyListener.java
@@ -42,7 +42,7 @@
  * @see IOHub#removeInterestWrite(SelectionKey)
  * @see IOHub#unregister(SelectableChannel)
  *
- * @since FIXME
+ * @since 3.0
  */
 public interface IOHubReadyListener {
     /**
diff --git a/src/main/java/org/jenkinsci/remoting/protocol/IOHubRegistrationCallback.java b/src/main/java/org/jenkinsci/remoting/protocol/IOHubRegistrationCallback.java
index 9ae04a4e7..718e71d9d 100644
--- a/src/main/java/org/jenkinsci/remoting/protocol/IOHubRegistrationCallback.java
+++ b/src/main/java/org/jenkinsci/remoting/protocol/IOHubRegistrationCallback.java
@@ -31,7 +31,7 @@
  * Callback to be notified when a call to
  * {@link IOHub#register(SelectableChannel, IOHubReadyListener, boolean, boolean, boolean, boolean, IOHubRegistrationCallback)} has completed registration.
  *
- * @since FIXME
+ * @since 3.0
  */
 public interface IOHubRegistrationCallback {
 
diff --git a/src/main/java/org/jenkinsci/remoting/protocol/IOHubRegistrationFutureAdapterImpl.java b/src/main/java/org/jenkinsci/remoting/protocol/IOHubRegistrationFutureAdapterImpl.java
index ab6dbc6ea..6c005dc14 100644
--- a/src/main/java/org/jenkinsci/remoting/protocol/IOHubRegistrationFutureAdapterImpl.java
+++ b/src/main/java/org/jenkinsci/remoting/protocol/IOHubRegistrationFutureAdapterImpl.java
@@ -31,7 +31,7 @@
 /**
  * Converts the {@link IOHubRegistrationCallback} pattern into a {@link Future}.
  *
- * @since FIXME
+ * @since 3.0
  */
 class IOHubRegistrationFutureAdapterImpl implements IOHubRegistrationCallback {
     /**
diff --git a/src/main/java/org/jenkinsci/remoting/protocol/NetworkLayer.java b/src/main/java/org/jenkinsci/remoting/protocol/NetworkLayer.java
index 4de74da24..73ac2e465 100644
--- a/src/main/java/org/jenkinsci/remoting/protocol/NetworkLayer.java
+++ b/src/main/java/org/jenkinsci/remoting/protocol/NetworkLayer.java
@@ -38,7 +38,7 @@
  * the protocol
  * to the recipient and injecting the input from the recipient into the protocol stack.
  *
- * @since FIXME
+ * @since 3.0
  */
 public abstract class NetworkLayer implements ProtocolLayer, ProtocolLayer.Send {
 
diff --git a/src/main/java/org/jenkinsci/remoting/protocol/ProtocolLayer.java b/src/main/java/org/jenkinsci/remoting/protocol/ProtocolLayer.java
index 7ed40239b..95d712881 100644
--- a/src/main/java/org/jenkinsci/remoting/protocol/ProtocolLayer.java
+++ b/src/main/java/org/jenkinsci/remoting/protocol/ProtocolLayer.java
@@ -27,15 +27,17 @@
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 import javax.annotation.CheckForNull;
 import org.jenkinsci.remoting.util.ByteBufferUtils;
-import org.jenkinsci.remoting.util.Charsets;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.DoNotUse;
 
 /**
  * A network {@link ProtocolStack} consists of a number of {@link ProtocolLayer}s. This interface represents the general
  * contract of all layers in the stack.
  *
- * @since FIXME
+ * @since 3.0
  */
 public interface ProtocolLayer {
 
@@ -45,8 +47,12 @@ public interface ProtocolLayer {
     ByteBuffer EMPTY_BUFFER = ByteBufferUtils.EMPTY_BUFFER;
     /**
      * A handy constant until Java 7 compatibility can be assumed.
+     *
+     * @deprecated Use {@link StandardCharsets}
      */
-    Charset UTF_8 = Charsets.UTF_8; // TODO Replace with StandardCharsets.UTF_8 once Java 7
+    @Deprecated
+    @Restricted(DoNotUse.class)
+    Charset UTF_8 = StandardCharsets.UTF_8;
 
     /**
      * Initializes the layer with its {@link ProtocolStack.Ptr}. All lower layers in the stack will be initialized
diff --git a/src/main/java/org/jenkinsci/remoting/protocol/ProtocolStack.java b/src/main/java/org/jenkinsci/remoting/protocol/ProtocolStack.java
index eaaf9b124..b9a96ee69 100644
--- a/src/main/java/org/jenkinsci/remoting/protocol/ProtocolStack.java
+++ b/src/main/java/org/jenkinsci/remoting/protocol/ProtocolStack.java
@@ -101,7 +101,7 @@
  * </ol>
  *
  * @param <T> the application specific API.
- * @since FIXME
+ * @since 3.0
  */
 public class ProtocolStack<T> implements Closeable, ByteBufferPool {
 
@@ -597,7 +597,6 @@ public class Ptr {
         /**
          * Flag to track this {@link ProtocolLayer} as removed from the stack.
          */
-        @GuardedBy("ProtocolStack.stackLock")
         private boolean removed;
 
         /**
@@ -752,22 +751,7 @@ public ProtocolStack<?> stack() {
          * Requests removal of this {@link ProtocolLayer} from the {@link ProtocolStack}
          */
         public void remove() {
-            stackLock.readLock().lock();
-            try {
-                if (removed) {
-                    return;
-                }
-                if (nextSend == null) {
-                    throw new UnsupportedOperationException("Network layer is not supposed to call remove");
-                }
-                if (nextRecv == null) {
-                    throw new UnsupportedOperationException("Application layer is not supposed to call remove");
-                }
-                // we just want to have a lock, we abuse the read lock here as the readers are eventually consistent
-                removed = true;
-            } finally {
-                stackLock.readLock().unlock();
-            }
+            removed = true;
         }
 
         /**
diff --git a/src/main/java/org/jenkinsci/remoting/protocol/cert/BlindTrustX509ExtendedTrustManager.java b/src/main/java/org/jenkinsci/remoting/protocol/cert/BlindTrustX509ExtendedTrustManager.java
index 2a72873bc..e3c59bd51 100644
--- a/src/main/java/org/jenkinsci/remoting/protocol/cert/BlindTrustX509ExtendedTrustManager.java
+++ b/src/main/java/org/jenkinsci/remoting/protocol/cert/BlindTrustX509ExtendedTrustManager.java
@@ -33,7 +33,7 @@
 /**
  * An {@link X509ExtendedTrustManager} that trusts everything always.
  *
- * @since FIXME
+ * @since 3.0
  */
 @IgnoreJRERequirement // TODO We override some methods in Java 7, so remove this ignore when baseline is Java 7
 public class BlindTrustX509ExtendedTrustManager extends X509ExtendedTrustManager {
diff --git a/src/main/java/org/jenkinsci/remoting/protocol/cert/DelegatingX509ExtendedTrustManager.java b/src/main/java/org/jenkinsci/remoting/protocol/cert/DelegatingX509ExtendedTrustManager.java
index f2e634a88..f3d360826 100644
--- a/src/main/java/org/jenkinsci/remoting/protocol/cert/DelegatingX509ExtendedTrustManager.java
+++ b/src/main/java/org/jenkinsci/remoting/protocol/cert/DelegatingX509ExtendedTrustManager.java
@@ -34,7 +34,7 @@
 /**
  * An {@link X509ExtendedTrustManager} that delegates to a runtime mutable delegate {@link X509ExtendedTrustManager}.
  *
- * @since FIXME
+ * @since 3.0
  */
 @IgnoreJRERequirement // TODO We override some methods in Java 7, so remove this ignore when baseline is Java 7
 public class DelegatingX509ExtendedTrustManager extends X509ExtendedTrustManager {
diff --git a/src/main/java/org/jenkinsci/remoting/protocol/cert/PublicKeyMatchingX509ExtendedTrustManager.java b/src/main/java/org/jenkinsci/remoting/protocol/cert/PublicKeyMatchingX509ExtendedTrustManager.java
index 3ca093fe2..5a5285d2e 100644
--- a/src/main/java/org/jenkinsci/remoting/protocol/cert/PublicKeyMatchingX509ExtendedTrustManager.java
+++ b/src/main/java/org/jenkinsci/remoting/protocol/cert/PublicKeyMatchingX509ExtendedTrustManager.java
@@ -44,7 +44,7 @@
  * An {@link X509ExtendedTrustManager} that trusts any chain where the initial certificate was issued for a specific
  * set of trusted {@link PublicKey}s.
  *
- * @since FIXME
+ * @since 3.0
  */
 @IgnoreJRERequirement // TODO We override some methods in Java 7, so remove this ignore when baseline is Java 7
 public class PublicKeyMatchingX509ExtendedTrustManager extends X509ExtendedTrustManager {
diff --git a/src/main/java/org/jenkinsci/remoting/protocol/cert/ValidityCheckingX509ExtendedTrustManager.java b/src/main/java/org/jenkinsci/remoting/protocol/cert/ValidityCheckingX509ExtendedTrustManager.java
index 63743c56f..b06196e89 100644
--- a/src/main/java/org/jenkinsci/remoting/protocol/cert/ValidityCheckingX509ExtendedTrustManager.java
+++ b/src/main/java/org/jenkinsci/remoting/protocol/cert/ValidityCheckingX509ExtendedTrustManager.java
@@ -37,7 +37,7 @@
  * An {@link X509ExtendedTrustManager} that checks the validity of the chain before continuing with the (optional)
  * delegate {@link X509ExtendedTrustManager}.
  *
- * @since FIXME
+ * @since 3.0
  */
 @IgnoreJRERequirement // TODO We override some methods in Java 7, so remove this ignore when baseline is Java 7
 public class ValidityCheckingX509ExtendedTrustManager extends X509ExtendedTrustManager {
diff --git a/src/main/java/org/jenkinsci/remoting/protocol/impl/AckFilterLayer.java b/src/main/java/org/jenkinsci/remoting/protocol/impl/AckFilterLayer.java
index 818412d40..a5cf06f2c 100644
--- a/src/main/java/org/jenkinsci/remoting/protocol/impl/AckFilterLayer.java
+++ b/src/main/java/org/jenkinsci/remoting/protocol/impl/AckFilterLayer.java
@@ -38,7 +38,7 @@
  * A {@link FilterLayer} that ensures both sides will not proceed unless the acknowledgement has been sent and
  * received by both sides.
  *
- * @since FIXME
+ * @since 3.0
  */
 public class AckFilterLayer extends FilterLayer {
     /**
diff --git a/src/main/java/org/jenkinsci/remoting/protocol/impl/AgentProtocolClientFilterLayer.java b/src/main/java/org/jenkinsci/remoting/protocol/impl/AgentProtocolClientFilterLayer.java
index 806df8b73..7353d3674 100644
--- a/src/main/java/org/jenkinsci/remoting/protocol/impl/AgentProtocolClientFilterLayer.java
+++ b/src/main/java/org/jenkinsci/remoting/protocol/impl/AgentProtocolClientFilterLayer.java
@@ -35,7 +35,7 @@
 /**
  * A {@link FilterLayer} that sends the AgentProtocol client handshake.
  *
- * @since FIXME
+ * @since 3.0
  */
 public class AgentProtocolClientFilterLayer extends FilterLayer {
     /**
diff --git a/src/main/java/org/jenkinsci/remoting/protocol/impl/BIONetworkLayer.java b/src/main/java/org/jenkinsci/remoting/protocol/impl/BIONetworkLayer.java
index 77fae88be..06a7a1bc9 100644
--- a/src/main/java/org/jenkinsci/remoting/protocol/impl/BIONetworkLayer.java
+++ b/src/main/java/org/jenkinsci/remoting/protocol/impl/BIONetworkLayer.java
@@ -43,7 +43,7 @@
 /**
  * A {@link NetworkLayer} that uses a dedicated reader thread and runs on demand writer thread to manage I/O.
  *
- * @since FIXME
+ * @since 3.0
  */
 public class BIONetworkLayer extends NetworkLayer {
     /**
diff --git a/src/main/java/org/jenkinsci/remoting/protocol/impl/ChannelApplicationLayer.java b/src/main/java/org/jenkinsci/remoting/protocol/impl/ChannelApplicationLayer.java
index d5d33bc5f..33958b947 100644
--- a/src/main/java/org/jenkinsci/remoting/protocol/impl/ChannelApplicationLayer.java
+++ b/src/main/java/org/jenkinsci/remoting/protocol/impl/ChannelApplicationLayer.java
@@ -42,6 +42,7 @@
 import java.util.concurrent.Future;
 import javax.annotation.Nullable;
 import org.jenkinsci.remoting.protocol.ApplicationLayer;
+import org.jenkinsci.remoting.util.AnonymousClassWarnings;
 import org.jenkinsci.remoting.util.ByteBufferUtils;
 import org.jenkinsci.remoting.util.SettableFuture;
 import org.jenkinsci.remoting.util.ThrowableUtils;
@@ -49,7 +50,7 @@
 /**
  * An {@link ApplicationLayer} that produces a {@link Channel}.
  *
- * @since FIXME
+ * @since 3.0
  */
 public class ChannelApplicationLayer extends ApplicationLayer<Future<Channel>> {
 
@@ -219,7 +220,7 @@ public void onReadClosed(IOException cause) throws IOException {
     public void start() throws IOException {
         try {
             ByteArrayOutputStream bos = new ByteArrayOutputStream();
-            ObjectOutputStream oos = new ObjectOutputStream(BinarySafeStream.wrap(bos));
+            ObjectOutputStream oos = AnonymousClassWarnings.checkingObjectOutputStream(BinarySafeStream.wrap(bos));
             try {
                 oos.writeObject(new Capability());
             } finally {
@@ -291,15 +292,17 @@ public ByteBufferCommandTransport(Capability remoteCapability) {
          */
         @Override
         protected void write(ByteBuffer header, ByteBuffer data) throws IOException {
+            //TODO: Any way to get channel information here
             if (isWriteOpen()) {
                 try {
                     ChannelApplicationLayer.this.write(header);
                     ChannelApplicationLayer.this.write(data);
                 } catch (ClosedChannelException e) {
-                    throw new ChannelClosedException(e);
+                    // Probably it should be another exception type at all
+                    throw new ChannelClosedException(null, "Protocol stack cannot write data anymore. ChannelApplicationLayer reports that the NIO Channel is closed", e);
                 }
             } else {
-                throw new ChannelClosedException(new ClosedChannelException());
+                throw new ChannelClosedException(null, "Protocol stack cannot write data anymore. It is not open for write", null);
             }
         }
 
diff --git a/src/main/java/org/jenkinsci/remoting/protocol/impl/ConnectionHeaders.java b/src/main/java/org/jenkinsci/remoting/protocol/impl/ConnectionHeaders.java
index b15283345..933e1f0f1 100644
--- a/src/main/java/org/jenkinsci/remoting/protocol/impl/ConnectionHeaders.java
+++ b/src/main/java/org/jenkinsci/remoting/protocol/impl/ConnectionHeaders.java
@@ -57,7 +57,7 @@
  * </li>
  * </ul>
  *
- * @since FIXME
+ * @since 3.0
  */
 public final class ConnectionHeaders {
 
diff --git a/src/main/java/org/jenkinsci/remoting/protocol/impl/ConnectionHeadersFilterLayer.java b/src/main/java/org/jenkinsci/remoting/protocol/impl/ConnectionHeadersFilterLayer.java
index dab55f62d..d5a1126f8 100644
--- a/src/main/java/org/jenkinsci/remoting/protocol/impl/ConnectionHeadersFilterLayer.java
+++ b/src/main/java/org/jenkinsci/remoting/protocol/impl/ConnectionHeadersFilterLayer.java
@@ -27,6 +27,7 @@
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.nio.channels.ClosedChannelException;
+import java.nio.charset.StandardCharsets;
 import java.util.Map;
 import java.util.concurrent.Future;
 import java.util.logging.Level;
@@ -40,7 +41,7 @@
 /**
  * Performs the connection header negotiation.
  *
- * @since FIXME
+ * @since 3.0
  */
 public class ConnectionHeadersFilterLayer extends FilterLayer {
     /**
@@ -181,7 +182,7 @@ public void onRecv(@Nonnull ByteBuffer data) throws IOException {
                 byte[] headerBytes = new byte[headerInputContent.capacity()];
                 headerInputContent.flip();
                 headerInputContent.get(headerBytes, 0, headerInputContent.remaining());
-                final String headerAsString = new String(headerBytes, UTF_8);
+                final String headerAsString = new String(headerBytes, StandardCharsets.UTF_8);
                 if (LOGGER.isLoggable(Level.FINER)) {
                     LOGGER.log(Level.FINER, "[{0}] Received headers \"{1}\"",
                             new Object[]{stack().name(), headerAsString});
@@ -298,7 +299,7 @@ public void onRecv(@Nonnull ByteBuffer data) throws IOException {
                 byte[] responseBytes = new byte[responseInputContent.capacity()];
                 responseInputContent.flip();
                 responseInputContent.get(responseBytes, 0, responseInputContent.remaining());
-                String response = new String(responseBytes, UTF_8);
+                String response = new String(responseBytes, StandardCharsets.UTF_8);
                 if (LOGGER.isLoggable(Level.FINE)) {
                     LOGGER.log(Level.FINE, "[{0}] Received response \"{1}\"",
                             new Object[]{stack().name(), response});
diff --git a/src/main/java/org/jenkinsci/remoting/protocol/impl/ConnectionRefusalException.java b/src/main/java/org/jenkinsci/remoting/protocol/impl/ConnectionRefusalException.java
index 06fdc32d7..79cf71f30 100644
--- a/src/main/java/org/jenkinsci/remoting/protocol/impl/ConnectionRefusalException.java
+++ b/src/main/java/org/jenkinsci/remoting/protocol/impl/ConnectionRefusalException.java
@@ -28,7 +28,7 @@
 /**
  * An exception to flag that the connection has been refused.
  *
- * @since FIXME
+ * @since 3.0
  * @see PermanentConnectionRefusalException for a permanent rejection of the connection.
  */
 public class ConnectionRefusalException extends IOException {
diff --git a/src/main/java/org/jenkinsci/remoting/protocol/impl/NIONetworkLayer.java b/src/main/java/org/jenkinsci/remoting/protocol/impl/NIONetworkLayer.java
index 5ddc2727c..b21d6a2ac 100644
--- a/src/main/java/org/jenkinsci/remoting/protocol/impl/NIONetworkLayer.java
+++ b/src/main/java/org/jenkinsci/remoting/protocol/impl/NIONetworkLayer.java
@@ -48,7 +48,7 @@
 /**
  * A {@link NetworkLayer} that uses the NIO {@link Selector} of a {@link IOHub} to manage I/O.
  *
- * @since FIXME
+ * @since 3.0
  */
 public class NIONetworkLayer extends NetworkLayer implements IOHubReadyListener {
 
@@ -184,6 +184,7 @@ public void ready(boolean accept, boolean connect, boolean read, boolean write)
                                 LogRecord record = new LogRecord(Level.SEVERE, "[{0}] Uncaught {1}");
                                 record.setThrown(t);
                                 record.setParameters(new Object[]{stack().name(), t.getClass().getSimpleName()});
+                                LOGGER.log(record);
                             }
                         } finally {
                             // incase this was an OOMErr and logging caused another OOMErr
diff --git a/src/main/java/org/jenkinsci/remoting/protocol/impl/PermanentConnectionRefusalException.java b/src/main/java/org/jenkinsci/remoting/protocol/impl/PermanentConnectionRefusalException.java
index d0caddd6d..7e5dfed1f 100644
--- a/src/main/java/org/jenkinsci/remoting/protocol/impl/PermanentConnectionRefusalException.java
+++ b/src/main/java/org/jenkinsci/remoting/protocol/impl/PermanentConnectionRefusalException.java
@@ -26,7 +26,7 @@
 /**
  * An exception to flag that the connection has been rejected and no further connection attempts should be made.
  *
- * @since FIXME
+ * @since 3.0
  */
 public class PermanentConnectionRefusalException extends ConnectionRefusalException {
     /**
diff --git a/src/main/java/org/jenkinsci/remoting/protocol/impl/SSLEngineFilterLayer.java b/src/main/java/org/jenkinsci/remoting/protocol/impl/SSLEngineFilterLayer.java
index 571d1fcec..2641ad462 100644
--- a/src/main/java/org/jenkinsci/remoting/protocol/impl/SSLEngineFilterLayer.java
+++ b/src/main/java/org/jenkinsci/remoting/protocol/impl/SSLEngineFilterLayer.java
@@ -38,7 +38,7 @@
  * A {@link FilterLayer} that encrypts the communication between the upper layers and the lower layers using
  * the supplied {@link SSLEngine}.
  *
- * @since FIXME
+ * @since 3.0
  */
 public class SSLEngineFilterLayer extends FilterLayer {
     /**
diff --git a/src/main/java/org/jenkinsci/remoting/util/AnonymousClassWarnings.java b/src/main/java/org/jenkinsci/remoting/util/AnonymousClassWarnings.java
new file mode 100644
index 000000000..917256545
--- /dev/null
+++ b/src/main/java/org/jenkinsci/remoting/util/AnonymousClassWarnings.java
@@ -0,0 +1,129 @@
+/*
+ * The MIT License
+ *
+ * Copyright 2018 CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package org.jenkinsci.remoting.util;
+
+import hudson.remoting.Channel;
+import java.io.IOException;
+import java.io.ObjectOutputStream;
+import java.io.OutputStream;
+import java.net.URL;
+import java.security.CodeSource;
+import java.util.Map;
+import java.util.WeakHashMap;
+import java.util.concurrent.RejectedExecutionException;
+import java.util.logging.Logger;
+import javax.annotation.CheckForNull;
+import javax.annotation.Nonnull;
+
+/**
+ * Issues warnings about attempts to (de-)serialize anonymous, local, or synthetic classes.
+ * @see <a href="https://jenkins.io/redirect/serialization-of-anonymous-classes/">More information</a>
+ */
+public class AnonymousClassWarnings {
+
+    private static final Logger LOGGER = Logger.getLogger(AnonymousClassWarnings.class.getName());    
+    private static final Map<Class<?>, Boolean> checked = new WeakHashMap<>();
+
+    /**
+     * Checks a class which is being either serialized or deserialized.
+     * A warning will only be printed once per class per JVM session.
+     */
+    public static void check(@Nonnull Class<?> clazz) {
+        synchronized (checked) {
+            if (checked.containsKey(clazz)) {
+                return; // fast path
+            }
+        }
+        Channel channel = Channel.current();
+        if (channel == null) {
+            doCheck(clazz);
+        } else {
+            // May not call methods like Class#isAnonymousClass synchronously, since these can in turn trigger remote class loading.
+            try {
+                channel.executor.submit((Runnable) () -> doCheck(clazz));
+            } catch (RejectedExecutionException x) {
+                // never mind, we tried
+            }
+        }
+    }
+
+    private static void doCheck(@Nonnull Class<?> c) {
+        if (Enum.class.isAssignableFrom(c)) { // e.g., com.cloudbees.plugins.credentials.CredentialsScope$1 ~ CredentialsScope.SYSTEM
+            // ignore, enums serialize specially
+        } else if (c.isAnonymousClass()) { // e.g., pkg.Outer$1
+            warn(c, "anonymous");
+        } else if (c.isLocalClass()) { // e.g., pkg.Outer$1Local
+            warn(c, "local");
+        } else if (c.isSynthetic()) { // e.g., pkg.Outer$$Lambda$1/12345678
+            warn(c, "synthetic");
+        }
+    }
+
+    private static void warn(@Nonnull Class<?> c, String kind) {
+        String name = c.getName();
+        String codeSource = codeSource(c);
+        // Need to be very defensive about calling anything while holding this lock, lest we trigger class loading-related deadlocks.
+        boolean doWarn;
+        synchronized (checked) {
+            doWarn = checked.put(c, true) == null;
+        }
+        if (doWarn) {
+            if (codeSource == null) {
+                LOGGER.warning("Attempt to (de-)serialize " + kind + " class " + name + "; see: https://jenkins.io/redirect/serialization-of-anonymous-classes/");
+            } else {
+                // most easily tracked back to source using javap -classpath <location> -l '<name>'
+                LOGGER.warning("Attempt to (de-)serialize " + kind + " class " + name + " in " + codeSource + "; see: https://jenkins.io/redirect/serialization-of-anonymous-classes/");
+            }
+        }
+    }
+
+    private static @CheckForNull String codeSource(@Nonnull Class<?> c) {
+        CodeSource cs = c.getProtectionDomain().getCodeSource();
+        if (cs == null) {
+            return null;
+        }
+        URL loc = cs.getLocation();
+        if (loc == null) {
+            return null;
+        }
+        return loc.toString();
+    }
+
+    /**
+     * Like {@link ObjectOutputStream#ObjectOutputStream(OutputStream)} but applies {@link #check} when writing classes.
+     */
+    public static @Nonnull ObjectOutputStream checkingObjectOutputStream(@Nonnull OutputStream outputStream) throws IOException {
+        return new ObjectOutputStream(outputStream) {
+            @Override
+            protected void annotateClass(Class<?> c) throws IOException {
+                check(c);
+                super.annotateClass(c);
+            }
+        };
+    }
+
+    private AnonymousClassWarnings() {}
+
+}
diff --git a/src/main/java/org/jenkinsci/remoting/util/ByteBufferUtils.java b/src/main/java/org/jenkinsci/remoting/util/ByteBufferUtils.java
index c0d1477d5..28c416f28 100644
--- a/src/main/java/org/jenkinsci/remoting/util/ByteBufferUtils.java
+++ b/src/main/java/org/jenkinsci/remoting/util/ByteBufferUtils.java
@@ -26,6 +26,8 @@
 import java.nio.BufferOverflowException;
 import java.nio.BufferUnderflowException;
 import java.nio.ByteBuffer;
+import java.nio.charset.StandardCharsets;
+
 import org.jenkinsci.remoting.protocol.ProtocolLayer;
 
 /**
@@ -75,7 +77,7 @@ public static void put(ByteBuffer src, ByteBuffer dst) {
      * @param dst the destination.
      */
     public static void putUTF8(String src, ByteBuffer dst) {
-        byte[] bytes = src.getBytes(ProtocolLayer.UTF_8);
+        byte[] bytes = src.getBytes(StandardCharsets.UTF_8);
         if (bytes.length > 65535) {
             throw new IllegalArgumentException("UTF-8 encoded string must be less than 65536 bytes");
         }
@@ -106,7 +108,7 @@ public static String getUTF8(ByteBuffer src) {
         src.position(src.position() + 2);
         byte[] bytes = new byte[length];
         src.get(bytes);
-        return new String(bytes, ProtocolLayer.UTF_8);
+        return new String(bytes, StandardCharsets.UTF_8);
     }
 
     /**
@@ -116,7 +118,7 @@ public static String getUTF8(ByteBuffer src) {
      * @return a {@link ByteBuffer} containing the two byte length followed by the string encoded as UTF-8.
      */
     public static ByteBuffer wrapUTF8(String string) {
-        byte[] bytes = string.getBytes(ProtocolLayer.UTF_8);
+        byte[] bytes = string.getBytes(StandardCharsets.UTF_8);
         if (bytes.length > 65535) {
             throw new IllegalArgumentException("UTF-8 encoded string must be less than 65536 bytes");
         }
diff --git a/src/main/java/org/jenkinsci/remoting/util/Charsets.java b/src/main/java/org/jenkinsci/remoting/util/Charsets.java
index 9694380be..7f1e6f4ab 100644
--- a/src/main/java/org/jenkinsci/remoting/util/Charsets.java
+++ b/src/main/java/org/jenkinsci/remoting/util/Charsets.java
@@ -24,17 +24,20 @@
 package org.jenkinsci.remoting.util;
 
 import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
+
 import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.DoNotUse;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
 
 /**
  * Local implementation of standard charsets as the remoting library currently needs to be compiled against Java 6
  * signatures.
  *
- * @since FIXME
+ * @deprecated Use {@link StandardCharsets}
  */
-// TODO replace with StandardCharsets once Java 7
-@Restricted(NoExternalUse.class)
+@Deprecated
+@Restricted(DoNotUse.class)
 public final class Charsets {
     /**
      * Utility class.
@@ -46,26 +49,26 @@ private Charsets() {
     /**
      * Seven-bit ASCII.
      */
-    public static final Charset US_ASCII = Charset.forName("US-ASCII");
+    public static final Charset US_ASCII = StandardCharsets.US_ASCII;
     /**
      * ISO Latin Alphabet 1.
      */
-    public static final Charset ISO_8859_1 = Charset.forName("ISO-8859-1");
+    public static final Charset ISO_8859_1 = StandardCharsets.ISO_8859_1;
     /**
      * UTF-8.
      */
-    public static final Charset UTF_8 = Charset.forName("UTF-8");
+    public static final Charset UTF_8 = StandardCharsets.UTF_8;
     /**
      * Big-endian byte order UTF-16.
      */
-    public static final Charset UTF_16BE = Charset.forName("UTF-16BE");
+    public static final Charset UTF_16BE = StandardCharsets.UTF_16BE;
     /**
      * Little-endian byte order UTF-16.
      */
-    public static final Charset UTF_16LE = Charset.forName("UTF-16LE");
+    public static final Charset UTF_16LE = StandardCharsets.UTF_16LE;
     /**
      * Byte order mark detected UTF-16.
      */
-    public static final Charset UTF_16 = Charset.forName("UTF-16");
+    public static final Charset UTF_16 = StandardCharsets.UTF_16;
 
 }
diff --git a/src/main/java/org/jenkinsci/remoting/util/ExecutorServiceUtils.java b/src/main/java/org/jenkinsci/remoting/util/ExecutorServiceUtils.java
new file mode 100644
index 000000000..f37537c82
--- /dev/null
+++ b/src/main/java/org/jenkinsci/remoting/util/ExecutorServiceUtils.java
@@ -0,0 +1,166 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2017 CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package org.jenkinsci.remoting.util;
+
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.RejectedExecutionException;
+import javax.annotation.Nonnull;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+/**
+ * Helper class for {@link ExecutorService} operations.
+ * @author Oleg Nenashev
+ */
+@Restricted(NoExternalUse.class)
+public class ExecutorServiceUtils {
+    
+    private ExecutorServiceUtils() {
+        // The class cannot be constructed
+    }
+    
+    /**
+     * Submits a task to the executor service without further handling. 
+     * The original {@link ExecutorService#submit(java.lang.Runnable)} method actually expects this return value 
+     * to be handled, but this method explicitly relies on the external logic to handle the future operation.
+     * Use on your own risk.
+     * @param es Executor service
+     * @param runnable Operation to be executed
+     * @throws ExecutionRejectedException Execution is rejected by the executor service
+     */
+    @Nonnull
+    @SuppressFBWarnings(value = "RV_RETURN_VALUE_IGNORED_BAD_PRACTICE", 
+            justification = "User of this API explicitly submits the task in the async mode on his own risk")
+    public static void submitAsync(@Nonnull ExecutorService es, @Nonnull Runnable runnable) 
+            throws ExecutionRejectedException {
+        try {
+            es.submit(runnable);
+        } catch (RejectedExecutionException ex) {
+            // Rethrow and make API users handle this.
+            throw new ExecutionRejectedException(runnable, es, ex);
+        }
+    }
+    
+    /**
+     * Creates a runtime {@link RejectedExecutionException} for {@link ExecutionRejectedException}.
+     * This version takes the {@link ExecutionRejectedException#isFatal()} value into account
+     * and creates {@link FatalRejectedExecutionException} if required.
+     * @param message Message
+     * @param cause Base non-Runtime exception
+     * @return Created Runtime exception
+     */
+    @Nonnull
+    public static RejectedExecutionException createRuntimeException(
+            @Nonnull String message, 
+            @Nonnull ExecutionRejectedException cause) {
+        if (cause.isFatal()) {
+            return new FatalRejectedExecutionException(message, cause);
+        } else {
+            return new RejectedExecutionException(message, cause);
+        }
+    }
+    
+    /**
+     * Version of {@link RejectedExecutionException}, which treats the error as fatal.
+     * It means that the Executor Service will never accept this or any other task in the future.
+     */
+    @Restricted(NoExternalUse.class)
+    public static class FatalRejectedExecutionException extends RejectedExecutionException {
+
+        private static final long serialVersionUID = 1L;
+        
+        public FatalRejectedExecutionException(String message) {
+            super(message);
+        }
+        
+        public FatalRejectedExecutionException(String message, Throwable cause) {
+            super(message, cause);
+        }
+        
+        public FatalRejectedExecutionException(Throwable cause) {
+            super(cause);
+        }
+    }
+    
+    /**
+     * Wraps the runtime {@link RejectedExecutionException}.
+     * The exception also caches the serializable metadata.
+     */
+    @Restricted(NoExternalUse.class)
+    public static class ExecutionRejectedException extends Exception {
+
+        private static final long serialVersionUID = 1L;
+        private final String executorServiceDisplayName;
+        private final String runnableDisplayName;
+        private final boolean fatal;
+        
+        /**
+         * Constructor of the new exception.
+         * @param runnable Runnable, which has been rejected
+         * @param es Executor service, which rejected the exception
+         * @param message Message
+         * @param fatal Indicates if the issue is fatal.
+         *              Fatal issue means that the {@link ExecutorService} will never accept any other task,
+         *              e.g. due to the pending shutdown.
+         */
+        public ExecutionRejectedException(Runnable runnable, ExecutorService es, String message, boolean fatal) {
+            super(message);
+            this.executorServiceDisplayName = es.toString();
+            this.runnableDisplayName = es.toString();
+            this.fatal = fatal;
+        }
+        
+        /**
+         * Constructor of the new exception.
+         * @param runnable Runnable, which has been rejected
+         * @param es Executor service, which rejected the exception
+         * @param cause Cause passed as a runtime exception
+         */
+        public ExecutionRejectedException(Runnable runnable, ExecutorService es, RejectedExecutionException cause) {
+            super(cause);
+            this.executorServiceDisplayName = es.toString();
+            this.runnableDisplayName = es.toString();
+            this.fatal = cause instanceof FatalRejectedExecutionException;
+        }
+
+        public String getExecutorServiceDisplayName() {
+            return executorServiceDisplayName;
+        }
+
+        public String getRunnableDisplayName() {
+            return runnableDisplayName;
+        }
+
+        /**
+         * Checks if the issue is fatal.
+         * @return If {@code true}, the {@link ExecutorService} will never accept any other task
+         */
+        public boolean isFatal() {
+            return fatal;
+        }
+        
+        //TODO: inject the metadata into the toString() call?
+    }
+}
diff --git a/src/main/java/org/jenkinsci/remoting/util/LoggingChannelListener.java b/src/main/java/org/jenkinsci/remoting/util/LoggingChannelListener.java
new file mode 100644
index 000000000..491ea3052
--- /dev/null
+++ b/src/main/java/org/jenkinsci/remoting/util/LoggingChannelListener.java
@@ -0,0 +1,85 @@
+/*
+ * The MIT License
+ *
+ * Copyright 2018 CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package org.jenkinsci.remoting.util;
+
+import hudson.remoting.Channel;
+import hudson.remoting.Command;
+import hudson.remoting.Request;
+import hudson.remoting.Response;
+import java.io.File;
+import java.io.IOException;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+/**
+ * Channel listener which merely formats events to a logger.
+ * @since 3.17
+ */
+public class LoggingChannelListener extends Channel.Listener {
+
+    @SuppressWarnings("NonConstantLogger")
+    private final Logger logger;
+    private final Level level;
+
+    public LoggingChannelListener(Logger logger, Level level) {
+        this.logger = logger;
+        this.level = level;
+    }
+
+    @Override
+    public void onClosed(Channel channel, IOException cause) {
+        if (logger.isLoggable(level)) {
+            logger.log(level, null, cause);
+        }
+    }
+
+    @Override
+    public void onRead(Channel channel, Command cmd, long blockSize) {
+        if (logger.isLoggable(level)) {
+            logger.log(level, channel.getName() + " read " + blockSize + ": " + cmd);
+        }
+    }
+
+    @Override
+    public void onWrite(Channel channel, Command cmd, long blockSize) {
+        if (logger.isLoggable(level)) {
+            logger.log(level, channel.getName() + " wrote " + blockSize + ": " + cmd);
+        }
+    }
+
+    @Override
+    public void onResponse(Channel channel, Request<?, ?> req, Response<?, ?> rsp, long totalTime) {
+        if (logger.isLoggable(level)) {
+            logger.log(level, channel.getName() + " received response in " + totalTime / 1_000_000 + "ms: " + req);
+        }
+    }
+
+    @Override
+    public void onJar(Channel channel, File jar) {
+        if (logger.isLoggable(level)) {
+            logger.log(level, channel.getName() + " sending " + jar + " of length " + jar.length());
+        }
+    }
+}
diff --git a/src/main/java/org/jenkinsci/remoting/util/PathUtils.java b/src/main/java/org/jenkinsci/remoting/util/PathUtils.java
new file mode 100644
index 000000000..d2c31cd32
--- /dev/null
+++ b/src/main/java/org/jenkinsci/remoting/util/PathUtils.java
@@ -0,0 +1,62 @@
+/*
+ *
+ * The MIT License
+ *
+ * Copyright (c) 2017 CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ *  The above copyright notice and this permission notice shall be included in
+ *  all copies or substantial portions of the Software.
+ *
+ *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ *  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ *  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ *  THE SOFTWARE.
+ *
+ */
+
+package org.jenkinsci.remoting.util;
+
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+import javax.annotation.Nonnull;
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.InvalidPathException;
+import java.nio.file.Path;
+
+/**
+ * Utilities for {@link Path} handling.
+ */
+@Restricted(NoExternalUse.class)
+public class PathUtils {
+
+    private PathUtils() {}
+
+    /**
+     * Converts {@link File} to {@link Path} and checks runtime exceptions.
+     * @param file File
+     * @return Resulting path
+     * @throws IOException Conversion error caused by {@link InvalidPathException}
+     * @since TODO
+     */
+    @Nonnull
+    @Restricted(NoExternalUse.class)
+    public static Path fileToPath(@Nonnull File file) throws IOException {
+        try {
+            return file.toPath();
+        } catch (InvalidPathException ex) {
+            throw new IOException(ex);
+        }
+    }
+}
diff --git a/src/main/java/org/jenkinsci/remoting/util/https/NoCheckHostnameVerifier.java b/src/main/java/org/jenkinsci/remoting/util/https/NoCheckHostnameVerifier.java
new file mode 100644
index 000000000..943bb0274
--- /dev/null
+++ b/src/main/java/org/jenkinsci/remoting/util/https/NoCheckHostnameVerifier.java
@@ -0,0 +1,45 @@
+/*
+ *
+ * The MIT License
+ *
+ * Copyright (c) 2017 CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ *  The above copyright notice and this permission notice shall be included in
+ *  all copies or substantial portions of the Software.
+ *
+ *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ *  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ *  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ *  THE SOFTWARE.
+ *
+ */
+
+package org.jenkinsci.remoting.util.https;
+
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLSession;
+
+/**
+ * Hostname verifier, which accepts any hostname.
+ */
+@Restricted(NoExternalUse.class)
+public class NoCheckHostnameVerifier implements HostnameVerifier {
+
+    @Override
+    public boolean verify(String s, SSLSession sslSession) {
+        return true;
+    }
+}
diff --git a/src/main/java/org/jenkinsci/remoting/util/https/NoCheckTrustManager.java b/src/main/java/org/jenkinsci/remoting/util/https/NoCheckTrustManager.java
new file mode 100644
index 000000000..18f9909fa
--- /dev/null
+++ b/src/main/java/org/jenkinsci/remoting/util/https/NoCheckTrustManager.java
@@ -0,0 +1,50 @@
+/*
+ *
+ * The MIT License
+ *
+ * Copyright (c) 2016- CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ *  The above copyright notice and this permission notice shall be included in
+ *  all copies or substantial portions of the Software.
+ *
+ *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ *  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ *  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ *  THE SOFTWARE.
+ *
+ */
+
+package org.jenkinsci.remoting.util.https;
+
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+import javax.net.ssl.X509TrustManager;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+/**
+ * {@link X509TrustManager} that performs no check at all.
+ */
+@Restricted(NoExternalUse.class)
+public class NoCheckTrustManager implements X509TrustManager {
+    public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
+    }
+
+    public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
+    }
+
+    public X509Certificate[] getAcceptedIssuers() {
+        return new X509Certificate[0];
+    }
+}
diff --git a/src/test/java/hudson/remoting/ChannelFilterTest.java b/src/test/java/hudson/remoting/ChannelFilterTest.java
index 657becddd..49669da41 100644
--- a/src/test/java/hudson/remoting/ChannelFilterTest.java
+++ b/src/test/java/hudson/remoting/ChannelFilterTest.java
@@ -62,11 +62,20 @@ public <V, T extends Throwable> hudson.remoting.Callable<V, T> userRequest(hudso
         try {
             channel.call(new ReverseGunImporter());
             fail("should have failed");
-        } catch (SecurityException e) {
-            assertEquals("Rejecting "+GunImporter.class.getName(),e.getMessage());
+        } catch (Exception e) {
+            assertEquals("Rejecting "+GunImporter.class.getName(), findSecurityException(e).getMessage());
 //            e.printStackTrace();
         }
     }
+    private static SecurityException findSecurityException(Throwable x) {
+        if (x instanceof SecurityException) {
+            return (SecurityException) x;
+        } else if (x == null) {
+            throw new AssertionError("no SecurityException detected");
+        } else {
+            return findSecurityException(x.getCause());
+        }
+    }
 
     /*
         Option 1:
@@ -86,7 +95,7 @@ public String call() {
 
     static class ReverseGunImporter extends CallableBase<String, Exception> {
         public String call() throws Exception {
-            return Channel.current().call(new GunImporter());
+            return Channel.currentOrFail().call(new GunImporter());
         }
     }
 }
diff --git a/src/test/java/hudson/remoting/ChannelTest.java b/src/test/java/hudson/remoting/ChannelTest.java
index 4eb53febf..5aaf1639a 100644
--- a/src/test/java/hudson/remoting/ChannelTest.java
+++ b/src/test/java/hudson/remoting/ChannelTest.java
@@ -1,23 +1,29 @@
 package hudson.remoting;
 
 import hudson.remoting.util.GCTask;
+import org.jenkinsci.remoting.SerializableOnlyOverRemoting;
 import org.jvnet.hudson.test.Bug;
 
 import java.io.IOException;
 import java.io.ObjectInputStream;
+import java.io.ObjectStreamException;
 import java.io.PrintWriter;
-import java.io.Serializable;
 import java.io.StringWriter;
-import java.lang.reflect.Proxy;
 import java.net.URL;
 import java.net.URLClassLoader;
+import java.util.ArrayList;
+import java.util.Collection;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import java.util.concurrent.TimeUnit;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import javax.annotation.Nonnull;
 import static junit.framework.TestCase.assertFalse;
 import static junit.framework.TestCase.assertTrue;
+
 import org.jenkinsci.remoting.RoleChecker;
+import org.jvnet.hudson.test.Issue;
 
 /**
  * @author Kohsuke Kawaguchi
@@ -121,7 +127,7 @@ public void testWaitForRemoteProperty() throws Exception {
     private static class WaitForRemotePropertyCallable extends CallableBase<Void, Exception> {
         public Void call() throws Exception {
             Thread.sleep(500);
-            Channel.current().setProperty("foo","bar");
+            getChannelOrFail().setProperty("foo","bar");
             return null;
         }
     }
@@ -130,14 +136,14 @@ public interface Greeter {
         void greet(String name);
     }
 
-    private static class GreeterImpl implements Greeter, Serializable {
+    private static class GreeterImpl implements Greeter, SerializableOnlyOverRemoting {
         String name;
         public void greet(String name) {
             this.name = name;
         }
 
-        private Object writeReplace() {
-            return Channel.current().export(Greeter.class,this);
+        private Object writeReplace() throws ObjectStreamException {
+            return getChannelForSerialization().export(Greeter.class,this);
         }
     }
 
@@ -183,6 +189,39 @@ public void testDiagnostics() throws Exception {
         assertTrue(sw.toString().contains("Commands sent=0"));
         assertTrue(sw.toString().contains("Commands received=0"));
     }
+
+    public void testCallSiteStacktrace() throws Exception {
+        try {
+            failRemotelyToBeWrappedLocally();
+            fail();
+        } catch (Exception e) {
+            assertEquals("Local Nested", e.getMessage());
+            assertEquals(Exception.class, e.getClass());
+            Throwable cause = e.getCause();
+            assertEquals("Node Nested", cause.getMessage());
+            assertEquals(IOException.class, cause.getClass());
+            Throwable rootCause = cause.getCause();
+            assertEquals("Node says hello!", rootCause.getMessage());
+            assertEquals(RuntimeException.class, rootCause.getClass());
+            Throwable callSite = cause.getSuppressed()[0];
+            assertEquals("Remote call to north", callSite.getMessage());
+            assertEquals("hudson.remoting.Channel$CallSiteStackTrace", callSite.getClass().getName());
+        }
+    }
+
+    private void failRemotelyToBeWrappedLocally() throws Exception {
+        try {
+            channel.call(new ThrowingCallable());
+        } catch (IOException e) {
+            throw new Exception("Local Nested", e);
+        }
+    }
+
+    private static class ThrowingCallable extends CallableBase<Void, IOException> {
+        @Override public Void call() throws IOException {
+            throw new IOException("Node Nested", new RuntimeException("Node says hello!"));
+        }
+    }
     
     /**
      * Checks if {@link UserRequest}s can be executed during the pending close operation.
@@ -206,7 +245,57 @@ public void testShouldNotAcceptUserRequestsWhenIsBeingClosed() throws Exception
             assertFailsWithChannelClosedException(TestRunnable.forUserRequest_callAsync(delayedRequest, testPayload));
         }
     }
-    
+
+    /**
+     * Checks if {@link UserRequest}s can be executed during the pending close operation.
+     * @throws Exception Test Error
+     */
+    @Issue("JENKINS-45294")
+    public void testShouldNotAcceptUserRPCRequestsWhenIsBeingClosed() throws Exception {
+
+        Collection<String> src = new ArrayList<>();
+        src.add("Hello");
+        src.add("World");
+
+        //TODO: System request will just hang. Once JENKINS-44785 is implemented, all system requests
+        // in Remoting codebase must have a timeout.
+        final Collection remoteList = channel.call(new RMIObjectExportedCallable<>(src, Collection.class, true));
+
+        try (ChannelCloseLock lock = new ChannelCloseLock(channel)) {
+            // Call Async
+            assertFailsWithChannelClosedException(new TestRunnable() {
+                @Override
+                public void run(Channel channel) throws Exception, AssertionError {
+                    remoteList.size();
+                }
+            });
+        }
+    }
+
+    private static class RMIObjectExportedCallable<TInterface> implements Callable<TInterface, Exception> {
+
+        private final TInterface object;
+        private final Class<TInterface> clazz;
+        private final boolean userSpace;
+
+        RMIObjectExportedCallable(TInterface object, Class<TInterface> clazz, boolean userSpace) {
+            this.object = object;
+            this.clazz = clazz;
+            this.userSpace = userSpace;
+        }
+
+        @Override
+        public TInterface call() throws Exception {
+            // UserProxy is used only for the user space, otherwise it will be wrapped into UserRequest
+            return Channel.current().export(clazz, object, userSpace, userSpace, true);
+        }
+
+        @Override
+        public void checkRoles(RoleChecker checker) throws SecurityException {
+
+        }
+    }
+
     private static final class NeverEverCallable implements Callable<Void, Exception> {
 
         private static final long serialVersionUID = 1L;
@@ -326,11 +415,13 @@ private void assertFailsWithChannelClosedException(TestRunnable call) throws Ass
         try {
             call.run(channel);
         } catch(Exception ex) {
-            if (ex instanceof ChannelClosedException) {
+            Logger.getLogger(ChannelTest.class.getName()).log(Level.WARNING, "Call execution failed with exception", ex);
+            Throwable cause = ex instanceof RemotingSystemException ? ex.getCause() : ex;
+            if (cause instanceof ChannelClosedException) {
                 // Fine
                 return;
             } else {
-                throw new AssertionError("Expected ChannelClosedException, but got another exception", ex);
+                throw new AssertionError("Expected ChannelClosedException, but got another exception", cause);
             }
         }
         fail("Expected ChannelClosedException, but the call has completed without any exception");
diff --git a/src/test/java/hudson/remoting/ChecksumTest.java b/src/test/java/hudson/remoting/ChecksumTest.java
index 4eddacb9f..4b52e2929 100644
--- a/src/test/java/hudson/remoting/ChecksumTest.java
+++ b/src/test/java/hudson/remoting/ChecksumTest.java
@@ -3,7 +3,6 @@
 import com.google.common.hash.HashCode;
 import com.google.common.hash.Hashing;
 import com.google.common.io.Files;
-import org.jenkinsci.remoting.util.Charsets;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.TemporaryFolder;
@@ -12,6 +11,7 @@
 import java.io.DataInputStream;
 import java.io.File;
 import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
@@ -47,7 +47,7 @@ public void testForFileAndURL() throws Exception {
 
     private File createTmpFile(String name, String contents) throws Exception {
         File tmpFile = tmp.newFile(name);
-        Files.append(contents, tmpFile, Charsets.UTF_8);
+        Files.append(contents, tmpFile, StandardCharsets.UTF_8);
         return tmpFile;
     }
 
diff --git a/src/test/java/hudson/remoting/ClassFilterTest.java b/src/test/java/hudson/remoting/ClassFilterTest.java
index 08f9845a5..07fba2d90 100644
--- a/src/test/java/hudson/remoting/ClassFilterTest.java
+++ b/src/test/java/hudson/remoting/ClassFilterTest.java
@@ -2,6 +2,7 @@
 
 import hudson.remoting.Channel.Mode;
 import hudson.remoting.CommandTransport.CommandReceiver;
+import org.jenkinsci.remoting.SerializableOnlyOverRemoting;
 import org.jenkinsci.remoting.nio.NioChannelBuilder;
 import org.junit.After;
 import org.junit.Test;
@@ -47,7 +48,7 @@ public class ClassFilterTest implements Serializable {
 
     private static class TestFilter extends ClassFilter {
         @Override
-        protected boolean isBlacklisted(String name) {
+        public boolean isBlacklisted(String name) {
             return name.contains("Security218");
         }
     }
@@ -159,13 +160,7 @@ private void userRequestTestSequence() throws Exception {
      */
     private void fire(String name, Channel from) throws Exception {
         final Security218 a = new Security218(name);
-        from.call(new CallableBase<Void, IOException>() {
-            @Override
-            public Void call() throws IOException {
-                a.toString();   // this will ensure 'a' gets sent over
-                return null;
-            }
-        });
+        from.call(new Security218Callable(a));
     }
 
     /**
@@ -250,7 +245,7 @@ private String toString(Throwable t) {
      * An attack payload that leaves a trace on the receiver side if it gets read from the stream.
      * Extends from {@link Command} to be able to test command stream.
      */
-    static class Security218 extends Command implements Serializable {
+    static class Security218 extends Command implements SerializableOnlyOverRemoting {
         private final String attack;
 
         public Security218(String attack) {
@@ -259,13 +254,18 @@ public Security218(String attack) {
 
         private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
             ois.defaultReadObject();
-            System.setProperty("attack", attack + ">" + Channel.current().getName());
+            System.setProperty("attack", attack + ">" + getChannelForSerialization().getName());
         }
 
         @Override
         protected void execute(Channel channel) {
             // nothing to do here
         }
+
+        @Override
+        public String toString() {
+            return "Security218";
+        }
     }
 
     private String getAttack() {
@@ -275,4 +275,18 @@ private String getAttack() {
     private void clearRecord() {
         System.setProperty("attack", "");
     }
+
+    private static class Security218Callable extends CallableBase<Void, IOException> {
+        private final Security218 a;
+
+        public Security218Callable(Security218 a) {
+            this.a = a;
+        }
+
+        @Override
+        public Void call() throws IOException {
+            a.toString();   // this will ensure 'a' gets sent over
+            return null;
+        }
+    }
 }
\ No newline at end of file
diff --git a/src/test/java/hudson/remoting/ClassRemotingTest.java b/src/test/java/hudson/remoting/ClassRemotingTest.java
index 447bf02c3..b990c92ac 100644
--- a/src/test/java/hudson/remoting/ClassRemotingTest.java
+++ b/src/test/java/hudson/remoting/ClassRemotingTest.java
@@ -204,7 +204,7 @@ public static Test suite() throws Exception {
 
     private static class RemotePropertyVerifier extends CallableBase<Object, IOException> {
         public Object call() throws IOException {
-            Object o = Channel.current().getRemoteProperty("test");
+            Object o = getOpenChannelOrFail().getRemoteProperty("test");
             assertEquals(o.getClass().getName(), CLASSNAME);
             assertTrue(Channel.class.getClassLoader() != o.getClass().getClassLoader());
             assertTrue(o.getClass().getClassLoader() instanceof RemoteClassLoader);
diff --git a/src/test/java/hudson/remoting/DeadRemoteOutputStreamTest.java b/src/test/java/hudson/remoting/DeadRemoteOutputStreamTest.java
index c946aabf2..304064a1c 100644
--- a/src/test/java/hudson/remoting/DeadRemoteOutputStreamTest.java
+++ b/src/test/java/hudson/remoting/DeadRemoteOutputStreamTest.java
@@ -24,29 +24,37 @@ public void write(int b) throws IOException {
             }
         });
 
-        channel.call(new CallableBase<Void, Exception>() {
-            public Void call() throws Exception {
-                os.write(0); // this write will go through because we won't notice that it's dead
-                System.gc();
-                Thread.sleep(1000);
-
-                try {
-                    for (int i=0; i<100; i++) {
-                        os.write(0);
-                        System.gc();
-                        Thread.sleep(10);
-                    }
-                    fail("Expected to see the failure");
-                } catch (IOException e) {
-                    StringWriter sw = new StringWriter();
-                    e.printStackTrace(new PrintWriter(sw));
-                    String whole = sw.toString();
-                    assertTrue(whole, whole.contains(MESSAGE) && whole.contains("hudson.rem0ting.TestCallable"));
-                }
-                return null;
-            }
-        });
+        channel.call(new DeadWriterCallable(os));
     }
 
     public static final String MESSAGE = "dead man walking";
+
+    private static class DeadWriterCallable extends CallableBase<Void, Exception> {
+        private final OutputStream os;
+
+        public DeadWriterCallable(OutputStream os) {
+            this.os = os;
+        }
+
+        public Void call() throws Exception {
+            os.write(0); // this write will go through because we won't notice that it's dead
+            System.gc();
+            Thread.sleep(1000);
+
+            try {
+                for (int i=0; i<100; i++) {
+                    os.write(0);
+                    System.gc();
+                    Thread.sleep(10);
+                }
+                fail("Expected to see the failure");
+            } catch (IOException e) {
+                StringWriter sw = new StringWriter();
+                e.printStackTrace(new PrintWriter(sw));
+                String whole = sw.toString();
+                assertTrue(whole, whole.contains(MESSAGE) && whole.contains("hudson.rem0ting.TestCallable"));
+            }
+            return null;
+        }
+    }
 }
diff --git a/src/test/java/hudson/remoting/FileSystemJarCacheTest.java b/src/test/java/hudson/remoting/FileSystemJarCacheTest.java
index c06eb3a33..e92eb1833 100644
--- a/src/test/java/hudson/remoting/FileSystemJarCacheTest.java
+++ b/src/test/java/hudson/remoting/FileSystemJarCacheTest.java
@@ -3,7 +3,6 @@
 import com.google.common.hash.Hashing;
 import com.google.common.io.Files;
 import org.hamcrest.core.StringContains;
-import org.jenkinsci.remoting.util.Charsets;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
@@ -19,6 +18,7 @@
 import java.io.FileWriter;
 import java.io.IOException;
 import java.net.URL;
+import java.nio.charset.StandardCharsets;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
@@ -54,7 +54,7 @@ public void setUp() throws Exception {
         fileSystemJarCache = new FileSystemJarCache(tmp.getRoot(), true);
 
         expectedChecksum = ChecksumTest.createdExpectedChecksum(
-                Hashing.sha256().hashBytes(CONTENTS.getBytes(Charsets.UTF_8)));
+                Hashing.sha256().hashBytes(CONTENTS.getBytes(StandardCharsets.UTF_8)));
     }
 
     @Test
@@ -92,7 +92,7 @@ public void testRetrieveChecksumDifferent() throws Exception {
             @Override
             public Void answer(InvocationOnMock invocationOnMock) throws Throwable {
                 RemoteOutputStream o = (RemoteOutputStream) invocationOnMock.getArguments()[2];
-                o.write("Some other contents".getBytes(Charsets.UTF_8));
+                o.write("Some other contents".getBytes(StandardCharsets.UTF_8));
                 return null;
             }
         }).when(mockJarLoader).writeJarTo(
@@ -162,7 +162,7 @@ public void testRenameFailsAndBadPreviousTarget() throws Exception {
             public Boolean answer(InvocationOnMock invocationOnMock) throws Throwable {
                 Files.createParentDirs(expectedFile);
                 expectedFile.createNewFile();
-                Files.append("Some other contents", expectedFile, Charsets.UTF_8);
+                Files.append("Some other contents", expectedFile, StandardCharsets.UTF_8);
                 return false;
             }
         }).when(fileSpy).renameTo(expectedFile);
@@ -180,7 +180,7 @@ private void mockCorrectLoad() throws IOException, InterruptedException {
             @Override
             public Void answer(InvocationOnMock invocationOnMock) throws Throwable {
                 RemoteOutputStream o = (RemoteOutputStream) invocationOnMock.getArguments()[2];
-                o.write(CONTENTS.getBytes(Charsets.UTF_8));
+                o.write(CONTENTS.getBytes(StandardCharsets.UTF_8));
                 return null;
             }
         }).when(mockJarLoader).writeJarTo(
diff --git a/src/test/java/hudson/remoting/NoProxyEvaluatorTest.java b/src/test/java/hudson/remoting/NoProxyEvaluatorTest.java
new file mode 100644
index 000000000..bc6d9909a
--- /dev/null
+++ b/src/test/java/hudson/remoting/NoProxyEvaluatorTest.java
@@ -0,0 +1,251 @@
+package hudson.remoting;
+
+import org.junit.Ignore;
+import org.junit.Test;
+
+import static org.junit.Assert.*;
+
+public class NoProxyEvaluatorTest {
+
+    @Test
+    public void testWrongIPV4() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator("127.0.0.1");
+
+        assertTrue(evaluator.shouldProxyHost("10.0.0.1"));
+    }
+
+    @Test
+    public void testIPV6() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator("2001:0db8:85a3:0000:0000:8a2e:0370:7334");
+        assertFalse(evaluator.shouldProxyHost("2001:0db8:85a3:0000:0000:8a2e:0370:7334"));
+    }
+
+    @Test
+    public void testWrongIPV6() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator("0:0:0:0:0:0:0:1");
+
+        assertTrue(evaluator.shouldProxyHost("2001:0db8:85a3:0000:0000:8a2e:0370:7334"));
+    }
+
+    @Test
+    public void testFQDN() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator("foobar.com");
+
+        assertFalse(evaluator.shouldProxyHost("foobar.com"));
+        assertFalse(evaluator.shouldProxyHost("sub.foobar.com"));
+        assertFalse(evaluator.shouldProxyHost("sub.sub.foobar.com"));
+
+        assertTrue(evaluator.shouldProxyHost("foobar.org"));
+        assertTrue(evaluator.shouldProxyHost("jenkins.com"));
+    }
+
+    @Test
+    public void testSubFQDN() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator("sub.foobar.com");
+
+        assertFalse(evaluator.shouldProxyHost("sub.foobar.com"));
+        assertFalse(evaluator.shouldProxyHost("sub.sub.foobar.com"));
+
+        assertTrue(evaluator.shouldProxyHost("foobar.com"));
+    }
+
+    @Test
+    public void testFQDNWithDot() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator(".foobar.com");
+
+        assertFalse(evaluator.shouldProxyHost("foobar.com"));
+        assertFalse(evaluator.shouldProxyHost("sub.foobar.com"));
+        assertFalse(evaluator.shouldProxyHost("sub.sub.foobar.com"));
+
+        assertTrue(evaluator.shouldProxyHost("foobar.org"));
+        assertTrue(evaluator.shouldProxyHost("jenkins.com"));
+    }
+
+    @Test
+    public void testSubFQDNWithDot() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator(".sub.foobar.com");
+
+        assertFalse(evaluator.shouldProxyHost("sub.foobar.com"));
+        assertFalse(evaluator.shouldProxyHost("sub.sub.foobar.com"));
+
+        assertTrue(evaluator.shouldProxyHost("foobar.com"));
+    }
+
+    @Test
+    public void testSubFWDNWithDotMinimalSuffix() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator(".svc");
+
+        assertFalse(evaluator.shouldProxyHost("bn-myproj.svc"));
+    }
+
+    @Test
+    public void testSubFWDNWithDotMinimalSuffixMixedCase() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator(".svc,.default,.local,localhost,.boehringer.com,10.250.0.0/16,10.251.0.0/16,10.183.195.106,10.183.195.107,10.183.195.108,10.183.195.109,10.183.195.11,10.183.195.111,10.183.195.112,10.183.195.113,10.183.195.13,10.250.127.");
+
+        assertFalse(evaluator.shouldProxyHost("bn-myproj.svc"));
+    }
+
+    @Test
+    public void testWithInvalidCharsMatching() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator("foo+.co=m");
+
+        assertFalse(evaluator.shouldProxyHost("foo+.co=m"));
+    }
+
+    @Test
+    public void testWithInvalidCharsNonMatching() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator("foo+.co=m");
+
+        assertTrue(evaluator.shouldProxyHost("foo.com"));
+    }
+
+    @Test
+    public void testMixed() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator(" 127.0.0.1,  0:0:0:0:0:0:0:1,\tfoobar.com, .jenkins.com");
+
+        assertFalse(evaluator.shouldProxyHost("127.0.0.1"));
+        assertFalse(evaluator.shouldProxyHost("0:0:0:0:0:0:0:1"));
+        assertFalse(evaluator.shouldProxyHost("foobar.com"));
+        assertFalse(evaluator.shouldProxyHost("sub.foobar.com"));
+        assertFalse(evaluator.shouldProxyHost("sub.jenkins.com"));
+
+        assertTrue(evaluator.shouldProxyHost("foobar.org"));
+        assertTrue(evaluator.shouldProxyHost("jenkins.org"));
+        assertTrue(evaluator.shouldProxyHost("sub.foobar.org"));
+        assertTrue(evaluator.shouldProxyHost("sub.jenkins.org"));
+    }
+
+    @Test
+    public void testSimpleHostname() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator("jenkinsmaster");
+
+        assertFalse(evaluator.shouldProxyHost("jenkinsmaster"));
+    }
+
+    @Test
+    public void testIPv4Loopback() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator(null);
+
+        assertFalse(evaluator.shouldProxyHost("127.0.0.1"));
+    }
+
+    @Test
+    public void testIPv6LoopbackAbbreviated() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator(null);
+
+        assertFalse(evaluator.shouldProxyHost("::1"));
+    }
+
+    @Test
+    public void testIPv6LoopbackFullLength() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator(null);
+
+        assertFalse(evaluator.shouldProxyHost("0000:0000:0000:0000:0000:0000:0000:0001"));
+    }
+
+    @Test
+    public void testLocalhost() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator(null);
+
+        assertFalse(evaluator.shouldProxyHost("localhost"));
+    }
+
+    @Test
+    public void testNullSpecification() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator(null);
+
+        assertTrue(evaluator.shouldProxyHost("jenkins.io"));
+    }
+
+    @Test
+    public void testEmptySpecification() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator("");
+
+        assertTrue(evaluator.shouldProxyHost("jenkins.io"));
+    }
+
+    @Test
+    public void testBlankSpecification() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator("    ");
+
+        assertTrue(evaluator.shouldProxyHost("jenkins.io"));
+    }
+
+    @Test(expected = NullPointerException.class)
+    public void testNullHost() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator("jenkins.io");
+
+        assertTrue(evaluator.shouldProxyHost(null));
+    }
+
+    @Test
+    public void testEmptyHost() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator("jenkins.io");
+
+        assertTrue(evaluator.shouldProxyHost(""));
+    }
+
+    @Test
+    public void testBlankHost() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator("jenkins.io");
+
+        assertTrue(evaluator.shouldProxyHost("     "));
+    }
+
+    @Test
+    public void testCidrWithin() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator("1.232.12.0/20");
+
+        assertFalse(evaluator.shouldProxyHost("1.232.12.3"));
+    }
+
+    @Test
+    public void testCidrBelow() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator("1.232.12.0/20");
+
+        assertFalse(evaluator.shouldProxyHost("1.232.11.3"));
+    }
+
+    @Test
+    public void testCidrAbove() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator("1.232.12.0/24");
+
+        assertTrue(evaluator.shouldProxyHost("1.232.13.3"));
+    }
+
+    @Test
+    public void testJavaStyleSeparator() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator("foobar.com| .jenkins.io");
+
+        assertFalse(evaluator.shouldProxyHost("sub.foobar.com"));
+        assertFalse(evaluator.shouldProxyHost("repo.jenkins.io"));
+        assertTrue(evaluator.shouldProxyHost("foo.com"));
+    }
+
+    @Test
+    public void testMixedSeparators() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator("foobar.com| .jenkins.io,fred.com");
+
+        assertFalse(evaluator.shouldProxyHost("sub.fred.com"));
+        assertTrue(evaluator.shouldProxyHost("sub.foobar.com"));
+        assertTrue(evaluator.shouldProxyHost("repo.jenkins.io"));
+        assertTrue(evaluator.shouldProxyHost("foo.com"));
+    }
+
+    @Test
+    public void testIPv6Full() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator("2001:0db8:0a0b:12f0:0000:0000:0000:0001");
+
+        assertFalse(evaluator.shouldProxyHost("2001:0db8:0a0b:12f0:0000:0000:0000:0001"));
+        assertFalse(evaluator.shouldProxyHost("2001:0db8:0a0b:12f0::0001"));
+    }
+
+    @Test
+    public void testIPv6Compressed() {
+        NoProxyEvaluator evaluator = new NoProxyEvaluator("2001:0db8:0a0b:12f0::0001");
+
+        assertFalse(evaluator.shouldProxyHost("2001:0db8:0a0b:12f0:0000:0000:0000:0001"));
+        assertFalse(evaluator.shouldProxyHost("2001:0db8:0a0b:12f0::0001"));
+    }
+
+}
\ No newline at end of file
diff --git a/src/test/java/hudson/remoting/PipeTest.java b/src/test/java/hudson/remoting/PipeTest.java
index 7d7b118ae..6d0e7c3bb 100644
--- a/src/test/java/hudson/remoting/PipeTest.java
+++ b/src/test/java/hudson/remoting/PipeTest.java
@@ -197,7 +197,7 @@ public CreateSaturationTestProxy(Pipe pipe) {
         }
 
         public ISaturationTest call() throws IOException {
-            return Channel.current().export(ISaturationTest.class, new ISaturationTest() {
+            return Channel.currentOrFail().export(ISaturationTest.class, new ISaturationTest() {
                 private InputStream in;
                 public void ensureConnected() throws IOException {
                     in = pipe.getIn();
@@ -222,7 +222,12 @@ public ReadingCallable(Pipe pipe) {
         }
 
         public Integer call() throws IOException {
-            read(pipe);
+            try {
+                read(pipe);
+            } catch(AssertionError ex) {
+                // Propagate the assetion to the remote side
+                throw new IOException("Assertion failed", ex);
+            }
             return 5;
         }
 
@@ -238,12 +243,13 @@ private static void write(Pipe pipe) throws IOException {
         os.close();
     }
 
-    private static void read(Pipe p) throws IOException {
-        InputStream in = p.getIn();
-        for( int cnt=0; cnt<256*256; cnt++ )
-            assertEquals(cnt/256,in.read());
-        assertEquals(-1,in.read());
-        in.close();
+    private static void read(Pipe p) throws IOException, AssertionError {
+        try (InputStream in = p.getIn()) {
+            for( int cnt=0; cnt<256*256; cnt++ ) {
+                assertEquals(cnt/256,in.read());
+            }
+            assertEquals(-1,in.read());
+        }
     }
 
 
@@ -260,13 +266,7 @@ public void _testSendBigStuff() throws Exception {
      */
     public void testQuickBurstWrite() throws Exception {
         final Pipe p = Pipe.createLocalToRemote();
-        Future<Integer> f = channel.callAsync(new CallableBase<Integer, IOException>() {
-            public Integer call() throws IOException {
-                ByteArrayOutputStream baos = new ByteArrayOutputStream();
-                IOUtils.copy(p.getIn(), baos);
-                return baos.size();
-            }
-        });
+        Future<Integer> f = channel.callAsync(new QuickBurstCallable(p));
         OutputStream os = p.getOut();
         os.write(1);
         os.close();
@@ -291,4 +291,18 @@ public static Test suite() throws Exception {
     private Object writeReplace() {
         return null;
     }
+
+    private static class QuickBurstCallable extends CallableBase<Integer, IOException> {
+        private final Pipe p;
+
+        public QuickBurstCallable(Pipe p) {
+            this.p = p;
+        }
+
+        public Integer call() throws IOException {
+            ByteArrayOutputStream baos = new ByteArrayOutputStream();
+            IOUtils.copy(p.getIn(), baos);
+            return baos.size();
+        }
+    }
 }
diff --git a/src/test/java/hudson/remoting/PipeWriterTest.java b/src/test/java/hudson/remoting/PipeWriterTest.java
index 53f6dbacc..44897de69 100644
--- a/src/test/java/hudson/remoting/PipeWriterTest.java
+++ b/src/test/java/hudson/remoting/PipeWriterTest.java
@@ -23,7 +23,8 @@ public class PipeWriterTest extends RmiTestBase implements Serializable, PipeWri
     @Override
     protected void setUp() throws Exception {
         super.setUp();
-        checker = channel.export(PipeWriterTestChecker.class, this, false);
+        // Checker operates using the user-space RMI
+        checker = channel.export(PipeWriterTestChecker.class, this, false, true, true);
     }
 
     /**
@@ -74,11 +75,7 @@ public void run() {
      * coordinated.
      */
     public void testResponseIoCoord() throws Exception {
-        channel.call(new ResponseIoCoordCallable() {
-            void touch() throws IOException {
-                ros.write(0);
-            }
-        });
+        channel.call(new ResponseCallableWriter());
         // but I/O should be complete before the call returns.
         assertTrue(slow.written);
     }
@@ -87,11 +84,7 @@ void touch() throws IOException {
      * Ditto for {@link OutputStream#flush()}
      */
     public void testResponseIoCoordFlush() throws Exception {
-        channel.call(new ResponseIoCoordCallable() {
-            void touch() throws IOException {
-                ros.flush();
-            }
-        });
+        channel.call(new ResponseCallableFlusher());
         assertTrue(slow.flushed);
     }
 
@@ -99,11 +92,7 @@ void touch() throws IOException {
      * Ditto for {@link OutputStream#close()}
      */
     public void testResponseIoCoordClose() throws Exception {
-        channel.call(new ResponseIoCoordCallable() {
-            void touch() throws IOException {
-                ros.close();
-            }
-        });
+        channel.call(new ResponseCallableCloser());
         assertTrue(slow.closed);
     }
 
@@ -130,29 +119,17 @@ public Object call() throws IOException {
     }
 
     public void testRequestIoCoord() throws Exception {
-        channel.call(new RequestIoCoordCallable() {
-            void touch() throws IOException {
-                ros.write(0);
-            }
-        });
+        channel.call(new RequestCallableWriter());
         assertSlowStreamTouched();
     }
 
     public void testRequestIoCoordFlush() throws Exception {
-        channel.call(new RequestIoCoordCallable() {
-            void touch() throws IOException {
-                ros.flush();
-            }
-        });
+        channel.call(new RequestCallableFlusher());
         assertSlowStreamTouched();
     }
 
     public void testRequestIoCoordClose() throws Exception {
-        channel.call(new RequestIoCoordCallable() {
-            void touch() throws IOException {
-                ros.close();
-            }
-        });
+        channel.call(new RequestCallableCloser());
         assertSlowStreamTouched();
     }
 
@@ -198,4 +175,40 @@ private void slow() throws InterruptedIOException {
             }
         }
     }
+
+    private class ResponseCallableWriter extends ResponseIoCoordCallable {
+        void touch() throws IOException {
+            ros.write(0);
+        }
+    }
+
+    private class ResponseCallableFlusher extends ResponseIoCoordCallable {
+        void touch() throws IOException {
+            ros.flush();
+        }
+    }
+
+    private class ResponseCallableCloser extends ResponseIoCoordCallable {
+        void touch() throws IOException {
+            ros.close();
+        }
+    }
+
+    private class RequestCallableWriter extends RequestIoCoordCallable {
+        void touch() throws IOException {
+            ros.write(0);
+        }
+    }
+
+    private class RequestCallableFlusher extends RequestIoCoordCallable {
+        void touch() throws IOException {
+            ros.flush();
+        }
+    }
+
+    private class RequestCallableCloser extends RequestIoCoordCallable {
+        void touch() throws IOException {
+            ros.close();
+        }
+    }
 }
diff --git a/src/test/java/hudson/remoting/PrefetchingTest.java b/src/test/java/hudson/remoting/PrefetchingTest.java
index a8cb21452..036dfdbd2 100644
--- a/src/test/java/hudson/remoting/PrefetchingTest.java
+++ b/src/test/java/hudson/remoting/PrefetchingTest.java
@@ -30,7 +30,7 @@ public class PrefetchingTest extends RmiTestBase implements Serializable {
     private Checksum sum1,sum2;
 
     @Override
-    protected void setUp() throws Exception {
+    protected void setUp() throws Exception {        
         super.setUp();
 
         URL jar1 = getClass().getClassLoader().getResource("remoting-test-client.jar");
@@ -45,12 +45,7 @@ protected void setUp() throws Exception {
         dir.mkdirs();
 
         channel.setJarCache(new FileSystemJarCache(dir, true));
-        channel.call(new CallableBase<Void, IOException>() {
-            public Void call() throws IOException {
-                Channel.current().setJarCache(new FileSystemJarCache(dir, true));
-                return null;
-            }
-        });
+        channel.call(new JarCacherCallable());
         sum1 = channel.jarLoader.calcChecksum(jar1);
         sum2 = channel.jarLoader.calcChecksum(jar2);
     }
@@ -68,6 +63,13 @@ protected void tearDown() throws Exception {
         cl.cleanup();
         super.tearDown();
 
+        if (Launcher.isWindows()) {
+            // Current Resource loader implementation keep files open even if we close the classloader.
+            // This check has been never working correctly in Windows.
+            // TODO: Fix it as a part of JENKINS-38696
+            return;
+        }
+        
         // because the dir is used by FIleSystemJarCache to asynchronously load stuff
         // we might fail to shut it down right away
         for (int i=0; ; i++) {
@@ -214,8 +216,12 @@ private ForceJarLoad(Checksum sum) {
 
         public Void call() throws IOException {
             try {
-                Channel ch = Channel.current();
-                ch.getJarCache().resolve(ch,sum1,sum2).get();
+                final Channel ch = Channel.currentOrFail();
+                final JarCache jarCache = ch.getJarCache();
+                if (jarCache == null) {
+                    throw new IOException("Cannot Force JAR load, JAR cache is disabled");
+                }
+                jarCache.resolve(ch,sum1,sum2).get();
                 return null;
             } catch (InterruptedException e) {
                 throw new IOException(e);
@@ -224,4 +230,11 @@ public Void call() throws IOException {
             }
         }
     }
+
+    private class JarCacherCallable extends CallableBase<Void, IOException> {
+        public Void call() throws IOException {
+            Channel.currentOrFail().setJarCache(new FileSystemJarCache(dir, true));
+            return null;
+        }
+    }
 }
diff --git a/src/test/java/hudson/remoting/ProxyWriterTest.java b/src/test/java/hudson/remoting/ProxyWriterTest.java
index 7cc94f096..b46290c68 100644
--- a/src/test/java/hudson/remoting/ProxyWriterTest.java
+++ b/src/test/java/hudson/remoting/ProxyWriterTest.java
@@ -51,12 +51,7 @@ public void testAllCalls() throws Exception {
         StringWriter sw = new StringWriter();
         final RemoteWriter w = new RemoteWriter(sw);
 
-        channel.call(new CallableBase<Void, IOException>() {
-            public Void call() throws IOException {
-                writeBunchOfData(w);
-                return null;
-            }
-        });
+        channel.call(new WriteBunchOfDataCallable(w));
 
         StringWriter correct = new StringWriter();
         writeBunchOfData(correct);
@@ -96,13 +91,7 @@ public void close() throws IOException {
         };
         final RemoteWriter w = new RemoteWriter(sw);
 
-        channel.call(new CallableBase<Void, IOException>() {
-            public Void call() throws IOException {
-                w.write("hello");
-                W = new WeakReference<RemoteWriter>(w);
-                return null;
-            }
-        });
+        channel.call(new WeakReferenceCallable(w));
 
         // induce a GC. There's no good reliable way to do this,
         // and if GC doesn't happen within this loop, the test can pass
@@ -111,12 +100,7 @@ public Void call() throws IOException {
             assertTrue("There shouldn't be any errors: " + log.toString(), log.size() == 0);
 
             Thread.sleep(100);
-            if (channel.call(new CallableBase<Boolean, IOException>() {
-                public Boolean call() throws IOException {
-                    System.gc();
-                    return W.get()==null;
-                }
-            }))
+            if (channel.call(new GcCallable()))
                 break;
         }
 
@@ -136,12 +120,7 @@ public void testWriteAndSync() throws InterruptedException, IOException {
         final RemoteWriter w = new RemoteWriter(sw);
 
         for (int i=0; i<16; i++) {
-            channel.call(new CallableBase<Void, IOException>() {
-                public Void call() throws IOException {
-                    w.write("1--",0,1);
-                    return null;
-                }
-            });
+            channel.call(new WriterCallable(w));
             w.write("2");
         }
 
@@ -155,4 +134,51 @@ private Object writeReplace() {
     public static Test suite() throws Exception {
         return buildSuite(ProxyWriterTest.class);
     }
+
+    private static class WriteBunchOfDataCallable extends CallableBase<Void, IOException> {
+        private final RemoteWriter w;
+
+        public WriteBunchOfDataCallable(RemoteWriter w) {
+            this.w = w;
+        }
+
+        public Void call() throws IOException {
+            writeBunchOfData(w);
+            return null;
+        }
+    }
+
+    private static class WeakReferenceCallable extends CallableBase<Void, IOException> {
+        private final RemoteWriter w;
+
+        public WeakReferenceCallable(RemoteWriter w) {
+            this.w = w;
+        }
+
+        public Void call() throws IOException {
+            w.write("hello");
+            W = new WeakReference<RemoteWriter>(w);
+            return null;
+        }
+    }
+
+    private static class GcCallable extends CallableBase<Boolean, IOException> {
+        public Boolean call() throws IOException {
+            System.gc();
+            return W.get() == null;
+        }
+    }
+
+    private static class WriterCallable extends CallableBase<Void, IOException> {
+        private final RemoteWriter w;
+
+        public WriterCallable(RemoteWriter w) {
+            this.w = w;
+        }
+
+        public Void call() throws IOException {
+            w.write("1--", 0, 1);
+            return null;
+        }
+    }
 }
diff --git a/src/test/java/hudson/remoting/RemoteInvocationHandlerTest.java b/src/test/java/hudson/remoting/RemoteInvocationHandlerTest.java
index b9eea6c4a..5d9ae79a6 100644
--- a/src/test/java/hudson/remoting/RemoteInvocationHandlerTest.java
+++ b/src/test/java/hudson/remoting/RemoteInvocationHandlerTest.java
@@ -1,5 +1,8 @@
 package hudson.remoting;
 
+import org.jenkinsci.remoting.SerializableOnlyOverRemoting;
+
+import java.io.ObjectStreamException;
 import java.io.Serializable;
 
 public class RemoteInvocationHandlerTest extends RmiTestBase {
@@ -34,7 +37,7 @@ public interface Contract2 {
         void meth2(String arg);
     }
 
-    private static class Impl implements Contract, Serializable, Contract2 {
+    private static class Impl implements Contract, SerializableOnlyOverRemoting, Contract2 {
         String arg;
         public void meth(String arg1, String arg2) {
             assert false : "should be ignored";
@@ -45,8 +48,9 @@ public void meth(String arg1) {
         public void meth2(String arg) {
             this.arg = arg;
         }
-        private Object writeReplace() {
-            return Channel.current().export(Contract.class, this);
+
+        private Object writeReplace() throws ObjectStreamException {
+            return getChannelForSerialization().export(Contract.class, this);
         }
     }
 
diff --git a/src/test/java/hudson/remoting/UtilTest.java b/src/test/java/hudson/remoting/UtilTest.java
index e49988b08..d1b786d44 100644
--- a/src/test/java/hudson/remoting/UtilTest.java
+++ b/src/test/java/hudson/remoting/UtilTest.java
@@ -1,7 +1,7 @@
 /*
  * The MIT License
  *
- * Copyright (c) 2016, Schneider Electric
+ * Copyright (c) 2016-2018, Schneider Electric, CloudBees, Inc.
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -24,120 +24,22 @@
 
 package hudson.remoting;
 
-import junit.framework.TestCase;
-import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.TemporaryFolder;
-import org.junit.runner.RunWith;
-import org.powermock.api.mockito.PowerMockito;
-import org.powermock.core.classloader.annotations.PrepareForTest;
-import org.powermock.modules.junit4.PowerMockRunner;
 
 import java.io.File;
 import java.io.IOException;
 
+import static org.junit.Assert.*;
+
 /**
  * @author Etienne Bec
  */
-@RunWith(PowerMockRunner.class)
-@PrepareForTest(Util.class)
-public class UtilTest extends TestCase {
+public class UtilTest {
 
     @Rule public TemporaryFolder temp = new TemporaryFolder();
 
-    @Before
-    public void mockSystem() {
-        PowerMockito.mockStatic(System.class);
-    }
-
-    @Test
-    public void testIPV4() {
-        PowerMockito.when(System.getenv("no_proxy")).thenReturn("10.0.0.1");
-
-        assertEquals(true, Util.inNoProxyEnvVar("10.0.0.1"));
-    }
-
-    @Test
-    public void testWrongIPV4() {
-        PowerMockito.when(System.getenv("no_proxy")).thenReturn("127.0.0.1");
-
-        assertEquals(false, Util.inNoProxyEnvVar("10.0.0.1"));
-    }
-
-    @Test
-    public void testIPV6() {
-        PowerMockito.when(System.getenv("no_proxy")).thenReturn("2001:0db8:85a3:0000:0000:8a2e:0370:7334");
-        assertEquals(true, Util.inNoProxyEnvVar("2001:0db8:85a3:0000:0000:8a2e:0370:7334"));
-    }
-
-    @Test
-    public void testWrongIPV6() {
-        PowerMockito.when(System.getenv("no_proxy")).thenReturn("0:0:0:0:0:0:0:1");
-
-        assertEquals(false, Util.inNoProxyEnvVar("2001:0db8:85a3:0000:0000:8a2e:0370:7334"));
-    }
-
-    @Test
-    public void testFQDN() {
-        PowerMockito.when(System.getenv("no_proxy")).thenReturn("foobar.com");
-
-        assertEquals(true, Util.inNoProxyEnvVar("foobar.com"));
-        assertEquals(true, Util.inNoProxyEnvVar("sub.foobar.com"));
-        assertEquals(true, Util.inNoProxyEnvVar("sub.sub.foobar.com"));
-
-        assertEquals(false, Util.inNoProxyEnvVar("foobar.org"));
-        assertEquals(false, Util.inNoProxyEnvVar("jenkins.com"));
-    }
-
-    @Test
-    public void testSubFQDN() {
-        PowerMockito.when(System.getenv("no_proxy")).thenReturn("sub.foobar.com");
-
-        assertEquals(true, Util.inNoProxyEnvVar("sub.foobar.com"));
-        assertEquals(true, Util.inNoProxyEnvVar("sub.sub.foobar.com"));
-
-        assertEquals(false, Util.inNoProxyEnvVar("foobar.com"));
-    }
-
-    @Test
-    public void testFQDNWithDot() {
-        PowerMockito.when(System.getenv("no_proxy")).thenReturn(".foobar.com");
-
-        assertEquals(true, Util.inNoProxyEnvVar("foobar.com"));
-        assertEquals(true, Util.inNoProxyEnvVar("sub.foobar.com"));
-        assertEquals(true, Util.inNoProxyEnvVar("sub.sub.foobar.com"));
-
-        assertEquals(false, Util.inNoProxyEnvVar("foobar.org"));
-        assertEquals(false, Util.inNoProxyEnvVar("jenkins.com"));
-    }
-
-    @Test
-    public void testSubFQDNWithDot() {
-        PowerMockito.when(System.getenv("no_proxy")).thenReturn(".sub.foobar.com");
-
-        assertEquals(true, Util.inNoProxyEnvVar("sub.foobar.com"));
-        assertEquals(true, Util.inNoProxyEnvVar("sub.sub.foobar.com"));
-
-        assertEquals(false, Util.inNoProxyEnvVar("foobar.com"));
-    }
-
-    @Test
-    public void testMixed() {
-        PowerMockito.when(System.getenv("no_proxy")).thenReturn(" 127.0.0.1,  0:0:0:0:0:0:0:1,\tfoobar.com, .jenkins.com");
-
-        assertEquals(true, Util.inNoProxyEnvVar("127.0.0.1"));
-        assertEquals(true, Util.inNoProxyEnvVar("0:0:0:0:0:0:0:1"));
-        assertEquals(true, Util.inNoProxyEnvVar("foobar.com"));
-        assertEquals(true, Util.inNoProxyEnvVar("sub.foobar.com"));
-        assertEquals(true, Util.inNoProxyEnvVar("sub.jenkins.com"));
-
-        assertEquals(false, Util.inNoProxyEnvVar("foobar.org"));
-        assertEquals(false, Util.inNoProxyEnvVar("jenkins.org"));
-        assertEquals(false, Util.inNoProxyEnvVar("sub.foobar.org"));
-        assertEquals(false, Util.inNoProxyEnvVar("sub.jenkins.org"));
-    }
-
     @Test
     public void mkdirs() throws IOException {
         File sandbox = temp.newFolder();
@@ -161,13 +63,15 @@ public void mkdirs() throws IOException {
         assertTrue(file.exists());
         assertTrue(file.isFile());
 
-        // Fail to create aloud
-        try {
-            File forbidden = new File("/proc/nonono");
-            Util.mkdirs(forbidden);
-            fail();
-        } catch (IOException ex) {
-            // Expected
+        // Fail to create aloud, do not try on Windows
+        if (!Launcher.isWindows()) {
+            try {
+                File forbidden = new File("/proc/nonono");
+                Util.mkdirs(forbidden);
+                fail("The directory has been created when it should not: " + forbidden);
+            } catch (IOException ex) {
+                // Expected
+            }
         }
     }
 }
diff --git a/src/test/java/hudson/remoting/throughput/Sender.java b/src/test/java/hudson/remoting/throughput/Sender.java
index f8da1e3ef..7fe19de73 100644
--- a/src/test/java/hudson/remoting/throughput/Sender.java
+++ b/src/test/java/hudson/remoting/throughput/Sender.java
@@ -41,11 +41,7 @@ public static void main(String[] args) throws Exception {
                     new BufferedOutputStream(SocketChannelStream.out(s)));
 
             final Pipe p = Pipe.createLocalToRemote();
-            Future<byte[]> f = ch.callAsync(new CallableBase<byte[], Throwable>() {
-                public byte[] call() throws Exception {
-                    return digest(p.getIn());
-                }
-            });
+            Future<byte[]> f = ch.callAsync(new DigestCallable(p));
 
             System.out.println("Started");
             long start = System.nanoTime();
@@ -73,4 +69,16 @@ private static byte[] getRandomSequence() {
         new Random(0).nextBytes(buf);
         return buf;
     }
+
+    private static class DigestCallable extends CallableBase<byte[], Throwable> {
+        private final Pipe p;
+
+        public DigestCallable(Pipe p) {
+            this.p = p;
+        }
+
+        public byte[] call() throws Exception {
+            return digest(p.getIn());
+        }
+    }
 }
diff --git a/src/test/java/org/jenkinsci/remoting/engine/ChannelCiphersTest.java b/src/test/java/org/jenkinsci/remoting/engine/ChannelCiphersTest.java
index 5555a711a..82b2d9476 100644
--- a/src/test/java/org/jenkinsci/remoting/engine/ChannelCiphersTest.java
+++ b/src/test/java/org/jenkinsci/remoting/engine/ChannelCiphersTest.java
@@ -23,9 +23,9 @@
  */
 package org.jenkinsci.remoting.engine;
 
+import java.nio.charset.StandardCharsets;
 import java.security.SecureRandom;
 import java.util.Random;
-import org.jenkinsci.remoting.util.Charsets;
 import org.junit.Test;
 
 import static org.junit.Assert.assertEquals;
@@ -44,9 +44,9 @@ public void testEncryptDecrypt() throws Exception {
         ChannelCiphers ciphers = ChannelCiphers.create(ENTROPY);
 
         byte[] encrypted = ciphers.getEncryptCipher().doFinal(
-                "string 1".getBytes(Charsets.UTF_8));
+                "string 1".getBytes(StandardCharsets.UTF_8));
         String decrypted = new String(
-                ciphers.getDecryptCipher().doFinal(encrypted), Charsets.UTF_8);
+                ciphers.getDecryptCipher().doFinal(encrypted), StandardCharsets.UTF_8);
         assertEquals("string 1", decrypted);
     }
 
@@ -57,9 +57,9 @@ public void testMatchingWithKeys() throws Exception {
                 ciphers1.getAesKey(), ciphers1.getSpecKey());
 
         byte[] encrypted = ciphers1.getEncryptCipher().doFinal(
-                "string 1".getBytes(Charsets.UTF_8));
+                "string 1".getBytes(StandardCharsets.UTF_8));
         String decrypted = new String(
-                ciphers2.getDecryptCipher().doFinal(encrypted), Charsets.UTF_8);
+                ciphers2.getDecryptCipher().doFinal(encrypted), StandardCharsets.UTF_8);
         assertEquals("string 1", decrypted);
         assertEquals(16, ciphers1.getAesKey().length);
         assertEquals(16, ciphers1.getSpecKey().length);
diff --git a/src/test/java/org/jenkinsci/remoting/engine/EngineUtilTest.java b/src/test/java/org/jenkinsci/remoting/engine/EngineUtilTest.java
index 013ef1181..8253fac01 100644
--- a/src/test/java/org/jenkinsci/remoting/engine/EngineUtilTest.java
+++ b/src/test/java/org/jenkinsci/remoting/engine/EngineUtilTest.java
@@ -23,12 +23,11 @@
  */
 package org.jenkinsci.remoting.engine;
 
-import org.jenkinsci.remoting.util.Charsets;
 import org.junit.Test;
 
 import java.io.BufferedInputStream;
 import java.io.ByteArrayInputStream;
-import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 import java.util.Properties;
 
 import static org.junit.Assert.assertEquals;
@@ -78,6 +77,6 @@ public void testReadResponseHeadersMultipleFound() throws Exception {
     }
 
     private BufferedInputStream stringToStream(String str) {
-        return new BufferedInputStream(new ByteArrayInputStream(str.getBytes(Charsets.UTF_8)));
+        return new BufferedInputStream(new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8)));
     }
 }
diff --git a/src/test/java/org/jenkinsci/remoting/engine/HandlerLoopbackLoadStress.java b/src/test/java/org/jenkinsci/remoting/engine/HandlerLoopbackLoadStress.java
index 01701584d..8d9be79aa 100644
--- a/src/test/java/org/jenkinsci/remoting/engine/HandlerLoopbackLoadStress.java
+++ b/src/test/java/org/jenkinsci/remoting/engine/HandlerLoopbackLoadStress.java
@@ -45,6 +45,7 @@
 import java.nio.channels.SelectionKey;
 import java.nio.channels.ServerSocketChannel;
 import java.nio.channels.SocketChannel;
+import java.nio.charset.StandardCharsets;
 import java.security.KeyManagementException;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
@@ -76,6 +77,7 @@
 import java.util.concurrent.TimeoutException;
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.concurrent.atomic.AtomicLong;
+import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
@@ -99,7 +101,6 @@
 import org.jenkinsci.remoting.protocol.IOHubReadyListener;
 import org.jenkinsci.remoting.protocol.IOHubRegistrationCallback;
 import org.jenkinsci.remoting.protocol.cert.BlindTrustX509ExtendedTrustManager;
-import org.jenkinsci.remoting.util.Charsets;
 import org.jenkinsci.remoting.util.SettableFuture;
 import org.kohsuke.args4j.CmdLineException;
 import org.kohsuke.args4j.CmdLineParser;
@@ -140,7 +141,7 @@ public class HandlerLoopbackLoadStress {
     private final RuntimeMXBean runtimeMXBean;
     private final List<GarbageCollectorMXBean> garbageCollectorMXBeans;
     private final OperatingSystemMXBean operatingSystemMXBean;
-    private final Method _getProcessCpuTime;
+    private final @CheckForNull Method _getProcessCpuTime;
     private final Config config;
     private final Stats stats;
 
@@ -241,7 +242,12 @@ public String getSecretOf(@Nonnull String clientName) {
         acceptor = new Acceptor(serverSocketChannel);
         runtimeMXBean = ManagementFactory.getRuntimeMXBean();
         operatingSystemMXBean = ManagementFactory.getOperatingSystemMXBean();
-        _getProcessCpuTime = _getProcessCpuTime(operatingSystemMXBean);
+        if (operatingSystemMXBean instanceof com.sun.management.OperatingSystemMXBean) {
+            // YAGNI, we will do it without reflection then
+            _getProcessCpuTime = null;
+        } else {
+            _getProcessCpuTime = _getProcessCpuTime(operatingSystemMXBean);
+        }
         garbageCollectorMXBeans = new ArrayList<GarbageCollectorMXBean>(ManagementFactory.getGarbageCollectorMXBeans());
         Collections.sort(garbageCollectorMXBeans, new Comparator<GarbageCollectorMXBean>() {
             @Override
@@ -257,7 +263,7 @@ private static String secretFor(@Nonnull String clientName) {
             MessageDigest digest = MessageDigest.getInstance("MD5");
             digest.reset();
             byte[] bytes = digest.digest(
-                    (HandlerLoopbackLoadStress.class.getName() + clientName).getBytes(Charsets.UTF_8));
+                    (HandlerLoopbackLoadStress.class.getName() + clientName).getBytes(StandardCharsets.UTF_8));
             StringBuilder result = new StringBuilder(Math.max(0, bytes.length * 3 - 1));
             for (int i = 0; i < bytes.length; i++) {
                 if (i > 0) {
@@ -358,6 +364,14 @@ public Void call() throws Exception {
         }
     }
 
+    /**
+     * Resolves the {@code getProcessCpuTime} method.
+     * This method is guaranteed to be available in {@link com.sun.management.OperatingSystemMXBean},
+     * but not in the universal package.
+     * @param operatingSystemMXBean Bean
+     * @return Method or {@code null} if it does not exist
+     */
+    @CheckForNull
     private static Method _getProcessCpuTime(OperatingSystemMXBean operatingSystemMXBean) {
         Method getProcessCpuTime;
         try {
@@ -388,14 +402,18 @@ private SocketAddress startServer(String listen)
         return addr.get();
     }
 
+    @CheckForNull
     private Long getProcessCpuTime() {
         Object r = null;
-        try {
-            r = _getProcessCpuTime.invoke(operatingSystemMXBean);
-        } catch (IllegalAccessException e) {
-            r = null;
-        } catch (InvocationTargetException e) {
-            r = null;
+        if (operatingSystemMXBean instanceof com.sun.management.OperatingSystemMXBean) {
+            r = ((com.sun.management.OperatingSystemMXBean)operatingSystemMXBean).getProcessCpuTime();
+        } else if (_getProcessCpuTime != null) {
+            // Then we try reflection, if the method was located
+            try {
+                r = _getProcessCpuTime.invoke(operatingSystemMXBean);
+            } catch (IllegalAccessException | InvocationTargetException e) {
+                r = null;
+            }
         }
         if (r instanceof Number) {
             long value = ((Number) r).longValue();
@@ -730,7 +748,7 @@ private class Metrics {
         private long time;
         private long noops;
         private long uptime;
-        private Long cpu;
+        private @CheckForNull Long cpu;
         private Map<String,GCStats> gc;
 
         public Metrics() {
@@ -756,6 +774,11 @@ public long getUptime() {
             return uptime;
         }
 
+        /**
+         * Gets CPU load stats.
+         * @return CPU Load stats. {@code null} if it cannot be determined.
+         */
+        @CheckForNull
         public Long getCpu() {
             return cpu;
         }
diff --git a/src/test/java/org/jenkinsci/remoting/engine/Jnlp3UtilTest.java b/src/test/java/org/jenkinsci/remoting/engine/Jnlp3UtilTest.java
index beaddd962..04b4fc8d8 100644
--- a/src/test/java/org/jenkinsci/remoting/engine/Jnlp3UtilTest.java
+++ b/src/test/java/org/jenkinsci/remoting/engine/Jnlp3UtilTest.java
@@ -23,11 +23,11 @@
  */
 package org.jenkinsci.remoting.engine;
 
+import java.nio.charset.StandardCharsets;
 import java.security.SecureRandom;
 import java.util.Random;
 import org.hamcrest.core.IsEqual;
 import org.hamcrest.core.IsNot;
-import org.jenkinsci.remoting.util.Charsets;
 import org.junit.Test;
 
 import java.security.MessageDigest;
@@ -69,15 +69,15 @@ public void testGenerate128BitKeyFromString() throws Exception {
 
     @Test
     public void testKeyToString() throws Exception {
-        byte[] key = "This is a string".getBytes(Charsets.UTF_8);
-        assertEquals(new String(key, Charsets.ISO_8859_1), Jnlp3Util.keyToString(key));
+        byte[] key = "This is a string".getBytes(StandardCharsets.UTF_8);
+        assertEquals(new String(key, StandardCharsets.ISO_8859_1), Jnlp3Util.keyToString(key));
     }
 
     @Test
     public void testKeyFromString() throws Exception {
-        byte[] key = "This is a string".getBytes(Charsets.UTF_8);
+        byte[] key = "This is a string".getBytes(StandardCharsets.UTF_8);
         assertArrayEquals(key,
-                Jnlp3Util.keyFromString(new String(key, Charsets.ISO_8859_1)));
+                Jnlp3Util.keyFromString(new String(key, StandardCharsets.ISO_8859_1)));
     }
 
     @Test
@@ -91,8 +91,8 @@ public void testGenerateChallenge() {
     public void testCreateChallengeResponse() throws Exception {
         String challenge = "This is a challenge string";
         MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
-        messageDigest.update(challenge.getBytes(Charsets.UTF_8));
-        String expectedResponse = new String(messageDigest.digest(), Charsets.UTF_8);
+        messageDigest.update(challenge.getBytes(StandardCharsets.UTF_8));
+        String expectedResponse = new String(messageDigest.digest(), StandardCharsets.UTF_8);
         assertEquals(expectedResponse, Jnlp3Util.createChallengeResponse(challenge));
     }
 
@@ -100,8 +100,8 @@ public void testCreateChallengeResponse() throws Exception {
     public void testValidateChallengeResponse() throws Exception {
         String challenge = "This is a challenge string";
         MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
-        messageDigest.update(challenge.getBytes(Charsets.UTF_8));
-        String challengeResponse = new String(messageDigest.digest(), Charsets.UTF_8);
+        messageDigest.update(challenge.getBytes(StandardCharsets.UTF_8));
+        String challengeResponse = new String(messageDigest.digest(), StandardCharsets.UTF_8);
 
         assertTrue(Jnlp3Util.validateChallengeResponse(challenge, challengeResponse));
         assertFalse(Jnlp3Util.validateChallengeResponse(challenge, "some string"));
diff --git a/src/test/java/org/jenkinsci/remoting/engine/JnlpProtocolHandlerTest.java b/src/test/java/org/jenkinsci/remoting/engine/JnlpProtocolHandlerTest.java
index fb0479f73..b19d6fe3b 100644
--- a/src/test/java/org/jenkinsci/remoting/engine/JnlpProtocolHandlerTest.java
+++ b/src/test/java/org/jenkinsci/remoting/engine/JnlpProtocolHandlerTest.java
@@ -3,35 +3,38 @@
 import edu.umd.cs.findbugs.annotations.NonNull;
 import hudson.remoting.Channel;
 import hudson.remoting.TestCallable;
+
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.nio.ByteBuffer;
 import java.nio.channels.ServerSocketChannel;
 import java.nio.channels.SocketChannel;
+import java.nio.charset.StandardCharsets;
 import java.util.HashMap;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import java.util.concurrent.Future;
 import java.util.concurrent.TimeUnit;
+import java.util.function.Consumer;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import javax.annotation.Nonnull;
 import javax.net.ssl.SSLContext;
+
 import org.apache.commons.io.IOUtils;
 import org.jenkinsci.remoting.nio.NioChannelHub;
 import org.jenkinsci.remoting.protocol.IOHub;
-import org.jenkinsci.remoting.protocol.Repeat;
-import org.jenkinsci.remoting.protocol.RepeatRule;
 import org.jenkinsci.remoting.protocol.cert.RSAKeyPairRule;
 import org.jenkinsci.remoting.protocol.cert.SSLContextRule;
 import org.jenkinsci.remoting.protocol.cert.X509CertificateRule;
+import org.jenkinsci.remoting.protocol.impl.ConnectionHeadersFilterLayer;
 import org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException;
-import org.jenkinsci.remoting.util.Charsets;
 import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.ClassRule;
-import org.junit.Rule;
 import org.junit.experimental.theories.DataPoints;
 import org.junit.experimental.theories.Theories;
 import org.junit.experimental.theories.Theory;
@@ -40,15 +43,19 @@
 
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.is;
-import static org.hamcrest.Matchers.not;
 import static org.hamcrest.Matchers.notNullValue;
 import static org.junit.Assert.assertThat;
 import static org.junit.Assert.fail;
-import static org.junit.Assume.assumeThat;
 
 @RunWith(Theories.class)
 public class JnlpProtocolHandlerTest {
 
+    private static final Consumer<JnlpConnectionState> APPROVING_STATE_CONSUMER = JnlpConnectionState::approve;
+    private static final Consumer<JnlpConnectionState> REJECTING_STATE_CONSUMER = (event) -> event.reject(new ConnectionRefusalException("I don't like you"));
+    private static final Consumer<JnlpConnectionState> IGNORING_STATE_CONSUMER = (event) -> {
+    };
+    private static final String SECRET_KEY = "SecretKey-1234";
+
     private static ExecutorService executorService;
     private IOHub selector;
     private NioChannelHub hub;
@@ -106,590 +113,197 @@ public class JnlpProtocolHandlerTest {
             .around(notYetValidServerCtx)
             .around(untrustingClientCtx)
             .around(untrustingServerCtx);
-    @Rule
-    public RepeatRule repeater = new RepeatRule();
-    private ServerSocketChannel eastServer;
-    private SocketChannel westChannel;
-    private SocketChannel eastChannel;
-    private Channel eastRemoting;
-    private Channel westRemoting;
+
+    private ServerSocketChannel baseServerSocket;
+    private SocketChannel clientSocketChannel;
+    private SocketChannel serverSocketChannel;
+    private Channel serverRemotingChannel;
+    private Channel clientRemotingChannel;
 
     @BeforeClass
-    public static void setUpClass() throws Exception {
+    public static void setUpClass() {
+        Logger.getLogger(ConnectionHeadersFilterLayer.class.getName()).setLevel(Level.WARNING);
         executorService = Executors.newCachedThreadPool();
     }
 
     @AfterClass
-    public static void tearDownClass() throws Exception {
+    public static void tearDownClass() {
         executorService.shutdownNow();
     }
 
-
     @Before
     public void setUp() throws Exception {
         selector = IOHub.create(executorService);
         hub = new NioChannelHub(executorService);
         executorService.submit(hub);
-        eastServer = ServerSocketChannel.open();
-        eastServer.socket().bind(new InetSocketAddress(0));
-        westChannel = SocketChannel.open();
-        westChannel.connect(eastServer.getLocalAddress());
-        eastChannel = eastServer.accept();
+        baseServerSocket = ServerSocketChannel.open();
+        baseServerSocket.socket().bind(new InetSocketAddress(0));
+        clientSocketChannel = SocketChannel.open();
+        clientSocketChannel.connect(baseServerSocket.getLocalAddress());
+        serverSocketChannel = baseServerSocket.accept();
     }
 
     @After
-    public void tearDown() throws Exception {
-        IOUtils.closeQuietly(eastRemoting);
-        IOUtils.closeQuietly(westRemoting);
-        Thread.sleep(10);
-        IOUtils.closeQuietly(westChannel);
-        IOUtils.closeQuietly(eastChannel);
-        IOUtils.closeQuietly(eastServer);
+    public void tearDown() {
+        IOUtils.closeQuietly(serverRemotingChannel);
+        IOUtils.closeQuietly(clientRemotingChannel);
+        IOUtils.closeQuietly(clientSocketChannel);
+        IOUtils.closeQuietly(serverSocketChannel);
+        IOUtils.closeQuietly(baseServerSocket);
         IOUtils.closeQuietly(hub);
         IOUtils.closeQuietly(selector);
     }
 
     @Theory
-    @Repeat(value = 25, stopAfter = 10, stopAfterUnits = TimeUnit.SECONDS)
     public void happyPath(Factory factory, boolean useNioHubServer, boolean useNioHubClient) throws Exception {
-        if (useNioHubClient) {
-            assumeThat(factory.toString(), not(is("JNLP4-connect")));
-        }
-        if (lastFactory != factory) {
-            System.out.println("Testing factory " + factory);
-            lastFactory = factory;
-        }
-        JnlpProtocolHandler<? extends JnlpConnectionState> eastProto = factory.create(new JnlpClientDatabase() {
-            @Override
-            public boolean exists(String clientName) {
-                return true;
-            }
-
-            @Override
-            public String getSecretOf(@Nonnull String clientName) {
-                return "SuperSecret-" + clientName;
-            }
-        }, executorService, selector, hub, serverCtx.context(), useNioHubServer);
-        JnlpProtocolHandler<? extends JnlpConnectionState> westProto =
-                factory.create(null, executorService, selector, useNioHubClient ? hub : null, clientCtx.context()
-                        , useNioHubClient);
-        HashMap<String, String> westProps = new HashMap<String, String>();
-        westProps.put(JnlpConnectionState.CLIENT_NAME_KEY, "happy-path-" + factory);
-        westProps.put(JnlpConnectionState.SECRET_KEY, "SuperSecret-happy-path-" + factory);
-        Future<Channel> westChan = westProto
-                .connect(westChannel.socket(), westProps, new JnlpConnectionStateListener() {
-                    @Override
-                    public void afterProperties(@NonNull JnlpConnectionState event) {
-                        event.approve();
-                    }
-
-                    @Override
-                    public void beforeChannel(@NonNull JnlpConnectionState event) {
-                        event.getChannelBuilder().withMode(Channel.Mode.BINARY);
-                    }
-
-                    @Override
-                    public void afterChannel(@NonNull JnlpConnectionState event) {
-                    }
-                });
-        ByteBuffer len = ByteBuffer.wrap(new byte[2]);
-        while (len.hasRemaining()) {
-            eastChannel.read(len);
-        }
-        byte[] bytes = new byte[((len.get(0) << 8) & 0xff00) + (len.get(1) & 0xff)];
-        ByteBuffer content = ByteBuffer.wrap(bytes);
-        while (content.hasRemaining()) {
-            eastChannel.read(content);
-        }
-        assertThat(new String(bytes, Charsets.UTF_8), is("Protocol:" + factory.toString()));
-        Future<Channel> eastChan = eastProto
-                .handle(eastChannel.socket(), new HashMap<String, String>(), new JnlpConnectionStateListener() {
-                    @Override
-                    public void afterProperties(@NonNull JnlpConnectionState event) {
-                        event.approve();
-                    }
-
-                    @Override
-                    public void beforeChannel(@NonNull JnlpConnectionState event) {
-                        event.getChannelBuilder().withMode(Channel.Mode.NEGOTIATE);
-                    }
-
-                    @Override
-                    public void afterChannel(@NonNull JnlpConnectionState event) {
-                    }
-                });
-        eastRemoting = eastChan.get(10, TimeUnit.SECONDS);
-        assertThat(eastRemoting, notNullValue());
-        eastRemoting.callAsync(new TestCallable());
-        westRemoting = westChan.get(10, TimeUnit.SECONDS);
-        assertThat(westRemoting, notNullValue());
+        JnlpProtocolHandler<? extends JnlpConnectionState> serverProtocolHandler = createServerProtocolHandler(factory, useNioHubServer, SECRET_KEY, true);
+        JnlpProtocolHandler<? extends JnlpConnectionState> clientProtocolHandler = createClientProtocolHandler(factory, useNioHubClient);
+        HashMap<String, String> clientProps = createClientProperties(factory, SECRET_KEY);
+        Future<Channel> clientChannelFuture = createChannelConnector(clientSocketChannel, clientProtocolHandler, clientProps, APPROVING_STATE_CONSUMER);
+        readAndCheckProtocol(factory);
+        Future<Channel> serverChannelFuture = createChannelHandler(serverSocketChannel, serverProtocolHandler, new HashMap<>(), APPROVING_STATE_CONSUMER);
+        serverRemotingChannel = serverChannelFuture.get(10, TimeUnit.SECONDS);
+        assertThat(serverRemotingChannel, notNullValue());
+        serverRemotingChannel.call(new TestCallable());
+        clientRemotingChannel = clientChannelFuture.get(10, TimeUnit.SECONDS);
+        assertThat(clientRemotingChannel, notNullValue());
     }
 
-    private Factory lastFactory;
-
     @Theory
     public void serverRejects(Factory factory, boolean useNioHubServer, boolean useNioHubClient) throws Exception {
-        if (lastFactory != factory) {
-            System.out.println("Testing factory " + factory);
-            lastFactory = factory;
-        }
-        JnlpProtocolHandler<? extends JnlpConnectionState> eastProto = factory.create(new JnlpClientDatabase() {
-            @Override
-            public boolean exists(String clientName) {
-                return true;
-            }
-
-            @Override
-            public String getSecretOf(@Nonnull String clientName) {
-                return "SuperSecret-" + clientName;
-            }
-        }, executorService, selector, hub, serverCtx.context(), useNioHubServer);
-        JnlpProtocolHandler<? extends JnlpConnectionState> westProto =
-                factory.create(null, executorService, selector, useNioHubClient ? hub : null, clientCtx.context(),
-                        useNioHubClient);
-        HashMap<String, String> westProps = new HashMap<String, String>();
-        westProps.put(JnlpConnectionState.CLIENT_NAME_KEY, "happy-path-" + factory);
-        westProps.put(JnlpConnectionState.SECRET_KEY, "SuperSecret-happy-path-" + factory);
-        Future<Channel> westChan = westProto
-                .connect(westChannel.socket(), westProps, new JnlpConnectionStateListener() {
-                    @Override
-                    public void afterProperties(@NonNull JnlpConnectionState event) {
-                        event.approve();
-                    }
-
-                    @Override
-                    public void beforeChannel(@NonNull JnlpConnectionState event) {
-                        event.getChannelBuilder().withMode(Channel.Mode.BINARY);
-                    }
-
-                    @Override
-                    public void afterChannel(@NonNull JnlpConnectionState event) {
-                    }
-                });
-        ByteBuffer len = ByteBuffer.wrap(new byte[2]);
-        while (len.hasRemaining()) {
-            eastChannel.read(len);
-        }
-        byte[] bytes = new byte[((len.get(0) << 8) & 0xff00) + (len.get(1) & 0xff)];
-        ByteBuffer content = ByteBuffer.wrap(bytes);
-        while (content.hasRemaining()) {
-            eastChannel.read(content);
-        }
-        assertThat(new String(bytes, Charsets.UTF_8), is("Protocol:" + factory.toString()));
-        Future<Channel> eastChan = eastProto
-                .handle(eastChannel.socket(), new HashMap<String, String>(), new JnlpConnectionStateListener() {
-                    @Override
-                    public void afterProperties(@NonNull JnlpConnectionState event) {
-                        event.reject(new ConnectionRefusalException("I don't like you"));
-                    }
-
-                    @Override
-                    public void beforeChannel(@NonNull JnlpConnectionState event) {
-                        event.getChannelBuilder().withMode(Channel.Mode.NEGOTIATE);
-                    }
-
-                    @Override
-                    public void afterChannel(@NonNull JnlpConnectionState event) {
-                    }
-                });
-        try {
-            eastRemoting = eastChan.get(10, TimeUnit.SECONDS);
-            fail();
-        } catch (ExecutionException e) {
-            assertThat(e.getCause(), instanceOf(IOException.class));
-        }
-        try {
-            westRemoting = westChan.get(10, TimeUnit.SECONDS);
-            fail();
-        } catch (ExecutionException e) {
-            assertThat(e.getCause(), instanceOf(ConnectionRefusalException.class));
-        }
+        JnlpProtocolHandler<? extends JnlpConnectionState> serverProtocolHandler = createServerProtocolHandler(factory, useNioHubServer, SECRET_KEY, true);
+        JnlpProtocolHandler<? extends JnlpConnectionState> clientProtocolHandler = createClientProtocolHandler(factory, useNioHubClient);
+        HashMap<String, String> clientProps = createClientProperties(factory, SECRET_KEY);
+        Future<Channel> clientChannelFuture = createChannelConnector(clientSocketChannel, clientProtocolHandler, clientProps, APPROVING_STATE_CONSUMER);
+        readAndCheckProtocol(factory);
+        Future<Channel> serverChannelFuture = createChannelHandler(serverSocketChannel, serverProtocolHandler, new HashMap<>(), REJECTING_STATE_CONSUMER);
+        assertChannelFails(clientChannelFuture, serverChannelFuture, ConnectionRefusalException.class);
     }
 
     @Theory
     public void serverIgnores(Factory factory, boolean useNioHubServer, boolean useNioHubClient) throws Exception {
-        if (lastFactory != factory) {
-            System.out.println("Testing factory " + factory);
-            lastFactory = factory;
-        }
-        JnlpProtocolHandler<? extends JnlpConnectionState> eastProto = factory.create(new JnlpClientDatabase() {
-            @Override
-            public boolean exists(String clientName) {
-                return true;
-            }
-
-            @Override
-            public String getSecretOf(@Nonnull String clientName) {
-                return "SuperSecret-" + clientName;
-            }
-        }, executorService, selector, hub, serverCtx.context(), useNioHubServer);
-        JnlpProtocolHandler<? extends JnlpConnectionState> westProto =
-                factory.create(null, executorService, selector, useNioHubClient ? hub : null, clientCtx.context(),
-                        useNioHubClient);
-        HashMap<String, String> westProps = new HashMap<String, String>();
-        westProps.put(JnlpConnectionState.CLIENT_NAME_KEY, "happy-path-" + factory);
-        westProps.put(JnlpConnectionState.SECRET_KEY, "SuperSecret-happy-path-" + factory);
-        Future<Channel> westChan = westProto
-                .connect(westChannel.socket(), westProps, new JnlpConnectionStateListener() {
-                    @Override
-                    public void afterProperties(@NonNull JnlpConnectionState event) {
-                    }
-
-                    @Override
-                    public void beforeChannel(@NonNull JnlpConnectionState event) {
-                        event.getChannelBuilder().withMode(Channel.Mode.BINARY);
-                    }
-
-                    @Override
-                    public void afterChannel(@NonNull JnlpConnectionState event) {
-                    }
-                });
-        ByteBuffer len = ByteBuffer.wrap(new byte[2]);
-        while (len.hasRemaining()) {
-            eastChannel.read(len);
-        }
-        byte[] bytes = new byte[((len.get(0) << 8) & 0xff00) + (len.get(1) & 0xff)];
-        ByteBuffer content = ByteBuffer.wrap(bytes);
-        while (content.hasRemaining()) {
-            eastChannel.read(content);
-        }
-        assertThat(new String(bytes, Charsets.UTF_8), is("Protocol:" + factory.toString()));
-        Future<Channel> eastChan = eastProto
-                .handle(eastChannel.socket(), new HashMap<String, String>(), new JnlpConnectionStateListener() {
-                    @Override
-                    public void afterProperties(@NonNull JnlpConnectionState event) {
-                        event.reject(new ConnectionRefusalException("I don't like you"));
-                    }
-
-                    @Override
-                    public void beforeChannel(@NonNull JnlpConnectionState event) {
-                        event.getChannelBuilder().withMode(Channel.Mode.NEGOTIATE);
-                    }
-
-                    @Override
-                    public void afterChannel(@NonNull JnlpConnectionState event) {
-                    }
-                });
-        try {
-            eastRemoting = eastChan.get(10, TimeUnit.SECONDS);
-            fail();
-        } catch (ExecutionException e) {
-            assertThat(e.getCause(), instanceOf(IOException.class));
-        }
-        try {
-            westRemoting = westChan.get(10, TimeUnit.SECONDS);
-            fail();
-        } catch (ExecutionException e) {
-            assertThat(e.getCause(), instanceOf(ConnectionRefusalException.class));
-        }
+        JnlpProtocolHandler<? extends JnlpConnectionState> serverProtocolHandler = createServerProtocolHandler(factory, useNioHubServer, SECRET_KEY, true);
+        JnlpProtocolHandler<? extends JnlpConnectionState> clientProtocolHandler = createClientProtocolHandler(factory, useNioHubClient);
+        HashMap<String, String> clientProps = createClientProperties(factory, SECRET_KEY);
+        Future<Channel> clientChannelFuture = createChannelConnector(clientSocketChannel, clientProtocolHandler, clientProps, IGNORING_STATE_CONSUMER);
+        readAndCheckProtocol(factory);
+        Future<Channel> serverChannelFuture = createChannelHandler(serverSocketChannel, serverProtocolHandler, new HashMap<>(), APPROVING_STATE_CONSUMER);
+        assertChannelFails(clientChannelFuture, serverChannelFuture, IOException.class);
     }
 
     @Theory
     public void clientRejects(Factory factory, boolean useNioHubServer, boolean useNioHubClient) throws Exception {
-        if (lastFactory != factory) {
-            System.out.println("Testing factory " + factory);
-            lastFactory = factory;
-        }
-        JnlpProtocolHandler<? extends JnlpConnectionState> eastProto = factory.create(new JnlpClientDatabase() {
-            @Override
-            public boolean exists(String clientName) {
-                return true;
-            }
-
-            @Override
-            public String getSecretOf(@Nonnull String clientName) {
-                return "SuperSecret-" + clientName;
-            }
-        }, executorService, selector, hub, serverCtx.context(), useNioHubServer);
-        JnlpProtocolHandler<? extends JnlpConnectionState> westProto =
-                factory.create(null, executorService, selector, useNioHubClient ? hub : null, clientCtx.context(),
-                        useNioHubClient);
-        HashMap<String, String> westProps = new HashMap<String, String>();
-        westProps.put(JnlpConnectionState.CLIENT_NAME_KEY, "happy-path-" + factory);
-        westProps.put(JnlpConnectionState.SECRET_KEY, "SuperSecret-happy-path-" + factory);
-        Future<Channel> westChan = westProto
-                .connect(westChannel.socket(), westProps, new JnlpConnectionStateListener() {
-                    @Override
-                    public void afterProperties(@NonNull JnlpConnectionState event) {
-                        event.reject(new ConnectionRefusalException("I don't like you"));
-                    }
-
-                    @Override
-                    public void beforeChannel(@NonNull JnlpConnectionState event) {
-                        event.getChannelBuilder().withMode(Channel.Mode.BINARY);
-                    }
-
-                    @Override
-                    public void afterChannel(@NonNull JnlpConnectionState event) {
-                    }
-                });
-        ByteBuffer len = ByteBuffer.wrap(new byte[2]);
-        while (len.hasRemaining()) {
-            eastChannel.read(len);
-        }
-        byte[] bytes = new byte[((len.get(0) << 8) & 0xff00) + (len.get(1) & 0xff)];
-        ByteBuffer content = ByteBuffer.wrap(bytes);
-        while (content.hasRemaining()) {
-            eastChannel.read(content);
-        }
-        assertThat(new String(bytes, Charsets.UTF_8), is("Protocol:" + factory.toString()));
-        Future<Channel> eastChan = eastProto
-                .handle(eastChannel.socket(), new HashMap<String, String>(), new JnlpConnectionStateListener() {
-                    @Override
-                    public void afterProperties(@NonNull JnlpConnectionState event) {
-                        event.approve();
-                    }
-
-                    @Override
-                    public void beforeChannel(@NonNull JnlpConnectionState event) {
-                        event.getChannelBuilder().withMode(Channel.Mode.NEGOTIATE);
-                    }
-
-                    @Override
-                    public void afterChannel(@NonNull JnlpConnectionState event) {
-                    }
-                });
-        try {
-            eastRemoting = eastChan.get(10, TimeUnit.SECONDS);
-            fail();
-        } catch (ExecutionException e) {
-            assertThat(e.getCause(), instanceOf(IOException.class));
-        }
-        try {
-            westRemoting = westChan.get(10, TimeUnit.SECONDS);
-            fail();
-        } catch (ExecutionException e) {
-            assertThat(e.getCause(), instanceOf(ConnectionRefusalException.class));
-        }
+        JnlpProtocolHandler<? extends JnlpConnectionState> serverProtocolHandler = createServerProtocolHandler(factory, useNioHubServer, SECRET_KEY, true);
+        JnlpProtocolHandler<? extends JnlpConnectionState> clientProtocolHandler = createClientProtocolHandler(factory, useNioHubClient);
+        HashMap<String, String> clientProps = createClientProperties(factory, SECRET_KEY);
+        Future<Channel> clientChannelFuture = createChannelConnector(clientSocketChannel, clientProtocolHandler, clientProps, APPROVING_STATE_CONSUMER);
+        readAndCheckProtocol(factory);
+        Future<Channel> serverChannelFuture = createChannelHandler(serverSocketChannel, serverProtocolHandler, new HashMap<>(), REJECTING_STATE_CONSUMER);
+        assertChannelFails(clientChannelFuture, serverChannelFuture, IOException.class);
     }
 
     @Theory
     public void clientIgnores(Factory factory, boolean useNioHubServer, boolean useNioHubClient) throws Exception {
-        if (lastFactory != factory) {
-            System.out.println("Testing factory " + factory);
-            lastFactory = factory;
-        }
-        JnlpProtocolHandler<? extends JnlpConnectionState> eastProto = factory.create(new JnlpClientDatabase() {
-            @Override
-            public boolean exists(String clientName) {
-                return true;
-            }
-
-            @Override
-            public String getSecretOf(@Nonnull String clientName) {
-                return "SuperSecret-" + clientName;
-            }
-        }, executorService, selector, hub, serverCtx.context(), useNioHubServer);
-        JnlpProtocolHandler<? extends JnlpConnectionState> westProto =
-                factory.create(null, executorService, selector, useNioHubClient ? hub : null, clientCtx.context(),
-                        useNioHubClient);
-        HashMap<String, String> westProps = new HashMap<String, String>();
-        westProps.put(JnlpConnectionState.CLIENT_NAME_KEY, "happy-path-" + factory);
-        westProps.put(JnlpConnectionState.SECRET_KEY, "SuperSecret-happy-path-" + factory);
-        Future<Channel> westChan = westProto
-                .connect(westChannel.socket(), westProps, new JnlpConnectionStateListener() {
-                    @Override
-                    public void afterProperties(@NonNull JnlpConnectionState event) {
-                        event.reject(new ConnectionRefusalException("I don't like you"));
-                    }
-
-                    @Override
-                    public void beforeChannel(@NonNull JnlpConnectionState event) {
-                        event.getChannelBuilder().withMode(Channel.Mode.BINARY);
-                    }
-
-                    @Override
-                    public void afterChannel(@NonNull JnlpConnectionState event) {
-                    }
-                });
-        ByteBuffer len = ByteBuffer.wrap(new byte[2]);
-        while (len.hasRemaining()) {
-            eastChannel.read(len);
-        }
-        byte[] bytes = new byte[((len.get(0) << 8) & 0xff00) + (len.get(1) & 0xff)];
-        ByteBuffer content = ByteBuffer.wrap(bytes);
-        while (content.hasRemaining()) {
-            eastChannel.read(content);
-        }
-        assertThat(new String(bytes, Charsets.UTF_8), is("Protocol:" + factory.toString()));
-        Future<Channel> eastChan = eastProto
-                .handle(eastChannel.socket(), new HashMap<String, String>(), new JnlpConnectionStateListener() {
-                    @Override
-                    public void afterProperties(@NonNull JnlpConnectionState event) {
-                        event.approve();
-                    }
-
-                    @Override
-                    public void beforeChannel(@NonNull JnlpConnectionState event) {
-                        event.getChannelBuilder().withMode(Channel.Mode.NEGOTIATE);
-                    }
-
-                    @Override
-                    public void afterChannel(@NonNull JnlpConnectionState event) {
-                    }
-                });
-        try {
-            eastRemoting = eastChan.get(10, TimeUnit.SECONDS);
-            fail();
-        } catch (ExecutionException e) {
-            assertThat(e.getCause(), instanceOf(IOException.class));
-        }
-        try {
-            westRemoting = westChan.get(10, TimeUnit.SECONDS);
-            fail();
-        } catch (ExecutionException e) {
-            assertThat(e.getCause(), instanceOf(ConnectionRefusalException.class));
-        }
+        JnlpProtocolHandler<? extends JnlpConnectionState> serverProtocolHandler = createServerProtocolHandler(factory, useNioHubServer, SECRET_KEY, true);
+        JnlpProtocolHandler<? extends JnlpConnectionState> clientProtocolHandler = createClientProtocolHandler(factory, useNioHubClient);
+        HashMap<String, String> clientProps = createClientProperties(factory, SECRET_KEY);
+        Future<Channel> clientChannelFuture = createChannelConnector(clientSocketChannel, clientProtocolHandler, clientProps, APPROVING_STATE_CONSUMER);
+        readAndCheckProtocol(factory);
+        Future<Channel> serverChannelFuture = createChannelHandler(serverSocketChannel, serverProtocolHandler, new HashMap<>(), IGNORING_STATE_CONSUMER);
+        assertChannelFails(clientChannelFuture, serverChannelFuture, ConnectionRefusalException.class);
     }
 
     @Theory
     public void doesNotExist(Factory factory, boolean useNioHubServer, boolean useNioHubClient) throws Exception {
-        System.out.println("Testing factory " + factory);
-        JnlpProtocolHandler<? extends JnlpConnectionState> eastProto = factory.create(new JnlpClientDatabase() {
-            @Override
-            public boolean exists(String clientName) {
-                return false;
-            }
+        JnlpProtocolHandler<? extends JnlpConnectionState> serverProtocolHandler = createServerProtocolHandler(factory, useNioHubServer, SECRET_KEY, false);
+        JnlpProtocolHandler<? extends JnlpConnectionState> clientProtocolHandler = createClientProtocolHandler(factory, useNioHubClient);
+        HashMap<String, String> clientProps = createClientProperties(factory, SECRET_KEY);
+        Future<Channel> clientChannelFuture = createChannelConnector(clientSocketChannel, clientProtocolHandler, clientProps, APPROVING_STATE_CONSUMER);
+        readAndCheckProtocol(factory);
+        Future<Channel> serverChannelFuture = createChannelHandler(serverSocketChannel, serverProtocolHandler, new HashMap<>(), APPROVING_STATE_CONSUMER);
+        assertChannelFails(clientChannelFuture, serverChannelFuture, ConnectionRefusalException.class);
+    }
 
-            @Override
-            public String getSecretOf(@Nonnull String clientName) {
-                return "SuperSecret-" + clientName;
-            }
-        }, executorService, selector, hub, serverCtx.context(), useNioHubServer);
-        JnlpProtocolHandler<? extends JnlpConnectionState> westProto =
-                factory.create(null, executorService, selector, useNioHubClient ? hub : null, clientCtx.context(),
-                        useNioHubClient);
-        HashMap<String, String> westProps = new HashMap<String, String>();
-        westProps.put(JnlpConnectionState.CLIENT_NAME_KEY, "happy-path-" + factory);
-        westProps.put(JnlpConnectionState.SECRET_KEY, "SuperSecret-happy-path-" + factory);
-        Future<Channel> westChan = westProto
-                .connect(westChannel.socket(), westProps, new JnlpConnectionStateListener() {
-                    @Override
-                    public void afterProperties(@NonNull JnlpConnectionState event) {
-                        event.approve();
-                    }
+    @Theory
+    public void wrongSecret(Factory factory, boolean useNioHubServer, boolean useNioHubClient) throws Exception {
+        Logger.getLogger(JnlpProtocol4PlainHandler.class.getName()).setLevel(Level.SEVERE);
+        Logger.getLogger(JnlpProtocol4Handler.class.getName()).setLevel(Level.SEVERE);
+        JnlpProtocolHandler<? extends JnlpConnectionState> serverProtocolHandler = createServerProtocolHandler(factory, useNioHubServer, SECRET_KEY, true);
+        JnlpProtocolHandler<? extends JnlpConnectionState> clientProtocolHandler = createClientProtocolHandler(factory, useNioHubClient);
+        HashMap<String, String> clientProps = createClientProperties(factory, "WrongSecret");
+        Future<Channel> clientChannelFuture = createChannelConnector(clientSocketChannel, clientProtocolHandler, clientProps, APPROVING_STATE_CONSUMER);
+        readAndCheckProtocol(factory);
+        Future<Channel> serverChannelFuture = createChannelHandler(serverSocketChannel, serverProtocolHandler, new HashMap<>(), APPROVING_STATE_CONSUMER);
+        assertChannelFails(clientChannelFuture, serverChannelFuture, ConnectionRefusalException.class);
+    }
 
-                    @Override
-                    public void beforeChannel(@NonNull JnlpConnectionState event) {
-                        event.getChannelBuilder().withMode(Channel.Mode.BINARY);
-                    }
+    private Future<Channel> createChannelConnector(SocketChannel channel, JnlpProtocolHandler<? extends JnlpConnectionState> protocolHandler,
+                                                   HashMap<String, String> properties,
+                                                   Consumer<JnlpConnectionState> afterPropertiesConsumer) throws IOException {
+        return protocolHandler.connect(channel.socket(), properties, new StateListener(afterPropertiesConsumer, Channel.Mode.BINARY));
+    }
 
-                    @Override
-                    public void afterChannel(@NonNull JnlpConnectionState event) {
-                    }
-                });
-        ByteBuffer len = ByteBuffer.wrap(new byte[2]);
-        while (len.hasRemaining()) {
-            eastChannel.read(len);
-        }
-        byte[] bytes = new byte[((len.get(0) << 8) & 0xff00) + (len.get(1) & 0xff)];
-        ByteBuffer content = ByteBuffer.wrap(bytes);
-        while (content.hasRemaining()) {
-            eastChannel.read(content);
-        }
-        assertThat(new String(bytes, Charsets.UTF_8), is("Protocol:" + factory.toString()));
-        Future<Channel> eastChan = eastProto
-                .handle(eastChannel.socket(), new HashMap<String, String>(), new JnlpConnectionStateListener() {
-                    @Override
-                    public void afterProperties(@NonNull JnlpConnectionState event) {
-                        event.approve();
-                    }
+    private Future<Channel> createChannelHandler(SocketChannel channel, JnlpProtocolHandler<? extends JnlpConnectionState> protocolHandler,
+                                                 HashMap<String, String> properties,
+                                                 Consumer<JnlpConnectionState> afterPropertiesConsumer) throws IOException {
+        return protocolHandler.handle(channel.socket(), properties, new StateListener(afterPropertiesConsumer, Channel.Mode.NEGOTIATE));
+    }
 
-                    @Override
-                    public void beforeChannel(@NonNull JnlpConnectionState event) {
-                        event.getChannelBuilder().withMode(Channel.Mode.NEGOTIATE);
-                    }
+    private HashMap<String, String> createClientProperties(Factory factory, String secretKey) {
+        HashMap<String, String> clientProps = new HashMap<>();
+        clientProps.put(JnlpConnectionState.CLIENT_NAME_KEY, "client-" + factory);
+        clientProps.put(JnlpConnectionState.SECRET_KEY, secretKey);
+        return clientProps;
+    }
 
-                    @Override
-                    public void afterChannel(@NonNull JnlpConnectionState event) {
-                    }
-                });
-        try {
-            eastRemoting = eastChan.get(10, TimeUnit.SECONDS);
-            fail();
-        } catch (ExecutionException e) {
-            assertThat(e.getCause(), instanceOf(ConnectionRefusalException.class));
-        }
-        try {
-            westRemoting = westChan.get(10, TimeUnit.SECONDS);
-            fail();
-        } catch (ExecutionException e) {
-            assertThat(e.getCause(), instanceOf(ConnectionRefusalException.class));
-        }
+    private JnlpProtocolHandler<? extends JnlpConnectionState> createClientProtocolHandler(Factory factory, boolean useNioHubClient) {
+        return factory.create(null, executorService, selector, useNioHubClient ? hub : null, clientCtx.context(), useNioHubClient);
     }
 
-    @Theory
-    public void wrongSecret(Factory factory, boolean useNioHubServer, boolean useNioHubClient) throws Exception {
-        System.out.println("Testing factory " + factory);
-        JnlpProtocolHandler<? extends JnlpConnectionState> eastProto = factory.create(new JnlpClientDatabase() {
+    private JnlpProtocolHandler<? extends JnlpConnectionState> createServerProtocolHandler(Factory factory,
+                                                                                           boolean useNioHubServer,
+                                                                                           String secretKey,
+                                                                                           boolean exists) {
+        return factory.create(new JnlpClientDatabase() {
             @Override
             public boolean exists(String clientName) {
-                return true;
+                return exists;
             }
 
             @Override
             public String getSecretOf(@Nonnull String clientName) {
-                return "SuperSecret-" + clientName;
+                return secretKey;
             }
         }, executorService, selector, hub, serverCtx.context(), useNioHubServer);
-        JnlpProtocolHandler<? extends JnlpConnectionState> westProto =
-                factory.create(null, executorService, selector, useNioHubClient ? hub : null, clientCtx.context(), useNioHubClient);
-        HashMap<String, String> westProps = new HashMap<String, String>();
-        westProps.put(JnlpConnectionState.CLIENT_NAME_KEY, "happy-path-" + factory);
-        westProps.put(JnlpConnectionState.SECRET_KEY, "WrongSecret-happy-path-" + factory);
-        Future<Channel> westChan = westProto
-                .connect(westChannel.socket(), westProps, new JnlpConnectionStateListener() {
-                    @Override
-                    public void afterProperties(@NonNull JnlpConnectionState event) {
-                        event.approve();
-                    }
-
-                    @Override
-                    public void beforeChannel(@NonNull JnlpConnectionState event) {
-                        event.getChannelBuilder().withMode(Channel.Mode.BINARY);
-                    }
+    }
 
-                    @Override
-                    public void afterChannel(@NonNull JnlpConnectionState event) {
-                    }
-                });
+    private void readAndCheckProtocol(Factory factory) throws IOException {
         ByteBuffer len = ByteBuffer.wrap(new byte[2]);
         while (len.hasRemaining()) {
-            eastChannel.read(len);
+            serverSocketChannel.read(len);
         }
         byte[] bytes = new byte[((len.get(0) << 8) & 0xff00) + (len.get(1) & 0xff)];
         ByteBuffer content = ByteBuffer.wrap(bytes);
         while (content.hasRemaining()) {
-            eastChannel.read(content);
+            serverSocketChannel.read(content);
         }
-        assertThat(new String(bytes, Charsets.UTF_8), is("Protocol:" + factory.toString()));
-        Future<Channel> eastChan = eastProto
-                .handle(eastChannel.socket(), new HashMap<String, String>(), new JnlpConnectionStateListener() {
-                    @Override
-                    public void afterProperties(@NonNull JnlpConnectionState event) {
-                        event.approve();
-                    }
-
-                    @Override
-                    public void beforeChannel(@NonNull JnlpConnectionState event) {
-                        event.getChannelBuilder().withMode(Channel.Mode.NEGOTIATE);
-                    }
+        assertThat(new String(bytes, StandardCharsets.UTF_8), is("Protocol:" + factory.toString()));
+    }
 
-                    @Override
-                    public void afterChannel(@NonNull JnlpConnectionState event) {
-                    }
-                });
+    private void assertChannelFails(Future<Channel> clientChannelFuture,
+                                    Future<Channel> serverChannelFuture,
+                                    Class<? extends Exception> serverExceptionType) throws InterruptedException, java.util.concurrent.TimeoutException {
         try {
-            eastRemoting = eastChan.get(10, TimeUnit.SECONDS);
+            serverRemotingChannel = serverChannelFuture.get(10, TimeUnit.SECONDS);
             fail();
         } catch (ExecutionException e) {
-            assertThat(e.getCause(), instanceOf(ConnectionRefusalException.class));
+            assertThat(e.getCause(), instanceOf(serverExceptionType));
         }
         try {
-            westRemoting = westChan.get(10, TimeUnit.SECONDS);
+            clientRemotingChannel = clientChannelFuture.get(10, TimeUnit.SECONDS);
             fail();
         } catch (ExecutionException e) {
-            assertThat(e.getCause(), instanceOf(ConnectionRefusalException.class));
+            assertThat(e.getCause(), instanceOf(IOException.class));
         }
     }
 
@@ -701,51 +315,6 @@ public static boolean[] useNioHub() {
     @DataPoints
     public static Factory[] protocols() {
         return new Factory[]{
-                new Factory() {
-                    @Override
-                    public JnlpProtocolHandler<? extends JnlpConnectionState> create(JnlpClientDatabase db,
-                                                                                     ExecutorService svc,
-                                                                                     IOHub selector, NioChannelHub hub,
-                                                                                     SSLContext ctx,
-                                                                                     boolean preferNio) {
-                        return new JnlpProtocol1Handler(db, svc, hub, preferNio);
-                    }
-
-                    @Override
-                    public String toString() {
-                        return "JNLP-connect";
-                    }
-                },
-                new Factory() {
-                    @Override
-                    public JnlpProtocolHandler<? extends JnlpConnectionState> create(JnlpClientDatabase db,
-                                                                                     ExecutorService svc,
-                                                                                     IOHub selector, NioChannelHub hub,
-                                                                                     SSLContext ctx,
-                                                                                     boolean preferNio) {
-                        return new JnlpProtocol2Handler(db, svc, hub, preferNio);
-                    }
-
-                    @Override
-                    public String toString() {
-                        return "JNLP2-connect";
-                    }
-                },
-                new Factory() {
-                    @Override
-                    public JnlpProtocolHandler<? extends JnlpConnectionState> create(JnlpClientDatabase db,
-                                                                                     ExecutorService svc,
-                                                                                     IOHub selector, NioChannelHub hub,
-                                                                                     SSLContext ctx,
-                                                                                     boolean preferNio) {
-                        return new JnlpProtocol3Handler(db, svc, hub, preferNio);
-                    }
-
-                    @Override
-                    public String toString() {
-                        return "JNLP3-connect";
-                    }
-                },
                 new Factory() {
                     @Override
                     public JnlpProtocolHandler<? extends JnlpConnectionState> create(JnlpClientDatabase db,
@@ -781,6 +350,29 @@ public String toString() {
         };
     }
 
+    private class StateListener extends JnlpConnectionStateListener {
+        private Channel.Mode mode;
+        private Consumer<JnlpConnectionState> afterPropertiesConsumer;
+
+        StateListener(Consumer<JnlpConnectionState> afterPropertiesConsumer, Channel.Mode mode) {
+            this.mode = mode;
+            this.afterPropertiesConsumer = afterPropertiesConsumer;
+        }
+
+        @Override
+        public void afterProperties(@NonNull JnlpConnectionState event) {
+            afterPropertiesConsumer.accept(event);
+        }
+
+        @Override
+        public void beforeChannel(@NonNull JnlpConnectionState event) {
+            event.getChannelBuilder().withMode(mode);
+        }
+
+        @Override
+        public void afterChannel(@NonNull JnlpConnectionState event) {
+        }
+    }
 
     public interface Factory {
         JnlpProtocolHandler<? extends JnlpConnectionState> create(JnlpClientDatabase db, ExecutorService svc,
diff --git a/src/test/java/org/jenkinsci/remoting/engine/WorkDirManagerTest.java b/src/test/java/org/jenkinsci/remoting/engine/WorkDirManagerTest.java
index 83efda883..c120067b7 100644
--- a/src/test/java/org/jenkinsci/remoting/engine/WorkDirManagerTest.java
+++ b/src/test/java/org/jenkinsci/remoting/engine/WorkDirManagerTest.java
@@ -26,6 +26,7 @@
 
 package org.jenkinsci.remoting.engine;
 
+import static hudson.remoting.Launcher.isWindows;
 import org.apache.commons.io.FileUtils;
 import org.junit.Assert;
 import org.junit.Rule;
@@ -34,10 +35,13 @@
 
 import java.io.File;
 import java.io.FileInputStream;
+import java.io.FileOutputStream;
 import java.io.FileWriter;
 import java.io.IOException;
+import java.io.OutputStream;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.util.Properties;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.annotation.Nonnull;
@@ -48,6 +52,7 @@
 
 import org.jenkinsci.remoting.engine.WorkDirManager.DirType;
 import org.junit.After;
+import org.junit.Assume;
 import org.junit.Before;
 import org.jvnet.hudson.test.Bug;
 
@@ -255,14 +260,15 @@ private void doTestLoggingConfig(File loggingConfigFile, boolean passToManager)
         final File workDir = tmpDir.newFolder("workDir");
         final File customLogDir = tmpDir.newFolder("mylogs");
         
+        Properties p = new Properties();
+        p.setProperty("handlers", "java.util.logging.FileHandler");
+        p.setProperty("java.util.logging.FileHandler.pattern", customLogDir.getAbsolutePath() + File.separator  + "mylog.log.%g");
+        p.setProperty("java.util.logging.FileHandler.limit", "81920");
+        p.setProperty("java.util.logging.FileHandler.count", "5");
+        
         // Create config file
-        try (FileWriter wr = new FileWriter(loggingConfigFile)) {
-            // Init FileHandler with default XML formatter
-            wr.write("handlers= java.util.logging.FileHandler\n");
-            // TODO: It won't work well on Windows
-            wr.write("java.util.logging.FileHandler.pattern=" + customLogDir.getAbsolutePath() + "/mylog.log.%g\n");
-            wr.write("java.util.logging.FileHandler.limit=81920\n");
-            wr.write("java.util.logging.FileHandler.count=5\n");
+        try (OutputStream out = new FileOutputStream(loggingConfigFile)) {
+            p.store(out, "Just a config file");
         }
         
         // Init WorkDirManager
@@ -284,7 +290,7 @@ private void doTestLoggingConfig(File loggingConfigFile, boolean passToManager)
                 defaultLog0.exists());
         
         // Assert that logs have been written to the specified custom destination
-        assertFileLogsExist(customLogDir, "mylog.log", 0);
+        assertFileLogsExist(customLogDir, "mylog.log", 1);
         File log0 = new File(customLogDir, "mylog.log.0");
         try (FileInputStream istr = new FileInputStream(log0)) {
             String contents = IOUtils.toString(istr);
@@ -343,20 +349,23 @@ private void assertDoesNotCreateDisabledDir(File workDir, DirType type) throws A
 
     private void verifyDirectoryFlag(DirType type, DirectoryFlag flag) throws IOException, AssertionError {
         final File dir = tmpDir.newFolder("test-" + type.getClass().getSimpleName() + "-" + flag);
-
+        
+        boolean success = false;
+        File dirToModify = dir;
         switch (type) {
             case WORK_DIR:
-                flag.modifyFile(dir);
+                success = flag.modifyFile(dir);
                 break;
             case INTERNAL_DIR:
                 // Then we create remoting dir and also modify it
-                File remotingDir = new File(dir, DirType.INTERNAL_DIR.getDefaultLocation());
-                remotingDir.mkdir();
-                flag.modifyFile(remotingDir);
+                dirToModify = new File(dir, DirType.INTERNAL_DIR.getDefaultLocation());
+                Files.createDirectory(dirToModify.toPath());
+                success = flag.modifyFile(dirToModify);
                 break;
             default:
                 Assert.fail("Unsupported Directory type: " + type);
         }
+        Assume.assumeTrue(String.format("Failed to modify flag %s of %s", flag, dirToModify), success);
 
         try {
             WorkDirManager.getInstance().initializeWorkDir(dir, DirType.INTERNAL_DIR.getDefaultLocation(), false);
@@ -373,19 +382,22 @@ private enum DirectoryFlag {
         NOT_READABLE,
         NOT_EXECUTABLE;
 
-        public void modifyFile(File file) throws AssertionError {
+        /**
+         * Modifies the file's flag.
+         * @param file File to modify
+         * @return {@code true} if the operation succeeds
+         */
+        public boolean modifyFile(File file) throws AssertionError {
             switch (this) {
                 case NOT_EXECUTABLE:
-                    file.setExecutable(false);
-                    break;
+                    return file.setExecutable(false);
                 case NOT_WRITABLE:
-                    file.setWritable(false);
-                    break;
+                    return file.setWritable(false);
                 case NOT_READABLE:
-                    file.setReadable(false);
-                    break;
+                    return file.setReadable(false);
                 default:
                     Assert.fail("Unsupported file mode " + this);
+                    return false;
             }
         }
     }
diff --git a/src/test/java/org/jenkinsci/remoting/nio/SocketClientMain.java b/src/test/java/org/jenkinsci/remoting/nio/SocketClientMain.java
index 98bd22fb5..b2d38a0a7 100644
--- a/src/test/java/org/jenkinsci/remoting/nio/SocketClientMain.java
+++ b/src/test/java/org/jenkinsci/remoting/nio/SocketClientMain.java
@@ -42,13 +42,21 @@ public static void main(String[] args) throws Exception {
     }
 
     private static String echo(Channel ch, final String arg) throws Exception {
-        return ch.call(new CallableBase<String, Exception>() {
-            public String call() throws Exception {
-                LOGGER.info("Echoing back "+arg);
-                return arg;
-            }
-        });
+        return ch.call(new EchoingCallable(arg));
     }
 
     private static final Logger LOGGER = Logger.getLogger(SocketClientMain.class.getName());
+
+    private static class EchoingCallable extends CallableBase<String, Exception> {
+        private final String arg;
+
+        public EchoingCallable(String arg) {
+            this.arg = arg;
+        }
+
+        public String call() throws Exception {
+            LOGGER.info("Echoing back " + arg);
+            return arg;
+        }
+    }
 }
diff --git a/src/test/java/org/jenkinsci/remoting/org/apache/commons/net/util/SubnetUtilsTest.java b/src/test/java/org/jenkinsci/remoting/org/apache/commons/net/util/SubnetUtilsTest.java
new file mode 100644
index 000000000..3bb9e96c0
--- /dev/null
+++ b/src/test/java/org/jenkinsci/remoting/org/apache/commons/net/util/SubnetUtilsTest.java
@@ -0,0 +1,340 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.jenkinsci.remoting.org.apache.commons.net.util;
+
+import org.jenkinsci.remoting.org.apache.commons.net.util.SubnetUtils.SubnetInfo;
+
+import junit.framework.TestCase;
+
+@SuppressWarnings("deprecation") // deliberate use of deprecated methods
+public class SubnetUtilsTest extends TestCase {
+
+    // TODO Lower address test
+    public void testAddresses() {
+        SubnetUtils utils = new SubnetUtils("192.168.0.1/29");
+        SubnetInfo info = utils.getInfo();
+        assertTrue(info.isInRange("192.168.0.1"));
+        // We don't count the broadcast address as usable
+        assertFalse(info.isInRange("192.168.0.7"));
+        assertFalse(info.isInRange("192.168.0.8"));
+        assertFalse(info.isInRange("10.10.2.1"));
+        assertFalse(info.isInRange("192.168.1.1"));
+        assertFalse(info.isInRange("192.168.0.255"));
+    }
+
+    /**
+     * Test using the inclusiveHostCount flag, which includes the network and broadcast addresses in host counts
+     */
+    public void testCidrAddresses() {
+        SubnetUtils utils = new SubnetUtils("192.168.0.1/8");
+        utils.setInclusiveHostCount(true);
+        SubnetInfo info = utils.getInfo();
+        assertEquals("255.0.0.0", info.getNetmask());
+        assertEquals(16777216, info.getAddressCount());
+
+        utils = new SubnetUtils("192.168.0.1/9");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("255.128.0.0", info.getNetmask());
+        assertEquals(8388608, info.getAddressCount());
+
+        utils = new SubnetUtils("192.168.0.1/10");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("255.192.0.0", info.getNetmask());
+        assertEquals(4194304, info.getAddressCount());
+
+        utils = new SubnetUtils("192.168.0.1/11");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("255.224.0.0", info.getNetmask());
+        assertEquals(2097152, info.getAddressCount());
+
+        utils = new SubnetUtils("192.168.0.1/12");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("255.240.0.0", info.getNetmask());
+        assertEquals(1048576, info.getAddressCount());
+
+        utils = new SubnetUtils("192.168.0.1/13");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("255.248.0.0", info.getNetmask());
+        assertEquals(524288, info.getAddressCount());
+
+        utils = new SubnetUtils("192.168.0.1/14");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("255.252.0.0", info.getNetmask());
+        assertEquals(262144, info.getAddressCount());
+
+        utils = new SubnetUtils("192.168.0.1/15");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("255.254.0.0", info.getNetmask());
+        assertEquals(131072, info.getAddressCount());
+
+        utils = new SubnetUtils("192.168.0.1/16");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("255.255.0.0", info.getNetmask());
+        assertEquals(65536, info.getAddressCount());
+
+        utils = new SubnetUtils("192.168.0.1/17");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("255.255.128.0", info.getNetmask());
+        assertEquals(32768, info.getAddressCount());
+
+        utils = new SubnetUtils("192.168.0.1/18");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("255.255.192.0", info.getNetmask());
+        assertEquals(16384, info.getAddressCount());
+
+        utils = new SubnetUtils("192.168.0.1/19");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("255.255.224.0", info.getNetmask());
+        assertEquals(8192, info.getAddressCount());
+
+        utils = new SubnetUtils("192.168.0.1/20");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("255.255.240.0", info.getNetmask());
+        assertEquals(4096, info.getAddressCount());
+
+        utils = new SubnetUtils("192.168.0.1/21");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("255.255.248.0", info.getNetmask());
+        assertEquals(2048, info.getAddressCount());
+
+        utils = new SubnetUtils("192.168.0.1/22");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("255.255.252.0", info.getNetmask());
+        assertEquals(1024, info.getAddressCount());
+
+        utils = new SubnetUtils("192.168.0.1/23");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("255.255.254.0", info.getNetmask());
+        assertEquals(512, info.getAddressCount());
+
+        utils = new SubnetUtils("192.168.0.1/24");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("255.255.255.0", info.getNetmask());
+        assertEquals(256, info.getAddressCount());
+
+        utils = new SubnetUtils("192.168.0.1/25");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("255.255.255.128", info.getNetmask());
+        assertEquals(128, info.getAddressCount());
+
+        utils = new SubnetUtils("192.168.0.1/26");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("255.255.255.192", info.getNetmask());
+        assertEquals(64, info.getAddressCount());
+
+        utils = new SubnetUtils("192.168.0.1/27");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("255.255.255.224", info.getNetmask());
+        assertEquals(32, info.getAddressCount());
+
+        utils = new SubnetUtils("192.168.0.1/28");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("255.255.255.240", info.getNetmask());
+        assertEquals(16, info.getAddressCount());
+
+        utils = new SubnetUtils("192.168.0.1/29");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("255.255.255.248", info.getNetmask());
+        assertEquals(8, info.getAddressCount());
+
+        utils = new SubnetUtils("192.168.0.1/30");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("255.255.255.252", info.getNetmask());
+        assertEquals(4, info.getAddressCount());
+
+        utils = new SubnetUtils("192.168.0.1/31");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("255.255.255.254", info.getNetmask());
+        assertEquals(2, info.getAddressCount());
+
+        utils = new SubnetUtils("192.168.0.1/32");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("255.255.255.255", info.getNetmask());
+        assertEquals(1, info.getAddressCount());
+
+        new SubnetUtils("192.168.0.1/1");
+    }
+
+    public void testInvalidMasks() {
+        try {
+            new SubnetUtils("192.168.0.1/33");
+            fail("Should have thrown IllegalArgumentException");
+        } catch (IllegalArgumentException expected) {
+            // Ignored
+        }
+    }
+
+    public void testNET428_31() throws Exception {
+        final SubnetUtils subnetUtils = new SubnetUtils("1.2.3.4/31");
+        assertEquals(0, subnetUtils.getInfo().getAddressCount());
+        String[] address = subnetUtils.getInfo().getAllAddresses();
+        assertNotNull(address);
+        assertEquals(0, address.length);
+    }
+
+    public void testNET428_32() throws Exception {
+        final SubnetUtils subnetUtils = new SubnetUtils("1.2.3.4/32");
+        assertEquals(0, subnetUtils.getInfo().getAddressCount());
+        String[] address = subnetUtils.getInfo().getAllAddresses();
+        assertNotNull(address);
+        assertEquals(0, address.length);
+    }
+
+    public void testParseSimpleNetmask() {
+        final String address = "192.168.0.1";
+        final String masks[] = new String[] { "255.0.0.0", "255.255.0.0", "255.255.255.0", "255.255.255.248" };
+        final String bcastAddresses[] = new String[] { "192.255.255.255", "192.168.255.255", "192.168.0.255",
+                "192.168.0.7" };
+        final String lowAddresses[] = new String[] { "192.0.0.1", "192.168.0.1", "192.168.0.1", "192.168.0.1" };
+        final String highAddresses[] = new String[] { "192.255.255.254", "192.168.255.254", "192.168.0.254",
+                "192.168.0.6" };
+        final String networkAddresses[] = new String[] { "192.0.0.0", "192.168.0.0", "192.168.0.0", "192.168.0.0" };
+        final String cidrSignatures[] = new String[] { "192.168.0.1/8", "192.168.0.1/16", "192.168.0.1/24",
+                "192.168.0.1/29" };
+        final int usableAddresses[] = new int[] { 16777214, 65534, 254, 6 };
+
+        for (int i = 0; i < masks.length; ++i) {
+            SubnetUtils utils = new SubnetUtils(address, masks[i]);
+            SubnetInfo info = utils.getInfo();
+            assertEquals(bcastAddresses[i], info.getBroadcastAddress());
+            assertEquals(cidrSignatures[i], info.getCidrSignature());
+            assertEquals(lowAddresses[i], info.getLowAddress());
+            assertEquals(highAddresses[i], info.getHighAddress());
+            assertEquals(networkAddresses[i], info.getNetworkAddress());
+            assertEquals(usableAddresses[i], info.getAddressCount());
+        }
+    }
+
+    public void testParseSimpleNetmaskExclusive() {
+        String address = "192.168.15.7";
+        String masks[] = new String[] { "255.255.255.252", "255.255.255.254", "255.255.255.255" };
+        String bcast[] = new String[] { "192.168.15.7", "192.168.15.7", "192.168.15.7" };
+        String netwk[] = new String[] { "192.168.15.4", "192.168.15.6", "192.168.15.7" };
+        String lowAd[] = new String[] { "192.168.15.5", "0.0.0.0", "0.0.0.0" };
+        String highA[] = new String[] { "192.168.15.6", "0.0.0.0", "0.0.0.0" };
+        String cidrS[] = new String[] { "192.168.15.7/30", "192.168.15.7/31", "192.168.15.7/32" };
+        int usableAd[] = new int[] { 2, 0, 0 };
+        // low and high addresses don't exist
+
+        for (int i = 0; i < masks.length; ++i) {
+            SubnetUtils utils = new SubnetUtils(address, masks[i]);
+            utils.setInclusiveHostCount(false);
+            SubnetInfo info = utils.getInfo();
+            assertEquals("ci " + masks[i], cidrS[i], info.getCidrSignature());
+            assertEquals("bc " + masks[i], bcast[i], info.getBroadcastAddress());
+            assertEquals("nw " + masks[i], netwk[i], info.getNetworkAddress());
+            assertEquals("ac " + masks[i], usableAd[i], info.getAddressCount());
+            assertEquals("lo " + masks[i], lowAd[i], info.getLowAddress());
+            assertEquals("hi " + masks[i], highA[i], info.getHighAddress());
+        }
+    }
+
+    public void testParseSimpleNetmaskInclusive() {
+        String address = "192.168.15.7";
+        String masks[] = new String[] { "255.255.255.252", "255.255.255.254", "255.255.255.255" };
+        String bcast[] = new String[] { "192.168.15.7", "192.168.15.7", "192.168.15.7" };
+        String netwk[] = new String[] { "192.168.15.4", "192.168.15.6", "192.168.15.7" };
+        String lowAd[] = new String[] { "192.168.15.4", "192.168.15.6", "192.168.15.7" };
+        String highA[] = new String[] { "192.168.15.7", "192.168.15.7", "192.168.15.7" };
+        String cidrS[] = new String[] { "192.168.15.7/30", "192.168.15.7/31", "192.168.15.7/32" };
+        int usableAd[] = new int[] { 4, 2, 1 };
+
+        for (int i = 0; i < masks.length; ++i) {
+            SubnetUtils utils = new SubnetUtils(address, masks[i]);
+            utils.setInclusiveHostCount(true);
+            SubnetInfo info = utils.getInfo();
+            assertEquals("ci " + masks[i], cidrS[i], info.getCidrSignature());
+            assertEquals("bc " + masks[i], bcast[i], info.getBroadcastAddress());
+            assertEquals("ac " + masks[i], usableAd[i], info.getAddressCount());
+            assertEquals("nw " + masks[i], netwk[i], info.getNetworkAddress());
+            assertEquals("lo " + masks[i], lowAd[i], info.getLowAddress());
+            assertEquals("hi " + masks[i], highA[i], info.getHighAddress());
+        }
+    }
+
+    public void testZeroAddressAndCidr() {
+        new SubnetUtils("0.0.0.0/0");
+    }
+
+    public void testNET521() {
+        SubnetUtils utils;
+        SubnetInfo info;
+
+        utils = new SubnetUtils("0.0.0.0/0");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("0.0.0.0", info.getNetmask());
+        assertEquals(4294967296L, info.getAddressCountLong());
+        try {
+            info.getAddressCount();
+            fail("Expected RuntimeException");
+        } catch (RuntimeException expected) {
+            // ignored
+        }
+        utils = new SubnetUtils("128.0.0.0/1");
+        utils.setInclusiveHostCount(true);
+        info = utils.getInfo();
+        assertEquals("128.0.0.0", info.getNetmask());
+        assertEquals(2147483648L, info.getAddressCountLong());
+        try {
+            info.getAddressCount();
+            fail("Expected RuntimeException");
+        } catch (RuntimeException expected) {
+            // ignored
+        }
+        // if we exclude the broadcast and network addresses, the count is less than Integer.MAX_VALUE
+        utils.setInclusiveHostCount(false);
+        info = utils.getInfo();
+        assertEquals(2147483646, info.getAddressCount());
+    }
+
+    public void testNET520() {
+        SubnetUtils utils = new SubnetUtils("0.0.0.0/0");
+        utils.setInclusiveHostCount(true);
+        SubnetInfo info = utils.getInfo();
+        assertEquals("0.0.0.0",info.getNetworkAddress());
+        assertEquals("255.255.255.255",info.getBroadcastAddress());
+        assertTrue(info.isInRange("127.0.0.0"));
+        utils.setInclusiveHostCount(false);
+        assertTrue(info.isInRange("127.0.0.0"));
+    }
+}
diff --git a/src/test/java/org/jenkinsci/remoting/org/apache/commons/validator/routines/InetAddressValidatorTest.java b/src/test/java/org/jenkinsci/remoting/org/apache/commons/validator/routines/InetAddressValidatorTest.java
new file mode 100644
index 000000000..c2b14a415
--- /dev/null
+++ b/src/test/java/org/jenkinsci/remoting/org/apache/commons/validator/routines/InetAddressValidatorTest.java
@@ -0,0 +1,604 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.jenkinsci.remoting.org.apache.commons.validator.routines;
+
+import junit.framework.TestCase;
+
+/**
+ * Test cases for InetAddressValidator.
+ *
+ * @version $Revision$
+ */
+public class InetAddressValidatorTest extends TestCase {
+
+    private InetAddressValidator validator;
+
+    /**
+     * Constructor.
+     * @param name
+     */
+    public InetAddressValidatorTest(String name) {
+        super(name);
+    }
+
+    @Override
+    protected void setUp() {
+        validator = new InetAddressValidator();
+    }
+
+    /**
+     * Test IPs that point to real, well-known hosts (without actually looking them up).
+     */
+    public void testInetAddressesFromTheWild() {
+        assertTrue("www.apache.org IP should be valid",       validator.isValid("140.211.11.130"));
+        assertTrue("www.l.google.com IP should be valid",     validator.isValid("72.14.253.103"));
+        assertTrue("fsf.org IP should be valid",              validator.isValid("199.232.41.5"));
+        assertTrue("appscs.ign.com IP should be valid",       validator.isValid("216.35.123.87"));
+    }
+
+    public void testVALIDATOR_335() {
+        assertTrue("2001:0438:FFFE:0000:0000:0000:0000:0A35 should be valid",       validator.isValid("2001:0438:FFFE:0000:0000:0000:0000:0A35"));
+    }
+
+    /**
+     * Test valid and invalid IPs from each address class.
+     */
+    public void testInetAddressesByClass() {
+        assertTrue("class A IP should be valid",              validator.isValid("24.25.231.12"));
+        assertFalse("illegal class A IP should be invalid",   validator.isValid("2.41.32.324"));
+
+        assertTrue("class B IP should be valid",              validator.isValid("135.14.44.12"));
+        assertFalse("illegal class B IP should be invalid",   validator.isValid("154.123.441.123"));
+
+        assertTrue("class C IP should be valid",              validator.isValid("213.25.224.32"));
+        assertFalse("illegal class C IP should be invalid",   validator.isValid("201.543.23.11"));
+
+        assertTrue("class D IP should be valid",              validator.isValid("229.35.159.6"));
+        assertFalse("illegal class D IP should be invalid",   validator.isValid("231.54.11.987"));
+
+        assertTrue("class E IP should be valid",              validator.isValid("248.85.24.92"));
+        assertFalse("illegal class E IP should be invalid",   validator.isValid("250.21.323.48"));
+    }
+
+    /**
+     * Test reserved IPs.
+     */
+    public void testReservedInetAddresses() {
+        assertTrue("localhost IP should be valid",            validator.isValid("127.0.0.1"));
+        assertTrue("broadcast IP should be valid",            validator.isValid("255.255.255.255"));
+    }
+
+    /**
+     * Test obviously broken IPs.
+     */
+    public void testBrokenInetAddresses() {
+        assertFalse("IP with characters should be invalid",     validator.isValid("124.14.32.abc"));
+        assertFalse("IP with leading zeroes should be invalid", validator.isValid("124.14.32.01"));
+        assertFalse("IP with three groups should be invalid",   validator.isValid("23.64.12"));
+        assertFalse("IP with five groups should be invalid",    validator.isValid("26.34.23.77.234"));
+    }
+
+    /**
+     * Test IPv6 addresses.
+     * <p>These tests were ported from a
+     * <a href="http://download.dartware.com/thirdparty/test-ipv6-regex.pl">Perl script</a>.</p>
+     * 
+     */
+    public void testIPv6() {
+        // The original Perl script contained a lot of duplicate tests.
+        // I removed the duplicates I noticed, but there may be more.
+        assertFalse("IPV6 empty string should be invalid", validator.isValidInet6Address(""));// empty string 
+        assertTrue("IPV6 ::1 should be valid", validator.isValidInet6Address("::1"));// loopback, compressed, non-routable 
+        assertTrue("IPV6 :: should be valid", validator.isValidInet6Address("::"));// unspecified, compressed, non-routable 
+        assertTrue("IPV6 0:0:0:0:0:0:0:1 should be valid", validator.isValidInet6Address("0:0:0:0:0:0:0:1"));// loopback, full 
+        assertTrue("IPV6 0:0:0:0:0:0:0:0 should be valid", validator.isValidInet6Address("0:0:0:0:0:0:0:0"));// unspecified, full 
+        assertTrue("IPV6 2001:DB8:0:0:8:800:200C:417A should be valid", validator.isValidInet6Address("2001:DB8:0:0:8:800:200C:417A"));// unicast, full 
+        assertTrue("IPV6 FF01:0:0:0:0:0:0:101 should be valid", validator.isValidInet6Address("FF01:0:0:0:0:0:0:101"));// multicast, full 
+        assertTrue("IPV6 2001:DB8::8:800:200C:417A should be valid", validator.isValidInet6Address("2001:DB8::8:800:200C:417A"));// unicast, compressed 
+        assertTrue("IPV6 FF01::101 should be valid", validator.isValidInet6Address("FF01::101"));// multicast, compressed 
+        assertFalse("IPV6 2001:DB8:0:0:8:800:200C:417A:221 should be invalid", validator.isValidInet6Address("2001:DB8:0:0:8:800:200C:417A:221"));// unicast, full 
+        assertFalse("IPV6 FF01::101::2 should be invalid", validator.isValidInet6Address("FF01::101::2"));// multicast, compressed 
+        assertTrue("IPV6 fe80::217:f2ff:fe07:ed62 should be valid", validator.isValidInet6Address("fe80::217:f2ff:fe07:ed62"));
+        assertTrue("IPV6 2001:0000:1234:0000:0000:C1C0:ABCD:0876 should be valid", validator.isValidInet6Address("2001:0000:1234:0000:0000:C1C0:ABCD:0876"));
+        assertTrue("IPV6 3ffe:0b00:0000:0000:0001:0000:0000:000a should be valid", validator.isValidInet6Address("3ffe:0b00:0000:0000:0001:0000:0000:000a"));
+        assertTrue("IPV6 FF02:0000:0000:0000:0000:0000:0000:0001 should be valid", validator.isValidInet6Address("FF02:0000:0000:0000:0000:0000:0000:0001"));
+        assertTrue("IPV6 0000:0000:0000:0000:0000:0000:0000:0001 should be valid", validator.isValidInet6Address("0000:0000:0000:0000:0000:0000:0000:0001"));
+        assertTrue("IPV6 0000:0000:0000:0000:0000:0000:0000:0000 should be valid", validator.isValidInet6Address("0000:0000:0000:0000:0000:0000:0000:0000"));
+        assertFalse("IPV6 02001:0000:1234:0000:0000:C1C0:ABCD:0876 should be invalid", validator.isValidInet6Address("02001:0000:1234:0000:0000:C1C0:ABCD:0876")); // extra 0 not allowed! 
+        assertFalse("IPV6 2001:0000:1234:0000:00001:C1C0:ABCD:0876 should be invalid", validator.isValidInet6Address("2001:0000:1234:0000:00001:C1C0:ABCD:0876")); // extra 0 not allowed! 
+        assertFalse("IPV6 2001:0000:1234:0000:0000:C1C0:ABCD:0876 0 should be invalid", validator.isValidInet6Address("2001:0000:1234:0000:0000:C1C0:ABCD:0876 0")); // junk after valid address
+        assertFalse("IPV6 2001:0000:1234: 0000:0000:C1C0:ABCD:0876 should be invalid", validator.isValidInet6Address("2001:0000:1234: 0000:0000:C1C0:ABCD:0876")); // internal space
+        assertFalse("IPV6 3ffe:0b00:0000:0001:0000:0000:000a should be invalid", validator.isValidInet6Address("3ffe:0b00:0000:0001:0000:0000:000a")); // seven segments
+        assertFalse("IPV6 FF02:0000:0000:0000:0000:0000:0000:0000:0001 should be invalid", validator.isValidInet6Address("FF02:0000:0000:0000:0000:0000:0000:0000:0001")); // nine segments
+        assertFalse("IPV6 3ffe:b00::1::a should be invalid", validator.isValidInet6Address("3ffe:b00::1::a")); // double "::"
+        assertFalse("IPV6 ::1111:2222:3333:4444:5555:6666:: should be invalid", validator.isValidInet6Address("::1111:2222:3333:4444:5555:6666::")); // double "::"
+        assertTrue("IPV6 2::10 should be valid", validator.isValidInet6Address("2::10"));
+        assertTrue("IPV6 ff02::1 should be valid", validator.isValidInet6Address("ff02::1"));
+        assertTrue("IPV6 fe80:: should be valid", validator.isValidInet6Address("fe80::"));
+        assertTrue("IPV6 2002:: should be valid", validator.isValidInet6Address("2002::"));
+        assertTrue("IPV6 2001:db8:: should be valid", validator.isValidInet6Address("2001:db8::"));
+        assertTrue("IPV6 2001:0db8:1234:: should be valid", validator.isValidInet6Address("2001:0db8:1234::"));
+        assertTrue("IPV6 ::ffff:0:0 should be valid", validator.isValidInet6Address("::ffff:0:0"));
+        assertTrue("IPV6 1:2:3:4:5:6:7:8 should be valid", validator.isValidInet6Address("1:2:3:4:5:6:7:8"));
+        assertTrue("IPV6 1:2:3:4:5:6::8 should be valid", validator.isValidInet6Address("1:2:3:4:5:6::8"));
+        assertTrue("IPV6 1:2:3:4:5::8 should be valid", validator.isValidInet6Address("1:2:3:4:5::8"));
+        assertTrue("IPV6 1:2:3:4::8 should be valid", validator.isValidInet6Address("1:2:3:4::8"));
+        assertTrue("IPV6 1:2:3::8 should be valid", validator.isValidInet6Address("1:2:3::8"));
+        assertTrue("IPV6 1:2::8 should be valid", validator.isValidInet6Address("1:2::8"));
+        assertTrue("IPV6 1::8 should be valid", validator.isValidInet6Address("1::8"));
+        assertTrue("IPV6 1::2:3:4:5:6:7 should be valid", validator.isValidInet6Address("1::2:3:4:5:6:7"));
+        assertTrue("IPV6 1::2:3:4:5:6 should be valid", validator.isValidInet6Address("1::2:3:4:5:6"));
+        assertTrue("IPV6 1::2:3:4:5 should be valid", validator.isValidInet6Address("1::2:3:4:5"));
+        assertTrue("IPV6 1::2:3:4 should be valid", validator.isValidInet6Address("1::2:3:4"));
+        assertTrue("IPV6 1::2:3 should be valid", validator.isValidInet6Address("1::2:3"));
+        assertTrue("IPV6 ::2:3:4:5:6:7:8 should be valid", validator.isValidInet6Address("::2:3:4:5:6:7:8"));
+        assertTrue("IPV6 ::2:3:4:5:6:7 should be valid", validator.isValidInet6Address("::2:3:4:5:6:7"));
+        assertTrue("IPV6 ::2:3:4:5:6 should be valid", validator.isValidInet6Address("::2:3:4:5:6"));
+        assertTrue("IPV6 ::2:3:4:5 should be valid", validator.isValidInet6Address("::2:3:4:5"));
+        assertTrue("IPV6 ::2:3:4 should be valid", validator.isValidInet6Address("::2:3:4"));
+        assertTrue("IPV6 ::2:3 should be valid", validator.isValidInet6Address("::2:3"));
+        assertTrue("IPV6 ::8 should be valid", validator.isValidInet6Address("::8"));
+        assertTrue("IPV6 1:2:3:4:5:6:: should be valid", validator.isValidInet6Address("1:2:3:4:5:6::"));
+        assertTrue("IPV6 1:2:3:4:5:: should be valid", validator.isValidInet6Address("1:2:3:4:5::"));
+        assertTrue("IPV6 1:2:3:4:: should be valid", validator.isValidInet6Address("1:2:3:4::"));
+        assertTrue("IPV6 1:2:3:: should be valid", validator.isValidInet6Address("1:2:3::"));
+        assertTrue("IPV6 1:2:: should be valid", validator.isValidInet6Address("1:2::"));
+        assertTrue("IPV6 1:: should be valid", validator.isValidInet6Address("1::"));
+        assertTrue("IPV6 1:2:3:4:5::7:8 should be valid", validator.isValidInet6Address("1:2:3:4:5::7:8"));
+        assertFalse("IPV6 1:2:3::4:5::7:8 should be invalid", validator.isValidInet6Address("1:2:3::4:5::7:8")); // Double "::"
+        assertFalse("IPV6 12345::6:7:8 should be invalid", validator.isValidInet6Address("12345::6:7:8"));
+        assertTrue("IPV6 1:2:3:4::7:8 should be valid", validator.isValidInet6Address("1:2:3:4::7:8"));
+        assertTrue("IPV6 1:2:3::7:8 should be valid", validator.isValidInet6Address("1:2:3::7:8"));
+        assertTrue("IPV6 1:2::7:8 should be valid", validator.isValidInet6Address("1:2::7:8"));
+        assertTrue("IPV6 1::7:8 should be valid", validator.isValidInet6Address("1::7:8"));
+        // IPv4 addresses as dotted-quads
+        assertTrue("IPV6 1:2:3:4:5:6:1.2.3.4 should be valid", validator.isValidInet6Address("1:2:3:4:5:6:1.2.3.4"));
+        assertTrue("IPV6 1:2:3:4:5::1.2.3.4 should be valid", validator.isValidInet6Address("1:2:3:4:5::1.2.3.4"));
+        assertTrue("IPV6 1:2:3:4::1.2.3.4 should be valid", validator.isValidInet6Address("1:2:3:4::1.2.3.4"));
+        assertTrue("IPV6 1:2:3::1.2.3.4 should be valid", validator.isValidInet6Address("1:2:3::1.2.3.4"));
+        assertTrue("IPV6 1:2::1.2.3.4 should be valid", validator.isValidInet6Address("1:2::1.2.3.4"));
+        assertTrue("IPV6 1::1.2.3.4 should be valid", validator.isValidInet6Address("1::1.2.3.4"));
+        assertTrue("IPV6 1:2:3:4::5:1.2.3.4 should be valid", validator.isValidInet6Address("1:2:3:4::5:1.2.3.4"));
+        assertTrue("IPV6 1:2:3::5:1.2.3.4 should be valid", validator.isValidInet6Address("1:2:3::5:1.2.3.4"));
+        assertTrue("IPV6 1:2::5:1.2.3.4 should be valid", validator.isValidInet6Address("1:2::5:1.2.3.4"));
+        assertTrue("IPV6 1::5:1.2.3.4 should be valid", validator.isValidInet6Address("1::5:1.2.3.4"));
+        assertTrue("IPV6 1::5:11.22.33.44 should be valid", validator.isValidInet6Address("1::5:11.22.33.44"));
+        assertFalse("IPV6 1::5:400.2.3.4 should be invalid", validator.isValidInet6Address("1::5:400.2.3.4"));
+        assertFalse("IPV6 1::5:260.2.3.4 should be invalid", validator.isValidInet6Address("1::5:260.2.3.4"));
+        assertFalse("IPV6 1::5:256.2.3.4 should be invalid", validator.isValidInet6Address("1::5:256.2.3.4"));
+        assertFalse("IPV6 1::5:1.256.3.4 should be invalid", validator.isValidInet6Address("1::5:1.256.3.4"));
+        assertFalse("IPV6 1::5:1.2.256.4 should be invalid", validator.isValidInet6Address("1::5:1.2.256.4"));
+        assertFalse("IPV6 1::5:1.2.3.256 should be invalid", validator.isValidInet6Address("1::5:1.2.3.256"));
+        assertFalse("IPV6 1::5:300.2.3.4 should be invalid", validator.isValidInet6Address("1::5:300.2.3.4"));
+        assertFalse("IPV6 1::5:1.300.3.4 should be invalid", validator.isValidInet6Address("1::5:1.300.3.4"));
+        assertFalse("IPV6 1::5:1.2.300.4 should be invalid", validator.isValidInet6Address("1::5:1.2.300.4"));
+        assertFalse("IPV6 1::5:1.2.3.300 should be invalid", validator.isValidInet6Address("1::5:1.2.3.300"));
+        assertFalse("IPV6 1::5:900.2.3.4 should be invalid", validator.isValidInet6Address("1::5:900.2.3.4"));
+        assertFalse("IPV6 1::5:1.900.3.4 should be invalid", validator.isValidInet6Address("1::5:1.900.3.4"));
+        assertFalse("IPV6 1::5:1.2.900.4 should be invalid", validator.isValidInet6Address("1::5:1.2.900.4"));
+        assertFalse("IPV6 1::5:1.2.3.900 should be invalid", validator.isValidInet6Address("1::5:1.2.3.900"));
+        assertFalse("IPV6 1::5:300.300.300.300 should be invalid", validator.isValidInet6Address("1::5:300.300.300.300"));
+        assertFalse("IPV6 1::5:3000.30.30.30 should be invalid", validator.isValidInet6Address("1::5:3000.30.30.30"));
+        assertFalse("IPV6 1::400.2.3.4 should be invalid", validator.isValidInet6Address("1::400.2.3.4"));
+        assertFalse("IPV6 1::260.2.3.4 should be invalid", validator.isValidInet6Address("1::260.2.3.4"));
+        assertFalse("IPV6 1::256.2.3.4 should be invalid", validator.isValidInet6Address("1::256.2.3.4"));
+        assertFalse("IPV6 1::1.256.3.4 should be invalid", validator.isValidInet6Address("1::1.256.3.4"));
+        assertFalse("IPV6 1::1.2.256.4 should be invalid", validator.isValidInet6Address("1::1.2.256.4"));
+        assertFalse("IPV6 1::1.2.3.256 should be invalid", validator.isValidInet6Address("1::1.2.3.256"));
+        assertFalse("IPV6 1::300.2.3.4 should be invalid", validator.isValidInet6Address("1::300.2.3.4"));
+        assertFalse("IPV6 1::1.300.3.4 should be invalid", validator.isValidInet6Address("1::1.300.3.4"));
+        assertFalse("IPV6 1::1.2.300.4 should be invalid", validator.isValidInet6Address("1::1.2.300.4"));
+        assertFalse("IPV6 1::1.2.3.300 should be invalid", validator.isValidInet6Address("1::1.2.3.300"));
+        assertFalse("IPV6 1::900.2.3.4 should be invalid", validator.isValidInet6Address("1::900.2.3.4"));
+        assertFalse("IPV6 1::1.900.3.4 should be invalid", validator.isValidInet6Address("1::1.900.3.4"));
+        assertFalse("IPV6 1::1.2.900.4 should be invalid", validator.isValidInet6Address("1::1.2.900.4"));
+        assertFalse("IPV6 1::1.2.3.900 should be invalid", validator.isValidInet6Address("1::1.2.3.900"));
+        assertFalse("IPV6 1::300.300.300.300 should be invalid", validator.isValidInet6Address("1::300.300.300.300"));
+        assertFalse("IPV6 1::3000.30.30.30 should be invalid", validator.isValidInet6Address("1::3000.30.30.30"));
+        assertFalse("IPV6 ::400.2.3.4 should be invalid", validator.isValidInet6Address("::400.2.3.4"));
+        assertFalse("IPV6 ::260.2.3.4 should be invalid", validator.isValidInet6Address("::260.2.3.4"));
+        assertFalse("IPV6 ::256.2.3.4 should be invalid", validator.isValidInet6Address("::256.2.3.4"));
+        assertFalse("IPV6 ::1.256.3.4 should be invalid", validator.isValidInet6Address("::1.256.3.4"));
+        assertFalse("IPV6 ::1.2.256.4 should be invalid", validator.isValidInet6Address("::1.2.256.4"));
+        assertFalse("IPV6 ::1.2.3.256 should be invalid", validator.isValidInet6Address("::1.2.3.256"));
+        assertFalse("IPV6 ::300.2.3.4 should be invalid", validator.isValidInet6Address("::300.2.3.4"));
+        assertFalse("IPV6 ::1.300.3.4 should be invalid", validator.isValidInet6Address("::1.300.3.4"));
+        assertFalse("IPV6 ::1.2.300.4 should be invalid", validator.isValidInet6Address("::1.2.300.4"));
+        assertFalse("IPV6 ::1.2.3.300 should be invalid", validator.isValidInet6Address("::1.2.3.300"));
+        assertFalse("IPV6 ::900.2.3.4 should be invalid", validator.isValidInet6Address("::900.2.3.4"));
+        assertFalse("IPV6 ::1.900.3.4 should be invalid", validator.isValidInet6Address("::1.900.3.4"));
+        assertFalse("IPV6 ::1.2.900.4 should be invalid", validator.isValidInet6Address("::1.2.900.4"));
+        assertFalse("IPV6 ::1.2.3.900 should be invalid", validator.isValidInet6Address("::1.2.3.900"));
+        assertFalse("IPV6 ::300.300.300.300 should be invalid", validator.isValidInet6Address("::300.300.300.300"));
+        assertFalse("IPV6 ::3000.30.30.30 should be invalid", validator.isValidInet6Address("::3000.30.30.30"));
+        assertTrue("IPV6 fe80::217:f2ff:254.7.237.98 should be valid", validator.isValidInet6Address("fe80::217:f2ff:254.7.237.98"));
+        assertTrue("IPV6 ::ffff:192.168.1.26 should be valid", validator.isValidInet6Address("::ffff:192.168.1.26"));
+        assertFalse("IPV6 2001:1:1:1:1:1:255Z255X255Y255 should be invalid", validator.isValidInet6Address("2001:1:1:1:1:1:255Z255X255Y255")); // garbage instead of "." in IPv4
+        assertFalse("IPV6 ::ffff:192x168.1.26 should be invalid", validator.isValidInet6Address("::ffff:192x168.1.26")); // ditto
+        assertTrue("IPV6 ::ffff:192.168.1.1 should be valid", validator.isValidInet6Address("::ffff:192.168.1.1"));
+        assertTrue("IPV6 0:0:0:0:0:0:13.1.68.3 should be valid", validator.isValidInet6Address("0:0:0:0:0:0:13.1.68.3"));// IPv4-compatible IPv6 address, full, deprecated 
+        assertTrue("IPV6 0:0:0:0:0:FFFF:129.144.52.38 should be valid", validator.isValidInet6Address("0:0:0:0:0:FFFF:129.144.52.38"));// IPv4-mapped IPv6 address, full 
+        assertTrue("IPV6 ::13.1.68.3 should be valid", validator.isValidInet6Address("::13.1.68.3"));// IPv4-compatible IPv6 address, compressed, deprecated 
+        assertTrue("IPV6 ::FFFF:129.144.52.38 should be valid", validator.isValidInet6Address("::FFFF:129.144.52.38"));// IPv4-mapped IPv6 address, compressed 
+        assertTrue("IPV6 fe80:0:0:0:204:61ff:254.157.241.86 should be valid", validator.isValidInet6Address("fe80:0:0:0:204:61ff:254.157.241.86"));
+        assertTrue("IPV6 fe80::204:61ff:254.157.241.86 should be valid", validator.isValidInet6Address("fe80::204:61ff:254.157.241.86"));
+        assertTrue("IPV6 ::ffff:12.34.56.78 should be valid", validator.isValidInet6Address("::ffff:12.34.56.78"));
+        assertFalse("IPV6 ::ffff:2.3.4 should be invalid", validator.isValidInet6Address("::ffff:2.3.4"));
+        assertFalse("IPV6 ::ffff:257.1.2.3 should be invalid", validator.isValidInet6Address("::ffff:257.1.2.3"));
+        assertFalse("IPV6 1.2.3.4 should be invalid", validator.isValidInet6Address("1.2.3.4"));
+        assertFalse("IPV6 1.2.3.4:1111:2222:3333:4444::5555 should be invalid", validator.isValidInet6Address("1.2.3.4:1111:2222:3333:4444::5555"));
+        assertFalse("IPV6 1.2.3.4:1111:2222:3333::5555 should be invalid", validator.isValidInet6Address("1.2.3.4:1111:2222:3333::5555"));
+        assertFalse("IPV6 1.2.3.4:1111:2222::5555 should be invalid", validator.isValidInet6Address("1.2.3.4:1111:2222::5555"));
+        assertFalse("IPV6 1.2.3.4:1111::5555 should be invalid", validator.isValidInet6Address("1.2.3.4:1111::5555"));
+        assertFalse("IPV6 1.2.3.4::5555 should be invalid", validator.isValidInet6Address("1.2.3.4::5555"));
+        assertFalse("IPV6 1.2.3.4:: should be invalid", validator.isValidInet6Address("1.2.3.4::"));
+        // Testing IPv4 addresses represented as dotted-quads
+        // Leading zeroes in IPv4 addresses not allowed: some systems treat the leading "0" in ".086" as the start of an octal number
+        // Update: The BNF in RFC-3986 explicitly defines the dec-octet (for IPv4 addresses) not to have a leading zero
+        assertFalse("IPV6 fe80:0000:0000:0000:0204:61ff:254.157.241.086 should be invalid", validator.isValidInet6Address("fe80:0000:0000:0000:0204:61ff:254.157.241.086"));
+        assertTrue("IPV6 ::ffff:192.0.2.128 should be valid", validator.isValidInet6Address("::ffff:192.0.2.128")); // but this is OK, since there's a single digit
+        assertFalse("IPV6 XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:1.2.3.4 should be invalid", validator.isValidInet6Address("XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:1.2.3.4"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555:6666:00.00.00.00 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666:00.00.00.00"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555:6666:000.000.000.000 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666:000.000.000.000"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555:6666:256.256.256.256 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666:256.256.256.256"));
+        assertTrue("IPV6 fe80:0000:0000:0000:0204:61ff:fe9d:f156 should be valid", validator.isValidInet6Address("fe80:0000:0000:0000:0204:61ff:fe9d:f156"));
+        assertTrue("IPV6 fe80:0:0:0:204:61ff:fe9d:f156 should be valid", validator.isValidInet6Address("fe80:0:0:0:204:61ff:fe9d:f156"));
+        assertTrue("IPV6 fe80::204:61ff:fe9d:f156 should be valid", validator.isValidInet6Address("fe80::204:61ff:fe9d:f156"));
+        assertFalse("IPV6 : should be invalid", validator.isValidInet6Address(":"));
+        assertTrue("IPV6 ::ffff:c000:280 should be valid", validator.isValidInet6Address("::ffff:c000:280"));
+        assertFalse("IPV6 1111:2222:3333:4444::5555: should be invalid", validator.isValidInet6Address("1111:2222:3333:4444::5555:"));
+        assertFalse("IPV6 1111:2222:3333::5555: should be invalid", validator.isValidInet6Address("1111:2222:3333::5555:"));
+        assertFalse("IPV6 1111:2222::5555: should be invalid", validator.isValidInet6Address("1111:2222::5555:"));
+        assertFalse("IPV6 1111::5555: should be invalid", validator.isValidInet6Address("1111::5555:"));
+        assertFalse("IPV6 ::5555: should be invalid", validator.isValidInet6Address("::5555:"));
+        assertFalse("IPV6 ::: should be invalid", validator.isValidInet6Address(":::"));
+        assertFalse("IPV6 1111: should be invalid", validator.isValidInet6Address("1111:"));
+        assertFalse("IPV6 :1111:2222:3333:4444::5555 should be invalid", validator.isValidInet6Address(":1111:2222:3333:4444::5555"));
+        assertFalse("IPV6 :1111:2222:3333::5555 should be invalid", validator.isValidInet6Address(":1111:2222:3333::5555"));
+        assertFalse("IPV6 :1111:2222::5555 should be invalid", validator.isValidInet6Address(":1111:2222::5555"));
+        assertFalse("IPV6 :1111::5555 should be invalid", validator.isValidInet6Address(":1111::5555"));
+        assertFalse("IPV6 :::5555 should be invalid", validator.isValidInet6Address(":::5555"));
+        assertTrue("IPV6 2001:0db8:85a3:0000:0000:8a2e:0370:7334 should be valid", validator.isValidInet6Address("2001:0db8:85a3:0000:0000:8a2e:0370:7334"));
+        assertTrue("IPV6 2001:db8:85a3:0:0:8a2e:370:7334 should be valid", validator.isValidInet6Address("2001:db8:85a3:0:0:8a2e:370:7334"));
+        assertTrue("IPV6 2001:db8:85a3::8a2e:370:7334 should be valid", validator.isValidInet6Address("2001:db8:85a3::8a2e:370:7334"));
+        assertTrue("IPV6 2001:0db8:0000:0000:0000:0000:1428:57ab should be valid", validator.isValidInet6Address("2001:0db8:0000:0000:0000:0000:1428:57ab"));
+        assertTrue("IPV6 2001:0db8:0000:0000:0000::1428:57ab should be valid", validator.isValidInet6Address("2001:0db8:0000:0000:0000::1428:57ab"));
+        assertTrue("IPV6 2001:0db8:0:0:0:0:1428:57ab should be valid", validator.isValidInet6Address("2001:0db8:0:0:0:0:1428:57ab"));
+        assertTrue("IPV6 2001:0db8:0:0::1428:57ab should be valid", validator.isValidInet6Address("2001:0db8:0:0::1428:57ab"));
+        assertTrue("IPV6 2001:0db8::1428:57ab should be valid", validator.isValidInet6Address("2001:0db8::1428:57ab"));
+        assertTrue("IPV6 2001:db8::1428:57ab should be valid", validator.isValidInet6Address("2001:db8::1428:57ab"));
+        assertTrue("IPV6 ::ffff:0c22:384e should be valid", validator.isValidInet6Address("::ffff:0c22:384e"));
+        assertTrue("IPV6 2001:0db8:1234:0000:0000:0000:0000:0000 should be valid", validator.isValidInet6Address("2001:0db8:1234:0000:0000:0000:0000:0000"));
+        assertTrue("IPV6 2001:0db8:1234:ffff:ffff:ffff:ffff:ffff should be valid", validator.isValidInet6Address("2001:0db8:1234:ffff:ffff:ffff:ffff:ffff"));
+        assertTrue("IPV6 2001:db8:a::123 should be valid", validator.isValidInet6Address("2001:db8:a::123"));
+        assertFalse("IPV6 123 should be invalid", validator.isValidInet6Address("123"));
+        assertFalse("IPV6 ldkfj should be invalid", validator.isValidInet6Address("ldkfj"));
+        assertFalse("IPV6 2001::FFD3::57ab should be invalid", validator.isValidInet6Address("2001::FFD3::57ab"));
+        assertFalse("IPV6 2001:db8:85a3::8a2e:37023:7334 should be invalid", validator.isValidInet6Address("2001:db8:85a3::8a2e:37023:7334"));
+        assertFalse("IPV6 2001:db8:85a3::8a2e:370k:7334 should be invalid", validator.isValidInet6Address("2001:db8:85a3::8a2e:370k:7334"));
+        assertFalse("IPV6 1:2:3:4:5:6:7:8:9 should be invalid", validator.isValidInet6Address("1:2:3:4:5:6:7:8:9"));
+        assertFalse("IPV6 1::2::3 should be invalid", validator.isValidInet6Address("1::2::3"));
+        assertFalse("IPV6 1:::3:4:5 should be invalid", validator.isValidInet6Address("1:::3:4:5"));
+        assertFalse("IPV6 1:2:3::4:5:6:7:8:9 should be invalid", validator.isValidInet6Address("1:2:3::4:5:6:7:8:9"));
+        assertTrue("IPV6 1111:2222:3333:4444:5555:6666:7777:8888 should be valid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666:7777:8888"));
+        assertTrue("IPV6 1111:2222:3333:4444:5555:6666:7777:: should be valid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666:7777::"));
+        assertTrue("IPV6 1111:2222:3333:4444:5555:6666:: should be valid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666::"));
+        assertTrue("IPV6 1111:2222:3333:4444:5555:: should be valid", validator.isValidInet6Address("1111:2222:3333:4444:5555::"));
+        assertTrue("IPV6 1111:2222:3333:4444:: should be valid", validator.isValidInet6Address("1111:2222:3333:4444::"));
+        assertTrue("IPV6 1111:2222:3333:: should be valid", validator.isValidInet6Address("1111:2222:3333::"));
+        assertTrue("IPV6 1111:2222:: should be valid", validator.isValidInet6Address("1111:2222::"));
+        assertTrue("IPV6 1111:: should be valid", validator.isValidInet6Address("1111::"));
+        assertTrue("IPV6 1111:2222:3333:4444:5555:6666::8888 should be valid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666::8888"));
+        assertTrue("IPV6 1111:2222:3333:4444:5555::8888 should be valid", validator.isValidInet6Address("1111:2222:3333:4444:5555::8888"));
+        assertTrue("IPV6 1111:2222:3333:4444::8888 should be valid", validator.isValidInet6Address("1111:2222:3333:4444::8888"));
+        assertTrue("IPV6 1111:2222:3333::8888 should be valid", validator.isValidInet6Address("1111:2222:3333::8888"));
+        assertTrue("IPV6 1111:2222::8888 should be valid", validator.isValidInet6Address("1111:2222::8888"));
+        assertTrue("IPV6 1111::8888 should be valid", validator.isValidInet6Address("1111::8888"));
+        assertTrue("IPV6 ::8888 should be valid", validator.isValidInet6Address("::8888"));
+        assertTrue("IPV6 1111:2222:3333:4444:5555::7777:8888 should be valid", validator.isValidInet6Address("1111:2222:3333:4444:5555::7777:8888"));
+        assertTrue("IPV6 1111:2222:3333:4444::7777:8888 should be valid", validator.isValidInet6Address("1111:2222:3333:4444::7777:8888"));
+        assertTrue("IPV6 1111:2222:3333::7777:8888 should be valid", validator.isValidInet6Address("1111:2222:3333::7777:8888"));
+        assertTrue("IPV6 1111:2222::7777:8888 should be valid", validator.isValidInet6Address("1111:2222::7777:8888"));
+        assertTrue("IPV6 1111::7777:8888 should be valid", validator.isValidInet6Address("1111::7777:8888"));
+        assertTrue("IPV6 ::7777:8888 should be valid", validator.isValidInet6Address("::7777:8888"));
+        assertTrue("IPV6 1111:2222:3333:4444::6666:7777:8888 should be valid", validator.isValidInet6Address("1111:2222:3333:4444::6666:7777:8888"));
+        assertTrue("IPV6 1111:2222:3333::6666:7777:8888 should be valid", validator.isValidInet6Address("1111:2222:3333::6666:7777:8888"));
+        assertTrue("IPV6 1111:2222::6666:7777:8888 should be valid", validator.isValidInet6Address("1111:2222::6666:7777:8888"));
+        assertTrue("IPV6 1111::6666:7777:8888 should be valid", validator.isValidInet6Address("1111::6666:7777:8888"));
+        assertTrue("IPV6 ::6666:7777:8888 should be valid", validator.isValidInet6Address("::6666:7777:8888"));
+        assertTrue("IPV6 1111:2222:3333::5555:6666:7777:8888 should be valid", validator.isValidInet6Address("1111:2222:3333::5555:6666:7777:8888"));
+        assertTrue("IPV6 1111:2222::5555:6666:7777:8888 should be valid", validator.isValidInet6Address("1111:2222::5555:6666:7777:8888"));
+        assertTrue("IPV6 1111::5555:6666:7777:8888 should be valid", validator.isValidInet6Address("1111::5555:6666:7777:8888"));
+        assertTrue("IPV6 ::5555:6666:7777:8888 should be valid", validator.isValidInet6Address("::5555:6666:7777:8888"));
+        assertTrue("IPV6 1111:2222::4444:5555:6666:7777:8888 should be valid", validator.isValidInet6Address("1111:2222::4444:5555:6666:7777:8888"));
+        assertTrue("IPV6 1111::4444:5555:6666:7777:8888 should be valid", validator.isValidInet6Address("1111::4444:5555:6666:7777:8888"));
+        assertTrue("IPV6 ::4444:5555:6666:7777:8888 should be valid", validator.isValidInet6Address("::4444:5555:6666:7777:8888"));
+        assertTrue("IPV6 1111::3333:4444:5555:6666:7777:8888 should be valid", validator.isValidInet6Address("1111::3333:4444:5555:6666:7777:8888"));
+        assertTrue("IPV6 ::3333:4444:5555:6666:7777:8888 should be valid", validator.isValidInet6Address("::3333:4444:5555:6666:7777:8888"));
+        assertTrue("IPV6 ::2222:3333:4444:5555:6666:7777:8888 should be valid", validator.isValidInet6Address("::2222:3333:4444:5555:6666:7777:8888"));
+        assertTrue("IPV6 1111:2222:3333:4444:5555:6666:123.123.123.123 should be valid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666:123.123.123.123"));
+        assertTrue("IPV6 1111:2222:3333:4444:5555::123.123.123.123 should be valid", validator.isValidInet6Address("1111:2222:3333:4444:5555::123.123.123.123"));
+        assertTrue("IPV6 1111:2222:3333:4444::123.123.123.123 should be valid", validator.isValidInet6Address("1111:2222:3333:4444::123.123.123.123"));
+        assertTrue("IPV6 1111:2222:3333::123.123.123.123 should be valid", validator.isValidInet6Address("1111:2222:3333::123.123.123.123"));
+        assertTrue("IPV6 1111:2222::123.123.123.123 should be valid", validator.isValidInet6Address("1111:2222::123.123.123.123"));
+        assertTrue("IPV6 1111::123.123.123.123 should be valid", validator.isValidInet6Address("1111::123.123.123.123"));
+        assertTrue("IPV6 ::123.123.123.123 should be valid", validator.isValidInet6Address("::123.123.123.123"));
+        assertTrue("IPV6 1111:2222:3333:4444::6666:123.123.123.123 should be valid", validator.isValidInet6Address("1111:2222:3333:4444::6666:123.123.123.123"));
+        assertTrue("IPV6 1111:2222:3333::6666:123.123.123.123 should be valid", validator.isValidInet6Address("1111:2222:3333::6666:123.123.123.123"));
+        assertTrue("IPV6 1111:2222::6666:123.123.123.123 should be valid", validator.isValidInet6Address("1111:2222::6666:123.123.123.123"));
+        assertTrue("IPV6 1111::6666:123.123.123.123 should be valid", validator.isValidInet6Address("1111::6666:123.123.123.123"));
+        assertTrue("IPV6 ::6666:123.123.123.123 should be valid", validator.isValidInet6Address("::6666:123.123.123.123"));
+        assertTrue("IPV6 1111:2222:3333::5555:6666:123.123.123.123 should be valid", validator.isValidInet6Address("1111:2222:3333::5555:6666:123.123.123.123"));
+        assertTrue("IPV6 1111:2222::5555:6666:123.123.123.123 should be valid", validator.isValidInet6Address("1111:2222::5555:6666:123.123.123.123"));
+        assertTrue("IPV6 1111::5555:6666:123.123.123.123 should be valid", validator.isValidInet6Address("1111::5555:6666:123.123.123.123"));
+        assertTrue("IPV6 ::5555:6666:123.123.123.123 should be valid", validator.isValidInet6Address("::5555:6666:123.123.123.123"));
+        assertTrue("IPV6 1111:2222::4444:5555:6666:123.123.123.123 should be valid", validator.isValidInet6Address("1111:2222::4444:5555:6666:123.123.123.123"));
+        assertTrue("IPV6 1111::4444:5555:6666:123.123.123.123 should be valid", validator.isValidInet6Address("1111::4444:5555:6666:123.123.123.123"));
+        assertTrue("IPV6 ::4444:5555:6666:123.123.123.123 should be valid", validator.isValidInet6Address("::4444:5555:6666:123.123.123.123"));
+        assertTrue("IPV6 1111::3333:4444:5555:6666:123.123.123.123 should be valid", validator.isValidInet6Address("1111::3333:4444:5555:6666:123.123.123.123"));
+        assertTrue("IPV6 ::2222:3333:4444:5555:6666:123.123.123.123 should be valid", validator.isValidInet6Address("::2222:3333:4444:5555:6666:123.123.123.123"));
+        // Trying combinations of "0" and "::"
+        // These are all syntactically correct, but are bad form 
+        // because "0" adjacent to "::" should be combined into "::"
+        assertTrue("IPV6 ::0:0:0:0:0:0:0 should be valid", validator.isValidInet6Address("::0:0:0:0:0:0:0"));
+        assertTrue("IPV6 ::0:0:0:0:0:0 should be valid", validator.isValidInet6Address("::0:0:0:0:0:0"));
+        assertTrue("IPV6 ::0:0:0:0:0 should be valid", validator.isValidInet6Address("::0:0:0:0:0"));
+        assertTrue("IPV6 ::0:0:0:0 should be valid", validator.isValidInet6Address("::0:0:0:0"));
+        assertTrue("IPV6 ::0:0:0 should be valid", validator.isValidInet6Address("::0:0:0"));
+        assertTrue("IPV6 ::0:0 should be valid", validator.isValidInet6Address("::0:0"));
+        assertTrue("IPV6 ::0 should be valid", validator.isValidInet6Address("::0"));
+        assertTrue("IPV6 0:0:0:0:0:0:0:: should be valid", validator.isValidInet6Address("0:0:0:0:0:0:0::"));
+        assertTrue("IPV6 0:0:0:0:0:0:: should be valid", validator.isValidInet6Address("0:0:0:0:0:0::"));
+        assertTrue("IPV6 0:0:0:0:0:: should be valid", validator.isValidInet6Address("0:0:0:0:0::"));
+        assertTrue("IPV6 0:0:0:0:: should be valid", validator.isValidInet6Address("0:0:0:0::"));
+        assertTrue("IPV6 0:0:0:: should be valid", validator.isValidInet6Address("0:0:0::"));
+        assertTrue("IPV6 0:0:: should be valid", validator.isValidInet6Address("0:0::"));
+        assertTrue("IPV6 0:: should be valid", validator.isValidInet6Address("0::"));
+        // Invalid data
+        assertFalse("IPV6 XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX should be invalid", validator.isValidInet6Address("XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX"));
+        // Too many components
+        assertFalse("IPV6 1111:2222:3333:4444:5555:6666:7777:8888:9999 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666:7777:8888:9999"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555:6666:7777:8888:: should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666:7777:8888::"));
+        assertFalse("IPV6 ::2222:3333:4444:5555:6666:7777:8888:9999 should be invalid", validator.isValidInet6Address("::2222:3333:4444:5555:6666:7777:8888:9999"));
+        // Too few components
+        assertFalse("IPV6 1111:2222:3333:4444:5555:6666:7777 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666:7777"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555:6666 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555"));
+        assertFalse("IPV6 1111:2222:3333:4444 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444"));
+        assertFalse("IPV6 1111:2222:3333 should be invalid", validator.isValidInet6Address("1111:2222:3333"));
+        assertFalse("IPV6 1111:2222 should be invalid", validator.isValidInet6Address("1111:2222"));
+        assertFalse("IPV6 1111 should be invalid", validator.isValidInet6Address("1111"));
+        // Missing :
+        assertFalse("IPV6 11112222:3333:4444:5555:6666:7777:8888 should be invalid", validator.isValidInet6Address("11112222:3333:4444:5555:6666:7777:8888"));
+        assertFalse("IPV6 1111:22223333:4444:5555:6666:7777:8888 should be invalid", validator.isValidInet6Address("1111:22223333:4444:5555:6666:7777:8888"));
+        assertFalse("IPV6 1111:2222:33334444:5555:6666:7777:8888 should be invalid", validator.isValidInet6Address("1111:2222:33334444:5555:6666:7777:8888"));
+        assertFalse("IPV6 1111:2222:3333:44445555:6666:7777:8888 should be invalid", validator.isValidInet6Address("1111:2222:3333:44445555:6666:7777:8888"));
+        assertFalse("IPV6 1111:2222:3333:4444:55556666:7777:8888 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:55556666:7777:8888"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555:66667777:8888 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:66667777:8888"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555:6666:77778888 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666:77778888"));
+        // Missing : intended for ::
+        assertFalse("IPV6 1111:2222:3333:4444:5555:6666:7777:8888: should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666:7777:8888:"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555:6666:7777: should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666:7777:"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555:6666: should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666:"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555: should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:"));
+        assertFalse("IPV6 1111:2222:3333:4444: should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:"));
+        assertFalse("IPV6 1111:2222:3333: should be invalid", validator.isValidInet6Address("1111:2222:3333:"));
+        assertFalse("IPV6 1111:2222: should be invalid", validator.isValidInet6Address("1111:2222:"));
+        assertFalse("IPV6 :8888 should be invalid", validator.isValidInet6Address(":8888"));
+        assertFalse("IPV6 :7777:8888 should be invalid", validator.isValidInet6Address(":7777:8888"));
+        assertFalse("IPV6 :6666:7777:8888 should be invalid", validator.isValidInet6Address(":6666:7777:8888"));
+        assertFalse("IPV6 :5555:6666:7777:8888 should be invalid", validator.isValidInet6Address(":5555:6666:7777:8888"));
+        assertFalse("IPV6 :4444:5555:6666:7777:8888 should be invalid", validator.isValidInet6Address(":4444:5555:6666:7777:8888"));
+        assertFalse("IPV6 :3333:4444:5555:6666:7777:8888 should be invalid", validator.isValidInet6Address(":3333:4444:5555:6666:7777:8888"));
+        assertFalse("IPV6 :2222:3333:4444:5555:6666:7777:8888 should be invalid", validator.isValidInet6Address(":2222:3333:4444:5555:6666:7777:8888"));
+        assertFalse("IPV6 :1111:2222:3333:4444:5555:6666:7777:8888 should be invalid", validator.isValidInet6Address(":1111:2222:3333:4444:5555:6666:7777:8888"));
+        // :::
+        assertFalse("IPV6 :::2222:3333:4444:5555:6666:7777:8888 should be invalid", validator.isValidInet6Address(":::2222:3333:4444:5555:6666:7777:8888"));
+        assertFalse("IPV6 1111:::3333:4444:5555:6666:7777:8888 should be invalid", validator.isValidInet6Address("1111:::3333:4444:5555:6666:7777:8888"));
+        assertFalse("IPV6 1111:2222:::4444:5555:6666:7777:8888 should be invalid", validator.isValidInet6Address("1111:2222:::4444:5555:6666:7777:8888"));
+        assertFalse("IPV6 1111:2222:3333:::5555:6666:7777:8888 should be invalid", validator.isValidInet6Address("1111:2222:3333:::5555:6666:7777:8888"));
+        assertFalse("IPV6 1111:2222:3333:4444:::6666:7777:8888 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:::6666:7777:8888"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555:::7777:8888 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:::7777:8888"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555:6666:::8888 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666:::8888"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555:6666:7777::: should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666:7777:::"));
+        // Double ::
+        assertFalse("IPV6 ::2222::4444:5555:6666:7777:8888 should be invalid", validator.isValidInet6Address("::2222::4444:5555:6666:7777:8888"));
+        assertFalse("IPV6 ::2222:3333::5555:6666:7777:8888 should be invalid", validator.isValidInet6Address("::2222:3333::5555:6666:7777:8888"));
+        assertFalse("IPV6 ::2222:3333:4444::6666:7777:8888 should be invalid", validator.isValidInet6Address("::2222:3333:4444::6666:7777:8888"));
+        assertFalse("IPV6 ::2222:3333:4444:5555::7777:8888 should be invalid", validator.isValidInet6Address("::2222:3333:4444:5555::7777:8888"));
+        assertFalse("IPV6 ::2222:3333:4444:5555:7777::8888 should be invalid", validator.isValidInet6Address("::2222:3333:4444:5555:7777::8888"));
+        assertFalse("IPV6 ::2222:3333:4444:5555:7777:8888:: should be invalid", validator.isValidInet6Address("::2222:3333:4444:5555:7777:8888::"));
+        assertFalse("IPV6 1111::3333::5555:6666:7777:8888 should be invalid", validator.isValidInet6Address("1111::3333::5555:6666:7777:8888"));
+        assertFalse("IPV6 1111::3333:4444::6666:7777:8888 should be invalid", validator.isValidInet6Address("1111::3333:4444::6666:7777:8888"));
+        assertFalse("IPV6 1111::3333:4444:5555::7777:8888 should be invalid", validator.isValidInet6Address("1111::3333:4444:5555::7777:8888"));
+        assertFalse("IPV6 1111::3333:4444:5555:6666::8888 should be invalid", validator.isValidInet6Address("1111::3333:4444:5555:6666::8888"));
+        assertFalse("IPV6 1111::3333:4444:5555:6666:7777:: should be invalid", validator.isValidInet6Address("1111::3333:4444:5555:6666:7777::"));
+        assertFalse("IPV6 1111:2222::4444::6666:7777:8888 should be invalid", validator.isValidInet6Address("1111:2222::4444::6666:7777:8888"));
+        assertFalse("IPV6 1111:2222::4444:5555::7777:8888 should be invalid", validator.isValidInet6Address("1111:2222::4444:5555::7777:8888"));
+        assertFalse("IPV6 1111:2222::4444:5555:6666::8888 should be invalid", validator.isValidInet6Address("1111:2222::4444:5555:6666::8888"));
+        assertFalse("IPV6 1111:2222::4444:5555:6666:7777:: should be invalid", validator.isValidInet6Address("1111:2222::4444:5555:6666:7777::"));
+        assertFalse("IPV6 1111:2222:3333::5555::7777:8888 should be invalid", validator.isValidInet6Address("1111:2222:3333::5555::7777:8888"));
+        assertFalse("IPV6 1111:2222:3333::5555:6666::8888 should be invalid", validator.isValidInet6Address("1111:2222:3333::5555:6666::8888"));
+        assertFalse("IPV6 1111:2222:3333::5555:6666:7777:: should be invalid", validator.isValidInet6Address("1111:2222:3333::5555:6666:7777::"));
+        assertFalse("IPV6 1111:2222:3333:4444::6666::8888 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444::6666::8888"));
+        assertFalse("IPV6 1111:2222:3333:4444::6666:7777:: should be invalid", validator.isValidInet6Address("1111:2222:3333:4444::6666:7777::"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555::7777:: should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555::7777::"));
+        // Too many components"
+        assertFalse("IPV6 1111:2222:3333:4444:5555:6666:7777:8888:1.2.3.4 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666:7777:8888:1.2.3.4"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555:6666:7777:1.2.3.4 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666:7777:1.2.3.4"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555:6666::1.2.3.4 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666::1.2.3.4"));
+        assertFalse("IPV6 ::2222:3333:4444:5555:6666:7777:1.2.3.4 should be invalid", validator.isValidInet6Address("::2222:3333:4444:5555:6666:7777:1.2.3.4"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555:6666:1.2.3.4.5 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666:1.2.3.4.5"));
+        // Too few components
+        assertFalse("IPV6 1111:2222:3333:4444:5555:1.2.3.4 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:1.2.3.4"));
+        assertFalse("IPV6 1111:2222:3333:4444:1.2.3.4 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:1.2.3.4"));
+        assertFalse("IPV6 1111:2222:3333:1.2.3.4 should be invalid", validator.isValidInet6Address("1111:2222:3333:1.2.3.4"));
+        assertFalse("IPV6 1111:2222:1.2.3.4 should be invalid", validator.isValidInet6Address("1111:2222:1.2.3.4"));
+        assertFalse("IPV6 1111:1.2.3.4 should be invalid", validator.isValidInet6Address("1111:1.2.3.4"));
+        assertFalse("IPV6 1.2.3.4 should be invalid", validator.isValidInet6Address("1.2.3.4"));
+        // Missing :
+        assertFalse("IPV6 11112222:3333:4444:5555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address("11112222:3333:4444:5555:6666:1.2.3.4"));
+        assertFalse("IPV6 1111:22223333:4444:5555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address("1111:22223333:4444:5555:6666:1.2.3.4"));
+        assertFalse("IPV6 1111:2222:33334444:5555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address("1111:2222:33334444:5555:6666:1.2.3.4"));
+        assertFalse("IPV6 1111:2222:3333:44445555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address("1111:2222:3333:44445555:6666:1.2.3.4"));
+        assertFalse("IPV6 1111:2222:3333:4444:55556666:1.2.3.4 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:55556666:1.2.3.4"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555:66661.2.3.4 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:66661.2.3.4"));
+        // Missing .
+        assertFalse("IPV6 1111:2222:3333:4444:5555:6666:255255.255.255 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666:255255.255.255"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555:6666:255.255255.255 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666:255.255255.255"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555:6666:255.255.255255 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666:255.255.255255"));
+        // Missing : intended for ::
+        assertFalse("IPV6 :1.2.3.4 should be invalid", validator.isValidInet6Address(":1.2.3.4"));
+        assertFalse("IPV6 :6666:1.2.3.4 should be invalid", validator.isValidInet6Address(":6666:1.2.3.4"));
+        assertFalse("IPV6 :5555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address(":5555:6666:1.2.3.4"));
+        assertFalse("IPV6 :4444:5555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address(":4444:5555:6666:1.2.3.4"));
+        assertFalse("IPV6 :3333:4444:5555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address(":3333:4444:5555:6666:1.2.3.4"));
+        assertFalse("IPV6 :2222:3333:4444:5555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address(":2222:3333:4444:5555:6666:1.2.3.4"));
+        assertFalse("IPV6 :1111:2222:3333:4444:5555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address(":1111:2222:3333:4444:5555:6666:1.2.3.4"));
+        // :::
+        assertFalse("IPV6 :::2222:3333:4444:5555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address(":::2222:3333:4444:5555:6666:1.2.3.4"));
+        assertFalse("IPV6 1111:::3333:4444:5555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address("1111:::3333:4444:5555:6666:1.2.3.4"));
+        assertFalse("IPV6 1111:2222:::4444:5555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address("1111:2222:::4444:5555:6666:1.2.3.4"));
+        assertFalse("IPV6 1111:2222:3333:::5555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address("1111:2222:3333:::5555:6666:1.2.3.4"));
+        assertFalse("IPV6 1111:2222:3333:4444:::6666:1.2.3.4 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:::6666:1.2.3.4"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555:::1.2.3.4 should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:::1.2.3.4"));
+        // Double ::
+        assertFalse("IPV6 ::2222::4444:5555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address("::2222::4444:5555:6666:1.2.3.4"));
+        assertFalse("IPV6 ::2222:3333::5555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address("::2222:3333::5555:6666:1.2.3.4"));
+        assertFalse("IPV6 ::2222:3333:4444::6666:1.2.3.4 should be invalid", validator.isValidInet6Address("::2222:3333:4444::6666:1.2.3.4"));
+        assertFalse("IPV6 ::2222:3333:4444:5555::1.2.3.4 should be invalid", validator.isValidInet6Address("::2222:3333:4444:5555::1.2.3.4"));
+        assertFalse("IPV6 1111::3333::5555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address("1111::3333::5555:6666:1.2.3.4"));
+        assertFalse("IPV6 1111::3333:4444::6666:1.2.3.4 should be invalid", validator.isValidInet6Address("1111::3333:4444::6666:1.2.3.4"));
+        assertFalse("IPV6 1111::3333:4444:5555::1.2.3.4 should be invalid", validator.isValidInet6Address("1111::3333:4444:5555::1.2.3.4"));
+        assertFalse("IPV6 1111:2222::4444::6666:1.2.3.4 should be invalid", validator.isValidInet6Address("1111:2222::4444::6666:1.2.3.4"));
+        assertFalse("IPV6 1111:2222::4444:5555::1.2.3.4 should be invalid", validator.isValidInet6Address("1111:2222::4444:5555::1.2.3.4"));
+        assertFalse("IPV6 1111:2222:3333::5555::1.2.3.4 should be invalid", validator.isValidInet6Address("1111:2222:3333::5555::1.2.3.4"));
+        // Missing parts
+        assertFalse("IPV6 ::. should be invalid", validator.isValidInet6Address("::."));
+        assertFalse("IPV6 ::.. should be invalid", validator.isValidInet6Address("::.."));
+        assertFalse("IPV6 ::... should be invalid", validator.isValidInet6Address("::..."));
+        assertFalse("IPV6 ::1... should be invalid", validator.isValidInet6Address("::1..."));
+        assertFalse("IPV6 ::1.2.. should be invalid", validator.isValidInet6Address("::1.2.."));
+        assertFalse("IPV6 ::1.2.3. should be invalid", validator.isValidInet6Address("::1.2.3."));
+        assertFalse("IPV6 ::.2.. should be invalid", validator.isValidInet6Address("::.2.."));
+        assertFalse("IPV6 ::.2.3. should be invalid", validator.isValidInet6Address("::.2.3."));
+        assertFalse("IPV6 ::.2.3.4 should be invalid", validator.isValidInet6Address("::.2.3.4"));
+        assertFalse("IPV6 ::..3. should be invalid", validator.isValidInet6Address("::..3."));
+        assertFalse("IPV6 ::..3.4 should be invalid", validator.isValidInet6Address("::..3.4"));
+        assertFalse("IPV6 ::...4 should be invalid", validator.isValidInet6Address("::...4"));
+        // Extra : in front
+        assertFalse("IPV6 :1111:2222:3333:4444:5555:6666:7777:: should be invalid", validator.isValidInet6Address(":1111:2222:3333:4444:5555:6666:7777::"));
+        assertFalse("IPV6 :1111:2222:3333:4444:5555:6666:: should be invalid", validator.isValidInet6Address(":1111:2222:3333:4444:5555:6666::"));
+        assertFalse("IPV6 :1111:2222:3333:4444:5555:: should be invalid", validator.isValidInet6Address(":1111:2222:3333:4444:5555::"));
+        assertFalse("IPV6 :1111:2222:3333:4444:: should be invalid", validator.isValidInet6Address(":1111:2222:3333:4444::"));
+        assertFalse("IPV6 :1111:2222:3333:: should be invalid", validator.isValidInet6Address(":1111:2222:3333::"));
+        assertFalse("IPV6 :1111:2222:: should be invalid", validator.isValidInet6Address(":1111:2222::"));
+        assertFalse("IPV6 :1111:: should be invalid", validator.isValidInet6Address(":1111::"));
+        assertFalse("IPV6 :1111:2222:3333:4444:5555:6666::8888 should be invalid", validator.isValidInet6Address(":1111:2222:3333:4444:5555:6666::8888"));
+        assertFalse("IPV6 :1111:2222:3333:4444:5555::8888 should be invalid", validator.isValidInet6Address(":1111:2222:3333:4444:5555::8888"));
+        assertFalse("IPV6 :1111:2222:3333:4444::8888 should be invalid", validator.isValidInet6Address(":1111:2222:3333:4444::8888"));
+        assertFalse("IPV6 :1111:2222:3333::8888 should be invalid", validator.isValidInet6Address(":1111:2222:3333::8888"));
+        assertFalse("IPV6 :1111:2222::8888 should be invalid", validator.isValidInet6Address(":1111:2222::8888"));
+        assertFalse("IPV6 :1111::8888 should be invalid", validator.isValidInet6Address(":1111::8888"));
+        assertFalse("IPV6 :::8888 should be invalid", validator.isValidInet6Address(":::8888"));
+        assertFalse("IPV6 :1111:2222:3333:4444:5555::7777:8888 should be invalid", validator.isValidInet6Address(":1111:2222:3333:4444:5555::7777:8888"));
+        assertFalse("IPV6 :1111:2222:3333:4444::7777:8888 should be invalid", validator.isValidInet6Address(":1111:2222:3333:4444::7777:8888"));
+        assertFalse("IPV6 :1111:2222:3333::7777:8888 should be invalid", validator.isValidInet6Address(":1111:2222:3333::7777:8888"));
+        assertFalse("IPV6 :1111:2222::7777:8888 should be invalid", validator.isValidInet6Address(":1111:2222::7777:8888"));
+        assertFalse("IPV6 :1111::7777:8888 should be invalid", validator.isValidInet6Address(":1111::7777:8888"));
+        assertFalse("IPV6 :::7777:8888 should be invalid", validator.isValidInet6Address(":::7777:8888"));
+        assertFalse("IPV6 :1111:2222:3333:4444::6666:7777:8888 should be invalid", validator.isValidInet6Address(":1111:2222:3333:4444::6666:7777:8888"));
+        assertFalse("IPV6 :1111:2222:3333::6666:7777:8888 should be invalid", validator.isValidInet6Address(":1111:2222:3333::6666:7777:8888"));
+        assertFalse("IPV6 :1111:2222::6666:7777:8888 should be invalid", validator.isValidInet6Address(":1111:2222::6666:7777:8888"));
+        assertFalse("IPV6 :1111::6666:7777:8888 should be invalid", validator.isValidInet6Address(":1111::6666:7777:8888"));
+        assertFalse("IPV6 :::6666:7777:8888 should be invalid", validator.isValidInet6Address(":::6666:7777:8888"));
+        assertFalse("IPV6 :1111:2222:3333::5555:6666:7777:8888 should be invalid", validator.isValidInet6Address(":1111:2222:3333::5555:6666:7777:8888"));
+        assertFalse("IPV6 :1111:2222::5555:6666:7777:8888 should be invalid", validator.isValidInet6Address(":1111:2222::5555:6666:7777:8888"));
+        assertFalse("IPV6 :1111::5555:6666:7777:8888 should be invalid", validator.isValidInet6Address(":1111::5555:6666:7777:8888"));
+        assertFalse("IPV6 :::5555:6666:7777:8888 should be invalid", validator.isValidInet6Address(":::5555:6666:7777:8888"));
+        assertFalse("IPV6 :1111:2222::4444:5555:6666:7777:8888 should be invalid", validator.isValidInet6Address(":1111:2222::4444:5555:6666:7777:8888"));
+        assertFalse("IPV6 :1111::4444:5555:6666:7777:8888 should be invalid", validator.isValidInet6Address(":1111::4444:5555:6666:7777:8888"));
+        assertFalse("IPV6 :::4444:5555:6666:7777:8888 should be invalid", validator.isValidInet6Address(":::4444:5555:6666:7777:8888"));
+        assertFalse("IPV6 :1111::3333:4444:5555:6666:7777:8888 should be invalid", validator.isValidInet6Address(":1111::3333:4444:5555:6666:7777:8888"));
+        assertFalse("IPV6 :::3333:4444:5555:6666:7777:8888 should be invalid", validator.isValidInet6Address(":::3333:4444:5555:6666:7777:8888"));
+        assertFalse("IPV6 :::2222:3333:4444:5555:6666:7777:8888 should be invalid", validator.isValidInet6Address(":::2222:3333:4444:5555:6666:7777:8888"));
+        assertFalse("IPV6 :1111:2222:3333:4444:5555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address(":1111:2222:3333:4444:5555:6666:1.2.3.4"));
+        assertFalse("IPV6 :1111:2222:3333:4444:5555::1.2.3.4 should be invalid", validator.isValidInet6Address(":1111:2222:3333:4444:5555::1.2.3.4"));
+        assertFalse("IPV6 :1111:2222:3333:4444::1.2.3.4 should be invalid", validator.isValidInet6Address(":1111:2222:3333:4444::1.2.3.4"));
+        assertFalse("IPV6 :1111:2222:3333::1.2.3.4 should be invalid", validator.isValidInet6Address(":1111:2222:3333::1.2.3.4"));
+        assertFalse("IPV6 :1111:2222::1.2.3.4 should be invalid", validator.isValidInet6Address(":1111:2222::1.2.3.4"));
+        assertFalse("IPV6 :1111::1.2.3.4 should be invalid", validator.isValidInet6Address(":1111::1.2.3.4"));
+        assertFalse("IPV6 :::1.2.3.4 should be invalid", validator.isValidInet6Address(":::1.2.3.4"));
+        assertFalse("IPV6 :1111:2222:3333:4444::6666:1.2.3.4 should be invalid", validator.isValidInet6Address(":1111:2222:3333:4444::6666:1.2.3.4"));
+        assertFalse("IPV6 :1111:2222:3333::6666:1.2.3.4 should be invalid", validator.isValidInet6Address(":1111:2222:3333::6666:1.2.3.4"));
+        assertFalse("IPV6 :1111:2222::6666:1.2.3.4 should be invalid", validator.isValidInet6Address(":1111:2222::6666:1.2.3.4"));
+        assertFalse("IPV6 :1111::6666:1.2.3.4 should be invalid", validator.isValidInet6Address(":1111::6666:1.2.3.4"));
+        assertFalse("IPV6 :::6666:1.2.3.4 should be invalid", validator.isValidInet6Address(":::6666:1.2.3.4"));
+        assertFalse("IPV6 :1111:2222:3333::5555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address(":1111:2222:3333::5555:6666:1.2.3.4"));
+        assertFalse("IPV6 :1111:2222::5555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address(":1111:2222::5555:6666:1.2.3.4"));
+        assertFalse("IPV6 :1111::5555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address(":1111::5555:6666:1.2.3.4"));
+        assertFalse("IPV6 :::5555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address(":::5555:6666:1.2.3.4"));
+        assertFalse("IPV6 :1111:2222::4444:5555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address(":1111:2222::4444:5555:6666:1.2.3.4"));
+        assertFalse("IPV6 :1111::4444:5555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address(":1111::4444:5555:6666:1.2.3.4"));
+        assertFalse("IPV6 :::4444:5555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address(":::4444:5555:6666:1.2.3.4"));
+        assertFalse("IPV6 :1111::3333:4444:5555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address(":1111::3333:4444:5555:6666:1.2.3.4"));
+        assertFalse("IPV6 :::2222:3333:4444:5555:6666:1.2.3.4 should be invalid", validator.isValidInet6Address(":::2222:3333:4444:5555:6666:1.2.3.4"));
+        // Extra : at end
+        assertFalse("IPV6 1111:2222:3333:4444:5555:6666:7777::: should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666:7777:::"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555:6666::: should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666:::"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555::: should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:::"));
+        assertFalse("IPV6 1111:2222:3333:4444::: should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:::"));
+        assertFalse("IPV6 1111:2222:3333::: should be invalid", validator.isValidInet6Address("1111:2222:3333:::"));
+        assertFalse("IPV6 1111:2222::: should be invalid", validator.isValidInet6Address("1111:2222:::"));
+        assertFalse("IPV6 1111::: should be invalid", validator.isValidInet6Address("1111:::"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555:6666::8888: should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555:6666::8888:"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555::8888: should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555::8888:"));
+        assertFalse("IPV6 1111:2222:3333:4444::8888: should be invalid", validator.isValidInet6Address("1111:2222:3333:4444::8888:"));
+        assertFalse("IPV6 1111:2222:3333::8888: should be invalid", validator.isValidInet6Address("1111:2222:3333::8888:"));
+        assertFalse("IPV6 1111:2222::8888: should be invalid", validator.isValidInet6Address("1111:2222::8888:"));
+        assertFalse("IPV6 1111::8888: should be invalid", validator.isValidInet6Address("1111::8888:"));
+        assertFalse("IPV6 ::8888: should be invalid", validator.isValidInet6Address("::8888:"));
+        assertFalse("IPV6 1111:2222:3333:4444:5555::7777:8888: should be invalid", validator.isValidInet6Address("1111:2222:3333:4444:5555::7777:8888:"));
+        assertFalse("IPV6 1111:2222:3333:4444::7777:8888: should be invalid", validator.isValidInet6Address("1111:2222:3333:4444::7777:8888:"));
+        assertFalse("IPV6 1111:2222:3333::7777:8888: should be invalid", validator.isValidInet6Address("1111:2222:3333::7777:8888:"));
+        assertFalse("IPV6 1111:2222::7777:8888: should be invalid", validator.isValidInet6Address("1111:2222::7777:8888:"));
+        assertFalse("IPV6 1111::7777:8888: should be invalid", validator.isValidInet6Address("1111::7777:8888:"));
+        assertFalse("IPV6 ::7777:8888: should be invalid", validator.isValidInet6Address("::7777:8888:"));
+        assertFalse("IPV6 1111:2222:3333:4444::6666:7777:8888: should be invalid", validator.isValidInet6Address("1111:2222:3333:4444::6666:7777:8888:"));
+        assertFalse("IPV6 1111:2222:3333::6666:7777:8888: should be invalid", validator.isValidInet6Address("1111:2222:3333::6666:7777:8888:"));
+        assertFalse("IPV6 1111:2222::6666:7777:8888: should be invalid", validator.isValidInet6Address("1111:2222::6666:7777:8888:"));
+        assertFalse("IPV6 1111::6666:7777:8888: should be invalid", validator.isValidInet6Address("1111::6666:7777:8888:"));
+        assertFalse("IPV6 ::6666:7777:8888: should be invalid", validator.isValidInet6Address("::6666:7777:8888:"));
+        assertFalse("IPV6 1111:2222:3333::5555:6666:7777:8888: should be invalid", validator.isValidInet6Address("1111:2222:3333::5555:6666:7777:8888:"));
+        assertFalse("IPV6 1111:2222::5555:6666:7777:8888: should be invalid", validator.isValidInet6Address("1111:2222::5555:6666:7777:8888:"));
+        assertFalse("IPV6 1111::5555:6666:7777:8888: should be invalid", validator.isValidInet6Address("1111::5555:6666:7777:8888:"));
+        assertFalse("IPV6 ::5555:6666:7777:8888: should be invalid", validator.isValidInet6Address("::5555:6666:7777:8888:"));
+        assertFalse("IPV6 1111:2222::4444:5555:6666:7777:8888: should be invalid", validator.isValidInet6Address("1111:2222::4444:5555:6666:7777:8888:"));
+        assertFalse("IPV6 1111::4444:5555:6666:7777:8888: should be invalid", validator.isValidInet6Address("1111::4444:5555:6666:7777:8888:"));
+        assertFalse("IPV6 ::4444:5555:6666:7777:8888: should be invalid", validator.isValidInet6Address("::4444:5555:6666:7777:8888:"));
+        assertFalse("IPV6 1111::3333:4444:5555:6666:7777:8888: should be invalid", validator.isValidInet6Address("1111::3333:4444:5555:6666:7777:8888:"));
+        assertFalse("IPV6 ::3333:4444:5555:6666:7777:8888: should be invalid", validator.isValidInet6Address("::3333:4444:5555:6666:7777:8888:"));
+        assertFalse("IPV6 ::2222:3333:4444:5555:6666:7777:8888: should be invalid", validator.isValidInet6Address("::2222:3333:4444:5555:6666:7777:8888:"));
+        assertTrue("IPV6 0:a:b:c:d:e:f:: should be valid", validator.isValidInet6Address("0:a:b:c:d:e:f::"));
+        assertTrue("IPV6 ::0:a:b:c:d:e:f should be valid", validator.isValidInet6Address("::0:a:b:c:d:e:f")); // syntactically correct, but bad form (::0:... could be combined)
+        assertTrue("IPV6 a:b:c:d:e:f:0:: should be valid", validator.isValidInet6Address("a:b:c:d:e:f:0::"));
+        assertFalse("IPV6 ':10.0.0.1 should be invalid", validator.isValidInet6Address("':10.0.0.1"));
+    }
+}
+
+
diff --git a/src/test/java/org/jenkinsci/remoting/org/apache/commons/validator/routines/RegexValidatorTest.java b/src/test/java/org/jenkinsci/remoting/org/apache/commons/validator/routines/RegexValidatorTest.java
new file mode 100644
index 000000000..3c0fbc60e
--- /dev/null
+++ b/src/test/java/org/jenkinsci/remoting/org/apache/commons/validator/routines/RegexValidatorTest.java
@@ -0,0 +1,296 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.jenkinsci.remoting.org.apache.commons.validator.routines;
+
+import java.util.regex.PatternSyntaxException;
+
+import junit.framework.TestCase;
+
+/**
+ * Test Case for RegexValidatorTest.
+ *
+ * @version $Revision$
+ * @since Validator 1.4
+ */
+public class RegexValidatorTest extends TestCase {
+
+    private static final String REGEX         = "^([abc]*)(?:\\-)([DEF]*)(?:\\-)([123]*)$";
+
+    private static final String COMPONENT_1 = "([abc]{3})";
+    private static final String COMPONENT_2 = "([DEF]{3})";
+    private static final String COMPONENT_3 = "([123]{3})";
+    private static final String SEPARATOR_1  = "(?:\\-)";
+    private static final String SEPARATOR_2  = "(?:\\s)";
+    private static final String REGEX_1 = "^" + COMPONENT_1 + SEPARATOR_1 + COMPONENT_2 + SEPARATOR_1 + COMPONENT_3 + "$";
+    private static final String REGEX_2 = "^" + COMPONENT_1 + SEPARATOR_2 + COMPONENT_2 + SEPARATOR_2 + COMPONENT_3 + "$";
+    private static final String REGEX_3 = "^" + COMPONENT_1 + COMPONENT_2 + COMPONENT_3 + "$";
+    private static final String[] MULTIPLE_REGEX = new String[] {REGEX_1, REGEX_2, REGEX_3};
+
+    /**
+     * Constrct a new test case.
+     * @param name The name of the test
+     */
+    public RegexValidatorTest(String name) {
+        super(name);
+    }
+
+    /**
+     * Set Up.
+     */
+    @Override
+    protected void setUp() throws Exception {
+        super.setUp();
+    }
+
+    /**
+     * Tear Down.
+     */
+    @Override
+    protected void tearDown() throws Exception {
+        super.tearDown();
+    }
+
+    /**
+     * Test instance methods with single regular expression.
+     */
+    public void testSingle() {
+        RegexValidator sensitive   = new RegexValidator(REGEX);
+        RegexValidator insensitive = new RegexValidator(REGEX, false);
+
+        // isValid()
+        assertEquals("Sensitive isValid() valid",     true,   sensitive.isValid("ac-DE-1"));
+        assertEquals("Sensitive isValid() invalid",   false,  sensitive.isValid("AB-de-1"));
+        assertEquals("Insensitive isValid() valid",   true,   insensitive.isValid("AB-de-1"));
+        assertEquals("Insensitive isValid() invalid", false,  insensitive.isValid("ABd-de-1"));
+
+        // validate()
+        assertEquals("Sensitive validate() valid",     "acDE1", sensitive.validate("ac-DE-1"));
+        assertEquals("Sensitive validate() invalid",   null,    sensitive.validate("AB-de-1"));
+        assertEquals("Insensitive validate() valid",   "ABde1", insensitive.validate("AB-de-1"));
+        assertEquals("Insensitive validate() invalid", null,    insensitive.validate("ABd-de-1"));
+
+        // match()
+        checkArray("Sensitive match() valid",     new String[] {"ac", "DE", "1"}, sensitive.match("ac-DE-1"));
+        checkArray("Sensitive match() invalid",   null,                           sensitive.match("AB-de-1"));
+        checkArray("Insensitive match() valid",   new String[] {"AB", "de", "1"}, insensitive.match("AB-de-1"));
+        checkArray("Insensitive match() invalid", null,                           insensitive.match("ABd-de-1"));
+        assertEquals("validate one", "ABC", (new RegexValidator("^([A-Z]*)$")).validate("ABC"));
+        checkArray("match one", new String[] {"ABC"}, (new RegexValidator("^([A-Z]*)$")).match("ABC"));
+    }
+
+    /**
+     * Test with multiple regular expressions (case sensitive).
+     */
+    public void testMultipleSensitive() {
+
+        // ------------ Set up Sensitive Validators
+        RegexValidator multiple   = new RegexValidator(MULTIPLE_REGEX);
+        RegexValidator single1   = new RegexValidator(REGEX_1);
+        RegexValidator single2   = new RegexValidator(REGEX_2);
+        RegexValidator single3   = new RegexValidator(REGEX_3);
+
+        // ------------ Set up test values
+        String value = "aac FDE 321";
+        String expect = "aacFDE321";
+        String[] array = new String[] {"aac", "FDE", "321"};
+
+        // isValid()
+        assertEquals("Sensitive isValid() Multiple", true,  multiple.isValid(value));
+        assertEquals("Sensitive isValid() 1st",      false, single1.isValid(value));
+        assertEquals("Sensitive isValid() 2nd",      true,  single2.isValid(value));
+        assertEquals("Sensitive isValid() 3rd",      false, single3.isValid(value));
+
+        // validate()
+        assertEquals("Sensitive validate() Multiple", expect, multiple.validate(value));
+        assertEquals("Sensitive validate() 1st",      null,   single1.validate(value));
+        assertEquals("Sensitive validate() 2nd",      expect, single2.validate(value));
+        assertEquals("Sensitive validate() 3rd",      null,   single3.validate(value));
+
+        // match()
+        checkArray("Sensitive match() Multiple", array, multiple.match(value));
+        checkArray("Sensitive match() 1st",      null,  single1.match(value));
+        checkArray("Sensitive match() 2nd",      array, single2.match(value));
+        checkArray("Sensitive match() 3rd",      null,  single3.match(value));
+
+        // All invalid
+        value = "AAC*FDE*321";
+        assertEquals("isValid() Invalid",  false, multiple.isValid(value));
+        assertEquals("validate() Invalid", null,  multiple.validate(value));
+        assertEquals("match() Multiple",   null,  multiple.match(value));
+    }
+
+    /**
+     * Test with multiple regular expressions (case in-sensitive).
+     */
+    public void testMultipleInsensitive() {
+
+        // ------------ Set up In-sensitive Validators
+        RegexValidator multiple = new RegexValidator(MULTIPLE_REGEX, false);
+        RegexValidator single1   = new RegexValidator(REGEX_1, false);
+        RegexValidator single2   = new RegexValidator(REGEX_2, false);
+        RegexValidator single3   = new RegexValidator(REGEX_3, false);
+
+        // ------------ Set up test values
+        String value = "AAC FDE 321";
+        String expect = "AACFDE321";
+        String[] array = new String[] {"AAC", "FDE", "321"};
+
+        // isValid()
+        assertEquals("isValid() Multiple", true,  multiple.isValid(value));
+        assertEquals("isValid() 1st",      false, single1.isValid(value));
+        assertEquals("isValid() 2nd",      true,  single2.isValid(value));
+        assertEquals("isValid() 3rd",      false, single3.isValid(value));
+
+        // validate()
+        assertEquals("validate() Multiple", expect, multiple.validate(value));
+        assertEquals("validate() 1st",      null,   single1.validate(value));
+        assertEquals("validate() 2nd",      expect, single2.validate(value));
+        assertEquals("validate() 3rd",      null,   single3.validate(value));
+
+        // match()
+        checkArray("match() Multiple", array, multiple.match(value));
+        checkArray("match() 1st",      null,  single1.match(value));
+        checkArray("match() 2nd",      array, single2.match(value));
+        checkArray("match() 3rd",      null,  single3.match(value));
+
+        // All invalid
+        value = "AAC*FDE*321";
+        assertEquals("isValid() Invalid",  false, multiple.isValid(value));
+        assertEquals("validate() Invalid", null,  multiple.validate(value));
+        assertEquals("match() Multiple",   null,  multiple.match(value));
+    }
+
+    /**
+     * Test Null value
+     */
+    public void testNullValue() {
+
+        RegexValidator validator = new RegexValidator(REGEX);
+        assertEquals("Instance isValid()",  false, validator.isValid(null));
+        assertEquals("Instance validate()", null,  validator.validate(null));
+        assertEquals("Instance match()",    null,  validator.match(null));
+    }
+
+    /**
+     * Test exceptions
+     */
+    public void testMissingRegex() {
+
+        // Single Regular Expression - null
+        try {
+            new RegexValidator((String)null);
+            fail("Single Null - expected IllegalArgumentException");
+        } catch (IllegalArgumentException e) {
+            assertEquals("Single Null", "Regular expression[0] is missing", e.getMessage());
+        }
+
+        // Single Regular Expression - Zero Length
+        try {
+            new RegexValidator("");
+            fail("Single Zero Length - expected IllegalArgumentException");
+        } catch (IllegalArgumentException e) {
+            assertEquals("Single Zero Length", "Regular expression[0] is missing", e.getMessage());
+        }
+
+        // Multiple Regular Expression - Null array
+        try {
+            new RegexValidator((String[])null);
+            fail("Null Array - expected IllegalArgumentException");
+        } catch (IllegalArgumentException e) {
+            assertEquals("Null Array", "Regular expressions are missing", e.getMessage());
+        }
+
+        // Multiple Regular Expression - Zero Length array
+        try {
+            new RegexValidator(new String[0]);
+            fail("Zero Length Array - expected IllegalArgumentException");
+        } catch (IllegalArgumentException e) {
+            assertEquals("Zero Length Array", "Regular expressions are missing", e.getMessage());
+        }
+
+        // Multiple Regular Expression - Array has Null
+        String[] expressions = new String[] {"ABC", null};
+        try {
+            new RegexValidator(expressions);
+            fail("Array has Null - expected IllegalArgumentException");
+        } catch (IllegalArgumentException e) {
+            assertEquals("Array has Null", "Regular expression[1] is missing", e.getMessage());
+        }
+
+        // Multiple Regular Expression - Array has Zero Length
+        expressions = new String[] {"", "ABC"};
+        try {
+            new RegexValidator(expressions);
+            fail("Array has Zero Length - expected IllegalArgumentException");
+        } catch (IllegalArgumentException e) {
+            assertEquals("Array has Zero Length", "Regular expression[0] is missing", e.getMessage());
+        }
+    }
+
+    /**
+     * Test exceptions
+     */
+    public void testExceptions() {
+        String invalidRegex = "^([abCD12]*$";
+        try {
+            new RegexValidator(invalidRegex);
+        } catch (PatternSyntaxException e) {
+            // expected
+        }
+    }
+
+    /**
+     * Test toString() method
+     */
+    public void testToString() {
+        RegexValidator single = new RegexValidator(REGEX);
+        assertEquals("Single", "RegexValidator{" + REGEX + "}", single.toString());
+
+        RegexValidator multiple = new RegexValidator(new String[] {REGEX, REGEX});
+        assertEquals("Multiple", "RegexValidator{" + REGEX + "," + REGEX + "}", multiple.toString());
+    }
+
+    /**
+     * Compare two arrays
+     * @param label Label for the test
+     * @param expect Expected array
+     * @param result Actual array
+     */
+    private void checkArray(String label, String[] expect, String[] result) {
+
+        // Handle nulls
+        if (expect == null || result == null) {
+            if (expect == null && result == null) {
+                return; // valid, both null
+            } else {
+                fail(label + " Null expect=" + expect + " result=" + result);
+            }
+            return; // not strictly necessary, but prevents possible NPE below
+        }
+
+        // Check Length
+        if (expect.length != result.length) {
+            fail(label + " Length expect=" + expect.length + " result=" + result.length);
+        }
+
+        // Check Values
+        for (int i = 0; i < expect.length; i++) {
+            assertEquals(label +" value[" + i + "]", expect[i], result[i]);
+        }
+    }
+
+}
diff --git a/src/test/java/org/jenkinsci/remoting/protocol/IOBufferMatcher.java b/src/test/java/org/jenkinsci/remoting/protocol/IOBufferMatcher.java
index 7325bd4ef..710ce40b3 100644
--- a/src/test/java/org/jenkinsci/remoting/protocol/IOBufferMatcher.java
+++ b/src/test/java/org/jenkinsci/remoting/protocol/IOBufferMatcher.java
@@ -46,6 +46,10 @@
 import org.apache.commons.io.IOUtils;
 import org.hamcrest.Matcher;
 
+import javax.annotation.CheckForNull;
+import javax.annotation.CheckReturnValue;
+import javax.annotation.Nonnull;
+
 /**
  * An {@link IOBufferMatcher} can {@link #send(ByteBuffer)} and {@link #receive(ByteBuffer)} streams of data as
  * {@link ByteBuffer}s. All the received data is accumulated. When there is no more data to receive then the
@@ -88,15 +92,21 @@ public boolean isOpen() {
         return !closed.isDone();
     }
 
-
-    public void close(IOException cause) {
-        if (name != null) {
-            LOGGER.log(Level.INFO, "[{0}] Closed", name);
+    /**
+     * Closes the buffer.
+     * @param cause Cause. If {@code null}, an artificial cause will be added
+     */
+    public void close(@CheckForNull IOException cause) {
+        // If the close cause is not specified, just add an artificial one to capture the stacktrace
+        // We do not close IOHub in production often, so it does not impact the performance
+        final IOException causeToReport = cause != null ? cause : new IOException("Close requested");
+        if (name != null && LOGGER.isLoggable(Level.INFO)) {
+            LOGGER.log(Level.INFO, String.format("[%s] Closed", name), causeToReport);
         }
-        innerClose(cause);
+        innerClose(causeToReport);
     }
 
-    private void innerClose(IOException cause) {
+    private void innerClose(@Nonnull IOException cause) {
         if (!closed.isDone()) {
             closed.set(cause);
             anything.countDown();
@@ -115,6 +125,12 @@ private void innerClose(IOException cause) {
         }
     }
 
+    /**
+     * Closes the buffer.
+     * @throws IOException Never happens in the current code
+     * @deprecated Use {@link #close(IOException)} instead
+     */
+    @Deprecated
     public void close() throws IOException {
         close(null);
     }
@@ -162,6 +178,13 @@ public String toString() {
         return sb.toString();
     }
 
+    /**
+     * Waits till the buffer is closed.
+     *
+     * This method will wait infinitely, so it's a responsibility of the API user to call it properly.
+     * {@link #awaitClose(long, TimeUnit)} is recommended if you are not sure.
+     * @throws InterruptedException Wait is interrupted.
+     */
     public void awaitClose() throws InterruptedException {
         try {
             closed.get();
@@ -170,6 +193,14 @@ public void awaitClose() throws InterruptedException {
         }
     }
 
+    /**
+     * Waits till the buffer is clsoed, with a timeout.
+     * @param timeout Wait timeout
+     * @param unit Timeout unit
+     * @return {@code true} if the bugffer has been closed successfully, {@code false} otherwise.
+     * @throws InterruptedException Wait has been interrupted.
+     */
+    @CheckReturnValue
     public boolean awaitClose(long timeout, TimeUnit unit) throws InterruptedException {
         try {
             closed.get(timeout, unit);
@@ -253,7 +284,4 @@ public boolean awaitByteContent(Matcher<byte[]> matcher, long timeout, TimeUnit
         }
     }
 
-    public void closeRead() throws IOException {
-        //innerClose(null);
-    }
 }
diff --git a/src/test/java/org/jenkinsci/remoting/protocol/IOBufferMatcherLayer.java b/src/test/java/org/jenkinsci/remoting/protocol/IOBufferMatcherLayer.java
index 302d4f2e7..90275ea05 100644
--- a/src/test/java/org/jenkinsci/remoting/protocol/IOBufferMatcherLayer.java
+++ b/src/test/java/org/jenkinsci/remoting/protocol/IOBufferMatcherLayer.java
@@ -29,6 +29,8 @@
 
 /**
  * An {@link ApplicationLayer} that produces a {@link IOBufferMatcher}
+ *
+ * @since 3.0
  */
 public class IOBufferMatcherLayer extends ApplicationLayer<IOBufferMatcher> {
 
@@ -50,11 +52,6 @@ public void close() throws IOException {
                 super.close();
             }
 
-            @Override
-            public void closeRead() throws IOException {
-                doCloseRead();
-                super.closeRead();
-            }
         };
     }
 
diff --git a/src/test/java/org/jenkinsci/remoting/protocol/ProtocolStackImplTest.java b/src/test/java/org/jenkinsci/remoting/protocol/ProtocolStackImplTest.java
index 4a48b320c..fe9ed55e0 100644
--- a/src/test/java/org/jenkinsci/remoting/protocol/ProtocolStackImplTest.java
+++ b/src/test/java/org/jenkinsci/remoting/protocol/ProtocolStackImplTest.java
@@ -51,7 +51,6 @@
 import java.nio.channels.SocketChannel;
 import java.util.concurrent.Future;
 import java.util.concurrent.TimeUnit;
-import java.util.logging.Logger;
 import javax.net.ssl.SSLEngine;
 import org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer;
 import org.junit.ClassRule;
@@ -1176,7 +1175,7 @@ private static class ProbeCallable implements Callable<String, IOException> {
 
         @Override
         public String call() throws IOException {
-            System.out.println("Hello from: " + Channel.current());
+            System.out.println("Hello from: " + getChannelOrFail());
             return null;
         }
 
@@ -1194,7 +1193,7 @@ public CreateSaturationTestProxy(hudson.remoting.Pipe pipe) {
         }
 
         public ISaturationTest call() throws IOException {
-            return Channel.current().export(ISaturationTest.class, new ISaturationTest() {
+            return getOpenChannelOrFail().export(ISaturationTest.class, new ISaturationTest() {
                 private InputStream in;
 
                 public void ensureConnected() throws IOException {
diff --git a/src/test/java/org/jenkinsci/remoting/protocol/impl/NetworkLayerTest.java b/src/test/java/org/jenkinsci/remoting/protocol/impl/NetworkLayerTest.java
index 6e8011f7e..09e94ea06 100644
--- a/src/test/java/org/jenkinsci/remoting/protocol/impl/NetworkLayerTest.java
+++ b/src/test/java/org/jenkinsci/remoting/protocol/impl/NetworkLayerTest.java
@@ -25,30 +25,20 @@
 
 import java.nio.ByteBuffer;
 import java.nio.channels.Pipe;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.concurrent.Future;
-import java.util.concurrent.TimeUnit;
-import java.util.logging.Level;
-import java.util.logging.Logger;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+
 import org.apache.commons.io.IOUtils;
 import org.jenkinsci.remoting.protocol.IOBufferMatcher;
 import org.jenkinsci.remoting.protocol.IOBufferMatcherLayer;
-import org.jenkinsci.remoting.protocol.IOHubRule;
+import org.jenkinsci.remoting.protocol.IOHub;
 import org.jenkinsci.remoting.protocol.NetworkLayerFactory;
 import org.jenkinsci.remoting.protocol.ProtocolStack;
-import org.jenkinsci.remoting.protocol.Repeat;
-import org.jenkinsci.remoting.protocol.RepeatRule;
 import org.junit.After;
 import org.junit.Before;
-import org.junit.Rule;
 import org.junit.experimental.theories.DataPoint;
-import org.junit.experimental.theories.DataPoints;
 import org.junit.experimental.theories.Theories;
 import org.junit.experimental.theories.Theory;
-import org.junit.rules.RuleChain;
-import org.junit.rules.TestName;
-import org.junit.rules.Timeout;
 import org.junit.runner.RunWith;
 
 import static org.hamcrest.Matchers.is;
@@ -57,16 +47,10 @@
 @RunWith(Theories.class)
 public class NetworkLayerTest {
 
-    @Rule
-    public TestName name = new TestName();
-    private IOHubRule selector = new IOHubRule();
-    @Rule
-    public RuleChain chain = RuleChain.outerRule(selector)
-            .around(new RepeatRule())
-            .around(new Timeout(10, TimeUnit.MINUTES));
-
     private Pipe clientToServer;
     private Pipe serverToClient;
+    private ExecutorService executorService;
+    private IOHub hub;
 
     @DataPoint("blocking I/O")
     public static NetworkLayerFactory blocking() {
@@ -78,35 +62,18 @@ public static NetworkLayerFactory nonBlocking() {
         return new NetworkLayerFactory.NIO();
     }
 
-    @DataPoints
-    public static BatchSendBufferingFilterLayer[] batchSizes() {
-        List<BatchSendBufferingFilterLayer> result = new ArrayList<BatchSendBufferingFilterLayer>();
-        if (Boolean.getBoolean("fullTests")) {
-            int length = 16;
-            while (length < 65536) {
-                result.add(new BatchSendBufferingFilterLayer(length));
-                if (length < 16) {
-                    length = length * 2;
-                } else {
-                    length = length * 3 / 2;
-                }
-            }
-        } else {
-            result.add(new BatchSendBufferingFilterLayer(16));
-            result.add(new BatchSendBufferingFilterLayer(4096));
-            result.add(new BatchSendBufferingFilterLayer(65536));
-        }
-        return result.toArray(new BatchSendBufferingFilterLayer[result.size()]);
-    }
-
     @Before
-    public void setUpPipe() throws Exception {
+    public void setUp() throws Exception {
         clientToServer = Pipe.open();
         serverToClient = Pipe.open();
+        executorService = Executors.newFixedThreadPool(8);
+        hub = IOHub.create(executorService);
     }
 
     @After
-    public void tearDownPipe() throws Exception {
+    public void tearDown() throws Exception {
+        hub.close();
+        executorService.shutdownNow();
         IOUtils.closeQuietly(clientToServer.sink());
         IOUtils.closeQuietly(clientToServer.source());
         IOUtils.closeQuietly(serverToClient.sink());
@@ -114,16 +81,16 @@ public void tearDownPipe() throws Exception {
     }
 
     @Theory
-    public void smokes(NetworkLayerFactory serverFactory, NetworkLayerFactory clientFactory) throws Exception {
+    public void doBasicSendReceive(NetworkLayerFactory serverFactory, NetworkLayerFactory clientFactory) throws Exception {
         ProtocolStack<IOBufferMatcher> client =
                 ProtocolStack
-                        .on(clientFactory.create(selector.hub(), serverToClient.source(), clientToServer.sink()))
+                        .on(clientFactory.create(hub, serverToClient.source(), clientToServer.sink()))
                         .build(new IOBufferMatcherLayer());
 
 
         ProtocolStack<IOBufferMatcher> server =
                 ProtocolStack
-                        .on(serverFactory.create(selector.hub(), clientToServer.source(), serverToClient.sink()))
+                        .on(serverFactory.create(hub, clientToServer.source(), serverToClient.sink()))
                         .build(new IOBufferMatcherLayer());
 
         byte[] expected = "Here is some sample data".getBytes("UTF-8");
@@ -137,215 +104,4 @@ public void smokes(NetworkLayerFactory serverFactory, NetworkLayerFactory client
         client.get().awaitClose();
     }
 
-    @Theory
-    public void doCloseRecv(NetworkLayerFactory serverFactory, NetworkLayerFactory clientFactory) throws Exception {
-        Logger.getAnonymousLogger().log(Level.INFO, "serverFactory: {0} clientFactory: {1}",
-                new Object[]{serverFactory.getClass().getSimpleName(), clientFactory.getClass().getSimpleName()});
-        ProtocolStack<IOBufferMatcher> client =
-                ProtocolStack
-                        .on(clientFactory.create(selector.hub(), serverToClient.source(), clientToServer.sink()))
-                        .build(new IOBufferMatcherLayer());
-
-
-        ProtocolStack<IOBufferMatcher> server =
-                ProtocolStack
-                        .on(serverFactory.create(selector.hub(), clientToServer.source(), serverToClient.sink()))
-                        .build(new IOBufferMatcherLayer());
-
-        byte[] expected = "Here is some sample data".getBytes("UTF-8");
-        ByteBuffer data = ByteBuffer.allocate(expected.length);
-        data.put(expected);
-        data.flip();
-        server.get().send(data);
-        client.get().awaitByteContent(is(expected));
-        assertThat(client.get().asByteArray(), is(expected));
-        server.get().closeRead();
-        client.get().awaitClose();
-    }
-
-    @Theory
-    @Repeat(value = 1024, stopAfter = 1)
-    public void concurrentStress_1_1(NetworkLayerFactory serverFactory, NetworkLayerFactory clientFactory)
-            throws Exception {
-        concurrentStress(serverFactory, clientFactory, 1, 1);
-    }
-
-    @Theory
-    @Repeat(value = 1024, stopAfter = 1)
-    public void concurrentStress_64_1(NetworkLayerFactory serverFactory, NetworkLayerFactory clientFactory)
-            throws Exception {
-        concurrentStress(serverFactory, clientFactory, 64, 1);
-    }
-
-    @Theory
-    @Repeat(value = 1024, stopAfter = 1)
-    public void concurrentStress_1_64(NetworkLayerFactory serverFactory, NetworkLayerFactory clientFactory)
-            throws Exception {
-        concurrentStress(serverFactory, clientFactory, 1, 64);
-    }
-
-    @Theory
-    @Repeat(value = 1024, stopAfter = 1)
-    public void concurrentStress_1k_1k(NetworkLayerFactory serverFactory, NetworkLayerFactory clientFactory)
-            throws Exception {
-        concurrentStress(serverFactory, clientFactory, 1024, 1024);
-    }
-
-    @Theory
-    @Repeat(value = 1024, stopAfter = 1)
-    public void concurrentStress_1k_64k(NetworkLayerFactory serverFactory, NetworkLayerFactory clientFactory)
-            throws Exception {
-        concurrentStress(serverFactory, clientFactory, 1024, 65536);
-    }
-
-    @Theory
-    @Repeat(value = 1024, stopAfter = 1)
-    public void concurrentStress_64k_1k(NetworkLayerFactory serverFactory, NetworkLayerFactory clientFactory)
-            throws Exception {
-        concurrentStress(serverFactory, clientFactory, 65536, 1024);
-    }
-
-    @Theory
-    @Repeat(value = 1024, stopAfter = 1)
-    public void concurrentStress_64k_64k(NetworkLayerFactory serverFactory, NetworkLayerFactory clientFactory)
-            throws Exception {
-        concurrentStress(serverFactory, clientFactory, 65536, 65536);
-    }
-
-    @Theory
-    @Repeat(value = 16, stopAfter = 1)
-    public void concurrentStress_1m_2m(NetworkLayerFactory serverFactory, NetworkLayerFactory clientFactory)
-            throws Exception {
-        concurrentStress(serverFactory, clientFactory, 1024 * 1024, 2048 * 1024);
-    }
-
-    @Theory
-    @Repeat(value = 16, stopAfter = 1)
-    public void concurrentStress_2m_1m(NetworkLayerFactory serverFactory, NetworkLayerFactory clientFactory)
-            throws Exception {
-        concurrentStress(serverFactory, clientFactory, 2048 * 1024, 1024 * 1024);
-    }
-
-    private void concurrentStress(NetworkLayerFactory serverFactory, NetworkLayerFactory clientFactory, int serverLimit,
-                                  int clientLimit)
-            throws java.io.IOException, InterruptedException, java.util.concurrent.ExecutionException {
-        Logger.getLogger(name.getMethodName()).log(
-                Level.INFO, "Starting test with server {0} client {1}",
-                new Object[]{serverFactory.getClass().getSimpleName(), clientFactory.getClass().getSimpleName()});
-        ProtocolStack<IOBufferMatcher> clientStack =
-                ProtocolStack
-                        .on(clientFactory.create(selector.hub(), serverToClient.source(), clientToServer.sink()))
-                        .build(new IOBufferMatcherLayer());
-
-
-        ProtocolStack<IOBufferMatcher> serverStack =
-                ProtocolStack
-                        .on(serverFactory.create(selector.hub(), clientToServer.source(), serverToClient.sink()))
-                        .build(new IOBufferMatcherLayer());
-
-        final IOBufferMatcher client = clientStack.get();
-        final IOBufferMatcher server = serverStack.get();
-        Future<Void> clientWork = selector.executorService().submit(new SequentialSender(client, clientLimit, 11));
-        Future<Void> serverWork = selector.executorService().submit(new SequentialSender(server, serverLimit, 13));
-
-        clientWork.get();
-        serverWork.get();
-
-        client.awaitByteContent(SequentialSender.matcher(serverLimit));
-        server.awaitByteContent(SequentialSender.matcher(clientLimit));
-
-        client.close();
-        server.close();
-
-        client.awaitClose();
-        server.awaitClose();
-
-        assertThat(client.asByteArray(), SequentialSender.matcher(serverLimit));
-        assertThat(server.asByteArray(), SequentialSender.matcher(clientLimit));
-    }
-
-    @Theory
-    public void sendingBiggerAndBiggerBatches(NetworkLayerFactory serverFactory, NetworkLayerFactory clientFactory,
-                                              BatchSendBufferingFilterLayer batch)
-            throws java.io.IOException, InterruptedException, java.util.concurrent.ExecutionException {
-        Logger.getLogger(name.getMethodName()).log(
-                Level.INFO, "Starting test with server {0} client {1} batch {2}", new Object[]{
-                        serverFactory.getClass().getSimpleName(),
-                        clientFactory.getClass().getSimpleName(),
-                        batch
-                });
-        ProtocolStack<IOBufferMatcher> clientStack =
-                ProtocolStack
-                        .on(clientFactory.create(selector.hub(), serverToClient.source(), clientToServer.sink()))
-                        .build(new IOBufferMatcherLayer());
-
-
-        ProtocolStack<IOBufferMatcher> serverStack =
-                ProtocolStack
-                        .on(serverFactory.create(selector.hub(), clientToServer.source(), serverToClient.sink()))
-                        .filter(batch)
-                        .build(new IOBufferMatcherLayer());
-
-        final IOBufferMatcher client = clientStack.get();
-        final IOBufferMatcher server = serverStack.get();
-        Future<Void> serverWork = selector.executorService().submit(new SequentialSender(server, 65536 * 4, 13));
-
-        serverWork.get();
-        batch.flush();
-
-        client.awaitByteContent(SequentialSender.matcher(65536 * 4), 5, TimeUnit.SECONDS);
-
-        client.awaitByteContent(SequentialSender.matcher(65536 * 4));
-
-        client.close();
-        server.close();
-
-        client.awaitClose();
-        server.awaitClose();
-
-        assertThat(client.asByteArray(), SequentialSender.matcher(65536 * 4));
-    }
-
-    @Theory
-    public void bidiSendingBiggerAndBiggerBatches(NetworkLayerFactory serverFactory, NetworkLayerFactory clientFactory,
-                                                  BatchSendBufferingFilterLayer batch)
-            throws java.io.IOException, InterruptedException, java.util.concurrent.ExecutionException {
-        Logger.getLogger(name.getMethodName()).log(
-                Level.INFO, "Starting test with server {0} client {1} batch {2}", new Object[]{
-                        serverFactory.getClass().getSimpleName(),
-                        clientFactory.getClass().getSimpleName(),
-                        batch
-                });
-        BatchSendBufferingFilterLayer clientBatch = batch.clone();
-        ProtocolStack<IOBufferMatcher> clientStack =
-                ProtocolStack
-                        .on(clientFactory.create(selector.hub(), serverToClient.source(), clientToServer.sink()))
-                        .filter(new NoOpFilterLayer())
-                        .filter(clientBatch)
-                        .filter(new NoOpFilterLayer())
-                        .build(new IOBufferMatcherLayer());
-
-
-        ProtocolStack<IOBufferMatcher> serverStack =
-                ProtocolStack
-                        .on(serverFactory.create(selector.hub(), clientToServer.source(), serverToClient.sink()))
-                        .filter(new NoOpFilterLayer())
-                        .filter(batch)
-                        .filter(new NoOpFilterLayer())
-                        .build(new IOBufferMatcherLayer());
-
-        final IOBufferMatcher client = clientStack.get();
-        final IOBufferMatcher server = serverStack.get();
-        Future<Void> clientWork = selector.executorService().submit(new SequentialSender(client, 65536 * 4, 11));
-        Future<Void> serverWork = selector.executorService().submit(new SequentialSender(server, 65536 * 4, 13));
-
-        clientWork.get();
-        serverWork.get();
-        clientBatch.flush();
-        batch.flush();
-
-        client.awaitByteContent(SequentialSender.matcher(65536 * 4));
-        server.awaitByteContent(SequentialSender.matcher(65536 * 4));
-    }
-
 }
diff --git a/src/test/java/org/jenkinsci/remoting/util/ByteBufferQueueInputStreamTest.java b/src/test/java/org/jenkinsci/remoting/util/ByteBufferQueueInputStreamTest.java
index 4081f660d..fe29c59f3 100644
--- a/src/test/java/org/jenkinsci/remoting/util/ByteBufferQueueInputStreamTest.java
+++ b/src/test/java/org/jenkinsci/remoting/util/ByteBufferQueueInputStreamTest.java
@@ -27,6 +27,8 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.ByteBuffer;
+import java.nio.charset.StandardCharsets;
+
 import org.junit.Test;
 
 import static org.hamcrest.Matchers.is;
@@ -39,7 +41,7 @@ public void readAll() throws Exception {
         String str = "AbCdEfGhIjKlMnOpQrStUvWxYz";
 
         ByteBufferQueue queue = new ByteBufferQueue(10);
-        queue.put(ByteBuffer.wrap(str.getBytes(Charsets.UTF_8)));
+        queue.put(ByteBuffer.wrap(str.getBytes(StandardCharsets.UTF_8)));
         ByteBufferQueueInputStream instance = new ByteBufferQueueInputStream(queue);
 
         assertThat(read(instance), is(str));
@@ -50,7 +52,7 @@ public void readLimit() throws Exception {
         String str = "AbCdEfGhIjKlMnOpQrStUvWxYz";
 
         ByteBufferQueue queue = new ByteBufferQueue(10);
-        queue.put(ByteBuffer.wrap(str.getBytes(Charsets.UTF_8)));
+        queue.put(ByteBuffer.wrap(str.getBytes(StandardCharsets.UTF_8)));
         ByteBufferQueueInputStream instance = new ByteBufferQueueInputStream(queue, 10);
 
         assertThat(read(instance, 10), is("AbCdEfGhIj"));
@@ -61,7 +63,7 @@ public void readSome() throws Exception {
         String str = "AbCdEfGhIjKlMnOpQrStUvWxYz";
 
         ByteBufferQueue queue = new ByteBufferQueue(10);
-        queue.put(ByteBuffer.wrap(str.getBytes(Charsets.UTF_8)));
+        queue.put(ByteBuffer.wrap(str.getBytes(StandardCharsets.UTF_8)));
         ByteBufferQueueInputStream instance = new ByteBufferQueueInputStream(queue);
 
         assertThat(read(instance, 10), is("AbCdEfGhIj"));
@@ -72,16 +74,16 @@ public void readBytes() throws Exception {
         String str = "AbCdEfGhIjKlMnOpQrStUvWxYz";
 
         ByteBufferQueue queue = new ByteBufferQueue(10);
-        queue.put(ByteBuffer.wrap(str.getBytes(Charsets.UTF_8)));
+        queue.put(ByteBuffer.wrap(str.getBytes(StandardCharsets.UTF_8)));
         ByteBufferQueueInputStream instance = new ByteBufferQueueInputStream(queue);
 
         byte[] bytes = new byte[10];
         assertThat(instance.read(bytes), is(10));
-        assertThat(new String(bytes, Charsets.UTF_8), is("AbCdEfGhIj"));
+        assertThat(new String(bytes, StandardCharsets.UTF_8), is("AbCdEfGhIj"));
         assertThat(instance.read(bytes), is(10));
-        assertThat(new String(bytes, Charsets.UTF_8), is("KlMnOpQrSt"));
+        assertThat(new String(bytes, StandardCharsets.UTF_8), is("KlMnOpQrSt"));
         assertThat(instance.read(bytes), is(6));
-        assertThat(new String(bytes, Charsets.UTF_8), is("UvWxYzQrSt"));
+        assertThat(new String(bytes, StandardCharsets.UTF_8), is("UvWxYzQrSt"));
     }
 
     @Test
@@ -89,20 +91,20 @@ public void readBytesOffset() throws Exception {
         String str = "AbCdEfGhIjKlMnOpQrStUvWxYz";
 
         ByteBufferQueue queue = new ByteBufferQueue(10);
-        queue.put(ByteBuffer.wrap(str.getBytes(Charsets.UTF_8)));
+        queue.put(ByteBuffer.wrap(str.getBytes(StandardCharsets.UTF_8)));
         ByteBufferQueueInputStream instance = new ByteBufferQueueInputStream(queue);
 
         byte[] bytes = new byte[10];
         assertThat(instance.read(bytes,5,3), is(3));
-        assertThat(new String(bytes, Charsets.UTF_8), is("\u0000\u0000\u0000\u0000\u0000AbC\u0000\u0000"));
+        assertThat(new String(bytes, StandardCharsets.UTF_8), is("\u0000\u0000\u0000\u0000\u0000AbC\u0000\u0000"));
         assertThat(instance.read(bytes, 0, 2), is(2));
-        assertThat(new String(bytes, Charsets.UTF_8), is("dE\u0000\u0000\u0000AbC\u0000\u0000"));
+        assertThat(new String(bytes, StandardCharsets.UTF_8), is("dE\u0000\u0000\u0000AbC\u0000\u0000"));
         assertThat(instance.read(bytes, 2, 8), is(8));
-        assertThat(new String(bytes, Charsets.UTF_8), is("dEfGhIjKlM"));
+        assertThat(new String(bytes, StandardCharsets.UTF_8), is("dEfGhIjKlM"));
         assertThat(instance.read(bytes, 2, 8), is(8));
-        assertThat(new String(bytes, Charsets.UTF_8), is("dEnOpQrStU"));
+        assertThat(new String(bytes, StandardCharsets.UTF_8), is("dEnOpQrStU"));
         assertThat(instance.read(bytes, 2, 8), is(5));
-        assertThat(new String(bytes, Charsets.UTF_8), is("dEvWxYzStU"));
+        assertThat(new String(bytes, StandardCharsets.UTF_8), is("dEvWxYzStU"));
     }
 
     @Test
@@ -110,7 +112,7 @@ public void skipRead() throws Exception {
         String str = "AbCdEfGhIjKlMnOpQrStUvWxYz";
 
         ByteBufferQueue queue = new ByteBufferQueue(10);
-        queue.put(ByteBuffer.wrap(str.getBytes(Charsets.UTF_8)));
+        queue.put(ByteBuffer.wrap(str.getBytes(StandardCharsets.UTF_8)));
         ByteBufferQueueInputStream instance = new ByteBufferQueueInputStream(queue);
 
         StringBuffer buf = new StringBuffer();
@@ -134,7 +136,7 @@ public void markRead() throws Exception {
         String str = "AbCdEfGhIjKlMnOpQrStUvWxYz";
 
         ByteBufferQueue queue = new ByteBufferQueue(10);
-        queue.put(ByteBuffer.wrap(str.getBytes(Charsets.UTF_8)));
+        queue.put(ByteBuffer.wrap(str.getBytes(StandardCharsets.UTF_8)));
         ByteBufferQueueInputStream instance = new ByteBufferQueueInputStream(queue);
         assumeThat(instance.markSupported(), is(true));
         instance.mark(4);
@@ -149,7 +151,7 @@ private static String read(InputStream is) throws IOException {
         while (-1 != (b = is.read())) {
             tmp.write(b);
         }
-        return new String(tmp.toByteArray(), Charsets.UTF_8);
+        return new String(tmp.toByteArray(), StandardCharsets.UTF_8);
     }
 
     private static String read(InputStream is, int count) throws IOException {
@@ -159,6 +161,6 @@ private static String read(InputStream is, int count) throws IOException {
             tmp.write(b);
             count--;
         }
-        return new String(tmp.toByteArray(), Charsets.UTF_8);
+        return new String(tmp.toByteArray(), StandardCharsets.UTF_8);
     }
 }
diff --git a/src/test/java/org/jenkinsci/remoting/util/ByteBufferQueueOutputStreamTest.java b/src/test/java/org/jenkinsci/remoting/util/ByteBufferQueueOutputStreamTest.java
index 8d8e882f1..f53a91df5 100644
--- a/src/test/java/org/jenkinsci/remoting/util/ByteBufferQueueOutputStreamTest.java
+++ b/src/test/java/org/jenkinsci/remoting/util/ByteBufferQueueOutputStreamTest.java
@@ -24,6 +24,8 @@
 package org.jenkinsci.remoting.util;
 
 import java.nio.ByteBuffer;
+import java.nio.charset.StandardCharsets;
+
 import org.junit.Test;
 
 import static org.hamcrest.Matchers.is;
@@ -37,7 +39,7 @@ public void writeAll() throws Exception {
         ByteBufferQueue queue = new ByteBufferQueue(10);
         ByteBufferQueueOutputStream instance = new ByteBufferQueueOutputStream(queue);
 
-        instance.write(str.getBytes(Charsets.UTF_8));
+        instance.write(str.getBytes(StandardCharsets.UTF_8));
 
         assertThat(read(queue), is(str));
     }
@@ -49,7 +51,7 @@ public void writeSome() throws Exception {
         ByteBufferQueue queue = new ByteBufferQueue(10);
         ByteBufferQueueOutputStream instance = new ByteBufferQueueOutputStream(queue);
 
-        instance.write(str.getBytes(Charsets.UTF_8), 0, 10);
+        instance.write(str.getBytes(StandardCharsets.UTF_8), 0, 10);
         assertThat(read(queue), is("AbCdEfGhIj"));
     }
 
diff --git a/src/test/java/org/jenkinsci/remoting/util/FastByteBufferQueueInputStreamTest.java b/src/test/java/org/jenkinsci/remoting/util/FastByteBufferQueueInputStreamTest.java
index c065e820e..2141aae53 100644
--- a/src/test/java/org/jenkinsci/remoting/util/FastByteBufferQueueInputStreamTest.java
+++ b/src/test/java/org/jenkinsci/remoting/util/FastByteBufferQueueInputStreamTest.java
@@ -27,6 +27,8 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.ByteBuffer;
+import java.nio.charset.StandardCharsets;
+
 import org.junit.Test;
 
 import static org.hamcrest.Matchers.is;
@@ -39,7 +41,7 @@ public void readAll() throws Exception {
         String str = "AbCdEfGhIjKlMnOpQrStUvWxYz";
 
         ByteBufferQueue queue = new ByteBufferQueue(10);
-        queue.put(ByteBuffer.wrap(str.getBytes(Charsets.UTF_8)));
+        queue.put(ByteBuffer.wrap(str.getBytes(StandardCharsets.UTF_8)));
         FastByteBufferQueueInputStream instance = new FastByteBufferQueueInputStream(queue,26);
 
         assertThat(read(instance), is(str));
@@ -50,7 +52,7 @@ public void readLimit() throws Exception {
         String str = "AbCdEfGhIjKlMnOpQrStUvWxYz";
 
         ByteBufferQueue queue = new ByteBufferQueue(10);
-        queue.put(ByteBuffer.wrap(str.getBytes(Charsets.UTF_8)));
+        queue.put(ByteBuffer.wrap(str.getBytes(StandardCharsets.UTF_8)));
         FastByteBufferQueueInputStream instance = new FastByteBufferQueueInputStream(queue, 10);
 
         assertThat(read(instance, 10), is("AbCdEfGhIj"));
@@ -61,7 +63,7 @@ public void readSome() throws Exception {
         String str = "AbCdEfGhIjKlMnOpQrStUvWxYz";
 
         ByteBufferQueue queue = new ByteBufferQueue(10);
-        queue.put(ByteBuffer.wrap(str.getBytes(Charsets.UTF_8)));
+        queue.put(ByteBuffer.wrap(str.getBytes(StandardCharsets.UTF_8)));
         FastByteBufferQueueInputStream instance = new FastByteBufferQueueInputStream(queue,26);
 
         assertThat(read(instance, 10), is("AbCdEfGhIj"));
@@ -72,16 +74,16 @@ public void readBytes() throws Exception {
         String str = "AbCdEfGhIjKlMnOpQrStUvWxYz";
 
         ByteBufferQueue queue = new ByteBufferQueue(10);
-        queue.put(ByteBuffer.wrap(str.getBytes(Charsets.UTF_8)));
+        queue.put(ByteBuffer.wrap(str.getBytes(StandardCharsets.UTF_8)));
         FastByteBufferQueueInputStream instance = new FastByteBufferQueueInputStream(queue,26);
 
         byte[] bytes = new byte[10];
         assertThat(instance.read(bytes), is(10));
-        assertThat(new String(bytes, Charsets.UTF_8), is("AbCdEfGhIj"));
+        assertThat(new String(bytes, StandardCharsets.UTF_8), is("AbCdEfGhIj"));
         assertThat(instance.read(bytes), is(10));
-        assertThat(new String(bytes, Charsets.UTF_8), is("KlMnOpQrSt"));
+        assertThat(new String(bytes, StandardCharsets.UTF_8), is("KlMnOpQrSt"));
         assertThat(instance.read(bytes), is(6));
-        assertThat(new String(bytes, Charsets.UTF_8), is("UvWxYzQrSt"));
+        assertThat(new String(bytes, StandardCharsets.UTF_8), is("UvWxYzQrSt"));
     }
 
     @Test
@@ -89,20 +91,20 @@ public void readBytesOffset() throws Exception {
         String str = "AbCdEfGhIjKlMnOpQrStUvWxYz";
 
         ByteBufferQueue queue = new ByteBufferQueue(10);
-        queue.put(ByteBuffer.wrap(str.getBytes(Charsets.UTF_8)));
+        queue.put(ByteBuffer.wrap(str.getBytes(StandardCharsets.UTF_8)));
         FastByteBufferQueueInputStream instance = new FastByteBufferQueueInputStream(queue,26);
 
         byte[] bytes = new byte[10];
         assertThat(instance.read(bytes,5,3), is(3));
-        assertThat(new String(bytes, Charsets.UTF_8), is("\u0000\u0000\u0000\u0000\u0000AbC\u0000\u0000"));
+        assertThat(new String(bytes, StandardCharsets.UTF_8), is("\u0000\u0000\u0000\u0000\u0000AbC\u0000\u0000"));
         assertThat(instance.read(bytes, 0, 2), is(2));
-        assertThat(new String(bytes, Charsets.UTF_8), is("dE\u0000\u0000\u0000AbC\u0000\u0000"));
+        assertThat(new String(bytes, StandardCharsets.UTF_8), is("dE\u0000\u0000\u0000AbC\u0000\u0000"));
         assertThat(instance.read(bytes, 2, 8), is(8));
-        assertThat(new String(bytes, Charsets.UTF_8), is("dEfGhIjKlM"));
+        assertThat(new String(bytes, StandardCharsets.UTF_8), is("dEfGhIjKlM"));
         assertThat(instance.read(bytes, 2, 8), is(8));
-        assertThat(new String(bytes, Charsets.UTF_8), is("dEnOpQrStU"));
+        assertThat(new String(bytes, StandardCharsets.UTF_8), is("dEnOpQrStU"));
         assertThat(instance.read(bytes, 2, 8), is(5));
-        assertThat(new String(bytes, Charsets.UTF_8), is("dEvWxYzStU"));
+        assertThat(new String(bytes, StandardCharsets.UTF_8), is("dEvWxYzStU"));
     }
 
     @Test
@@ -110,7 +112,7 @@ public void skipRead() throws Exception {
         String str = "AbCdEfGhIjKlMnOpQrStUvWxYz";
 
         ByteBufferQueue queue = new ByteBufferQueue(10);
-        queue.put(ByteBuffer.wrap(str.getBytes(Charsets.UTF_8)));
+        queue.put(ByteBuffer.wrap(str.getBytes(StandardCharsets.UTF_8)));
         FastByteBufferQueueInputStream instance = new FastByteBufferQueueInputStream(queue,26);
 
         StringBuffer buf = new StringBuffer();
@@ -134,7 +136,7 @@ public void markRead() throws Exception {
         String str = "AbCdEfGhIjKlMnOpQrStUvWxYz";
 
         ByteBufferQueue queue = new ByteBufferQueue(10);
-        queue.put(ByteBuffer.wrap(str.getBytes(Charsets.UTF_8)));
+        queue.put(ByteBuffer.wrap(str.getBytes(StandardCharsets.UTF_8)));
         FastByteBufferQueueInputStream instance = new FastByteBufferQueueInputStream(queue,26);
         assertThat(instance.markSupported(), is(false));
     }
@@ -145,7 +147,7 @@ private static String read(InputStream is) throws IOException {
         while (-1 != (b = is.read())) {
             tmp.write(b);
         }
-        return new String(tmp.toByteArray(), Charsets.UTF_8);
+        return new String(tmp.toByteArray(), StandardCharsets.UTF_8);
     }
 
     private static String read(InputStream is, int count) throws IOException {
@@ -155,6 +157,6 @@ private static String read(InputStream is, int count) throws IOException {
             tmp.write(b);
             count--;
         }
-        return new String(tmp.toByteArray(), Charsets.UTF_8);
+        return new String(tmp.toByteArray(), StandardCharsets.UTF_8);
     }
 }