
Applications lose ability to login after some period of time


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Component/s: ldap

      Description

      Saw this today across all the LDAP-connected applications. They were no longer able to create new logins and weren't able to connect to LDAP properly.


      The account app popped a full stack trace which said something along the lines of "Invalid signature on ECDH server key exchange"


      The Atlassian apps didn't give me any useful information


          Activity

          olblak Olivier Vernin added a comment -

          The current docker image is using alpine with openssl and I am deploying a new image based on debian that uses gnutls

          olblak Olivier Vernin added a comment -

          Current settings (with gnutls)
          root@ldap-0:/# gnutls-cli-debug -p 636 ldap.jenkins.io
          GnuTLS debug client 3.5.8
          Checking ldap.jenkins.io:636
          unknown protocol 'ldaps'
          for SSL 3.0 (RFC6101) support... no
          whether we need to disable TLS 1.2... no
          whether we need to disable TLS 1.1... no
          whether we need to disable TLS 1.0... no
          whether %NO_EXTENSIONS is required... no
          whether %COMPAT is required... no
          for TLS 1.0 (RFC2246) support... no
          for TLS 1.1 (RFC4346) support... no
          fallback from TLS 1.1 to... failed
          for TLS 1.2 (RFC5246) support... yes
          fallback from TLS 1.6 to... TLS1.2
          for certificate chain order... sorted
          for safe renegotiation (RFC5746) support... yes
          for encrypt-then-MAC (RFC7366) support... no
          for ext master secret (RFC7627) support... no
          for heartbeat (RFC6520) support... no
          for version rollback bug in RSA PMS... yes
          for version rollback bug in Client Hello... no
          whether the server ignores the RSA PMS version... yes
          whether small records (512 bytes) are tolerated on handshake... yes
          whether cipher suites not in SSL 3.0 spec are accepted... yes
          whether a bogus TLS record version in the client hello is accepted... yes
          whether the server understands TLS closure alerts... yes
          whether the server supports session resumption... no
          for anonymous authentication support... no
          for ephemeral Diffie-Hellman support... no
          for ephemeral EC Diffie-Hellman support... yes
          for curve SECP256r1 (RFC4492)... yes
          for curve SECP384r1 (RFC4492)... yes
          for curve SECP521r1 (RFC4492)... yes
          for curve X25519 (draft-ietf-tls-rfc4492bis-07)... no
          for AES-128-GCM cipher (RFC5288) support... yes
          for AES-128-CCM cipher (RFC6655) support... no
          for AES-128-CCM-8 cipher (RFC6655) support... no
          for AES-128-CBC cipher (RFC3268) support... yes
          for CAMELLIA-128-GCM cipher (RFC6367) support... yes
          for CAMELLIA-128-CBC cipher (RFC5932) support... no
          for 3DES-CBC cipher (RFC2246) support... no
          for ARCFOUR 128 cipher (RFC2246) support... no
          for CHACHA20-POLY1305 cipher (RFC7905) support... yes
          for MD5 MAC support... no
          for SHA1 MAC support... yes
          for SHA256 MAC support... yes
          for ZLIB compression support... no
          for max record size (RFC6066) support... yes
          for OCSP status response (RFC6066) support... no
          for OpenPGP authentication (RFC6091) support... no

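As an added example (not code from the ticket or from the Jenkins infrastructure project): a small parser for the gnutls-cli-debug output format posted in the comment above, checked against an assumed review baseline. The SAMPLE excerpt and the POLICY entries are constructed for illustration.

```python
# Added example (not from the ticket): parse gnutls-cli-debug output and
# flag server capabilities worth reviewing. Policy values are assumptions.
import re

# Constructed excerpt in the gnutls-cli-debug format shown in the ticket.
SAMPLE = """\
GnuTLS debug client 3.5.8
Checking ldap.jenkins.io:636
for TLS 1.0 (RFC2246) support... no
for TLS 1.2 (RFC5246) support... yes
for safe renegotiation (RFC5746) support... yes
for version rollback bug in RSA PMS... yes
for ephemeral EC Diffie-Hellman support... yes
for AES-128-GCM cipher (RFC5288) support... yes
for SHA1 MAC support... yes
"""

# Probe lines look like "for <probe>... <result>" or "whether <probe>... <result>".
LINE_RE = re.compile(r"^(?:for |whether )(.+?)\.\.\.\s*(\S.*)$")

def parse_debug_output(text):
    """Return {probe: result} for every probe line in the output."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results[m.group(1).strip()] = m.group(2).strip()
    return results

# (probe, required result, reason). An assumed baseline, not the ticket's.
POLICY = [
    ("TLS 1.2 (RFC5246) support", "yes", "TLS 1.2 must be offered"),
    ("TLS 1.0 (RFC2246) support", "no", "legacy TLS 1.0 should be off"),
    ("ephemeral EC Diffie-Hellman support", "yes", "ECDHE for forward secrecy"),
    ("safe renegotiation (RFC5746) support", "yes", "RFC5746 renegotiation"),
    ("version rollback bug in RSA PMS", "no", "server ignores RSA PMS version"),
]

def check_policy(results, policy=POLICY):
    """Return (probe, actual, reason) for each policy entry that is not met."""
    findings = []
    for probe, wanted, reason in policy:
        actual = results.get(probe, "missing")  # unprobed counts as a finding
        if actual != wanted:
            findings.append((probe, actual, reason))
    return findings

if __name__ == "__main__":
    for finding in check_policy(parse_debug_output(SAMPLE)):
        print("review:", finding)
```

Feed it the full output of `gnutls-cli-debug -p 636 <host>` instead of SAMPLE to review a live LDAPS endpoint; lines such as `fallback from ...` are deliberately ignored.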

            People

            Assignee:
            olblak Olivier Vernin
            Reporter:
            rtyler R. Tyler Croy
            Votes:
            0
            Watchers:
            2
