[JENKINS-30109] Upgrade ssh-agent-plugin bouncycastle to 1.53

Type: Improvement
Resolution: Fixed
Priority: Minor
Component/s: ssh-agent-plugin
Labels:
- exception
- patch
- plugin
Environment:

Hide
Jenkins 1.622

plugins:
    "ansicolor/0.4.1"
    "ant/1.2"
    "antisamy-markup-formatter/1.3"
    "authentication-tokens/1.1"
    "cloudbees-credentials/3.3"
    "credentials/1.22"
    "cvs/2.12"
    "docker-build-publish/1.0"
    "docker-commons/1.2"
    "docker-custom-build-environment/1.4"
    "email-ext/2.40.5"
    "git/2.4.0"
    "git-client/1.18.0"
    "greenballs/1.14"
    "hipchat/0.1.9"
    "javadoc/1.3"
    "junit/1.8"
    "ldap/1.11"
    "mailer/1.15"
    "mapdb-api/1.0.6.0"
    "matrix-auth/1.2"
    "matrix-project/1.6"
    "maven-plugin/2.11"
    "mesos/0.6.0"
    "monitoring/1.56.0"
    "multi-branch-project-plugin/0.2.4"
    "pam-auth/1.2"
    "parameterized-trigger/2.27"
    "scm-api/0.2"
    "script-security/1.14"
    "ssh-credentials/1.11"
    "ssh-agent/1.8"
    "ssh-slaves/1.10"
    "stashNotifier/1.8"
    "subversion/2.5.1"
    "token-macro/1.10"
    "translation/1.12"
    "windows-slaves/1.1"

Show
Jenkins 1.622 plugins:     "ansicolor/0.4.1"     "ant/1.2"     "antisamy-markup-formatter/1.3"     "authentication-tokens/1.1"     "cloudbees-credentials/3.3"     "credentials/1.22"     "cvs/2.12"     "docker-build-publish/1.0"     "docker-commons/1.2"     "docker-custom-build-environment/1.4"     "email-ext/2.40.5"     "git/2.4.0"     "git-client/1.18.0"     "greenballs/1.14"     "hipchat/0.1.9"     "javadoc/1.3"     "junit/1.8"     "ldap/1.11"     "mailer/1.15"     "mapdb-api/1.0.6.0"     "matrix-auth/1.2"     "matrix-project/1.6"     "maven-plugin/2.11"     "mesos/0.6.0"     "monitoring/1.56.0"     "multi-branch-project-plugin/0.2.4"     "pam-auth/1.2"     "parameterized-trigger/2.27"     "scm-api/0.2"     "script-security/1.14"     "ssh-credentials/1.11"     "ssh-agent/1.8"     "ssh-slaves/1.10"     "stashNotifier/1.8"     "subversion/2.5.1"     "token-macro/1.10"     "translation/1.12"     "windows-slaves/1.1"

Similar Issues:
Powered by SuggestiMate

Show
URL:
https://github.com/jenkinsci/ssh-agent-plugin/pull/8

Currently when connecting to ECDHE-RSA-* servers I was getting errors.

Upgrading to bouncycastle 1.52 resolves these

Below is an example exception; seen via the stash-notification-plugin, and ssh-agent-plugin

javax.net.ssl.SSLHandshakeException: Could not generate secret
at sun.security.ssl.ECDHCrypt.getAgreedSecret(ECDHCrypt.java:99)
at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1045)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
at org.apache.http.impl.conn.BasicHttpClientConnectionManager.connect(BasicHttpClientConnectionManager.java:338)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
at org.jenkinsci.plugins.stashNotifier.StashNotifier.notifyStash(StashNotifier.java:556)
at org.jenkinsci.plugins.stashNotifier.StashNotifier.processJenkinsEvent(StashNotifier.java:207)
at org.jenkinsci.plugins.stashNotifier.StashNotifier.prebuild(StashNotifier.java:160)
at hudson.model.AbstractBuild$AbstractBuildExecution.preBuild(AbstractBuild.java:834)
at hudson.model.AbstractBuild$AbstractBuildExecution.preBuild(AbstractBuild.java:829)
at hudson.model.Build$BuildExecution.doRun(Build.java:144)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:537)
at hudson.model.Run.execute(Run.java:1741)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
at hudson.model.ResourceController.execute(ResourceController.java:98)
at hudson.model.Executor.run(Executor.java:381)
Caused by: java.security.InvalidKeyException: ECDH key agreement requires ECPublicKey for doPhase
at org.bouncycastle.jcajce.provider.asymmetric.ec.KeyAgreementSpi.engineDoPhase(Unknown Source)
at javax.crypto.KeyAgreement.doPhase(KeyAgreement.java:567)
at sun.security.ssl.ECDHCrypt.getAgreedSecret(ECDHCrypt.java:96)
... 32 more

Josh Toft created issue - 2015-08-24 14:10

Josh Toft made changes - 2015-08-24 14:18

Description

Original: Currently when connecting to ECDHE-RSA-* servers I was getting errors.

Upgrading to bouncycastle 1.52 resolves these

Below is an example exception; seen via the stash-notification-plugin, and ssh-agent-plugin

javax.net.ssl.SSLHandshakeException: Could not generate secret
at sun.security.ssl.ECDHCrypt.getAgreedSecret(ECDHCrypt.java:99)
at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1045)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
at org.apache.http.impl.conn.BasicHttpClientConnectionManager.connect(BasicHttpClientConnectionManager.java:338)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
at org.jenkinsci.plugins.stashNotifier.StashNotifier.notifyStash(StashNotifier.java:556)
at org.jenkinsci.plugins.stashNotifier.StashNotifier.processJenkinsEvent(StashNotifier.java:207)
at org.jenkinsci.plugins.stashNotifier.StashNotifier.prebuild(StashNotifier.java:160)
at hudson.model.AbstractBuild$AbstractBuildExecution.preBuild(AbstractBuild.java:834)
at hudson.model.AbstractBuild$AbstractBuildExecution.preBuild(AbstractBuild.java:829)
at hudson.model.Build$BuildExecution.doRun(Build.java:144)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:537)
at hudson.model.Run.execute(Run.java:1741)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
at hudson.model.ResourceController.execute(ResourceController.java:98)
at hudson.model.Executor.run(Executor.java:381)
Caused by: java.security.InvalidKeyException: ECDH key agreement requires ECPublicKey for doPhase
at org.bouncycastle.jcajce.provider.asymmetric.ec.KeyAgreementSpi.engineDoPhase(Unknown Source)
at javax.crypto.KeyAgreement.doPhase(KeyAgreement.java:567)
at sun.security.ssl.ECDHCrypt.getAgreedSecret(ECDHCrypt.java:96)
... 32 more

New: Currently when connecting to ECDHE-RSA-* servers I was getting errors.

Upgrading to bouncycastle 1.52 resolves these

Below is an example exception; seen via the stash-notification-plugin, and ssh-agent-plugin

{code}
javax.net.ssl.SSLHandshakeException: Could not generate secret
at sun.security.ssl.ECDHCrypt.getAgreedSecret(ECDHCrypt.java:99)
at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1045)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
at org.apache.http.impl.conn.BasicHttpClientConnectionManager.connect(BasicHttpClientConnectionManager.java:338)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
at org.jenkinsci.plugins.stashNotifier.StashNotifier.notifyStash(StashNotifier.java:556)
at org.jenkinsci.plugins.stashNotifier.StashNotifier.processJenkinsEvent(StashNotifier.java:207)
at org.jenkinsci.plugins.stashNotifier.StashNotifier.prebuild(StashNotifier.java:160)
at hudson.model.AbstractBuild$AbstractBuildExecution.preBuild(AbstractBuild.java:834)
at hudson.model.AbstractBuild$AbstractBuildExecution.preBuild(AbstractBuild.java:829)
at hudson.model.Build$BuildExecution.doRun(Build.java:144)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:537)
at hudson.model.Run.execute(Run.java:1741)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
at hudson.model.ResourceController.execute(ResourceController.java:98)
at hudson.model.Executor.run(Executor.java:381)
Caused by: java.security.InvalidKeyException: ECDH key agreement requires ECPublicKey for doPhase
at org.bouncycastle.jcajce.provider.asymmetric.ec.KeyAgreementSpi.engineDoPhase(Unknown Source)
at javax.crypto.KeyAgreement.doPhase(KeyAgreement.java:567)
at sun.security.ssl.ECDHCrypt.getAgreedSecret(ECDHCrypt.java:96)
... 32 more
{code}

Josh Toft made changes - 2015-08-24 15:15

Summary

Original: Upgrade ssh-agent-plugin bouncycastle to 1.52 to add ECDH fixes

New: Upgrade ssh-agent-plugin bouncycastle to 1.52 to add ECDH support

Manuel Recena Soto made changes - 2015-08-24 15:29

Component/s

Original: stashnotifier-plugin [ 17535 ]

Manuel Recena Soto made changes - 2015-08-26 12:22

Assignee

New: Josh Toft [ seryl ]

Manuel Recena Soto made changes - 2015-08-26 12:22

Status

Original: Open [ 1 ]

New: In Progress [ 3 ]

Josh Toft made changes - 2015-09-23 18:35

Summary

Original: Upgrade ssh-agent-plugin bouncycastle to 1.52 to add ECDH support

New: Upgrade ssh-agent-plugin bouncycastle to 1.52

Josh Toft made changes - 2015-10-30 18:39

Summary

Original: Upgrade ssh-agent-plugin bouncycastle to 1.52

New: Upgrade ssh-agent-plugin bouncycastle to 1.53

Josh Toft made changes - 2015-11-03 20:57

Resolution		New: Fixed [ 1 ]
Status	Original: In Progress [ 3 ]	New: Closed [ 6 ]

R. Tyler Croy made changes - 2016-07-26 00:01

Workflow

Original: JNJira [ 165193 ]

New: JNJira + In-Review [ 209163 ]

Assignee:: Josh Toft

Reporter:: Josh Toft

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2015-08-24 14:10

Updated:: 2015-11-03 20:57

Resolved:: 2015-11-03 20:57

Jenkins

Details

Description

Attachments

Activity

People

Dates