-
Improvement
-
Resolution: Fixed
-
Minor
-
Jenkins 1.622
plugins:
"ansicolor/0.4.1"
"ant/1.2"
"antisamy-markup-formatter/1.3"
"authentication-tokens/1.1"
"cloudbees-credentials/3.3"
"credentials/1.22"
"cvs/2.12"
"docker-build-publish/1.0"
"docker-commons/1.2"
"docker-custom-build-environment/1.4"
"email-ext/2.40.5"
"git/2.4.0"
"git-client/1.18.0"
"greenballs/1.14"
"hipchat/0.1.9"
"javadoc/1.3"
"junit/1.8"
"ldap/1.11"
"mailer/1.15"
"mapdb-api/1.0.6.0"
"matrix-auth/1.2"
"matrix-project/1.6"
"maven-plugin/2.11"
"mesos/0.6.0"
"monitoring/1.56.0"
"multi-branch-project-plugin/0.2.4"
"pam-auth/1.2"
"parameterized-trigger/2.27"
"scm-api/0.2"
"script-security/1.14"
"ssh-credentials/1.11"
"ssh-agent/1.8"
"ssh-slaves/1.10"
"stashNotifier/1.8"
"subversion/2.5.1"
"token-macro/1.10"
"translation/1.12"
"windows-slaves/1.1"
Slaves cannot connect to Jenkins servers with ECDH* SSL configurations via HTTPS
Replacing the bc* library bcprov-jdk15on-1.47.jar in war/WEB-INF/lib/ with bcprov-jdk15on-152.jar allows all connections to work, both with and without ECDH.
I think upgrading the instance-identity module (https://github.com/jenkinsci/instance-identity-module) to Bouncy Castle 1.52 should resolve this; I'm not aware of anything else in core that includes bcprov.
Additionally, ssh-agent-plugin has a patch to fix the same issue for that plugin:
https://github.com/jenkinsci/ssh-agent-plugin/pull/8
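Below is an example error from such a failed connection, although not specifically one involving a slave. The "Caused by" at the end of the trace shows the Bouncy Castle KeyAgreementSpi rejecting the key during ECDH key agreement (InvalidKeyException), which the JDK TLS client then reports as the SSLHandshakeException "Could not generate secret".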
Caught exception while notifying Stash with id 695c0a35657a11c973a904ff993cd873b7283e1b
javax.net.ssl.SSLHandshakeException: Could not generate secret
    at sun.security.ssl.ECDHCrypt.getAgreedSecret(ECDHCrypt.java:99)
    at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1045)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
    at org.apache.http.impl.conn.BasicHttpClientConnectionManager.connect(BasicHttpClientConnectionManager.java:338)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
    at org.jenkinsci.plugins.stashNotifier.StashNotifier.notifyStash(StashNotifier.java:556)
    at org.jenkinsci.plugins.stashNotifier.StashNotifier.processJenkinsEvent(StashNotifier.java:207)
    at org.jenkinsci.plugins.stashNotifier.StashNotifier.prebuild(StashNotifier.java:160)
    at hudson.model.AbstractBuild$AbstractBuildExecution.preBuild(AbstractBuild.java:834)
    at hudson.model.AbstractBuild$AbstractBuildExecution.preBuild(AbstractBuild.java:829)
    at hudson.model.Build$BuildExecution.doRun(Build.java:144)
    at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:537)
    at hudson.model.Run.execute(Run.java:1741)
    at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
    at hudson.model.ResourceController.execute(ResourceController.java:98)
    at hudson.model.Executor.run(Executor.java:381)
Caused by: java.security.InvalidKeyException: ECDH key agreement requires ECPublicKey for doPhase
    at org.bouncycastle.jcajce.provider.asymmetric.ec.KeyAgreementSpi.engineDoPhase(Unknown Source)
    at javax.crypto.KeyAgreement.doPhase(KeyAgreement.java:567)
    at sun.security.ssl.ECDHCrypt.getAgreedSecret(ECDHCrypt.java:96)
    ... 32 more