
Upgrade instance-identity-module bouncycastle to 1.53

    • Type: Improvement
    • Resolution: Fixed
    • Priority: Minor
    • Component: core

      Slaves cannot connect to Jenkins servers with ECDH* SSL configurations via https

      Replacing the bc* libraries in war/WEB-INF/lib/ bcprov-jdk15on-1.47.jar with bcprov-jdk15on-152.jar allows all connections to work with and without ECDH connections.

      Upgrading the instance identity module (https://github.com/jenkinsci/instance-identity-module) to bouncycastle 1.52 should resolve this, I think; I'm not aware of any other things that include bcprov in core.

      Additionally, ssh-agent-plugin has a patch to fix the same issue for that plugin:

      https://github.com/jenkinsci/ssh-agent-plugin/pull/8

      And below is an example error of such a failed connection, although not specifically with a slave.

      Caught exception while notifying Stash with id 695c0a35657a11c973a904ff993cd873b7283e1b
      javax.net.ssl.SSLHandshakeException: Could not generate secret
      at sun.security.ssl.ECDHCrypt.getAgreedSecret(ECDHCrypt.java:99)
      at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1045)
      at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348)
      at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
      at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
      at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
      at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
      at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
      at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
      at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
      at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
      at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
      at org.apache.http.impl.conn.BasicHttpClientConnectionManager.connect(BasicHttpClientConnectionManager.java:338)
      at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
      at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
      at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
      at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
      at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
      at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
      at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
      at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
      at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
      at org.jenkinsci.plugins.stashNotifier.StashNotifier.notifyStash(StashNotifier.java:556)
      at org.jenkinsci.plugins.stashNotifier.StashNotifier.processJenkinsEvent(StashNotifier.java:207)
      at org.jenkinsci.plugins.stashNotifier.StashNotifier.prebuild(StashNotifier.java:160)
      at hudson.model.AbstractBuild$AbstractBuildExecution.preBuild(AbstractBuild.java:834)
      at hudson.model.AbstractBuild$AbstractBuildExecution.preBuild(AbstractBuild.java:829)
      at hudson.model.Build$BuildExecution.doRun(Build.java:144)
      at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:537)
      at hudson.model.Run.execute(Run.java:1741)
      at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      at hudson.model.ResourceController.execute(ResourceController.java:98)
      at hudson.model.Executor.run(Executor.java:381)
      Caused by: java.security.InvalidKeyException: ECDH key agreement requires ECPublicKey for doPhase
      at org.bouncycastle.jcajce.provider.asymmetric.ec.KeyAgreementSpi.engineDoPhase(Unknown Source)
      at javax.crypto.KeyAgreement.doPhase(KeyAgreement.java:567)
      at sun.security.ssl.ECDHCrypt.getAgreedSecret(ECDHCrypt.java:96)
      ... 32 more
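
Added example, not part of the original report or the Jenkins code base: a small inventory check that walks a WAR and any plugin archives nested inside it, and flags bundled Bouncy Castle jars older than 1.52, the version the reporter found to work. The sample WAR is constructed in memory, `example-plugin.hpi` is a hypothetical name, and the 1.52 threshold is taken from the report above.

```python
import io
import re
import zipfile

# Matches bcprov-jdk15on-1.47.jar and the dotless bcprov-jdk15on-152.jar form.
BC_JAR = re.compile(
    r"(?:^|/)(bc(?:prov|pkix|pg|mail)-[a-z0-9]+)-(\d)\.?(\d{2})(?:\.\d+)?\.jar$")
MIN_OK = (1, 52)  # assumption: threshold taken from the report (1.52 worked)
NESTED = (".war", ".hpi", ".jpi")  # archives that can carry their own WEB-INF/lib


def scan_archive(data, label="", min_ok=MIN_OK):
    """Return sorted (path, version, is_outdated) for every bundled bc* jar."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            path = f"{label}!{name}" if label else name
            m = BC_JAR.search(name)
            if m:
                version = (int(m.group(2)), int(m.group(3)))
                hits.append((path, "%d.%d" % version, version < min_ok))
            elif name.lower().endswith(NESTED):
                # Plugins are zip archives too and may bundle their own copy.
                hits.extend(scan_archive(zf.read(name), path, min_ok))
    return sorted(hits)


def build_sample_war():
    """Constructed sample: a WAR with an old bcprov and a plugin with a new one."""
    def make_zip(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for entry, content in entries.items():
                zf.writestr(entry, content)
        return buf.getvalue()
    plugin = make_zip({"WEB-INF/lib/bcprov-jdk15on-152.jar": b""})
    return make_zip({
        "WEB-INF/lib/bcprov-jdk15on-1.47.jar": b"",
        "WEB-INF/lib/instance-identity.jar": b"",
        "WEB-INF/plugins/example-plugin.hpi": plugin,  # hypothetical plugin
    })


if __name__ == "__main__":
    for path, version, outdated in scan_archive(build_sample_war()):
        print("OUTDATED" if outdated else "ok      ", version, path)
```

To check a real installation, pass the bytes of the WAR file to `scan_archive` in place of the constructed sample.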
      

          [JENKINS-30110] Upgrade instance-identity-module bouncycastle to 1.53

          Josh Toft added a comment - edited

          I would have fixed this myself, like I did with the ssh-agent-plugin, but I could not get this to build properly.

          I got the following error when running mvn clean package:

          Failed to execute goal org.codehaus.gmaven:gmaven-plugin:1.5-jenkins-3:generateStubs (default) on project pom: Execution default of goal org.codehaus.gmaven:gmaven-plugin:1.5-jenkins-3:generateStubs failed: A required class was missing while executing org.codehaus.gmaven:gmaven-plugin:1.5-jenkins-3:generateStubs: org/codehaus/groovy/control/CompilerConfiguration
          


          Josh Toft added a comment -

          Just needed to update plugins to 1.609.1


          Code changed in jenkins
          User: Stephen Connolly
          Path:
          pom.xml
          src/main/java/org/jenkinsci/main/modules/instance_identity/InstanceIdentity.java
          http://jenkins-ci.org/commit/instance-identity-module/2d47ae79a34291bec03883ee398ee194b666a488
          Log:
          Merge pull request #3 from seryl/update-bouncyastle-152

          [FIXED JENKINS-30110] Update bouncyastle 153

          Compare: https://github.com/jenkinsci/instance-identity-module/compare/763d508fa4e4...2d47ae79a342


            Assignee: Unassigned
            Reporter: Josh Toft (seryl)