[JENKINS-30110] Upgrade instance-identity-module bouncycastle to 1.53

Type: Improvement
Resolution: Fixed
Priority: Minor
Component/s: core
Labels:
- exception
- patch
- plugin
Environment:

Hide
Jenkins 1.622

plugins:
    "ansicolor/0.4.1"
    "ant/1.2"
    "antisamy-markup-formatter/1.3"
    "authentication-tokens/1.1"
    "cloudbees-credentials/3.3"
    "credentials/1.22"
    "cvs/2.12"
    "docker-build-publish/1.0"
    "docker-commons/1.2"
    "docker-custom-build-environment/1.4"
    "email-ext/2.40.5"
    "git/2.4.0"
    "git-client/1.18.0"
    "greenballs/1.14"
    "hipchat/0.1.9"
    "javadoc/1.3"
    "junit/1.8"
    "ldap/1.11"
    "mailer/1.15"
    "mapdb-api/1.0.6.0"
    "matrix-auth/1.2"
    "matrix-project/1.6"
    "maven-plugin/2.11"
    "mesos/0.6.0"
    "monitoring/1.56.0"
    "multi-branch-project-plugin/0.2.4"
    "pam-auth/1.2"
    "parameterized-trigger/2.27"
    "scm-api/0.2"
    "script-security/1.14"
    "ssh-credentials/1.11"
    "ssh-agent/1.8"
    "ssh-slaves/1.10"
    "stashNotifier/1.8"
    "subversion/2.5.1"
    "token-macro/1.10"
    "translation/1.12"
    "windows-slaves/1.1"

Show
Jenkins 1.622 plugins:     "ansicolor/0.4.1"     "ant/1.2"     "antisamy-markup-formatter/1.3"     "authentication-tokens/1.1"     "cloudbees-credentials/3.3"     "credentials/1.22"     "cvs/2.12"     "docker-build-publish/1.0"     "docker-commons/1.2"     "docker-custom-build-environment/1.4"     "email-ext/2.40.5"     "git/2.4.0"     "git-client/1.18.0"     "greenballs/1.14"     "hipchat/0.1.9"     "javadoc/1.3"     "junit/1.8"     "ldap/1.11"     "mailer/1.15"     "mapdb-api/1.0.6.0"     "matrix-auth/1.2"     "matrix-project/1.6"     "maven-plugin/2.11"     "mesos/0.6.0"     "monitoring/1.56.0"     "multi-branch-project-plugin/0.2.4"     "pam-auth/1.2"     "parameterized-trigger/2.27"     "scm-api/0.2"     "script-security/1.14"     "ssh-credentials/1.11"     "ssh-agent/1.8"     "ssh-slaves/1.10"     "stashNotifier/1.8"     "subversion/2.5.1"     "token-macro/1.10"     "translation/1.12"     "windows-slaves/1.1"

Similar Issues:
Powered by SuggestiMate

Show
URL:
https://github.com/jenkinsci/instance-identity-module/pull/3

slave's cannot connect to jenkins servers with ECDH* SSL configurations via https

Replacing the bc* libraries in war/WEB-INF/lib/ bcprov-jdk15on-1.47.jar with bcprov-jdk15on-152.jar allows all connections to work with and without ECDH connections.

Upgrading the instance identity module (https://github.com/jenkinsci/instance-identity-module) to bouncycastle 1.52 should resolve this I think, I'm not aware of any other things that include bcprov in core.

Additionally, ssh-agent-plugin has a patch to fix the same issue for that plugin:

https://github.com/jenkinsci/ssh-agent-plugin/pull/8

And below is an example error of such a failed connection, although not specifically with a slave.

Caught exception while notifying Stash with id 695c0a35657a11c973a904ff993cd873b7283e1b
javax.net.ssl.SSLHandshakeException: Could not generate secret
at sun.security.ssl.ECDHCrypt.getAgreedSecret(ECDHCrypt.java:99)
at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1045)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
at org.apache.http.impl.conn.BasicHttpClientConnectionManager.connect(BasicHttpClientConnectionManager.java:338)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
at org.jenkinsci.plugins.stashNotifier.StashNotifier.notifyStash(StashNotifier.java:556)
at org.jenkinsci.plugins.stashNotifier.StashNotifier.processJenkinsEvent(StashNotifier.java:207)
at org.jenkinsci.plugins.stashNotifier.StashNotifier.prebuild(StashNotifier.java:160)
at hudson.model.AbstractBuild$AbstractBuildExecution.preBuild(AbstractBuild.java:834)
at hudson.model.AbstractBuild$AbstractBuildExecution.preBuild(AbstractBuild.java:829)
at hudson.model.Build$BuildExecution.doRun(Build.java:144)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:537)
at hudson.model.Run.execute(Run.java:1741)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
at hudson.model.ResourceController.execute(ResourceController.java:98)
at hudson.model.Executor.run(Executor.java:381)
Caused by: java.security.InvalidKeyException: ECDH key agreement requires ECPublicKey for doPhase
at org.bouncycastle.jcajce.provider.asymmetric.ec.KeyAgreementSpi.engineDoPhase(Unknown Source)
at javax.crypto.KeyAgreement.doPhase(KeyAgreement.java:567)
at sun.security.ssl.ECDHCrypt.getAgreedSecret(ECDHCrypt.java:96)
... 32 more

Josh Toft created issue - 2015-08-24 14:17

Josh Toft made changes - 2015-08-24 15:04

URL

Original: https://github.com/jenkinsci/instance-identity-module

New: https://github.com/jenkinsci/instance-identity-module/pull/3

Josh Toft made changes - 2015-08-24 15:04

Labels

Original: exception plugin

New: exception patch plugin

Josh Toft made changes - 2015-08-24 15:15

Summary

Original: Upgrade instance-identity-module to bouncycastle 1.52 to add ECDH support

New: Upgrade instance-identity-module to bouncycastle to 1.52 to add ECDH support

Josh Toft made changes - 2015-08-24 15:15

Summary

Original: Upgrade instance-identity-module to bouncycastle to 1.52 to add ECDH support

New: Upgrade instance-identity-module bouncycastle to 1.52 to add ECDH support

Josh Toft made changes - 2015-09-23 18:36

Summary

Original: Upgrade instance-identity-module bouncycastle to 1.52 to add ECDH support

New: Upgrade instance-identity-module bouncycastle to 1.52

Josh Toft made changes - 2015-10-30 18:39

Summary

Original: Upgrade instance-identity-module bouncycastle to 1.52

New: Upgrade instance-identity-module bouncycastle to 1.53

SCM/JIRA link daemon made changes - 2015-11-03 20:08

Resolution		New: Fixed [ 1 ]
Status	Original: Open [ 1 ]	New: Resolved [ 5 ]

R. Tyler Croy made changes - 2016-07-25 23:57

Workflow

Original: JNJira [ 165194 ]

New: JNJira + In-Review [ 197648 ]

Assignee:: Unassigned

Reporter:: Josh Toft

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2015-08-24 14:17

Updated:: 2015-11-03 20:08

Resolved:: 2015-11-03 20:08

Jenkins

Details

Description

Attachments

Activity

People

Dates