
Subversion HTTPS + PKCS12 Certificate in CPU infinite loop

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Component: subversion-plugin
    • Environment: Jenkins LTS 1.625.1, Subversion plugin 2.5.3 (svnkit 1.8.6), Java 8u60, Debian GNU/Linux Jessie 8.2

      After upgrading to Jenkins 1.625.1 and switching to Java 8u60,
      one of our jobs configured to use mutual SSL authentication against an HTTPS Subversion repository produces the following behaviour:

      • the polling SCM thread consumes 100% in "endless" sun.security.pkcs12.PKCS12KeyStore.engineGetKey method
      • because of the lock hudson.scm.SubversionSCM$ModuleLocation held there, all SCM commit notification threads get stuck
      • as a result, the SCM thread pool gets exhausted and the management page displays a warning

      In production, everything got stuck for 12 hours before we had to restart the Jenkins master.
      In the test environment, we reproduced it with both Java 7u80 and Java 8u60.
      The issue persists even after replacing the default "Sun" security provider with "BouncyCastle" to use alternate PKCS#12, SHA and DES implementations.
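
The symptom described above can be confirmed from a JVM thread dump. The following is an added example, not part of the original report or of the plugin's code: it finds a RUNNABLE thread inside `engineGetKey` that holds a `SubversionSCM$ModuleLocation` monitor and lists the threads blocked on that same monitor. The sample dump is constructed (thread names, ids and addresses are made up); only the method and lock class names come from the report.

```python
import re
from collections import defaultdict

# Constructed jstack-style excerpt (thread names, ids and addresses are made up).
SAMPLE_DUMP = '''\
"SCM polling for job-a" #71 prio=5 tid=0x01 nid=0x1a runnable
   java.lang.Thread.State: RUNNABLE
	at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java)
	- locked <0x00000000e0a1b2c8> (a hudson.scm.SubversionSCM$ModuleLocation)

"notifyCommit handler 1" #80 prio=5 tid=0x02 nid=0x1b waiting for monitor entry
   java.lang.Thread.State: BLOCKED (on object monitor)
	- waiting to lock <0x00000000e0a1b2c8> (a hudson.scm.SubversionSCM$ModuleLocation)

"notifyCommit handler 2" #81 prio=5 tid=0x03 nid=0x1c waiting for monitor entry
   java.lang.Thread.State: BLOCKED (on object monitor)
	- waiting to lock <0x00000000e0a1b2c8> (a hudson.scm.SubversionSCM$ModuleLocation)

"Executor #0" #90 prio=5 tid=0x04 nid=0x1d waiting on condition
   java.lang.Thread.State: WAITING (parking)
'''

HOT_FRAME = "sun.security.pkcs12.PKCS12KeyStore.engineGetKey"
LOCK_CLASS = "hudson.scm.SubversionSCM$ModuleLocation"
MONITOR = re.compile(r"- (locked|waiting to lock) <(0x[0-9a-f]+)> \(a ([^)]+)\)")

def find_stuck_lock_holders(dump):
    """Map each RUNNABLE thread inside HOT_FRAME that holds a LOCK_CLASS
    monitor to the names of the threads blocked on that same monitor."""
    holders, waiters = {}, defaultdict(list)
    for block in re.split(r"\n\s*\n", dump.strip()):
        lines = block.splitlines()
        name = re.match(r'"([^"]*)"', lines[0])
        if not name:
            continue
        spinning = "State: RUNNABLE" in block and HOT_FRAME in block
        for action, addr, cls in MONITOR.findall(block):
            if cls != LOCK_CLASS:
                continue
            if action == "locked" and spinning:
                holders[addr] = name.group(1)
            elif action == "waiting to lock":
                waiters[addr].append(name.group(1))
    return {holder: waiters[addr] for addr, holder in holders.items()}

if __name__ == "__main__":
    for holder, blocked in find_stuck_lock_holders(SAMPLE_DUMP).items():
        print(f"{holder!r} holds the lock in {HOT_FRAME}; {len(blocked)} blocked: {blocked}")
```

A single dump only shows where a thread is at one instant; running the check on two dumps taken some minutes apart and getting the same holder is what distinguishes a stuck thread from a slow one.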

          [JENKINS-31192] Subversion HTTPS + PKCS12 Certificate in CPU infinite loop

          Yves Martin created issue -
          Yves Martin made changes -
          Environment Original: Jenkins LTS 1.625.1, Java 8u60, Debian GNU/Linux Jessie 8.2 New: Jenkins LTS 1.625.1, Subversion plugin Java 8u60, Debian GNU/Linux Jessie 8.2
          Yves Martin made changes -
          Environment Original: Jenkins LTS 1.625.1, Subversion plugin Java 8u60, Debian GNU/Linux Jessie 8.2 New: Jenkins LTS 1.625.1, Subversion plugin 2.5.3 (svnkit 1.8.6), Java 8u60, Debian GNU/Linux Jessie 8.2
          Yves Martin made changes -
          Assignee New: Yves Martin [ ymartin1040 ]
          Manuel Recena Soto made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Manuel Recena Soto made changes -
          Comment [ The changes related to this issue are in this [PR|https://github.com/jenkinsci/subversion-plugin/pull/145]. ]
          Manuel Recena Soto made changes -
          Link New: This issue is related to JENKINS-14958 [ JENKINS-14958 ]
          Manuel Recena Soto made changes -
          Labels Original: performance scm security subversion New: certificate performance scm
          Manuel Recena Soto made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: In Progress [ 3 ] New: Resolved [ 5 ]

            Assignee: Yves Martin (ymartin1040)
            Reporter: Yves Martin (ymartin1040)