
IBM Java doesn't support AES/CTR/PKCS5Padding, required for JNLP3

    • Type: Bug
    • Resolution: Won't Fix
    • Priority: Major
    • Component: remoting
    • None

      It is not possible to run slaves anymore using IBM Java.

      This is due to the new encrypted communication introduced in Jenkins 1.653, where the handshake is done using "AES/CTR/PKCS5Padding".
      I couldn't find what ciphers IBM Java does or doesn't support (maybe nothing else than the default ones), but I created a quick test to check (see below).

      Would it be possible to switch to a cipher supported by IBM Java?

      Test:
      import java.security.NoSuchAlgorithmException;
      import javax.crypto.Cipher;
      import javax.crypto.NoSuchPaddingException;

      public class PaddingIssue {
          private static final String CIPHER = "AES/CTR/PKCS5Padding";

          public static void main(String[] args) throws NoSuchAlgorithmException, NoSuchPaddingException {
              // Throws if no installed JCE provider supports this mode/padding combination.
              Cipher encryptCipher = Cipher.getInstance(CIPHER);
              System.out.println("Fine!");
          }
      }

      Executions:
      IBM JAVA 1.6
      /usr/lib/j2re1.6-ibm/jre/bin/java PaddingIssue
      Exception in thread "main" java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
      at javax.crypto.Cipher.getInstance(Unknown Source)
      at PaddingIssue.main(PaddingIssue.java:10)
      Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10126Padding or NoPadding
      at com.ibm.crypto.provider.AESCipher.engineSetPadding(Unknown Source)
      at javax.crypto.Cipher$a.a(Unknown Source)
      ... 2 more

      IBM JAVA 1.7
      /usr/lib/j2re1.7-ibm/jre/bin/java PaddingIssue
      Exception in thread "main" java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
      at javax.crypto.Cipher.getInstance(Unknown Source)
      at PaddingIssue.main(PaddingIssue.java:10)
      Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10126Padding or NoPadding
      at com.ibm.crypto.provider.AESCipher.engineSetPadding(Unknown Source)
      at javax.crypto.Cipher$a.a(Unknown Source)
      ... 2 more

      IBM JAVA 1.8
      /usr/lib/jvm/java-ibm-x86_64-80/jre/bin/java PaddingIssue
      Exception in thread "main" java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
      at javax.crypto.Cipher.getInstance(Unknown Source)
      at PaddingIssue.main(PaddingIssue.java:10)
      Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10126Padding or NoPadding
      at com.ibm.crypto.provider.AbstractBufferingCipher.engineSetPadding(Unknown Source)
      at javax.crypto.Cipher$a.a(Unknown Source)
      ... 2 more

      OpenJDK 7
      /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java PaddingIssue
      Fine!

      Full stacktrace:
      Mar 22, 2016 3:54:13 PM hudson.remoting.jnlp.Main$CuiListener status
      INFO: Trying protocol: JNLP3-connect
      Mar 22, 2016 3:54:14 PM hudson.remoting.jnlp.Main$CuiListener error
      SEVERE: Failed to create handshake ciphers
      java.lang.AssertionError: Failed to create handshake ciphers
      at org.jenkinsci.remoting.engine.HandshakeCiphers.create(HandshakeCiphers.java:116)
      at org.jenkinsci.remoting.engine.JnlpProtocol3.performHandshake(JnlpProtocol3.java:138)
      at org.jenkinsci.remoting.engine.JnlpProtocol.establishChannel(JnlpProtocol.java:77)
      at hudson.remoting.Engine.run(Engine.java:308)
      Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
      at javax.crypto.Cipher.getInstance(Unknown Source)
      at org.jenkinsci.remoting.engine.HandshakeCiphers.create(HandshakeCiphers.java:109)
      ... 3 more
      Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10126Padding or NoPadding
      at com.ibm.crypto.provider.AESCipher.engineSetPadding(Unknown Source)
      at javax.crypto.Cipher$a_.a(Unknown Source)
      ... 5 more
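
A portability probe for the failure reported above, added here as an example (not code from the reporter or from Jenkins remoting): it reports which installed JCE provider, if any, accepts each AES/CTR transformation named in the exception, and shows that AES/CTR/NoPadding round-trips input that is not a multiple of the block size. The class name, the all-zero key and counter block, and the sample message are constructed for illustration.

```java
import java.nio.charset.Charset;
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CtrTransformationProbe {
    // The JNLP3 transformation plus the two paddings the IBM provider's error message allows.
    static final String[] CANDIDATES = {
        "AES/CTR/PKCS5Padding", "AES/CTR/ISO10126Padding", "AES/CTR/NoPadding"
    };

    // Returns the name of the first installed provider that accepts the transformation, or null.
    static String firstProviderFor(String transformation) {
        for (Provider p : Security.getProviders()) {
            try {
                Cipher.getInstance(transformation, p);
                return p.getName();
            } catch (GeneralSecurityException e) { /* rejected by this provider; try the next */ }
        }
        return null;
    }

    // CTR turns AES into a stream cipher, so NoPadding handles input of any length.
    static byte[] ctrRoundTrip(byte[] plaintext) throws GeneralSecurityException {
        SecretKeySpec key = new SecretKeySpec(new byte[16], "AES"); // constructed demo key only
        IvParameterSpec iv = new IvParameterSpec(new byte[16]);     // counter must be unique per key in real use
        Cipher enc = Cipher.getInstance("AES/CTR/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, key, iv);
        byte[] ciphertext = enc.doFinal(plaintext);
        if (ciphertext.length != plaintext.length) throw new IllegalStateException("unexpected padding");
        Cipher dec = Cipher.getInstance("AES/CTR/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, key, iv);
        return dec.doFinal(ciphertext);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        for (String t : CANDIDATES) {
            String provider = firstProviderFor(t);
            System.out.println(t + " -> " + (provider == null ? "UNSUPPORTED" : provider));
        }
        byte[] msg = "13-byte input".getBytes(Charset.forName("UTF-8")); // not a multiple of 16
        System.out.println("NoPadding round trip ok: " + Arrays.equals(msg, ctrRoundTrip(msg)));
    }
}
```

Run it with each JRE that agents will use; a transformation reported as UNSUPPORTED on any of them cannot be used for a handshake that must work across those runtimes.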

          [JENKINS-34121] IBM Java doesn't support AES/CTR/PKCS5Padding, required for JNLP3

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Stephen Connolly
          Path:
          src/main/java/hudson/remoting/Engine.java
          src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol.java
          http://jenkins-ci.org/commit/remoting/43793e5b46f223c57f0a7b137cd983903fd63446
          Log:
          [Related to JENKINS-34121] Allow disabling the protocols individually (#83)

          • Also ensure that a fatal unexpected error in one protocol does not prevent a fall-back

          Oleg Nenashev added a comment -

          Workaround - Disable JNLP3 protocol.
          This workaround has been implemented by Stephen and released as remoting 2.59.
          Should become available in the next weekly, may be a subject for backporting into the next LTS release (1.651.3)


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          pom.xml
          http://jenkins-ci.org/commit/jenkins/409438f36dc80f20964fb16f8d88041e11ba4ed4
          Log:
          [JENKINS-19445, JENKINS-34213, JENKINS-34808, JENKINS-34121] Bump remoting to 2.59. (#2344)

          • [JENKINS-19445, JENKINS-34213, JENKINS-34808] Bump remoting to 2.58.

          Changes:

          • JENKINS-34213 (https://issues.jenkins-ci.org/browse/JENKINS-34213) - Ensure that the unexporter cleans up whatever it can each sweep (https://github.com/jenkinsci/remoting/pull/81)
          • JENKINS-19445 (https://issues.jenkins-ci.org/browse/JENKINS-19445) Force class load on UserRequest in order to prevent deadlock on windows nodes when using JNA and Subversion (https://github.com/jenkinsci/remoting/pull/81)
          • JENKINS-34808 (https://issues.jenkins-ci.org/browse/JENKINS-34808) - Allow user to adjust socket timeout (https://github.com/jenkinsci/remoting/pull/68)
          • JENKINS-34121 - Upgrade remoting to 2.59

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          pom.xml
          http://jenkins-ci.org/commit/jenkins/12e79963cca5122351943ee107f65c3ad91a2e25
          Log:
          [JENKINS-19445, JENKINS-34213, JENKINS-34808, JENKINS-34121] Bump remoting to 2.59. (#2344)

          • [JENKINS-19445, JENKINS-34213, JENKINS-34808] Bump remoting to 2.58.

          Changes:

          • JENKINS-34213 (https://issues.jenkins-ci.org/browse/JENKINS-34213) - Ensure that the unexporter cleans up whatever it can each sweep (https://github.com/jenkinsci/remoting/pull/81)
          • JENKINS-19445 (https://issues.jenkins-ci.org/browse/JENKINS-19445) Force class load on UserRequest in order to prevent deadlock on windows nodes when using JNA and Subversion (https://github.com/jenkinsci/remoting/pull/81)
          • JENKINS-34808 (https://issues.jenkins-ci.org/browse/JENKINS-34808) - Allow user to adjust socket timeout (https://github.com/jenkinsci/remoting/pull/68)
          • JENKINS-34121 - Upgrade remoting to 2.59

          (cherry picked from commit 409438f36dc80f20964fb16f8d88041e11ba4ed4)

          Oliver Gondža added a comment -

          The workaround will be available in 1.651.3 LTS.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          docs/protocols.md
          src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol3Handler.java
          http://jenkins-ci.org/commit/remoting/fe2587b7f9d78334e0ab05ab0b95f39b4b600a25
          Log:
          Docs - Noting JENKINS-37302, JENKINS-33886, and JENKINS-34121 in Errata

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          docs/protocols.md
          src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol3Handler.java
          http://jenkins-ci.org/commit/remoting/86e13055079fd679a46b06fc7ce54ea1eb33ac1f
          Log:
          Merge pull request #155 from oleg-nenashev/doc/jnlp3_errata

          [Docs] - Noting JENKINS-37302, JENKINS-33886, and JENKINS-34121 in JNLP3 Errata

          Compare: https://github.com/jenkinsci/remoting/compare/b8f10d809829...86e13055079f

          Oleg Nenashev added a comment -

          Closing as "Won't fix", upgrade to JNLP4 is the recommended solution.

          If somebody wants to fix it, please feel free to reopen it and to create a pull request


          Mallikarjuna Manoj Kandala added a comment -

          Can someone please provide instructions to upgrade to JNLP4?

          We prefer to use IBM JRE.

          Oleg Nenashev added a comment -

          srimanoj_kandala

          1) Upgrade to Jenkins 2.32.1 or above
          2) Go to the Global Security Configuration in Manage Jenkins
          3) Ensure that JNLP4 is allowed in protocol security settings


            Assignee: Unassigned
            Reporter: Gabriel Lopez (gloparm)
            Votes: 2
            Watchers: 8