  1. Jenkins
  2. JENKINS-34121

IBM Java doesn't support AES/CTR/PKCS5Padding, required for JNLP3


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Won't Fix
    • remoting
    • None

    Description

      It is not possible to run slaves anymore using IBM Java.

      This is due to the new encrypted communication introduced in Jenkins 1.653, where the handshake is done using "AES/CTR/PKCS5Padding".
      I couldn't find what ciphers IBM Java does or doesn't support (maybe nothing else than the default ones), but I created a quick test to check (see below).

      Would it be possible to switch to a cipher supported by IBM Java?

      Test:
      import java.security.NoSuchAlgorithmException;

      import javax.crypto.Cipher;
      import javax.crypto.NoSuchPaddingException;

      public class PaddingIssue {
          private static final String CIPHER = "AES/CTR/PKCS5Padding";

          public static void main(String[] args) throws NoSuchAlgorithmException, NoSuchPaddingException {
              Cipher encryptCipher = Cipher.getInstance(CIPHER);
              System.out.println("Fine!");
          }
      }

      Executions:
      IBM JAVA 1.6
      /usr/lib/j2re1.6-ibm/jre/bin/java PaddingIssue
      Exception in thread "main" java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
      at javax.crypto.Cipher.getInstance(Unknown Source)
      at PaddingIssue.main(PaddingIssue.java:10)
      Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10126Padding or NoPadding
      at com.ibm.crypto.provider.AESCipher.engineSetPadding(Unknown Source)
      at javax.crypto.Cipher$a.a(Unknown Source)
      ... 2 more

      IBM JAVA 1.7
      /usr/lib/j2re1.7-ibm/jre/bin/java PaddingIssue
      Exception in thread "main" java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
      at javax.crypto.Cipher.getInstance(Unknown Source)
      at PaddingIssue.main(PaddingIssue.java:10)
      Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10126Padding or NoPadding
      at com.ibm.crypto.provider.AESCipher.engineSetPadding(Unknown Source)
      at javax.crypto.Cipher$a.a(Unknown Source)
      ... 2 more

      IBM JAVA 1.8
      /usr/lib/jvm/java-ibm-x86_64-80/jre/bin/java PaddingIssue
      Exception in thread "main" java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
      at javax.crypto.Cipher.getInstance(Unknown Source)
      at PaddingIssue.main(PaddingIssue.java:10)
      Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10126Padding or NoPadding
      at com.ibm.crypto.provider.AbstractBufferingCipher.engineSetPadding(Unknown Source)
      at javax.crypto.Cipher$a.a(Unknown Source)
      ... 2 more

      OpenJDK 7
      /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java PaddingIssue
      Fine!

      Full stacktrace:
      Mar 22, 2016 3:54:13 PM hudson.remoting.jnlp.Main$CuiListener status
      INFO: Trying protocol: JNLP3-connect
      Mar 22, 2016 3:54:14 PM hudson.remoting.jnlp.Main$CuiListener error
      SEVERE: Failed to create handshake ciphers
      java.lang.AssertionError: Failed to create handshake ciphers
      at org.jenkinsci.remoting.engine.HandshakeCiphers.create(HandshakeCiphers.java:116)
      at org.jenkinsci.remoting.engine.JnlpProtocol3.performHandshake(JnlpProtocol3.java:138)
      at org.jenkinsci.remoting.engine.JnlpProtocol.establishChannel(JnlpProtocol.java:77)
      at hudson.remoting.Engine.run(Engine.java:308)
      Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
      at javax.crypto.Cipher.getInstance(Unknown Source)
      at org.jenkinsci.remoting.engine.HandshakeCiphers.create(HandshakeCiphers.java:109)
      ... 3 more
      Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10126Padding or NoPadding
      at com.ibm.crypto.provider.AESCipher.engineSetPadding(Unknown Source)
      at javax.crypto.Cipher$a_.a(Unknown Source)
      ... 5 more
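A broader version of the reporter's probe, added here as an example (it is not code from the issue or from Jenkins remoting): it lists the installed JCE providers, checks the three CTR transformations named in the error messages above, and round-trips 13 bytes through AES/CTR/NoPadding to show that CTR, being a stream mode, yields ciphertext of the same length as the input without any padding. The class name `CtrPaddingProbe`, the all-zero key and IV, and the 13-byte sample are constructed for this probe.

```java
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CtrPaddingProbe {
    // Transformations named on this page: the one JNLP3 requests and the two
    // that the IBM provider's error message says it accepts for CTR mode.
    static final String[] CANDIDATES = {
        "AES/CTR/PKCS5Padding", "AES/CTR/ISO10126Padding", "AES/CTR/NoPadding"
    };
    /** Returns the name of the provider serving the transformation, or null. */
    static String providerFor(String transformation) {
        try {
            return Cipher.getInstance(transformation).getProvider().getName();
        } catch (GeneralSecurityException e) { // NoSuchAlgorithm / NoSuchPadding
            return null;
        }
    }
    /** Round-trips data through AES/CTR/NoPadding; returns the ciphertext length. */
    static int ctrRoundTrip(byte[] plaintext) throws GeneralSecurityException {
        // Constructed all-zero key and IV: for this probe only, never for real traffic.
        SecretKeySpec key = new SecretKeySpec(new byte[16], "AES");
        IvParameterSpec iv = new IvParameterSpec(new byte[16]);
        Cipher enc = Cipher.getInstance("AES/CTR/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, key, iv);
        byte[] ct = enc.doFinal(plaintext);
        Cipher dec = Cipher.getInstance("AES/CTR/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, key, iv);
        if (!Arrays.equals(plaintext, dec.doFinal(ct))) {
            throw new GeneralSecurityException("round trip mismatch");
        }
        return ct.length;
    }
    public static void main(String[] args) throws GeneralSecurityException {
        for (Provider p : Security.getProviders()) {
            System.out.println("provider: " + p.getName() + " - " + p.getInfo());
        }
        for (String t : CANDIDATES) {
            String name = providerFor(t);
            System.out.println(t + " -> " + (name == null ? "UNSUPPORTED" : name));
        }
        byte[] msg = new byte[13]; // constructed sample, deliberately not a multiple of 16
        System.out.println("CTR/NoPadding: " + msg.length + " bytes in, " + ctrRoundTrip(msg) + " bytes out");
    }
}
```

Running it with the same JVM binary that launches the agent shows which provider, if any, would serve the JNLP3 handshake cipher on that machine.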

          Activity

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Oleg Nenashev
            Path:
            docs/protocols.md
            src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol3Handler.java
            http://jenkins-ci.org/commit/remoting/fe2587b7f9d78334e0ab05ab0b95f39b4b600a25
            Log:
            Docs - Noting JENKINS-37302, JENKINS-33886, and JENKINS-34121 in Errata

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Oleg Nenashev
            Path:
            docs/protocols.md
            src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol3Handler.java
            http://jenkins-ci.org/commit/remoting/86e13055079fd679a46b06fc7ce54ea1eb33ac1f
            Log:
            Merge pull request #155 from oleg-nenashev/doc/jnlp3_errata

            [Docs] - Noting JENKINS-37302, JENKINS-33886, and JENKINS-34121 in JNLP3 Errata

            Compare: https://github.com/jenkinsci/remoting/compare/b8f10d809829...86e13055079f
            oleg_nenashev Oleg Nenashev added a comment -

            Closing as "Won't fix"; upgrade to JNLP4 is the recommended solution.

            If somebody wants to fix it, please feel free to reopen it and to create a pull request.

            srimanoj_kandala Mallikarjuna Manoj Kandala added a comment -

            Can someone please provide instructions to upgrade to JNLP4?

            We prefer to use IBM JRE.
            oleg_nenashev Oleg Nenashev added a comment -

            srimanoj_kandala

            1) Upgrade to Jenkins 2.32.1 or above
            2) Go to the Global Security Configuration in Manage Jenkins
            3) Ensure that JNLP4 is allowed in protocol security settings

            People

              Unassigned Unassigned
              gloparm Gabriel Lopez
              Votes: 2
              Watchers: 8
