JENKINS-34121: IBM Java doesn't support AES/CTR/PKCS5Padding, required for JNLP3

    • Type: Bug
    • Resolution: Won't Fix
    • Priority: Major
    • remoting
    • None

      It is not possible to run slaves anymore using IBM Java.

      This is due to the new encrypted communication introduced in Jenkins 1.653, where the handshake is done using "AES/CTR/PKCS5Padding".
      I couldn't find what ciphers IBM Java does or doesn't support (maybe nothing else than the default ones), but I created a quick test to check (see below).

      Would it be possible to switch to a cipher supported by IBM Java?

      Test:
      import java.security.NoSuchAlgorithmException;
      import javax.crypto.Cipher;
      import javax.crypto.NoSuchPaddingException;

      public class PaddingIssue {
          private static final String CIPHER = "AES/CTR/PKCS5Padding";

          public static void main(String[] args) throws NoSuchAlgorithmException, NoSuchPaddingException {
              // Throws if no installed provider supports the transformation
              Cipher encryptCipher = Cipher.getInstance(CIPHER);
              System.out.println("Fine!");
          }
      }

      Executions:
      IBM JAVA 1.6
      /usr/lib/j2re1.6-ibm/jre/bin/java PaddingIssue
      Exception in thread "main" java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
      at javax.crypto.Cipher.getInstance(Unknown Source)
      at PaddingIssue.main(PaddingIssue.java:10)
      Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10126Padding or NoPadding
      at com.ibm.crypto.provider.AESCipher.engineSetPadding(Unknown Source)
      at javax.crypto.Cipher$a.a(Unknown Source)
      ... 2 more

      IBM JAVA 1.7
      /usr/lib/j2re1.7-ibm/jre/bin/java PaddingIssue
      Exception in thread "main" java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
      at javax.crypto.Cipher.getInstance(Unknown Source)
      at PaddingIssue.main(PaddingIssue.java:10)
      Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10126Padding or NoPadding
      at com.ibm.crypto.provider.AESCipher.engineSetPadding(Unknown Source)
      at javax.crypto.Cipher$a.a(Unknown Source)
      ... 2 more

      IBM JAVA 1.8
      /usr/lib/jvm/java-ibm-x86_64-80/jre/bin/java PaddingIssue
      Exception in thread "main" java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
      at javax.crypto.Cipher.getInstance(Unknown Source)
      at PaddingIssue.main(PaddingIssue.java:10)
      Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10126Padding or NoPadding
      at com.ibm.crypto.provider.AbstractBufferingCipher.engineSetPadding(Unknown Source)
      at javax.crypto.Cipher$a.a(Unknown Source)
      ... 2 more

      OpenJDK 7
      /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java PaddingIssue
      Fine!

      Full stacktrace:
      Mar 22, 2016 3:54:13 PM hudson.remoting.jnlp.Main$CuiListener status
      INFO: Trying protocol: JNLP3-connect
      Mar 22, 2016 3:54:14 PM hudson.remoting.jnlp.Main$CuiListener error
      SEVERE: Failed to create handshake ciphers
      java.lang.AssertionError: Failed to create handshake ciphers
      at org.jenkinsci.remoting.engine.HandshakeCiphers.create(HandshakeCiphers.java:116)
      at org.jenkinsci.remoting.engine.JnlpProtocol3.performHandshake(JnlpProtocol3.java:138)
      at org.jenkinsci.remoting.engine.JnlpProtocol.establishChannel(JnlpProtocol.java:77)
      at hudson.remoting.Engine.run(Engine.java:308)
      Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
      at javax.crypto.Cipher.getInstance(Unknown Source)
      at org.jenkinsci.remoting.engine.HandshakeCiphers.create(HandshakeCiphers.java:109)
      ... 3 more
      Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10126Padding or NoPadding
      at com.ibm.crypto.provider.AESCipher.engineSetPadding(Unknown Source)
      at javax.crypto.Cipher$a_.a(Unknown Source)
      ... 5 more
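
An added example (not the reporter's test and not code from the Jenkins remoting project): a probe that runs a full encrypt/decrypt round trip for the transformation in this issue and for the two CTR paddings named in the IBM error message, so the same class can be run on each JVM to see which are usable. The class name, candidate list and 21-byte sample are assumptions made for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CtrPaddingProbe {
    // The transformation from this issue, plus the two paddings that the IBM
    // provider's error message names as valid with CTR.
    private static final String[] CANDIDATES = {
        "AES/CTR/PKCS5Padding",
        "AES/CTR/NoPadding",
        "AES/CTR/ISO10126Padding",
    };

    /**
     * Runs a full encrypt/decrypt round trip with a throwaway key and IV and
     * describes the outcome. Doing init() and doFinal(), not just getInstance(),
     * checks what a handshake would actually need from the provider.
     */
    static String probe(String transformation, byte[] plaintext) {
        try {
            SecureRandom rng = new SecureRandom();
            byte[] key = new byte[16];   // AES-128, usable without extra policy files
            byte[] iv = new byte[16];    // one AES block as the initial counter
            rng.nextBytes(key);
            rng.nextBytes(iv);
            SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
            IvParameterSpec ivSpec = new IvParameterSpec(iv);

            Cipher enc = Cipher.getInstance(transformation);
            enc.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);
            byte[] ciphertext = enc.doFinal(plaintext);

            Cipher dec = Cipher.getInstance(transformation);
            dec.init(Cipher.DECRYPT_MODE, keySpec, ivSpec);
            if (!Arrays.equals(plaintext, dec.doFinal(ciphertext))) {
                return "BROKEN: decrypted bytes differ from the input";
            }
            return "ok, provider " + enc.getProvider().getName() + ", "
                    + plaintext.length + " plaintext bytes -> "
                    + ciphertext.length + " ciphertext bytes";
        } catch (GeneralSecurityException e) {
            return "unavailable: " + e;
        } catch (RuntimeException e) {
            // Provider selection failures can surface as unchecked ProviderException.
            return "unavailable: " + e;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: 21 bytes, deliberately not a multiple of the
        // 16-byte AES block size, so any padding shows up in the lengths.
        byte[] sample = new byte[21];
        Arrays.fill(sample, (byte) 'A');
        for (String t : CANDIDATES) {
            System.out.println(t + ": " + probe(t, sample));
        }
    }
}
```

CTR is a stream mode, so with NoPadding the ciphertext is the same length as the plaintext. Both ends of a connection must use the same transformation string.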

          Gabriel Lopez created issue -
          Daniel Beck made changes -
          Component/s New: remoting [ 15489 ]
          Component/s Original: core [ 15593 ]

          Daniel Beck added a comment -

          oleg_nenashev FYI

          nyoung02 added a comment -

          Hitting the same problem. As I work on platforms where the IBM JRE is the only option, this will stop me from upgrading my Jenkins instance.

          If it helps, I reverted the slave.jar file to an old one from another instance of Jenkins running on the same machine and this connects successfully using Jenkins 1.656, giving me a workaround of sorts.

          The version number of the slave that will connect is at 2.33.

          Daniel Beck added a comment -

          What happens when you remove the JNLP3 protocol from the list of supported protocols on Jenkins master?

          CC stephenconnolly who's planning to implement JNLP4, maybe this can be considered.

          Stephen Connolly added a comment -

          So the JNLP4 protocol is implemented already. I am just awaiting approval to release the code. As it uses TLS rather than a home grown cipher system this should not be an issue for JNLP4. (The other change with JNLP4 is that it uses NIO whereas JNLP3 dropped the NIO support)

          If you remove JNLP3 from the list of supported protocols then it should fall back to JNLP2 if I recall the code correctly

          nyoung02 added a comment -

          I have a system I can try it on so I'm happy to give it a try and see as a workaround - but how do I remove JNLP3 from the list of supported protocols?!

          Daniel Beck added a comment -
          java -Djenkins.slaves.JnlpSlaveAgentProtocol3.enabled=false -jar jenkins.war

          should do it.

          nyoung02 added a comment -

          I started Jenkins using that property, all started ok. This appeared in the console output for the master when I tried to connect a slave:

          WARNING: Connection #1 failed
          java.io.EOFException
                  at java.io.DataInputStream.readUnsignedShort(Unknown Source)
                  at java.io.DataInputStream.readUTF(Unknown Source)
                  at java.io.DataInputStream.readUTF(Unknown Source)
                  at hudson.TcpSlaveAgentListener$ConnectionHandler.run(TcpSlaveAgentListener.java:175)

          And the slave still fails to connect:

          May 10, 2016 9:41:11 AM hudson.remoting.jnlp.Main$CuiListener status
          INFO: Trying protocol: JNLP3-connect
          May 10, 2016 9:41:12 AM hudson.remoting.jnlp.Main$CuiListener error
          SEVERE: Failed to create handshake ciphers
          java.lang.AssertionError: Failed to create handshake ciphers
                  at org.jenkinsci.remoting.engine.HandshakeCiphers.create(HandshakeCiphers.java:116)
                  at org.jenkinsci.remoting.engine.JnlpProtocol3.performHandshake(JnlpProtocol3.java:138)
                  at org.jenkinsci.remoting.engine.JnlpProtocol.establishChannel(JnlpProtocol.java:77)
                  at hudson.remoting.Engine.run(Engine.java:308)
          Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
                  at javax.crypto.Cipher.getInstance(Unknown Source)
                  at org.jenkinsci.remoting.engine.HandshakeCiphers.create(HandshakeCiphers.java:109)
                  ... 3 more
          Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10126Padding or NoPadding
                  at com.ibm.crypto.provider.AESCipher.engineSetPadding(Unknown Source)
                  at javax.crypto.Cipher$a_.a(Unknown Source)
                  ... 5 more

          So it looks like the slave is still trying to connect with JNLP3. I tried passing the same property to the slave.jar in case the intention was to use it there, with no effect.

            Assignee: Unassigned
            Reporter: Gabriel Lopez (gloparm)
            Votes: 2
            Watchers: 8