Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-39361

LDAP SSL authentication isn't working with OpenJDK 8/Oracle JDK 8

    XMLWordPrintable

Details

    • Bug
    • Status: Resolved (View Workflow)
    • Minor
    • Resolution: Not A Defect
    • ldap-plugin
    • None

    Description

      We configured LDAPS authentication and it works fine with OpenJDK 7.
      Once we switched to OpenJDK 8 or Oracle JDK 8 we got following error:

      Oct 28, 2016 10:40:30 PM hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl bind
      WARNING: Failed to bind to dc2.xxx.com:3269
      javax.naming.CommunicationException: simple bind failed: dc2.xxx.com:3269 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints]
      	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
      	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)
      	at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2696)
      	at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2670)
      	at com.sun.jndi.ldap.LdapCtx.reconnect(LdapCtx.java:2666)
      	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:673)
      	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:578)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider$1.call(ActiveDirectoryUnixAuthenticationProvider.java:282)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider$1.call(ActiveDirectoryUnixAuthenticationProvider.java:265)
      	at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4767)
      	at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3568)
      	at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2350)
      	at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2313)
      	at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2228)
      	at com.google.common.cache.LocalCache.get(LocalCache.java:3965)
      	at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4764)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:265)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:230)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:172)
      	at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:122)
      	at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:200)
      	at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:47)
      	at jenkins.security.BasicHeaderRealPasswordAuthenticator.authenticate(BasicHeaderRealPasswordAuthenticator.java:56)
      	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:79)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
      	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
      	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
      	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
      	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
      	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
      	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:553)
      	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
      	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
      	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
      	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
      	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
      	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
      	at org.eclipse.jetty.server.Server.handle(Server.java:499)
      	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
      	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
      	at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
      	at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
      	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
      	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
      	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
      	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
      	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
      	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
      	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
      	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
      	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
      	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
      	at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
      	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
      	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
      	at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
      	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426)
      	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:399)
      	at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
      	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
      	... 54 more
      Caused by: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
      	at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1055)
      	at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:981)
      	at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:923)
      	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
      	... 67 more
      

      Attachments

        Activity

          rachel Rachel M. added a comment -

          Hi nitrogear,

          It's a very usual problem when upgrading JVM, because of disabling insecure algorithms.

          Your certificates were signed by security algorithms that are considered insecure by new version.

          It could be resolved quickly by commenting with # the line that starts with jdk.certpath.disabledAlgorithms= in JDK_HOME/jre/lib/security/java.security, but I think it's better to renew certificates in order to use another signature algorithm which is accepted by the new version.

          You can find a lot of articles about this problem when looking for Certificates does not conform to algorithm constraints.

          I hope be useful.

          Best regards,
          Rachel

          rachel Rachel M. added a comment - Hi nitrogear , It's a very usual problem when upgrading JVM, because of disabling insecure algorithms. Your certificates were signed by security algorithms that are considered insecure by new version. It could be resolved quickly by commenting with # the line that starts with jdk.certpath.disabledAlgorithms= in JDK_HOME/jre/lib/security/java.security , but I think it's better to renew certificates in order to use another signature algorithm which is accepted by the new version. You can find a lot of articles about this problem when looking for Certificates does not conform to algorithm constraints . I hope be useful. Best regards, Rachel

          People

            rachel Rachel M.
            nitrogear Oleksii Grinko
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: