[JENKINS-47625] Swarm client 3.6: disableSslVerification has no effect

Type: Bug
Resolution: Fixed
Priority: Minor
Component/s: swarm-plugin
Labels:
Environment:
Jenkins Swarm client 3.6
Jenkins 2.73.2 on Docker (jenkins/jenkins:lts)
openjdk version "1.8.0_131"
Ubuntu 16.04.3

Similar Issues:
Powered by SuggestiMate

Show
Released As:
Swarm Plugin Client 3.13

When starting swarm-client 3.6 with the option -disableSslVerification and using an invalid SSL certificate, the swarm client fails to start.

To reproduce: The Jenkins master is running locally as a Docker container. To get the https frontend, an nginx container with an SSL certificate listens to port 443 and proxies traffic to the Jenkins master. With swarm-client 3.4, I can start the agent with

java -jar swarm-client-3.4.jar \
-disableClientsUniqueId \
-name agent-3.4 \
-disableSslVerification \
-master https://localhost

With swarm-client 3.6 I get

javax.net.ssl.SSLException: hostname in certificate didn't match: <localhost> != </*.netent.com/netent.com/*.netent.com>
at shaded.org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:339)
at shaded.org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:275)
at shaded.org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:258)
at shaded.org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:115)
at shaded.org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:156)
at shaded.org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:714)
at shaded.org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1368)
at shaded.org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:394)
at shaded.org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:178)
at shaded.org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:404)
at shaded.org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:330)
at hudson.plugins.swarm.SwarmClient.discoverFromMasterUrl(SwarmClient.java:224)
at hudson.plugins.swarm.Client.run(Client.java:139)
at hudson.plugins.swarm.Client.main(Client.java:112)

Swarm client 3.6 works fine without the disableSslVerification option, or with the option when using a valid certificate.

Incidentally, I noticed that swarm-client 3.4 was built with Java 8 but 3.6 was built with Java 7. Don't know if that is relevant.

Gerard Ryan added a comment - 2017-11-29 19:42

I'm also seeing this issue, and it appears that it also affects version 3.5.

The only change between 3.4 and 3.5 was "[SECURITY-597] - Pick the patched version of commons-http-client for SECURITY-555", so I guess it might have been introduced here in this fork for the fix:

https://github.com/jenkinsci/lib-commons-httpclient/

oleg_nenashev Does that sound plausible?

Gerard Ryan added a comment - 2017-11-29 19:42 I'm also seeing this issue, and it appears that it also affects version 3.5. The only change between 3.4 and 3.5 was " [SECURITY-597] - Pick the patched version of commons-http-client for SECURITY-555", so I guess it might have been introduced here in this fork for the fix: https://github.com/jenkinsci/lib-commons-httpclient/ oleg_nenashev Does that sound plausible?

Oleg Nenashev added a comment - 2017-11-29 19:46

It does. I will try to check it in early Dsc, please ping me after Dec11 if there is no uldayes

Oleg Nenashev added a comment - 2017-11-29 19:46 It does. I will try to check it in early Dsc, please ping me after Dec11 if there is no uldayes

Oleg Nenashev added a comment - 2017-11-29 19:47

Upd: updates

Oleg Nenashev added a comment - 2017-11-29 19:47 Upd: updates

Sergii Kipot added a comment - 2018-03-22 15:27

I have the same issue with the following environment:
Jenkins Swarm client 3.11
Jenkins 2.107.1
openjdk version "1.8.0_162"
Debian stretch

Sergii Kipot added a comment - 2018-03-22 15:27 I have the same issue with the following environment: Jenkins Swarm client 3.11 Jenkins 2.107.1 openjdk version "1.8.0_162" Debian stretch

Jonas Lindström added a comment - 2018-03-27 06:50 - edited

oleg_nenashev Still unfixed with client 3.12.

Jonas Lindström added a comment - 2018-03-27 06:50 - edited oleg_nenashev Still unfixed with client 3.12.

Oleg Nenashev added a comment - 2018-03-27 07:22

That's why I asked to ping me.
Sorry, I receive more requests than I can handle so some things get missed.

Oleg Nenashev added a comment - 2018-03-27 07:22 That's why I asked to ping me. Sorry, I receive more requests than I can handle so some things get missed.

Jonas Lindström added a comment - 2018-03-27 07:28

No problem oleg_nenashev.

Jonas Lindström added a comment - 2018-03-27 07:28 No problem oleg_nenashev .

Roman Pickl added a comment - 2018-08-27 18:53

I ran into the same issue with 3.8 today, but it seems to work with 3.13

Roman Pickl added a comment - 2018-08-27 18:53 I ran into the same issue with 3.8 today, but it seems to work with 3.13

Jonas Lindström added a comment - 2018-08-28 07:03

Thank you for the heads-up rompic. 3.13 seems to work for me too.

Jonas Lindström added a comment - 2018-08-28 07:03 Thank you for the heads-up rompic . 3.13 seems to work for me too.

Oleg Nenashev added a comment - 2018-12-25 09:55

Let's assume it was fixed there somehow.

Oleg Nenashev added a comment - 2018-12-25 09:55 Let's assume it was fixed there somehow.

Alex Gray added a comment - 2020-04-06 17:09

weird. It's failing for me for all versions. I tried all the way up to version 3.19.
Maybe it the version of java that I'm using to launch the jar file?
I'll keep digging, but that is the exact error that I get when use the disableSslVerification option.

Alex Gray added a comment - 2020-04-06 17:09 weird. It's failing for me for all versions. I tried all the way up to version 3.19. Maybe it the version of java that I'm using to launch the jar file? I'll keep digging, but that is the exact error that I get when use the disableSslVerification option.

Assignee:: Oleg Nenashev

Reporter:: Jonas Lindström

Votes:: 3 Vote for this issue

Watchers:: 8 Start watching this issue

Created:: 2017-10-25 09:25

Updated:: 2020-04-06 17:09

Resolved:: 2018-12-25 09:55

Jenkins

Details

Description

Attachments

Activity

Collapse comment: Gerard Ryan added a comment - 2017-11-29 19:42

Expand comment: Gerard Ryan added a comment - 2017-11-29 19:42

Collapse comment: Oleg Nenashev added a comment - 2017-11-29 19:46

Expand comment: Oleg Nenashev added a comment - 2017-11-29 19:46

Collapse comment: Oleg Nenashev added a comment - 2017-11-29 19:47

Expand comment: Oleg Nenashev added a comment - 2017-11-29 19:47

Collapse comment: Sergii Kipot added a comment - 2018-03-22 15:27

Expand comment: Sergii Kipot added a comment - 2018-03-22 15:27

Collapse comment: Jonas Lindström added a comment - 2018-03-27 06:50, Edited by Jonas Lindström - 2018-03-27 07:01

Expand comment: Jonas Lindström added a comment - 2018-03-27 06:50, Edited by Jonas Lindström - 2018-03-27 07:01

Collapse comment: Oleg Nenashev added a comment - 2018-03-27 07:22

Expand comment: Oleg Nenashev added a comment - 2018-03-27 07:22

Collapse comment: Jonas Lindström added a comment - 2018-03-27 07:28

Expand comment: Jonas Lindström added a comment - 2018-03-27 07:28

Collapse comment: Roman Pickl added a comment - 2018-08-27 18:53

Expand comment: Roman Pickl added a comment - 2018-08-27 18:53

Collapse comment: Jonas Lindström added a comment - 2018-08-28 07:03

Expand comment: Jonas Lindström added a comment - 2018-08-28 07:03

Collapse comment: Oleg Nenashev added a comment - 2018-12-25 09:55

Expand comment: Oleg Nenashev added a comment - 2018-12-25 09:55

Collapse comment: Alex Gray added a comment - 2020-04-06 17:09

Expand comment: Alex Gray added a comment - 2020-04-06 17:09

People

Dates