Subversion plugin bundles outdated version of trilead-ssh2 library causing connections to fail due to non compatible cipher options

This issue is archived. You can view it, but you can't modify it. Learn more

XMLWordPrintable

    • 2.12.0

      After upgrading sshd on subversion server, jenkins subversion plugin stopped working. The problem is that the jenkins subversion plugin has no longer compatible ciphers to negotiate with server. 

      Subversion plugin bundles trilead-ssh2-1.0.0-build221.jar and this is used when communicating with the svn+ssh protocol.

      Other plugins have had the same issues and therefore Jenkins core is patched with a version of the lib called trilead-ssh2-build-217-jenkins-11.jar. Since subversion plugin bundles its own that outdated version is used. 

      Here is a obfuscated stack trace that proves above (notice the KexManager:413 row in the latest jenkins core one it should have been KexManager:408): 

       

      ERROR: Failed to update svn+ssh://[host]/[path]ERROR: Failed to update svn+ssh://[host]/[path]org.tmatesoft.svn.core.SVNException: svn: E210002: There was a problem while connecting to [host] at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.error(SVNErrorManager.java:64) at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.error(SVNErrorManager.java:51) at org.tmatesoft.svn.core.internal.io.svn.SVNSSHConnector.open(SVNSSHConnector.java:145) at org.tmatesoft.svn.core.internal.io.svn.SVNConnection.open(SVNConnection.java:77) at org.tmatesoft.svn.core.internal.io.svn.SVNRepositoryImpl.openConnection(SVNRepositoryImpl.java:1273) at org.tmatesoft.svn.core.internal.io.svn.SVNRepositoryImpl.testConnection(SVNRepositoryImpl.java:99) at org.tmatesoft.svn.core.io.SVNRepository.getRepositoryUUID(SVNRepository.java:283) at org.tmatesoft.svn.core.internal.wc2.SvnRepositoryAccess.createRepository(SvnRepositoryAccess.java:110) at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgRepositoryAccess.createRepository(SvnNgRepositoryAccess.java:210) at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgAbstractUpdate.updateInternal(SvnNgAbstractUpdate.java:194) at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgAbstractUpdate.update(SvnNgAbstractUpdate.java:111) at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgUpdate.run(SvnNgUpdate.java:38) at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgUpdate.run(SvnNgUpdate.java:18) at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgOperationRunner.run(SvnNgOperationRunner.java:20) at org.tmatesoft.svn.core.internal.wc2.SvnOperationRunner.run(SvnOperationRunner.java:21) at org.tmatesoft.svn.core.wc2.SvnOperationFactory.run(SvnOperationFactory.java:1235) at org.tmatesoft.svn.core.wc2.SvnOperation.run(SvnOperation.java:294) at org.tmatesoft.svn.core.wc.SVNUpdateClient.doUpdate(SVNUpdateClient.java:311) at org.tmatesoft.svn.core.wc.SVNUpdateClient.doUpdate(SVNUpdateClient.java:291) at org.tmatesoft.svn.core.wc.SVNUpdateClient.doUpdate(SVNUpdateClient.java:387) at hudson.scm.subversion.UpdateUpdater$TaskImpl.perform(UpdateUpdater.java:158) at hudson.scm.subversion.WorkspaceUpdater$UpdateTask.delegateTo(WorkspaceUpdater.java:162) at hudson.scm.SubversionSCM$CheckOutTask.perform(SubversionSCM.java:996) at hudson.scm.SubversionSCM$CheckOutTask.invoke(SubversionSCM.java:972) at hudson.scm.SubversionSCM$CheckOutTask.invoke(SubversionSCM.java:948) at hudson.FilePath.act(FilePath.java:990) at hudson.FilePath.act(FilePath.java:968) at hudson.scm.SubversionSCM.checkout(SubversionSCM.java:897) at hudson.scm.SubversionSCM.checkout(SubversionSCM.java:833) at hudson.scm.SCM.checkout(SCM.java:485) at hudson.model.AbstractProject.checkout(AbstractProject.java:1269) at hudson.model.AbstractBuild$AbstractBuildExecution.defaultCheckout(AbstractBuild.java:607) at jenkins.scm.SCMCheckoutStrategy.checkout(SCMCheckoutStrategy.java:86) at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:529) at hudson.model.Run.execute(Run.java:1738) at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:531) at hudson.model.ResourceController.execute(ResourceController.java:98) at hudson.model.Executor.run(Executor.java:410)Caused by: java.io.IOException: There was a problem while connecting to [host] at com.trilead.ssh2.Connection.connect(Connection.java:817) at org.tmatesoft.svn.core.internal.io.svn.ssh.SshHost.openConnection(SshHost.java:225) at org.tmatesoft.svn.core.internal.io.svn.ssh.SshHost.openSession(SshHost.java:153) at org.tmatesoft.svn.core.internal.io.svn.ssh.SshSessionPool.openSession(SshSessionPool.java:85) at org.tmatesoft.svn.core.internal.io.svn.SVNSSHConnector.open(SVNSSHConnector.java:122) ... 35 moreCaused by: java.io.IOException: Key exchange was not finished, connection is closed. at com.trilead.ssh2.transport.KexManager.getOrWaitForConnectionInfo(KexManager.java:92) at com.trilead.ssh2.transport.TransportManager.getConnectionInfo(TransportManager.java:231) at com.trilead.ssh2.Connection.connect(Connection.java:769) ... 39 moreCaused by: java.io.IOException: Cannot negotiate, proposals do not match. at com.trilead.ssh2.transport.KexManager.handleMessage(KexManager.java:413) at com.trilead.ssh2.transport.TransportManager.receiveLoop(TransportManager.java:765) at com.trilead.ssh2.transport.TransportManager$1.run(TransportManager.java:480) at java.lang.Thread.run(Thread.java:745)ERROR: Subversion update failedjava.io.IOException at hudson.scm.subversion.UpdateUpdater$TaskImpl.perform(UpdateUpdater.java:212) at hudson.scm.subversion.WorkspaceUpdater$UpdateTask.delegateTo(WorkspaceUpdater.java:162) at hudson.scm.SubversionSCM$CheckOutTask.perform(SubversionSCM.java:996) at hudson.scm.SubversionSCM$CheckOutTask.invoke(SubversionSCM.java:972) at hudson.scm.SubversionSCM$CheckOutTask.invoke(SubversionSCM.java:948) at hudson.FilePath.act(FilePath.java:990) at hudson.FilePath.act(FilePath.java:968) at hudson.scm.SubversionSCM.checkout(SubversionSCM.java:897) at hudson.scm.SubversionSCM.checkout(SubversionSCM.java:833) at hudson.scm.SCM.checkout(SCM.java:485) at hudson.model.AbstractProject.checkout(AbstractProject.java:1269) at hudson.model.AbstractBuild$AbstractBuildExecution.defaultCheckout(AbstractBuild.java:607) at jenkins.scm.SCMCheckoutStrategy.checkout(SCMCheckoutStrategy.java:86) at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:529) at hudson.model.Run.execute(Run.java:1738) at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:531) at hudson.model.ResourceController.execute(ResourceController.java:98) at hudson.model.Executor.run(Executor.java:410)Caused by: hudson.scm.subversion.UpdaterException: failed to perform svn update ... 18 moreCaused by: org.tmatesoft.svn.core.SVNException: svn: E210002: There was a problem while connecting to [host] at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.error(SVNErrorManager.java:64) at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.error(SVNErrorManager.java:51) at org.tmatesoft.svn.core.internal.io.svn.SVNSSHConnector.open(SVNSSHConnector.java:145) at org.tmatesoft.svn.core.internal.io.svn.SVNConnection.open(SVNConnection.java:77) at org.tmatesoft.svn.core.internal.io.svn.SVNRepositoryImpl.openConnection(SVNRepositoryImpl.java:1273) at org.tmatesoft.svn.core.internal.io.svn.SVNRepositoryImpl.testConnection(SVNRepositoryImpl.java:99) at org.tmatesoft.svn.core.io.SVNRepository.getRepositoryUUID(SVNRepository.java:283) at org.tmatesoft.svn.core.internal.wc2.SvnRepositoryAccess.createRepository(SvnRepositoryAccess.java:110) at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgRepositoryAccess.createRepository(SvnNgRepositoryAccess.java:210) at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgAbstractUpdate.updateInternal(SvnNgAbstractUpdate.java:194) at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgAbstractUpdate.update(SvnNgAbstractUpdate.java:111) at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgUpdate.run(SvnNgUpdate.java:38) at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgUpdate.run(SvnNgUpdate.java:18) at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgOperationRunner.run(SvnNgOperationRunner.java:20) at org.tmatesoft.svn.core.internal.wc2.SvnOperationRunner.run(SvnOperationRunner.java:21) at org.tmatesoft.svn.core.wc2.SvnOperationFactory.run(SvnOperationFactory.java:1235) at org.tmatesoft.svn.core.wc2.SvnOperation.run(SvnOperation.java:294) at org.tmatesoft.svn.core.wc.SVNUpdateClient.doUpdate(SVNUpdateClient.java:311) at org.tmatesoft.svn.core.wc.SVNUpdateClient.doUpdate(SVNUpdateClient.java:291) at org.tmatesoft.svn.core.wc.SVNUpdateClient.doUpdate(SVNUpdateClient.java:387) at hudson.scm.subversion.UpdateUpdater$TaskImpl.perform(UpdateUpdater.java:158) ... 17 moreCaused by: java.io.IOException: There was a problem while connecting to [host] at com.trilead.ssh2.Connection.connect(Connection.java:817) at org.tmatesoft.svn.core.internal.io.svn.ssh.SshHost.openConnection(SshHost.java:225) at org.tmatesoft.svn.core.internal.io.svn.ssh.SshHost.openSession(SshHost.java:153) at org.tmatesoft.svn.core.internal.io.svn.ssh.SshSessionPool.openSession(SshSessionPool.java:85) at org.tmatesoft.svn.core.internal.io.svn.SVNSSHConnector.open(SVNSSHConnector.java:122) ... 35 moreCaused by: java.io.IOException: Key exchange was not finished, connection is closed. at com.trilead.ssh2.transport.KexManager.getOrWaitForConnectionInfo(KexManager.java:92) at com.trilead.ssh2.transport.TransportManager.getConnectionInfo(TransportManager.java:231) at com.trilead.ssh2.Connection.connect(Connection.java:769) ... 39 moreCaused by: java.io.IOException: Cannot negotiate, proposals do not match. at com.trilead.ssh2.transport.KexManager.handleMessage(KexManager.java:413) at com.trilead.ssh2.transport.TransportManager.receiveLoop(TransportManager.java:765) at com.trilead.ssh2.transport.TransportManager$1.run(TransportManager.java:480) at java.lang.Thread.run(Thread.java:745)

      We have found a workaround to manual patch the subversion plugin, but this will obviously break next subversion plugin update.

      (to manually patch: remove subversion plugin dependency from cmdline and copy latest patched version there instead)

       

      Alternatively if you don't have strong sec requirements and a path forward you could reenable the weak algos. Not recommended. 

       

      Steps to reproduce:

      You need a subversion server with svn+ssh protocol. The sshd needs to be patched and not allow algorithms and cipher generally considered weak. We had to manually rewrite logging on trilead to understand which algo caused our problems since the client used several outdated algos. 

            Assignee:
            Ivan Fernandez Calvo
            Reporter:
            Christofer Täpp
            Archiver:
            Jenkins Service Account

              Created:
              Updated:
              Resolved:
              Archived: