• Bug
    • Resolution: Unresolved
    • Major
    • core
    • Jenkins ver. 2.170
      Linux, Chrome 73.0.3683.86, IE 11.112.17134.0, Firefox 67.0b4 (64-bit)

      Jenkins ver. 2.170

      Running from shell:

      java -jar jenkins.war --httpPort=-1 --httpsPort=8443 --httpsKeyStore=jenkin.jks --httpsKeyStorePassword=TopSecret

       

      Opening from Browser getting an error:

      Chrome: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

      Firefox: Error code: SSL_ERROR_NO_CYPHER_OVERLAP

      IE: Your TLS security settings aren’t set to the defaults

       

          [JENKINS-56747] Error: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

          Gil Br added a comment -

          Using --excludeCipherSuites=".*"

          I get:

          ERR_SSL_PROTOCOL_ERROR

           

          WARNING: No supported ciphers from [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]


          Olivier Lamy added a comment -

          gberesta71 using 

          --excludeCipherSuites=".*" 

          you are excluding all ciphers which is not what you want

          This option is the excluded/no supported cipher suites.

          So if you want to accept all, use (note it's only a space, but it's definitely not recommended!)

          --excludeCipherSuites=" " 

          To use the previous Jetty exclusions:

          --excludeCipherSuites="^.*_(MD5|SHA|SHA1)$" 

          see Jetty change here: https://github.com/eclipse/jetty.project/commit/5e07592a692e7400cd641e608decd8e0c942872d


          Gil Br added a comment -

          Many thanks for the explanation, however...

           

          Tried:

          --excludeCipherSuites="^.*_(MD5|SHA|SHA1)$"

          Got error:

          WARNING: Weak cipher suite TLS_RSA_WITH_AES_128_GCM_SHA256 enabled for SslContextFactory@50029372[provider=null,keyStore=null,trustStore=null]

          ERR_SSL_VERSION_OR_CIPHER_MISMATCH

          Tried:

          --excludeCipherSuites=" "

          WARNING: Weak cipher suite SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA enabled for SslContextFactory@50029372[provider=null,keyStore=null,trustStore=null]

          ERR_SSL_VERSION_OR_CIPHER_MISMATCH

           

          Gil

          Any other suggestions - information?
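The three `--excludeCipherSuites` values discussed above, replayed as an added example (not part of the original thread and not Jetty or Jenkins code). It assumes each value is a regex that must match a suite's whole name for that suite to be dropped; the suite list is a constructed subset of the names in the WARNING lines above, and `LEGACY` is an illustrative heuristic, not Jetty's own weak-cipher check.

```python
import re

# Constructed sample: suite names copied from the WARNING lines in this thread.
SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_NULL_MD5",
    "TLS_KRB5_WITH_DES_CBC_MD5",
]

# Hypothetical heuristic for "legacy" suites (NULL, DES/3DES, RC4, export, anon, MD5).
LEGACY = re.compile(r"_(NULL|3DES|DES|DES40|RC4|EXPORT|anon)_|_MD5$")


def remaining_suites(exclude_patterns, suites=SUITES):
    """Return suites still enabled after the exclusion regexes are applied.

    Assumption: a suite is dropped when any pattern matches its entire name.
    """
    compiled = [re.compile(p) for p in exclude_patterns]
    return [s for s in suites if not any(c.fullmatch(s) for c in compiled)]


def audit(exclude_patterns, suites=SUITES):
    """Summarise what an exclusion setting leaves on offer to clients."""
    enabled = remaining_suites(exclude_patterns, suites)
    return {
        "enabled": enabled,
        # With nothing enabled, no handshake can succeed at all.
        "handshake_possible": bool(enabled),
        "legacy_enabled": [s for s in enabled if LEGACY.search(s)],
    }


if __name__ == "__main__":
    # The three values tried in the thread.
    for value in (".*", " ", "^.*_(MD5|SHA|SHA1)$"):
        result = audit([value])
        print(repr(value), len(result["enabled"]), "enabled,",
              len(result["legacy_enabled"]), "legacy")
```

Under that assumption `".*"` leaves nothing to negotiate, `" "` matches no suite name and so leaves the 3DES, NULL and MD5 suites on, and `"^.*_(MD5|SHA|SHA1)$"` removes only names ending in `_MD5`, `_SHA` or `_SHA1`, which is why the `_SHA256` suites stay enabled.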

           


          Olivier Lamy added a comment -

          weird

          what is the java version? (you can see it in the output of the start)

          I don't mind this warning because you do not exclude non safe cipher

          WARNING: Weak cipher suite SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA enabled for  

          But is this from Chrome? ERR_SSL_VERSION_OR_CIPHER_MISMATCH ?

          do you have an up2date version?

          What is your architecture? are you accessing jenkins via a proxy?

           

           


          Gil Br added a comment -

          Chrome version: 73.0.3683.86

          Client: Windows 10 64-bit

          Jenkins master: Linux CentOS 6.9 x86_64

          Firefox version on master:  Mozilla Firefox 52.8.0

          Firefox error on the master host (directly): Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP


          Olivier Lamy added a comment -

          java version?


          Gil Br added a comment -

          Both Client and Server:

          java version "1.8.0_201"


          Gil Br added a comment -

          Any suggestion? other ways to use the certificate?


          Olivier Lamy added a comment -

          well I see you're using your own certificate..

          java -jar jenkins.war --httpPort=-1 --httpsPort=8443 --httpsKeyStore=jenkin.jks --httpsKeyStorePassword=TopSecret 

          What happens when you use

          java -jar jenkins.war --httpPort=-1 --httpsPort=8443

          I can only see an issue with the keystore (how did you generate it?) 


          Paul added a comment - - edited

          I'm also experiencing "err_cert_authority_invalid" from a self signed SSL, which makes it impossible to use the embeddable status badges properly.

           

          Any update on how to resolve this?


            olamy Olivier Lamy
            gberesta71 Gil Br