[JENKINS-62033] Swarm client -disableSslVerification option does not disable SSL hostname verification

Type: Bug
Resolution: Fixed
Priority: Minor
Component/s: swarm-plugin
Labels:
None
Environment:
Jenkins 2.222.1
swarm-client 3.4 up through 3.19

Similar Issues:
Powered by SuggestiMate

Show
Released As:
3.20

When running the following command line:

/usr/bin/java -jar /tmp/swarm-client.3.19.jar \

-disableSslVerification \

-deleteExistingClients \

-disableClientsUniqueId \

-showHostName \

-noRetryAfterConnected \

-executors=7 \

-labels 'blftest' \

-master https://myjenkins.example.com \

-username jenkins \

-passwordEnvVariable ADMIN_PSW

I received the following output

Apr 23, 2020 6:58:15 PM hudson.plugins.swarm.Client logArguments
INFO: Client invoked with: -deleteExistingClients true -disableClientsUniqueId true -disableSslVerification true -executors 7 -labels [blftest] -master https://myjenkins.example.com -noRetryAfterConnected true -passwordEnvVariable ADMIN_PSW -showHostName true -username *****
Apr 23, 2020 6:58:15 PM hudson.plugins.swarm.Client run
INFO: Discovering Jenkins master
Apr 23, 2020 6:58:15 PM hudson.plugins.swarm.Client run
SEVERE: IOException occurred
javax.net.ssl.SSLPeerUnverifiedException: Certificate for <myjenkins.example.com> doesn't match any of the subject alternative names: [ingress.local]
at shaded.org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:507)
at shaded.org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437)
at shaded.org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
at shaded.org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at shaded.org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
at shaded.org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
at shaded.org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at shaded.org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at shaded.org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at shaded.org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at shaded.org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at shaded.org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at hudson.plugins.swarm.SwarmClient.discoverFromMasterUrl(SwarmClient.java:142)
at hudson.plugins.swarm.Client.run(Client.java:150)
at hudson.plugins.swarm.Client.main(Client.java:128)

javax.net.ssl.SSLPeerUnverifiedException: Certificate for <myjenkins.example.com> doesn't match any of the subject alternative names: [ingress.local]
at shaded.org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:507)
at shaded.org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437)
at shaded.org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
at shaded.org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at shaded.org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
at shaded.org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
at shaded.org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at shaded.org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at shaded.org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at shaded.org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at shaded.org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at shaded.org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at hudson.plugins.swarm.SwarmClient.discoverFromMasterUrl(SwarmClient.java:142)
at hudson.plugins.swarm.Client.run(Client.java:150)
at hudson.plugins.swarm.Client.main(Client.java:128)
Apr 23, 2020 6:58:15 PM hudson.plugins.swarm.Client run
INFO: Retrying in 10 seconds

Not sure why the Subject Alternative name is even being checked when I specified "-disableSslVerification". I tried 'curl -k' and it works as expected.

links to

jenkinsci/swarm-plugin#200

Basil Crow added a comment - 2020-04-25 19:08

Thanks for reporting this, blf. I've opened jenkinsci/swarm-plugin#200 with a fix. Can you please try this snapshot build and confirm that the issue is resolved?

Basil Crow added a comment - 2020-04-25 19:08 Thanks for reporting this, blf . I've opened jenkinsci/swarm-plugin#200 with a fix. Can you please try this snapshot build and confirm that the issue is resolved?

Brian Farrell added a comment - 2020-04-27 12:52

Basil,

Thanks, that worked great. Here is the output:

/usr/bin/java -jar /tmp/swarm-3.20-snapshot.jar \

-disableSslVerification -deleteExistingClients \

-disableClientsUniqueId -showHostName \

-noRetryAfterConnected \

-executors=7 \

-labels 'blftest' \

-master https://myjenkins.example.com \

-username jenkins -passwordEnvVariable ADMIN_PSW

Apr 27, 2020 2:43:17 PM hudson.plugins.swarm.Client logArguments
INFO: Client invoked with: -deleteExistingClients true -disableClientsUniqueId true -disableSslVerification true -executors 7 -labels [blftest] -master https://myjenkins.example.com -noRetryAfterConnected true -passwordEnvVariable ADMIN_PSW -showHostName true -username *****
Apr 27, 2020 2:43:17 PM hudson.plugins.swarm.Client run
INFO: Discovering Jenkins master
Apr 27, 2020 2:43:19 PM hudson.plugins.swarm.Client run
INFO: Attempting to connect to https://myjenkins.example.com/ 3e83541e-5408-43be-b31e-ee29d6ecfc0d with ID
Apr 27, 2020 2:43:19 PM hudson.plugins.swarm.SwarmClient getCsrfCrumb
SEVERE: Could not obtain CSRF crumb. Response code: 404
Skipping HTTPS certificate checks altogether. Note that this is not secure at all.
Apr 27, 2020 2:43:19 PM hudson.remoting.jnlp.Main createEngine
INFO: Setting up agent: blflinux0.mydomain
Apr 27, 2020 2:43:19 PM hudson.remoting.jnlp.Main$CuiListener <init>
INFO: Jenkins agent is running in headless mode.
Apr 27, 2020 2:43:19 PM hudson.remoting.jnlp.Main createEngine
WARNING: Certificate validation for HTTPs endpoints is disabled
Apr 27, 2020 2:43:19 PM hudson.remoting.Engine startEngine
INFO: Using Remoting version: 4.3
Apr 27, 2020 2:43:19 PM org.jenkinsci.remoting.engine.WorkDirManager initializeWorkDir
INFO: Using ./remoting as a remoting work directory
Apr 27, 2020 2:43:19 PM org.jenkinsci.remoting.engine.WorkDirManager setupLogging
INFO: Both error and output logs will be printed to ./remoting
Apr 27, 2020 2:43:19 PM hudson.remoting.jnlp.Main$CuiListener status
INFO: Locating server among https://myjenkins.example.com/
Apr 27, 2020 2:43:19 PM org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver openURLConnection
WARNING: HTTPs certificate check is disabled for the endpoint.
Apr 27, 2020 2:43:19 PM org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver resolve
INFO: Remoting server accepts the following protocols: [JNLP4-connect, Ping]
Apr 27, 2020 2:43:19 PM hudson.remoting.jnlp.Main$CuiListener status
INFO: Agent discovery successful
Agent address: myjenkins.example.com
Agent port: 32300
Identity: d2:b4:83:36:94:c2:e5:f9:5e:8c:fa:2b:1e:4f:0f:c8
Apr 27, 2020 2:43:19 PM hudson.remoting.jnlp.Main$CuiListener status
INFO: Handshaking
Apr 27, 2020 2:43:19 PM hudson.remoting.jnlp.Main$CuiListener status
INFO: Connecting to myjenkins.example.com:32300
Apr 27, 2020 2:43:19 PM hudson.remoting.jnlp.Main$CuiListener status
INFO: Trying protocol: JNLP4-connect
Apr 27, 2020 2:43:19 PM hudson.remoting.jnlp.Main$CuiListener status
INFO: Remote identity confirmed: d2:b4:83:36:94:c2:e5:f9:5e:8c:fa:2b:1e:4f:0f:c8
Apr 27, 2020 2:43:20 PM hudson.remoting.jnlp.Main$CuiListener status
INFO: Connected

Brian Farrell added a comment - 2020-04-27 12:52 Basil, Thanks, that worked great. Here is the output: /usr/bin/java -jar /tmp/swarm-3.20-snapshot.jar \ -disableSslVerification -deleteExistingClients \ -disableClientsUniqueId -showHostName \ -noRetryAfterConnected \ -executors=7 \ -labels 'blftest' \ -master https://myjenkins.example.com \ -username jenkins -passwordEnvVariable ADMIN_PSW Apr 27, 2020 2:43:17 PM hudson.plugins.swarm.Client logArguments INFO: Client invoked with: -deleteExistingClients true -disableClientsUniqueId true -disableSslVerification true -executors 7 -labels [blftest] -master https://myjenkins.example.com -noRetryAfterConnected true -passwordEnvVariable ADMIN_PSW -showHostName true -username ***** Apr 27, 2020 2:43:17 PM hudson.plugins.swarm.Client run INFO: Discovering Jenkins master Apr 27, 2020 2:43:19 PM hudson.plugins.swarm.Client run INFO: Attempting to connect to https://myjenkins.example.com/ 3e83541e-5408-43be-b31e-ee29d6ecfc0d with ID Apr 27, 2020 2:43:19 PM hudson.plugins.swarm.SwarmClient getCsrfCrumb SEVERE: Could not obtain CSRF crumb. Response code: 404 Skipping HTTPS certificate checks altogether. Note that this is not secure at all. Apr 27, 2020 2:43:19 PM hudson.remoting.jnlp.Main createEngine INFO: Setting up agent: blflinux0.mydomain Apr 27, 2020 2:43:19 PM hudson.remoting.jnlp.Main$CuiListener <init> INFO: Jenkins agent is running in headless mode. Apr 27, 2020 2:43:19 PM hudson.remoting.jnlp.Main createEngine WARNING: Certificate validation for HTTPs endpoints is disabled Apr 27, 2020 2:43:19 PM hudson.remoting.Engine startEngine INFO: Using Remoting version: 4.3 Apr 27, 2020 2:43:19 PM org.jenkinsci.remoting.engine.WorkDirManager initializeWorkDir INFO: Using ./remoting as a remoting work directory Apr 27, 2020 2:43:19 PM org.jenkinsci.remoting.engine.WorkDirManager setupLogging INFO: Both error and output logs will be printed to ./remoting Apr 27, 2020 2:43:19 PM hudson.remoting.jnlp.Main$CuiListener status INFO: Locating server among https://myjenkins.example.com/ Apr 27, 2020 2:43:19 PM org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver openURLConnection WARNING: HTTPs certificate check is disabled for the endpoint. Apr 27, 2020 2:43:19 PM org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver resolve INFO: Remoting server accepts the following protocols: [JNLP4-connect, Ping] Apr 27, 2020 2:43:19 PM hudson.remoting.jnlp.Main$CuiListener status INFO: Agent discovery successful Agent address: myjenkins.example.com Agent port: 32300 Identity: d2:b4:83:36:94:c2:e5:f9:5e:8c:fa:2b:1e:4f:0f:c8 Apr 27, 2020 2:43:19 PM hudson.remoting.jnlp.Main$CuiListener status INFO: Handshaking Apr 27, 2020 2:43:19 PM hudson.remoting.jnlp.Main$CuiListener status INFO: Connecting to myjenkins.example.com:32300 Apr 27, 2020 2:43:19 PM hudson.remoting.jnlp.Main$CuiListener status INFO: Trying protocol: JNLP4-connect Apr 27, 2020 2:43:19 PM hudson.remoting.jnlp.Main$CuiListener status INFO: Remote identity confirmed: d2:b4:83:36:94:c2:e5:f9:5e:8c:fa:2b:1e:4f:0f:c8 Apr 27, 2020 2:43:20 PM hudson.remoting.jnlp.Main$CuiListener status INFO: Connected

Basil Crow added a comment - 2020-04-27 14:43

Fixed in jenkinsci/swarm-plugin#200.

Basil Crow added a comment - 2020-04-27 14:43 Fixed in jenkinsci/swarm-plugin#200 .

Basil Crow added a comment - 2020-05-29 20:45

Released in Swarm 3.20.

Basil Crow added a comment - 2020-05-29 20:45 Released in Swarm 3.20 .

Tomek Swiecicki added a comment - 2020-06-08 16:11

Is it possible the bug is back in 3.21?

Tomek Swiecicki added a comment - 2020-06-08 16:11 Is it possible the bug is back in 3.21?

Basil Crow added a comment - 2020-06-08 16:31

Is it possible the bug is back in 3.21?

I don't think so. I just repeated the testing from jenkinsci/swarm-plugin#200 against both 3.21 and master with no issues. If you are experiencing problems, please open a new issue with detailed steps to reproduce.

Basil Crow added a comment - 2020-06-08 16:31 Is it possible the bug is back in 3.21? I don't think so. I just repeated the testing from jenkinsci/swarm-plugin#200 against both 3.21 and master with no issues. If you are experiencing problems, please open a new issue with detailed steps to reproduce.

Assignee:: Ewelina Wilkosz

Reporter:: Brian Farrell

Votes:: 1 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2020-04-23 17:12

Updated:: 2021-08-11 08:31

Resolved:: 2020-04-27 14:43

Jenkins

Details

Description

Attachments

Issue Links

Activity

Collapse comment: Basil Crow added a comment - 2020-04-25 19:08

Expand comment: Basil Crow added a comment - 2020-04-25 19:08

Collapse comment: Brian Farrell added a comment - 2020-04-27 12:52

Expand comment: Brian Farrell added a comment - 2020-04-27 12:52

Collapse comment: Basil Crow added a comment - 2020-04-27 14:43

Expand comment: Basil Crow added a comment - 2020-04-27 14:43

Collapse comment: Basil Crow added a comment - 2020-05-29 20:45

Expand comment: Basil Crow added a comment - 2020-05-29 20:45

Collapse comment: Tomek Swiecicki added a comment - 2020-06-08 16:11

Expand comment: Tomek Swiecicki added a comment - 2020-06-08 16:11

Collapse comment: Basil Crow added a comment - 2020-06-08 16:31

Expand comment: Basil Crow added a comment - 2020-06-08 16:31

People

Dates