Jenkins / JENKINS-62033

Swarm client -disableSslVerification option does not disable SSL hostname verification


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: swarm-plugin
    • Labels:
      None
    • Environment:
      Jenkins 2.222.1
      swarm-client 3.4 up through 3.19
    • Released As:
      3.20

      Description

      When running the following command line:

      /usr/bin/java -jar /tmp/swarm-client.3.19.jar \
          -disableSslVerification \
          -deleteExistingClients \
          -disableClientsUniqueId \
          -showHostName \
          -noRetryAfterConnected \
          -executors=7 \
          -labels 'blftest' \
          -master https://myjenkins.example.com \
          -username jenkins \
          -passwordEnvVariable ADMIN_PSW

      I received the following output:

      Apr 23, 2020 6:58:15 PM hudson.plugins.swarm.Client logArguments
      INFO: Client invoked with: -deleteExistingClients true -disableClientsUniqueId true -disableSslVerification true -executors 7 -labels [blftest] -master https://myjenkins.example.com -noRetryAfterConnected true -passwordEnvVariable ADMIN_PSW -showHostName true -username *****
      Apr 23, 2020 6:58:15 PM hudson.plugins.swarm.Client run
      INFO: Discovering Jenkins master
      Apr 23, 2020 6:58:15 PM hudson.plugins.swarm.Client run
      SEVERE: IOException occurred
      javax.net.ssl.SSLPeerUnverifiedException: Certificate for <myjenkins.example.com> doesn't match any of the subject alternative names: [ingress.local]
      at shaded.org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:507)
      at shaded.org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437)
      at shaded.org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
      at shaded.org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
      at shaded.org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
      at shaded.org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
      at shaded.org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
      at shaded.org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
      at shaded.org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
      at shaded.org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
      at shaded.org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
      at shaded.org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
      at hudson.plugins.swarm.SwarmClient.discoverFromMasterUrl(SwarmClient.java:142)
      at hudson.plugins.swarm.Client.run(Client.java:150)
      at hudson.plugins.swarm.Client.main(Client.java:128)

      javax.net.ssl.SSLPeerUnverifiedException: Certificate for <myjenkins.example.com> doesn't match any of the subject alternative names: [ingress.local]
      at shaded.org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:507)
      at shaded.org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437)
      at shaded.org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
      at shaded.org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
      at shaded.org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
      at shaded.org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
      at shaded.org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
      at shaded.org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
      at shaded.org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
      at shaded.org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
      at shaded.org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
      at shaded.org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
      at hudson.plugins.swarm.SwarmClient.discoverFromMasterUrl(SwarmClient.java:142)
      at hudson.plugins.swarm.Client.run(Client.java:150)
      at hudson.plugins.swarm.Client.main(Client.java:128)
      Apr 23, 2020 6:58:15 PM hudson.plugins.swarm.Client run
      INFO: Retrying in 10 seconds

       

      Not sure why the Subject Alternative name is even being checked when I specified "-disableSslVerification".  I tried 'curl -k' and it works as expected.
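
Certificate trust and hostname matching are separate checks, so a certificate that passes (or is exempted from) the first can still raise the SSLPeerUnverifiedException shown above from the second. The script below is an added example, not part of the original report or the Swarm plugin's code: it builds a throwaway certificate whose only SAN is ingress.local and runs each check on its own with OpenSSL. The function names and the generated certificate are constructed for illustration, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example: certificate and function names are constructed for illustration.
# Needs OpenSSL 1.1.1 or later (for -addext).

# make_cert DIR: self-signed certificate whose only SAN is ingress.local,
# matching the SAN list in the exception above.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ingress.local" \
        -addext "subjectAltName=DNS:ingress.local" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# chain_trusted CERT CAFILE: check 1, does CERT chain to an anchor in CAFILE?
chain_trusted() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# host_matches CERT HOST: check 2, does HOST match a SAN in CERT?
# "x509 -checkhost" exits 0 either way, so the verdict is read from its output.
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q "does match certificate"
}

# diagnose CERT CAFILE HOST: print the result of each check separately.
diagnose() {
    if chain_trusted "$1" "$2"; then chain=ok; else chain=untrusted; fi
    if host_matches "$1" "$3"; then host=ok; else host=mismatch; fi
    echo "chain=$chain hostname=$host"
}

dir=$(mktemp -d)
make_cert "$dir"
# Trust anchor supplied, so check 1 passes; check 2 still fails for this name.
diagnose "$dir/cert.pem" "$dir/cert.pem" myjenkins.example.com
# Same certificate against the name it was actually issued for.
diagnose "$dir/cert.pem" "$dir/cert.pem" ingress.local
rm -rf "$dir"
```

To run the hostname check against the certificate a live endpoint actually serves, save it with `openssl s_client -connect HOST:443 -servername HOST </dev/null | openssl x509 -out cert.pem` and pass that file to `host_matches`.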

       

            Activity

            blf Brian Farrell created issue -
            blf Brian Farrell made changes -
            Field Original Value New Value
            Description When running the following command line:

             
            basil Basil Crow made changes -
            Summary: "swarm-client -disableSslVerification does not skip searching subject alternative names" → "Want a way to disable SSL hostname verification"
            basil Basil Crow made changes -
            Summary: "Want a way to disable SSL hostname verification" → "Swarm client -disableSslVerification option does not disable SSL host verification"
            basil Basil Crow made changes -
            Summary: "Swarm client -disableSslVerification option does not disable SSL host verification" → "Swarm client -disableSslVerification option does not disable SSL hostname verification"
            basil Basil Crow made changes -
            Assignee: Basil Crow [ basil ]
            basil Basil Crow made changes -
            Status: Open [ 1 ] → In Progress [ 3 ]
            basil Basil Crow made changes -
            Status: In Progress [ 3 ] → In Review [ 10005 ]
            basil Basil Crow made changes -
            Remote Link: This issue links to "jenkinsci/swarm-plugin#200 (Web Link)" [ 24872 ]
            basil Basil Crow made changes -
            Resolution: Fixed [ 1 ]
            Status: In Review [ 10005 ] → Fixed but Unreleased [ 10203 ]
            basil Basil Crow made changes -
            Released As: 3.20
            Status: Fixed but Unreleased [ 10203 ] → Resolved [ 5 ]

              People

              Assignee:
              basil Basil Crow
              Reporter:
              blf Brian Farrell
              Votes:
              1
              Watchers:
              4
