Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-63489

Error occurred during the SSL handshake after P4 plugin is upgraded to 1.11.0 from 1.10.14

    XMLWordPrintable

    Details

    • Type: Task
    • Status: Open (View Workflow)
    • Priority: Minor
    • Resolution: Unresolved
    • Component/s: p4-plugin
    • Labels:
    • Environment:
      Jenkins Version: 2.235.5 docker image jenkins/jenkins:2.235.5
      P4 plugin version that has issue: 1.11.0
    • Similar Issues:

      Description

      Error occurred during the SSL handshake after P4 plugin is upgraded to 1.11.0 from 1.10.14

      Error:

      [Pipeline] p4sync
      11:43:26  WARNING: Unknown parameter(s) found for class type 'org.jenkinsci.plugins.p4.populate.ForceCleanImpl': modtime,replace,tidy
      11:43:29  Executor number at runtime: 0
      11:43:29  P4: Connection retry: 1
      11:43:32  Error occurred during the SSL handshake: invalid SSL session
      

        Attachments

          Activity

          Hide
          p4karl Karl Wirth added a comment -

          The new version of the plugin upgraded the base TLS version used. From the release notes:

              https://github.com/jenkinsci/p4-plugin/blob/master/RELEASE.md

                    P4Java now defaults to TLSv1.2 for SSL connections (previously TLSv1) to use an older version please refer to our KB article.

          Its possible that your P4D server does not support TLSv1.2 or has been fixed at TSLv1 so you may need to try the workaround mention in the KB article to downgrade the version of TLS used by P4Jenkins.

          Show
          p4karl Karl Wirth added a comment - The new version of the plugin upgraded the base TLS version used. From the release notes:     https://github.com/jenkinsci/p4-plugin/blob/master/RELEASE.md           P4Java now defaults to TLSv1.2 for SSL connections (previously TLSv1) to use an older version please refer to our KB article . Its possible that your P4D server does not support TLSv1.2 or has been fixed at TSLv1 so you may need to try the workaround mention in the KB article to downgrade the version of TLS used by P4Jenkins.
          Hide
          p4karl Karl Wirth added a comment - - edited

          Additional note. TLS 1.2 support was added in Perforce in 2016.2  2018.1 (See Paul's comment below):

          Bugs fixed in 2016.2 Patch 2
          
          #1481077, #1481305, #1483342 (Bugs #89051, #90160) * ** ***
          	    SSL connections now allow use of TLSv1.1 and TLSv1.2 in addition
          	    to the existing support for TLSv1.0.  Clients and servers will
          	    choose the highest TLS version supported by both ends of the
          	    connection; thus old clients and old servers will always use
          	    TLSv1.0, and by default new clients connecting to new servers
          	    will use TLSv1.2.	    Two new configurables are provided to restrict the allowed TLS
          	    versions when a new client connnects to a new server:
          	        ssl.tls.version.min    [default=10]
          	        ssl.tls.version.max    [default=12]
          	    These default settings allow TLSv1.0, TLSv1.1, and TLSv1.2.	    Each of these configurables can take one of the following
          	    values:
          	        10 specifies TLSv1.0
          	        11 specifies TLSv1.1
          	        12 specifies TLSv1.2
          	   ssl.tls.version.min specifies the lowest TLS version that
          	   will be accepted, and ssl.tls.version.max specifies the
          	   highest TLS version that will be accepted.	   Changes to these configurables on a server will not take
          	   effect until the server is restarted.	   Thus, to force use of a new client, the server can set
          	       ssl.tls.version.min=11    (or 12)
          	   because old clients support only TLSv1.0.	   To force the use of TLSv1.1, set
          	        ssl.tls.version.min=11
          	        ssl.tls.version.max=11	   To force the use of TLSv1.2, set
          	        ssl.tls.version.min=12
          	        ssl.tls.version.max=12	    To allow TLSv1.1 or TLSv1.2 but exclude TLSv1.0, set
          	        ssl.tls.version.min=11
          	        ssl.tls.version.max=12	    These configurables are designed to allow the server to restrict
          	    the set of allowed TLS protocol versions, but they can be used
          	    by clients as well; this is probably useful mostly for testing,
          	    although it can be use to prevent connecting to potentially
          	    vulnerable servers.  When used by a client these configurables
          	    specify the lowest and highest TLS versions that will be offered.	    Values of either configurable outside of the legal range will be
          	    treated as if they were pinned to the nearest end of the range.
          	    Thus values below 10 will be treated as 10; values above 12 will
          	    be treated as 12.	    Be careful not to set ssl.tls.version.min > ssl.tls.version.max
          	    because then no clients will be able to connect.  In this case
          	    you will need to change these settings on the command line, e.g.:
          	        p4d -c"set ssl.tls.version.min=10"
          	        p4d -c"set ssl.tls.version.max=12"
          	    and then restart the server.	    Note that if there are no allowed TLS versions common to the
          	    client and the server, or if the server is not using SSL, then
          	    the client will get an error similar to this:	    Perforce client error:
          	        SSL connect to ssl:host:1666 failed  (Connection reset by peer).
          	        Remove SSL protocol prefix from P4PORT or fix the TLS settings.	    If the client or server does not offer any protocol versions (eg,
          	    because the client set ssl.tls.version.min > ssl.tls.version.max)
          	    then the client will get an error similar to this:	    Perforce client error:
          	        SSL protocol: error:14077102:SSL routines:
          	            SSL23_GET_SERVER_HELLO:unsupported protocol:	    There are only two lines in this error message; the actual error
          	    has the "SSL protocol:" line and the "GET_SERVER_HELLO" line
          	    on a single line, but they are split here for readability.
          

          End of standard maintenance support for P4D 2016.2 was Nov 8, 2018:

             https://www.perforce.com/maintenance-support

           

          Show
          p4karl Karl Wirth added a comment - - edited Additional note. TLS 1.2 support was added in Perforce in 2016.2   2018.1 (See Paul's comment below): Bugs fixed in 2016.2 Patch 2 #1481077, #1481305, #1483342 (Bugs #89051, #90160) * ** *** SSL connections now allow use of TLSv1.1 and TLSv1.2 in addition to the existing support for TLSv1.0. Clients and servers will choose the highest TLS version supported by both ends of the connection; thus old clients and old servers will always use TLSv1.0, and by default new clients connecting to new servers will use TLSv1.2. Two new configurables are provided to restrict the allowed TLS versions when a new client connnects to a new server: ssl.tls.version.min [ default =10] ssl.tls.version.max [ default =12] These default settings allow TLSv1.0, TLSv1.1, and TLSv1.2. Each of these configurables can take one of the following values: 10 specifies TLSv1.0 11 specifies TLSv1.1 12 specifies TLSv1.2 ssl.tls.version.min specifies the lowest TLS version that will be accepted, and ssl.tls.version.max specifies the highest TLS version that will be accepted. Changes to these configurables on a server will not take effect until the server is restarted. Thus, to force use of a new client, the server can set ssl.tls.version.min=11 (or 12) because old clients support only TLSv1.0. To force the use of TLSv1.1, set ssl.tls.version.min=11 ssl.tls.version.max=11 To force the use of TLSv1.2, set ssl.tls.version.min=12 ssl.tls.version.max=12 To allow TLSv1.1 or TLSv1.2 but exclude TLSv1.0, set ssl.tls.version.min=11 ssl.tls.version.max=12 These configurables are designed to allow the server to restrict the set of allowed TLS protocol versions, but they can be used by clients as well; this is probably useful mostly for testing, although it can be use to prevent connecting to potentially vulnerable servers. When used by a client these configurables specify the lowest and highest TLS versions that will be offered. Values of either configurable outside of the legal range will be treated as if they were pinned to the nearest end of the range. Thus values below 10 will be treated as 10; values above 12 will be treated as 12. Be careful not to set ssl.tls.version.min > ssl.tls.version.max because then no clients will be able to connect. In this case you will need to change these settings on the command line, e.g.: p4d -c "set ssl.tls.version.min=10" p4d -c "set ssl.tls.version.max=12" and then restart the server. Note that if there are no allowed TLS versions common to the client and the server, or if the server is not using SSL, then the client will get an error similar to this : Perforce client error: SSL connect to ssl:host:1666 failed (Connection reset by peer). Remove SSL protocol prefix from P4PORT or fix the TLS settings. If the client or server does not offer any protocol versions (eg, because the client set ssl.tls.version.min > ssl.tls.version.max) then the client will get an error similar to this : Perforce client error: SSL protocol: error:14077102:SSL routines: SSL23_GET_SERVER_HELLO:unsupported protocol: There are only two lines in this error message; the actual error has the "SSL protocol:" line and the "GET_SERVER_HELLO" line on a single line, but they are split here for readability. End of standard maintenance support for P4D 2016.2 was Nov 8, 2018:    https://www.perforce.com/maintenance-support  
          Hide
          fl_shiki Kevin Dethoor added a comment -

          Hi,

          I found this issue from JENKINS-26176. As I originally posted there, I encountered the same problems testing SSL connections in Jenkins P4 credential page with Java JRE 1.8.0_261, Jenkins 2.235.5 installed from the war file, P4 Plugin 1.11.0 and a Perforce server 2018.1 (TLS min: 1.0, TLS max: 1.2). I tried the solutions on the KB page, but they didn't work for me. Eventually, downgrading both Jenkins (2.235.5 -> 2.235.1) and the P4 Plugin (1.11.0 -> 1.10.4) did the trick and allowed me to establish a connection.

          Hope this information helps.

          Show
          fl_shiki Kevin Dethoor added a comment - Hi, I found this issue from JENKINS-26176 . As I originally posted there, I encountered the same problems testing SSL connections in Jenkins P4 credential page with Java JRE 1.8.0_261, Jenkins 2.235.5 installed from the war file, P4 Plugin 1.11.0 and a Perforce server 2018.1 (TLS min: 1.0, TLS max: 1.2). I tried the solutions on the KB page, but they didn't work for me. Eventually, downgrading both Jenkins (2.235.5 -> 2.235.1) and the P4 Plugin (1.11.0 -> 1.10.4) did the trick and allowed me to establish a connection. Hope this information helps.
          Hide
          p4paul Paul Allen added a comment -

          You need a P4D Server 18.1 or greater with the patch version greater than 1805524

          	#1805524 (Job #97669) * ** *** ****
          	    SSL connections that negotiated with TLS 1.1 and above handshakes
          	    were rejected as plaintext. This has been fixed.
          	    Note that successful negotiation would still result in the use up
          	    to TLS 1.2 regardless of the version used for negotiation. 
          Show
          p4paul Paul Allen added a comment - You need a P4D Server 18.1 or greater with the patch version greater than 1805524 #1805524 (Job #97669) * ** *** **** SSL connections that negotiated with TLS 1.1 and above handshakes were rejected as plaintext. This has been fixed. Note that successful negotiation would still result in the use up to TLS 1.2 regardless of the version used for negotiation.
          Hide
          fl_shiki Kevin Dethoor added a comment -

          Hi Paul and Karl,

          Thank you very much for your help.

          It was indeed an issue with our server version (2018.1 patch 1715250). I was able to establish a connection using Java 1.8.0_261, Jenkins 2.235.5, P4 Plugin 1.11.0 and adding -DsecureSocketEnabledProtocols=TLSv1 to my Java arguments as prescribed in Perforce Knowledgebase (https://community.perforce.com/s/article/2620). I thought I had tried that previously but I made the mistake of specifying TLSv1.0 instead of TLSv1. With TLSv1, everything works as expected.

          Many thanks again.

           

          Show
          fl_shiki Kevin Dethoor added a comment - Hi Paul and Karl, Thank you very much for your help. It was indeed an issue with our server version (2018.1 patch 1715250). I was able to establish a connection using Java 1.8.0_261, Jenkins 2.235.5, P4 Plugin 1.11.0 and adding -DsecureSocketEnabledProtocols=TLSv1 to my Java arguments as prescribed in Perforce Knowledgebase ( https://community.perforce.com/s/article/2620 ). I thought I had tried that previously but I made the mistake of specifying TLSv1.0 instead of TLSv1. With TLSv1, everything works as expected. Many thanks again.  
          Hide
          p4karl Karl Wirth added a comment -

          Hi Kevin Dethoor,

           

          Thanks and happy to help. Also this has highlighted a problem with our older release notes so we've got the developers investigating so thanks again.

           

          Regards,

          Karl

          Show
          p4karl Karl Wirth added a comment - Hi Kevin Dethoor ,   Thanks and happy to help. Also this has highlighted a problem with our older release notes so we've got the developers investigating so thanks again.   Regards, Karl

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            shivaji_thanneeru Shivaji Thanneeru
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Dates

              Created:
              Updated: