JENKINS-8132

Automatic Usage of SSL after Upgrading to 1.17

Details

    Description

      Hudson must not use LDAPS by default - i.e. our Active Directory system does not provide
      LDAPS. My Windows admins opened the port but did not provide LDAP via SSL....

      This renders Hudson unusable - any ideas for a workaround?

      WARNUNG: Failed to bind to foobar-l02-dc01.foobar.local:3269
      javax.naming.CommunicationException: simple bind failed: foobar-l02-dc01.foobar.local:3269 [Root exception is javax.net.ssl.SSLException: java.net.SocketException: Connection reset]
      at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
      at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
      at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
      at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
      at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:134)
      at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DesciprotrImpl.bind(ActiveDirectorySecurityRealm.java:281)
      at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:135)
      at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:109)
      at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:75)
      at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:119)
      at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:195)
      at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:45)
      at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:71)
      at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:173)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:66)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
      at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
      at winstone.FilterConfiguration.execute(FilterConfiguration.java:195)
      at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:368)
      at winstone.RequestDispatcher.forward(RequestDispatcher.java:333)
      at winstone.RequestHandlerThread.processRequest(RequestHandlerThread.java:244)
      at winstone.RequestHandlerThread.run(RequestHandlerThread.java:150)
      at java.lang.Thread.run(Thread.java:619)
      Caused by: javax.net.ssl.SSLException: java.net.SocketException: Connection reset
      at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1623)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1586)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1550)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1495)
      at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:86)
      at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
      at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
      at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
      at com.sun.jndi.ldap.Connection.run(Connection.java:808)
      ... 1 more
      Caused by: java.net.SocketException: Connection reset
      at java.net.SocketInputStream.read(SocketInputStream.java:168)
      at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
      at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:744)
      at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
      ... 5 more

          Activity

            acwwat Anthony Wat added a comment -

            I've also confirmed the fix on Jenkins 1.418. It would be appreciated if you could commit the fix soon. Thanks a bunch!

            acwwat Anthony Wat added a comment -

            Can the patch be committed into the next version of the plugin?


            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Kohsuke Kawaguchi
            Path:
            src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java
            http://jenkins-ci.org/commit/active-directory-plugin/a0a130eb6ed978731e14313ba65f0be17e6253dd
            Log:
            [FIXED JENKINS-8132] Fixed a bug in TLS upgrade. Setting the socket factory kills the connection and the next time it tries to connect the client will attempt LDAPS.
            The server, expecting an LDAP (without S) connection, resets the connection, which results in "connection reset" error. All in all, it wasn't working as TLS.

            The correct way to specify the SSLSocketFactory is apparently to pass it to the negotiate method.
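The approach named in the commit log above (pass the SSLSocketFactory to the negotiate method), as an added JNDI example that is not the plugin's code. The class name `StartTlsBind`, the `bind` helper, the `LDAP_PASSWORD` environment variable and the commented-out "before" line are assumptions made for illustration.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

public class StartTlsBind {                      // hypothetical class name
    /** Connects in the clear, upgrades with StartTLS, then does the simple bind. */
    static LdapContext bind(String url, String principal, String password,
                            SSLSocketFactory factory) throws Exception {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);      // ldap:// URL on the plain LDAP port
        // No credentials in env: nothing secret is sent before TLS is established.
        LdapContext ctx = new InitialLdapContext(env, null);

        // Assumed shape of the bug the commit log describes (kept as a comment):
        //   ctx.addToEnvironment("java.naming.ldap.factory.socket", "<SSL factory class>");
        // The next connect then opens with a TLS handshake: LDAPS, not StartTLS.

        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        try {
            tls.negotiate(factory);              // the factory is passed here instead
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, principal);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
            ctx.getAttributes("");               // root DSE read; triggers the bind now
            return ctx;
        } catch (Exception e) {
            ctx.close();                         // fail closed: no cleartext fallback
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        String password = System.getenv("LDAP_PASSWORD");   // hypothetical variable name
        if (args.length != 2 || password == null) {
            System.err.println("usage: LDAP_PASSWORD=... StartTlsBind ldap://host:port principal");
            return;
        }
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        LdapContext ctx = bind(args[0], args[1], password, factory);
        System.out.println("Bound over StartTLS to " + args[0]);
        ctx.close();
    }
}
```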

            kohsuke Kohsuke Kawaguchi added a comment -

            Fixed and released in 1.21.

            dogfood dogfood added a comment -

            Integrated in plugins_active-directory #39
            [FIXED JENKINS-8132] Fixed a bug in TLS upgrade. Setting the socket factory kills the connection and the next time it tries to connect the client will attempt LDAPS.

            Kohsuke Kawaguchi :
            Files :

            • src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java

            People

              Unassigned Unassigned
              scoopex Marc Schoechlin