Using Java 1.7 and SSL self-signed certs


Ari LiVigni

Jun 11, 2015, 11:08:46 AM
to jenkins...@googlegroups.com, jaimel...@yahoo.com
I am having an issue with Java 1.7 and a self-signed cert. It works with Java 1.6 and an official certificate, but in some cases we have test Jenkins where we self-sign.

Is there a setting in the Jenkins config to get around this issue? Something that can be done with Jetty?

Here are the exceptions from the Jenkins log and the CLI.


Exception from Jenkins Log:

Jun 10, 2015 6:06:21 PM org.eclipse.jetty.util.log.JavaUtilLog warn
WARNING: handle failed
java.lang.RuntimeException: java.security.KeyException
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1333)
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:519)
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:799)
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:767)
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
	at org.eclipse.jetty.io.nio.SslConnection.unwrap(SslConnection.java:536)
	at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:401)
	at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:193)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
	at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.ProviderException: java.security.KeyException
	at sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:146)
	at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:687)
	at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:63)
	at sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(ServerHandshaker.java:1316)
	at sun.security.ssl.ServerHandshaker.trySetCipherSuite(ServerHandshaker.java:1115)
	at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:942)
	at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:675)
	at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:213)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:901)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:841)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:839)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1273)
	at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:375)
	at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
	at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:678)
	at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044)
	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
	at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
	... 6 more
Caused by: java.security.KeyException
	at sun.security.ec.ECKeyPairGenerator.generateECKeyPair(Native Method)
	at sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:126)
	... 26 more


Exception from CLI:
[root@java16-master-jenkins-https-new ~]# java -jar jenkins-cli.jar -s https://localhost -noCertificateCheck help
Skipping HTTPS certificate checks altogether. Note that this is not secure at all.
Exception in thread "main" java.io.IOException: Failed to connect to https://localhost/
	at hudson.cli.CLI.getCliTcpPort(CLI.java:271)
	at hudson.cli.CLI.<init>(CLI.java:126)
	at hudson.cli.CLIConnectionFactory.connect(CLIConnectionFactory.java:72)
	at hudson.cli.CLI._main(CLI.java:471)
	at hudson.cli.CLI.main(CLI.java:387)
	Suppressed: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
		at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:953)
		at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
		at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
		at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
		at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
		at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
		at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1092)
		at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
		at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:77)
		at hudson.cli.CLI.connectViaHttp(CLI.java:156)
		at hudson.cli.CLI.<init>(CLI.java:130)
		... 3 more
	Caused by: java.io.EOFException: SSL peer shut down incorrectly
		at sun.security.ssl.InputRecord.read(InputRecord.java:482)
		at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:934)
		... 13 more
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:953)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
	at hudson.cli.CLI.getCliTcpPort(CLI.java:269)
	... 4 more
Caused by: java.io.EOFException: SSL peer shut down incorrectly
	at sun.security.ssl.InputRecord.read(InputRecord.java:482)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:934)
	... 11 more


Richard Bywater

Jun 11, 2015, 6:06:45 PM
to jenkins...@googlegroups.com
I assume that you've loaded up the certs into the correct place for the 1.7 version of Java? (e.g. cacerts file)

Richard.


Ari LiVigni

Jun 11, 2015, 9:30:26 PM
to jenkins...@googlegroups.com
We used keytool to create the self-signed cert, so I assumed that was the correct method.

Tom Moore

Jun 12, 2015, 9:17:20 AM
to jenkins...@googlegroups.com
Have you tried the Skip Certificate Check plugin? Generally it's not a great idea to be skipping security checks, but for a test instance it might be acceptable.

Jaime Flynn

Jun 26, 2015, 2:38:49 PM
to jenkins...@googlegroups.com
Thanks for the replies on this topic!

We have tried using the Skip Certificate Check Plugin and that didn't help.

The cert was generated with "keytool -genkey".  We have tried exporting this cert from its original keystore and importing it into the cacerts file and that didn't help either.

We have also tried regenerating a new cert (with keytool and openssl) to no avail.

Jenkins was also started with the Java option "-Djsse.enableSNIExtension=false", but that doesn't seem to help either.

This was tested using Jenkins version 1.609.1 and Java version java-1.7.0-openjdk-1.7.0.79-2.5.5.4.el6.x86_64.

Any other suggestions are greatly appreciated.

David Daniel

Aug 12, 2015, 6:12:32 PM
to Jenkins Users
So I ran into the same issue, and was able to figure out what the problem is (skip to the bottom if you want to jump directly to the answer). 

According to the source code (http://hg.openjdk.java.net/jdk7/jdk7/jdk/file/9b8c96f96a0f/src/share/classes/sun/security/ec/ECKeyPairGenerator.java#l166), it looks like ECKeyPairGenerator.generateECKeyPair is a call across the Java Native Interface to an implementation in another language (probably C, since this looks like a CPU intensive task, and the implementation was done in C).

So I wrote a simple desktop application that just directly called ECKeyPairGenerator.generateECKeyPair(). This caused the following exception to be thrown:


Exception in thread "main" java.lang.UnsatisfiedLinkError: sun.security.ec.ECKeyPairGenerator.generateECKeyPair(I[B[B)[Ljava/lang/Object;
	at sun.security.ec.ECKeyPairGenerator.generateECKeyPair(Native Method)
	at sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:126)
	at ECGenerator.main(ECGenerator.java:10)


I'm still trying to figure out why it's not linked, but if anyone knows, please update this thread. I'll update the thread if I have a solution.

Ari LiVigni

Aug 13, 2015, 12:04:35 PM
to Jenkins Users
In our case we needed to make sure nss >= 3.16 was installed as a yum package on RHEL 6.5.

Łukasz Korzybski

Oct 27, 2015, 10:20:02 AM
to Jenkins Users, jaimel...@yahoo.com

I had the same issue with OpenJDK 1.7.0 on CentOS 6.6. I had nss 3.16 and upgrading to nss 3.19 fixed the issue.

Michael Massey

Dec 22, 2015, 2:38:47 AM
to Jenkins Users, jaimel...@yahoo.com
I had the same issue with OpenJDK 1.7.0 on CentOS 6.5. Upgrading to nss 3.19 fixed the issue.
Thanks for the inputs everyone. Thanks Lukasz.

Vijayender Madura

Feb 3, 2016, 1:56:46 PM
to Jenkins Users, jaimel...@yahoo.com
+1!
This post saved me hours of troubleshooting. I had a similar problem on CentOS 6.5 and NSS 3.15. I was using the Github Authenticator plugin for Global Security on Jenkins and had this exception. Upgrading NSS to 3.19 solved the problem.
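The stack traces in the first post show where this breaks: ServerHandshaker.setupEphemeralECDHKeys calls SunEC's native generateECKeyPair while the server is choosing an ECDHE cipher suite, and on OpenJDK 7 for RHEL/CentOS 6 that native code is backed by the system libnss. That is why client-side measures tried in the thread (-noCertificateCheck, the Skip Certificate Check plugin, -Djsse.enableSNIExtension=false, re-importing the cert into cacerts) changed nothing: the server side abandons the handshake before any certificate is examined. The script below is an added diagnostic, not code from Jenkins, OpenJDK or anyone in this thread. It compares the installed nss package version against 3.19 (the version the replies above report as the fix; treating that as the threshold is an assumption taken from the thread, not from a vendor advisory), counts the tell-tale frame in a Jenkins log, and, where keytool is present, asks the same provider for an EC key pair to reproduce the failure without starting Jenkins, which is what David Daniel's desktop test did through the internal class. The sample log lines are constructed from the first post; the function and variable names are this script's own.

```shell
#!/bin/sh
# Added diagnostic for the SunEC / libnss failure discussed in the thread.
# Not part of Jenkins or OpenJDK. NSS_MIN is the version the replies report
# as fixing the problem; this is an assumption taken from the thread.

NSS_MIN="3.19"

# version_ge A B: exit 0 when dotted version A >= B. A package release
# suffix ("3.16.2.3-3.el6_5" -> "3.16.2.3") is dropped before comparing,
# and missing components count as 0, so "3.19" == "3.19.0".
version_ge() {
    awk -v a="${1%%-*}" -v b="${2%%-*}" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# sunec_failure_count FILE: number of handshakes in a Jenkins log that died
# inside SunEC's native key generation (the innermost frame of the first post).
sunec_failure_count() {
    grep -c 'sun.security.ec.ECKeyPairGenerator.generateECKeyPair(Native Method)' "$1" || true
}

# Constructed sample log: two failed TLS handshakes and one unrelated entry.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Jun 10, 2015 6:06:21 PM org.eclipse.jetty.util.log.JavaUtilLog warn
WARNING: handle failed
java.lang.RuntimeException: java.security.KeyException
Caused by: java.security.ProviderException: java.security.KeyException
    at sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:146)
    at sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(ServerHandshaker.java:1316)
Caused by: java.security.KeyException
    at sun.security.ec.ECKeyPairGenerator.generateECKeyPair(Native Method)
Jun 10, 2015 6:07:02 PM hudson.model.Run execute
INFO: test-job #12 main build action completed: SUCCESS
Jun 10, 2015 6:08:15 PM org.eclipse.jetty.util.log.JavaUtilLog warn
WARNING: handle failed
Caused by: java.security.KeyException
    at sun.security.ec.ECKeyPairGenerator.generateECKeyPair(Native Method)
EOF

# installed_nss_ok: 0 if the installed nss rpm is >= NSS_MIN, 1 if it is
# older, 2 when rpm is not available (non-RPM host, or not a root-owned db).
installed_nss_ok() {
    command -v rpm >/dev/null 2>&1 || return 2
    v=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' nss 2>/dev/null | head -n 1)
    [ -n "$v" ] || return 2
    version_ge "$v" "$NSS_MIN"
}

# keytool_ec_ok: exercise the provider the server handshake uses by asking
# keytool for an EC key pair in a throwaway keystore. 0 on success, 1 if
# generation fails (the condition in the thread), 2 if keytool is absent.
keytool_ec_ok() {
    command -v keytool >/dev/null 2>&1 || return 2
    d=$(mktemp -d)
    if keytool -genkeypair -keyalg EC -keysize 256 -alias ecprobe \
            -dname 'CN=ecprobe' -keystore "$d/probe.jks" \
            -storepass changeit -keypass changeit >"$d/out" 2>&1; then
        rc=0
    else
        rc=1
        cat "$d/out"
    fi
    rm -rf "$d"
    return $rc
}

main() {
    log=${1:-$SAMPLE_LOG}
    echo "SunEC native failures in $log: $(sunec_failure_count "$log")"
    installed_nss_ok && rc=0 || rc=$?
    case $rc in
        0) echo "installed nss >= $NSS_MIN: ok" ;;
        1) echo "installed nss is older than $NSS_MIN: yum update nss, then restart Jenkins" ;;
        *) echo "rpm not available; check the libnss version another way" ;;
    esac
    keytool_ec_ok && rc=0 || rc=$?
    case $rc in
        0) echo "keytool EC key generation: ok" ;;
        1) echo "keytool EC key generation failed: same condition as the Jenkins handshake" ;;
        *) echo "keytool not found; skipping the EC probe" ;;
    esac
}

main "$@"
```

Run it as `sh nss_check.sh /var/log/jenkins/jenkins.log` on the Jenkins master. After `yum update nss` the running JVM still has the old libnss mapped, so Jenkins has to be restarted before the keytool probe and the handshake start succeeding.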