Jenkins + Subversion + SSL client certificates


Graham Leggett

Feb 4, 2013, 9:43:28 AM
to jenkins...@googlegroups.com
Hi all,

Does there exist a definitive description on how to set Jenkins up to talk to a subversion repository that is protected by SSL client certificates?

The native subversion client works perfectly, but the svnkit based client refuses to connect, failing with a handshake error. Does the Jenkins Subversion plugin look at the native subversion configuration at ~/.subversion/servers? Does the plugin look somewhere else?

I have trawled the Jenkins UI, and apart from a few boilerplate options in the "configure" section there is no way to configure svn authentication at all. Is it supposed to be like this or am I doing something wrong?

Regards,
Graham
--

Andreas Schilling

Feb 4, 2013, 9:50:49 AM
to jenkins...@googlegroups.com
Hi Graham,

you know of http://YOURJENKINSINSTANCE/scm/SubversionSCM/enterCredential ?
To my current knowledge this URL is still kind of unknown. At least when we set up SVN (like 2 years ago) we stumbled upon this more by accident than by knowing...
After switching to hg some time ago I actually don't know a lot about what's happening around the SVN integration in Jenkins, but I think this still is the way to pass the credentials.

Kind regards,

Andreas Schilling

Graham Leggett

Feb 4, 2013, 10:38:23 AM
to jenkins...@googlegroups.com
On 04 Feb 2013, at 4:50 PM, Andreas Schilling <andreas....@twt-gmbh.de> wrote:

> you know of http://YOURJENKINSINSTANCE/scm/SubversionSCM/enterCredential ?
> To my current knowledge this URL is still kind of unknown. At least when we set up SVN (like 2 years ago) we stumbled upon this more by accident than by knowing...
> After switching to hg some time ago I actually don't know a lot about what's happening around the SVN integration in Jenkins, but I think this still is the way to pass the credentials.

I finally stumbled on a way to put the certificate in on a per project basis (highly non ideal, but I'll take anything that works at this point). Still no joy.

The error I get is this:

Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

The remote host disconnects because of this:

SSL Library Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

All of these are deep protocol errors that are just dumped in a logfile, the actual error is discarded or ignored.

Is there a way to get rid of svnkit entirely? In our case the native svn client works fine, we don't need this second client, it doesn't seem to work properly with digital certificates and/or SNI and has no error handling at all.

Regards,
Graham
--

Graham Leggett

Feb 6, 2013, 4:28:52 PM
to jenkins...@googlegroups.com
On 04 Feb 2013, at 5:38 PM, Graham Leggett <min...@sharp.fm> wrote:

> Is there a way to get rid of svnkit entirely? In our case the native svn client works fine, we don't need this second client, it doesn't seem to work properly with digital certificates and/or SNI and has no error handling at all.

To the credit of the svnkit project, they have added SNI support to the latest trunk of svnkit, and have confirmed it works when used with Java 7 (which supports SNI).

Regards,
Graham
--

Graham Leggett

Feb 27, 2013, 4:34:04 PM
to jenkins...@googlegroups.com
On 04 Feb 2013, at 5:38 PM, Graham Leggett <min...@sharp.fm> wrote:

> I finally stumbled on a way to put the certificate in on a per project basis (highly non ideal, but I'll take anything that works at this point). Still no joy.
>
> The error I get is this:
> Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
> The remote host disconnects because of this:
>
> SSL Library Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
> version number
>
> All of these are deep protocol errors that are just dumped in a logfile, the actual error is discarded or ignored.
>
> Is there a way to get rid of svnkit entirely? In our case the native svn client works fine, we don't need this second client, it doesn't seem to work properly with digital certificates and/or SNI and has no error handling at all.

I finally got to the bottom of this one.

For reasons not entirely clear, svnkit defaults to using the SSLv3 protocol only. No newer protocols are accepted.

SNI is a TLSv1+ feature, and so our svn server is configured to accept TLSv1 as a minimum protocol. The svnkit default causes the handshake failure, and because the actual error is discarded we don't see the cause.

The workaround is to add the following to the JVM:

-Dsvnkit.http.sslProtocols=TLSv1

Regards,
Graham
--
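
The diagnosis reached in this thread depended on reading the client and server logs side by side. The following is an added example, not code from the thread or from the Jenkins or svnkit projects: it decodes the packed OpenSSL error code quoted above and correlates it with the Java exception. It assumes the OpenSSL 1.x error layout (8 bits library, 12 bits function, 12 bits reason); the function names, result strings and sample log lines are constructed for illustration.

```python
import re

# OpenSSL 1.x packs an error code as 0xLLFFFRRR: library, function, reason
# (assumption: 1.x layout; OpenSSL 3.x changed the packing).
OPENSSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):")
ERR_LIB_SSL = 20                   # 0x14, the SSL library
SSL_R_WRONG_VERSION_NUMBER = 267   # 0x10B
JAVA_HANDSHAKE = "javax.net.ssl.SSLHandshakeException"


def decode_openssl_error(line):
    """Return (lib, func, reason) from an OpenSSL 1.x error line, or None."""
    m = OPENSSL_ERR.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def diagnose(client_lines, server_lines):
    """Correlate client (JVM) and server (OpenSSL) logs for one failed connect."""
    client_failed = any(JAVA_HANDSHAKE in line for line in client_lines)
    wrong_version = False
    for line in server_lines:
        decoded = decode_openssl_error(line)
        if decoded and decoded[0] == ERR_LIB_SSL \
                and decoded[2] == SSL_R_WRONG_VERSION_NUMBER:
            wrong_version = True
    if client_failed and wrong_version:
        # Client offered a protocol version the server does not accept;
        # compare the client's protocol list with the server's minimum.
        return "protocol-version-mismatch"
    if client_failed:
        return "handshake-failed-unknown-cause"
    return "no-handshake-failure"


# Constructed sample logs, built from the two messages quoted in the thread.
CLIENT_LOG = [
    "Caused by: javax.net.ssl.SSLHandshakeException: "
    "Remote host closed connection during handshake",
]
SERVER_LOG = [
    "SSL Library Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:"
    "wrong version number",
]

if __name__ == "__main__":
    print(decode_openssl_error(SERVER_LOG[0]))
    print(diagnose(CLIENT_LOG, SERVER_LOG))
```
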
