Replication failing with error : Algorithm negotiation fail


Anjan Tummalapalli

Feb 23, 2018, 2:30:20 AM
to Repo and Gerrit Discussion
Hi Team,

We are using Gerrit V2.11 in our production and using GitHub as our replica.

We have been getting a replication issue since yesterday without doing any update on our box:

Replication to g...@github.com:<project>.git started...
Cannot replicate to g...@github.com:<project>.git
org.eclipse.jgit.errors.TransportException: g...@github.com:<project>.git: Algorithm negotiation fail
        at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:159)
        at org.eclipse.jgit.transport.SshTransport.getSession(SshTransport.java:136)
        at org.eclipse.jgit.transport.TransportGitSsh$SshFetchConnection.<init>(TransportGitSsh.java:262)
        at org.eclipse.jgit.transport.TransportGitSsh.openFetch(TransportGitSsh.java:161)
        at com.googlesource.gerrit.plugins.replication.PushOne.listRemote(PushOne.java:505)
        at com.googlesource.gerrit.plugins.replication.PushOne.doPushAll(PushOne.java:449)
        at com.googlesource.gerrit.plugins.replication.PushOne.generateUpdates(PushOne.java:442)
        at com.googlesource.gerrit.plugins.replication.PushOne.pushVia(PushOne.java:388)
        at com.googlesource.gerrit.plugins.replication.PushOne.runImpl(PushOne.java:371)
        at com.googlesource.gerrit.plugins.replication.PushOne.runPushOperation(PushOne.java:286)
        at com.googlesource.gerrit.plugins.replication.PushOne.access$000(PushOne.java:81)
        at com.googlesource.gerrit.plugins.replication.PushOne$1.call(PushOne.java:256)
        at com.googlesource.gerrit.plugins.replication.PushOne$1.call(PushOne.java:253)
        at com.google.gerrit.server.util.RequestScopePropagator$5.call(RequestScopePropagator.java:222)
        at com.google.gerrit.server.util.RequestScopePropagator$4.call(RequestScopePropagator.java:201)
        at com.google.gerrit.server.git.PerThreadRequestScope$Propagator$1.call(PerThreadRequestScope.java:75)
        at com.googlesource.gerrit.plugins.replication.PushOne.run(PushOne.java:253)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
        at com.google.gerrit.server.git.WorkQueue$Task.run(WorkQueue.java:379)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: com.jcraft.jsch.JSchException: Algorithm negotiation fail
        at com.jcraft.jsch.Session.receive_kexinit(Session.java:583)
        at com.jcraft.jsch.Session.connect(Session.java:320)
        at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:116)
        ... 24 more

Can someone please help me solve this issue?

Best Regards,
Anjan

Matthew Webber

Feb 23, 2018, 3:00:27 AM
to Repo and Gerrit Discussion
Looks like you're trying to replicate to GitHub.

It's possible that the old version of Gerrit that you are on does not support the newer crypto standards.

Anjan Tummalapalli

Feb 23, 2018, 3:11:45 AM
to Matthew Webber, Repo and Gerrit Discussion
Thank you very much for your insights. It helps.

@Gerrit Maintainers, is it possible to get a patch for the replication plugin which supports our current Gerrit version V2.11 along with the newer crypto standards?

Best Regards,
Anjan

--
--
To unsubscribe, email repo-discuss+unsubscribe@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Matthew Webber

Feb 23, 2018, 5:36:33 AM
to Repo and Gerrit Discussion
Looking at the GitHub blog post more closely, it looks like the TLS version is determined by Java.
What Java version is your Gerrit running on?

Java releases < JDK 8
As noted in this blog post by Oracle, TLSv1 was used by default for JDK releases prior to JDK 8. JDK 8 changed this behavior and defaults to TLSv1.2. Any client (ex. JGit is one such popular client) that runs on older versions of the JDK is affected. This can be addressed by updating to JDK >= 8 or explicitly opting in to TLSv1.2 in JDK 7 (look at the https.protocols JSSE tuning parameter). Unfortunately, versions of the JDK <= 6 do not support TLSv1.2. We advise users of JDK <= 6 to upgrade to a newer version of the JDK.


Gert van Dijk

Feb 23, 2018, 6:54:56 AM
to Repo and Gerrit Discussion
The traceback shows an SSH connection to GitHub rather than HTTPS. It has to do with the dropped support of key exchange algorithms diffie-hellman-group1-sha1 / diffie-hellman-group14-sha1 in the GitHub-run SSH service.

Gerrit/JGit uses Jsch as the library for SSH transport. Gerrit 2.11 includes an older Jsch and both 2.12 and 2.14 have received updates to this library which include fixes for the same vulnerability as GitHub is referring to (Logjam). See http://www.jcraft.com/jsch/ChangeLog.

To me this looks like it should be fixed in Gerrit 2.14.x (regardless of Java version used).
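
The failure Gert describes is the SSH KEXINIT step: per RFC 4253 section 7.1 the chosen key exchange algorithm is the first entry in the client's name-list that the server also lists, and an empty intersection aborts the connection, which is what JSch reports as "Algorithm negotiation fail". The script below is an added example, not code from the thread or from JSch or Gerrit; it simulates that negotiation for every KEXINIT field so a defender can see, from two algorithm lists, which side needs changing. The server and client algorithm lists are constructed for illustration and are not captured from GitHub or from any specific JSch release.

```python
# Added example (not from the thread, JSch or Gerrit): simulate SSH algorithm
# negotiation as defined in RFC 4253 section 7.1 to show why a client that
# only offers diffie-hellman-group1-sha1 / diffie-hellman-group14-sha1 fails
# against a server that has removed them.  All name-lists below are
# constructed for illustration.

from typing import Dict, Optional, Sequence


class AlgorithmNegotiationFail(Exception):
    """Raised when client and server share no algorithm for a KEXINIT field."""


def negotiate(client_prefs: Sequence[str], server_prefs: Sequence[str]) -> Optional[str]:
    """Return the first client-preferred algorithm the server also supports.

    RFC 4253 section 7.1: the chosen algorithm is the first name in the
    client's list that also appears in the server's list; the server's
    ordering does not matter.  None means negotiation fails.
    """
    server_set = set(server_prefs)
    for name in client_prefs:
        if name in server_set:
            return name
    return None


def negotiate_kexinit(client: Dict[str, Sequence[str]],
                      server: Dict[str, Sequence[str]]) -> Dict[str, str]:
    """Negotiate every KEXINIT name-list; raise on the first empty intersection."""
    chosen: Dict[str, str] = {}
    for field in ("kex", "host_key", "cipher", "mac"):
        result = negotiate(client[field], server[field])
        if result is None:
            raise AlgorithmNegotiationFail(
                f"{field}: client offered {list(client[field])}, "
                f"server offered {list(server[field])}")
        chosen[field] = result
    return chosen


# Constructed: a server that, like the GitHub SSH service described in the
# thread, no longer accepts the SHA-1 finite-field DH groups.
HARDENED_SERVER = {
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256",
            "diffie-hellman-group-exchange-sha256"],
    "host_key": ["ssh-ed25519", "rsa-sha2-512", "ssh-rsa"],
    "cipher": ["chacha20-poly1305@openssh.com", "aes128-ctr"],
    "mac": ["hmac-sha2-256"],
}

# Constructed: an SSH client whose key exchange support stops at the legacy
# SHA-1 DH groups (the situation an old SSH library ends up in).
LEGACY_CLIENT = {
    "kex": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"],
    "host_key": ["ssh-rsa"],
    "cipher": ["aes128-ctr"],
    "mac": ["hmac-sha2-256", "hmac-sha1"],
}

# Constructed: the same client after a library upgrade that adds modern kex
# methods in front of the legacy ones.
UPGRADED_CLIENT = {
    **LEGACY_CLIENT,
    "kex": ["ecdh-sha2-nistp256", "diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group14-sha1"],
}


def explain(client: Dict[str, Sequence[str]],
            server: Dict[str, Sequence[str]]) -> str:
    """Human-readable outcome, mirroring the wording JSch puts in its exception."""
    try:
        chosen = negotiate_kexinit(client, server)
    except AlgorithmNegotiationFail as exc:
        return f"Algorithm negotiation fail ({exc})"
    return "negotiated " + ", ".join(f"{k}={v}" for k, v in chosen.items())


if __name__ == "__main__":
    print("legacy client  :", explain(LEGACY_CLIENT, HARDENED_SERVER))
    print("upgraded client:", explain(UPGRADED_CLIENT, HARDENED_SERVER))
```

Running it prints a negotiation failure for the legacy client naming the `kex` field and both offered lists, and a successful negotiation (`kex=ecdh-sha2-nistp256`) for the upgraded client, which is the effect of the JSch upgrades discussed later in the thread: the fix is adding modern key exchange methods on the client side, not re-enabling the SHA-1 groups on the server.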

Matthew Webber

Feb 23, 2018, 7:13:30 AM
to Repo and Gerrit Discussion
> The traceback shows an SSH connection to GitHub rather than HTTPS. It has to do with the dropped support of key exchange algorithms diffie-hellman-group1-sha1 / diffie-hellman-group14-sha1 in the GitHub-run SSH service.

Good point, I completely missed that.

> To me this looks like it should be fixed in Gerrit 2.14.x (regardless of Java version used).

I can confirm that replication to GitHub is working for us. Running Gerrit 2.14.6 on Java 8.

Anjan Tummalapalli

Feb 23, 2018, 7:59:04 AM
to Gert van Dijk, Repo and Gerrit Discussion
As it is a production environment, we came up with a temporary solution, which is to use the HTTPS protocol instead of SSH. It solved the issue.

Now we will try to upgrade to a newer version in decent time.

BTW, we are using Java 8.

Best Regards,
Anjan

David Ostrovsky

Feb 23, 2018, 8:17:40 AM
to Repo and Gerrit Discussion

On Friday, 23 February 2018 13:59:04 UTC+1, Anjan Tummalapalli wrote:
> As it is a production environment, we came up with a temporary solution, which is to use the HTTPS protocol instead of SSH. It solved the issue.
>
> Now we will try to upgrade to a newer version in decent time.

All JSch version upgrades to 1.52: [1], 1.53: [2] and 1.54: [3] were trivial library upgrades,
without touching any line of code. You could probably patch your current gerrit version with
updated JSch library and it should just work.

* [1] https://gerrit-review.googlesource.com/#/c/gerrit/+/67792
* [2] https://gerrit-review.googlesource.com/#/c/gerrit/+/69900
* [3] https://gerrit-review.googlesource.com/#/c/gerrit/+/89730

David Ostrovsky

Feb 24, 2018, 12:14:59 PM
to Repo and Gerrit Discussion
I cherry-picked these changes to stable-2.11 and, thanks to GerritForge CI,
which is even still working on Buck and JDK 7, the final artifact can be
downloaded from: [1] ;-).

Anjan Tummalapalli

Feb 24, 2018, 10:27:02 PM
to David Ostrovsky, Repo and Gerrit Discussion
Thanks a lot for your timely help David..!!

Will surely make use of it.


David Pursehouse

Feb 25, 2018, 5:50:59 AM
to David Ostrovsky, Repo and Gerrit Discussion
Is it worth making a new 2.11 release with these upgrades?

We would also need a new 2.12 release.

There are also several other commits on stable-2.12 since the last release (2.12.7). On stable-2.12 I already set the version to 2.12.8 in April last year [1] and wrote the release notes [2] but for some reason didn't actually do the release. I'm not sure what happened there.


David Ostrovsky

Feb 25, 2018, 7:54:56 AM
to Repo and Gerrit Discussion

On Sunday, February 25, 2018 at 11:50:59 AM UTC+1, David Pursehouse wrote:
> On Sun, Feb 25, 2018 at 2:15 AM David Ostrovsky <david.o...@gmail.com> wrote:
>> On Friday, February 23, 2018 at 2:17:40 PM UTC+1, David Ostrovsky wrote:
>>> On Friday, 23 February 2018 13:59:04 UTC+1, Anjan Tummalapalli wrote:
>>>> As it is a production environment, we came up with a temporary solution, which is to use the HTTPS protocol instead of SSH. It solved the issue.
>>>>
>>>> Now we will try to upgrade to a newer version in decent time.
>>>
>>> All JSch version upgrades to 1.52: [1], 1.53: [2] and 1.54: [3] were trivial library upgrades,
>>> without touching any line of code. You could probably patch your current gerrit version with
>>> updated JSch library and it should just work.
>>>
>>> * [1] https://gerrit-review.googlesource.com/#/c/gerrit/+/67792
>>> * [2] https://gerrit-review.googlesource.com/#/c/gerrit/+/69900
>>> * [3] https://gerrit-review.googlesource.com/#/c/gerrit/+/89730
>>
>> I cherry-picked these changes to stable-2.11 and, thanks to GerritForge CI,
>> which is even still working on Buck and JDK 7, the final artifact can be
>> downloaded from: [1] ;-).
>
> Is it worth making a new 2.11 release with these upgrades?

Yes. There is one known vulnerability: [1], and the lost ability to replicate
to GitHub over SSH, due to a removed weak crypto algorithm: [2].

> We would also need a new 2.12 release.

Yes. 2.12 is missing the 1.54 JSch upgrade too.

I have already built both releases, from stable-2.11 and stable-2.12,
cherry-picked the needed changes and uploaded the releases to
my server. If you are using Gerrit 2.11.x or 2.12.x you should urgently
consider upgrading to the patched versions.
