SonarQube update-center.properties is not downloading with No Proxy

[Brandon Etchison]

We have been running SQ for about 1 year and randomly both our prod and test environments had the Update Center stop working.  When browsing to the update center it doesn't show any of the updates anymore.  We use the default settings for the update center so no proxies.  I have ran network traces and it looks like the SSL handshake is getting a "RESET" back from update.sonarsource.org.  I am at a loss as to what would cause this.  Is there some additional settings somewhere?  We have been looking into this problem ongoing since October and if we remove HTTPS and force the update center URL configuration to be HTTP (http://update.sonarsource.org/update-center.properties), it works fine.  So the issue definitely seems to be related to HTTPS.

org.sonar.api.utils.SonarException: Fail to download: https://update.sonarsource.org/update-center.properties (no proxy)

at org.sonar.core.util.DefaultHttpDownloader.failToDownload(DefaultHttpDownloader.java:157) ~[sonar-core-5.6.4.jar:na]

at org.sonar.core.util.DefaultHttpDownloader.readString(DefaultHttpDownloader.java:115) ~[sonar-core-5.6.4.jar:na]

at org.sonar.api.utils.UriReader.readString(UriReader.java:72) ~[sonar-plugin-api-5.6.4.jar:na]

Caused by: java.net.SocketException: Software caused connection abort: recv failed

at java.net.SocketInputStream.socketRead0(Native Method) ~[na:1.8.0_111]

at java.net.SocketInputStream.socketRead(Unknown Source) ~[na:1.8.0_111]

at java.net.SocketInputStream.read(Unknown Source) ~[na:1.8.0_111]

at java.net.SocketInputStream.read(Unknown Source) ~[na:1.8.0_111]

at sun.security.ssl.InputRecord.readFully(Unknown Source) ~[na:1.8.0_111]

[henri...@sonarsource.com]

Hi Brandon

Your SQ environment seems fine (SQ 5.6.4, Java 8u111).

Could you try this curl command from system where SQ is hosted ?

curl -L -v https://update.sonarsource.org/update-center.properties 

[Brandon Etchison]

Henri,

I am on a Windows Server so i dont have curl, but I ran both a wget and Invoke-WebRequest from powershell and get:

"Unable to read data from the transport connection:  An existing connection was forcibly closed by the remote host."

Brandon

[henri...@sonarsource.com]

We're using TLS 1.2 with strong ciphers and it could be your issue.

It should works out of the box on recent Java 8 

Could you try to compile and run this simple HttpsClient ?

https://gist.github.com/hgomez-sonarsource/bab47dfb151633ce3334b7a10c12e305

javac HttpsClient.java

java HttpsClient  https://update.sonarsource.org/update-center.properties

[Brandon Etchison]

I went ahead and updated to the latest Java 8 version and tried the code below.  This code actually worked, and could pull down the contents.  I am still stumped why the SQ server is getting the exception and why i still get the same exception when using powershell.

Brandon

[Brandon Etchison]

1 other update.  We did some comparisons.  We can hit that URL with a browser and compared the wire trace with the failed one from SQ.  The protocal that is being used on the failure from SQ is that it is trying to use SSL3.  Is there a way to force TLS1.2 from the SQ server?  Or is there a way to configure that at the Java level?

Brandon

On Monday, January 23, 2017 at 3:57:55 AM UTC-5, henri...@sonarsource.com wrote: