RTC / Jenkins connection over SSL


Zoe Slattery (4011720) | asked Oct 31 '14, 1:01 p.m.
Hi

We have a new Jenkins install (1.587) with the 1.1.9 Team Concert plugin. We are using an RTC server which is at level 4.0.6 (I do not administer the RTC server).

I have Jenkins working fine over SSL - it's just a basic installation using Winstone (no Apache, Tomcat etc). I can configure a job in Jenkins and validate the RTC Build definition (so there is some communication that works) but I can't get the Jenkins Build Engine working in RTC. This fails when I try the connection test:

The error is:

Connection test requested.
    Connecting to: https://aegir.ssd.hursley.ibm.com:9445
Exception: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
    Test connection FAILED!

This looks similar to https://jazz.net/forum/questions/163603/how-to-create-rtc-build-engine-with-jenkins-using-ssl but I think that Dan had already got further than I have.

I suspect I have done/not done something obvious, can anyone see what it is?

5 answers



Zoe Slattery (4011720) | answered Oct 31 '14, 6:03 p.m.
Not an answer but a little more info ... it looks as though RTC is getting what it thinks is a plain text response from Jenkins. Using curl:

curl -k --sslv2 --request GET 'https://aegir.ssd.hursley.ibm.com:9445'
curl: (35) SSL connect error

curl -k --sslv3 --request GET 'https://aegir.ssd.hursley.ibm.com:9445'
curl: (35) SSL connect error

curl -k --tlsv1 --request GET 'https://aegir.ssd.hursley.ibm.com:9445'
... gets what looks like the Jenkins home page.

What protocol does RTC 4.0.6 use? Could the 'plain text response' just be the error message?



Comments
Zoe Slattery commented Nov 04 '14, 6:32 a.m.

More slow progress. We fixed an issue with a firewall rule and got as far as this error from RTC:

Connection test requested.
    Connecting to: https://aegir.ssd.hursley.ibm.com:9445
Exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    Test connection FAILED!

From memory this is identical to the problem linked to above.


Rick Patterson commented Dec 09 '14, 12:32 p.m.
JAZZ DEVELOPER

Hi.

We are using (almost) the latest Jenkins 1.592, on a Windows r2008 V2 server, with the built-in Winstone web server and Team Concert Plugin 1.1.9. RTC Server is at 4.07, and we had this connection working for a couple of weeks until today; the https connection has stopped working. We get the "Exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake" message. We revert to an http connection, and it is fine.


sam detweiler commented Dec 09 '14, 12:49 p.m.

Where is Jenkins running? Under Tomcat or Jetty?


Zoe Slattery (4011720) | answered Dec 09 '14, 1:10 p.m.
I should have updated this post earlier. Here is the answer as far as I have it. I used tcpdump with the -w option to trace the traffic that was coming to the HTTPS port on the Jenkins server and output it to a file that Wireshark can read. I then looked at the SSL handshake with Wireshark. This is a good thing to do, and not that difficult.

What I found was that RTC was sending an SSL handshake which said "the highest level of secure protocol that I support is SSLv3". In Jenkins there was an update (https://issues.jenkins-ci.org/browse/JENKINS-25169) to remove SSLv3 support (because of POODLE), so TLSv1 is the lowest SSL protocol that recent versions of Jenkins can use. As TLSv1 is higher than SSLv3, my instance of Jenkins cannot communicate with the instance of RTC that I am using.

I am still waiting for our DevOps team to figure out how to get RTC to use TLSv1. I'm afraid I don't know enough about RTC configuration to understand what needs to be done.

I strongly recommend tcpdump/wireshark as a very effective way to understand where the issue is.



Comments
sam detweiler commented Dec 09 '14, 1:23 p.m.

Where is your RTC running? Tomcat or WebSphere? That is where the config has to be done.

See here:

https://jazz.net/help-dev/clm/index.jsp?re=1&topic=/com.ibm.jazz.install.doc/topics/t_enable_tls1.2_was.html&scope=null


Zoe Slattery commented Dec 09 '14, 2:34 p.m.

Thanks Sam - unfortunately I don't have any access to the RTC systems - they are run by a central DevOps group and all I can do is raise an issue with them and wait till they have time to look at it. I'm sure they know how to configure it.


Rick Patterson (40148) | answered Dec 09 '14, 3:10 p.m.
JAZZ DEVELOPER
Thanks for the updates, Zoe and Sam. I believe our issue is the same as Zoe's, and was caused when we upgraded Jenkins from 1.576 to our current 1.592, and build 1.585 had the following change, as Zoe mentions:
https://issues.jenkins-ci.org/browse/JENKINS-25169. I have opened a helpdesk request in our location as well to see what security protocol RTC is using, and whether it can be changed.

Steffen Kriese (381921) | answered Dec 12 '14, 5:50 a.m.
Hello,

We see the same issue on RTC 5.0.0 running on Tomcat.

Until Jenkins 1.584 the test connection on the build engine dialog returns
Connection test requested.
    Connecting to: https://xyz:9443/
    Found header: X-Jenkins - 1.584
    Found header: X-Hudson - 1.395
    Test connection SUCCESSFUL!

With Jenkins 1.585 the result is
Connection test requested.
    Connecting to: https://xyz:9443/
Exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    Test connection FAILED!

Comparing the Jenkins 1.584 and 1.585 startup logs:
1.584:
INFO: Enabled Protocols [SSLv2Hello, SSLv3, TLSv1] of [SSLv2Hello, SSLv3, TLSv1]
1.585:
INFO: Enabled Protocols [TLSv1] of [SSLv2Hello, SSLv3, TLSv1]
It looks like Jenkins 1.585 and later only supports TLSv1.

Is there a description of how to configure RTC 5.0.0 for TLSv1?

Thanx, Steffen
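
The check done by hand in this thread (reading the client's offered version out of the captured handshake, then comparing it with the "Enabled Protocols" line in the Jenkins startup log) can be scripted. The Python below is an added example, not code from any poster or from Jenkins or RTC; the ClientHello byte strings are constructed samples, and it assumes pre-TLS 1.3 negotiation, where the hello carries only the client's highest version.

```python
import re

# Wire version (major, minor) -> protocol name as printed in the Jenkins startup log
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
RANK = {name: i for i, name in enumerate(VERSIONS.values())}

# Constructed samples: only the leading bytes of each hello, enough for the version
HELLO_SSLV3 = bytes.fromhex("160300002f" "0100002b" "0300")
HELLO_TLSV1 = bytes.fromhex("160301002f" "0100002b" "0301")
HELLO_V2_COMPAT = bytes.fromhex("802e01" "0300")  # SSLv2-format hello offering 3.0


def client_hello_max_version(data):
    """Return the highest protocol version the client offers in its first bytes."""
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2-compatible hello: 2-byte length, message type 1, then the version
        version = (data[3], data[4])
    elif len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        # 5-byte record header + 4-byte handshake header, then client_version
        version = (data[9], data[10])
    else:
        raise ValueError("not a ClientHello (plaintext or truncated capture?)")
    if version not in VERSIONS:
        raise ValueError("unhandled version %d.%d" % version)
    return VERSIONS[version]


def server_enabled(log_line):
    """Parse 'Enabled Protocols [a, b] of [c, d]' into the enabled protocol list."""
    m = re.search(r"Enabled Protocols \[([^\]]*)\] of \[", log_line)
    if not m:
        raise ValueError("no 'Enabled Protocols' entry in line")
    # SSLv2Hello is a hello format, not a negotiable protocol version, so drop it
    return [p.strip() for p in m.group(1).split(",") if p.strip() in RANK]


def negotiate(client_max, enabled):
    """Highest server-enabled version not above the client's maximum, else None."""
    usable = [p for p in enabled if RANK[p] <= RANK[client_max]]
    return max(usable, key=RANK.get) if usable else None


if __name__ == "__main__":
    logs = {"1.584": "INFO: Enabled Protocols [SSLv2Hello, SSLv3, TLSv1] of [SSLv2Hello, SSLv3, TLSv1]",
            "1.585": "INFO: Enabled Protocols [TLSv1] of [SSLv2Hello, SSLv3, TLSv1]"}
    offered = client_hello_max_version(HELLO_SSLV3)
    for release, line in logs.items():
        print(release, "client max", offered, "->", negotiate(offered, server_enabled(line)))
```

A `None` result for the 1.585 log line with a client whose maximum is SSLv3 is the mismatch described in the answers above; a client offering TLSv1 or higher negotiates TLSv1 against the same line.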


Steffen Kriese (381921) | answered Dec 12 '14, 6:02 a.m.
Tried this procedure to enable TLS 1.2 on RTC 5.0.0: https://jazz.net/help-dev/clm/topic/com.ibm.jazz.install.doc/topics/t_enable_tls1.2_tomcat.html
server.startup now fails with
-Dcom.ibm.team.repository.transport.client.protocol=TLSv1.2 command not found.
