RTC / Jenkins connection over SSL
Hi
We have a new Jenkins install (1.587) with the 1.1.9 team concert plugin. We are using an RTC server which is at level 4.0.6 (I do not administer the RTC server). I have Jenkins working fine over SSL - it's just a basic installation using Winstone (no Apache, Tomcat etc). I can configure a job in Jenkins and validate the RTC Build definition (so there is some communication that works) but I can't get the Jenkins Build Engine working in RTC. This fails when I try the connection test. The error is:

Connection test requested.
Connecting to: https://aegir.ssd.hursley.ibm.com:9445
Exception: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
Test connection FAILED!

This looks similar to https://jazz.net/forum/questions/163603/how-to-create-rtc-build-engine-with-jenkins-using-ssl but I think that Dan had already got further than I have. I suspect I have done/not done something obvious, can anyone see what it is?
5 answers
Not an answer but a little more info ... it looks as though RTC is getting what it thinks is a plain text response from Jenkins. Using curl:
curl -k --sslv2 --request GET 'https://aegir.ssd.hursley.ibm.com:9445'
curl: (35) SSL connect error
curl -k --sslv3 --request GET 'https://aegir.ssd.hursley.ibm.com:9445'
curl: (35) SSL connect error
curl -k --tlsv1 --request GET 'https://aegir.ssd.hursley.ibm.com:9445'
..gets what looks like the Jenkins home page.

What protocol does RTC 4.0.6 use? Could the 'plain text response' just be the error message?
Comments
Zoe Slattery
commented Nov 04 '14, 6:32 a.m.
More slow progress. We fixed an issue with a firewall rule and got as far as this error from RTC:
Hi.
sam detweiler
commented Dec 09 '14, 12:49 p.m.
Where is Jenkins running? Under Tomcat or Jetty?
I should have updated this post earlier. Here is the answer as far as I have it. I used tcpdump with the -w option to trace the traffic that was coming to the HTTPS port on the Jenkins server and output to a file that Wireshark can read. I then looked at the SSL handshake with Wireshark. This is a good thing to do - and not that difficult.
What I found was that RTC was sending an SSL handshake which said "the highest level of secure protocol that I support is SSLv3". In Jenkins there was an update to Jenkins https://issues.jenkins-ci.org/browse/JENKINS-25169 to remove SSLv3 support (because of POODLE) in - so TLSv1 is the lowest SSL protocol that recent versions of Jenkins can use. As TLSv1 is higher than SSLv3 my instance of Jenkins cannot communicate with the instance of RTC that I am using.
I am still waiting for our DevOps team to figure out how to get RTC to use TLSv1. I'm afraid I don't know enough about RTC configuration to understand what needs to be done.
I strongly recommend tcpdump/wireshark as a very effective way to understand where the issue is.
Comments
sam detweiler
commented Dec 09 '14, 1:23 p.m.
Where is your RTC running? Tomcat or WebSphere? That is where the config has to be done.
Zoe Slattery
commented Dec 09 '14, 2:34 p.m.
Thanks Sam - unfortunately I don't have any access to the RTC systems - they are run by a central DevOps group and all I can do is raise an issue with them and wait till they have time to look at it. I'm sure they know how to configure it.
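The handshake check described in the tcpdump/Wireshark answer above, as an added example that is not part of the original thread: it reads the maximum protocol version a client offers from the first bytes of a connection and compares it with the protocols the server has enabled. The function names and the sample bytes are constructed for illustration, and the negotiation rule is simplified to the pre-TLS 1.3 case.

```python
import struct

# Wire values, named as in the Jenkins startup log quoted in this thread.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]  # lowest to highest


def _name(raw):
    (value,) = struct.unpack("!H", raw)
    return VERSIONS.get(value, "unknown(0x%04x)" % value)


def classify(first_bytes):
    """Return (kind, offered_max) for the first bytes of a TCP stream on an HTTPS port."""
    b = first_bytes
    # Plain HTTP where TLS was expected: the case "plaintext connection?" points at.
    if b[:4] in (b"GET ", b"POST", b"HEAD", b"HTTP"):
        return ("plaintext-http", None)
    # SSLv2-format hello (Java's "SSLv2Hello"): high bit of the length set, type 1.
    if len(b) >= 5 and b[0] & 0x80 and b[2] == 0x01:
        return ("sslv2-format-hello", _name(b[3:5]))
    # SSLv3/TLS record: type 0x16 (handshake), 2-byte version, 2-byte length, then
    # handshake type 0x01 (ClientHello), 3-byte length, 2-byte client_version.
    # TLS 1.3 clients fix this field at TLSv1.2 and use an extension (not parsed here).
    if len(b) >= 11 and b[0] == 0x16 and b[5] == 0x01:
        return ("client-hello", _name(b[9:11]))
    return ("unrecognized", None)


def negotiate(client_max, server_enabled):
    """Highest server-enabled version not above the client's maximum, else None."""
    if client_max not in ORDER:
        return None
    allowed = ORDER[: ORDER.index(client_max) + 1]
    usable = [v for v in allowed if v in server_enabled]
    return usable[-1] if usable else None


# Constructed sample bytes (not captured from the systems in this thread).
SSL3_HELLO = bytes.fromhex("160300002f0100002b0300")
TLS1_HELLO = bytes.fromhex("160301002f0100002b0301")
V2_FORMAT_HELLO = bytes.fromhex("802e010300")

if __name__ == "__main__":
    for sample in (SSL3_HELLO, TLS1_HELLO, V2_FORMAT_HELLO, b"HTTP/1.1 400 Bad Request"):
        kind, offered = classify(sample)
        for enabled in (["SSLv3", "TLSv1"], ["TLSv1"]):  # with and without SSLv3
            print(kind, offered, enabled, "->", negotiate(offered, enabled))
```

To use it on a real capture, copy the first bytes of the client's TCP payload out of Wireshark; a client whose maximum is SSLv3 yields no common protocol against a server that enables only TLSv1.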
Thanks for the updates, Zoe, and Sam. I believe our issue is the same as Zoe's, and was caused when we upgraded Jenkins from 1.576 to our current 1.592, and build 1.585 had the following change as Zoe mentions:
https://issues.jenkins-ci.org/browse/JENKINS-25169. I have opened a helpdesk request in our location as well to see what security protocol RTC is using, and whether it can be changed.
Hello,
we see the same issue on RTC 5.0.0 running on tomcat. Until Jenkins 1.584 the test connection on the build engine dialog returns

Connection test requested.
Connecting to: https://xyz:9443/
Found header: X-Jenkins - 1.584
Found header: X-Hudson - 1.395
Test connection SUCCESSFUL!

With Jenkins 1.585 the result is

Connection test requested.
Connecting to: https://xyz:9443/
Exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
Test connection FAILED!

Comparing the Jenkins 1.584 and 1.585 startup log

1.584: INFO: Enabled Protocols [SSLv2Hello, SSLv3, TLSv1] of [SSLv2Hello, SSLv3, TLSv1]
1.585: INFO: Enabled Protocols [TLSv1] of [SSLv2Hello, SSLv3, TLSv1]

it looks like Jenkins 1.585 and later only supports TLSv1. Is there a description how to configure RTC 5.0.0 for TLSv1?
Thanx, Steffen
tried this procedure to enable tls1.2 on rtc 5.0.0: https://jazz.net/help-dev/clm/topic/com.ibm.jazz.install.doc/topics/t_enable_tls1.2_tomcat.html
server.startup now fails with