Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-34121

IBM Java doesn't support AES/CTR/PKCS5Padding, required for JNLP3

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Won't Fix
    • Component/s: remoting
    • Labels:
      None
    • Similar Issues:

      Description

      It is not possible to run slaves anymore using IBM Java.

      This is due to the new encrypted communication introduced in Jenkins 1.653, where the handshake is done using "AES/CTR/PKCS5Padding".
      I couldn't find what ciphers IBM Java does or doesn't support (maybe nothing else than the default ones), but I created a quick test to check (see below).

      Would it be possible to switch to a cipher supported by IBM Java?

      Test:
      import java.security.NoSuchAlgorithmException;
      import javax.crypto.Cipher;
      import javax.crypto.NoSuchPaddingException;
      public class PaddingIssue {
      private static final String CIPHER = "AES/CTR/PKCS5Padding";
      public static void main(String[] args) throws NoSuchAlgorithmException, NoSuchPaddingException

      { Cipher encryptCipher = Cipher.getInstance(CIPHER); System.out.println("Fine!"); }

      }

      Executions:
      IBM JAVA 1.6
      /usr/lib/j2re1.6-ibm/jre/bin/java PaddingIssue
      Exception in thread "main" java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
      at javax.crypto.Cipher.getInstance(Unknown Source)
      at PaddingIssue.main(PaddingIssue.java:10)
      Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10126Padding or NoPadding
      at com.ibm.crypto.provider.AESCipher.engineSetPadding(Unknown Source)
      at javax.crypto.Cipher$a.a(Unknown Source)
      ... 2 more

      IBM JAVA 1.7
      /usr/lib/j2re1.7-ibm/jre/bin/java PaddingIssue
      Exception in thread "main" java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
      at javax.crypto.Cipher.getInstance(Unknown Source)
      at PaddingIssue.main(PaddingIssue.java:10)
      Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10126Padding or NoPadding
      at com.ibm.crypto.provider.AESCipher.engineSetPadding(Unknown Source)
      at javax.crypto.Cipher$a.a(Unknown Source)
      ... 2 more

      IBM JAVA 1.8
      /usr/lib/jvm/java-ibm-x86_64-80/jre/bin/java PaddingIssue
      Exception in thread "main" java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
      at javax.crypto.Cipher.getInstance(Unknown Source)
      at PaddingIssue.main(PaddingIssue.java:10)
      Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10126Padding or NoPadding
      at com.ibm.crypto.provider.AbstractBufferingCipher.engineSetPadding(Unknown Source)
      at javax.crypto.Cipher$a.a(Unknown Source)
      ... 2 more

      OpenJDK 7
      /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java PaddingIssue
      Fine!

      Full stacktrace:
      Mar 22, 2016 3:54:13 PM hudson.remoting.jnlp.Main$CuiListener status
      INFO: Trying protocol: JNLP3-connect
      Mar 22, 2016 3:54:14 PM hudson.remoting.jnlp.Main$CuiListener error
      SEVERE: Failed to create handshake ciphers
      java.lang.AssertionError: Failed to create handshake ciphers
      at org.jenkinsci.remoting.engine.HandshakeCiphers.create(HandshakeCiphers.java:116)
      at org.jenkinsci.remoting.engine.JnlpProtocol3.performHandshake(JnlpProtocol3.java:138)
      at org.jenkinsci.remoting.engine.JnlpProtocol.establishChannel(JnlpProtocol.java:77)
      at hudson.remoting.Engine.run(Engine.java:308)
      Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/CTR/PKCS5Padding
      at javax.crypto.Cipher.getInstance(Unknown Source)
      at org.jenkinsci.remoting.engine.HandshakeCiphers.create(HandshakeCiphers.java:109)
      ... 3 more
      Caused by: javax.crypto.NoSuchPaddingException: CTR mode must be used with ISO10
      126Padding or NoPadding
      at com.ibm.crypto.provider.AESCipher.engineSetPadding(Unknown Source)
      at javax.crypto.Cipher$a_.a(Unknown Source)
      ... 5 more

        Attachments

          Issue Links

            Activity

            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Oleg Nenashev
            Path:
            docs/protocols.md
            src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol3Handler.java
            http://jenkins-ci.org/commit/remoting/fe2587b7f9d78334e0ab05ab0b95f39b4b600a25
            Log:
            Docs - Noting JENKINS-37302, JENKINS-33886, and JENKINS-34121 in Errata

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Oleg Nenashev Path: docs/protocols.md src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol3Handler.java http://jenkins-ci.org/commit/remoting/fe2587b7f9d78334e0ab05ab0b95f39b4b600a25 Log: Docs - Noting JENKINS-37302 , JENKINS-33886 , and JENKINS-34121 in Errata
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Oleg Nenashev
            Path:
            docs/protocols.md
            src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol3Handler.java
            http://jenkins-ci.org/commit/remoting/86e13055079fd679a46b06fc7ce54ea1eb33ac1f
            Log:
            Merge pull request #155 from oleg-nenashev/doc/jnlp3_errata

            [Docs] - Noting JENKINS-37302, JENKINS-33886, and JENKINS-34121 in JNLP3 Errata

            Compare: https://github.com/jenkinsci/remoting/compare/b8f10d809829...86e13055079f

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Oleg Nenashev Path: docs/protocols.md src/main/java/org/jenkinsci/remoting/engine/JnlpProtocol3Handler.java http://jenkins-ci.org/commit/remoting/86e13055079fd679a46b06fc7ce54ea1eb33ac1f Log: Merge pull request #155 from oleg-nenashev/doc/jnlp3_errata [Docs] - Noting JENKINS-37302 , JENKINS-33886 , and JENKINS-34121 in JNLP3 Errata Compare: https://github.com/jenkinsci/remoting/compare/b8f10d809829...86e13055079f
            Hide
            oleg_nenashev Oleg Nenashev added a comment -

            Closing as "Won't fix", upgrade to JNLP4 is the recommended solution.

            If somebody wants to fix it, please feel free to reopen it and to create a pull request

            Show
            oleg_nenashev Oleg Nenashev added a comment - Closing as "Won't fix", upgrade to JNLP4 is the recommended solution. If somebody wants to fix it, please feel free to reopen it and to create a pull request
            Hide
            srimanoj_kandala Mallikarjuna Manoj Kandala added a comment -

            Can someone please provide instructions to upgrade to JNLP4 ?

            We prefer to use IBM JRE.

            Show
            srimanoj_kandala Mallikarjuna Manoj Kandala added a comment - Can someone please provide instructions to upgrade to JNLP4 ? We prefer to use IBM JRE.
            Hide
            oleg_nenashev Oleg Nenashev added a comment -

            Mallikarjuna Manoj Kandala

            1) Upgrade to Jenkins 2.32.1 or above
            2) Go to the Global Security Configuration in Manage Jenkins
            3) Ensure that JNLP4 is allowed in protocol security settings

            Show
            oleg_nenashev Oleg Nenashev added a comment - Mallikarjuna Manoj Kandala 1) Upgrade to Jenkins 2.32.1 or above 2) Go to the Global Security Configuration in Manage Jenkins 3) Ensure that JNLP4 is allowed in protocol security settings

              People

              • Assignee:
                Unassigned
                Reporter:
                gloparm Gabriel Lopez
              • Votes:
                2 Vote for this issue
                Watchers:
                9 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: