Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-35154

Jira-ext Plugin does not set Servername for SNI Hosts

    Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Minor
    • Resolution: Unresolved
    • Component/s: jira-ext-plugin
    • Labels:
      None
    • Environment:
      Jenkins 2.6, jira-ext 0.5, OpenJDK 1.8u91 64bit, Amazon Linux 64bit
    • Similar Issues:

      Description

      The jira-ext Plugin does not set the servername parameter for ssl requests. Our Jira is behind SNIProxy and SNIProxy needs the servername to find the correct route. Without the following error occurs. The Jira Plugin works.

      Error finding FieldIds for issueKey: VITAL-1

      net.rcarz.jiraclient.JiraException: Exception getting fields for JIRA issue
      	at org.jenkinsci.plugins.jiraext.svc.impl.JiraClientSvcImpl.getJiraFields(JiraClientSvcImpl.java:212)
      	at org.jenkinsci.plugins.jiraext.view.UpdateField$DescriptorImpl.doQueryJiraFields(UpdateField.java:128)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:324)
      	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:167)
      	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:100)
      	at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:124)
      	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
      	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
      	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
      	at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:233)
      	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
      	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
      	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
      	at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:233)
      	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
      	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
      	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
      	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
      	at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
      	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:135)
      	at javax.servlet.FilterChain$doFilter.call(Unknown Source)
      	at com.ceilfors.jenkins.plugins.jiratrigger.ExceptionLoggingFilter.doFilter(ExceptionLoggingFilter.groovy:22)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:132)
      	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:126)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
      	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:80)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
      	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
      	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
      	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
      	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
      	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
      	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
      	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:553)
      	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
      	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
      	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
      	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
      	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
      	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
      	at org.eclipse.jetty.server.Server.handle(Server.java:499)
      	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
      	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
      	at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
      	at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
      	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
      	at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
      	at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
      	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
      	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
      	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
      	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
      	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:543)
      	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
      	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
      	at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
      	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
      	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
      	at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
      	at net.rcarz.jiraclient.RestClient.request(RestClient.java:126)
      	at net.rcarz.jiraclient.RestClient.get(RestClient.java:243)
      	at net.rcarz.jiraclient.RestClient.get(RestClient.java:259)
      	at net.rcarz.jiraclient.RestClient.get(RestClient.java:274)
      	at org.jenkinsci.plugins.jiraext.svc.impl.JiraClientSvcImpl.getJiraFields(JiraClientSvcImpl.java:195)
      	... 76 more
      

      For reference the openssl output:

      # openssl s_client -connect jira.corussoft.de:443
      CONNECTED(00000003)
      139873481942880:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
      ---
      no peer certificate available
      ---
      No client certificate CA names sent
      ---
      SSL handshake has read 7 bytes and written 249 bytes
      ---
      New, (NONE), Cipher is (NONE)
      Secure Renegotiation IS NOT supported
      Compression: NONE
      Expansion: NONE
      ---
      
      
      # openssl s_client -servername jira.corussoft.de -connect jira.corussoft.de:443
      CONNECTED(00000003)
      depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
      verify return:1
      depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
      verify return:1
      depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
      verify return:1
      depth=0 OU = Domain Control Validated, OU = COMODO SSL Wildcard, CN = *.corussoft.de
      verify return:1
      ---
      Certificate chain
       0 s:/OU=Domain Control Validated/OU=COMODO SSL Wildcard/CN=*.corussoft.de
         i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
       1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
         i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
       2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
         i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
       3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
         i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
      ---
      Server certificate
      -----BEGIN CERTIFICATE-----
      MIIGUDCCBTigAwIBAgIQBJBpncR+YdfSwHtajMN+rzANBgkqhkiG9w0BAQsFADCB
      kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
      A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNV
      BAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
      QTAeFw0xNjA0MjIwMDAwMDBaFw0xNzA0MjIyMzU5NTlaMFoxITAfBgNVBAsTGERv
      bWFpbiBDb250cm9sIFZhbGlkYXRlZDEcMBoGA1UECxMTQ09NT0RPIFNTTCBXaWxk
      Y2FyZDEXMBUGA1UEAwwOKi5jb3J1c3NvZnQuZGUwggIiMA0GCSqGSIb3DQEBAQUA
      A4ICDwAwggIKAoICAQDJfRIiD+J6chIPbC6udfe6c6yZJHnRXAFZ1WAPT2zzOUH7
      drR0OJ0SknV7lRKEtdIYGuXWaCFW9BwxhqxP/37g/DgcstNIu1pDRVcTVDgtnVWn
      FBHxJNnvkX3QdIP+Fnev8hbtMLwwVqaAWmDhq4G0UwAHBBncxXEFds0PhFtl0QpO
      89TnzJM4g58ARwiWMTn16sNBCwjKYhKq7HIJ1WFa3LJ7VsCqIjv3Y3TDfN62hYSC
      qPZAUJXup5r+grLq1TljRmYLc56Ox291fxXpxjJvEdDKvMUyX42MIfwqKioH3IKm
      o/Gq7ZaMTU346eAyFXtyK9eL/0gQfDOyBgTxU3XMoDE6fQIIm4tqd+eXjuqIyKEi
      IW5AEtaW9iqs9bcAEJvoI0FoU3lCgIZwlJAT3TdwXAufygAbd93NihOFlPi+xUnD
      AQ6eN5VQ+ZoH/VhbIMUw1lzo1xhY3dYhR04yKTwkYgdmhgfHYC3EAuRB2Vb4ouUj
      XPctMALW9DArk8oXKfybczUviltP+aRBXDvuMfzeqz0PFaslo8P5aDgEXOgPsLoC
      sFrWkYMFMmAypkM3ed4DEGItdRo0iPC67m8vvaVKQTZA6zbQ6aSOvrIcqBW9XcPP
      BEGXvEzAMChL4G5Vk60EYLxp+ZzUlTi7FPfN6bZMu3x1XR5o3weeCLuAYCAOZwID
      AQABo4IB2TCCAdUwHwYDVR0jBBgwFoAUkK9qOpRaC9iQ6hJWc99DtDoo2ucwHQYD
      VR0OBBYEFNscp1OJLI8gqtAKNFcA2AU+AALNMA4GA1UdDwEB/wQEAwIFoDAMBgNV
      HRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAE
      SDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJl
      LmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBUBgNVHR8ETTBLMEmgR6BFhkNodHRw
      Oi8vY3JsLmNvbW9kb2NhLmNvbS9DT01PRE9SU0FEb21haW5WYWxpZGF0aW9uU2Vj
      dXJlU2VydmVyQ0EuY3JsMIGFBggrBgEFBQcBAQR5MHcwTwYIKwYBBQUHMAKGQ2h0
      dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25T
      ZWN1cmVTZXJ2ZXJDQS5jcnQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9k
      b2NhLmNvbTAnBgNVHREEIDAegg4qLmNvcnVzc29mdC5kZYIMY29ydXNzb2Z0LmRl
      MA0GCSqGSIb3DQEBCwUAA4IBAQBN9pUfBDNXHRBCqFDcbr7RTjqTIvZwtNYjFcYL
      4UsYerDvQNvyJ+IlqpkBmjcif/8J+kGEXzP//xECHG0I2vVOcBPt4jwEgmWLJts/
      yPnFVeaacvvHWPpal6qjeySFLJhu+lgZ48OCF+omoYNGMOmitBHLr8ztxjty6cq0
      gX0VoUkWrzLuK3ZaplHFwPz9NW6RNNOI400jObI4jjov2XCedbyX1/2uG76v3dJQ
      qzyeFanpGRVGJO6FdwGmViylzXJoWZZ7miDJ/Yq8sVaooUtXjA68v4tKXZS5IeHs
      LVaFB4FQmF27d7tNa1QdYx5nBO78kYfdz7yMipbQX6tnArPr
      -----END CERTIFICATE-----
      subject=/OU=Domain Control Validated/OU=COMODO SSL Wildcard/CN=*.corussoft.de
      issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
      ---
      No client certificate CA names sent
      Server Temp Key: ECDH, secp521r1, 521 bits
      ---
      SSL handshake has read 6467 bytes and written 469 bytes
      ---
      New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
      Server public key is 4096 bit
      Secure Renegotiation IS supported
      Compression: NONE
      Expansion: NONE
      SSL-Session:
          Protocol  : TLSv1.2
          Cipher    : ECDHE-RSA-AES256-GCM-SHA384
          Session-ID: 574715770E1DF03256B550508EBE5D34F8736E1FD7E038B2DCACDA0A9EED8057
          Session-ID-ctx:
          Master-Key: D38223200385FC0C12FDC03CA07E851482A6D0C4F393988FFBD0577CCCF2E94A56CBCF943E8BE70FE27003CDD5A4F1EC
          Key-Arg   : None
          Krb5 Principal: None
          PSK identity: None
          PSK identity hint: None
          Start Time: 1464276203
          Timeout   : 300 (sec)
          Verify return code: 0 (ok)
      ---
      

      Further Reference: http://blog.chrismeller.com/testing-sni-certificates-with-openssl

        Attachments

          Activity

          Hide
          dalvizu Dan Alvizu added a comment -

          Need to investigate - one route: https://wiki.apache.org/HttpComponents/SNISupport

          Show
          dalvizu Dan Alvizu added a comment - Need to investigate - one route: https://wiki.apache.org/HttpComponents/SNISupport

            People

            • Assignee:
              dalvizu Dan Alvizu
              Reporter:
              ckirschner Carsten Kirschner
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated: