Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-48905

SSL Connection to Rocket failes if Rocket host uses SNI

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Labels:
      None
    • Environment:
      Java: openjdk version "1.8.0_131"
      Jenkins: 2.101
      Jenkins Host OS: Debian Jessie (8)
      Rocket Server: 0.60.3
      RocketChat Notifier Plugin: 1.1.0
    • Similar Issues:

      Description

      When testing the connection, I get the exception found below. When manually trying to connect via openssl, I can reproduce the error but can also fix it.

      My assumption is, that the java ssl client doesn't send the servername information and thus is "routed" to the wrong website.

       

      Error reproduced via openssl

      root@host:~# openssl s_client -connect rocket.domain.com:443
      <snip>
      -----END CERTIFICATE-----
      subject=/C=DE/O=Company /CN=farmer.domain.com
      <snip>
      ---
      

      Error "fixed" via openssl

      root@host:~# openssl s_client -connect rocket.domain.com:443 -servername rocket.domain.com
      <snip>
      -----END CERTIFICATE-----
      subject=/OU=Domain Control Validated/OU=Company /OU=PositiveSSL/CN=rocket.doman.com
      issuer=<snip>
      ---

       

      Error Msg.

      Client error - Could not send message
      
      javax.net.ssl.SSLException: Certificate for <rocket.domain.com> doesn't match any of the subject alternative names: [farmer.domain.com, farmer]
          at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:165)
          at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:61)
          at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:141)
          at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:114)
          at org.apache.http.conn.ssl.SSLSocketFactory.verifyHostname(SSLSocketFactory.java:580)
          at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:554)
          at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:412)
          at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:179)
          at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
          at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:134)
          at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:612)
          at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:447)
          at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:884)
          at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
          at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
          at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
          at com.mashape.unirest.http.HttpClientHelper.request(HttpClientHelper.java:138)
      Caused: com.mashape.unirest.http.exceptions.UnirestException
          at com.mashape.unirest.http.HttpClientHelper.request(HttpClientHelper.java:143)
          at com.mashape.unirest.request.BaseRequest.asJson(BaseRequest.java:68)
          at jenkins.plugins.rocketchatnotifier.rocket.RocketChatBasicCallAuthentication.doAuthentication(RocketChatBasicCallAuthentication.java:46)
      Caused: java.io.IOException: Please check if the server API https://rocket.domain.com//api/v1/login is correct: javax.net.ssl.SSLException: Certificate for <rocket.domain.com> doesn't match any of the subject alternative names: [farmer.domain.com, farmer]
          at jenkins.plugins.rocketchatnotifier.rocket.RocketChatBasicCallAuthentication.doAuthentication(RocketChatBasicCallAuthentication.java:48)
          at jenkins.plugins.rocketchatnotifier.rocket.RocketChatClientCallBuilder.buildCall(RocketChatClientCallBuilder.java:91)
          at jenkins.plugins.rocketchatnotifier.rocket.RocketChatClientCallBuilder.buildCall(RocketChatClientCallBuilder.java:81)
          at jenkins.plugins.rocketchatnotifier.rocket.RocketChatClientImpl.getChannels(RocketChatClientImpl.java:91)
          at jenkins.plugins.rocketchatnotifier.RocketClientImpl.<init>(RocketClientImpl.java:30)
          at jenkins.plugins.rocketchatnotifier.RocketChatNotifier$DescriptorImpl.doTestConnection(RocketChatNotifier.java:397)
          at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
          at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
          at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184)
          at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117)
          at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129)
          at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
          at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:248)
          at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
          at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
          at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:841)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at hudson.plugins.greenballs.GreenBallFilter.doFilter(GreenBallFilter.java:59)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
          at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:99)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
          at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
          at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
          at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
          at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
          at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
          at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)
          at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
          at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
          at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
          at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
          at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
          at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
          at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
          at org.eclipse.jetty.server.Server.handle(Server.java:564)
          at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:317)
          at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
          at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
          at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110)
          at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
          at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
          at java.lang.Thread.run(Thread.java:748)

        Attachments

          Activity

          Hide
          mreinhardt Martin Reinhardt added a comment -

          sorry to say, but I don't have time to investigate further

          Show
          mreinhardt Martin Reinhardt added a comment - sorry to say, but I don't have time to investigate further
          Hide
          christopher Chris Childs added a comment -

          Andreas Bauer were you able to find work around for this?

          Show
          christopher Chris Childs added a comment - Andreas Bauer were you able to find work around for this?
          Hide
          mreinhardt Martin Reinhardt added a comment -

          updated http clients component. Will be included in next release

          Show
          mreinhardt Martin Reinhardt added a comment - updated http clients component. Will be included in next release
          Hide
          key_andi Andreas Bauer added a comment -

          Martin Reinhardt Thanks for fixing this bug!! Really apreciate it!

          Show
          key_andi Andreas Bauer added a comment - Martin Reinhardt Thanks for fixing this bug!! Really apreciate it!
          Hide
          mreinhardt Martin Reinhardt added a comment -

          I've pushed 1.2.1. Should be visible within Jenkins during today

          Show
          mreinhardt Martin Reinhardt added a comment - I've pushed 1.2.1. Should be visible within Jenkins during today

            People

            • Assignee:
              mreinhardt Martin Reinhardt
              Reporter:
              key_andi Andreas Bauer
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: