Jenkins / JENKINS-53325

Subversion plugin bundles outdated version of trilead-ssh2 library causing connections to fail due to non compatible cipher options


    • Bug
    • Resolution: Fixed
    • Major
    • subversion-plugin
    • None
    • Jenkins ver. 2.121.3 Standalone install
      Subversion Plug-in 2.11.1
    • 2.12.0

      After upgrading sshd on the Subversion server, the Jenkins Subversion plugin stopped working. The problem is that the Jenkins Subversion plugin no longer has compatible ciphers to negotiate with the server.

      Subversion plugin bundles trilead-ssh2-1.0.0-build221.jar and this is used when communicating with the svn+ssh protocol.

      Other plugins have had the same issues and therefore Jenkins core is patched with a version of the lib called trilead-ssh2-build-217-jenkins-11.jar. Since the Subversion plugin bundles its own, that outdated version is used.

      Here is an obfuscated stack trace that proves the above (notice the KexManager:413 row; in the latest Jenkins core one it should have been KexManager:408):

       

      ERROR: Failed to update svn+ssh://[host]/[path]
      org.tmatesoft.svn.core.SVNException: svn: E210002: There was a problem while connecting to [host]
          at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.error(SVNErrorManager.java:64)
          at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.error(SVNErrorManager.java:51)
          at org.tmatesoft.svn.core.internal.io.svn.SVNSSHConnector.open(SVNSSHConnector.java:145)
          at org.tmatesoft.svn.core.internal.io.svn.SVNConnection.open(SVNConnection.java:77)
          at org.tmatesoft.svn.core.internal.io.svn.SVNRepositoryImpl.openConnection(SVNRepositoryImpl.java:1273)
          at org.tmatesoft.svn.core.internal.io.svn.SVNRepositoryImpl.testConnection(SVNRepositoryImpl.java:99)
          at org.tmatesoft.svn.core.io.SVNRepository.getRepositoryUUID(SVNRepository.java:283)
          at org.tmatesoft.svn.core.internal.wc2.SvnRepositoryAccess.createRepository(SvnRepositoryAccess.java:110)
          at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgRepositoryAccess.createRepository(SvnNgRepositoryAccess.java:210)
          at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgAbstractUpdate.updateInternal(SvnNgAbstractUpdate.java:194)
          at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgAbstractUpdate.update(SvnNgAbstractUpdate.java:111)
          at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgUpdate.run(SvnNgUpdate.java:38)
          at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgUpdate.run(SvnNgUpdate.java:18)
          at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgOperationRunner.run(SvnNgOperationRunner.java:20)
          at org.tmatesoft.svn.core.internal.wc2.SvnOperationRunner.run(SvnOperationRunner.java:21)
          at org.tmatesoft.svn.core.wc2.SvnOperationFactory.run(SvnOperationFactory.java:1235)
          at org.tmatesoft.svn.core.wc2.SvnOperation.run(SvnOperation.java:294)
          at org.tmatesoft.svn.core.wc.SVNUpdateClient.doUpdate(SVNUpdateClient.java:311)
          at org.tmatesoft.svn.core.wc.SVNUpdateClient.doUpdate(SVNUpdateClient.java:291)
          at org.tmatesoft.svn.core.wc.SVNUpdateClient.doUpdate(SVNUpdateClient.java:387)
          at hudson.scm.subversion.UpdateUpdater$TaskImpl.perform(UpdateUpdater.java:158)
          at hudson.scm.subversion.WorkspaceUpdater$UpdateTask.delegateTo(WorkspaceUpdater.java:162)
          at hudson.scm.SubversionSCM$CheckOutTask.perform(SubversionSCM.java:996)
          at hudson.scm.SubversionSCM$CheckOutTask.invoke(SubversionSCM.java:972)
          at hudson.scm.SubversionSCM$CheckOutTask.invoke(SubversionSCM.java:948)
          at hudson.FilePath.act(FilePath.java:990)
          at hudson.FilePath.act(FilePath.java:968)
          at hudson.scm.SubversionSCM.checkout(SubversionSCM.java:897)
          at hudson.scm.SubversionSCM.checkout(SubversionSCM.java:833)
          at hudson.scm.SCM.checkout(SCM.java:485)
          at hudson.model.AbstractProject.checkout(AbstractProject.java:1269)
          at hudson.model.AbstractBuild$AbstractBuildExecution.defaultCheckout(AbstractBuild.java:607)
          at jenkins.scm.SCMCheckoutStrategy.checkout(SCMCheckoutStrategy.java:86)
          at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:529)
          at hudson.model.Run.execute(Run.java:1738)
          at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:531)
          at hudson.model.ResourceController.execute(ResourceController.java:98)
          at hudson.model.Executor.run(Executor.java:410)
      Caused by: java.io.IOException: There was a problem while connecting to [host]
          at com.trilead.ssh2.Connection.connect(Connection.java:817)
          at org.tmatesoft.svn.core.internal.io.svn.ssh.SshHost.openConnection(SshHost.java:225)
          at org.tmatesoft.svn.core.internal.io.svn.ssh.SshHost.openSession(SshHost.java:153)
          at org.tmatesoft.svn.core.internal.io.svn.ssh.SshSessionPool.openSession(SshSessionPool.java:85)
          at org.tmatesoft.svn.core.internal.io.svn.SVNSSHConnector.open(SVNSSHConnector.java:122)
          ... 35 more
      Caused by: java.io.IOException: Key exchange was not finished, connection is closed.
          at com.trilead.ssh2.transport.KexManager.getOrWaitForConnectionInfo(KexManager.java:92)
          at com.trilead.ssh2.transport.TransportManager.getConnectionInfo(TransportManager.java:231)
          at com.trilead.ssh2.Connection.connect(Connection.java:769)
          ... 39 more
      Caused by: java.io.IOException: Cannot negotiate, proposals do not match.
          at com.trilead.ssh2.transport.KexManager.handleMessage(KexManager.java:413)
          at com.trilead.ssh2.transport.TransportManager.receiveLoop(TransportManager.java:765)
          at com.trilead.ssh2.transport.TransportManager$1.run(TransportManager.java:480)
          at java.lang.Thread.run(Thread.java:745)
      ERROR: Subversion update failed
      java.io.IOException
          at hudson.scm.subversion.UpdateUpdater$TaskImpl.perform(UpdateUpdater.java:212)
          at hudson.scm.subversion.WorkspaceUpdater$UpdateTask.delegateTo(WorkspaceUpdater.java:162)
          at hudson.scm.SubversionSCM$CheckOutTask.perform(SubversionSCM.java:996)
          at hudson.scm.SubversionSCM$CheckOutTask.invoke(SubversionSCM.java:972)
          at hudson.scm.SubversionSCM$CheckOutTask.invoke(SubversionSCM.java:948)
          at hudson.FilePath.act(FilePath.java:990)
          at hudson.FilePath.act(FilePath.java:968)
          at hudson.scm.SubversionSCM.checkout(SubversionSCM.java:897)
          at hudson.scm.SubversionSCM.checkout(SubversionSCM.java:833)
          at hudson.scm.SCM.checkout(SCM.java:485)
          at hudson.model.AbstractProject.checkout(AbstractProject.java:1269)
          at hudson.model.AbstractBuild$AbstractBuildExecution.defaultCheckout(AbstractBuild.java:607)
          at jenkins.scm.SCMCheckoutStrategy.checkout(SCMCheckoutStrategy.java:86)
          at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:529)
          at hudson.model.Run.execute(Run.java:1738)
          at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:531)
          at hudson.model.ResourceController.execute(ResourceController.java:98)
          at hudson.model.Executor.run(Executor.java:410)
      Caused by: hudson.scm.subversion.UpdaterException: failed to perform svn update
          ... 18 more
      Caused by: org.tmatesoft.svn.core.SVNException: svn: E210002: There was a problem while connecting to [host]
          at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.error(SVNErrorManager.java:64)
          at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.error(SVNErrorManager.java:51)
          at org.tmatesoft.svn.core.internal.io.svn.SVNSSHConnector.open(SVNSSHConnector.java:145)
          at org.tmatesoft.svn.core.internal.io.svn.SVNConnection.open(SVNConnection.java:77)
          at org.tmatesoft.svn.core.internal.io.svn.SVNRepositoryImpl.openConnection(SVNRepositoryImpl.java:1273)
          at org.tmatesoft.svn.core.internal.io.svn.SVNRepositoryImpl.testConnection(SVNRepositoryImpl.java:99)
          at org.tmatesoft.svn.core.io.SVNRepository.getRepositoryUUID(SVNRepository.java:283)
          at org.tmatesoft.svn.core.internal.wc2.SvnRepositoryAccess.createRepository(SvnRepositoryAccess.java:110)
          at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgRepositoryAccess.createRepository(SvnNgRepositoryAccess.java:210)
          at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgAbstractUpdate.updateInternal(SvnNgAbstractUpdate.java:194)
          at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgAbstractUpdate.update(SvnNgAbstractUpdate.java:111)
          at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgUpdate.run(SvnNgUpdate.java:38)
          at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgUpdate.run(SvnNgUpdate.java:18)
          at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgOperationRunner.run(SvnNgOperationRunner.java:20)
          at org.tmatesoft.svn.core.internal.wc2.SvnOperationRunner.run(SvnOperationRunner.java:21)
          at org.tmatesoft.svn.core.wc2.SvnOperationFactory.run(SvnOperationFactory.java:1235)
          at org.tmatesoft.svn.core.wc2.SvnOperation.run(SvnOperation.java:294)
          at org.tmatesoft.svn.core.wc.SVNUpdateClient.doUpdate(SVNUpdateClient.java:311)
          at org.tmatesoft.svn.core.wc.SVNUpdateClient.doUpdate(SVNUpdateClient.java:291)
          at org.tmatesoft.svn.core.wc.SVNUpdateClient.doUpdate(SVNUpdateClient.java:387)
          at hudson.scm.subversion.UpdateUpdater$TaskImpl.perform(UpdateUpdater.java:158)
          ... 17 more
      Caused by: java.io.IOException: There was a problem while connecting to [host]
          at com.trilead.ssh2.Connection.connect(Connection.java:817)
          at org.tmatesoft.svn.core.internal.io.svn.ssh.SshHost.openConnection(SshHost.java:225)
          at org.tmatesoft.svn.core.internal.io.svn.ssh.SshHost.openSession(SshHost.java:153)
          at org.tmatesoft.svn.core.internal.io.svn.ssh.SshSessionPool.openSession(SshSessionPool.java:85)
          at org.tmatesoft.svn.core.internal.io.svn.SVNSSHConnector.open(SVNSSHConnector.java:122)
          ... 35 more
      Caused by: java.io.IOException: Key exchange was not finished, connection is closed.
          at com.trilead.ssh2.transport.KexManager.getOrWaitForConnectionInfo(KexManager.java:92)
          at com.trilead.ssh2.transport.TransportManager.getConnectionInfo(TransportManager.java:231)
          at com.trilead.ssh2.Connection.connect(Connection.java:769)
          ... 39 more
      Caused by: java.io.IOException: Cannot negotiate, proposals do not match.
          at com.trilead.ssh2.transport.KexManager.handleMessage(KexManager.java:413)
          at com.trilead.ssh2.transport.TransportManager.receiveLoop(TransportManager.java:765)
          at com.trilead.ssh2.transport.TransportManager$1.run(TransportManager.java:480)
          at java.lang.Thread.run(Thread.java:745)
      
      

      We have found a workaround by manually patching the Subversion plugin, but this will obviously break with the next Subversion plugin update.

      (to manually patch: remove subversion plugin dependency from cmdline and copy latest patched version there instead)

       

      Alternatively, if you don't have strong security requirements and a path forward, you could re-enable the weak algorithms. Not recommended.

       

      Steps to reproduce:

      You need a Subversion server with the svn+ssh protocol. The sshd needs to be patched and must not allow algorithms and ciphers generally considered weak. We had to manually rewrite logging in trilead to understand which algorithm caused our problems, since the client used several outdated algorithms.

            ifernandezcalvo Ivan Fernandez Calvo
            afksd Christofer Täpp
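
The report notes that trilead's logging had to be rewritten to learn which algorithm category made the negotiation fail. As an added example (not code from this issue, Jenkins or trilead-ssh2), the following parses two SSH_MSG_KEXINIT payloads as laid out in RFC 4253 section 7.1 and lists the categories with no algorithm in common. All function names are hypothetical, and the two proposals are constructed samples, not the lists trilead or any real sshd sends.

```python
# The ten name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
FIELDS = ["kex", "server_host_key", "cipher_c2s", "cipher_s2c", "mac_c2s",
          "mac_s2c", "compression_c2s", "compression_s2c", "lang_c2s", "lang_s2c"]
SSH_MSG_KEXINIT = 20

def build_kexinit(lists):
    """Serialize a proposal; used here only to make the constructed samples."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)        # message type + zeroed cookie
    for name in FIELDS:
        s = ",".join(lists.get(name, [])).encode("ascii")
        body += len(s).to_bytes(4, "big") + s          # uint32 length + name-list
    return body + b"\x00" + bytes(4)                   # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Parse a KEXINIT payload (binary packet framing already removed)."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}                                  # skip type byte and cookie
    for name in FIELDS:
        n = int.from_bytes(payload[off:off + 4], "big")
        raw = payload[off + 4:off + 4 + n]
        if len(payload) < off + 4 or len(raw) != n:
            raise ValueError("truncated in " + name)
        out[name] = raw.decode("ascii").split(",") if raw else []
        off += 4 + n
    return out

def negotiate(client, server):
    """Simplified RFC 4253 rule: first client preference the server lists, else None."""
    return {f: next((a for a in client[f] if a in server[f]), None)
            for f in FIELDS if not f.startswith("lang")}   # languages may be empty

def mismatches(client, server):
    return [f for f, alg in negotiate(client, server).items() if alg is None]

def proposal(kex, hostkey, cipher, mac):
    """Constructed sample: same lists in both directions, compression 'none'."""
    return parse_kexinit(build_kexinit(dict(zip(FIELDS,
        [kex, hostkey, cipher, cipher, mac, mac, ["none"], ["none"], [], []]))))

# Constructed proposals: an outdated client and a hardened server.
OLD_CLIENT = proposal(["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
                      ["ssh-rsa", "ssh-dss"], ["aes128-ctr", "aes128-cbc"], ["hmac-sha1", "hmac-md5"])
HARDENED_SERVER = proposal(["curve25519-sha256", "diffie-hellman-group-exchange-sha256"],
                           ["ssh-ed25519", "ssh-rsa"], ["aes256-ctr", "aes128-ctr"], ["hmac-sha2-256"])

if __name__ == "__main__":
    print("no common algorithm for:", mismatches(OLD_CLIENT, HARDENED_SERVER))
```

With these samples the ciphers and host key types still overlap, so the failure comes from the key exchange and MAC lists alone, which is the kind of detail the generic "proposals do not match" message hides.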