Reputation: 38132
Jenkins: https.protocols
In Jenkins (v1.599), in a Maven Release build, I get the following error:
[ERROR] Failed to execute goal
org.apache.maven.plugins:maven-deploy-plugin:2.8.2:deploy
(default-deploy) on project myArtifactId: Failed to deploy
artifacts: Could not transfer artifact
myGroupdId:myArtifactId:pom:myVersion from/to
sonatype-nexus-staging
(https://oss.sonatype.org/service/local/staging/deploy/maven2/): peer
not authenticated -> [Help 1]
I had this first in a build which uses Java SE 7, but now I also have the issue in a build which uses Java SE 8.
After some research I found out that the issue happens because of the https.protocols property.
I noticed this line in the output almost at the top:
[workspace] $ /usr/lib/jvm/java-8-oracle//bin/java
-Dhttps.protocols=SSLv3 -Dforce.http.jre.executor=true -cp /opt/jenkins/plugins/maven-plugin/WEB-INF/lib/maven3-agent-1.6.jar:/usr/share/maven/boot/plexus-classworlds-2.x.jar
org.jvnet.hudson.maven3.agent.Maven3Main /usr/share/maven
/var/cache/jenkins/war/WEB-INF/lib/remoting-2.49.jar
/opt/jenkins/plugins/maven-plugin/WEB-INF/lib/maven3-interceptor-1.6.jar
/opt/jenkins/plugins/maven-plugin/WEB-INF/lib/maven3-interceptor-commons-1.6.jar
37213
Note the parameter
-Dhttps.protocols=SSLv3
I'm not sure what this call does or what it's effect is. The mvn calls come later and thus should start a different JVM (even several as the Maven Release Plugin forks the process).
Also note that the default values for https.protocols are TLSv1 (Java SE 7) and TLSv1.2 (Java SE 8).
Setting this parameter in the job configuration has no effect, but if configure the Maven Release Plugin like this:
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-release-plugin</artifactId>
<version>${plugin.release.version}</version>
<configuration>
<mavenExecutorId>forked-path</mavenExecutorId>
<useReleaseProfile>false</useReleaseProfile>
<arguments>-Psonatype-oss-release -Dusername=${username} -Dhttps.protocols=TLSv1.2</arguments>
</configuration>
</plugin>
then the release runs fine.
My questions:
- Where does this -Dhttps.protocols=SSLv3 come from?
- Is it really the source of the issue? It seems to be a different JVM instance...
- If it is the source, where can I configure/ remove this parameter?
Update
I checked MAVEN_OPTS at:
- Jenkins -> Configuration
- /etc/default/jenkins
- env | grep MAVEN_OPTS
The property is not defined there.
Upvotes: 2
Views: 8439
Answers (3)
Reputation: 1
Could it come from the JVM properties? Everything that comes before "-cp" in the call
/usr/lib/jvm/java-8-oracle//bin/java
-Dhttps.protocols=SSLv3 -Dforce.http.jre.executor=true -cp /opt/jenkins/plugins/maven-plugin/WEB-INF/lib/maven3-agent-1.6.jar:/usr/share/maven/boot/plexus-classworlds-2.x.jar
org.jvnet.hudson.maven3.agent.Maven3Main /usr/share/maven
/var/cache/jenkins/war/WEB-INF/lib/remoting-2.49.jar
/opt/jenkins/plugins/maven-plugin/WEB-INF/lib/maven3-interceptor-1.6.jar
/opt/jenkins/plugins/maven-plugin/WEB-INF/lib/maven3-interceptor-commons-1.6.jar
comes from system properties, see https://github.com/jenkinsci/jenkins/blob/master/core/src/main/java/hudson/util/JVMBuilder.java
Do you see anything in
< your-Jenkins-URL >/systemInfo
It seems that JVM properties in Maven jobs are taken from Jenkins system properties, see https://issues.jenkins-ci.org/browse/JENKINS-16331
Upvotes: 0
Reputation: 156
Where does this
-Dhttps.protocols=SSLv3come from?
I would say Jenkins or the way you start up your Jenkins job.
Is it really the source of the issue? It seems to be a different JVM instance...
If you only enable SSLv3 it means both client and server needs to allow and know how to talk it. SSLv3 is barely considered safe nowadays and you should change it to atleast TLSv1
If it is the source, where can I configure/ remove this parameter?
In your Jenkins config or the script that starts your job. Sometimes Jenkins can "inherit" the environment from how it was started itself. Check your default environment Jenkins is started in, your Jenkins JDK/Java system config, your Jenkins job and possible your slave host config where the job is run.
Upvotes: -1
Reputation: 24324
peer not authenticated -> [Help 1]
The client is not able to verify the certs. This could be because the server has disabled SSLv3.
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
- https://access.redhat.com/articles/1232123
- http://disablessl3.com/
Where does this -Dhttps.protocols=SSLv3 come from?
don't know; you may have more luck searching your server settings / job config / grepping your source code.
Is it really the source of the issue? It seems to be a different JVM instance...
If SSLv3 is disabled on the server and your client is configured to talk only SSLv3 then it is not going to work. You can pass in multiple protocols
e.g. -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
If it is the source, where can I configure/ remove this parameter?
Seems like you already found that configuring the plugin works just fine.
You could try overriding _JAVA_OPTIONS in your slave environment.
Upvotes: 2
Related Questions
- Enable HTTPS in jenkins?
- Jenkins Git plugin with https
- How to change the security type from SSL to TLS in Jenkins?
- Jenkins CLI with HTTPS
- Jenkins subversion - javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
- Maven release plugin SSL problems
- Using maven-release-plugin with git over HTTPS
- Maven Release plugin: Doing the git push via https
- Jenkins SVN using https protocol
- Jenkins CI - SSL handshake_failure