Jenkins CI - SSL handshake_failure

Question

Я пытаюсь настроить Jenkins CI для непрерывной интеграции для нашего проекта и не могу подключить его к нашему SVN-репозиторию через https. Каждый раз, когда я пытаюсь настроить хранилище URL и пытается подключиться я получаю следующие исключения:

org.tmatesoft.svn.core.SVNException: svn: OPTIONS /svn/repo/path failed 
     at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:291) 
     at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:276) 
     at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:264) 
     at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.exchangeCapabilities(DAVConnection.java:516) 
     at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.open(DAVConnection.java:98) 
     at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.openConnection(DAVRepository.java:1001) 
     at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.testConnection(DAVRepository.java:97) 
     at hudson.scm.SubversionSCM$DescriptorImpl.checkRepositoryPath(SubversionSCM.java:1966) 
     at hudson.scm.SubversionSCM$DescriptorImpl.doCheckRemote(SubversionSCM.java:1900) 
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) 
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) 
     at java.lang.reflect.Method.invoke(Unknown Source) 
     at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:282) 
     at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:149) 
     at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:88) 
     at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:111) 
     at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53) 
     at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:563) 
     at org.kohsuke.stapler.Stapler.invoke(Stapler.java:648) 
     at org.kohsuke.stapler.MetaClass$6.doDispatch(MetaClass.java:241) 
     at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53) 
     at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:563) 
     at org.kohsuke.stapler.Stapler.invoke(Stapler.java:648) 
     at org.kohsuke.stapler.MetaClass$6.doDispatch(MetaClass.java:241) 
     at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53) 
     at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:563) 
     at org.kohsuke.stapler.Stapler.invoke(Stapler.java:648) 
     at org.kohsuke.stapler.Stapler.invoke(Stapler.java:477) 
     at org.kohsuke.stapler.Stapler.service(Stapler.java:159) 
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) 
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) 
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) 
     at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:95) 
     at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:87) 
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) 
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) 
     at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:47) 
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) 
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) 
     at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84) 
     at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51) 
     at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) 
     at org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:166) 
     at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) 
     at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125) 
     at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) 
     at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142) 
     at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) 
     at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271) 
     at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) 
     at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:173) 
     at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) 
     at jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:61) 
     at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) 
     at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249) 
     at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:66) 
     at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) 
     at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76) 
     at hudson.plugins.pwauth.PWauthFilter.doFilter(PWauthFilter.java:50) 
     at hudson.plugins.pwauth.PWauthFilter.doFilter(PWauthFilter.java:37) 
     at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164) 
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) 
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) 
     at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81) 
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) 
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) 
     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) 
     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) 
     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470) 
     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) 
     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) 
     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) 
     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) 
     at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) 
     at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291) 
     at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:776) 
     at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:705) 
     at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:898) 
     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) 
     at java.lang.Thread.run(Unknown Source) 
Caused by: org.tmatesoft.svn.core.SVNErrorMessage: svn: OPTIONS /svn/repo/path failed 
     at org.tmatesoft.svn.core.SVNErrorMessage.create(SVNErrorMessage.java:200) 
     at org.tmatesoft.svn.core.SVNErrorMessage.create(SVNErrorMessage.java:146) 
     at org.tmatesoft.svn.core.SVNErrorMessage.create(SVNErrorMessage.java:89) 
     ... 81 more 
Caused by: org.tmatesoft.svn.core.SVNException: svn: OPTIONS request failed on '/svn/repo/path' 
svn: Received fatal alert: handshake_failure 
     at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.error(SVNErrorManager.java:64) 
     at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.error(SVNErrorManager.java:51) 
     at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection._request(HTTPConnection.java:644) 
     at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:285) 
     ... 80 more 
Caused by: org.tmatesoft.svn.core.SVNErrorMessage: svn: OPTIONS request failed on '/svn/repo/path' 
     at org.tmatesoft.svn.core.SVNErrorMessage.create(SVNErrorMessage.java:200) 
     at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection._request(HTTPConnection.java:642) 
     ... 81 more 
Caused by: org.tmatesoft.svn.core.SVNErrorMessage: svn: Received fatal alert: handshake_failure 
     at org.tmatesoft.svn.core.SVNErrorMessage.create(SVNErrorMessage.java:101) 
     at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection._request(HTTPConnection.java:389) 
     ... 81 more 
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure 
     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source) 
     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source) 
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source) 
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source) 
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) 
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source) 
     at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source) 
     at java.io.BufferedOutputStream.flushBuffer(Unknown Source) 
     at java.io.BufferedOutputStream.flush(Unknown Source) 
     at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.sendData(HTTPConnection.java:229) 
     at org.tmatesoft.svn.core.internal.io.dav.http.HTTPRequest.dispatch(HTTPRequest.java:166) 
     at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection._request(HTTPConnection.java:364) 
    ... 81 more 

Я включил отладку SSL на моем TOMCAT экземпляр (с помощью -Djavax.net.debug=ssl:handshake) и получил следующие:

X509KeyManager passed to SSLContext.init(): need an X509ExtendedKeyManager for SSLEngine use 
trigger seeding of SecureRandom 
done seeding SecureRandom 
Allow unsafe renegotiation: false 
Allow legacy hello messages: true 
Is initial handshake: true 
Is secure renegotiation: false 
Handling GET /jenkins/job/projectName/descriptorByName/hudson.scm.SubversionSCM/checkRemote : TP-Processor3, setSoTimeout(3600000) called 
%% No cached client session 
*** ClientHello, SSLv3 
RandomCookie: GMT: 1330544609 bytes = { 141, 119, 147, 122, 40, 183, 52, 147, 58, 49, 199, 147, 190, 160, 8, 252, 253, 194, 196, 96, 220, 88, 240, 200, 69, 210, 123, 127 } 
Session ID: {} 
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] 
Compression Methods: { 0 } 
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1} 
Extension ec_point_formats, formats: [uncompressed] 
*** 
Handling GET /jenkins/job/projectName/descriptorByName/hudson.scm.SubversionSCM/checkRemote : TP-Processor3, WRITE: SSLv3 Handshake, length = 163 
Handling GET /jenkins/job/projectName/descriptorByName/hudson.scm.SubversionSCM/checkRemote : TP-Processor3, READ: SSLv3 Alert, length = 2 
Handling GET /jenkins/job/projectName/descriptorByName/hudson.scm.SubversionSCM/checkRemote : TP-Processor3, RECV TLSv1 ALERT: fatal, handshake_failure 
Handling GET /jenkins/job/projectName/descriptorByName/hudson.scm.SubversionSCM/checkRemote : TP-Processor3, called closeSocket() 
Handling GET /jenkins/job/projectName/descriptorByName/hudson.scm.SubversionSCM/checkRemote : TP-Processor3, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure 
Handling GET /jenkins/job/projectName/descriptorByName/hudson.scm.SubversionSCM/checkRemote : TP-Processor3, called close() 
Handling GET /jenkins/job/projectName/descriptorByName/hudson.scm.SubversionSCM/checkRemote : TP-Processor3, called closeInternal(true) 
Handling GET /jenkins/job/projectName/descriptorByName/hudson.scm.SubversionSCM/checkRemote : TP-Processor3, called close() 
Handling GET /jenkins/job/projectName/descriptorByName/hudson.scm.SubversionSCM/checkRemote : TP-Processor3, called closeInternal(true) 

Я попытался добавить свойство -Dhttps.protocols=SSLv3 в моем tomcat, как описано в сообщении this, и все еще имел ту же ошибку.

На данный момент я полностью в тупике относительно того, что происходит ... К сожалению, я не эксперт по SSL, чтобы полностью понять информацию об отладке SSL. У кого-нибудь есть мысли о том, как исправить эту ошибку?

Answer 1

Итак, похоже, что это проблема, связанная с конфигурацией SSL на сервере. По-видимому, SVNKit по какой-то причине не будет работать с TLSv1.

Наша первоначальная конфигурация была только разрешить TLSv1:

SSLProtocol -all +TLSv1 

Таким образом, исправление было включить TLSv1 и SSLv3:

SSLProtocol -all +SSLv3 +TLSv1 

Answer 2

Похоже, сервер отвечает клиенту, но клиент не любит ответа. Посмотрите на журнал клиентской стороны и посмотрите, есть ли что-то, что подскажет, в чем проблема.