When using SSL for Remote Agents in Bamboo they cannot connect with no cipher suites in common error

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

プラットフォームについて: Server および Data Center のみ。この記事は、Server および Data Center プラットフォームのアトラシアン製品にのみ適用されます。

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Fisheye および Crucible は除く

    

要約

After enabling SSL on Bamboo's JMS broker, some agents are failing to connect with: Received fatal alert: handshake_failure. javax.net.ssl.SSLHandshakeException: no cipher suites in common is present in the Bamboo server side logging.

診断

Inside the Bamboo Server side logs $BAMBOO_HOME/logs/atlassian-bamboo.log there is a no cipher suites in common error when the agent tries to connect:

2021-01-10 01:54:31,336 WARN [ActiveMQ Transport: ssl:///192.168.1.128:53856] [Transport] Transport Connection to: tcp://192.168.1.128:53856 failed: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: no cipher suites in common


Inside the $BAMBOO_REMOTE_AGENT/atlassian-bamboo-agent.log we can see it failing with a handshake_failure:

INFO   | jvm 23   | 2021/01/10 02:03:45 | Caused by: org.springframework.remoting.RemoteAccessException: Could not access JMS invoker queue [queue://com.atlassian.bamboo.registrationQueue]; nested exception is javax.jms.IllegalStateException: javax.jms.JMSException: Received fatal alert: handshake_failure
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at org.springframework.jms.remoting.JmsInvokerClientInterceptor.convertJmsInvokerAccessException(JmsInvokerClientInterceptor.java:432)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at org.springframework.jms.remoting.JmsInvokerClientInterceptor.invoke(JmsInvokerClientInterceptor.java:207)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at com.sun.proxy.$Proxy24.registerAgent(Unknown Source)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at com.atlassian.bamboo.v2.build.agent.remote.AgentRegistrationBean.registerAgent(AgentRegistrationBean.java:52)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at java.lang.reflect.Method.invoke(Method.java:498)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleElement.invoke(InitDestroyAnnotationBeanPostProcessor.java:363)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleMetadata.invokeInitMethods(InitDestroyAnnotationBeanPostProcessor.java:307)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:136)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	... 22 more

You can also enable -Djavax.net.debug=all on both the Bamboo Server and Remote Agent if you wish to get additional information from the SSL Handshake to see which ciphers the agent is advertising in the ClientHello and what the server supports. The argument should be added as follows:

  • Bamboo Server: Configuring your system properties 
  • Remote Agent: $BAMBOO_AGENT_HOME/conf/wrapper.conf 
    • E.g. wrapper.java.additional.x=-Djavax.net.debug=all 
    • Where x is the next number in the sequence of additional properties.

原因

The use of some required ciphers have been restricted in the java security policy and the server and client don't have an overlap of compatible ciphers to complete the handshake.

ソリューション

Review the java.security policy on the agent and server and ensure that it has not been customized to a set of algorithms that are too restrictive for the server and agent to agree on a cipher in the SSL Handshake.

  • $JAVA_HOME/jre/lib/security/java.security

For example, this is a working default as of Java 8 272:

jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224


jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL

Please note, there is also an additional property that can cause a different file to be sourced and its configuration appended to the java.security settings:

#
# Determines whether this properties file will be appended to
# using the system properties file stored at
# /etc/crypto-policies/back-ends/java.config
#
security.useSystemPropertiesFile=true

By default, this is set to false however if it is set to true, you should also review /etc/crypto-policies/back-ends/java.config (or equivalent depending on OS)


最終更新日: 2021 年 1 月 22 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.