Closed
Bug 1200205
Opened 9 years ago
Closed 9 years ago
Jenkins downloads are stopped, javax.net.ssl.SSLException: Could not generate DH keypair
Categories
(Firefox OS Graveyard :: Gaia::UI Tests, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: jlorenzo, Unassigned)
References
Details
No download on mozilla-central has happened since August 29th
Reporter | ||
Comment 1•9 years ago
|
||
It actually happened on every job using pvtbuilds. TaskCluster jobs are not affected.
Reporter | ||
Comment 2•9 years ago
|
||
I managed to run the download job manually. As the job uses wget, there is a problem with either:
* pvtbuild having its SSL configuration changed
* the proxy
* or the URLTrigger plugin
* or Jenkins
* or The Java version we use
As none of the 3 last have changed, I'm suspecting the 1st or the 2nd option.
After looking up, it seems like a newer version of Java would solve the problem. I upgraded Java to 1.7.0.76 and rebooted Jenkins. Nothing as changed.
For reference, here are the logs:
> Polling started on Aug 31, 2015 7:06:02 AM
> Polling for the job flame-kk.mozilla-central.nightly.download
> Looking nodes where the poll can be run.
> Looking for a candidate node to run the poll.
> Trying to find an eligible node with the assigned project label master.
>
> Polling on master.
> Using Basic Authentication with the user 'jenkinsqa'
> Invoking the url:
> https://pvtbuilds.mozilla.org/pvt/mozilla.org/b2gotoro/nightly/mozilla-central-flame-kk-eng/latest/sources.xml
> [ERROR] - Polling error...
> [ERROR] - Error message: javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
> [ERROR] - Error cause: java.lang.RuntimeException: Could not generate DH keypair
Reporter | ||
Comment 3•9 years ago
|
||
In bug 1137834, it's mentioned that the Squid configuration will change again. I don't have access to bug 1137834. Peter, has any change landed around Aug 29th?
Flags: needinfo?(pradcliffe+bugzilla)
See Also: → 1198316
Comment 4•9 years ago
|
||
bug 1137834 is a bug to upgrade puppet, it makes no mention of squid configuration. I'm not aware of any config changes just fallout from bug 1199982
Flags: needinfo?(pradcliffe+bugzilla)
Reporter | ||
Comment 5•9 years ago
|
||
:digi mentioned an update that fixed some SSL problems (bug 1195876). :atoll, how could we test that Jenkins is failing against one of the SSL patches that happened in bug 1195876?
Flags: needinfo?(rsoderberg)
See Also: → 1195876
Zeus unexpectedly changes the DH keysize default from 1024 to 2048. I reverted that change *for now*. This will fix Jenkins. I apologize for the issue, this was not an intentional event. (DH security fixes were unrelated to keysize.) However. We will eventually be required to go to DH 2048 regardless of the breakage it causes to Java 6 clients. Please begin taking steps to upgrade your Jenkins instance to Java 7. We've been delaying the DH1024->2048 upgrade for several months already due to this precise issue, but eventually a security event will force us to ship DH2048 regardless of the breakage to Java clients.
Flags: needinfo?(rsoderberg)
Reporter | ||
Comment 7•9 years ago
|
||
I checked the status of the plugin, it's back working. Thanks Richard! Regarding the Java version, that's bizarre. The one installed on the machine is the latest Java 7 (like said in comment 2). Maybe the Jenkins plugin is plugged to an old dependency.
Sorry, off by one error. Java 7 caps out at DH 1024. Java 8+ permit DH 2048.
(In reply to Johan Lorenzo [:jlorenzo] (QA) from comment #2) > After looking up, it seems like a newer version of Java would solve the > problem. I upgraded Java to 1.7.0.76 and rebooted Jenkins. Nothing as > changed. All Java 7 (1.7.x.y) would be affected, Java 8 (1.8.x.y) would be required.
You need to log in
before you can comment on or make changes to this bug.
Description
•