Closed Bug 1200205 Opened 9 years ago Closed 9 years ago

Jenkins downloads are stopped, javax.net.ssl.SSLException: Could not generate DH keypair

Categories

(Firefox OS Graveyard :: Gaia::UI Tests, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jlorenzo, Unassigned)

No download on mozilla-central has happened since August 29th
It actually happened on every job using pvtbuilds. TaskCluster jobs are not affected.
I managed to run the download job manually. As the job uses wget, there is a problem with either:
* pvtbuild having its SSL configuration changed
* the proxy
* or the URLTrigger plugin
* or Jenkins
* or the Java version we use

As none of the 3 last have changed, I'm suspecting the 1st or the 2nd option.

After looking up, it seems like a newer version of Java would solve the problem. I upgraded Java to 1.7.0.76 and rebooted Jenkins. Nothing has changed.

For reference, here are the logs:
> Polling started on Aug 31, 2015 7:06:02 AM
> Polling for the job flame-kk.mozilla-central.nightly.download
> Looking nodes where the poll can be run.
> Looking for a candidate node to run the poll.
> Trying to find an eligible node with the assigned project label master.
> 
> Polling on master.
> Using Basic Authentication with the user 'jenkinsqa'
> Invoking the url: 
>  https://pvtbuilds.mozilla.org/pvt/mozilla.org/b2gotoro/nightly/mozilla-central-flame-kk-eng/latest/sources.xml
> [ERROR] - Polling error...
> [ERROR] - Error message: javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
> [ERROR] - Error cause: java.lang.RuntimeException: Could not generate DH keypair
In bug 1137834, it's mentioned that the Squid configuration will change again. I don't have access to bug 1137834. Peter, has any change landed around Aug 29th?
Flags: needinfo?(pradcliffe+bugzilla)
See Also: → 1198316
bug 1137834 is a bug to upgrade puppet, it makes no mention of squid configuration.

I'm not aware of any config changes just fallout from bug 1199982
Flags: needinfo?(pradcliffe+bugzilla)
:digi mentioned an update that fixed some SSL problems (bug 1195876). :atoll, how could we test that Jenkins is failing against one of the SSL patches that happened in bug 1195876?
Flags: needinfo?(rsoderberg)
See Also: → 1195876
Zeus unexpectedly changed the DH keysize default from 1024 to 2048. I reverted that change *for now*. This will fix Jenkins. I apologize for the issue, this was not an intentional event. (DH security fixes were unrelated to keysize.)

However.

We will eventually be required to go to DH 2048 regardless of the breakage it causes to Java 6 clients. Please begin taking steps to upgrade your Jenkins instance to Java 7. We've been delaying the DH1024->2048 upgrade for several months already due to this precise issue, but eventually a security event will force us to ship DH2048 regardless of the breakage to Java clients.
Flags: needinfo?(rsoderberg)
I checked the status of the plugin, it's back working. Thanks Richard!

Regarding the Java version, that's bizarre. The one installed on the machine is the latest Java 7 (as said in comment 2). Maybe the Jenkins plugin is plugged to an old dependency.
Blocks: 1195876
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
See Also: 1195876
Sorry, off by one error. Java 7 caps out at DH 1024. Java 8+ permit DH 2048.
(In reply to Johan Lorenzo [:jlorenzo] (QA) from comment #2)
> After looking up, it seems like a newer version of Java would solve the
> problem. I upgraded Java to 1.7.0.76 and rebooted Jenkins. Nothing has
> changed.

All Java 7 (1.7.x.y) would be affected, Java 8 (1.8.x.y) would be required.
Blocks: 1222532
No longer blocks: 1222532
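
A way to check, on the JRE that actually runs Jenkins, the DH size limit described in the comments above. This is an added example, not code from this bug or from Jenkins; the class name `DhSizeProbe` and the constructed test primes are assumptions made for the illustration.

```java
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import javax.crypto.spec.DHParameterSpec;

// Added diagnostic (hypothetical class name): reports which DH prime sizes
// this JRE accepts for ephemeral key generation, the step behind the
// "Could not generate DH keypair" error in the polling log.
// Written in Java 6 syntax so it also compiles on the older runtimes.
public class DhSizeProbe {

    // Returns null on success, or the provider's error text on failure.
    static String tryDhKeyPair(int bits, SecureRandom rnd) {
        // Constructed parameters: a random probable prime of the requested
        // length with generator 2. Enough to exercise the provider's size
        // check; not suitable as real DH parameters.
        BigInteger p = BigInteger.probablePrime(bits, rnd);
        BigInteger g = BigInteger.valueOf(2);
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
            // Same kind of call a TLS client makes with the server's (p, g).
            kpg.initialize(new DHParameterSpec(p, g), rnd);
            kpg.generateKeyPair();
            return null;
        } catch (Exception e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        SecureRandom rnd = new SecureRandom();
        // Print the runtime in use: the Java on PATH is not necessarily
        // the one the Jenkins process was started with.
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));
        int[] sizes = {1024, 2048};
        for (int i = 0; i < sizes.length; i++) {
            String err = tryDhKeyPair(sizes[i], rnd);
            System.out.println("DH " + sizes[i] + ": "
                    + (err == null ? "OK" : "FAILED (" + err + ")"));
        }
    }
}
```

Compile it and run it with the same `java` binary that launches Jenkins; a FAILED line for 2048 means that runtime cannot complete a DHE handshake with a server offering 2048-bit parameters.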