[JIRA] (JENKINS-44787) AWS Simple AD stopped working
Félix Belzunce Arcos resolved as Fixed

This should be fixed as active-directory-2.14

Jenkins / JENKINS-44787 AWS Simple AD stopped working
Change By: Félix Belzunce Arcos
Status: In Progress -> Resolved
Resolution: Fixed
Released As: active-directory-2.14

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)
--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-44787) AWS Simple AD stopped working
Félix Belzunce Arcos edited a comment on JENKINS-44787

Re: AWS Simple AD stopped working

This issue should be fixed in: https://github.com/jenkinsci/active-directory-plugin/pull/93
[JIRA] (JENKINS-44787) AWS Simple AD stopped working
Félix Belzunce Arcos commented on JENKINS-44787

Re: AWS Simple AD stopped working

This issue should be fixed in: https://github.com/jenkinsci/active-directory-plugin/pull/92
[JIRA] (JENKINS-44787) AWS Simple AD stopped working
Félix Belzunce Arcos updated an issue

Jenkins / JENKINS-44787 AWS Simple AD stopped working
Change By: Félix Belzunce Arcos
URL: https://github.com/jenkinsci/active-directory-plugin/pull/92
[JIRA] (JENKINS-44787) AWS Simple AD stopped working
Félix Belzunce Arcos edited a comment on JENKINS-44787

Re: AWS Simple AD stopped working

To debug this issue - or any other in the active directory plugin - you need to create a custom logger under *Manage Jenkins -> System Log* for {{hudson.plugins.active_directory}}.

This particular issue seems to be related to the fact that StartTls option is not working properly. In case StartTls connection does not work correctly, the plugin should automatically fall back into the plain-text communication. The problem is that when StartTls fails with an Exception, then the fallback does not work in all the cases.

I was able to reproduce this issue launching a {{CertPathValidatorException}}. In this case, it is not even a possibility to just close the startTLS connection and to re-create the full {{LdapContext}} is needed.

{code:java}
2019-04-30 15:44:58.322+ [id=48] FINE h.p.a.ActiveDirectorySecurityRealm$DescriptorImpl#bind: Failed to start TLS. Authentication will be done via plain-text LDAP
java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: 1.2.840.113549.1.1.10
    at sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:278)
    at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1116)
Caused: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
    at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1120)
    at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1044)
    at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:986)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
Caused: javax.net.ssl.SSLHandshakeException
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at com.sun.jndi.ldap.ext.StartTlsResponseImpl.startHandshake(StartTlsResponseImpl.java:353)
    at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:217)
    at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:658)
    at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:628)
    at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:575)
    at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider$1.call(ActiveDirectoryUnixAuthenticationProvider.java:358)
    at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider$1.call(ActiveDirectoryUnixAuthenticationProvider.java:341)
    at com.google.common.cache.LocalCache$LocalManualCac
[JIRA] (JENKINS-44787) AWS Simple AD stopped working
Félix Belzunce Arcos started work on JENKINS-44787

Change By: Félix Belzunce Arcos
Status: Open -> In Progress
[JIRA] (JENKINS-44787) AWS Simple AD stopped working
Félix Belzunce Arcos commented on JENKINS-44787

Re: AWS Simple AD stopped working

To debug this issue - or any other in the active directory plugin - you need to create a custom logger under Manage Jenkins -> System Log for hudson.plugins.active_directory.

This particular issue seems to be related to the fact that StartTls option is not working properly. In case StartTls connection does not work correctly, the plugin should automatically fall back into the plain-text communication. The problem is that when StartTls fails with an Exception, then the fallback does not work in all the cases.

I think the problem is that when the Exception happens we should close the StartTls channel for the plain connection to be able to work correctly.

2019-04-30 15:44:58.322+ [id=48] FINE h.p.a.ActiveDirectorySecurityRealm$DescriptorImpl#bind: Failed to start TLS. Authentication will be done via plain-text LDAP
java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: 1.2.840.113549.1.1.10
    at sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:278)
    at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1116)
Caused: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
    at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1120)
    at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1044)
    at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:986)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
Caused: javax.net.ssl.SSLHandshakeException
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at com.sun.jndi.ldap.ext.StartTlsResponseImpl.startHandshake(StartTlsResponseImpl.java:353)
    at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:217)
    at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:658)
    at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:628)
    at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$DescriptorImpl.bind(ActiveDirectorySecurityRealm.java:575)
    at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider$1.call(ActiveDirectoryUnixAuthenticationProvider.java:358)
    at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider$1.call(ActiveDirectoryUnixAuthenticationProvider.java:341)
    at com.google.common.cache.LocalCache$LocalManualCache$1.load(
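
Added example, not part of the Jira thread or of the plugin's code: a Python scan of a Jenkins log captured from the hudson.plugins.active_directory logger that finds each "Failed to start TLS" fallback to plain-text LDAP and reports the root exception and the rejected signature-algorithm OID. The sample log is constructed (the first entry is abridged from the trace quoted above, the other entries are invented), and the OID table is a small assumed subset.

```python
import re

# Assumed subset of X.509 signature-algorithm OIDs, for readable reports.
OID_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.10": "RSASSA-PSS",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

# Record header as shown in the thread: timestamp, [id=N], level, logger, message.
HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} [\d:.]+\+\d*) \[id=(\d+)\]\s+(\w+)\s+(\S+): (.*)$")
FALLBACK = "Failed to start TLS"
OID = re.compile(r"signature algorithm: (\d+(?:\.\d+)+)")

# Constructed sample log (abridged from the quoted trace, plus invented entries).
SAMPLE_LOG = """\
2019-04-30 15:44:58.322+ [id=48] FINE h.p.a.ActiveDirectorySecurityRealm$DescriptorImpl#bind: Failed to start TLS. Authentication will be done via plain-text LDAP
java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: 1.2.840.113549.1.1.10
    at sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:278)
Caused: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
    at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1120)
Caused: javax.net.ssl.SSLHandshakeException
2019-04-30 15:45:02.010+ [id=51] FINE h.p.a.ActiveDirectorySecurityRealm$DescriptorImpl#bind: Binding as svc-jenkins
2019-04-30 15:46:10.500+ [id=52] FINE h.p.a.ActiveDirectorySecurityRealm$DescriptorImpl#bind: Failed to start TLS. Authentication will be done via plain-text LDAP
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
"""

def find_plaintext_fallbacks(log_text):
    """Return one dict per StartTLS failure that fell back to plain-text LDAP."""
    events, current = [], None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            current = None  # a new record ends the previous stack trace
            ts, thread, _level, logger, msg = header.groups()
            if FALLBACK in msg:
                current = {"time": ts, "thread": int(thread), "logger": logger,
                           "root_cause": None, "oid": None, "algorithm": None}
                events.append(current)
            continue
        text = line.strip()
        if current is None or not text or text.startswith(("at ", "Caused")):
            continue
        if current["root_cause"] is None:
            # Jenkins prints the root cause first and its wrappers as "Caused:".
            current["root_cause"] = text.split(":", 1)[0]
            match = OID.search(text)
            if match:
                current["oid"] = match.group(1)
                current["algorithm"] = OID_NAMES.get(match.group(1), "unknown")
    return events
```

An event with an OID means the JVM rejected the directory server's certificate for its signature algorithm; an event without one failed the handshake for some other reason.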