
Handshake failure when connecting to a Subversion repository using a SSL client certificate

Paul Marculescu January 9, 2014

Hello,

I'm in the process of evaluating the Bamboo 5.3 build server and I cannot access the SVN repository.

I'm running the Bamboo server in Windows, on http.

Here are the SVN settings for my build plan:
Repository URL: https://svn.domain.com/path/to/the/project

Authentication type: SSL Client Certificate
Private key: C:\my.p12
Passphrase: xxx

I'm getting this error:
This is not a valid Subversion Repository: svn: E170001: Authentication required for '<https://svn.domain.com:443>'



I enabled svnkit logging by changing the following line
set LOGGING_CONFIG=-Djava.util.logging.config.file="%CATALINA_BASE%\conf\logging.properties"
to
set LOGGING_CONFIG=-Djava.util.logging.config.file="%CATALINA_BASE%\conf\logging.properties.disabled"
after downloading the file logging.properties.disabled.

A note here, some pages in the help section on atlassian website (like this one https://confluence.atlassian.com/display/BAMBOO024/Debugging+Subversion+connection+in+Bamboo) refer to using a wrapper.conf file that doesn't exist.

After a restart, I see this in the svnkit.0.log.0 file:

Jan 10, 2014 4:42:14 PM org.tmatesoft.svn.core.internal.util.DefaultSVNDebugLogger log
FINE: DEFAULT: socket output stream requested...
Jan 10, 2014 4:42:14 PM org.tmatesoft.svn.core.internal.util.DefaultSVNDebugLogger log
FINE: NETWORK: Received fatal alert: handshake_failure
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1959)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at org.tmatesoft.svn.core.internal.util.SVNLogOutputStream.flush(SVNLogOutputStream.java:48)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.sendData(HTTPConnection.java:311)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPRequest.dispatch(HTTPRequest.java:168)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:444)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:362)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:350)
at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.performHttpRequest(DAVConnection.java:708)
at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.exchangeCapabilities(DAVConnection.java:628)
at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.open(DAVConnection.java:103)
at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.openConnection(DAVRepository.java:1016)
at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.testConnection(DAVRepository.java:99)
at com.atlassian.bamboo.repository.svn.SvnRepository.validate(SvnRepository.java:1034)
...


I assumed I need to add the SVN server certificate chain to JAVA trust store.
My JAVA_HOME is C:\Program Files\Java\jdk1.7.0_45
The certificate path for the server certificate looks like this:
MYROOTCA
MYENTERPRISECA3
SVNSERVERCERT

I exported the 2 certificates to 2 crt files and imported them like this:
keytool -import -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -trustcacerts -alias myrootca -file MYROOTCA.crt
keytool -import -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -trustcacerts -alias myenterpriseca -file MYENTERPRISECA3.crt

but I get the same error.


The MYROOTCA is also imported in the Trusted Root Certification Authorities store in LocalMachine.

If I run the svn command line against the SVN repository, with the following line added to the ...\AppData\Roaming\Subversion\servers:
ssl-client-cert-file=C:\my.p12
after being prompted for the passphrase, everything works fine.

Please let me know what I should do. Which certificate trust store is used by Bamboo?

Thank you.

5 answers

0 votes
Wahid Atif March 13, 2014

Hi John,

sorry for the late answer.

This happens right when I want to configure a Subversion repository on Bamboo's Admin.

Yes, I cached the username and password (in plain text) from the subversion user, but no way.

Then I also tried this: in the $HOME directory of the user running Bamboo, there's also a Subversion config directory $HOME/.subversion. There I thought I could provide the SSL certificate information "in advance" by adding these lines to the file $HOME/.subversion/servers:

[groups]
project1 = svn.our-company-domain.com

[project1]
ssl-authority-files = /home/bamboo/ssl/CARootCer.pem
ssl-client-cert-file = /home/bamboo/ssl/client-ssl-cert.p12
ssl-client-cert-password = passphrase-in-plain-text

[global]
ssl-trust-default-ca = yes


0 votes
John Bowker February 18, 2014

Hi Wahid

Is this happening when a build is triggered or when Bamboo calls checkout/update?

Have you cached the Subversion username and password for the build user on your Bamboo server?

0 votes
John Bowker February 18, 2014

Have you tried setting the SSL config in Bamboo to use SSLv3?

svnkit.http.sslProtocols=SSLv3

Wahid Atif February 18, 2014

Hi John,

I found this Bamboo's knowledge base article, saying that this SVNKit option "svnkit.http.sslProtocols=SSLv3" had to be set when using JDK 1.6 and SSLv3-only servers: https://confluence.atlassian.com/display/BAMKB/This+is+not+a+valid+Subversion+Repository%3A+svn%3A+Received+fatal+alert%3A+bad_record_mac+svn%3A+OPTIONS+request+failed+on

As mentioned above, my main issue is that our Subversion server has such a 2-way authentication: passphrase-protected SSL client certificate + SVN user credentials. However, Bamboo provides only either an SSL certificate based authentication or SVN user/password.

For any tips I would be very thankful.

0 votes
Wahid Atif February 13, 2014

Hi Paul,

I think the "handshake_failure error message" is just a nested exception and not the real cause of the problem.

I have almost the same problem, with the difference that our company's Subversion server requires a passphrase protected ssl client certificate + svn user credentials.

I couldn't figure out how to use the Bamboo authentication options "Password" and "SSL Client Certificate" to provide both a client passphrase and SVN credentials.

I also turned the SVNKit-Logging on and got the following errors / exceptions:

  • Authentication type "SSL Client Certificate" providing an absolute path to the .p12 file, the client passphrase and the SVN username:

This is not a valid Subversion Repository: svn: E170001: Authentication required for '<https://svn.company-domain.com:443>'.

SVNKit log:

Feb 13, 2014 5:38:17 PM org.tmatesoft.svn.core.internal.util.DefaultSVNDebugLogger log

FINE: NETWORK: exception decrypting data - java.security.InvalidKeyException: Illegal key size

...

STACKTRACE

...

FINE: NETWORK: Received fatal alert: handshake_failure

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

  • Authentication type "Password", providing the SVN user credentials. The Path to the SSL certificate is already configured inside the $HOME/.subversion/servers file of the user running Bamboo:

This is not a valid Subversion Repository: svn: E170001: Authentication required for '/home/bamboo/ssl/svn-sslcert-20141008.p12'

SVNKit log:

FINE: NETWORK: PKCS12 key store mac invalid - wrong password or corrupted file.

...

STACKTRACE

...

FINE: NETWORK: Received fatal alert: handshake_failure

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

So I thought maybe I should put both the path to the SSL certificate and the passphrase (in plain text!) into the $HOME/.subversion/servers file, to get the SSL part ready "pre-configured" for the Bamboo SVN client, and I tried again.

  • Authentication type "Password", providing the svn user credentials

This is not a valid Subversion Repository: svn: E170001: Authentication required for '/home/bamboo/ssl/svn-sslcert-20141008.p12'

SVNKit log:

FINE: NETWORK: exception decrypting data - java.security.InvalidKeyException: Illegal key size.

...

STACKTRACE

...

FINE: NETWORK: Received fatal alert: handshake_failure

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

I raised a support issue with Atlassian yesterday, which you can watch here: https://support.atlassian.com/browse/BSP-12821.

Paul Marculescu February 13, 2014

Thanks for info, Wahid. I cannot access the link to the issue you posted (not enough rights), but in the meantime I got in touch with the technical support team and managed to advance a bit further with the issue.

The initial problem was that the root certificate for the SVN server needed to be imported in "C:\Program Files\Java\jre7\lib\security\cacerts" instead of "%JAVA_HOME%\jre\lib\security\cacerts". Maybe this is helpful for you.

Nevertheless, we put the installation of the build server on hold for the moment, so I gave up on this for now.

Good luck.
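
To confirm which trust store a given JVM actually reads (the cacerts mix-up described above) and whether that JVM can open the client .p12, a small check like the following can be run with the same java executable as the Bamboo service; it also prints the maximum AES key length, because the limited-strength JCE policy of older JVMs is a known source of "InvalidKeyException: Illegal key size". This is an added example, not part of the original thread and not Bamboo or SVNKit code; the class name TlsClientAuthCheck and the argument order are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collections;
import javax.crypto.Cipher;

// Added diagnostic (hypothetical class, not Bamboo or SVNKit code).
// Usage: java TlsClientAuthCheck <ca-cert-file> <client.p12>
public class TlsClientAuthCheck {
    // Default JSSE trust store: javax.net.ssl.trustStore if set, otherwise
    // jssecacerts, otherwise cacerts, both under <java.home>/lib/security.
    static Path defaultTrustStore() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) return Paths.get(override);
        Path dir = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = dir.resolve("jssecacerts");
        return Files.exists(jsse) ? jsse : dir.resolve("cacerts");
    }

    public static void main(String[] args) throws Exception {
        Path store = defaultTrustStore();
        System.out.println("java.home   : " + System.getProperty("java.home"));
        System.out.println("trust store : " + store);
        // Is the CA certificate in that store? A null password reads the entries
        // without verifying the store's integrity checksum.
        Certificate ca;
        try (InputStream in = new FileInputStream(args[0])) {
            ca = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(store)) { trust.load(in, null); }
        String alias = trust.getCertificateAlias(ca);
        System.out.println("CA in store : " + (alias != null ? "yes, alias " + alias : "NO"));
        // 128 means the limited-strength JCE policy is active.
        System.out.println("max AES bits: " + Cipher.getMaxAllowedKeyLength("AES"));
        // Can this JVM open the client key store? Needs an interactive console,
        // so the passphrase never appears on the command line.
        char[] pass = System.console().readPassword("PKCS#12 passphrase: ");
        try (InputStream in = new FileInputStream(args[1])) {
            KeyStore p12 = KeyStore.getInstance("PKCS12");
            p12.load(in, pass);
            for (String a : Collections.list(p12.aliases()))
                if (p12.isKeyEntry(a) && p12.getKey(a, pass) != null)
                    System.out.println("client key  : readable, alias " + a);
        } catch (Exception e) {
            System.out.println("client key  : FAILED - " + e);
        }
    }
}
```

If "java.home" printed here differs from the directory whose cacerts file was passed to keytool, the import went into a store this JVM never reads.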

Wahid Atif February 18, 2014

Hi Paul,

Thanks.

I thought importing the root certificate into the JDK keystore was only needed if a self-signed SSL server certificate is in use (e.g. https://confluence.atlassian.com/display/BAMKB/Unable+to+Connect+to+SSL+Services+due+to+PKIX+Path+Building+Failed+sun.security.provider.certpath.SunCertPathBuilderException).

We are using a CA-verified root certificate.

Atlassian is still investigating my reported issue. I hope, they help us to get a solution to this issue soon. Later, I will probably give your suggested fix a try and let you know.

0 votes
Gretchen
Rising Star
January 12, 2014

We had a lot of trouble with this. Bamboo uses whichever certstore you configured as your java that bamboo runs under, so you're on your own there (I have no idea what your install looks like; check your JAVA_HOME system variable or look at your config file to see if it is defined there). It may also help to use the following arguments.

svn command (with the following as arguments)

--username <YourUsername> --password <YourPassword> -m "Comment if desired otherwise omit the -m and this string in quotes" --non-interactive --trust-server-cert --config-option servers:global:http-auth-types=BASIC

If we don't use these arguments (particularly those shown after comment) then we get the cert error regardless of the certs. Part of your problem may also be that unless you specify the user the SVN command tends to use the bamboo user (that the service runs under) when you use svn commands in a command task or script task rather than using the svn tasks. (which are sometimes necessary).

Try the arguments first.

The version of java you're running under is also important. SVNKit does not play well with IBM Java. (extremely bad performance). Use one of the approved JAVA versions for bamboo.

Paul Marculescu January 14, 2014

Thanks for the answer, Gretchen, but I don't understand how to apply your suggestions.

The svn command line tool works fine with my certificate. The SVN server is configured to accept client certificate, not using user/pass credentials.

Regarding the trusted key store for my JAVA install, as I wrote in the description of my question above, I added the certificates to the default java store from my installation, with no positive effect.

I have the jdk1.7.0_45 Java installation from the Oracle website.

Gretchen
January 14, 2014

Okay, I see what you're doing. We do have ssl setup but use the password option and have a user configured for that purpose with both svn and bamboo access. Are you running the commandline as the same user that the bamboo service runs as? If not, you may need a client cert for that user. It has to do with the ssl certs being stored in the named user part of the registry rather than current user which is not terribly intuitive. Not that I know that much about certs (which should be obvious by now).

We still needed the certs imported to the cert store for server access and additionally use the password. I haven't tried just using the SSL client certs setting. My bad.

Paul Marculescu January 16, 2014

Yes, this is what I'm trying to figure out. Where should I import the certificates I mention in my question so that the client (bamboo, svnkit ... ) will accept the server SSL certificate?

Do you know if this is the right place to ask this to get an answer from someone from the technical support?

Gretchen
January 16, 2014

I think the trick is to be able to log in to the bamboo host with the same account that bamboo runs as a service under. (You might try using a runas approach, but I don't use that much so can't say if it would work or not.)

We weren't able to log in as the bamboo service user due to security restrictions and thus had to use a different approach.

Import them into the same java ssl cert store that you're running bamboo under. That should be your JAVA_HOME but again you must be logged in as the bamboo service account to get it imported under the correct user.

You could try tech support or you might try getting an answer on one of the ssl forums somewhere. (Since it's really not bamboo that can't connect you but svn running as the bamboo user which is java and svn interacting I think)
