Handshake failure when connecting to a Subversion repository using a SSL client certificate

Hello,

I'm in the process of evaluating the Bamboo 5.3 build server and I cannot access the SVN repository.

I'm running the Bamboo server in Windows, on http.

Here are the SVN settings for my build plan:
Repository URL: https://svn.domain.com/path/to/the/project

Authentication type: SSL Client Certificate
Private key: C:\my.p12
Passphrase: xxx

I'm getting this error:
This is not a valid Subversion Repository: svn: E170001: Authentication required for '<https://svn.domain.com:443>'



I enabled svnkit logging by changing the following line
set LOGGING_CONFIG=-Djava.util.logging.config.file="%CATALINA_BASE%\conf\logging.properties"
to
set LOGGING_CONFIG=-Djava.util.logging.config.file="%CATALINA_BASE%\conf\logging.properties.disabled"
after downloading the file logging.properties.disabled.

A note here: some pages in the help section on the Atlassian website (like this one https://confluence.atlassian.com/display/BAMBOO024/Debugging+Subversion+connection+in+Bamboo) refer to using a wrapper.conf file that doesn't exist.

After a restart, I see this in the svnkit.0.log.0 file:

Jan 10, 2014 4:42:14 PM org.tmatesoft.svn.core.internal.util.DefaultSVNDebugLogger log
FINE: DEFAULT: socket output stream requested...
Jan 10, 2014 4:42:14 PM org.tmatesoft.svn.core.internal.util.DefaultSVNDebugLogger log
FINE: NETWORK: Received fatal alert: handshake_failure
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1959)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at org.tmatesoft.svn.core.internal.util.SVNLogOutputStream.flush(SVNLogOutputStream.java:48)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.sendData(HTTPConnection.java:311)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPRequest.dispatch(HTTPRequest.java:168)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:444)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:362)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:350)
at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.performHttpRequest(DAVConnection.java:708)
at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.exchangeCapabilities(DAVConnection.java:628)
at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.open(DAVConnection.java:103)
at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.openConnection(DAVRepository.java:1016)
at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.testConnection(DAVRepository.java:99)
at com.atlassian.bamboo.repository.svn.SvnRepository.validate(SvnRepository.java:1034)
...


I assumed I need to add the SVN server certificate chain to the Java trust store.
My JAVA_HOME is C:\Program Files\Java\jdk1.7.0_45
The certificate path for the server certificate looks like this:
MYROOTCA
MYENTERPRISECA3
SVNSERVERCERT

I exported the 2 certificates to 2 crt files and imported them like this:
keytool -import -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -trustcacerts -alias myrootca -file MYROOTCA.crt
keytool -import -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -trustcacerts -alias myenterpriseca -file MYENTERPRISECA3.crt

but I get the same error.


The MYROOTCA is also imported in the Trusted Root Certification Authorities store in LocalMachine.

If I run the svn command line against the SVN repository, with the following line added to the ...\AppData\Roaming\Subversion\servers:
ssl-client-cert-file=C:\my.p12
after being prompted for the passphrase, everything works fine.

Please let me know what I should do. Which certificate trust store is used by Bamboo?

Thank you.

5 answers

We had a lot of trouble with this. Bamboo uses whichever cert store you configured for the Java that Bamboo runs under, so you're on your own there (I have no idea what your install looks like; check your JAVA_HOME system variable or look at your config file to see if it is defined there). It may also help to use the following arguments.

svn command (with the following as arguments)

--username <YourUsername> --password <YourPassword> -m "Comment if desired otherwise omit the -m and this string in quotes" --non-interactive --trust-server-cert --config-option servers:global:http-auth-types=BASIC

If we don't use these arguments (particularly those shown after the comment) then we get the cert error regardless of the certs. Part of your problem may also be that, unless you specify the user, the SVN command tends to use the bamboo user (that the service runs under) when you use svn commands in a command task or script task rather than using the svn tasks (which are sometimes necessary).

Try the arguments first.

The version of Java you're running under is also important. SVNKit does not play well with IBM Java (extremely bad performance). Use one of the approved Java versions for Bamboo.

Thanks for the answer, Gretchen, but I don't understand how to apply your suggestions.

The svn command line tool works fine with my certificate. The SVN server is configured to accept a client certificate, not user/pass credentials.

Regarding the trusted key store for my Java install, as I wrote in the description of my question above, I added the certificates to the default Java store of my installation, with no positive effect.

I have the jdk1.7.0_45 Java installation from the Oracle website.

Okay, I see what you're doing. We do have SSL set up but use the password option and have a user configured for that purpose with both svn and Bamboo access. Are you running the command line as the same user that the Bamboo service runs as? If not, you may need a client cert for that user. It has to do with the SSL certs being stored in the named user part of the registry rather than current user, which is not terribly intuitive. Not that I know that much about certs (which should be obvious by now).

We still needed the certs imported to the cert store for server access and additionally use the password. I haven't tried just using the SSL client certs setting. My bad.

Yes, this is what I'm trying to figure out. Where should I import the certificates I mention in my question so that the client (bamboo, svnkit ... ) will accept the server SSL certificate?

Do you know if this is the right place to ask this to get an answer from someone from the technical support?

I think the trick is to be able to log in to the Bamboo host with the same account that Bamboo runs as a service under (you might try using a runas approach, but I don't use that much so can't say if it would work or not).

We weren't able to log in as the Bamboo service user due to security restrictions and thus had to use a different approach.

Import them into the same Java SSL cert store that you're running Bamboo under. That should be your JAVA_HOME, but again you must be logged in as the Bamboo service account to get it imported under the correct user.

You could try tech support or you might try getting an answer on one of the SSL forums somewhere. (Since it's really not Bamboo that can't connect but svn running as the bamboo user, which is Java and svn interacting, I think.)

Hi Paul,

I think the "handshake_failure" error message is just a nested exception and not the real cause of the problem.

I have almost the same problem, with the difference that our company's Subversion server requires a passphrase-protected SSL client certificate + svn user credentials.

I couldn't figure out how to use the Bamboo authentication options "Password" and "SSL Client Certificate" to provide both a client passphrase and SVN credentials.

I also turned the SVNKit-Logging on and got the following errors / exceptions:

  • Authentication type "SSL Client Certificate" providing an absolute path to the .p12 file, the client passphrase and the SVN username:

This is not a valid Subversion Repository: svn: E170001: Authentication required for '<https://svn.company-domain.com:443>'.

SVNKit log:

Feb 13, 2014 5:38:17 PM org.tmatesoft.svn.core.internal.util.DefaultSVNDebugLogger log

FINE: NETWORK: exception decrypting data - java.security.InvalidKeyException: Illegal key size

...

STACKTRACE

...

FINE: NETWORK: Received fatal alert: handshake_failure

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

  • Authentication type "Password", providing the SVN user credentials. The path to the SSL certificate is already configured inside the $HOME/.subversion/servers file of the user running Bamboo:

This is not a valid Subversion Repository: svn: E170001: Authentication required for '/home/bamboo/ssl/svn-sslcert-20141008.p12'

SVNKit log:

FINE: NETWORK: PKCS12 key store mac invalid - wrong password or corrupted file.

...

STACKTRACE

...

FINE: NETWORK: Received fatal alert: handshake_failure

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

So I thought maybe I should put both the path to the SSL certificate and the passphrase (in plain text!) into the $HOME/.subversion/servers file, to get the SSL part "pre-configured" for the Bamboo SVN client, and I tried again.

  • Authentication type "Password", providing the svn user credentials

This is not a valid Subversion Repository: svn: E170001: Authentication required for '/home/bamboo/ssl/svn-sslcert-20141008.p12'

SVNKit log:

FINE: NETWORK: exception decrypting data - java.security.InvalidKeyException: Illegal key size.

...

STACKTRACE

...

FINE: NETWORK: Received fatal alert: handshake_failure

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Yesterday I raised a support issue with Atlassian, which you can watch here: https://support.atlassian.com/browse/BSP-12821.

Thanks for the info, Wahid. I cannot access the link to the issue you posted (not enough rights), but in the meantime I got in touch with the technical support team and managed to advance a bit further with the issue.

The initial problem was that the root certificate for the SVN server needed to be imported in "C:\Program Files\Java\jre7\lib\security\cacerts" instead of "%JAVA_HOME%\jre\lib\security\cacerts". Maybe this is helpful for you.

Nevertheless, we put the installation of the build server on hold for the moment, so I gave up on this for now.

Good luck.
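
An added diagnostic, not part of the thread and not Bamboo or SVNKit code: it checks from inside the JVM the points raised in the two posts above (which JRE trust store is actually read, whether the imported CA aliases are in it, and whether this JVM can open the client .p12). The class name and the alias arguments are assumptions; the JCE policy check is included because the limited-strength policy is a common cause of `InvalidKeyException: Illegal key size` on JDK 7.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.Cipher;

// Added diagnostic (hypothetical class name). Run it with the same java binary,
// and as the same OS user, that starts Bamboo.
// Usage: java TlsClientCertCheck <client.p12> [ca-alias ...]
public class TlsClientCertCheck {
    public static void main(String[] args) throws Exception {
        // 1. Which JRE is running, and which trust store does JSSE read by default?
        String home = System.getProperty("java.home");
        File secDir = new File(home, "lib/security");
        File store = new File(secDir, "jssecacerts");       // JSSE looks here first
        if (!store.isFile()) store = new File(secDir, "cacerts");
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) store = new File(override);    // a -D override wins
        System.out.println("java.home   = " + home);
        System.out.println("trust store = " + store.getAbsolutePath());
        // 2. Are the CA aliases imported with keytool present in *this* store?
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(store)) {
            ts.load(in, null);  // null password: read entries, skip integrity check
        }
        for (int i = 1; i < args.length; i++) {
            System.out.println("alias " + args[i] + " present: " + ts.containsAlias(args[i]));
        }
        // 3. JCE policy: 128 means the limited-strength policy files are active,
        //    so keys or PKCS#12 encryption above that size cannot be used.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("max AES key length = " + maxAes
                + (maxAes < 256 ? " (limited-strength JCE policy)" : " (unlimited)"));
        // 4. Can this JVM open the client PKCS#12 with the passphrase?
        if (args.length == 0 || System.console() == null) return;
        char[] pass = System.console().readPassword("PKCS#12 passphrase: ");
        if (pass == null) return;
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            p12.load(in, pass);
            System.out.println("PKCS#12 opened, entries: " + p12.size());
        } catch (Exception e) {
            System.out.println("PKCS#12 load failed (passphrase, file or cipher): " + e);
        } finally {
            Arrays.fill(pass, '\0');  // do not leave the passphrase in memory
        }
    }
}
```

The passphrase is read from the console rather than passed as an argument so it does not end up in shell history or the process list.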

Hi Paul,

Thanks.

I thought importing the root certificate into the JDK keystore was only needed if a self-signed SSL server certificate is in use (e.g. https://confluence.atlassian.com/display/BAMKB/Unable+to+Connect+to+SSL+Services+due+to+PKIX+Path+Building+Failed+sun.security.provider.certpath.SunCertPathBuilderException).

We are using a CA-verified root certificate.

Atlassian is still investigating my reported issue. I hope they help us to get a solution to this issue soon. Later, I will probably give your suggested fix a try and let you know.

Have you tried setting the SSL config in Bamboo to use SSLv3?

svnkit.http.sslProtocols=SSLv3

Hi John,

I found this Bamboo knowledge base article, saying that the SVNKit option "svnkit.http.sslProtocols=SSLv3" had to be set when using JDK 1.6 and SSLv3-only servers: https://confluence.atlassian.com/display/BAMKB/This+is+not+a+valid+Subversion+Repository%3A+svn%3A+Received+fatal+alert%3A+bad_record_mac+svn%3A+OPTIONS+request+failed+on

As mentioned above, my main issue is that our Subversion server has such a 2-way authentication: passphrase-protected SSL client certificate + SVN user credentials. However, Bamboo provides only either SSL certificate based authentication or svn user/password.

For any tips I would be very thankful.

Hi Wahid

Is this happening when a build is triggered or when Bamboo calls checkout/update?

Have you cached the Subversion username and password for the build user on your Bamboo server?

Hi John,

Sorry for the late answer.

This happens right when I want to configure a Subversion repository in Bamboo's Admin.

Yes, I cached the username and password (in plain text) of the subversion user, but no way.

Then I also tried this: in the $HOME directory of the user running Bamboo, there's also a Subversion config directory $HOME/.subversion. There I thought I could provide the SSL certificate information "in advance" by adding these lines to the file $HOME/.subversion/servers:

[groups]
project1 = svn.our-company-domain.com

[project1]
ssl-authority-files = /home/bamboo/ssl/CARootCer.pem
ssl-client-cert-file = /home/bamboo/ssl/client-ssl-cert.p12
ssl-client-cert-password = passphrase-in-plain-text

[global]
ssl-trust-default-ca = yes

