Hello,
I'm in the process of evaluating the Bamboo 5.3 build server and I cannot access the SVN repository.
I'm running the Bamboo server in Windows, on http.
Here are the SVN settings for my build plan:
Repository URL: https://svn.domain.com/path/to/the/project
Authentication type: SSL Client Certificate
Private key: C:\my.p12
Passphrase: xxx
I'm getting this error:
This is not a valid Subversion Repository: svn: E170001: Authentication required for '<https://svn.domain.com:443>'
I enabled svnkit logging by changing the following line
set LOGGING_CONFIG=-Djava.util.logging.config.file="%CATALINA_BASE%\conf\logging.properties"
to
set LOGGING_CONFIG=-Djava.util.logging.config.file="%CATALINA_BASE%\conf\logging.properties.disabled"
after downloading the file logging.properties.disabled.
A note here: some pages in the help section of the Atlassian website (like this one https://confluence.atlassian.com/display/BAMBOO024/Debugging+Subversion+connection+in+Bamboo) refer to using a wrapper.conf file that doesn't exist.
After a restart, I see this in the svnkit.0.log.0 file:
Jan 10, 2014 4:42:14 PM org.tmatesoft.svn.core.internal.util.DefaultSVNDebugLogger log
FINE: DEFAULT: socket output stream requested...
Jan 10, 2014 4:42:14 PM org.tmatesoft.svn.core.internal.util.DefaultSVNDebugLogger log
FINE: NETWORK: Received fatal alert: handshake_failure
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1959)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at org.tmatesoft.svn.core.internal.util.SVNLogOutputStream.flush(SVNLogOutputStream.java:48)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.sendData(HTTPConnection.java:311)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPRequest.dispatch(HTTPRequest.java:168)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:444)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:362)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:350)
at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.performHttpRequest(DAVConnection.java:708)
at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.exchangeCapabilities(DAVConnection.java:628)
at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.open(DAVConnection.java:103)
at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.openConnection(DAVRepository.java:1016)
at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.testConnection(DAVRepository.java:99)
at com.atlassian.bamboo.repository.svn.SvnRepository.validate(SvnRepository.java:1034)
...
I assumed I need to add the SVN server certificate chain to JAVA trust store.
My JAVA_HOME is C:\Program Files\Java\jdk1.7.0_45
The certificate path for the server certificate looks like this:
MYROOTCA
MYENTERPRISECA3
SVNSERVERCERT
I exported the 2 certificates to 2 crt files and imported them like this:
keytool -import -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -trustcacerts -alias myrootca -file MYROOTCA.crt
keytool -import -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -trustcacerts -alias myenterpriseca -file MYENTERPRISECA3.crt
but I get the same error.
The MYROOTCA is also imported in the Trusted Root Certification Authorities store in LocalMachine.
If I run the svn command line against the SVN repository, with the following line added to the ...\AppData\Roaming\Subversion\servers:
ssl-client-cert-file=C:\my.p12
then, after being prompted for the passphrase, everything works fine.
Please let me know what I should do. Which certificate trust store is used by Bamboo?
Thank you.
Hi John,
sorry for the late answer.
This happens right when I want to configure a Subversion repository on Bamboo's Admin.
Yes, I cached the username and password (in plain text) from the subversion user, but no way.
Then I also tried this: in the $HOME directory of the user running Bamboo, there's also a Subversion config directory $HOME/.subversion, and there I thought I could provide the SSL certificate information "in advance" by adding these lines to the file $HOME/.subversion/servers
[groups]
project1 = svn.our-company-domain.com
[project1]
ssl-authority-files = /home/bamboo/ssl/CARootCer.pem
ssl-client-cert-file = /home/bamboo/ssl/client-ssl-cert.p12
ssl-client-cert-password = passphrase-in-plain-text
[global]
ssl-trust-default-ca = yes
Hi Wahid
Is this happening when a build is triggered or when Bamboo calls checkout/update?
Have you cached the Subversion username and password for the build user on your Bamboo server?
Have you tried setting the SSL config in Bamboo to use SSLv3?
svnkit.http.sslProtocols=SSLv3
Hi John,
I found this Bamboo's knowledge base article, saying that this SVNKit option "svnkit.http.sslProtocols=SSLv3" had to be set when using JDK 1.6 and SSLv3-only servers: https://confluence.atlassian.com/display/BAMKB/This+is+not+a+valid+Subversion+Repository%3A+svn%3A+Received+fatal+alert%3A+bad_record_mac+svn%3A+OPTIONS+request+failed+on
As mentioned above, my main issue is that our Subversion server has 2-way authentication: passphrase-protected SSL client certificate + SVN user credentials. However, Bamboo provides only either SSL certificate based authentication or SVN user/password.
I would be very thankful for any tips.
Hi Paul,
I think the "handshake_failure error message" is just a nested exception and not the real cause of the problem.
I have almost the same problem, with the difference that our company's Subversion server requires a passphrase-protected SSL client certificate + SVN user credentials.
I couldn't figure out how to use the Bamboo authentication options "Password" and "SSL Client Certificate" to provide both a client passphrase and SVN credentials.
I also turned the SVNKit-Logging on and got the following errors / exceptions:
This is not a valid Subversion Repository: svn: E170001: Authentication required for '<https://svn.company-domain.com:443>'.
SVNKit log:
Feb 13, 2014 5:38:17 PM org.tmatesoft.svn.core.internal.util.DefaultSVNDebugLogger log
FINE: NETWORK: exception decrypting data - java.security.InvalidKeyException: Illegal key size
...
STACKTRACE
...
FINE: NETWORK: Received fatal alert: handshake_failure
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
This is not a valid Subversion Repository: svn: E170001: Authentication required for '/home/bamboo/ssl/svn-sslcert-20141008.p12'
SVNKit log:
FINE: NETWORK: PKCS12 key store mac invalid - wrong password or corrupted file.
...
STACKTRACE
...
FINE: NETWORK: Received fatal alert: handshake_failure
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
So I thought maybe I should put both the path to the SSL certificate and the passphrase (in plain text!) into the $HOME/.subversion/servers file, to get the SSL part "pre-configured" for the Bamboo SVN client, and I tried again.
This is not a valid Subversion Repository: svn: E170001: Authentication required for '/home/bamboo/ssl/svn-sslcert-20141008.p12'
SVNKit log:
FINE: NETWORK: exception decrypting data - java.security.InvalidKeyException: Illegal key size.
...
STACKTRACE
...
FINE: NETWORK: Received fatal alert: handshake_failure
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Yesterday I raised a support issue with Atlassian, which you can watch here: https://support.atlassian.com/browse/BSP-12821.
Thanks for info, Wahid. I cannot access the link to the issue you posted (not enough rights), but in the meantime I got in touch with the technical support team and managed to advance a bit further with the issue.
The initial problem was that the root certificate for the SVN server needed to be imported in "C:\Program Files\Java\jre7\lib\security\cacerts" instead of "%JAVA_HOME%\jre\lib\security\cacerts". Maybe this is helpful for you.
Nevertheless, we put the installation of the build server on hold for the moment, so I gave up on this for now.
Good luck.
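Added example (not part of the thread, and not Bamboo or SVNKit code): a small Java diagnostic that answers the two questions raised above, namely which trust store the JVM actually reads (the JDK vs. JRE `cacerts` mix-up in Paul's post) and whether the JCE key-length limit behind "Illegal key size" in Wahid's log is active. The class name `JvmTlsCheck`, its two arguments, and the default store password `changeit` are assumptions of this example; run it with the same `java` executable that starts Bamboo.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.crypto.Cipher;

// Added diagnostic (hypothetical helper, not Bamboo or SVNKit code).
public class JvmTlsCheck {
    // Default JSSE lookup order: javax.net.ssl.trustStore, then jssecacerts, then cacerts.
    static File resolveTrustStore() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) return new File(override);
        File sec = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        File jsse = new File(sec, "jssecacerts");
        return jsse.exists() ? jsse : new File(sec, "cacerts");
    }

    public static void main(String[] args) throws Exception {
        // args[0]: text expected in the CA subject, e.g. MYROOTCA (assumes the subject contains it)
        String wanted = args.length > 0 ? args[0].toLowerCase() : "";
        // args[1]: trust store password; "changeit" is the JDK default
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        System.out.println("java.home   = " + System.getProperty("java.home"));
        File store = resolveTrustStore();
        System.out.println("trust store = " + store.getAbsolutePath());
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(store)) {
            ks.load(in, pass);
        }
        boolean found = false;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            String subject = ((X509Certificate) c).getSubjectX500Principal().getName();
            if (!wanted.isEmpty() && subject.toLowerCase().contains(wanted)) {
                found = true;
                System.out.println("found: alias=" + alias + " subject=" + subject);
            }
        }
        if (!wanted.isEmpty() && !found) System.out.println("no entry matching '" + wanted + "'");
        // 128 means the limited-strength JCE policy files are active, the usual
        // cause of java.security.InvalidKeyException: Illegal key size.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("max AES key length = " + (maxAes == Integer.MAX_VALUE ? "unlimited" : maxAes));
    }
}
```

If the printed trust store path is not the file the certificates were imported into with keytool, the import went into a store this JVM never reads.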
Hi Paul,
Thanks.
I thought importing the root certificate into the JDK keystore was only needed if a self-signed SSL server certificate is in use (e.g. https://confluence.atlassian.com/display/BAMKB/Unable+to+Connect+to+SSL+Services+due+to+PKIX+Path+Building+Failed+sun.security.provider.certpath.SunCertPathBuilderException).
We are using a CA-verified root certificate.
Atlassian is still investigating my reported issue. I hope they help us get a solution to this issue soon. Later, I will probably give your suggested fix a try and let you know.
We had a lot of trouble with this. Bamboo uses whichever cert store you configured for the Java that Bamboo runs under, so you're on your own there (I have no idea what your install looks like; check your JAVA_HOME system variable or look at your config file to see if it is defined there). It may also help to use the following arguments.
svn command (with the following as arguments)
--username <YourUsername> --password <YourPassword> -m "Comment if desired otherwise omit the -m and this string in quotes" --non-interactive --trust-server-cert --config-option servers:global:http-auth-types=BASIC
If we don't use these arguments (particularly those shown after comment) then we get the cert error regardless of the certs. Part of your problem may also be that unless you specify the user the SVN command tends to use the bamboo user (that the service runs under) when you use svn commands in a command task or script task rather than using the svn tasks. (which are sometimes necessary).
Try the arguments first.
The version of java you're running under is also important. SVNKit does not play well with IBM Java. (extremely bad performance). Use one of the approved JAVA versions for bamboo.
Thanks for the answer, Gretchen, but I don't understand how to apply your suggestions.
The svn command line tool works fine with my certificate. The SVN server is configured to accept client certificate, not using user/pass credentials.
Regarding the trusted key store for my JAVA install, as I wrote in the description of my question above, I added the certificates to the default java store from my installation, with no positive effect.
I have the jdk1.7.0_45 Java installation from the Oracle website.
Okay, I see what you're doing. We do have ssl setup but use the password option and have a user configured for that purpose with both svn and bamboo access. Are you running the commandline as the same user that the bamboo service runs as? If not, you may need a client cert for that user. It has to do with the ssl certs being stored in the named user part of the registry rather than current user which is not terribly intuitive. Not that I know that much about certs (which should be obvious by now).
We still needed the certs imported to the cert store for server access and additionally use the password. I haven't tried just using the SSL client certs setting. My bad.
Yes, this is what I'm trying to figure out. Where should I import the certificates I mention in my question so that the client (bamboo, svnkit ... ) will accept the server SSL certificate?
Do you know if this is the right place to ask this to get an answer from someone from the technical support?
I think the trick is to be able to log in to the Bamboo host with the same account that Bamboo runs as a service under (you might try using a runas approach, but I don't use that much so can't say if it would work or not).
We weren't able to log in as the Bamboo service user due to security restrictions and thus had to use a different approach.
Import them into the same java ssl cert store that you're running bamboo under. That should be your JAVA_HOME but again you must be logged in as the bamboo service account to get it imported under the correct user.
You could try tech support or you might try getting an answer on one of the ssl forums somewhere. (Since it's really not bamboo that can't connect you but svn running as the bamboo user which is java and svn interacting I think)