Issue 2732: TLS not working on Ubuntu 14.04
Status:  New
Owner:  ----


Reported by de...@webtuner.tv, Jun 23, 2014

Affected Version: 29-rc2

What steps will reproduce the problem?
0. Run on Ubuntu 14.04
1. Do a fresh install of Gerrit with HTTPS (using a self-signed cert)
2. These both fail:

  openssl s_client -connect 10.10.1.168:8443
  ...
  140688968496800:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:


  openssl s_client -connect 10.10.1.168:8443 -tls1
  ...
  140255261521568:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:


However this one succeeds:

  openssl s_client -connect 10.10.1.168:8443 -ssl3


Also, I am able to use Chrome to connect successfully with HTTPS.

The support for TLSv1 is necessary for running an Android mirror.

When trying to run a local Android mirror and submit with "repo upload", the HTTPS connection from Python fails.  But the simplest repro case is using the openssl commands above.

I have tried running Gerrit with OpenJDK 7 and Oracle Sun Java(TM) 7.  The results are identical.


$ repo upload
Upload project kernel/ to remote branch wt-branch:
  branch derek_test1 ( 1 commit, Mon Jun 16 18:20:45 2014 -0700):
         827eb588 README1: Apply test change for Gerrit validation.
to https://10.10.1.168:8443/ (y/N)? y

----------------------------------------------------------------------
[FAILED] kernel/         derek_test1    
       (https://10.10.1.168:8443/ <urlopen error [Errno 8] _ssl.c:510: EOF occurred in violation of protocol>)



Jun 24, 2014
#1 de...@webtuner.tv
Further info:

The error seems to disappear if I run Gerrit manually with this command:

java -jar /home/gerrit2/review_site/bin/gerrit.war daemon -d /home/gerrit2/review_site --run-id=1403630880.8398


(I discovered this when I tried the above command both with and without the options "-Djavax.net.debug=ssl,handshake,failure".  When I tried to get extra info the problem just went away.)

I am running this on a machine that has OpenJDK 6, 7, and Sun Java(TM) 7 installed.  I need Java 7 to run Gerrit but Java 6 to build Jelly Bean. 

Although I have been careful to make sure Sun Java(TM) is the default version in my OS and in my bash environment, I suspect that the gerrit.sh launcher script is somehow choosing the wrong Java environment.  It's probably in this section:

    for N in java jdk jre ; do
      for L in $JAVA_LOCATIONS ; do
      ...



Jun 24, 2014
#2 de...@webtuner.tv
Further info:

I found the problem.  Although I had updated and exported my JAVA_HOME environment variable, and also ran 

sudo update-java-alternatives -s java-7-oracle


...this was not sufficient to satisfy Gerrit.  I also needed to set "javaHome" in $site_path/etc/gerrit.config.

Apparently there is an incompatibility or configuration issue with using OpenSSL for TLS on OpenJDK 1.7, on Ubuntu 14.04.  (I have not run with the -D option to diagnose.)  Using Sun Java 7 (and updating gerrit.config) worked around the issue for me.
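
An added example, not part of the original report and not Gerrit's own code: a Python check that compares the JVM pinned by javaHome in gerrit.config (the setting lives in the [container] section) with the JVMs that JAVA_HOME and the java on PATH resolve to, since comment #2 found that the shell settings alone did not decide which JVM the daemon ran. The function names and the script name are hypothetical.

```python
import os
import re

SECTION = re.compile(r'^\[\s*([A-Za-z0-9.-]+)\s*(".*")?\s*\]$')

def read_java_home(config_path):
    """Return container.javaHome from a git-config style file, or None if unset."""
    section, value = None, None
    with open(config_path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            header = SECTION.match(line)
            if header:
                # Section names are case-insensitive; a subsection is a different section.
                section = None if header.group(2) else header.group(1).lower()
                continue
            key, sep, val = line.partition("=")
            if sep and section == "container" and key.strip().lower() == "javahome":
                value = val.strip().strip('"')  # last assignment wins
    return value

def jvm_home(java_binary):
    """Resolve alternatives-style symlinks and strip the trailing bin/java."""
    return os.path.dirname(os.path.dirname(os.path.realpath(java_binary)))

def audit(config_path, java_home_env, java_on_path):
    """Return findings about which JVM each selection mechanism points at."""
    configured = read_java_home(config_path)
    shell_jvm = os.path.realpath(java_home_env) if java_home_env else None
    path_jvm = jvm_home(java_on_path) if java_on_path else None
    if configured is None:
        return ["javaHome unset in gerrit.config: JVM choice is left to gerrit.sh"]
    findings = []
    daemon_jvm = os.path.realpath(configured)
    if not os.access(os.path.join(daemon_jvm, "bin", "java"), os.X_OK):
        findings.append(f"javaHome {configured} has no executable bin/java")
    for label, jvm in (("JAVA_HOME", shell_jvm), ("java on PATH", path_jvm)):
        if jvm and jvm != daemon_jvm:
            findings.append(f"{label} -> {jvm} but the daemon is pinned to {daemon_jvm}")
    return findings

if __name__ == "__main__":
    import shutil, sys
    if len(sys.argv) != 2:
        sys.exit("usage: check_jvm.py <gerrit site directory>")
    cfg = os.path.join(sys.argv[1], "etc", "gerrit.config")
    for finding in audit(cfg, os.environ.get("JAVA_HOME"), shutil.which("java")):
        print(finding)
```

Run it as the account that starts Gerrit, so that JAVA_HOME and PATH are the ones the launcher script inherits.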
