javax.net.ssl.SSLHandshakeException


  • Slaves cannot connect to Jenkins servers with ECDH* SSL configurations via https
    Replacing the bc* libraries in war/WEB-INF/lib/ *bcprov-jdk15on-1.47.jar* with *bcprov-jdk15on-152.jar* allows all connections to work with and without ECDH connections.
    Upgrading the instance identity module (https://github.com/jenkinsci/instance-identity-module) to bouncycastle 1.52 should resolve this, I think; I'm not aware of any other things that include bcprov in core.
    Additionally, ssh-agent-plugin has a patch to fix the same issue for that plugin: https://github.com/jenkinsci/ssh-agent-plugin/pull/8
    And below is an example error of such a failed connection, although not specifically with a slave.
    {code}
    Caught exception while notifying Stash with id 695c0a35657a11c973a904ff993cd873b7283e1b
    javax.net.ssl.SSLHandshakeException: Could not generate secret
        at sun.security.ssl.ECDHCrypt.getAgreedSecret(ECDHCrypt.java:99)
        at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1045)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
        at org.apache.http.impl.conn.BasicHttpClientConnectionManager.connect(BasicHttpClientConnectionManager.java:338)
        at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
        at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
        at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
        at org.jenkinsci.plugins.stashNotifier.StashNotifier.notifyStash(StashNotifier.java:556)
        at org.jenkinsci.plugins.stashNotifier.StashNotifier.processJenkinsEvent(StashNotifier.java:207)
        at org.jenkinsci.plugins.stashNotifier.StashNotifier.prebuild(StashNotifier.java:160)
        at hudson.model.AbstractBuild$AbstractBuildExecution.preBuild(AbstractBuild.java:834)
        at hudson.model.AbstractBuild$AbstractBuildExecution.preBuild(AbstractBuild.java:829)
        at hudson.model.Build$BuildExecution.doRun(Build.java:144)
        at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:537)
        at hudson.model.Run.execute(Run.java:1741)
        at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
        at hudson.model.ResourceController.execute(ResourceController.java:98)
        at hudson.model.Executor.run(Executor.java:381)
    Caused by: java.security.InvalidKeyException: ECDH key agreement requires ECPublicKey for doPhase
        at org.bouncycastle.jcajce.provider.asymmetric.ec.KeyAgreementSpi.engineDoPhase(Unknown Source)
        at javax.crypto.KeyAgreement.doPhase(KeyAgreement.java:567)
        at sun.security.ssl.ECDHCrypt.getAgreedSecret(ECDHCrypt.java:96)
        ... 32 more
    {code}
    via by Josh Toft,
  • Currently when connecting to ECDHE-RSA-* servers I was getting errors. Upgrading to bouncycastle 1.52 resolves these.
    Below is an example exception; seen via the stash-notification-plugin, and ssh-agent-plugin
    {code}
    javax.net.ssl.SSLHandshakeException: Could not generate secret
        at sun.security.ssl.ECDHCrypt.getAgreedSecret(ECDHCrypt.java:99)
        at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1045)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
        at org.apache.http.impl.conn.BasicHttpClientConnectionManager.connect(BasicHttpClientConnectionManager.java:338)
        at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
        at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
        at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
        at org.jenkinsci.plugins.stashNotifier.StashNotifier.notifyStash(StashNotifier.java:556)
        at org.jenkinsci.plugins.stashNotifier.StashNotifier.processJenkinsEvent(StashNotifier.java:207)
        at org.jenkinsci.plugins.stashNotifier.StashNotifier.prebuild(StashNotifier.java:160)
        at hudson.model.AbstractBuild$AbstractBuildExecution.preBuild(AbstractBuild.java:834)
        at hudson.model.AbstractBuild$AbstractBuildExecution.preBuild(AbstractBuild.java:829)
        at hudson.model.Build$BuildExecution.doRun(Build.java:144)
        at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:537)
        at hudson.model.Run.execute(Run.java:1741)
        at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
        at hudson.model.ResourceController.execute(ResourceController.java:98)
        at hudson.model.Executor.run(Executor.java:381)
    Caused by: java.security.InvalidKeyException: ECDH key agreement requires ECPublicKey for doPhase
        at org.bouncycastle.jcajce.provider.asymmetric.ec.KeyAgreementSpi.engineDoPhase(Unknown Source)
        at javax.crypto.KeyAgreement.doPhase(KeyAgreement.java:567)
        at sun.security.ssl.ECDHCrypt.getAgreedSecret(ECDHCrypt.java:96)
        ... 32 more
    {code}
    via by Josh Toft,
  • GitHub comment 26#160759478
    via GitHub by jserdaru
  • java 8 support - ssl issue
    via GitHub by charlesivie
    • javax.net.ssl.SSLHandshakeException: Could not generate secret
          at sun.security.ssl.ECDHCrypt.getAgreedSecret(ECDHCrypt.java:99)
          at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1045)
          at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348)
          at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
          at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
          at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
          at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
          at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
          at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
          at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
          at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
          at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
          at org.apache.http.impl.conn.BasicHttpClientConnectionManager.connect(BasicHttpClientConnectionManager.java:338)
          at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
          at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
          at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
          at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
          at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
          at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
          at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
          at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
          at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
          at org.jenkinsci.plugins.stashNotifier.StashNotifier.notifyStash(StashNotifier.java:556)
          at org.jenkinsci.plugins.stashNotifier.StashNotifier.processJenkinsEvent(StashNotifier.java:207)
          at org.jenkinsci.plugins.stashNotifier.StashNotifier.prebuild(StashNotifier.java:160)
          at hudson.model.AbstractBuild$AbstractBuildExecution.preBuild(AbstractBuild.java:834)
          at hudson.model.AbstractBuild$AbstractBuildExecution.preBuild(AbstractBuild.java:829)
          at hudson.model.Build$BuildExecution.doRun(Build.java:144)
          at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:537)
          at hudson.model.Run.execute(Run.java:1741)
          at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
          at hudson.model.ResourceController.execute(ResourceController.java:98)
          at hudson.model.Executor.run(Executor.java:381)
      Caused by: java.security.InvalidKeyException: ECDH key agreement requires ECPublicKey for doPhase
          at org.bouncycastle.jcajce.provider.asymmetric.ec.KeyAgreementSpi.engineDoPhase(Unknown Source)
          at javax.crypto.KeyAgreement.doPhase(KeyAgreement.java:567)
          at sun.security.ssl.ECDHCrypt.getAgreedSecret(ECDHCrypt.java:96)
          ... 32 more
