Unable to access Jenkins via HTTPS when using OpenJDK


I'm struggling to run Jenkins 2.91 (RPM version) using its embedded mode on CentOS 7.2 with OpenJDK (1.8.0_65).

However, I'm getting the "ssl_error_no_cypher_overlap" error when I connect with Firefox 38.1.0 over HTTPS.

This problem does not occur when running Jenkins with Oracle JDK 1.8.0_144, only with OpenJDK.

I've tried various options such as the following without success:

JENKINS_JAVA_OPTIONS="-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2"

I came across bug 1167153, however the fix of applying jdk.tls.disabledAlgorithms=EC,ECDHE,ECDH already appears to be in place in /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.65-3.b17.el7.x86_64/jre/lib/security/java.security.

I've also tried using openssl to see what protocols are reported:

openssl s_client -connect localhost:8443
>>>
New, TLSv1/SSLv3, Cipher is AES256-SHA256
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA256

I enabled logging using -Djavax.net.debug=ssl,handshake; however, this meant another fault was reported (ssl internal error), apparently due to the bug "NoSuchAlgorithmException: EC AlgorithmParameters not available if SSL logs enabled".

1 answer

Adam (best answer)

I managed to resolve this by installing bouncycastle. It seems OpenJDK doesn't ship with an ECC provider.

  1. Download a bouncycastle provider from https://www.bouncycastle.org/latest_releases.html, e.g. bcprov-ext-jdk15on-158.jar

  2. Copy it into /usr/lib/jvm/java-1.8.0-openjdk-<version>/jre/lib/ext

  3. Add a provider to the end of the list in /usr/lib/jvm/java-1.8.0-openjdk-<version>/jre/lib/security/java.security

    security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider

  4. Re-enable the ECC algorithms (the line previously ended with: , EC, ECDHE, ECDH)

    jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768

  5. Restart Jenkins
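The following helper script is an added example, not Adam's code or anything shipped with Jenkins or OpenJDK: it checks a java.security file for the EC, ECDHE and ECDH entries that block the ECC cipher suites, and applies steps 3 and 4 to a copy of the file, computing the next free security.provider index instead of hard-coding the 9 used above so the new line cannot collide with an existing provider. The sample file it writes is constructed for offline testing, and the script assumes the jdk.tls.disabledAlgorithms value sits on a single line, as it does in the stock OpenJDK 8 file quoted in the answer.

```shell
#!/bin/sh
# Added helper, not from the original answer: checks a java.security file for
# the blocked EC suites and applies the answer's steps 3 and 4 to a copy of it.
# Assumes jdk.tls.disabledAlgorithms is on one line, as in stock OpenJDK 8.

# Constructed fragment modelled on an OpenJDK 8 java.security, written to $1.
write_sample_java_security() {
    cat > "$1" <<'EOF'
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, EC, ECDHE, ECDH
EOF
}

# Succeeds (exit 0) when jdk.tls.disabledAlgorithms lists EC, ECDHE or ECDH:
# the state that produced the question's ssl_error_no_cypher_overlap.
ec_is_disabled() {
    sed -n 's/^jdk\.tls\.disabledAlgorithms=//p' "$1" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qx -e EC -e ECDHE -e ECDH
}

# Index for the new provider line: highest existing security.provider.N + 1,
# computed rather than hard-coding the 9 used in the answer.
next_provider_index() {
    awk -F'[.=]' '/^security\.provider\.[0-9]+=/ { if ($3 + 0 > m) m = $3 + 0 }
                  END { print m + 1 }' "$1"
}

# Write a corrected copy: $1 = original java.security, $2 = output path.
enable_ec_with_bouncycastle() {
    bc="security.provider.$(next_provider_index "$1")=org.bouncycastle.jce.provider.BouncyCastleProvider"
    last=$(grep -n '^security\.provider\.[0-9]*=' "$1" | tail -n 1 | cut -d: -f1)
    awk -v bc="$bc" -v last="$last" '
        /^jdk\.tls\.disabledAlgorithms=/ {          # drop the three EC entries
            n = split(substr($0, index($0, "=") + 1), part, ","); out = ""
            for (i = 1; i <= n; i++) {
                t = part[i]; gsub(/^[ \t]+|[ \t]+$/, "", t)
                if (t == "EC" || t == "ECDHE" || t == "ECDH") continue
                out = (out == "" ? t : out ", " t)
            }
            print "jdk.tls.disabledAlgorithms=" out; next
        }
        { print }
        NR == last { print bc }                     # right after the last provider
        END { if (last == "") print bc }            # no provider list: append
    ' "$1" > "$2"
}
```

Run it against the real path from step 3 and diff the output against the original before copying it into place; the JAR from step 2 still has to be in jre/lib/ext, or the new provider line will fail to load at startup.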