When using SSL for Remote Agents in Bamboo they cannot connect with no cipher suites in common error

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.

    

Summary

After enabling SSL on Bamboo's JMS broker, some agents are failing to connect with: Received fatal alert: handshake_failure. javax.net.ssl.SSLHandshakeException: no cipher suites in common is present in the Bamboo server side logging.

Diagnosis

Inside the Bamboo Server side logs $BAMBOO_HOME/logs/atlassian-bamboo.log there is a no cipher suites in common error when the agent tries to connect:

2021-01-10 01:54:31,336 WARN [ActiveMQ Transport: ssl:///192.168.1.128:53856] [Transport] Transport Connection to: tcp://192.168.1.128:53856 failed: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: no cipher suites in common


Inside the $BAMBOO_REMOTE_AGENT/atlassian-bamboo-agent.log we can see it failing with a handshake_failure:

INFO   | jvm 23   | 2021/01/10 02:03:45 | Caused by: org.springframework.remoting.RemoteAccessException: Could not access JMS invoker queue [queue://com.atlassian.bamboo.registrationQueue]; nested exception is javax.jms.IllegalStateException: javax.jms.JMSException: Received fatal alert: handshake_failure
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at org.springframework.jms.remoting.JmsInvokerClientInterceptor.convertJmsInvokerAccessException(JmsInvokerClientInterceptor.java:432)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at org.springframework.jms.remoting.JmsInvokerClientInterceptor.invoke(JmsInvokerClientInterceptor.java:207)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at com.sun.proxy.$Proxy24.registerAgent(Unknown Source)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at com.atlassian.bamboo.v2.build.agent.remote.AgentRegistrationBean.registerAgent(AgentRegistrationBean.java:52)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at java.lang.reflect.Method.invoke(Method.java:498)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleElement.invoke(InitDestroyAnnotationBeanPostProcessor.java:363)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleMetadata.invokeInitMethods(InitDestroyAnnotationBeanPostProcessor.java:307)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:136)
INFO   | jvm 23   | 2021/01/10 02:03:45 | 	... 22 more

You can also enable -Djavax.net.debug=all on both the Bamboo Server and Remote Agent if you wish to get additional information from the SSL Handshake to see which ciphers the agent is advertising in the ClientHello and what the server supports. The argument should be added as follows:

  • Bamboo Server: Configuring your system properties 
  • Remote Agent: $BAMBOO_AGENT_HOME/conf/wrapper.conf 
    • E.g. wrapper.java.additional.x=-Djavax.net.debug=all 
    • Where x is the next number in the sequence of additional properties.

Cause

The use of some required ciphers have been restricted in the java security policy and the server and client don't have an overlap of compatible ciphers to complete the handshake.

Solution

Review the java.security policy on the agent and server and ensure that it has not been customized to a set of algorithms that are too restrictive for the server and agent to agree on a cipher in the SSL Handshake.

  • $JAVA_HOME/jre/lib/security/java.security

For example, this is a working default as of Java 8 272:

jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224


jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL

Please note, there is also an additional property that can cause a different file to be sourced and its configuration appended to the java.security settings:

#
# Determines whether this properties file will be appended to
# using the system properties file stored at
# /etc/crypto-policies/back-ends/java.config
#
security.useSystemPropertiesFile=true

By default, this is set to false however if it is set to true, you should also review /etc/crypto-policies/back-ends/java.config (or equivalent depending on OS)


Last modified on Jan 22, 2021

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.