JDK 1.8.x javax.net.ssl.SSLException: Received fatal alert: protocol_version

[cybo42]

Starting after Github updated their certificates I started to receive the below error message. Which is very similar to #634. With one exception, I'm running Java 1.8 which should default to TLS 1.2

I've found that restarting my jenkins instance resolves the issue. However it will start up again after some time. Restart always seems to resolve it, but that isn't the ideal solution ;)

This is happening on two of my Jenkins environments each running different jenkins versions. (2.89.2 and 2.21). One is also running on linux, the other on osx.

I'm not sure if the issue is in this plugin or the underline github-api plugin. I do see this ticket:
hub4j/github-api#418

Mar 02, 2018 1:11:07 PM hudson.triggers.Trigger checkTriggers
WARNING: org.jenkinsci.plugins.ghprb.GhprbTrigger.run() failed for hudson.model.FreeStyleProject@4853e929[android-phoenix-qa-emulator]
java.lang.Error: org.kohsuke.github.HttpException: Server returned HTTP response code: -1, message: 'null' for URL: https://api.github.com/repos/nytm/android-phoenix/pulls?state=open
        at org.kohsuke.github.Requester$PagingIterator.fetch(Requester.java:516)
        at org.kohsuke.github.Requester$PagingIterator.hasNext(Requester.java:481)
        at org.kohsuke.github.PagedIterator.fetch(PagedIterator.java:44)
        at org.kohsuke.github.PagedIterator.hasNext(PagedIterator.java:32)
        at org.kohsuke.github.PagedIterable.asList(PagedIterable.java:41)
        at org.kohsuke.github.GHRepository.getPullRequests(GHRepository.java:697)
        at org.jenkinsci.plugins.ghprb.GhprbRepository.check(GhprbRepository.java:138)
        at org.jenkinsci.plugins.ghprb.GhprbTrigger.run(GhprbTrigger.java:294)
        at hudson.triggers.Trigger.checkTriggers(Trigger.java:278)
        at hudson.triggers.Trigger$Cron.doRun(Trigger.java:226)
        at hudson.triggers.SafeTimerTask.run(SafeTimerTask.java:50)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.kohsuke.github.HttpException: Server returned HTTP response code: -1, message: 'null' for URL: https://api.github.com/repos/nytm/android-phoenix/pulls?state=open
        at org.kohsuke.github.Requester.parse(Requester.java:633)
        at org.kohsuke.github.Requester.parse(Requester.java:594)
        at org.kohsuke.github.Requester.access$200(Requester.java:73)
        at org.kohsuke.github.Requester$PagingIterator.fetch(Requester.java:505)
        ... 17 more
Caused by: javax.net.ssl.SSLException: Received fatal alert: protocol_version
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
        at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
        at org.kohsuke.github.Requester.parse(Requester.java:602)
        ... 20 more

[bjoernhaeuser]

Which java / jenkins / plugin versions are you running?

[cybo42]

On one Jenkins server I am running:
Java: 1.8.0_60-b27
Jenkins:
ghprb plugin: 1.33.1
githup api plugin: 1.90

The other Jenkin's instance I don't have access to the management console at the moment but I know it it is on Java 1.8.x and github api plugin 1.90. I'm assuming it is the latest ghprb plugin but will verify tomorrow.

I was going to try hardcoding the TLS version even though I'm on JDK 1.8 to see if that made any difference.

[jsposato]

@cybo42, how'd it go? We're seeing this issue as well in some instances.

[cybo42]

Fingers crossed, but so far since I hardcoded the TLS version -Dhttps.protocols=TLSv1.2 I haven't seen the issue come up again.

It bothers me that I'd have to do that since JDK 1.8 should default to 1.2. But maybe something is causing it fallback. Maybe a persistent connection or something like that. (grasping at straws)

[dmewadamobi]

@cybo42
Can you please tell the detailed explanation stating where you actually changed the things.

[jsposato]

This fixed it for us, but not sure why the plugin would not use TLS1.2 if that's the default. The non-PR jobs were running fine.

[mikeobr]

Thanks so much @cybo42.
@dmewadamobi on linux I added this to my bash file: export JAVA_TOOL_OPTIONS="-Dhttps.protocols=TLSv1.2"

I'm not sure if there is a better place to put that though.

[bjoernhaeuser]

Issue seems to be resolved by using latest jdk version or harcoding tls version.

[phreakadelle]

We've had the same issue. After our Nexus has been moved to TLS 1.2 the Jenkins was not able to connect to it. Restarting Jenkins solved the issue. Our Java Version is "1.8.0_101"