Tag Archives: OpenSSL

Managing SSL for Jenkins with Sectigo Certificates

At VMSoft, I manage a Jenkins instance that uses SSL. To configure SSL using a certificate issued by Sectigo (in my case), the supplied .crt and .key files must be imported into a keystore, which is then passed as a Jenkins startup parameter.

The process of creating a keystore from the .crt and .key files involves using the openssl command-line utility to create a PKCS#12 file:

openssl pkcs12 -export -in <file_name>.crt -inkey <file_name>.key -out jenkins.p12

Next, convert the resulting .p12 file to a .jks file using the keytool utility, which comes bundled with the JDK:

keytool -importkeystore -srckeystore jenkins.p12 -srcstoretype PKCS12 -destkeystore jenkins.jks -deststoretype JKS

Finally, make Jenkins aware that you want to use HTTPS by editing the jenkins.xml configuration file. Modify the jenkins.war command-line arguments by appending the following:

--httpPort=-1 --httpsPort=8443 --httpsKeyStore=<path_to_key_store_file> --httpsKeyStorePassword=<key_store_password>

Note: If your Jenkins instance fails to start, check the error log. If you see an error like:

java.security.UnrecoverableKeyException: Cannot recover key

ensure that the password you provided during the creation of both the PKCS#12 file and the .jks file is the same. Inconsistent passwords can cause this error.
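The same procedure as a script, added here as an example rather than taken from the original post: one password variable feeds both the PKCS#12 export and the JKS import, so the mismatch behind the "Cannot recover key" error cannot occur, and a verify step confirms the store opens and holds a private key. It assumes openssl and keytool are on PATH; the self-signed certificate, file names and password are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): build the Jenkins keystore with
# ONE password for both steps, then verify it. Assumes openssl and keytool
# (JDK) are on PATH. The cert/key pair and the password are constructed.
set -eu

# make_test_material DIR: constructed self-signed cert/key so the script runs
# offline. In practice these are the files issued by your CA (Sectigo here).
make_test_material() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=jenkins.example.test" \
    -keyout "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1
}

# build_jenkins_keystore CRT KEY OUT_JKS PASSWORD
# Exports CRT+KEY to PKCS#12, then imports it into a JKS file. Because the
# same PASSWORD is used for -passout, -srcstorepass and -deststorepass, the
# key password inside the JKS equals the store password Jenkins is given.
build_jenkins_keystore() {
  crt="$1"; key="$2"; out="$3"; pass="$4"
  p12="${out%.jks}.p12"
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 2; }
  openssl pkcs12 -export -in "$crt" -inkey "$key" -name jenkins \
    -out "$p12" -passout "pass:$pass"
  keytool -importkeystore -noprompt \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
    -destkeystore "$out" -deststoretype JKS -deststorepass "$pass" \
    >/dev/null 2>&1
}

# verify_keystore JKS PASSWORD: succeeds only if the store opens with PASSWORD
# and contains a private key entry, which is what HTTPS in Jenkins needs.
verify_keystore() {
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -q 'PrivateKeyEntry'
}
```

Point --httpsKeyStore at the resulting .jks and --httpsKeyStorePassword at the same password used here.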

ERROR: dev-python/cryptography-1.1.2::gentoo failed (compile phase)

The latest

emerge --sync
emerge --update --deep --newuse @world

broke “dev-python/cryptography” on my development “server”. By server I mean an Intel Celeron at 400 MHz with 768 MB of RAM, currently running MySQL, Apache, Apache Tomcat, Samba and Deluge.

i686-pc-linux-gnu-gcc -O2 -march=pentium2 -pipe -fomit-frame-pointer -fno-ident -fPIC -I/usr/include/python2.7 -c /var/tmp/portage/dev-python/cryptography-1.1.2/work/cryptography-1.1.2-python2_7/temp.linux-i686-2.7/_openssl.c -o /var/tmp/portage/dev-python/cryptography-1.1.2/work/cryptography-1.1.2-python2_7/temp.linux-i686-2.7/var/tmp/portage/dev-python/cryptography-1.1.2/work/cryptography-1.1.2-python2_7/temp.linux-i686-2.7/_openssl.o
/var/tmp/portage/dev-python/cryptography-1.1.2/work/cryptography-1.1.2-python2_7/temp.linux-i686-2.7/_openssl.c:2096:15: error: ‘SSLv2_method’ redeclared as different kind of symbol
 SSL_METHOD* (*SSLv2_method)(void) = NULL;

As the build error shows, dev-python/cryptography is looking for SSLv2. Running

equery u openssl
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for dev-libs/openssl-1.0.2h-r2:
 U I
 + + asm                : Support assembly hand optimized crypto functions (i.e. faster run time)
 + + bindist            : Disable EC algorithms (as they seem to be patented) -- note: changes the ABI
 - - cpu_flags_x86_sse2 : Use the SSE2 instruction set
 - - gmp                : Add support for dev-libs/gmp (GNU MP library)
 - - kerberos           : Add kerberos support
 - - rfc3779            : Enable support for RFC 3779 (X.509 Extensions for IP Addresses and AS Identifiers)
 - - sctp               : Support for Stream Control Transmission Protocol
 - - sslv2              : Support for the old/insecure SSLv2 protocol -- note: not required for TLS/https
 + + sslv3              : Support for the old/insecure SSLv3 protocol -- note: not required for TLS/https
 - - static-libs        : Build static versions of dynamic libraries as well
 - - test               : Workaround to pull in packages needed to run with FEATURES=test. Portage-2.1.2 handles this internally, so don't set it in
                          make.conf/package.use anymore
 + + tls-heartbeat      : Enable the Heartbeat Extension in TLS and DTLS
 - - vanilla            : Do not add extra patches which change default behaviour; DO NOT USE THIS ON A GLOBAL SCALE as the severity of the meaning changes
                          drastically
 + + zlib               : Add support for zlib (de)compression

revealed that OpenSSL is built without SSLv2 support. Adding the sslv2 USE flag for OpenSSL and rebuilding resolved the problem.

echo "dev-libs/openssl sslv2" > /etc/portage/package.use/openssl

In my opinion, this is a bug in “dev-python/cryptography”. The ebuild should check whether the sslv2 USE flag is enabled, or it should introduce USE flags controlling the SSL version used.

TortoiseGIT Disconnected: No supported authentication methods available ( server sent: publickey )

After migrating to SSH authentication for my Bitbucket repo (one of the reasons for doing that was to be able to mirror my repo on my home server; an article on that topic is coming soon), the TortoiseGIT Windows client stopped working. It was unable to do pulls and pushes and all other functionality related to connecting to the remote Git repository. Android Studio and the other IDEs and tools I use on a daily basis, including the git command-line client, were working properly.


TortoiseGIT uses Pageant (part of the PuTTY toolset) to manage its authentication keys. Because I had already generated the public/private key pair using ssh-keygen, all I needed to do was make Pageant aware of it.

For this, Puttygen (part of the PuTTY toolset) should be used.



Load the key in Puttygen (you will be prompted for the password during the loading process) and leave the default settings. If the import was successful, you will get a message telling you so.


Then click the ‘Save private key’ button and save your private key in PuTTY's default .ppk format. Fire up Pageant and load your newly created key.


Now pulls, pushes and all other functionality related to connecting to the remote Git repository should work as expected.


NOTE: Pageant must be started before using TortoiseGIT; otherwise you will get the same error message again.

Using OpenSSL with Apache Tomcat 6

First we need the Apache Portable Runtime (APR) in order to enable OpenSSL support and generally improve Tomcat performance. If you are running Gentoo:

emerge -v tomcat-native

To enable APR, edit your server.xml file and add the following line:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

Depending on your configuration, the APR listener may already be enabled by default.

Next, the OpenSSL part. Back in your server.xml file, add an SSL connector:

<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           SSLEngine="on"
           SSLCertificateFile="/path/to/your/certificate.crt"
           SSLCertificateKeyFile="/path/to/your/certificate.key" />

If you need an intermediate certificate file, add the following attribute to your Connector element:

SSLCertificateChainFile="/path/to/your/intermediate.crt"

Restart Tomcat and you should be up and running with OpenSSL support. The complete APR documentation is available here.
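Before restarting Tomcat, it is worth checking that the files named in SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile actually belong together, since a key/certificate mismatch or a wrong intermediate is the usual reason the connector fails to come up. The checks below are an added example, not part of the original post or of Tomcat; they assume openssl is on PATH, and the certificates used to exercise them are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# certificate, key and chain files referenced by the APR Connector above.
# Assumes openssl is on PATH; the test material is constructed self-signed certs.
set -eu

# make_test_material DIR NAME: constructed self-signed cert/key pair so the
# checks can be exercised offline.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# cert_matches_key CRT KEY: the public key embedded in CRT must equal the
# public half of KEY. Comparing SubjectPublicKeyInfo works for RSA and EC.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# chain_issued_cert CRT CHAIN: sanity check that the first certificate in
# CHAIN carries the subject named as issuer in CRT. This catches a wrong
# intermediate; it is not a full path validation.
chain_issued_cert() {
  issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  subject=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=//')
  [ -n "$issuer" ] && [ "$issuer" = "$subject" ]
}

# preflight CRT KEY [CHAIN]: returns 0 if every check passes, 1 otherwise,
# with the reason on stderr.
preflight() {
  cert_matches_key "$1" "$2" || { echo "certificate and key do not match" >&2; return 1; }
  if [ $# -ge 3 ]; then
    chain_issued_cert "$1" "$3" || { echo "chain file is not the issuer of the certificate" >&2; return 1; }
  fi
}
```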