mbockus / veracode-scanner

A Jenkins plug-in for submitting files for scanning to Veracode.

SSLHandshakeException #16

Open AlexClineBB opened 7 years ago

AlexClineBB commented 7 years ago

While trying to run previously working Veracode Scanner Plugin jobs, I get an SSLHandshakeException. I was able to test with the Veracode Java API jar (current version) and the request succeeded. Could it be that the current version of the plugin is using an old version of the Java API and needs to be updated?

Jenkins ver. 1.658

java -version
java version "1.7.0_131"
OpenJDK Runtime Environment (IcedTea 2.6.9) (7u131-2.6.9-0ubuntu0.14.04.2)
OpenJDK 64-Bit Server VM (build 24.131-b00, mixed mode)

Veracode Scanner Plugin Version: 1.6

Received fatal alert: handshake_failure
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
FATAL: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
org.jenkinsci.plugins.veracodescanner.exception.VeracodeScannerException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at org.jenkinsci.plugins.veracodescanner.VeracodeNotifier.getAppId(VeracodeNotifier.java:298)
    at org.jenkinsci.plugins.veracodescanner.VeracodeNotifier.performScan(VeracodeNotifier.java:164)
    at org.jenkinsci.plugins.veracodescanner.VeracodeNotifier.perform(VeracodeNotifier.java:94)
    at org.jenkins_ci.plugins.run_condition.BuildStepRunner$2.run(BuildStepRunner.java:110)
    at org.jenkins_ci.plugins.run_condition.BuildStepRunner$DontRun.conditionalRun(BuildStepRunner.java:264)
    at org.jenkins_ci.plugins.run_condition.BuildStepRunner.perform(BuildStepRunner.java:105)
    at org.jenkins_ci.plugins.flexible_publish.ConditionalPublisher.perform(ConditionalPublisher.java:183)
    at org.jenkins_ci.plugins.flexible_publish.FlexiblePublisher.perform(FlexiblePublisher.java:116)
    at hudson.tasks.BuildStepMonitor$3.perform(BuildStepMonitor.java:45)
    at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:782)
    at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:723)
    at hudson.model.Build$BuildExecution.post2(Build.java:185)
    at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:668)
    at hudson.model.Run.execute(Run.java:1763)
    at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
    at hudson.model.ResourceController.execute(ResourceController.java:98)
    at hudson.model.Executor.run(Executor.java:410)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1989)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1096)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1342)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1369)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1353)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1139)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
    at com.veracode.util.http.ClientHttpRequest.connect(ClientHttpRequest.java:99)
    at com.veracode.util.http.ClientHttpRequest.write(ClientHttpRequest.java:110)
    at com.veracode.util.http.ClientHttpRequest.boundary(ClientHttpRequest.java:148)
    at com.veracode.util.http.ClientHttpRequest.doPost(ClientHttpRequest.java:445)
    at com.veracode.util.http.ClientHttpRequest.post(ClientHttpRequest.java:480)
    at com.veracode.util.http.ClientHttpRequest.post(ClientHttpRequest.java:585)
    at com.veracode.util.http.WebClient.consumeResponse(WebClient.java:140)
    at com.veracode.util.http.WebClient.downloadString(WebClient.java:28)
    at com.veracode.apiwrapper.wrappers.UploadAPIWrapper.getAppList(UploadAPIWrapper.java:539)
    at org.jenkinsci.plugins.veracodescanner.VeracodeNotifier.getAppId(VeracodeNotifier.java:282)
    ... 16 more

java -jar VeracodeJavaAPI.jar -vuser USERNAME -vpassword PASSWORD -action getapplist
<?xml version="1.0" encoding="UTF-8"?>

<applist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="https://analysiscenter.veracode.com/schema/2.0/applist" xsi:schemaLocation="https://analysiscenter.veracode.com/schema/2.0/applist https://analysiscenter.veracode.com/resource/2.0/applist.xsd" applist_version="1.2" account_id="ID">
<app app_id="ID" app_name="NAME" policy_updated_date="2017-05-08T10:42:51-04:00"/>
...SNIP...
</applist>

pdl3 commented 7 years ago

I figured out what I think is going on.

I think Veracode tweaked their TLS ciphers in a bid to get an A+ at ssllabs.com and inadvertently broke this plugin because all but very recent versions of Jenkins still use Java 7. This is just a theory, but the simulated Java 7 connection at SSL labs fails to connect: https://www.ssllabs.com/ssltest/analyze.html?d=analysiscenter.veracode.com

Since Jenkins just started requiring Java 8 with 2.54 hopefully this problem disappears at that version? https://jenkins.io/blog/2017/04/10/jenkins-has-upgraded-to-java-8/

mufucaw commented 6 years ago

We are experiencing this as well. Our Veracode runs suddenly began failing with this error. Digging into the error revealed that there are no matching ciphers.

tjarrettveracode commented 6 years ago

Hi folks: Veracode deprecated TLS 1.0 connections in June, which we had announced in advance that we would do for the past six months. From our release notes:

End of Support for TLS 1.0, and the TFS 2010 and VS 2010 Integrations

For security reasons, starting 23 May 2017, Veracode APIs will block connections that use TLS 1.0. Veracode will also discontinue support of Team Foundation Server 2010 and Visual Studio 2010 integrations, which do not support TLS 1.1 or 1.2. Veracode Static Analysis will, however, continue to support applications compiled with Visual Studio 2003 and later.

You must upgrade the following integrations to support .NET 4.5 and TLS 1.2:

  • .NET wrapper/SDK
  • TFS flaw synchronizer
  • TFS XAML build integration
  • Visual Studio extension

You must upgrade the following integrations if you are using Java 1.7:

  • Java wrapper/SDK
  • Eclipse plugin
  • IntelliJ plugin
  • Jenkins plugin
  • JIRA plugin

To support TLS 1.1 and 1.2 with Java 1.7, you must apply the Java Cryptographic Extension (JCE) Unlimited Strength Jurisdiction Policy to the JREs. The JCE Unlimited Strength Jurisdiction Policy files can be downloaded from Oracle. As supporting TLS 1.1 and 1.2 with Java 1.7 requires both an upgrade of Veracode integrations and a patch of the Java 1.7 JRE, Veracode recommends upgrading to Java 1.8 instead.

I suspect that applying the JCE policy would address the issue with this plugin on Java 7. However, you may also want to consider trying the Veracode-supported Jenkins plugin, which is being maintained and updated by Veracode.
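
A local check for the two conditions raised in this thread, namely which TLS protocol versions the JVM enables for client connections and whether the JCE Unlimited Strength policy is installed. This is an added example, not code from the plugin or from Veracode; the class name `TlsClientCheck`, the optional host argument and port 443 are assumptions.

```java
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

// Added diagnostic (hypothetical class name); written to compile on Java 7.
public class TlsClientCheck {

    static boolean contains(String[] values, String wanted) {
        return Arrays.asList(values).contains(wanted);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));

        // 128 means the limited-strength JCE policy is active; with the
        // unlimited policy installed this returns Integer.MAX_VALUE.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length = " + maxAes
                + (maxAes < 256 ? " (limited JCE policy)" : " (unlimited JCE policy)"));

        // "Supported" is what the JVM can speak; "default" is what a client
        // socket actually offers when the application configures nothing.
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        for (String p : new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"}) {
            System.out.println(p + ": supported=" + contains(supported.getProtocols(), p)
                    + ", enabled by default=" + contains(defaults.getProtocols(), p));
        }
        System.out.println("Default cipher suites: "
                + Arrays.toString(defaults.getCipherSuites()));

        // Optional live handshake against the host given as the first
        // argument (port 443 assumed), using the JVM defaults listed above.
        if (args.length == 1) {
            SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], 443);
            try {
                s.startHandshake();
                System.out.println("Negotiated " + s.getSession().getProtocol()
                        + " / " + s.getSession().getCipherSuite());
            } finally {
                s.close();
            }
        }
    }
}
```

Run it with the same JRE that runs Jenkins. Passing a host name such as analysiscenter.veracode.com additionally attempts a handshake and prints the negotiated protocol and cipher suite, or fails with the same SSLHandshakeException shown in the issue.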