Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 4.14.0.Final
    • Fix Version/s: 4.17.x
    • Component/s: openshift
    • Labels:
    • Security Sensitive Issue:
      This issue is security relevant
    • Steps to Reproduce:
      Hide

      0. Create OpenShift 4.4.0 cluster(e.g. you can use cluster-bot on slack and command

      launch 4.4.0-0.nightly-2020-02-19-222437
      

      )
      1. Try to connect to this cluster with old tooling for OpenShift:

      • Open OpenShift Explorer
      • Click on New Connection
      • Enter credentials(from cluster-bot)
        (you can select oc binary - I have used oc for 4.3.0.GA - but it should work without oc binary selected.)
        2. You are not connected, instead there is an error message:
      eclipse.buildId=12.14.0.GA-v20200220-0715-B5956
      java.version=11.0.2
      java.vendor=Oracle Corporation
      BootLoader constants: OS=macosx, ARCH=x86_64, WS=cocoa, NL=en_GB
      Framework arguments:  -product com.jboss.devstudio.core.product -keyring /Users/jkopriva/.eclipse_keyring
      Command-line arguments:  -os macosx -ws cocoa -arch x86_64 -product com.jboss.devstudio.core.product -keyring /Users/jkopriva/.eclipse_keyring
      
      org.jboss.tools.openshift.ui
      Error
      Thu Feb 20 11:47:53 CET 2020
      Unable to execute request to request url https://api.ci-ln-3c9jnpb-d5d6b.origin-ci-int-aws.dev.rhcloud.com:6443/.well-known/oauth-authorization-server
      
      com.openshift.restclient.OpenShiftException: Unable to execute request to request url https://api.ci-ln-3c9jnpb-d5d6b.origin-ci-int-aws.dev.rhcloud.com:6443/.well-known/oauth-authorization-server
      	at com.openshift.internal.restclient.RequestingSupplier.requestIfRequired(RequestingSupplier.java:59)
      	at com.openshift.internal.restclient.RequestingSupplier.get(RequestingSupplier.java:49)
      	at com.openshift.internal.restclient.AuthorizationEndpoints.getEndpoint(AuthorizationEndpoints.java:59)
      	at com.openshift.internal.restclient.AuthorizationEndpoints.getAuthorizationEndpoint(AuthorizationEndpoints.java:49)
      	at com.openshift.internal.restclient.DefaultClient.getAuthorizationEndpoint(DefaultClient.java:466)
      	at com.openshift.internal.restclient.okhttp.AuthenticatorInterceptor.isUrlWithoutAuthorization(AuthenticatorInterceptor.java:87)
      	at com.openshift.internal.restclient.okhttp.AuthenticatorInterceptor.intercept(AuthenticatorInterceptor.java:55)
      	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
      	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87)
      	at com.openshift.internal.restclient.okhttp.ResponseCodeInterceptor.intercept(ResponseCodeInterceptor.java:57)
      	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
      	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87)
      	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.kt:184)
      	at okhttp3.RealCall.execute(RealCall.kt:66)
      	at com.openshift.internal.restclient.ApiTypeMapper.request(ApiTypeMapper.java:273)
      	at com.openshift.internal.restclient.ApiTypeMapper.readEndpoint(ApiTypeMapper.java:261)
      	at com.openshift.internal.restclient.ApiTypeMapper.getApiGroups(ApiTypeMapper.java:224)
      	at com.openshift.internal.restclient.ApiTypeMapper.init(ApiTypeMapper.java:159)
      	at com.openshift.internal.restclient.ApiTypeMapper.isSupported(ApiTypeMapper.java:87)
      	at com.openshift.internal.restclient.URLBuilder.buildWithNamespaceInPath(URLBuilder.java:148)
      	at com.openshift.internal.restclient.URLBuilder.build(URLBuilder.java:135)
      	at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:297)
      	at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:271)
      	at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:239)
      	at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:222)
      	at com.openshift.internal.restclient.DefaultClient.get(DefaultClient.java:406)
      	at com.openshift.internal.restclient.authorization.AuthorizationContext.isAuthorized(AuthorizationContext.java:63)
      	at org.jboss.tools.openshift.core.connection.Connection.authorize(Connection.java:240)
      	at org.jboss.tools.openshift.core.connection.Connection.connect(Connection.java:229)
      	at org.jboss.tools.openshift.internal.common.ui.connection.ConnectionWizardPageModel.connect(ConnectionWizardPageModel.java:300)
      	at org.jboss.tools.openshift.internal.common.ui.connection.ConnectionWizardPage$ConnectJob.doRun(ConnectionWizardPage.java:434)
      	at org.jboss.tools.openshift.internal.common.core.job.AbstractDelegatingMonitorJob.run(AbstractDelegatingMonitorJob.java:37)
      	at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)
      Caused by: javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request
      	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
      	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
      	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
      	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
      	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:255)
      	at java.base/sun.security.ssl.SSLExtensions.<init>(SSLExtensions.java:89)
      	at java.base/sun.security.ssl.CertificateRequest$T13CertificateRequestMessage.<init>(CertificateRequest.java:757)
      	at java.base/sun.security.ssl.CertificateRequest$T13CertificateRequestConsumer.consume(CertificateRequest.java:861)
      	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
      	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
      	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
      	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
      	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
      	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
      	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
      	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
      	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:351)
      	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:310)
      	at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:178)
      	at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:236)
      	at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:109)
      	at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:77)
      	at okhttp3.internal.connection.Transmitter.newExchange$okhttp(Transmitter.kt:162)
      	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:35)
      	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
      	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87)
      	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:82)
      	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
      	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87)
      	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:84)
      	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
      	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:71)
      	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
      	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87)
      	at com.openshift.internal.restclient.okhttp.AuthenticatorInterceptor.intercept(AuthenticatorInterceptor.java:56)
      	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
      	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87)
      	at com.openshift.internal.restclient.okhttp.ResponseCodeInterceptor.intercept(ResponseCodeInterceptor.java:57)
      	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
      	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87)
      	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.kt:184)
      	at okhttp3.RealCall.execute(RealCall.kt:66)
      	at com.openshift.internal.restclient.RequestingSupplier.request(RequestingSupplier.java:69)
      	at com.openshift.internal.restclient.RequestingSupplier.requestIfRequired(RequestingSupplier.java:55)
      	... 32 more
      
      
      
      Show
      0. Create OpenShift 4.4.0 cluster(e.g. you can use cluster-bot on slack and command launch 4.4.0-0.nightly-2020-02-19-222437 ) 1. Try to connect to this cluster with old tooling for OpenShift: Open OpenShift Explorer Click on New Connection Enter credentials(from cluster-bot) (you can select oc binary - I have used oc for 4.3.0.GA - but it should work without oc binary selected.) 2. You are not connected, instead there is an error message: eclipse.buildId=12.14.0.GA-v20200220-0715-B5956 java.version=11.0.2 java.vendor=Oracle Corporation BootLoader constants: OS=macosx, ARCH=x86_64, WS=cocoa, NL=en_GB Framework arguments: -product com.jboss.devstudio.core.product -keyring /Users/jkopriva/.eclipse_keyring Command-line arguments: -os macosx -ws cocoa -arch x86_64 -product com.jboss.devstudio.core.product -keyring /Users/jkopriva/.eclipse_keyring org.jboss.tools.openshift.ui Error Thu Feb 20 11:47:53 CET 2020 Unable to execute request to request url https: //api.ci-ln-3c9jnpb-d5d6b.origin-ci- int -aws.dev.rhcloud.com:6443/.well-known/oauth-authorization-server com.openshift.restclient.OpenShiftException: Unable to execute request to request url https: //api.ci-ln-3c9jnpb-d5d6b.origin-ci- int -aws.dev.rhcloud.com:6443/.well-known/oauth-authorization-server at com.openshift.internal.restclient.RequestingSupplier.requestIfRequired(RequestingSupplier.java:59) at com.openshift.internal.restclient.RequestingSupplier.get(RequestingSupplier.java:49) at com.openshift.internal.restclient.AuthorizationEndpoints.getEndpoint(AuthorizationEndpoints.java:59) at com.openshift.internal.restclient.AuthorizationEndpoints.getAuthorizationEndpoint(AuthorizationEndpoints.java:49) at com.openshift.internal.restclient.DefaultClient.getAuthorizationEndpoint(DefaultClient.java:466) at com.openshift.internal.restclient.okhttp.AuthenticatorInterceptor.isUrlWithoutAuthorization(AuthenticatorInterceptor.java:87) at com.openshift.internal.restclient.okhttp.AuthenticatorInterceptor.intercept(AuthenticatorInterceptor.java:55) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87) at com.openshift.internal.restclient.okhttp.ResponseCodeInterceptor.intercept(ResponseCodeInterceptor.java:57) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87) at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.kt:184) at okhttp3.RealCall.execute(RealCall.kt:66) at com.openshift.internal.restclient.ApiTypeMapper.request(ApiTypeMapper.java:273) at com.openshift.internal.restclient.ApiTypeMapper.readEndpoint(ApiTypeMapper.java:261) at com.openshift.internal.restclient.ApiTypeMapper.getApiGroups(ApiTypeMapper.java:224) at com.openshift.internal.restclient.ApiTypeMapper.init(ApiTypeMapper.java:159) at com.openshift.internal.restclient.ApiTypeMapper.isSupported(ApiTypeMapper.java:87) at com.openshift.internal.restclient.URLBuilder.buildWithNamespaceInPath(URLBuilder.java:148) at com.openshift.internal.restclient.URLBuilder.build(URLBuilder.java:135) at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:297) at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:271) at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:239) at com.openshift.internal.restclient.DefaultClient.execute(DefaultClient.java:222) at com.openshift.internal.restclient.DefaultClient.get(DefaultClient.java:406) at com.openshift.internal.restclient.authorization.AuthorizationContext.isAuthorized(AuthorizationContext.java:63) at org.jboss.tools.openshift.core.connection.Connection.authorize(Connection.java:240) at org.jboss.tools.openshift.core.connection.Connection.connect(Connection.java:229) at org.jboss.tools.openshift.internal.common.ui.connection.ConnectionWizardPageModel.connect(ConnectionWizardPageModel.java:300) at org.jboss.tools.openshift.internal.common.ui.connection.ConnectionWizardPage$ConnectJob.doRun(ConnectionWizardPage.java:434) at org.jboss.tools.openshift.internal.common.core.job.AbstractDelegatingMonitorJob.run(AbstractDelegatingMonitorJob.java:37) at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63) Caused by: javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128) at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:255) at java.base/sun.security.ssl.SSLExtensions.<init>(SSLExtensions.java:89) at java.base/sun.security.ssl.CertificateRequest$T13CertificateRequestMessage.<init>(CertificateRequest.java:757) at java.base/sun.security.ssl.CertificateRequest$T13CertificateRequestConsumer.consume(CertificateRequest.java:861) at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421) at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178) at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164) at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152) at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063) at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402) at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:351) at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:310) at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:178) at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:236) at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:109) at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:77) at okhttp3.internal.connection.Transmitter.newExchange$okhttp(Transmitter.kt:162) at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:35) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87) at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:82) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87) at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:84) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112) at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:71) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87) at com.openshift.internal.restclient.okhttp.AuthenticatorInterceptor.intercept(AuthenticatorInterceptor.java:56) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87) at com.openshift.internal.restclient.okhttp.ResponseCodeInterceptor.intercept(ResponseCodeInterceptor.java:57) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87) at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.kt:184) at okhttp3.RealCall.execute(RealCall.kt:66) at com.openshift.internal.restclient.RequestingSupplier.request(RequestingSupplier.java:69) at com.openshift.internal.restclient.RequestingSupplier.requestIfRequired(RequestingSupplier.java:55) ... 32 more
    • Workaround:
      Workaround Exists
    • Workaround Description:
      Hide

      Use JDK8
      or
      -Djdk.tls.client.protocols=TLSv1.2
      (From Jeff)

      Show
      Use JDK8 or -Djdk.tls.client.protocols=TLSv1.2 (From Jeff)

      Description

      I was not able to connect to openshift 4.4.0 cluster with openshift tooling(based on openshift restclient).

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  jkopriva Josef Kopriva
                  Reporter:
                  jkopriva Josef Kopriva
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  4 Start watching this issue

                  Dates

                  • Created:
                    Updated: