KBEC-00486 - How to validate SSL handshake when connecting to CloudBees CD Server

Issue

As of v10.0 to 10.1 CloudBees CD/RO only accepts TLS 1.2 in the CloudBees CD/RO Server Certificate, and doesn´t allow previous TLS versions when connecting from agents.

When upgrading CloudBees CD/RO from previous versions of the application, you could suffer some connectivity issues from agents to the server if the certificate doesn´t support TLS 1.2. In the same way, when you are using certificates signed from your organisation Certificate Authority, you need to validate TLS 1.2 is properly enabled in your certificate.

TLS 1.3 is not accepted due to perl incompatibilities and will be implemented in a future releases.

Environment

CloudBees CD/RO Server
- CloudBees CD/RO versions that only allows TLS 1.2
  - CloudBees CD/RO 10.1.x
  - CloudBees CD/RO 10.0.x
- CloudBees CD/RO versions that allows TLS 1.2 and previous versions:
  - CloudBees CD/RO 9.x
  - CloudBees CD/RO 8.x
CloudBees CD/RO Agent
- Windows and Linux Agents: TLS 1.2 is supported from CloudBees CD/RO agents v6.0.4/6.3 and newer
- Mac OS: TLS 1.2 is supported from CloudBees CD/RO agents v8.5 and newer
== Resolution

To validate the SSL handshake for this specific TLS version we need to execute from our CloudBees CD/RO Server:

Linux Systems

CloudBees CD/RO 10.0.x and lower:

COMMANDER_HOME=/opt/electriccloud/electriccommander&& LD_LIBRARY_PATH=$COMMANDER_HOME/lib&& OPENSSL_CONF="$COMMANDER_HOME/conf/agentssl.cnf"&& echo -e "quit\n" | $COMMANDER_HOME/bin/openssl s_client -connect localhost:8443 -tls1_2

CloudBees CD/RO 10.1.x:

COMMANDER_HOME=/opt/cloudbees/sda&& LD_LIBRARY_PATH=$COMMANDER_HOME/lib&& OPENSSL_CONF="$COMMANDER_HOME/conf/agentssl.cnf"&& echo -e "quit\n" | $COMMANDER_HOME/bin/openssl s_client -connect localhost:8443 -tls1_2

Windows Systems

CloudBees CD/RO 10.0.x and lower:

cd "C:\Program Files\Electric Cloud\ElectricCommander\bin"

set OPENSSL_CONF=C:\ProgramData\Electric Cloud\ElectricCommander\conf\agentssl.cnf

set COMMANDER_HOME=C:\Program Files\Electric Cloud\ElectricCommander\

set LD_LIBRARY_PATH=%COMMANDER_HOME%bin

openssl s_client -connect localhost:8443 -tls1_2

CloudBees CD/RO 10.1.x:

cd "C:\Program Files\CloudBees\Software Delivery Automation"

set OPENSSL_CONF=C:\ProgramData\CloudBees\Software Delivery Automation\conf\agentssl.cnf

set COMMANDER_HOME=C:\Program Files\CloudBees\Software Delivery Automation\

set LD_LIBRARY_PATH=%COMMANDER_HOME%bin

openssl s_client -connect localhost:8443 -tls1_2

In case the SSL handshake is properly executed we will receive a message similar to:

---
SSL handshake has read 2204 bytes and written 326 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 343FCBC5D64DFE053C4111B96E529FD6F4A3562DB1A66C4622901A722F3B92BD
    Session-ID-ctx:
    Master-Key: 90557A4C15104BA7DFF27E46CAC636B2B91C40A36EC3B7D1961A8B947A7150ED66EEA4EE119E5D754BAD6696CEBC6D39
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1615578628
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: yes
---
DONE

If the SSL certificate in the CloudBees CD/RO Server doesn´t support TLS 1.2, we will receive a message similar to:

---
SSL handshake has read 7 bytes and written 106 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1615578979
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

In this case we will need to change our CloudBees CD/RO Server Certificate for one with TLS 1.2 support, as explained in CloudBees CD/RO Certificate Fails Security Scan

Please, be aware if you are running in a cluster environment then your Load Balancer system could be overriding the CloudBees CD/RO certificate. In this case you will need to validate the TLS certificate in the CloudBees CD/RO Server, but pointing both, your CloudBees CD/RO Server FQDN and your LoadBalancer FQDN.

If your CloudBees CD/RO Server accepts TLS 1.2 but not your load balancer cert, please contact your IT team to upgrade the Load Balancer certificate.

This article is part of our Knowledge Base and is provided for guidance-based purposes only. The solutions or workarounds described here are not officially supported by CloudBees and may not be applicable in all environments. Use at your own discretion, and test changes in a safe environment before applying them to production systems.