Issue
CloudBees CI is configured to work with a proxy under
(previously ) and Basic authentication is provided with the corresponding username / password.
After we click on the Check now button to get the updates, a stacktrace similar to the one below is shown in the GUI.

2020-09-25 10:13:00.023+0000 [id=529] INFO hudson.util.Retrier#start: The attempt #1 to do the action check updates server failed with an allowed exception:
java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"
    at sun.net.www.protocol.http.HttpURLConnection.doTunneling(HttpURLConnection.java:2124)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:183)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    at com.cloudbees.jenkins.plugins.license.nectar.CloudBeesUpdateSite.loadJSON(CloudBeesUpdateSite.java:539)
    at com.cloudbees.jenkins.plugins.license.nectar.CloudBeesUpdateSite.updateDirectlyNow(CloudBeesUpdateSite.java:529)

More generally:
- connections to http:// URLs are working through the proxy
- connections to https:// URLs are failing through the proxy

Explanation
Jenkins proxy configuration uses HTTP CONNECT to tunnel connections through the proxy.
Since the release of Java 1.8.0_111-b14, the Basic authentication scheme is disabled by default when tunnelling HTTPS connections with the HTTP CONNECT method, to address CVE-2016-5597. System properties such as jdk.http.auth.tunneling.disabledSchemes have been provided to control the list of disabled schemes for such scenarios. As mentioned in the release note:
In some environments, certain authentication schemes may be undesirable when proxying HTTPS. Accordingly, the Basic authentication scheme has been deactivated, by default, in the Oracle Java Runtime, by adding Basic to the jdk.http.auth.tunneling.disabledSchemes networking property. Now, proxies requiring Basic authentication when setting up a tunnel for HTTPS will no longer succeed by default. If required, this authentication scheme can be reactivated by removing Basic from the jdk.http.auth.tunneling.disabledSchemes networking property, or by setting a system property of the same name to "" ( empty ) on the command line.
Additionally, the jdk.http.auth.tunneling.disabledSchemes and jdk.http.auth.proxying.disabledSchemes networking properties, and system properties of the same name, can be used to disable other authentication schemes that may be active when setting up a tunnel for HTTPS, or proxying plain HTTP, respectively.
Consequently, if using the Jenkins proxy configuration with Basic authentication, requests to HTTPS URLs fail, generally with an HTTP error code 407, as the proxy authorization details will not be sent through. System properties must be added to make it work.
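
The exchange described above, modelled in Python as an added example (not CloudBees or JDK code): the client withholds the Proxy-Authorization header whenever Basic is in the disabled list, so the proxy answers 407. The host name, account and password are constructed sample values, and the property parsing is a simplified model of the JDK behaviour.

```python
import base64
import hmac

def disabled_schemes(prop):
    """Parse jdk.http.auth.tunneling.disabledSchemes (modelled).
    None means the property is unset, so the default ("Basic") applies."""
    raw = "Basic" if prop is None else prop
    return {s.strip().lower() for s in raw.split(",") if s.strip()}

def client_connect(host, port, user, password, prop):
    """Build the CONNECT request the client sends to the proxy."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if "basic" not in disabled_schemes(prop):
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def proxy_respond(request, accounts):
    """Proxy side: parse headers, verify Basic credentials, return the status line."""
    head = request.decode().split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    headers = {k.strip().lower(): v.strip() for k, v in (h.split(":", 1) for h in head)}
    scheme, _, token = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            user, _, pw = base64.b64decode(token).decode().partition(":")
        except ValueError:  # bad padding or non-UTF-8 bytes
            user, pw = None, ""
        # Constant-time comparison of the supplied password with the stored one.
        if user in accounts and hmac.compare_digest(accounts[user].encode(), pw.encode()):
            return "HTTP/1.1 200 Connection established"
    return "HTTP/1.1 407 Proxy Authentication Required"

def exchange(prop):
    """Run one tunnel attempt for a given property value; returns (request, status)."""
    accounts = {"jenkins-svc": "constructed-secret"}  # constructed sample account
    req = client_connect("updates.example.test", 443,
                         "jenkins-svc", "constructed-secret", prop)
    return req, proxy_respond(req, accounts)

if __name__ == "__main__":
    for prop in (None, "Basic,NTLM", ""):
        req, status = exchange(prop)
        print(f"disabledSchemes={prop!r}: {status}")
```

The Basic token is only base64-encoded and is sent in the CONNECT request before any TLS tunnel exists, so once the scheme is re-enabled the proxy credentials are readable on the path to the proxy unless that connection is itself encrypted.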
Resolution
As per the release notes of Java 1.8.0_111-b14, the solution / workaround is to add the system property -Djdk.http.auth.tunneling.disabledSchemes="" on Jenkins startup. See How to add Java arguments to Jenkins?.
Under certain unknown circumstances, it might also be necessary to add -Dhttp.auth.preference="basic" to fully work around this issue.