This repository has been archived by the owner on Jan 14, 2023. It is now read-only.

Build is failing on debian Jessie due to SSL issues #61

Closed
tfoote opened this issue Nov 20, 2017 · 15 comments


@tfoote

tfoote commented Nov 20, 2017

http://build.ros.org/view/Kbin_dj_dJ64/job/Kbin_dj_dJ64__rosjava_bootstrap__debian_jessie_amd64__binary/30/console

00:03:21.394 cd /tmp/binarydeb/ros-kinetic-rosjava-bootstrap-0.3.2 && ROS_MAVEN_REPOSITORY=https://github.com/rosjava/rosjava_mvn_repo/raw/master GRADLE_USER_HOME=/tmp/binarydeb/ros-kinetic-rosjava-bootstrap-0.3.2/obj-x86_64-linux-gnu/devel/share/gradle /tmp/binarydeb/ros-kinetic-rosjava-bootstrap-0.3.2/obj-x86_64-linux-gnu/catkin_generated/env_cached.sh /tmp/binarydeb/ros-kinetic-rosjava-bootstrap-0.3.2/gradlew -q publish installApp
00:03:21.641 Downloading https://services.gradle.org/distributions/gradle-2.14.1-all.zip
00:03:22.185 
00:03:22.185 Exception in thread "main" java.lang.RuntimeException: javax.net.ssl.SSLException: java.security.ProviderException: java.security.InvalidKeyException: EC parameters error
00:03:22.186 	at org.gradle.wrapper.ExclusiveFileAccessManager.access(ExclusiveFileAccessManager.java:78)
00:03:22.186 	at org.gradle.wrapper.Install.createDist(Install.java:44)
00:03:22.186 	at org.gradle.wrapper.WrapperExecutor.execute(WrapperExecutor.java:126)
00:03:22.186 	at org.gradle.wrapper.GradleWrapperMain.main(GradleWrapperMain.java:55)
00:03:22.186 Caused by: javax.net.ssl.SSLException: java.security.ProviderException: java.security.InvalidKeyException: EC parameters error
00:03:22.186 	at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
00:03:22.186 	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1914)
00:03:22.186 	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1872)
00:03:22.186 	at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1855)
00:03:22.186 	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1376)
00:03:22.187 	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1353)
00:03:22.187 	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
00:03:22.187 	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
00:03:22.187 	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1348)
00:03:22.187 	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
00:03:22.187 	at org.gradle.wrapper.Download.downloadInternal(Download.java:56)
00:03:22.187 	at org.gradle.wrapper.Download.download(Download.java:42)
00:03:22.187 	at org.gradle.wrapper.Install$1.call(Install.java:57)
00:03:22.187 	at org.gradle.wrapper.Install$1.call(Install.java:44)
00:03:22.187 	at org.gradle.wrapper.ExclusiveFileAccessManager.access(ExclusiveFileAccessManager.java:65)
00:03:22.187 	... 3 more
00:03:22.187 Caused by: java.security.ProviderException: java.security.InvalidKeyException: EC parameters error
00:03:22.187 	at sun.security.pkcs11.P11Key$P11ECPublicKey.getEncodedInternal(P11Key.java:1024)
00:03:22.187 	at sun.security.pkcs11.P11Key.equals(P11Key.java:158)
00:03:22.187 	at java.util.ArrayList.indexOf(ArrayList.java:298)
00:03:22.187 	at java.util.ArrayList.contains(ArrayList.java:281)
00:03:22.187 	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:239)
00:03:22.188 	at sun.security.validator.Validator.validate(Validator.java:260)
00:03:22.188 	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
00:03:22.188 	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
00:03:22.188 	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
00:03:22.188 	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1459)
00:03:22.188 	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:213)
00:03:22.188 	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:961)
00:03:22.188 	at sun.security.ssl.Handshaker.process_record(Handshaker.java:897)
00:03:22.188 	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1033)
00:03:22.188 	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1342)
00:03:22.188 	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1369)
00:03:22.188 	... 13 more
00:03:22.188 Caused by: java.security.InvalidKeyException: EC parameters error
00:03:22.188 	at sun.security.ec.ECParameters.getAlgorithmParameters(ECParameters.java:284)
00:03:22.188 	at sun.security.ec.ECPublicKeyImpl.<init>(ECPublicKeyImpl.java:59)
00:03:22.188 	at sun.security.pkcs11.P11Key$P11ECPublicKey.getEncodedInternal(P11Key.java:1021)
00:03:22.188 	... 28 more
00:03:22.189 Caused by: java.security.NoSuchProviderException: no such provider: SunEC
00:03:22.189 	at sun.security.jca.GetInstance.getService(GetInstance.java:83)
00:03:22.189 	at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
00:03:22.189 	at java.security.Security.getImpl(Security.java:697)
00:03:22.189 	at java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:199)
00:03:22.189 	at sun.security.ec.ECParameters.getAlgorithmParameters(ECParameters.java:279)
00:03:22.189 	... 30 more
00:03:22.213 CMakeFiles/gradle-rosjava_bootstrap.dir/build.make:52: recipe for target 'CMakeFiles/gradle-rosjava_bootstrap' failed
00:03:22.213 make[4]: Leaving directory '/tmp/binarydeb/ros-kinetic-rosjava-bootstrap-0.3.2/obj-x86_64-linux-gnu'
00:03:22.213 make[4]: *** [CMakeFiles/gradle-rosjava_bootstrap] Error 1
00:03:22.213 CMakeFiles/Makefile2:249: recipe for target 'CMakeFiles/gradle-rosjava_bootstrap.dir/all' failed
00:03:22.213 make[3]: *** [CMakeFiles/gradle-rosjava_bootstrap.dir/all] Error 2
00:03:22.213 make[3]: Leaving directory '/tmp/binarydeb/ros-kinetic-rosjava-bootstrap-0.3.2/obj-x86_64-linux-gnu'
00:03:22.214 Makefile:120: recipe for target 'all' failed
00:03:22.214 make[2]: *** [all] Error 2
00:03:22.214 make[2]: Leaving directory '/tmp/binarydeb/ros-kinetic-rosjava-bootstrap-0.3.2/obj-x86_64-linux-gnu'
00:03:22.214 dh_auto_build: make -j1 returned exit code 2
00:03:22.216 debian/rules:36: recipe for target 'override_dh_auto_build' failed
00:03:22.216 make[1]: *** [override_dh_auto_build] Error 2
00:03:22.216 make[1]: Leaving directory '/tmp/binarydeb/ros-kinetic-rosjava-bootstrap-0.3.2'
00:03:22.219 debian/rules:23: recipe for target 'build' failed
00:03:22.219 make: *** [build] Error 2
00:03:22.219 dpkg-buildpackage: error: debian/rules build gave error exit status 2
00:03:22.223 E: Building failed
00:03:22.226 Traceback (most recent call last):
00:03:22.227   File "/tmp/ros_buildfarm/ros_buildfarm/binarydeb_job.py", line 133, in build_binarydeb
00:03:22.227     subprocess.check_call(cmd, cwd=source_dir)
00:03:22.227   File "/usr/lib/python3.4/subprocess.py", line 561, in check_call
00:03:22.227     raise CalledProcessError(retcode, cmd)
00:03:22.228 subprocess.CalledProcessError: Command '['apt-src', 'build', 'ros-kinetic-rosjava-bootstrap']' returned non-zero exit status 1
00:03:22.228 
00:03:22.228 --------------------------------------------------------------------------------------------------
00:03:22.228 `apt-src build ros-kinetic-rosjava-bootstrap` failed.
00:03:22.228 This is usually because of an error building the package.
00:03:22.228 The traceback from this failure (just above) is printed for completeness, but you can ignore it.
00:03:22.228 You should look above `E: Building failed` in the build log for the actual cause of the failure.
00:03:22.228 --------------------------------------------------------------------------------------------------
00:03:22.228 

I think this might be a systematic issue with Jessie being older.
@nuclearsandwich @mikaelarguedas FYI

@tfoote
Author

tfoote commented Nov 20, 2017

It looks like this is an issue with older openjdk7 versions: gradle/gradle#2421

Travis was tracking this and then closed it: travis-ci/travis-ci#8503

I found there's a pretty ugly workaround here to inject the EC parameter support: eseifert/gral@c24e08a

@jubeira

jubeira commented Nov 22, 2017

Hi @tfoote, thanks for reporting this.
We've checked this out with @ernestmc, and apparently there might be a problem with the encryption algorithm in that URL https://services.gradle.org/distributions/gradle-2.14.1-all.zip, which changed recently and may not be supported by old JDKs as you point out.

Which version of OpenJDK are you using in the build? I just tried installing rosjava from source in Ubuntu 14.04 with OpenJDK 1.7.0_151 and I didn't experience issues (the installation process downloads the gradle distribution without problems).

We can think of two quick workarounds, but they are somewhat dirty.

  • The first one would be using HTTP instead of HTTPS in the distribution URL. The problem is that it may be somewhat risky.
  • The second one would be placing the Gradle binary distribution in the rosjava_bootstrap repository and pointing to that distribution instead of a URL, as one user suggests in this issue: SSL issues on catkin_make rosjava_core#252.

Any thoughts about this? What do you think is best to solve the problem?

@nuclearsandwich

@jubeira from the logs it looks like openjdk-7-jdk_7u151-2.6.11-1~deb8u1_amd64.deb is being installed in the buildfarm container as well. Are you able to reproduce the issue if you use the ros_buildfarm scripts? I'll try and give it a shot later as well.

@jubeira

jubeira commented Nov 22, 2017

@nuclearsandwich no, I haven't, but it will be interesting to try indeed. I will give it a shot later too.

@jubeira

jubeira commented Nov 22, 2017

I just realized that my $JAVA_HOME environment variable was pointing to java-8-oracle in my Ubuntu 14, even though java -version yielded openJDK 7, and apparently Gradle uses that environment variable at some point. If I unset that variable, my build fails too. So the conclusion for now is that the issue is with OpenJDK 7 indeed, but not with Oracle's JDK.

@nuclearsandwich

> OpenJDK 7 indeed, but not with Oracle's JDK.

Did you test with Oracle's JDK 7, because JDK 8 whether open or otherwise would have the updated crypto protocols.

@ernestmc
Member

I tried this on a clean Ubuntu 14.04 docker and was able to reproduce the error. As @jubeira points out either java-8-oracle or openjdk-8-jdk provide the libraries needed for the cryptographic algorithm.
One proven solution on Ubuntu 14.04 is the following:

  1. Install openjdk-8-jdk from this ppa:

       add-apt-repository ppa:openjdk-r/ppa
       apt update
       apt install openjdk-8-jdk

  2. Modify the environment variable to use the libraries from this jdk:

       export JAVA_HOME='/usr/lib/jvm/java-8-openjdk-amd64/'

I have not tested this on Debian but a similar solution should work.
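
Added example, not part of the thread or of the rosjava or Gradle code: a check for the mismatch described above, where `java -version` reports one JDK while the wrapper runs another because `JAVA_HOME` is set, and for the `JAVA_HOME` export in the workaround. It assumes the stock `gradlew` lookup order (`$JAVA_HOME/bin/java` first, then `java` on `PATH`); the function names are hypothetical.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not from rosjava or Gradle.

# Print the java binary a stock gradlew script launches (simplified):
# $JAVA_HOME/bin/java when JAVA_HOME is set, otherwise `java` from PATH.
wrapper_java() {
    if [ -n "${JAVA_HOME:-}" ]; then
        # Strip one trailing slash, as in JAVA_HOME='/usr/lib/jvm/java-8-openjdk-amd64/'.
        printf '%s\n' "${JAVA_HOME%/}/bin/java"
    else
        command -v java
    fi
}

# Print the major version (7, 8, 11, ...) a java binary reports.
# `java -version` writes to stderr; handles "1.7.0_151" and "11.0.2" numbering.
java_major() {
    "$1" -version 2>&1 |
        sed -n 's/.* version "\([0-9][0-9._]*\).*/\1/p' | head -n 1 |
        awk -F'[._]' '{ if ($1 == 1) print $2; else print $1 }'
}

# Report which JVM the wrapper will use and whether it is older than 8,
# the line the thread arrived at empirically (OpenJDK 7 failed, JDK 8 worked).
# Prints ok:N, too-old:N or no-jvm; returns 0, 1 or 2 respectively.
check_wrapper_jvm() {
    path_java=$(command -v java || true)
    wrap_java=$(wrapper_java || true)
    if [ -z "$wrap_java" ] || [ ! -x "$wrap_java" ]; then
        echo "no-jvm"
        return 2
    fi
    if [ "$path_java" != "$wrap_java" ]; then
        echo "note: PATH java is ${path_java:-absent}; wrapper uses $wrap_java" >&2
    fi
    major=$(java_major "$wrap_java")
    if [ "${major:-0}" -lt 8 ]; then
        echo "too-old:${major:-unknown}"
        return 1
    fi
    echo "ok:$major"
}

check_wrapper_jvm || true
```

Run it in the same environment as the build (same user, same container) so that `JAVA_HOME` and `PATH` match what `gradlew` will see.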

@jubeira

jubeira commented Nov 22, 2017

> Did you test with Oracle's JDK 7, because JDK 8 whether open or otherwise would have the updated crypto protocols.

Sorry for the confusion, I meant Oracle JDK 8 which was the version I had installed.
I just tried to download Oracle's JDK 7 but it's no longer available from Oracle's official ppas. Right now, it seems that it's more straightforward to go with @ernestmc's solution.

@nuclearsandwich

Installing openjdk 8 on Jessie would require enabling the jessie-backports repository and either changing the java rosdep key or adding one specifically for java8.

@jubeira

jubeira commented Nov 22, 2017

@tfoote can that be done, or is it too complicated / considered bad practice?

@tfoote
Author

tfoote commented Nov 22, 2017

That's quite intrusive and potentially has a lot of potential side effects on other users.

Two other options might be to download/install the jdk8 into the rosjava_bootstrap repo and export the JAVA home.

Alternatively it could be declared that rosjava can't support Jessie due to lack of openjdk support and we just disable the builds for Jessie.

@jubeira

jubeira commented Nov 22, 2017

Well, in this case the only problem seems to be downloading the Gradle distribution. Placing the binary for Gradle and modifying the URL should do too, but I'd rather avoid placing binaries here.

As for Jessie, perhaps then it's wiser to drop its support now. We could announce this in ROS Discourse to check if anyone was using it, but I don't really think many people actually do.

I already updated the install instructions for Ubuntu 14 in case anyone was having issues with it.

@ernestmc
Member

I agree that dropping support for Rosjava on Debian Jessie would be the way to go. There's always the option to build from sources and we can point this out to the affected users.

@tfoote
Author

tfoote commented Nov 29, 2017

I have submitted it to be blacklisted on Jessie: ros-infrastructure/ros_buildfarm_config#101

@tfoote tfoote closed this as completed Nov 29, 2017
tfoote added a commit to ros-infrastructure/ros_buildfarm_config that referenced this issue Nov 30, 2017
* disable rosjava_boostrap on jessie due to SSL issues
rosjava/rosjava_bootstrap#61

* blacklisting rosjava_boostrap on all arm platforms
@jubeira

jubeira commented Nov 30, 2017

Thanks for taking care of this @tfoote !

nuclearsandwich pushed a commit to ros2/ros_buildfarm_config that referenced this issue Dec 28, 2020
* disable rosjava_boostrap on jessie due to SSL issues
rosjava/rosjava_bootstrap#61

* blacklisting rosjava_boostrap on all arm platforms