Bug 478690 - ssh to servers with insecure ciphers broken with Mars (4.5) and older
Status: RESOLVED WORKSFORME
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Git
Version: unspecified
Hardware: All All
Importance: P3 blocker
Target Milestone: ---
Assignee: Eclipse Webmaster CLA
Whiteboard: stalebug
Duplicates: 478913
Reported: 2015-09-30 03:25 EDT by Dani Megert CLA
Modified: 2017-12-01 06:24 EST
Description Dani Megert CLA 2015-09-30 03:25:38 EDT
ssh to Git servers broken with Mars (4.5) and older.

It works when using latest Mars.1 or Neon builds. It stopped working somewhere between Monday and Tuesday.

See https://dev.eclipse.org/mhonarc/lists/cross-project-issues-dev/msg12427.html for more details.

From that thread:
"
Dani,
 
Your observations match up with mine. I tested the following configurations using the same workspace (same repository). All were fresh installs of the Java EE package.
 
juno sr2 - Algorithm negotiation fail
mars - End of IO Stream Read
neon m1 - End of IO Stream Read
mars.1 rc4a – works
 
I also have a custom Neon installation where platform is M1, but EGit is 4.1. This configuration also works.
 
Hopefully that’s enough for webmasters to figure out what changed.
 
Thanks,
 
- Konstantin
"
Comment 1 Mikaël Barbero CLA 2015-09-30 04:04:16 EDT
Do you see the issue also from a git CLI?
Comment 2 Dani Megert CLA 2015-09-30 04:13:38 EDT
(In reply to Mikael Barbero from comment #1)
> Do you see the issue also from a git CLI?

No, it is related to the usage of EGit and there probably related to JSch. With the latest version shipped with upcoming Mars.1 it works but no longer with the old one from Mars and before.

As Matthias pointed out on the mailing list, jsch 0.1.53 supports more ciphers. Maybe the Eclipse Foundation adjusted the Git server to that fact and now it no longer works with older JSch versions? At any rate, there must be some server or infrastructure change since it worked on Monday and then stopped working for several people.
Comment 3 Mikaël Barbero CLA 2015-09-30 04:25:51 EDT
OK. So we will have to wait for Matt or Denis to tell us more about some changes that may have occurred on the server. AFAIK, there was no change. Maybe some upgrades of sshd or similar?
Comment 4 Roger Light CLA 2015-09-30 04:54:37 EDT
Using "ssh -vv"


git.eclipse.org:29418 (gerrit) reports

DH key exchange: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Public keys: ssh-rsa,ssh-dss
Ciphers: aes128-cbc,3des-cbc,blowfish-cbc,aes128-ctr,arcfour128
MACs: hmac-md5,hmac-sha1,hmac-md5-96,hmac-sha1-96
Compression: none


git.eclipse.org:22 reports

DH key exchange: diffie-hellman-group-exchange-sha256
Public keys: ssh-rsa
Ciphers: aes256-ctr,aes192-ctr,aes128-ctr
MACs: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
Compression: none,zlib@openssh.com


Back in January git.eclipse.org:22 was the same as is reported by gerrit. See https://bugs.eclipse.org/bugs/show_bug.cgi?id=456985 for comparison.

It does seem as though the ssh settings for git.eclipse.org:22 have changed since January at least.
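
The two server offers listed in comment 4 can be checked against a client's algorithm lists with the first-match rule SSH applies during key exchange (RFC 4253, section 7.1): per category, the first name on the client's list that the server also offers wins, and a category with no match aborts the handshake. This is an added example, not part of the original bug thread; the `legacy` and `updated` client profiles are constructed for illustration and are not JSch's actual defaults, and the RFC's kex/host-key compatibility refinement is left out.

```python
# Server offers transcribed from the "ssh -vv" summary in comment 4 of this bug.
SERVERS = {
    "git.eclipse.org:22": {
        "kex": "diffie-hellman-group-exchange-sha256",
        "hostkey": "ssh-rsa",
        "cipher": "aes256-ctr,aes192-ctr,aes128-ctr",
        "mac": ("hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
                "hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,"
                "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com"),
    },
    "git.eclipse.org:29418": {
        "kex": "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
        "hostkey": "ssh-rsa,ssh-dss",
        "cipher": "aes128-cbc,3des-cbc,blowfish-cbc,aes128-ctr,arcfour128",
        "mac": "hmac-md5,hmac-sha1,hmac-md5-96,hmac-sha1-96",
    },
}

# Constructed client profiles (assumptions for illustration, not JSch's real defaults).
CLIENTS = {
    "legacy": {
        "kex": "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1",
        "hostkey": "ssh-rsa,ssh-dss",
        "cipher": "aes128-ctr,aes128-cbc,3des-cbc,blowfish-cbc",
        "mac": "hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96",
    },
    "updated": {
        "kex": "diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1",
        "hostkey": "ssh-rsa",
        "cipher": "aes128-ctr,aes256-ctr",
        "mac": "hmac-sha2-256,hmac-sha1",
    },
}

def negotiate(client, server):
    """Per category, pick the first name on the client's list that the server also offers."""
    chosen = {}
    for category, names in client.items():
        offered = set(server[category].split(","))
        chosen[category] = next((n for n in names.split(",") if n in offered), None)
    return chosen

def failing_categories(client, server):
    """Categories with no common algorithm; any one of them aborts the handshake."""
    return sorted(c for c, name in negotiate(client, server).items() if name is None)

if __name__ == "__main__":
    for cname, client in CLIENTS.items():
        for sname, server in SERVERS.items():
            failed = failing_categories(client, server)
            status = "FAIL: " + ", ".join(failed) if failed else "ok"
            print(f"{cname:8} -> {sname:22} {status}")
```

With these constructed profiles the legacy client still negotiates with the Gerrit port but has no common key exchange or MAC with port 22, while the updated client negotiates with both.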
Comment 5 Markus Keller CLA 2015-09-30 08:43:29 EDT
And here's the stacktrace (for reference and as a target for Bugzilla search):

org.eclipse.jgit.api.errors.TransportException: ssh://<user>@git.eclipse.org/gitroot/jdt/eclipse.jdt.ui.git: Session.connect: java.io.IOException: End of IO Stream Read
	at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:139)
	at org.eclipse.jgit.api.PullCommand.call(PullCommand.java:266)
	at org.eclipse.egit.core.op.PullOperation$1.run(PullOperation.java:106)
	at org.eclipse.core.internal.resources.Workspace.run(Workspace.java:2241)
	at org.eclipse.egit.core.op.PullOperation.execute(PullOperation.java:137)
	at org.eclipse.egit.ui.internal.pull.PullOperationUI.execute(PullOperationUI.java:140)
	at org.eclipse.egit.ui.internal.pull.PullOperationUI$1.runInWorkspace(PullOperationUI.java:115)
	at org.eclipse.core.internal.resources.InternalWorkspaceJob.run(InternalWorkspaceJob.java:39)
	at org.eclipse.core.internal.jobs.Worker.run(Worker.java:55)
Caused by: org.eclipse.jgit.errors.TransportException: ssh://<user>@git.eclipse.org/gitroot/jdt/eclipse.jdt.ui.git: Session.connect: java.io.IOException: End of IO Stream Read
	at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:159)
	at org.eclipse.jgit.transport.SshTransport.getSession(SshTransport.java:136)
	at org.eclipse.jgit.transport.TransportGitSsh$SshFetchConnection.<init>(TransportGitSsh.java:262)
	at org.eclipse.jgit.transport.TransportGitSsh.openFetch(TransportGitSsh.java:161)
	at org.eclipse.jgit.transport.FetchProcess.executeImp(FetchProcess.java:136)
	at org.eclipse.jgit.transport.FetchProcess.execute(FetchProcess.java:122)
	at org.eclipse.jgit.transport.Transport.fetch(Transport.java:1138)
	at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:130)
	... 8 more
Caused by: com.jcraft.jsch.JSchException: Session.connect: java.io.IOException: End of IO Stream Read
	at com.jcraft.jsch.Session.connect(Session.java:558)
	at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:116)
	... 15 more
Comment 6 Eclipse Webmaster CLA 2015-09-30 09:33:31 EDT
I've looked through the patches and there have been changes to both ssh and ssl, and the changes for preventing the logjam attack by disabling weak DH key lengths would be my best guess as to the root of this.

I'll see if there is a way to fix this, but if there isn't I can see 2 options:

1) People need to update to the latest Egit release
2) We move more repos towards Gerrit.

The issue with #2 is that we only have one Gerrit server and I'm not convinced it can handle the load if we moved all the remaining repos to it.  Also presumably Gerrit will change its cipher list and we may be right back here again.

Which leaves us with option #1.

-M.
Comment 7 Denis Roy CLA 2015-09-30 09:50:59 EDT
> Which leaves us with option #1.

Anything we do on Eclipse servers won't fix EGit clients connecting to other servers.

I agree option #1 is the only option.
Comment 8 Dani Megert CLA 2015-09-30 11:02:10 EDT
(In reply to Eclipse Webmaster from comment #6)
> 1) People need to update to the latest Egit release

I can confirm that this works for Mars (4.5). For much older versions where the latest EGit might not be compatible, updating com.jcraft.jsch to 0.1.51.v201410302000 should also do the trick.

I suggest that the Eclipse Foundation communicates this widely.
Comment 9 Denis Roy CLA 2015-09-30 11:05:58 EDT
Are new EGit packages available for all the broken platforms?
Comment 10 Dani Megert CLA 2015-09-30 11:33:45 EDT
(In reply to Denis Roy from comment #9)
> Are new EGit packages available for all the broken platforms?

Did you mean releases? For platforms the answer is "yes".
Comment 11 Ed Willink CLA 2015-09-30 17:34:25 EDT
(In reply to Eclipse Webmaster from comment #6)
> 1) People need to update to the latest Egit release

Upgrading a Neon M1 platform to jsch 0.1.53 and EGIT to 4.1.0 makes no difference for me. Some Eclipse repos work, some don't.
Comment 12 Dani Megert CLA 2015-10-01 04:00:06 EDT
(In reply to Ed Willink from comment #11)
> (In reply to Eclipse Webmaster from comment #6)
> > 1) People need to update to the latest Egit release

> Upgrading a Neon M1 platform to jsch 0.1.53 

How did you do it Ed? Depending on the method it might not work. The easiest is to just install EGit from http://download.eclipse.org/egit/updates via Help > Install New Software... This will also install latest JSch.
Comment 13 Dani Megert CLA 2015-10-01 04:01:55 EDT
(In reply to Dani Megert from comment #10)
> (In reply to Denis Roy from comment #9)
> > Are new EGit packages available for all the broken platforms?
> 
> Did you mean releases? For platforms the answer is "yes".

For releases, https://wiki.eclipse.org/EGit/Contributor_Guide says:
"
EGit and JGit have Java 7.0 and Eclipse Platform 3.8.2 (Juno) as minimum requirements, so dependencies to newer Java and platform versions must be avoided. 
"
Hence it should work for 3.8.2, 4.2 and newer.
Comment 14 Matthias Sohn CLA 2015-10-01 04:46:33 EDT
I verified that EGit 4.1 can be installed and works on 3.8.2
Comment 15 Matthias Sohn CLA 2015-10-01 04:49:11 EDT
Details about which platform versions are supported by EGit are documented here:
https://wiki.eclipse.org/EGit/FAQ#What_versions_of_Eclipse_does_EGit_target.3F
Comment 16 Ed Willink CLA 2015-10-01 05:42:28 EDT
(In reply to Dani Megert from comment #12)
> > Upgrading a Neon M1 platform to jsch 0.1.53 
> 
> How did you do it Ed? Depending on the method it might not work. The easiest
> is to just install EGit from http://download.eclipse.org/egit/updates via
> Help > Install New Software... This will also install latest JSch.

I first tried Check for Updates, but EGIT still offers no update.

Then I did install as suggested above.

I verified the installed versions using Installation Details plugins.

(Concurrently I was experiencing an ssh lockout issue while accessing from a hotel IP, but that has now been resolved and I can login to build.eclipse.org, but still have these selective Eclipse GIT repo issues.)

The failing repos fail very early and quickly. Is it possible that some cache is involved?
Comment 17 Ed Willink CLA 2015-10-01 05:51:53 EDT
(In reply to Ed Willink from comment #16)
> Then I did install as suggested above.

To be more precise. I first selected an EGIT install, but P2 barfed on residue conflicts with my 4.0.1 installation. Backing up the dialog and selecting all components (JGit and EGit sources too) and the installation succeeded.
Comment 18 Dani Megert CLA 2015-10-01 11:17:25 EDT
(In reply to Ed Willink from comment #16)

Ed, I suspect that during the installation process the wrong JSch bundle got wired by p2.

Check via Help > About Eclipse SDK > Installation Details > Plug-ins tab and then check which version of com.jcraft.jsch.
Comment 19 Ed Willink CLA 2015-10-01 12:59:13 EDT
(In reply to Dani Megert from comment #18)
> Check via Help > About Eclipse SDK > Installation Details > Plug-ins tab and
> then check which version of com.jcraft.jsch.

com.jcraft.jsch (0.1.51.v201410302000) "JSch" [Resolved]
com.jcraft.jsch (0.1.53.v201508180515) "JSch" [Resolved]

I see both 0.1.51 and 0.1.53!

This should surely be impossible, but no doubt they are not singletons, so it looks like we may have another which Guava problem starting.
Comment 20 Simon Bernard CLA 2015-10-02 08:51:32 EDT
I think we should add some documentation about that here : https://wiki.eclipse.org/Git
Comment 21 Mikaël Barbero CLA 2015-10-02 11:00:47 EDT
*** Bug 478913 has been marked as a duplicate of this bug. ***
Comment 22 Ed Willink CLA 2015-10-02 11:15:26 EDT
(In reply to Ed Willink from comment #19)
> I see both 0.1.51 and 0.1.53!

Using a fresh M2 installation with only 0.1.53 and all seems ok again. But clearly all my maintenance installations will be broken inhibiting direct maintenance.
Comment 23 Alexander Gurov CLA 2015-10-18 09:27:06 EDT
(In reply to Ed Willink from comment #11)
> (In reply to Eclipse Webmaster from comment #6)
> > 1) People need to update to the latest Egit release
> 
> Upgrading a Neon M1 platform to jsch 0.1.53 and EGIT to 4.1.0 makes no
> difference for me. Some Eclipse repos work, some don't.

The issue did not disappear for me either. Older and newer EGit versions both work just fine with SimRel repo and both do not work with Subversive repo. And there is no difference in error too:

org.eclipse.jgit.api.errors.TransportException: ssh://agurov@git.eclipse.org/gitroot/www.eclipse.org/subversive.git: Session.connect: java.io.IOException: End of IO Stream Read
	at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:139)
	at org.eclipse.jgit.api.PullCommand.call(PullCommand.java:266)
	at org.eclipse.egit.core.op.PullOperation$1.run(PullOperation.java:106)
	at org.eclipse.core.internal.resources.Workspace.run(Workspace.java:2241)
	at org.eclipse.egit.core.op.PullOperation.execute(PullOperation.java:137)
	at org.eclipse.egit.ui.internal.pull.PullOperationUI.execute(PullOperationUI.java:140)
	at org.eclipse.egit.ui.internal.pull.PullOperationUI$1.runInWorkspace(PullOperationUI.java:115)
	at org.eclipse.core.internal.resources.InternalWorkspaceJob.run(InternalWorkspaceJob.java:39)
	at org.eclipse.core.internal.jobs.Worker.run(Worker.java:55)
Caused by: org.eclipse.jgit.errors.TransportException: ssh://agurov@git.eclipse.org/gitroot/www.eclipse.org/subversive.git: Session.connect: java.io.IOException: End of IO Stream Read
	at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:159)
	at org.eclipse.jgit.transport.SshTransport.getSession(SshTransport.java:136)
	at org.eclipse.jgit.transport.TransportGitSsh$SshFetchConnection.<init>(TransportGitSsh.java:262)
	at org.eclipse.jgit.transport.TransportGitSsh.openFetch(TransportGitSsh.java:161)
	at org.eclipse.jgit.transport.FetchProcess.executeImp(FetchProcess.java:136)
	at org.eclipse.jgit.transport.FetchProcess.execute(FetchProcess.java:122)
	at org.eclipse.jgit.transport.Transport.fetch(Transport.java:1138)
	at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:130)
	... 8 more
Caused by: com.jcraft.jsch.JSchException: Session.connect: java.io.IOException: End of IO Stream Read
	at com.jcraft.jsch.Session.connect(Session.java:558)
	at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:116)
	... 15 more
Comment 24 Ed Willink CLA 2015-10-18 09:46:32 EDT
(In reply to Alexander Gurov from comment #23)
> (In reply to Ed Willink from comment #11)
> > (In reply to Eclipse Webmaster from comment #6)
> > > 1) People need to update to the latest Egit release
> > 
> > Upgrading a Neon M1 platform to jsch 0.1.53 and EGIT to 4.1.0 makes no
> > difference for me. Some Eclipse repos work, some don't.
> 
> The issue did not disappear for me either. Older and newer EGit versions
> both work just fine with SimRel repo and both do not work with Subversive
> repo. And there is no difference in error too:

You missed the subsequent comments.

P2 does not make a reliable choice when two non-singletons are available, so you must brutally eliminate com.jcraft.jsch (0.1.51.v201410302000)
Comment 25 Alexander Gurov CLA 2015-10-18 13:11:01 EDT
(In reply to Ed Willink from comment #24)
> You missed the subsequent comments.
> 
> P2 does not make a reliable choice when two non-singletons are available, so
> you must brutally eliminate com.jcraft.jsch (0.1.51.v201410302000)

I did not. After replacing Luna with Mars.1 and installing the latest EGit my configuration contains com.jcraft.jsch plug-in of 0.1.53.v201508180515 version only.

P.S.
Also when I had conflict between com.jcraft.jsch versions in Luna, EGit did not work at all (it just did not start a little more than completely :) ).
Comment 26 Alexander Gurov CLA 2015-10-18 13:15:17 EDT
(In reply to Alexander Gurov from comment #25)
So, to be exact: at the moment I have a configuration with com.jcraft.jsch 0.1.53.v201508180515 and EGit 4.1.0.201509280440-r installed in Mars.1. And this configuration does not solve anything.
Comment 27 Markus Keller CLA 2015-10-26 09:31:08 EDT
Bug 478695 is about a scenario where p2 breaks the install when you try to upgrade from EGit 4.0 to 4.1. Solution is to start with the -clean command line argument.
Comment 28 Lina Kemmel CLA 2015-10-28 12:11:31 EDT
For me it started working in Neon M2 with a built-in egit 4.1.0.201509280440 (failing in Mars and Neon M1 with the latest egit / jsch).
Comment 29 Eclipse Genie CLA 2017-10-18 15:33:14 EDT
This bug hasn't had any activity in quite some time. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet.

If you have further information on the current state of the bug, please add it. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant.

--
The automated Eclipse Genie.