Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSL Handshake failures when using smithy CLI with private maven repository in smithy-build.json #2370

Closed
nated0g opened this issue Aug 14, 2024 · 5 comments · Fixed by #2379
Closed

SSL Handshake failures when using smithy CLI with private maven repository in smithy-build.json #2370

nated0g opened this issue Aug 14, 2024 · 5 comments · Fixed by #2379
Labels
bug This issue is a bug. investigating This issue is being investigated and/or work is in progress to resolve the issue.

Comments

@nated0g
Copy link

nated0g commented Aug 14, 2024
edited
Loading

I'm trying to migrate some of our smithy tooling to use the smithy-cli instead of gradle.

I have a private github maven repository specified in my smithy-build.json. I can reach the path to the maven repository and collect the artifact without issue using curl -u nated0g:$GITHUB_TOKEN https://maven.pkg.github.com/foo. The smithy build works fine using gradle.

relevant part of smithy-build.json:

{
  "version": "1.0",
  "maven": {
    "dependencies": [
      "<MY CUSTOM PACKAGE>",
      "software.amazon.smithy:smithy-aws-apigateway-traits:1.27.0",
      "software.amazon.smithy:smithy-aws-iam-traits:1.27.0",
      "software.amazon.smithy:smithy-aws-traits:1.27.0",
      "software.amazon.smithy:smithy-waiters:1.27.0"
    ],
    "repositories": [
      {
        "url": "https://repo1.maven.org/maven2/"
      },
      {
        "url": "https://maven.pkg.github.com/<REDACTED>",
        "httpCredentials":"nated0g:${GITHUB_TOKEN}"
      }
    ]
  },
  "transforms": [
...
  ],
  "projections": {
...
  }
}

Relevant logs (from smithy build --logging FINE --stacktrace), including stack trace:

[FINE] Using transporter HttpTransporter with priority 5.0 for https://maven.pkg.github.com/<REDACTED>
[FINE] Using connector BasicRepositoryConnector with priority 0.0 for https://maven.pkg.github.com/<REDACTED>
[FINE] CookieSpec selected: default
[FINE] Connection request: [route: {s}->https://maven.pkg.github.com:443][total available: 0; route allocated: 0 of 50; total allocated: 0 of 100]
[FINE] Connection leased: [id: 3][route: {s}->https://maven.pkg.github.com:443][total available: 0; route allocated: 1 of 50; total allocated: 1 of 100]
[FINE] Opening connection {s}->https://maven.pkg.github.com:443
[FINE] Connecting to maven.pkg.github.com/140.82.114.34:443
[FINE] Connecting socket to maven.pkg.github.com/140.82.114.34:443 with timeout 10000
[FINE] Enabled protocols: [TLSv1.3, TLSv1.2]
[FINE] Enabled cipher suites:[TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
[FINE] Starting handshake
[FINE] http-outgoing-3: Shutdown connection
[FINE] Connection discarded
[FINE] Connection released: [id: 3][route: {s}->https://maven.pkg.github.com:443][total available: 0; route allocated: 0 of 50; total allocated: 0 of 100]
[FINE] Connection manager is shutting down
[FINE] Connection manager shut down
software.amazon.smithy.cli.dependencies.DependencyResolverException: Failed to collect dependencies at <REDACTED>
	at software.amazon.smithy.cli.dependencies.MavenDependencyResolver.resolveMavenArtifacts(MavenDependencyResolver.java:242)
	at software.amazon.smithy.cli.dependencies.MavenDependencyResolver.resolve(MavenDependencyResolver.java:193)
	at software.amazon.smithy.cli.dependencies.FilterCliVersionResolver.resolve(FilterCliVersionResolver.java:66)
	at software.amazon.smithy.cli.dependencies.FileCacheResolver.resolve(FileCacheResolver.java:82)
	at software.amazon.smithy.cli.commands.ClasspathAction.resolveDependencies(ClasspathAction.java:155)
	at software.amazon.smithy.cli.commands.ClasspathAction.runTaskWithClasspath(ClasspathAction.java:112)
	at software.amazon.smithy.cli.commands.ClasspathAction.apply(ClasspathAction.java:61)
	at software.amazon.smithy.cli.commands.HelpActionWrapper.apply(HelpActionWrapper.java:85)
	at software.amazon.smithy.cli.commands.BuildCommand.execute(BuildCommand.java:82)
	at software.amazon.smithy.cli.commands.SmithyCommand.execute(SmithyCommand.java:117)
	at software.amazon.smithy.cli.Cli.run(Cli.java:82)
	at software.amazon.smithy.cli.SmithyCli.run(SmithyCli.java:104)
	at software.amazon.smithy.cli.SmithyCli.main(SmithyCli.java:50)
Caused by: software.amazon.smithy.cli.shaded.eclipse.aether.resolution.DependencyResolutionException: Failed to collect dependencies at <REDACTED>
	at software.amazon.smithy.cli.shaded.eclipse.aether.internal.impl.DefaultRepositorySystem.resolveDependencies(DefaultRepositorySystem.java:398)
	at software.amazon.smithy.cli.dependencies.MavenDependencyResolver.resolveMavenArtifacts(MavenDependencyResolver.java:237)
	... 12 more
Caused by: software.amazon.smithy.cli.shaded.eclipse.aether.collection.DependencyCollectionException: Failed to collect dependencies at <REDACTED>
	at software.amazon.smithy.cli.shaded.eclipse.aether.internal.impl.collect.DependencyCollectorDelegate.collectDependencies(DependencyCollectorDelegate.java:283)
	at software.amazon.smithy.cli.shaded.eclipse.aether.internal.impl.collect.DefaultDependencyCollector.collectDependencies(DefaultDependencyCollector.java:95)
	at software.amazon.smithy.cli.shaded.eclipse.aether.internal.impl.DefaultRepositorySystem.resolveDependencies(DefaultRepositorySystem.java:354)
	... 13 more
Caused by: software.amazon.smithy.cli.shaded.eclipse.aether.resolution.ArtifactDescriptorException: Failed to read artifact descriptor for <REDACTED>
	at software.amazon.smithy.cli.shaded.apache.maven.repository.internal.DefaultArtifactDescriptorReader.loadPom(DefaultArtifactDescriptorReader.java:255)
	at software.amazon.smithy.cli.shaded.apache.maven.repository.internal.DefaultArtifactDescriptorReader.readArtifactDescriptor(DefaultArtifactDescriptorReader.java:171)
	at software.amazon.smithy.cli.shaded.eclipse.aether.internal.impl.collect.df.DfDependencyCollector.resolveCachedArtifactDescriptor(DfDependencyCollector.java:316)
	at software.amazon.smithy.cli.shaded.eclipse.aether.internal.impl.collect.df.DfDependencyCollector.getArtifactDescriptorResult(DfDependencyCollector.java:301)
	at software.amazon.smithy.cli.shaded.eclipse.aether.internal.impl.collect.df.DfDependencyCollector.processDependency(DfDependencyCollector.java:188)
	at software.amazon.smithy.cli.shaded.eclipse.aether.internal.impl.collect.df.DfDependencyCollector.processDependency(DfDependencyCollector.java:137)
	at software.amazon.smithy.cli.shaded.eclipse.aether.internal.impl.collect.df.DfDependencyCollector.process(DfDependencyCollector.java:125)
	at software.amazon.smithy.cli.shaded.eclipse.aether.internal.impl.collect.df.DfDependencyCollector.doCollectDependencies(DfDependencyCollector.java:107)
	at software.amazon.smithy.cli.shaded.eclipse.aether.internal.impl.collect.DependencyCollectorDelegate.collectDependencies(DependencyCollectorDelegate.java:247)
	... 15 more
Caused by: software.amazon.smithy.cli.shaded.eclipse.aether.resolution.ArtifactResolutionException: Could not transfer artifact <REDACTED> from/to 2|maven.pkg.github.com (https://maven.pkg.github.com/<REDACTED>): Received fatal alert: handshake_failure
	at software.amazon.smithy.cli.shaded.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve(DefaultArtifactResolver.java:506)
	at software.amazon.smithy.cli.shaded.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifacts(DefaultArtifactResolver.java:278)
	at software.amazon.smithy.cli.shaded.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifact(DefaultArtifactResolver.java:255)
	at software.amazon.smithy.cli.shaded.apache.maven.repository.internal.DefaultArtifactDescriptorReader.loadPom(DefaultArtifactDescriptorReader.java:240)
	... 23 more
Caused by: software.amazon.smithy.cli.shaded.eclipse.aether.transfer.ArtifactTransferException: Could not transfer artifact <REDACTED> from/to 2|maven.pkg.github.com (https://maven.pkg.github.com/<REDACTED>): Received fatal alert: handshake_failure
	at software.amazon.smithy.cli.shaded.eclipse.aether.connector.basic.ArtifactTransportListener.transferFailed(ArtifactTransportListener.java:52)
	at software.amazon.smithy.cli.shaded.eclipse.aether.connector.basic.BasicRepositoryConnector$TaskRunner.run(BasicRepositoryConnector.java:388)
	at software.amazon.smithy.cli.shaded.eclipse.aether.util.concurrency.RunnableErrorForwarder.lambda$wrap$0(RunnableErrorForwarder.java:73)
	at software.amazon.smithy.cli.shaded.eclipse.aether.connector.basic.BasicRepositoryConnector$DirectExecutor.execute(BasicRepositoryConnector.java:635)
	at software.amazon.smithy.cli.shaded.eclipse.aether.connector.basic.BasicRepositoryConnector.get(BasicRepositoryConnector.java:280)
	at software.amazon.smithy.cli.shaded.eclipse.aether.internal.impl.DefaultArtifactResolver.performDownloads(DefaultArtifactResolver.java:595)
	at software.amazon.smithy.cli.shaded.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve(DefaultArtifactResolver.java:478)
	... 26 more
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
	at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
	at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
	at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Unknown Source)
	at java.base/sun.security.ssl.TransportContext.dispatch(Unknown Source)
	at java.base/sun.security.ssl.SSLTransport.decode(Unknown Source)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at software.amazon.smithy.cli.shaded.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
	at software.amazon.smithy.cli.shaded.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
	at software.amazon.smithy.cli.shaded.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
	at software.amazon.smithy.cli.shaded.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
	at software.amazon.smithy.cli.shaded.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
	at software.amazon.smithy.cli.shaded.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
	at software.amazon.smithy.cli.shaded.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
	at software.amazon.smithy.cli.shaded.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
	at software.amazon.smithy.cli.shaded.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
	at software.amazon.smithy.cli.shaded.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
	at software.amazon.smithy.cli.shaded.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72)
	at software.amazon.smithy.cli.shaded.eclipse.aether.transport.http.HttpTransporter.execute(HttpTransporter.java:363)
	at software.amazon.smithy.cli.shaded.eclipse.aether.transport.http.HttpTransporter.implGet(HttpTransporter.java:298)
	at software.amazon.smithy.cli.shaded.eclipse.aether.spi.connector.transport.AbstractTransporter.get(AbstractTransporter.java:72)
	at software.amazon.smithy.cli.shaded.eclipse.aether.connector.basic.BasicRepositoryConnector$GetTaskRunner.runTask(BasicRepositoryConnector.java:466)
	at software.amazon.smithy.cli.shaded.eclipse.aether.connector.basic.BasicRepositoryConnector$TaskRunner.run(BasicRepositoryConnector.java:383)
	... 31 more
@JordonPhillips JordonPhillips added bug This issue is a bug. investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Aug 26, 2024
@JordonPhillips
Copy link
Contributor

I can confirm this. I created my own test package using GitHub's package repository, and just like you I'm seeing the Gradle build working but not the Smithy CLI build.

@kstich
Copy link
Contributor

kstich commented Aug 26, 2024

Using the -Djavax.net.debug=all flag should give more details on why the handshake is failing, though I'm not sure if that can be passed directly to the CLI.

@JordonPhillips
Copy link
Contributor

It looks like GitHub is only accepting elliptic curve algorithms in their TLS connections. The Smithy CLI is built using jlink, which doesn't include those by default.

@JordonPhillips JordonPhillips mentioned this issue Aug 26, 2024
Merged
@nated0g
Copy link
Author

nated0g commented Aug 26, 2024

Awesome. Thanks for the quick turnaround. ETA to see this in a smithy cli release?

@JordonPhillips
Copy link
Contributor

Likely sometime this week. There's a few others prs we want to get in before then

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug This issue is a bug. investigating This issue is being investigated and/or work is in progress to resolve the issue.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add the elliptic curve crypto module to jlink JordonPhillips/smithy
3 participants
@JordonPhillips @nated0g @kstich