Error regarding: SSL routines:ssl3_read_bytes:tlsv1

*SonarQube Enterprise Edition

  • Version 10.3 (build 82913)
    We are using SonarQube extension for Azure DevOps version: 5.20.0 (latest) in our Azure Devops pipeline. This extension version got updated yesterday automatically to 5.20.0 (latest) from 5.19.2.

And now, we are getting this error message in Code Analysis part of our pipeline:

##[error][SQ] API GET ‘/api/server/version’ failed, error is request to https://sonar.cloud.xxx.com/api/server/version failed, reason: write EPROTO 139912253751360:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:…/deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 70

We are not sure why we are getting this error message and how to fix it. I also could not manage to find a way in Azure DevOps as to how i can rollback to previous sonarqube extension version. It alwayas picks the latest version from the marketplace.

One more thing i noticed in my pipeline run that it shows in the header for the task:

Starting: Prepare Analysis Configuration

Task : Prepare Analysis Configuration
Description : Prepare SonarQube analysis configuration
Version : 5.19.1
Author : sonarsource
Help : Version: 5.19.1. More Information

error…

I am not sure why version 5.19.1 is stated here, whereas if i look in AzureDevOps the installed extension version is 5.20.0.

So, I will appreciate any pointers towards identifying the problem.

Thanks.

The problem got resolved. The Sonar server was recently updated to only accept TLS v1.3. As task definition in [SonarQubePrepare@5] relied on node10, which lacks support for TLSv1.3, the connectivity with the server failed. As a temporary solution, we included a step before [SonarQubePrepare@5] to modify the task definition accordingly.

- bash: |
          echo "Replacing Node version in SonarQube task"
          find _tasks/SonarQube* -name 'task.json' -exec sed -i 's/Node10/Node16/g' {} \;
        name: FixSonarQubeTask
        workingDirectory: "/home/vsts/work"

PS: Could not manage to dynamically get workingDirectory path above, so had to hard code.
Tried, workingDirectory: “$(Agent.WorkFolder)” but with my build vm agent as Ubuntu, it did not work.

Greetings Suleman,
Welcome to the Sonar Community :wave: .

Yes, we released a small version bump to 5.20.0 (see details here).

I am not sure why version 5.19.1 is stated here, whereas if i look in AzureDevOps the installed extension version is 5.20.0.

Each task in AzureDevops has its own version; here, you are looking at the “Prepare” task.

The Sonar server was recently updated to only accept TLS v1.3. As task definition in [SonarQubePrepare@5] relied on node10, which lacks support for TLSv1.3, the connectivity with the server failed.

I’m glad you were able to find a solution to the TLS problem. I will elevate this issue. We plan to release a newer version of the SonarQube AzureDevOps extension in the near future, which will use a newer version of node, and should resolve this TLS problem.

Cheers,
Lucas

1 Like

We have the same problem when using TLS 1.3 with AzureDevOps Task , our application is JAVA.

- task: SonarQubePrepare@5
        displayName: Prepare SonarQube Analysis
        inputs:
          SonarQube: 'SonarMgmt'
          scannerMode: 'Other'
          extraProperties: |
            sonar.projectKey=$(sonar_project_key)
            sonar.coverage.jacoco.xmlReportPaths=$(build.artifactstagingdirectory)/Code Coverage Report_$(Build.BuildId)/jacoco.xml

error: reason: write EPROTO 140597843173440:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:…/deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 40

Can you please help on this?