Connect to EOL hardware with expired TLS 1.2 certificate

Hi

I am running openHAB 5.1.3 and have had the IHC / Elko binding working for years.

This January, the certificate expired, and that messed things up. The hardware is EOL, so there will not be a new certificate for the hardware (IHC controller - smart home controller for lighting, temperature etc.).

I have tried adding the certificate to the truststore inside the running container, ca-certificates updates, but the binding still fails:

COMMUNICATION_ERROR
javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake

I tried debugging from looking in several forums, connecting from openssl-client:

jakob@raspberrypi:/opt $ openssl s_client -tls1_2 -connect 192.168.1.10:443
CONNECTED(00000003)
4000546CFF7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:322:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 195 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1772835796
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
jakob@raspberrypi:/opt $ openssl s_client -ignore_unexpected_eof -tls1_2 -connect 192.168.1.10:443
CONNECTED(00000003)
closed
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 188 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1772835813
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

How do I get along from here? I am an enthusiast in smart home, but not good at configuring networks.

Best regards

The certificate is expired and therefore essentially defunct. Nothing is going to trust that certificate ever again no matter what you do.

The best you can do is file an issue on the binding to see if there’s a way to use untrusted certificates. I know self-signed certificates can be used in some circumstances which would equally be untrusted. So it might just be a matter of not checking to see if it’s expired or ignoring the expired error. But it needs to be done in the binding. There’s nothing you can do short of figuring out how to deploy a new unexpired certificate to the device.

Thanks!

I think the binding is EOL too, as nothing has happened in the last two years. I will try to file it on the binding - should this be done on the openHAB community or GitHub?

It should be done on the openhab-addons repository on GitHub.

The binding is not EOL, but the IHC controllers are :slight_smile:

I assume you are using controller hw version 7, which seems to have an expired cert, and I think there are not that many users who use openHAB and the latest controller version. I have an older version which still has a valid cert until 2031. Because IHC/ELKO controllers have a self-signed cert, I have tried to implement a trust manager in the binding which accepts all certs, so I’m surprised about the issue.

Could you enable IHC binding debug logs at trace level and send the logs to me? You could also enable Java debugging by adding the following to JAVA_OPTS.

-Djavax.net.debug=ssl

Hi. Thanks a lot for helping me out - I just thought that the binding was not being maintained, but then again - nothing has happened to the IHC firmware for years, and LK / Schneider told me Wednesday that they are not going to issue a new certificate / new firmware.

You are right, Visual 3 controller (hw7).

Here is my trace log (I think, again - enthusiast but not near being good at this stuff :slight_smile: )

2026-03-07 22:27:41.018 [DEBUG] [ding.ihc.internal.handler.IhcHandler] - Connecting to IHC / ELKO LS controller [hostname='192.168.1.10', username='openhab'].

2026-03-07 22:27:41.018 [DEBUG] [ab.binding.ihc.internal.ws.IhcClient] - Opening connection with TLS version TLSv1.2

2026-03-07 22:27:41.019 [DEBUG] [c.internal.ws.http.IhcConnectionPool] - Initialize SSL context

2026-03-07 22:27:41.020 [DEBUG] [c.internal.ws.http.IhcConnectionPool] - Using TLS version TLSv1.2

2026-03-07 22:27:41.020 [DEBUG] [ws.services.IhcAuthenticationService] - Authenticate

2026-03-07 22:27:41.022 [TRACE] [.ihc.internal.ws.http.IhcHttpsClient] - Send query (url=https://192.168.1.10/ws/AuthenticationService, connectionPool=936535377, clientId=1926299087 requestId=0, timeout=5000, headers=[content-type: text/xml]): <?xml version="1.0" encoding="UTF-8"?>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd=" XML Schema " xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

soapenv:Body

mypassword

openhab

treeview

</soapenv:Body>

</soapenv:Envelope>

2026-03-07 22:27:41.372 [TRACE] [.ihc.internal.ws.http.IhcHttpsClient] - Exception occurred (connectionPool=936535377, clientId=1926299087 requestId=0, in PT0.34947147S): Remote host terminated the handshake

2026-03-07 22:27:41.372 [WARN ] [ding.ihc.internal.handler.IhcHandler] - Can’t open connection to controller javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake

If you need the "JAVA-OPTS-thing", then I need a clue on how to do it - I have added the value to my docker run script, but I can't find any logs, and it does not write to the openHAB log file?

Running openHAB in Docker - again, thanks a lot! :slight_smile:

Your controller is closing the connection during handshake, so I think it’s not a cert expiration issue. I guess you should have a connection issue with the Visual app as well. Have you tried to restart the controller?
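
The distinction made in the reply above can be read directly from `openssl s_client` output: a peer that closes before sending any handshake bytes never presented a certificate, so certificate expiry cannot be the cause. The following is an added example, not code from the thread or the binding; the label names are assumptions chosen here, and the second sample is constructed for contrast.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` text output read from stdin.
# Prints one label describing how far the handshake got.
classify_s_client() {
    awk '
        /^SSL handshake has read/        { seen = 1; nread = $5 + 0 }
        /^no peer certificate available/ { nocert = 1 }
        /Verify return code:/            { havecode = 1; code = $4 + 0 }
        END {
            if (!seen)            print "no-handshake-summary"
            else if (nread == 0)  print "peer-closed-before-serverhello"
            else if (nocert)      print "aborted-before-certificate"
            else if (!havecode)   print "no-verify-result"
            else if (code == 0)   print "certificate-verified"
            else if (code == 10)  print "certificate-expired"
            else if (code == 18)  print "certificate-self-signed"
            else                  print "verify-error-" code
        }'
}

# Trimmed from the first s_client run posted in this thread.
sample_from_thread() {
    cat <<'EOF'
CONNECTED(00000003)
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 195 bytes
Verification: OK
---
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
EOF
}

# Constructed sample: a server that does present an expired certificate.
sample_expired_constructed() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
---
SSL handshake has read 1203 bytes and written 301 bytes
Verification error: certificate has expired
---
    Verify return code: 10 (certificate has expired)
EOF
}

sample_from_thread | classify_s_client
sample_expired_constructed | classify_s_client
```

Against a live host, pipe the real output in, for example `openssl s_client -tls1_2 -connect 192.168.1.10:443 </dev/null 2>&1 | classify_s_client`.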

Hi. Ok.

Visual does not connect, pings but times out. But it is reachable on port 80 (the start page in browser).

I have tried a reboot, does not change a thing.

This has been going on since I rebooted my network setup for the first time after the 9th of January - so I am pretty sure that something has changed by that date.

What would you recommend as the next step in debugging?

Maybe this is a root cause

I think you are right. Just tried right now - today I can only reach it by port 80 on ethernet - usb is only responding when using firmwareloader.

I do not dare to try it out tonight, although I have a spare controller, but reflashing firmware will be tried out tomorrow - stay tuned :slight_smile:

I did not even think about checking out IHC-user, I thought it was not used anymore.

I will give a hint when it has been done :slight_smile:

Hi. Now running re-flashed firmware - still no access on https-traffic.

My controller is what's wrong with the setup….

Weird though that port 80 is still available for traffic, while USB is only available from firmwareloader (as this reportedly is a common failure, it would be a great feature if the binding would have a configuration setting for http-traffic!)

IHC-user users report that Schneider have a fix, but it is required that the controller is sent to them.

Topic solved - thanks for helping me out.