Being a sucker for clean logfiles, I decided to dive into the source of some warnings that always show up in openhab.log:
[WARN ] [ty.util.ssl.SslContextFactory.config] - Trusting all certificates configured for Client@1dc041a0[provider=null,keyStore=null,trustStore=null]
[WARN ] [ty.util.ssl.SslContextFactory.config] - No Client EndPointIdentificationAlgorithm configured for Client@1dc041a0[provider=null,keyStore=null,trustStore=null]
In my configuration these warnings are generated by two add-ons: http and daikin.
Digging in the source code of Eclipse Jetty, I noticed the following pieces of code in SslContextFactory.java:
    /**
     * Construct an instance of SslContextFactory with the default configuration.
     */
    protected SslContextFactory()
    {
        this(false);
    }

    /**
     * Construct an instance of SslContextFactory that trusts all certificates
     *
     * @param trustAll whether to blindly trust all certificates
     * @see #setTrustAll(boolean)
     */
    public SslContextFactory(boolean trustAll)
    {
        setTrustAll(trustAll);
        setExcludeProtocols(DEFAULT_EXCLUDED_PROTOCOLS);
        setExcludeCipherSuites(DEFAULT_EXCLUDED_CIPHER_SUITES);
    }

    /**
     * @param trustAll True if all certificates should be trusted if there is no KeyStore or TrustStore
     */
    public void setTrustAll(boolean trustAll)
    {
        _trustAll = trustAll;
        if (trustAll)
            setEndpointIdentificationAlgorithm(null);
    }

    /**
     * When set to "HTTPS" hostname verification will be enabled.
     * Deployments can be vulnerable to a man-in-the-middle attack if a EndpointIdentificationAlgorithm
     * is not set.
     *
     * @param endpointIdentificationAlgorithm Set the endpointIdentificationAlgorithm
     * @see #setHostnameVerifier(HostnameVerifier)
     */
    public void setEndpointIdentificationAlgorithm(String endpointIdentificationAlgorithm)
    {
        _endpointIdentificationAlgorithm = endpointIdentificationAlgorithm;
    }

    protected void checkTrustAll()
    {
        if (isTrustAll())
            LOG_CONFIG.warn("Trusting all certificates configured for {}", this);
    }
From what I can deduce out of this (and some of the XML-config documentation), it looks like SslContextFactory should be instantiated with true to disable the "trust all" behaviour and use a key store (or call setEndpointIdentificationAlgorithm with a non-null parameter).

And because it could become vulnerable to a man-in-the-middle attack if no EndpointIdentificationAlgorithm is set, I think this should be considered for future releases of the bindings.
Can anyone with (much) more knowledge about Jetty confirm or correct me?
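To make the two paths in the quoted Jetty source concrete, here is an added example (not code from the post, openHAB or the bindings) showing the configuration that produces both warnings next to one that does not. It assumes Jetty 9.4's SslContextFactory.Client subclass and its HttpClient(SslContextFactory) constructor; the getter names follow the setters quoted above.

```java
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class JettyTlsConfigExample {

    // Configuration behind the warnings: trustAll=true accepts any certificate,
    // and setTrustAll(true) also nulls the endpoint identification algorithm,
    // so the peer's hostname is never checked against its certificate.
    static SslContextFactory.Client weakClient() {
        return new SslContextFactory.Client(true);
    }

    // Hardened configuration: trustAll=false means the chain is validated
    // against the JVM's default trust store (no keyStore/trustStore needed for
    // a client), and "HTTPS" turns on hostname verification (RFC 2818 rules).
    static SslContextFactory.Client hardenedClient() {
        SslContextFactory.Client ssl = new SslContextFactory.Client(false);
        ssl.setEndpointIdentificationAlgorithm("HTTPS");
        return ssl;
    }

    // Quick self-check a binding could run at startup to catch a regression
    // before the "Trusting all certificates" warning ever reaches the log.
    static boolean verifiesPeer(SslContextFactory ssl) {
        return !ssl.isTrustAll()
            && "HTTPS".equals(ssl.getEndpointIdentificationAlgorithm());
    }

    public static void main(String[] args) throws Exception {
        System.out.println("weak verifies peer:     " + verifiesPeer(weakClient()));     // false
        System.out.println("hardened verifies peer: " + verifiesPeer(hardenedClient())); // true

        // Wiring the hardened factory into a Jetty HttpClient (Jetty 9.4 constructor).
        HttpClient client = new HttpClient(hardenedClient());
        client.start();
        try {
            // client.GET("https://<device-or-service>/") would now fail on a
            // self-signed or hostname-mismatched certificate instead of silently passing.
        } finally {
            client.stop();
        }
    }
}
```

Devices that only offer a self-signed certificate are better handled by importing that one certificate into a dedicated trust store passed via setTrustStorePath than by switching trustAll back on.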