Protocol is disabled or cipher suites are inappropriate

So when I build docker with:

docker build --build-arg OPENHAB_VERSION=2.5.12 --build-arg JAVA_VERSION=11  -t "majherek/openhab-ffmpeg:2.5.12-amd64-debian" .

which version should I use? My previous build of OH 2.5.12 worked well and it was also on Java 11.

Hi,

I built OH 2.5.12 with Java 8, and still get the same error.

majherek@atom:~$ docker exec -it openhab2512 /bin/bash
root@atom:/openhab# java -version
openjdk version "1.8.0_292"
OpenJDK Runtime Environment (Zulu 8.54.0.21-CA-linux64) (build 1.8.0_292-b10)
OpenJDK 64-Bit Server VM (Zulu 8.54.0.21-CA-linux64) (build 25.292-b10, mixed mode)
==> /logs/openhab.log <==
2021-06-02 09:22:50.285 [ERROR] [rg.openhab.action.mail.internal.Mail] - Could not send e-mail to 'lakowa@XXX.pl'.
org.apache.commons.mail.EmailException: Sending the email to the following server failed : smtp.SERVER.PL:587
[cut]
Caused by: javax.mail.MessagingException: Could not convert socket to TLS
[cut]
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
[cut]

When I change version from jdk8.0.292 to jdk8.0.192 everything is working (I change zulu8_amd64_url in Dockerfile to zulu8.33.0.1).

Then I try: zulu8.48.0.51-ca-jdk8.0.262-linux_x64.tar.gz. It works.
Then I try: zulu8.50.0.51-ca-jdk8.0.275-linux_x64.tar.gz. It works.
With zulu8.52.0.23-ca-jdk8.0.282-linux_x64.tar.gz it also works.

So I suppose that in the latest releases, 8u292b10 and 11.0.11+9, something changed, and there is some problem with SSL/TLS during SMTP connecting in openHAB 2.5.12.

Disabled outdated cipher algorithms? Did you check the content of the file java.security?

Hi @pauli_anttila
Thank you for this.
However, I am lost here as I am running OH in a docker container which includes Java. I am using docker run as specified here.
Inside the generated docker image I did find a java.security file, which I copied outside the container to view and modify the contents. However, it does not contain any disabledAlgorithms I can modify.
So currently my OH is not working as the IHC binding is the core of my setup.

It seems that 3.1.0 M4 docker images allow TLS1.0 and IHC binding works fine.
However, it seems that 3.1.0 M5 docker images do not allow TLS1.0 and IHC binding does not work.

M5 contains java.security file where TLSv1 is disabled

docker run -it openhab/openhab:3.1.0.M5 /bin/bash
root@4b2202530e05:/openhab# find / -name java.security
/usr/lib/jvm/default-jvm/conf/security/java.security

root@4b2202530e05:/openhab# cat /usr/lib/jvm/default-jvm/conf/security/java.security | grep jdk.tls.disabledAlgorithms
...
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
# jdk.tls.disabledAlgorithms property or the
# certificates such as jdk.tls.disabledAlgorithms or

But beware, you can't edit the file directly; you need to mount your local copy to the container.

Something like

-v "$PWD/java.security":/usr/lib/jvm/default-jvm/conf/security/java.security

Thanks. This was also the file I found and when I use the grep command I get the same result as you do. I copied the file outside the container to current folder by

docker cp openhab3:/usr/lib/jvm/default-jvm/conf/security/java.security .

It is indeed copied but it contains only a list of providers and preference orders like this:

# List of providers and their preference orders (see above):
#
security.provider.1=SUN
security.provider.2=SunRsaSign
security.provider.3=SunEC
security.provider.4=SunJSSE
security.provider.5=SunJCE
security.provider.6=SunJGSS
security.provider.7=SunSASL
security.provider.8=XMLDSig
security.provider.9=SunPCSC
security.provider.10=JdkLDAP
security.provider.11=JdkSASL
security.provider.12=SunPKCS11

So I do not know how to create my local copy, which my docker run can point to.

Just tried to copy the file from the OH container to the local file system and I didn't have any issue. You are using the container name 'openhab3' rather than the container id, so are you sure that it's the correct container? To be sure, you can also use the container id.

docker ps

CONTAINER ID        IMAGE                      COMMAND                  CREATED             STATUS                           PORTS                    NAMES
1ba8dc0137e4        openhab/openhab:3.1.0.M5   "/entrypoint gosu op…"   1 second ago        Up 1 second (health: starting)                            openhab3_openhab_1

docker cp 1ba8dc0137e4:/usr/lib/jvm/default-jvm/conf/security/java.security .

cat java.security | grep jdk.tls.disabledAlgorithms

#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
# jdk.tls.disabledAlgorithms property or the
# certificates such as jdk.tls.disabledAlgorithms or

Thank you - it is working now. It was because I was not really aware of how the nano editor worked. I just needed to scroll down inside the file.

Hi
I'm having the same issue with IHC.
I have a raspberry pi with openhabian image (flashed from Release openHABian v1.6.5 · openhab/openhabian · GitHub)

When I connect to the console (SSH) I get:

openhab> shell:cd /opt/jdk/zulu11.48.21-ca-jdk11.0.11-linux_aarch32hf/conf/security
openhab> shell:cat java.security | grep jdk.tls.disabledAlgorithms              
#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
# jdk.tls.disabledAlgorithms property or the
# certificates such as jdk.tls.disabledAlgorithms or

so I take it that I need to edit this file and remove "TLSv1" from the line of disabled algorithms.
But how do I do this?

  • ssh into your raspi: ssh openhabian@openhabianpi
  • become root: sudo su -
  • cd into the directory: cd /opt/jdk/zulu11.48.21-ca-jdk11.0.11-linux_aarch32hf/conf/security
  • make a backup copy: cp java.security java.security.BAK
  • open vi editor: vi java.security
  • search for TLSv1: /TLSv1,
  • your cursor should be on T of TLSv1, in the line that you showed before; if not hit key n; if still not :q
  • you are on TLSv1,: enter dw two times
  • the string TLSv1, should be deleted now
  • if exactly that part is deleted and you have …SSLv3, TLSv1.1,… hit :wq
  • file should be saved now and you should be back on the command line
2 Likes
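The same edit done non-interactively on a copy of java.security, as an added example that is not part of the original posts or of openHAB. The grep output in the thread ends in `\`, so the property continues on following lines; the helper names (`effective_disabled`, `is_disabled`, `allow_token`, `write_sample`) are hypothetical and the sample file, including its continuation line, is constructed.

```shell
# Print the effective jdk.tls.disabledAlgorithms value with "\" continuations joined.
effective_disabled() {
  awk '
    /^jdk\.tls\.disabledAlgorithms[ \t]*=/ { inprop = 1; val = ""; sub(/^[^=]*=[ \t]*/, "") }
    inprop {
      cont = ($0 ~ /\\$/); line = $0
      sub(/[ \t]*\\?$/, "", line); sub(/^[ \t]+/, "", line)
      val = val (val == "" ? "" : " ") line
      if (!cont) inprop = 0
    }
    END { print val }' "$1"
}

# Succeed if TOKEN is an exact item of the effective list (TLSv1 must not match TLSv1.1).
is_disabled() {
  effective_disabled "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF -- "$2"
}

# Write DST as a copy of SRC with TOKEN removed from the active property only (comments untouched).
allow_token() {
  awk -v tok="$3" '
    /^jdk\.tls\.disabledAlgorithms[ \t]*=/ { inprop = 1; first = 1 }
    inprop {
      cont = ($0 ~ /\\$/); body = $0
      sub(/[ \t]*\\?$/, "", body)
      if (first) { match(body, /^[^=]*=[ \t]*/) } else { match(body, /^[ \t]*/) }
      head = substr(body, 1, RLENGTH); body = substr(body, RLENGTH + 1)
      n = split(body, items, /[ \t]*,[ \t]*/); out = ""
      for (i = 1; i <= n; i++)
        if (items[i] != "" && items[i] != tok) out = out (out == "" ? "" : ", ") items[i]
      $0 = head out (cont ? (out == "" ? "" : ", ") "\\" : "")
      first = 0; if (!cont) inprop = 0
    }
    { print }' "$1" > "$2"
}

# Constructed sample: lines 1, 2 and 4 mirror the thread's grep output; line 3 is invented.
write_sample() {
  cat > "$1" <<'EOF'
#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224
# certificates such as jdk.tls.disabledAlgorithms or
EOF
}

tmp=$(mktemp -d); write_sample "$tmp/java.security"
allow_token "$tmp/java.security" "$tmp/java.security.tls10" TLSv1
effective_disabled "$tmp/java.security.tls10"
```

The original file is left unchanged, so it doubles as the backup; the edited copy is what a bind mount or an in-place replacement would use.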

Thanks, I have it working now :+1:

1 Like

Hi Wolfgang_S

I am running OH3.3.0 on a RPi4, and have an old IHC HW6.1 controller with only TLS1.0.
I am trying to follow your instructions to reactivate TLSv1 but without success. I can not find the folder etc.
Can you somehow guide me?

Thanks

-Thomas