I have decided to build a new OH2 host and got CentOS8 with latest java 1.8.
Somehow neither the old IHC1 nor the new IHC binding wants to connect to the IHC controller (HW version 6.2 and latest FW 2.8.4). It can’t agree on ciphers and refuses to connect.
I - as I said - have got the latest FW installed, and also played a whole day with the java.security file to enable/disable/remove all possible combinations of ciphers; however, it still prints this message every second:
2020-01-11 20:48:36.224 [DEBUG] [ding.ihc.internal.handler.IhcHandler] - Connecting to IHC / ELKO LS controller [hostname='10.x.y.z', username='xxx'].
2020-01-11 20:48:36.225 [DEBUG] [ab.binding.ihc.internal.ws.IhcClient] - Opening connection
2020-01-11 20:48:36.225 [DEBUG] [c.internal.ws.http.IhcConnectionPool] - Initialize SSL context
2020-01-11 20:48:36.225 [DEBUG] [ws.services.IhcAuthenticationService] - Authenticate
2020-01-11 20:48:36.225 [TRACE] [.ihc.internal.ws.http.IhcHttpsClient] - Send query (url=https://10.1.1.21/ws/AuthenticationService, connectionPool=371634976, clientId=1075504935 requestId=0, timeout=5000, headers=[content-type: text/xml]): <?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body>
<authenticate1 xmlns="utcs">
<password>yyy</password>
<username>xxx</username>
<application>treeview</application>
</authenticate1>
</soapenv:Body>
</soapenv:Envelope>
2020-01-11 20:48:36.227 [TRACE] [.ihc.internal.ws.http.IhcHttpsClient] - Exception occured (connectionPool=371634976, clientId=1075504935 requestId=0, in PT0.001S): No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
2020-01-11 20:48:36.227 [DEBUG] [ding.ihc.internal.handler.IhcHandler] - Can't open connection to controller javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
2020-01-11 20:48:37.227 [DEBUG] [ab.binding.ihc.internal.ws.IhcClient] - Closing connection
2020-01-11 20:48:37.228 [DEBUG] [ab.binding.ihc.internal.ws.IhcClient] - Connection closed
It might be something very simple and I really appreciate your help, guys! @pauli_anttila
IHC / ELKO controllers support only TLSv1 and RSA cipher suites based on SHA1 message authentication (not sure about latest FW versions). SHA1 is nowadays marked as weak, so maybe that’s disabled on your system.
You could use e.g. Wireshark to see more details about the TLS handshake and/or add the “-Djavax.net.debug=all” option to enable Java debugs.
I have managed to fix the problem but it took me 2.5 days of various discoveries. Now I know a lot about ciphers and Java security options.
Anyway - for those who might hit same problem:
CentOS (as well as any other, at least Red Hat, distribution) has system-wide security settings (/etc/crypto-policies/back-ends/java.config) where the OS disables some ciphers on a system level.
So - apparently - one of the recent crypto-policies rpms mentions TLSv1 and TLSv1.1 as part of jdk.tls.disabledAlgorithms. Then if the java.security file contains security.useSystemPropertiesFile=true, this OS setting will be added to the list of disabled ciphers.
So - for now - remove TLSv1, TLSv1.1 from /etc/crypto-policies/back-ends/java.config and restart openhab.
Maybe you could add a note (create a PR) to the IHC binding readme file, as this problem will most probably impact other users in the future as well (TLSv1 will be disabled by default on many systems in the future).
So I just ran into the same problem with the IHC binding after upgrading. I, however, don’t have this (/etc/crypto-policies/back-ends/java.config) directory. I am running a standard openhabian setup on a raspberry. You wouldn’t happen to know where that file resides, would you?
For anyone else stumbling into this.
/opt/jdk/zulu11.48.21-ca-jdk11.0.11-linux_aarch32hf/conf/security/java.security
is the directory that applies for openhabian configuration.
Now it works!!
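A way to check the cause described in this thread before editing anything, as an added example that is not from any of the posters or from the binding: the script reads jdk.tls.disabledAlgorithms from a java.security file and, only when security.useSystemPropertiesFile=true, from the OS crypto-policy file, and reports which one blocks TLSv1. The function names and the sample files are constructed for illustration, and the policy file is treated as additive, as the thread describes.

```shell
#!/usr/bin/env bash
# Print a property's value from a java.security-style file,
# joining backslash-continued lines; the last assignment wins.
get_prop() {  # get_prop <file> <key>
  awk -v key="$2" '
    { sub(/\r$/, "") }
    !cont && /^[ \t]*[#!]/ { next }
    { if (cont) { sub(/^[ \t]+/, ""); line = line $0 } else line = $0 }
    line ~ /\\$/ { sub(/\\$/, "", line); cont = 1; next }
    { cont = 0; eq = index(line, "="); if (!eq) next
      k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
      gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) val = v }
    END { print val }' "$1"
}

# Print the SSL/TLS protocol versions listed in jdk.tls.disabledAlgorithms.
disabled_protocols() {  # disabled_protocols <file>
  get_prop "$1" jdk.tls.disabledAlgorithms | awk -F, '{
    out = ""
    for (i = 1; i <= NF; i++) {
      gsub(/^[ \t]+|[ \t]+$/, "", $i)
      if ($i ~ /^(SSL|TLS)v[0-9][0-9A-Za-z.]*$/) out = out (out == "" ? "" : " ") $i
    }
    print out }'
}

# Report whether TLSv1 is blocked. Assumption taken from the thread: the OS policy
# file is added on top, and only when security.useSystemPropertiesFile=true.
tlsv1_status() {  # tlsv1_status <java.security> [<crypto-policies java.config>]
  local sec="$1" pol="${2:-}" f
  [ "$(get_prop "$sec" security.useSystemPropertiesFile)" = "true" ] || pol=""
  for f in "$sec" "$pol"; do
    [ -n "$f" ] && [ -r "$f" ] || continue
    case " $(disabled_protocols "$f") " in
      *" TLSv1 "*) echo "blocked by $f"; return 0 ;;
    esac
  done
  echo "allowed"
}

# Constructed sample files (not copied from a real system).
demo=$(mktemp -d)
printf '%s\n' 'security.useSystemPropertiesFile=true' \
  'jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, \' \
  '    DH keySize < 1024' > "$demo/java.security"
printf '%s\n' 'jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3' > "$demo/java.config"
tlsv1_status "$demo/java.security" "$demo/java.config"
```

On a real host, pass the JVM's own java.security file as the first argument and, on CentOS, /etc/crypto-policies/back-ends/java.config as the second.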