Weak cipher suite TLS RSA

OH: 5.0.2, platform: Win11

I would like to return to this topic, which has been mentioned here and there among other topics, and from my observations, it seems to have appeared with version 5.x.

In any case:
a. I don’t know what thing this WARN reports, because the logs show that it is [Client@2a6ce8a3], but of course DeveloperBar doesn’t find anything.
b. The WARNINGS generated in the log greatly increase the volume of the log.

Here is the log:

20.11.2025 07:00	 [WARN ]	 [ty.util.ssl.SslContextFactory.config] - 	Trusting all certificates configured for Client@2a6ce8a3[provider=null,keyStore=null,trustStore=null]
20.11.2025 07:00	 [WARN ]	 [ty.util.ssl.SslContextFactory.config] - 	No Client EndPointIdentificationAlgorithm configured for Client@2a6ce8a3[provider=null,keyStore=null,trustStore=null]
20.11.2025 07:00	 [WARN ]	 [ty.util.ssl.SslContextFactory.config] - 	Weak cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA enabled for Client@2a6ce8a3[provider=null,keyStore=null,trustStore=null]
20.11.2025 07:00	 [WARN ]	 [ty.util.ssl.SslContextFactory.config] - 	Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for Client@2a6ce8a3[provider=null,keyStore=null,trustStore=null]
20.11.2025 07:00	 [WARN ]	 [ty.util.ssl.SslContextFactory.config] - 	Weak cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA enabled for Client@2a6ce8a3[provider=null,keyStore=null,trustStore=null]
20.11.2025 07:00	 [WARN ]	 [ty.util.ssl.SslContextFactory.config] - 	Weak cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for Client@2a6ce8a3[provider=null,keyStore=null,trustStore=null]
20.11.2025 07:00	 [WARN ]	 [ty.util.ssl.SslContextFactory.config] - 	Weak cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for Client@2a6ce8a3[provider=null,keyStore=null,trustStore=null]
20.11.2025 07:00	 [WARN ]	 [ty.util.ssl.SslContextFactory.config] - 	Weak cipher suite TLS_DHE_DSS_WITH_AES_256_CBC_SHA enabled for Client@2a6ce8a3[provider=null,keyStore=null,trustStore=null]
20.11.2025 07:00	 [WARN ]	 [ty.util.ssl.SslContextFactory.config] - 	Weak cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for Client@2a6ce8a3[provider=null,keyStore=null,trustStore=null]
20.11.2025 07:00	 [WARN ]	 [ty.util.ssl.SslContextFactory.config] - 	Weak cipher suite TLS_DHE_DSS_WITH_AES_128_CBC_SHA enabled for Client@2a6ce8a3[provider=null,keyStore=null,trustStore=null]
20.11.2025 07:00	 [WARN ]	 [ty.util.ssl.SslContextFactory.config] - 	Weak cipher suite TLS_RSA_WITH_AES_256_GCM_SHA384 enabled for Client@2a6ce8a3[provider=null,keyStore=null,trustStore=null]
20.11.2025 07:00	 [WARN ]	 [ty.util.ssl.SslContextFactory.config] - 	Weak cipher suite TLS_RSA_WITH_AES_128_GCM_SHA256 enabled for Client@2a6ce8a3[provider=null,keyStore=null,trustStore=null]
20.11.2025 07:00	 [WARN ]	 [ty.util.ssl.SslContextFactory.config] - 	Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for Client@2a6ce8a3[provider=null,keyStore=null,trustStore=null]
20.11.2025 07:00	 [WARN ]	 [ty.util.ssl.SslContextFactory.config] - 	Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 enabled for Client@2a6ce8a3[provider=null,keyStore=null,trustStore=null]
20.11.2025 07:00	 [WARN ]	 [ty.util.ssl.SslContextFactory.config] - 	Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for Client@2a6ce8a3[provider=null,keyStore=null,trustStore=null]
20.11.2025 07:00	 [WARN ]	 [ty.util.ssl.SslContextFactory.config] - 	Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for Client@2a6ce8a3[provider=null,keyStore=null,trustStore=null]
20.11.2025 07:00	 [WARN ]	 [ty.util.ssl.SslContextFactory.config] - 	Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for Client@2a6ce8a3[provider=null,keyStore=null,trustStore=null]
20.11.2025 07:00	 [WARN ]	 [ty.util.ssl.SslContextFactory.config] - 	Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for Client@2a6ce8a3[provider=null,keyStore=null,trustStore=null]

And my questions/requests for help:

  1. How can I identify the thing that is causing this problem?
  2. And how can I solve this problem so that WARN does not appear?

  1. It might not be a Thing at all. It might be Jetty, the web server that serves up the OH web UIs and REST APIs. That “ty” in the package name could be a cut off “jetty”. Are you accessing MainUI or BasicUI using HTTPS from anywhere? Though it could also be a Thing, in which case look for places where HTTPS is being used with self-signed certificates or where the certificates are being ignored. The weak cipher suite warnings come from asinine export control issues. Java doesn't provide the good encryption algorithms unless a command line argument is passed. I think there is an option in openhabian-config to set the crypto_policy to unlimited. If not, I'm pretty sure you can set it in /etc/default/openhab. For Docker you pass an environment variable `CRYPTO_POLICY=unlimited`.

  2. The first warning is going to be there as long as you have anything in OH configured to accept self-signed certificates. You’ll either have to set up PKI and configure Java/OH to trust certificates from your certificate authority, or you need to obtain a certificate from an already trusted CA and apply that on whatever device/service openHAB is accessing over HTTPS. The weak cipher warnings should go away once the cipher policy is set to unlimited.

Ad 1. No. From the local server over HTTP (for configuration purposes). From another computer on the local network I always use https://home.myopenhab.org/overview

Ad 2. Where can I find it on Windows?

🤷 I don’t even have a Windows machine any more. Maybe one of the .bat files.

I’ve seen this with the Samsung TV binding. If you have that installed and don’t like the log clutter, change the log level for the Samsung Binding. I believe this is a benign warning.

Yes. Samsung TV binding is installed. Log level has been changed.

Thank you for your help. Tomorrow I will inform you about the effects.

Thanks a lot!

Hello,

Last information: after changing the log level to error, the warning was still in the log file. I removed the Thing for my Samsung TV (occasionally used) and the Samsung TV binding.

And now my log is clear - no more warnings.

Thank you @kjknauss for your help!

BTW: It’s a shame that the client ID reported in the logs has no relation to the Thing/element (I wrote about this in another thread regarding a different issue, that the developer bar couldn’t find anything based on the ID), so that any problem could be easily determined.

This warning is being written from code not written by openHAB. It’s third party library code. This code almost certainly doesn’t know the Thing ID to include in the log nor even what a Thing is. And since it just logs a warning instead of throwing an exception, there is no chance for the problem to bubble up to code that was written by OH which could conceivably know the Thing UID and include that in a log statement.

You can also log bindings to a separate file, again if the clutter from openhab.log bothers you. A quick search of “Logging to a separate file” will provide solutions.

Thank you for the explanation.
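
An added example, not part of the thread and not openHAB or Jetty code: a small Python script that groups the `SslContextFactory.config` warnings by client instance and shows which exclusion pattern flags each suite. The regex list is an assumed copy of Jetty's default excluded cipher suite patterns and the reason labels are this example's own wording; check both against the Jetty version you run.

```python
import re
from collections import defaultdict

# Assumption: mirrors Jetty's default excluded-cipher regexes; labels are ours.
WEAK_PATTERNS = {
    r"^.*_(MD5|SHA|SHA1)$": "MD5/SHA-1 MAC",
    r"^TLS_RSA_.*$": "static RSA key exchange, no forward secrecy",
    r"^SSL_.*$": "SSL-era suite",
    r"^.*_NULL_.*$": "no encryption",
    r"^.*_anon_.*$": "unauthenticated key exchange",
}
LINE = re.compile(
    r"SslContextFactory\.config\]\s*-\s*(?P<msg>.*?) for (?P<client>\w+@[0-9a-f]+)\["
)

# Constructed sample: a subset of the messages quoted in the thread.
PREFIX = "20.11.2025 07:00\t [WARN ]\t [ty.util.ssl.SslContextFactory.config] - \t"
CLIENT = "Client@2a6ce8a3[provider=null,keyStore=null,trustStore=null]"
SAMPLE = "\n".join(PREFIX + msg + " for " + CLIENT for msg in [
    "Trusting all certificates configured",
    "No Client EndPointIdentificationAlgorithm configured",
    "Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled",
    "Weak cipher suite TLS_RSA_WITH_AES_256_GCM_SHA384 enabled",
    "Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled",
    "Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled",
])

def summarize(log_text):
    """Group SslContextFactory warnings by the client instance that logged them."""
    clients = defaultdict(
        lambda: {"trust_all": False, "no_hostname_check": False, "weak": {}})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an SslContextFactory.config warning
        entry, msg = clients[m["client"]], m["msg"]
        if msg.startswith("Trusting all certificates"):
            entry["trust_all"] = True           # certificate chain not validated
        elif "EndPointIdentificationAlgorithm" in msg:
            entry["no_hostname_check"] = True   # server name not verified
        elif msg.startswith("Weak cipher suite "):
            suite = msg.split()[3]
            entry["weak"][suite] = [why for pat, why in WEAK_PATTERNS.items()
                                    if re.match(pat, suite)]
    return dict(clients)

if __name__ == "__main__":
    for client, info in summarize(SAMPLE).items():
        print(client, "trust_all:", info["trust_all"],
              "no_hostname_check:", info["no_hostname_check"])
        for suite, reasons in info["weak"].items():
            print("  ", suite, "->", "; ".join(reasons))
```

A suite listed with two reasons matches two of the patterns, which would account for the warning lines that appear twice in the log above.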