Weak cipher suite warnings

Hello,

since “some times” I get a lot of warnings like when I run the latest official openhab docker container.

2024-08-16 09:15:18.181 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA enabled for Client@1ee21af4[provider=null,keyStore=null,trustStore=null]
2024-08-16 09:15:18.181 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for Client@1ee21af4[provider=null,keyStore=null,trustStore=null]
2024-08-16 09:15:18.181 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for Client@1ee21af4[provider=null,keyStore=null,trustStore=null]
2024-08-16 09:15:18.181 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_DHE_DSS_WITH_AES_128_CBC_SHA enabled for Client@1ee21af4[provider=null,keyStore=null,trustStore=null]
2024-08-16 09:15:18.181 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA enabled for Client@1ee21af4[provider=null,keyStore=null,trustStore=null]
2024-08-16 09:15:18.182 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_ECDH_RSA_WITH_AES_128_CBC_SHA enabled for Client@1ee21af4[provider=null,keyStore=null,trustStore=null]
2024-08-16 09:15:18.182 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_RSA_WITH_AES_128_GCM_SHA256 enabled for Client@1ee21af4[provider=null,keyStore=null,trustStore=null]
2024-08-16 09:15:18.182 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 enabled for Client@1ee21af4[provider=null,keyStore=null,trustStore=null]
2024-08-16 09:15:18.182 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for Client@1ee21af4[provider=null,keyStore=null,trustStore=null]
2024-08-16 09:15:18.182 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for Client@1ee21af4[provider=null,keyStore=null,trustStore=null]

I found a very old outdatet issues Weak cipher suite warning since 2.5M2 · Issue #1064 · openhab/openhab-core · GitHub but it looks like the related fix is not present in the latest source code anymore.

If I can ignore it, then my next questions is, why its a warning and how can I make it silent to become aware of the important warnings again.

I think the issue is that there are still export controls over some cryptographic algorithms. If you are in a country where it’s allowed and have a JVM that supports them, you can pass CRYPTO_POLICY=unlimited as an environment variable to the Docker container and it should make all the algorithms available and these warning should go away.

I think making the better versions available should disable these weak/deprecated options. I could of course be wrong and something else is going on. I don’t think this is a common problem as this is the first report of it.

It can be ignored in that it will work as is. It is a warning because you shouldn’t be using these weak and deprecated encruption algorithms. They are easily broken and no longer considered safe to use. But ultimately it’s a warning because the upstream library that is generating this warning decided it was a warning.

You can figure out the whole class name that is creating this warning message (I’m not sure what it is but it’s not an OH class as far as I can tell) and set it’s logger to ERROR level. You can set up a regex filter in log4j2.xml. But probably the best thing to do would be to figure out why these cypher suites are enabled in the first place and disable them.

Some looking around over on karaf is probable where I would start on that if passing in unlimited doesn’t work as described above.

I’ve been seeing these on an x86 install. Happen twice per day, 12 hours apart. Tried to isolate what was happening at those times, but nothing is evident. Nearest I can tell is that it may be related to the Samsung TV binding, but changing that binding’s logging didn’t remove, so likely not the case. Just ignoring for now.

that was what I was looking for :slight_smile:

@rlkoshak I’m always surprised at how many topics you can comment on helpfully. Thanks a lot!

1 Like

It was not successful.

I added the environment variable ‘CRYPTO_POLICY: “unlimited”’

I confirmend it

root@marvin:/openhab# cat /usr/lib/jvm/java-17-openjdk-amd64/conf/security/java.security  | grep crypto.policy 
# The default setting is determined by the value of the "crypto.policy"
# The "crypto.policy" security property points to a subdirectory
crypto.policy=unlimited

but still getting

marvin:~ # tail -n 2000 /smartserver/var/log/openhab/openhab.log | grep "SslContextFactory"
2024-08-17 08:56:42.938 [WARN ] [rg.eclipse.jetty.util.ssl.SslContextFactory.config] - Trusting all certificates configured for Client@42eb49ba[provider=null,keyStore=null,trustStore=null]
2024-08-17 08:56:42.941 [WARN ] [rg.eclipse.jetty.util.ssl.SslContextFactory.config] - No Client EndPointIdentificationAlgorithm configured for Client@42eb49ba[provider=null,keyStore=null,trustStore=null]
2024-08-17 08:56:42.944 [WARN ] [rg.eclipse.jetty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA enabled for Client@42eb49ba[provider=null,keyStore=null,trustStore=null]
2024-08-17 08:56:42.945 [WARN ] [rg.eclipse.jetty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for Client@42eb49ba[provider=null,keyStore=null,trustStore=null]
2024-08-17 08:56:42.947 [WARN ] [rg.eclipse.jetty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA enabled for Client@42eb49ba[provider=null,keyStore=null,trustStore=null]
2024-08-17 08:56:42.949 [WARN ] [rg.eclipse.jetty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for Client@42eb49ba[provider=null,keyStore=null,trustStore=null]
2024-08-17 08:56:42.951 [WARN ] [rg.eclipse.jetty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for Client@42eb49ba[provider=null,keyStore=null,trustStore=null]
2024-08-17 08:56:42.953 [WARN ] [rg.eclipse.jetty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_DHE_DSS_WITH_AES_256_CBC_SHA enabled for Client@42eb49ba[provider=null,keyStore=null,trustStore=null]
2024-08-17 08:56:42.955 [WARN ] [rg.eclipse.jetty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for Client@42eb49ba[provider=null,keyStore=null,trustStore=null]
2024-08-17 08:56:42.962 [WARN ] [rg.eclipse.jetty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_DHE_DSS_WITH_AES_128_CBC_SHA enabled for Client@42eb49ba[provider=null,keyStore=null,trustStore=null]
2024-08-17 08:56:42.964 [WARN ] [rg.eclipse.jetty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA enabled for Client@42eb49ba[provider=null,keyStore=null,trustStore=null]
2024-08-17 08:56:42.965 [WARN ] [rg.eclipse.jetty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_ECDH_RSA_WITH_AES_256_CBC_SHA enabled for Client@42eb49ba[provider=null,keyStore=null,trustStore=null]
2024-08-17 08:56:42.967 [WARN ] [rg.eclipse.jetty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA enabled for Client@42eb49ba[provider=null,keyStore=null,trustStore=null]
2024-08-17 08:56:42.977 [WARN ] [rg.eclipse.jetty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_ECDH_RSA_WITH_AES_128_CBC_SHA enabled for Client@42eb49ba[provider=null,keyStore=null,trustStore=null]
2024-08-17 08:56:42.978 [WARN ] [rg.eclipse.jetty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_RSA_WITH_AES_256_GCM_SHA384 enabled for Client@42eb49ba[provider=null,keyStore=null,trustStore=null]
2024-08-17 08:56:42.980 [WARN ] [rg.eclipse.jetty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_RSA_WITH_AES_128_GCM_SHA256 enabled for Client@42eb49ba[provider=null,keyStore=null,trustStore=null]
2024-08-17 08:56:42.982 [WARN ] [rg.eclipse.jetty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for Client@42eb49ba[provider=null,keyStore=null,trustStore=null]
2024-08-17 08:56:42.984 [WARN ] [rg.eclipse.jetty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 enabled for Client@42eb49ba[provider=null,keyStore=null,trustStore=null]
2024-08-17 08:56:42.986 [WARN ] [rg.eclipse.jetty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for Client@42eb49ba[provider=null,keyStore=null,trustStore=null]
2024-08-17 08:56:42.988 [WARN ] [rg.eclipse.jetty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for Client@42eb49ba[provider=null,keyStore=null,trustStore=null]
2024-08-17 08:56:42.995 [WARN ] [rg.eclipse.jetty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for Client@42eb49ba[provider=null,keyStore=null,trustStore=null]
2024-08-17 08:56:42.996 [WARN ] [rg.eclipse.jetty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for Client@42eb49ba[provider=null,keyStore=null,trustStore=null]

I added also the following setting to /openhab/runtime/etc/jetty.xml, but without success

<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
    <Set name="ExcludeCipherSuites">
        <Array type="String">
            <Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</Item>
            <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item>
            <Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</Item>
            <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
            <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
            <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
            <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
            <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
            <Item>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</Item>

            <Item>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA</Item>
            <Item>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</Item>
            <Item>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA</Item>
            <Item>TLS_RSA_WITH_AES_256_GCM_SHA384</Item>

            <Item>TLS_RSA_WITH_AES_128_GCM_SHA256</Item>
            <Item>TLS_RSA_WITH_AES_256_CBC_SHA256</Item>
            <Item>TLS_RSA_WITH_AES_128_CBC_SHA256</Item>
            <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>

            <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
            <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
            <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
        </Array>
    </Set>
    <Set name="KeyStorePath">....

@kjknauss you are right, it seams to be related to the samsung tv binding.

If I pause and restart the samsung tv binding, I get these error messages immediately.

Looks like it is related to the secure websocket connection.

I will continue to analyze it and share everything I find out…

I think the main problem is here which was changed as part of this commit.

I created an issues to get more details about how to deal with it.

@holger_hees

The problem is with the latest version of Samsung TV firmware,

They require a secure connection, but have invalid certificates.

I was unable to establish a secure connection using modern cypher suites, so I had to enable older, less secure cypher suites.

Now, the warning is that older cypher suites are enabled, but what cypher suites are actually used is a different thing.

I have no control over the cypher suites used by Samsung TV’s.

1 Like

@Nicholas_Waterton Thanks, for the explanation.

For now I hide this warning by adding

<Logger level="ERROR" name="org.eclipse.jetty.util.ssl.SslContextFactory.config"\/>

to /openhab/userdata/etc/log4j2.xml