Weak cipher suite warning since 2.5M2

[radokristof]

Dear community!

Other also reported that since M2 (and it is still present in M3), we usually get a long list of warnings:

2019-09-30 03:42:34.055 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_ECDH_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@17b090b[provider=null,keyStore=null,trustStore=null]

First I thought it is because of the new mail binding, but others reported that they don't use mail bindings and still gets these warnings. @J-N-K said it might be related to Jetty.

I know this is just a warning, but I send a log report for myself daily to quickly identify problems in my setup. This warnings makes it unreadable because I get around 600-700 warnings a day just for this.
One temporary solution might be to set logging only for ERROR for the bundle which causes this warning, but I haven't figured it out yet which bundle is causing this.

[wborn]

Karaf 4.2.6 uses a newer Jetty version that logs these warnings when using weak cipher suites. I've fixed the warnings I saw in:

• Fix Jetty warnings by excluding weak cipher suites #858
• Upgrade Karaf to 4.2.6 openhab-distro#924

If you're using a customized jetty.xml you need to revert your changes so they are in sync with this commit. You can also use our default jetty.xml.

There can still be add-ons that use a SslContextFactory without excluding the weak cipher suites that may need a similar fix like #858.

[radokristof]

I didn't modified that file, I don't know why it didn't got updated when I updated to M2.
I will try to replace that file, thanks!

[radokristof]

The jetty.xml got updated correctly, it has the same content. So maybe another bundle is using it without excluding these suites.

Can this somehow traced back from the error which bundle is throwing this warning?

[wborn]

The logging does not help with pin pointing the bundle. It will most likely get logged when bundles are started so you could try pin pointing it with bundle:restart on the Karaf console.

[radokristof]

@wborn unfortunately this is not the case. This error happens randomly and I can't find any bundle which after its restart fires these warnings.

[pacive]

I get these warnings as well, in my case it seems to happen when the spotify binding refreshes it's OAuth token:

2019-11-25 15:07:09.640 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for SslContextFactory@3356100a[provider=null,keyStore=null,trustStore=null]
2019-11-25 15:07:09.641 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@3356100a[provider=null,keyStore=null,trustStore=null]
2019-11-25 15:07:09.642 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@3356100a[provider=null,keyStore=null,trustStore=null]
2019-11-25 15:07:09.642 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@3356100a[provider=null,keyStore=null,trustStore=null]
2019-11-25 15:07:09.643 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@3356100a[provider=null,keyStore=null,trustStore=null]
2019-11-25 15:07:09.644 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@3356100a[provider=null,keyStore=null,trustStore=null]
2019-11-25 15:07:09.644 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_ECDH_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@3356100a[provider=null,keyStore=null,trustStore=null]
2019-11-25 15:07:09.645 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@3356100a[provider=null,keyStore=null,trustStore=null]
2019-11-25 15:07:09.645 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_DHE_DSS_WITH_AES_256_CBC_SHA enabled for SslContextFactory@3356100a[provider=null,keyStore=null,trustStore=null]
2019-11-25 15:07:09.646 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 enabled for SslContextFactory@3356100a[provider=null,keyStore=null,trustStore=null]
2019-11-25 15:07:09.647 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@3356100a[provider=null,keyStore=null,trustStore=null]
2019-11-25 15:07:09.647 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@3356100a[provider=null,keyStore=null,trustStore=null]
2019-11-25 15:07:09.647 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@3356100a[provider=null,keyStore=null,trustStore=null]
2019-11-25 15:07:09.648 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@3356100a[provider=null,keyStore=null,trustStore=null]
2019-11-25 15:07:09.648 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@3356100a[provider=null,keyStore=null,trustStore=null]
2019-11-25 15:07:09.648 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_ECDH_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@3356100a[provider=null,keyStore=null,trustStore=null]
2019-11-25 15:07:09.649 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@3356100a[provider=null,keyStore=null,trustStore=null]
2019-11-25 15:07:09.649 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_DHE_DSS_WITH_AES_128_CBC_SHA enabled for SslContextFactory@3356100a[provider=null,keyStore=null,trustStore=null]
2019-11-25 15:07:09.649 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_RSA_WITH_AES_256_GCM_SHA384 enabled for SslContextFactory@3356100a[provider=null,keyStore=null,trustStore=null]
2019-11-25 15:07:09.650 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_RSA_WITH_AES_128_GCM_SHA256 enabled for SslContextFactory@3356100a[provider=null,keyStore=null,trustStore=null]
2019-11-25 15:07:09.807 [INFO ] [oauth2client.internal.OAuthConnector] - grant type refresh_token to URL https://accounts.spotify.com/api/token success

Not sure wether the fix should go in the oauth2client bundle or in the Spotify binding though..

[radokristof]

Yes I was also able to trace it down until Spotify. But I think this is something wrong in the OAuth implementation and not the Spotify binding itself...

[cweitkamp]

@Hilbrand As initial contributor of the Spotify Binding: Do you see these warnings too?

[wborn]

I see that the WebClientFactoryImpl has another method where it creates a SslContextFactory that doesn't exclude these weak ciphers:

openhab-core/bundles/org.openhab.core.io.net/src/main/java/org/eclipse/smarthome/io/net/http/internal/WebClientFactoryImpl.java

Lines 419 to 420 in abb5588

	String excludeCipherSuites[] = { "^.*_(MD5)$" };
	sslContextFactory.setExcludeCipherSuites(excludeCipherSuites);

So we can probably fix those warnings by adding the same excludes as in the other method:

openhab-core/bundles/org.openhab.core.io.net/src/main/java/org/eclipse/smarthome/io/net/http/internal/WebClientFactoryImpl.java

Lines 391 to 394 in abb5588

	// Exclude weak / insecure ciphers
	sslContextFactory.addExcludeCipherSuites("^.*_(MD5|SHA|SHA1)$");
	// Exclude ciphers that don't support forward secrecy
	sslContextFactory.addExcludeCipherSuites("^TLS_RSA_.*$");

[radokristof]

Thanks @wborn it might be this causing the warnings. Should I create a PR for this?

[pacive]

The method is marked as deprecated, so either way we should find where this is called from and change the caller to use private SslContextFactory createSslContextFactoryFromExtensibleTrustManager() instead?

[wborn]

Thanks but I already made a PR @radokristof! Currently we focus on fixing/adding 2.5.0 end user functionality for the upcoming release @pacive. Deprecations don't impact end users but fixing them might cause more issues.

[radokristof]

Thank you! Yes I also think that we might try this first, if it solves the issue and then we can think about replacing deprecated methods...

[wborn]

Did you still see any warnings with this fix @radokristof, @pacive?

[radokristof]

No it is gone with this fix. Thanks!

[wborn]

Nice to know! 😄

[pacive]

Nothing in my logs either!

[openhab-bot]

This issue has been mentioned on openHAB Community. There might be relevant details there:

https://community.openhab.org/t/weak-cipher-suite-warnings/157840/1