DamianFlynn / cgate-server


JRE TLS security #5

Open lowgoz opened 11 months ago

lowgoz commented 11 months ago

I've come across this after recently updating an RPI install with the same issue, and found it was the reason why I could not connect my Cbus Toolkit to your implementation of this solution.

Toolkit would error "An error has occurred while initializing the secure socket layer - Cannot connect to C-Gate Server" when connecting to the container.

Toolkit does not use TLS, but the latest version of Java 8 requires it.

Solution for me was to use portainer to open a console and edit the file "/usr/lib/jvm/java-8-openjdk/jre/lib/security/java.security" to remove TLSv1, TLSv1.1 in the line "jdk.tls.disabledAlgorithms="

Have re-tested and appears to have resolved the issue.
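
The edit described in the comment above, as an added shell example (not code from this repository or from either commenter): it reports whether a protocol is listed in `jdk.tls.disabledAlgorithms` and removes only `TLSv1` and `TLSv1.1` from that property, keeping a backup. The function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit and edit jdk.tls.disabledAlgorithms in a java.security file.

# Print the property's full value, joining "\" continuation lines.
tls_disabled_value() {
    awk '
        /^jdk\.tls\.disabledAlgorithms=/ { on = 1; sub(/^[^=]*=/, "") }
        on {
            cont = ($0 ~ /\\[ \t]*$/)
            sub(/\\[ \t]*$/, "")
            v = v $0
            if (!cont) { print v; exit }
        }
    ' "$1"
}

# Succeed if protocol $2 is an exact entry in the disabled list of file $1.
is_disabled() {
    tls_disabled_value "$1" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qxF "$2"
}

# Remove TLSv1 and TLSv1.1 from that property only, keeping a copy in FILE.bak.
# Fails if either protocol is still listed afterwards.
allow_legacy_tls() {
    cp "$1" "$1.bak" || return 1
    awk '
        /^jdk\.tls\.disabledAlgorithms=/ { on = 1 }
        on {
            cont = ($0 ~ /\\[ \t]*$/)
            gsub(/TLSv1(\.1)?[ \t]*,[ \t]*/, "")
            if (!cont) on = 0
        }
        { print }
    ' "$1.bak" > "$1" || return 1
    ! is_disabled "$1" TLSv1 && ! is_disabled "$1" TLSv1.1
}

# Constructed sample in the layout of a stock java.security file (not from the page).
write_sample() {
    cat > "$1" <<'EOF'
# Example:
#   jdk.tls.disabledAlgorithms=MD5, SSLv3, TLSv1
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
EOF
}
```

Inside the container, the file to pass is the one named in the post, `/usr/lib/jvm/java-8-openjdk/jre/lib/security/java.security`; the JVM reads it at startup, so restart the service after the edit.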

lowgoz commented 11 months ago

/for future people

DamianFlynn commented 11 months ago

Thx for sharing. It’s a lesson in making sure I pin the sources in the dockerfile to the tested versions.

I’ll add the commands to update the settings


lowgoz commented 11 months ago

Many thanks for your quick response!

I'm very much liking this repo compared to the attempts at using cmqttd - I've had constant problems over the years with random disconnects using this method and it seems that the tried and true method of simply running cgate / mqtt is the best option.

I really appreciate you taking the time to update the 2017 raspberry pi version and putting in discovery & dockerising! It's a solid solution.

Wondering if one day we would be able to turn this into a Home Assistant add-on. Would solve all of our problems forever !!

DamianFlynn commented 5 months ago

@lowgoz The latest build should automatically take your instructions and have the TLS1 protocol addressed. Give it a spin when you have a moment, and if you're happy, we can proceed to close the issue.

Note this new build also uses the new version of cgate.