openhab / openhab-addons

Add-ons for openHAB
https://www.openhab.org/
Eclipse Public License 2.0

[samsungtv] Weak cipher suite warnings #17273

Closed HolgerHees closed 2 months ago

HolgerHees commented 2 months ago

When I use the latest (4.2.1) openHAB docker container together with the Samsung TV binding and secure websockets, I get a lot of warnings like

Weak cipher suite TLS_DHE_DSS_WITH_AES_128_CBC_SHA enabled for Client@1ee21af4[provider=null,keyStore=null,trustStore=null]

I get ~10 twice per day, and immediately if I restart the binding or openHAB.

I know I could ignore these warnings, but I believe warnings should never be ignored. If they can be ignored, they should be info messages or they should be hidden. If you start to ignore some logs, the chance that you ignore something you should not ignore gets higher and higher the more you apply this rule.

The line which is the root cause is here, and the commit which introduced this change is here.

The purpose of this issue is to get an answer on what the right way to deal with this warning is. I hope for something other than 'ignoring'.

Maybe the reason why the Jetty filters were removed is that the filters were removing too much. A solution could be to apply a custom filter that removes weak cipher suites, or a custom include rule which allows the cipher suites needed by Samsung TVs.

@NickWaterton I assigned you here because you are the author of the related commit and maybe you have more insight.

There is also a thread on the community page.

openhab-bot commented 2 months ago

This issue has been mentioned on openHAB Community. There might be relevant details there:

https://community.openhab.org/t/weak-cipher-suite-warnings/157840/7

NickWaterton commented 2 months ago

The problem is with the latest version of Samsung TV firmware.

They require a secure connection but have invalid certificates.

I was unable to establish a secure connection using modern cipher suites, so I had to enable older, less secure cipher suites.

Now, the warning is that older cipher suites are enabled, but which cipher suites are actually used is a different thing.

I have no control over the cipher suites used by Samsung TVs.

Also, just to be clear, the problem happened with 2024 TVs, and I don't have a 2024 Samsung TV, so I've had to rely on reports from users as to what works and what doesn't. I can't directly test it myself.
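As an added illustration (not code from the binding or from anyone in this thread) of why that particular suite trips Jetty's check, and of what a narrower include rule would have to avoid: the patterns below are my recollection of Jetty 9.4's default cipher-suite exclusions, so treat them as an assumption and verify against the Jetty version your openHAB ships; the candidate include list is constructed.

```python
import re
from typing import Dict, List

# Jetty 9.4's default exclusion patterns as I recall them from
# SslContextFactory.DEFAULT_EXCLUDED_CIPHER_SUITES (assumption, see lead-in).
# A suite that is still selected after the binding's own include/exclude
# filtering and matches one of these is what produces the
# "Weak cipher suite ... enabled for Client@..." warning.
JETTY_WEAK_PATTERNS = {
    r"^.*_(MD5|SHA|SHA1)$": "SHA-1/MD5 MAC (CBC mode, not AEAD)",
    r"^TLS_RSA_.*$": "static RSA key exchange, no forward secrecy",
    r"^SSL_.*$": "SSLv3-era suite",
    r"^.*_NULL_.*$": "no encryption",
    r"^.*_anon_.*$": "anonymous key exchange, no authentication",
}


def weak_reasons(suite: str) -> List[str]:
    """Reasons Jetty would flag this suite; empty means it passes the check."""
    return [why for pat, why in JETTY_WEAK_PATTERNS.items() if re.match(pat, suite)]


def audit(include_list: List[str]) -> Dict[str, List[str]]:
    """Map every suite in a proposed include list to its weakness reasons."""
    return {suite: weak_reasons(suite) for suite in include_list}


def expected_warnings(include_list: List[str]) -> List[str]:
    """The warning lines Jetty would log for this include list, one per weak suite."""
    return [f"Weak cipher suite {s} enabled" for s, why in audit(include_list).items() if why]


# Constructed candidate include list: modern suites plus the one from the log.
CANDIDATE_INCLUDES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",   # the suite quoted in the warning above
]

if __name__ == "__main__":
    for suite, reasons in audit(CANDIDATE_INCLUDES).items():
        print(f"{suite}: {'OK' if not reasons else '; '.join(reasons)}")
```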

HolgerHees commented 2 months ago

@NickWaterton Thanks for the explanation.

Should I keep this ticket open until there is an option to avoid these warnings? Or do you think there is no way, and we can close this issue as "not planned"?

NickWaterton commented 2 months ago

I don't think there is an easy way to avoid it.

If I had a 2024 Samsung TV, I could refine what works and what doesn't. What year is your Samsung TV? And what model? They just dropped a new firmware version, and it may or may not fix the security issues.

If you don't have a 2024 model to do testing on, we should just close it as "not planned".

HolgerHees commented 2 months ago

OK. I have a model from 2018.

Thanks again. For now I set the log level for jetty to ERROR.