Weak cipher suite warning since 2.5M2 #1064
Comments
|
Karaf 4.2.6 uses a newer Jetty version that logs these warnings when using weak cipher suites. I've fixed the warnings I saw in: If you're using a customized There can still be add-ons that use a |
|
I didn't modified that file, I don't know why it didn't got updated when I updated to M2. |
|
The jetty.xml got updated correctly, it has the same content. So maybe another bundle is using it without excluding these suites. Can this somehow traced back from the error which bundle is throwing this warning? |
|
The logging does not help with pin pointing the bundle. It will most likely get logged when bundles are started so you could try pin pointing it with |
wborn
changed the title
|
@wborn unfortunately this is not the case. This error happens randomly and I can't find any bundle which after its restart fires these warnings. |
|
I get these warnings as well, in my case it seems to happen when the spotify binding refreshes it's OAuth token: Not sure wether the fix should go in the oauth2client bundle or in the Spotify binding though.. |
|
Yes I was also able to trace it down until Spotify. But I think this is something wrong in the OAuth implementation and not the Spotify binding itself... |
|
@Hilbrand As initial contributor of the Spotify Binding: Do you see these warnings too? |
|
I see that the So we can probably fix those warnings by adding the same excludes as in the other method: |
|
Thanks @wborn it might be this causing the warnings. Should I create a PR for this? |
|
The method is marked as deprecated, so either way we should find where this is called from and change the caller to use |
To prevent weak cipher/protocol warnings it's better to not customize the default excluded ciphers and protocols. The MD5 ciphers have already been excluded by default since Jetty 9.3.11.v20160721. Fixes openhab#1064 Signed-off-by: Wouter Born <github@maindrain.net>
|
Thanks but I already made a PR @radokristof! Currently we focus on fixing/adding 2.5.0 end user functionality for the upcoming release @pacive. Deprecations don't impact end users but fixing them might cause more issues. |
|
Thank you! Yes I also think that we might try this first, if it solves the issue and then we can think about replacing deprecated methods... |
|
Did you still see any warnings with this fix @radokristof, @pacive? |
|
No it is gone with this fix. Thanks! |
|
Nice to know! 😄 |
|
Nothing in my logs either! |
Also-By: Christoph Weitkamp <github@christophweitkamp.de> Signed-off-by: Hilbrand Bouwkamp <hilbrand@h72.nl>
…openhab#1241) To prevent weak cipher/protocol warnings it's better to not customize the default excluded ciphers and protocols. The MD5 ciphers have already been excluded by default since Jetty 9.3.11.v20160721. Fixes openhab#1064 Signed-off-by: Wouter Born <github@maindrain.net> GitOrigin-RevId: c50766d
Dear community!
Other also reported that since M2 (and it is still present in M3), we usually get a long list of warnings:
2019-09-30 03:42:34.055 [WARN ] [ty.util.ssl.SslContextFactory.config] - Weak cipher suite TLS_ECDH_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@17b090b[provider=null,keyStore=null,trustStore=null]First I thought it is because of the new mail binding, but others reported that they don't use mail bindings and still gets these warnings. @J-N-K said it might be related to Jetty.
I know this is just a warning, but I send a log report for myself daily to quickly identify problems in my setup. This warnings makes it unreadable because I get around 600-700 warnings a day just for this.
One temporary solution might be to set logging only for ERROR for the bundle which causes this warning, but I haven't figured it out yet which bundle is causing this.
The text was updated successfully, but these errors were encountered: