ihc binding and java 8 #2322
Comments
|
When I implemented IHC binding, I tried to implement certificate manager which trust all certificates, so that certificate isn't need to add certificate store at all. I had many problems, which I could not resolve on that time. But some time ago I got tired to play those certificates, so I tried to solve those problems and in-fact I did. Here you can find test version, which does not need any certificates on the certificate store. Could you tried it and give feedback? Maybe it solve your problems on java 8. If not, enable debugs for IHC binding and send full log. |
|
Yes thank you for the quick feedback. I will give it a try while the On Fri, 20 Mar 2015 16:59 pali notifications@github.com wrote:
|
|
When i start 1.7.0 snapshot with the new binding and java 7 with the certificate added to the keystore everything is fine. is this enough information, if not please tell me how to enable debugging output for the binding. |
|
Could you download binding again from the link and try one more time. Debug can be enabled by starting start_debug script rather than start script. |
|
I downloaded the binding again. What i have found is: with java7 i get good connect to the controller but no traffic of updates or anything going on. with java8 and the debug option I get the following output (after only sorting out the lines with "ihc" in them). |
|
Download ihc binding ones again from the link (be sure that only one ihc binding exists on your addons folder) and add following line to start_debug script -Djavax.net.debug=ssl:handshake It will cause lot of ssl debug data. Hopefully that give a hint where the problem is. |
|
Damn, I forgotten to inform that you need to add following line on openhab.cfg ihc:trustAllCerts=true |
|
I will have a go tomorrow evening. On Sat, 21 Mar 2015 22:36 pali notifications@github.com wrote:
|
|
I'm currently looking to get it working as well. I have implemented a few other clients for the IHC, so I know that it has a very shaky TLS/SSL-implementation. The implementation on the IHC is based on "Rogatkin's JWS based on Acme.Serve The only non java way (before 1.8), I have found was using an stunnel with the following configuration: The current JAVA 1.8 implementation has enforced some TLS protocol specification and disables SSLv3. Disabling TLS1.2 and TLS1.1 (-Djdk.tls.client.protocols="TLSv1") at least helps getting through with downloading segments and getting the first event data. But after a few seconds the following shows up: The same happens if enabling SSLv3 and setting the protocol to SSLv3, so I guess something equal to "enable all workarounds" is needed for the java implementation as well. If no one has any ideas, I will patch the IHC-binding to allow HTTP connections as well and use my stunnel approach for now. (Better than punching a whole into the enforced java tls security after all). It might be possible to change the SSL contexts in java as well. Any one an idea which settings could help here? |
|
Just tested ihc binding (which trust all certs) with java 8 u40 and it works fine on my environment when -Djdk.tls.client.protocols="TLSv1" system property is introduced. I changed ihc binding code to force TLSv1 and now it seems to work without system property as well. So could you both test the latest test version from Here If you don't want to add controller certificate to trusted store anymore, don't forgot to add following line on openhab.cfg ihc:trustAllCerts=true |
|
hm nice, it really is working. I might have introduced a bug in my IHC snapshot or because of the testings the controller had blocked resources, whatever... Can you release the sourcecode for that version? I'm currently extending the IHC-binding with a custom output feature (allowing "custom" rollershutter programs) ( ihc=">[DOWN:IHC_ID:1000],>[UP:IHC_ID:1000]" ). Would be nice to merge them in. I will add a pull request the next days.. |
|
I see that you override the default SSLContext. I think that's not the best idea, as in my understanding this would not only change the context for the ihc-binding. But for the whole java process. As TLSv1 is always the right choice for the IHC, it would be okay to set it with the connection: conn.setSSLSocketFactory(socketFactory); // where socketFactory is the new factory (setting it to TLSv1 (and optionally enabling "trust all") |
I agree. I never had time to test it, but hoped that default context is limited to one OSGi bundle. I quickly tested with http binding, and my hope wasn't come true. Whole java process is using then all trusting trust manager and that's definitely not acceptable. The same, of course, also takes place with default cookie manager and host name verifier. This actually is pretty danger feature, because someone could use it in another binding to ruin the whole OH security. I quickly tried to do it via socket factory (and also changed cookie manager and host name verifier) without success. But anyhow, because it's works with default SSL context, global cookie manager and host name verifier, there is still hope to get it to work. |
|
Yes, I tried that as well and it did not work. I don't know what we are missing here. Nevertheless I wrote Schneider about the problem and they told me that they are currently working on a new firmware which should fix that issue and are about to release it in two weeks. So my hopes are high that this version will really fix it. Let's hope for the best 👍 |
|
That's great news. Btw, do you own ihc or elko branded controller? |
|
It is Schneider/ELSO IHC branded |
|
I spend some time again and tried to get HttpsURLConnection and socket factory to work without success. I give up and changed HttpsURLConnection to Apache HTTP client and that seems to work fine. I didn't test binding very well yet, but @smerschjohann if you have time please take a look my repo. |
|
I will check it tomorrow. |
|
Okay, I just checked it out and everything works as it should. Seems good 👍 I will now run it 24/7 and check if it keeps that way. |
|
@smerschjohann: have you had any problems with the binding? 1.7 code freeze date is pretty soon, so before I make PR, I like to have some feedback. |
|
Sorry, that I did not respond anymore. Yes, it runs for around 2 weeks now without any (big) issues. The only issue I see is while initializing. The socket timeout seems to be too short. Sometimes on the initialization I get a timeout and an exception gets thrown. But this is not an issue as the connection gets reestablished and the initialization proceeds. |
|
#2598 has been merged successfully … |
hello all, i am running openhab 1.7.0 snapshot but have seen the same problem in 1.5 and 1.6.
When using java 7 i have no problems connecting to my ihc/elko system after adding the certificate to the store, but repeating the same process for java 8 only yields an authentication error.
The text was updated successfully, but these errors were encountered: