[hue] Add workaround for Bridge v3 certificate issue

[andrewfg]

The new Hue Bridge (black) version 3 uses a different certificate chain than the older version 1 and 2 bridges. The new chain has a three link chain, and unfortunately Signify does not (yet) supply the intermediate certificate.

This PR is a work around for the time being until Signify does (eventually) supply the missing intermediate certificate. On v3 bridges we currently use a TrustAllTrustManager for verifying the HTTPS connections.

Whenever the missing intermediate certificate is finally provided, we will need to make another PR to do the certificate validation properly.

Fixes #19337

Signed-off-by: Andrew Fiddian-Green software@whitebear.ch

[andrewfg]

@jpalo ping: could you please test this?

[openhab-bot]

This pull request has been mentioned on openHAB Community. There might be relevant details there:

https://community.openhab.org/t/cant-connect-new-hue-bridge-pro-to-openhab/166243/13

[andrewfg]

The developer guideline is here..

https://developers.meethue.com/develop/application-design-guidance/using-https/

[andrewfg]

There is probably a missing intermediate certificate..

currently the device certificate is signed directly by the root certificate. In the future – in particular when we would switch to the secondary root certificate – the device certificates will likely be signed by an intermediate certificate which is in turn signed by the root. You still only have to bundle the root certificates with your client application, since the Hue Bridge would present both its device certificate and intermediate certificate during the TLS handshake. However, care should be taken that the HTTPS library you are using has support for certificate chains with intermediate certificates.

[andrewfg]

Also perhaps this..

https://developers.meethue.com/forum/t/hue-bridge-ssl-certificates-are-not-compliant-and-must-be-fixed/7096

[openhab-bot]

This pull request has been mentioned on openHAB Community. There might be relevant details there:

https://community.openhab.org/t/cant-connect-new-hue-bridge-pro-to-openhab/166243/21

[andrewfg]

from what i understand the PEM file can hold multiple certificates, so if you have all certificates in the chain, it should work.

• Prior bridges have a two step "v1" validation chain (leaf cert in the bridge, v1 root cert provided by the manufacturer in a pem file).
• The new bridge has a three step "v2" validation chain (leaf cert in the bridge, v2 root cert provided by the manufacturer and located in a pem file). But currently the middle intermediate certificate seems to be AWOL .. it is neither (yet) provided by the manufacturer in a pem file, nor (yet) by the bridge itself.

I have written to Signify asking for either a) the intermediate cert, or b) to update their firmware.

But in the meantime we can do nothing but wait..

[andrewfg]

@JPAlp @lsiepel @lolodomo I modified this PR to be a temporary fix until Signify finally gets around to publishing the missing intermediate certificate. => I think it would be good to merge this ASAP since I don't know how long it will take Signify to do their homework.

[Copilot]

Pull Request Overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[openhab-bot]

This pull request has been mentioned on openHAB Community. There might be relevant details there:

https://community.openhab.org/t/cant-connect-new-hue-bridge-pro-to-openhab/166243/33

[andrewfg]

@kaikreuzer it looks like the CI build is once again not able to download the thing type xml schema..

[DenDeXTeR51]

any progress?

[andrewfg]

any progress?

The PR is ready. It just needs approval from @openhab/add-ons-maintainers ..

[DenDeXTeR51]

Yes, I mean that PR approve from maintainers stuck...

[lsiepel]

Thanks, LGTM