Add new --insecure flag to disable SSL certificate validation (#18)

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## [0.12.2] - 2024-12-20
+
+### Added
+- **Allow disable SSL validation**: Added new `--insecure` Flag to disable SSL certificate validation in case your bridge still uses self-signed certificates. (#18). See [Phis Hue Developer Documentation](https://developers.meethue.com/develop/application-design-guidance/using-https/) (requires login).
+
 ## [0.12.1] - 2024-11-02
 
 ### Fixed

docs/advanced_command_line_options.md

@@ -122,6 +122,14 @@ Configures the read timeout of the API v2 SSE event stream in minutes. The conne
 
 **Default**: `120` minutes
 
+### `--insecure`
+
+*New in 0.12.2*
+
+Disables SSL certificate validation for the Hue Bridge. Needed if your bridge still uses self-signed certificates instead of the one issues by Signify. See [Phis Hue Developer Documentation](https://developers.meethue.com/develop/application-design-guidance/using-https/) (requires login).
+
+**Default**: false
+
 ### `-Dlog.level`
 
 A JVM argument to configure the log level of Hue Scheduler. The following values are available:

pom.xml

@@ -6,7 +6,7 @@
 
     <groupId>at.sv.hue</groupId>
     <artifactId>hue-scheduler</artifactId>
-    <version>0.12.1</version>
+    <version>0.12.2-SNAPSHOT</version>
 
     <scm>
         <connection>scm:git:[email protected]:stefanvictora/hue-scheduler.git</connection>

src/main/java/at/sv/hue/HueScheduler.java

@@ -52,7 +52,7 @@
 import java.util.concurrent.TimeUnit;
 import java.util.function.Supplier;
 
-@Command(name = "HueScheduler", version = "0.12.1", mixinStandardHelpOptions = true, sortOptions = false)
+@Command(name = "HueScheduler", version = "0.12.2", mixinStandardHelpOptions = true, sortOptions = false)
 public final class HueScheduler implements Runnable {
 
     private static final Logger LOG = LoggerFactory.getLogger(HueScheduler.class);
@@ -165,6 +165,11 @@ public final class HueScheduler implements Runnable {
             description = "The delay in seconds during which turn-on events for affected lights and groups are ignored " +
                           "after a scene activation has been detected. Default: ${DEFAULT-VALUE} seconds.")
     int sceneActivationIgnoreWindowInSeconds;
+    @Option(names = "--insecure",
+            defaultValue = "${env:INSECURE:-false}",
+            description = "Disables certificate validation for older bridges using self-signed certificates." +
+                          " Default: ${DEFAULT-VALUE}")
+    private boolean insecure;
     private HueApi api;
     private StateScheduler stateScheduler;
     private final ManualOverrideTracker manualOverrideTracker;
@@ -284,7 +289,7 @@ private void createAndStart() {
 
     private OkHttpClient createHueHttpsClient() {
         try {
-            return HueHttpsClientFactory.createHttpsClient(apiHost, accessToken);
+            return HueHttpsClientFactory.createHttpsClient(apiHost, accessToken, insecure);
         } catch (Exception e) {
             System.err.println("Failed to create https client: " + e.getLocalizedMessage());
             System.exit(1);

src/main/java/at/sv/hue/api/hue/HueHttpsClientFactory.java

@@ -1,5 +1,6 @@
 package at.sv.hue.api.hue;
 
+import lombok.extern.slf4j.Slf4j;
 import okhttp3.OkHttpClient;
 import okhttp3.Request;
 
@@ -12,12 +13,19 @@
 import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
 
+@Slf4j
 public class HueHttpsClientFactory {
 
     private static final String HUE_BRIDGE_CERTIFICATE = "/hue-bridge-certificate.pem";
 
-    public static OkHttpClient createHttpsClient(String bridgeIp, String accessToken) throws Exception {
-        X509TrustManager trustManager = createTrustManager();
+    public static OkHttpClient createHttpsClient(String bridgeIp, String accessToken, boolean insecure) throws Exception {
+        X509TrustManager trustManager;
+        if (insecure) {
+            log.warn("Disabling SSL certificate validation.");
+            trustManager = createTrustAllTrustManager();
+        } else {
+            trustManager = createTrustManager();
+        }
         SSLContext sslContext = createSSLContext(trustManager);
         return new OkHttpClient.Builder()
                 .sslSocketFactory(sslContext.getSocketFactory(), trustManager)
@@ -41,7 +49,7 @@ private static X509TrustManager createTrustManager() throws Exception {
     }
 
     private static Certificate loadCertificate() throws Exception {
-        try (InputStream certInputStream = HueEventStreamReader.class.getResourceAsStream(HUE_BRIDGE_CERTIFICATE)) {
+        try (InputStream certInputStream = HueHttpsClientFactory.class.getResourceAsStream(HUE_BRIDGE_CERTIFICATE)) {
             return CertificateFactory.getInstance("X.509").generateCertificate(certInputStream);
         }
     }
@@ -58,6 +66,23 @@ private static KeyStore createEmptyKeyStore() throws Exception {
         return keystore;
     }
 
+    private static X509TrustManager createTrustAllTrustManager() {
+        return new X509TrustManager() {
+            @Override
+            public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) {
+            }
+
+            @Override
+            public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) {
+            }
+
+            @Override
+            public java.security.cert.X509Certificate[] getAcceptedIssuers() {
+                return new java.security.cert.X509Certificate[]{};
+            }
+        };
+    }
+
     private static SSLContext createSSLContext(X509TrustManager trustManager) throws Exception {
         SSLContext context = SSLContext.getInstance("TLS");
         context.init(null, new TrustManager[]{trustManager}, null);