⚠ Gateway software version 21.20.2 seems to break the Powerwall plugin on Linux
This post will contain some speculation.
My gateway received version 21.20.2 today, and the HS plugin stopped working. Every request resulted in this error message: "Authentication failed because the remote party has closed the transport stream."
I'm using mono 6.12.0.90 on Ubuntu 20, but the plugin still worked for me on Windows. All signs pointed to a TLS incompatibility, but the plugin was already using TLS v1.2 and .NET has supported TLS v1.2 for years at this point.
I ran tcpdump to capture the TLS handshake, and found that the gateway closed the TCP connection immediately after the TLS Client Hello message, meaning that the gateway didn't like something in the hello. I also noticed that while the TLS version in the handshake was 1.2, the version in the record layer was 1.0.
I also ran Wireshark on Windows to see if this was different, and it was:
So I checked into why this might be the case, and whether it's possible to change this. I came across this issue on GitHub, where an OpenSSL team member explains that it's perfectly valid to use an older version in the record layer, and that the version in the handshake is the version that should be treated as authoritative. So, it seems to me that Tesla's software is improperly checking the version in the record layer and rejecting older, insecure TLS versions, despite the fact that those connections are in fact valid and secure TLS 1.2 connections.
I was able to establish a connection using curl (which is built against openssl), so it does seem as though openssl matches the versions in the two layers, but I suppose that the BoringSSL fork of openssl mono is using hasn't received that change. Which means, as far as I can tell, that it's not going to be possible to get this working again on Linux unless Tesla fixes their problem.
I will continue to investigate workarounds for this, but in the meantime I suggest that if you're experiencing this problem and you're able to, run the plugin on a Windows PC. Here's how you can do that:
If you see that, then go into HS and check to make sure the plugin is working. Don't close the console window, as that will stop the plugin.
I realize this is all really inconvenient, and I'm looking into workarounds.
My gateway received version 21.20.2 today, and the HS plugin stopped working. Every request resulted in this error message: "Authentication failed because the remote party has closed the transport stream."
I'm using mono 6.12.0.90 on Ubuntu 20, but the plugin still worked for me on Windows. All signs pointed to a TLS incompatibility, but the plugin was already using TLS v1.2 and .NET has supported TLS v1.2 for years at this point.
I ran tcpdump to capture the TLS handshake, and found that the gateway closed the TCP connection immediately after the TLS Client Hello message, meaning that the gateway didn't like something in the hello. I also noticed that while the TLS version in the handshake was 1.2, the version in the record layer was 1.0.
I also ran Wireshark on Windows to see if this was different, and it was:
So I checked into why this might be the case, and whether it's possible to change this. I came across this issue on GitHub, where an OpenSSL team member explains that it's perfectly valid to use an older version in the record layer, and that the version in the handshake is the version that should be treated as authoritative. So, it seems to me that Tesla's software is improperly checking the version in the record layer and rejecting older, insecure TLS versions, despite the fact that those connections are in fact valid and secure TLS 1.2 connections.
I was able to establish a connection using curl (which is built against openssl), so it does seem as though openssl matches the versions in the two layers, but I suppose that the BoringSSL fork of openssl mono is using hasn't received that change. Which means, as far as I can tell, that it's not going to be possible to get this working again on Linux unless Tesla fixes their problem.
I will continue to investigate workarounds for this, but in the meantime I suggest that if you're experiencing this problem and you're able to, run the plugin on a Windows PC. Here's how you can do that:
- Download the latest release from GitHub
- Unzip the file you downloaded
- Download the support files: Support files.zip
- Unzip the support files into the same folder as HSPI_TeslaPowerwall.exe
- Right-click inside that folder and choose New > Shortcut
- Browse to HSPI_TeslaPowerwall.exe
- Once you've selected HSPI_TeslaPowerwall.exe, before you click next, click in the text box and after the last quotation mark, enter: server=1.2.3.4
- Replace 1.2.3.4 with your HomeSeer server's IP address
- You can find your HS server's IP address in HS4 by going to Tools > Help, and check the "Lan IP" under the help desk section
- Refer to this image to see how your shortcut should look
- Click next, then finish
- To start the plugin, double-click on your new shortcut
Code:
Connecting to HomeSeer... Connected to HomeSeer Waiting for initialization...
I realize this is all really inconvenient, and I'm looking into workarounds.
Comment