We need native HTTPS support!


  • rjh
    replied
    I think the cert specifies this. I don't specify any of this when I authenticate the stream.

    Maybe if someone can enable SSL and expose their system to the Internet we can check it with:

    https://www.ssllabs.com/ssltest/

    And see what it finds.

    Originally posted by Krumpy
    Curious, what key length and digest algorithm did you use? I am hoping (suggesting) for key length 2048 or higher and SHA 256 or higher.


  • Krumpy
    replied
    Curious, what key length and digest algorithm did you use? I am hoping (suggesting) for key length 2048 or higher and SHA 256 or higher.



  • mloebl
    replied
    Thank you @rjh!

    I'm working on switching over to a Linux box during break, and just tried out .398, and ssl working great so far.

    FWIW, I created my own root cert for my local network, and just import it into my browsers on anything I need to access. No errors, and has a "real" cert (no need to register with a real cert authority). Since I use Google Domains for my domains (and it fully supports dynamic dns), I could in theory get a real cert, but a waste of money for this.


  • rjh
    replied
    I don't plan on supporting SSL with HSTouch, that would require new HSTouch clients. We will be supporting it with the new mobile client we are working on.

    The SSL support that was just added is for web access.

    Originally posted by lifespeed
    I would be willing to test HTTPS access using the web client and HSTouch direct (no MYHS).


  • rjh
    replied
    I was just planning on including a self signed cert. And I actually did create a new one, it's only included with the Linux builds right now, the next Windows build will also include it. For most users I think that will be as far as they will go. If you are an advanced user, you can create your own self signed cert (lots of instructions on the web). You can get your own cert from a signed authority although can you use those with a dynamic IP? You may need to have your home on a static IP.

    Originally posted by Krumpy
    Ok, installed Chrome and connected to HS3 web service via HTTPS. I presume that Chrome is the official web browser to test with?

    1.) Got usual and expected certificate error (due to the expired certificate that ships with HS3).

    2.) Clicked on Advanced and accepted the certificate so that I can go to the HS3 web site.

    3.) Traversing through web pages (using HTTPS) seems to work. All icons in the device management pages show up. No errors in the HS log.

    High-level scan of network traffic between web client and HS3 HTTPS server shows that it is no longer in plain text as it would have been if it was regular HTTP traffic.

    Can anyone else perform the same sort of test using a trusted certificate authority (such as GoDaddy, Verisign, etc)? I will now continue down the path of using my own certificate authority.

    Is anyone able to perform some sort of penetration test? Let's get serious, while I would personally love to have HomeSeer Technologies have a third party perform penetration testing on the HS3 web server, it is not financially feasible based on the cost of the product they are charging. It is still my thought that myHomeSeer should get tested since its intended use is to authenticate users via the Internet. But, if we had someone in the community that could do this that would be great.


  • Krumpy
    replied
    Ok, installed Chrome and connected to HS3 web service via HTTPS. I presume that Chrome is the official web browser to test with?

    1.) Got usual and expected certificate error (due to the expired certificate that ships with HS3).

    2.) Clicked on Advanced and accepted the certificate so that I can go to the HS3 web site.

    3.) Traversing through web pages (using HTTPS) seems to work. All icons in the device management pages show up. No errors in the HS log.

    High-level scan of network traffic between web client and HS3 HTTPS server shows that it is no longer in plain text as it would have been if it was regular HTTP traffic.

    Can anyone else perform the same sort of test using a trusted certificate authority (such as GoDaddy, Verisign, etc)? I will now continue down the path of using my own certificate authority.

    Is anyone able to perform some sort of penetration test? Let's get serious, while I would personally love to have HomeSeer Technologies have a third party perform penetration testing on the HS3 web server, it is not financially feasible based on the cost of the product they are charging. It is still my thought that myHomeSeer should get tested since its intended use is to authenticate users via the Internet. But, if we had someone in the community that could do this that would be great.
    Last edited by Krumpy; December 22, 2017, 08:31 AM.


  • Krumpy
    replied
    Rich,

    I have created a local certificate authority, and am in the process of generating a certificate from my own certificate. Then I will be generating a PFX, which I will import into HomeSeer.

    Now, if you want others to do the end to end step for testing, do you have some preliminary documented procedures for folks to follow? Or do you want folks to just import/access the certificate that ships with HomeSeer?

    Or, of course, it would be best for those folks who have a certificate signed by a real certificate authority (GoDaddy, Verisign, etc) to test. At the moment I do not have one.

    Ok, so reading my own email tells me that we need to do all three. Doh. Too early this morning.

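The steps Krumpy describes above (a local certificate authority, a certificate issued from it, a PFX bundle), using the key length and digest suggested elsewhere in this thread (2048-bit RSA, SHA-256), as an added example that is not part of any poster's message and not HomeSeer's own procedure. The host name `homeseer.example.lan`, the CA subject, the file names and the export password are constructed placeholders.

```shell
#!/bin/sh
# Added example: local CA -> server certificate -> PFX, then verify the result.
# Subjects, host name, file names and password are constructed placeholders.
set -eu

make_ca() {            # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
        -subj "/CN=Example Home Lab Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_server_cert() {  # $1 = working directory, $2 = host name
    openssl req -newkey rsa:2048 -sha256 -nodes -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    # Browsers match the host name against subjectAltName, so set it.
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext"
    openssl x509 -req -in "$1/server.csr" -sha256 -days 365 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/san.ext" -out "$1/server.crt" 2>/dev/null
}

make_pfx() {           # $1 = working directory, $2 = export password
    openssl pkcs12 -export -inkey "$1/server.key" -in "$1/server.crt" \
        -certfile "$1/ca.crt" -passout "pass:$2" -out "$1/server.pfx"
}

key_bits() {           # prints the public key size of certificate $1
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

sig_alg() {            # prints the signature algorithm of certificate $1
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

chain_ok() {           # succeeds if certificate $2 verifies against CA $1
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d)
    make_ca "$dir"
    issue_server_cert "$dir" "homeseer.example.lan"
    make_pfx "$dir" "change-me"
    echo "key bits : $(key_bits "$dir/server.crt")"
    echo "signature: $(sig_alg "$dir/server.crt")"
    chain_ok "$dir/ca.crt" "$dir/server.crt" && echo "chain    : OK"
    rm -rf "$dir"
}
demo
```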


  • lifespeed
    replied
    I would be willing to test HTTPS access using the web client and HSTouch direct (no MYHS).



  • Krumpy
    replied
    I have been running 398 without any issues. Keep in mind that I do not use zwave as I am running Insteon. So, can't test that.

    Originally posted by Moskus
    I apologize, but my house needs to be running. I'm not risking beta versions at the moment!

    I'll fire up the Zee2 and ... zee if I can install it there.
    Is it easy to update the Zee2 to use Mono 5?



  • Krumpy
    replied
    I have been using it every day since last Sunday (I think). Currently, in process of attempting to create my own certificate. With the holidays, not sure that I will have a lot of time testing thoroughly.


    Originally posted by rjh
    If you are asking if the latest Beta has new SSL support, then yes, it's in there.

    Lots of people seemed to have asked for it, but I only know of one person actually trying it.



  • Pete
    replied
    Is it easy to update the Zee2 to use Mono 5?

    No. I have been helping a Zee2 user trying to update from Mono 4.6 to 5.4.

    Having issues removing Mono 4.6 that is installed on the Zee2. Thinking Rich mentioned that it was built from scratch on the current Zee2 build.

    Personally here way back with the original Zee just grabbed the Homeseer directory and built my own RPi with Wheezy.

    When I upgraded to the Zee2 I did the same. (did write a new Zee2 image, then just copied the Homeseer directory out of the image).

    @Magnus, it would be a nice Linux learning experience for you to DIY build a new RPi2 image for running Homeseer.

    Use a spare SD card and build a new Stretch Zee2 and add mono 5.4 to it and copy over your Homeseer directory.

    I am still using Wheezy on my RPi2's manually built and they are all running Mono 5.4 today.
    Last edited by Pete; December 21, 2017, 07:50 PM.



  • kevini
    replied
    I'm running it too. Worked great for 2+ days and then stopped accepting SSL connections. How should I troubleshoot it? I'm on Windows 10.

    Restarting Homeseer cleared it.



  • integlikewhoa
    replied
    Originally posted by rjh
    Lots of people seemed to have asked for it, but I only know of one person actually trying it.
    I tested it a bit but I need to make a lot of http call changes for it to work. Right off the bat my Blueiris local http commands failed along with some other things. I ended up flipping off https to get everything back up. I'll have to play more when I have some time to swap everything over.


  • Moskus
    replied
    Originally posted by rjh
    Lots of people seemed to have asked for it, but I only know of one person actually trying it.
    I apologize, but my house needs to be running. I'm not risking beta versions at the moment!

    I'll fire up the Zee2 and ... zee if I can install it there.
    Is it easy to update the Zee2 to use Mono 5?



  • TechFan
    replied
    Originally posted by rjh
    The user/pass is AES 128 bit encrypted, so while you could see the actual commands, not much you can do with them.
    I see. So, if someone played back the exact stream to the HS3 box later, it wouldn't execute the commands? That would be the concern if the user/pass is actually just hashed. . .
