We need native HTTPS support!
    Originally posted by Jobee View Post
    This time it took about 6 days. There are always a set of errors in the log when it goes down. Of course it is not until the next time I try to get in, that it just hangs and I know it is. I made the mistake of trying to turn it off in Labs and that just made it unable to get in either with or without SSL, so I don't do that anymore. I have to shut down HS3 and then restart it to get SSL back.

    Michael
    OK, I will try and repro.
    I couldn't figure out any way to turn off the standard HTTP web server. How did you do that?



      Originally posted by scyto View Post
      OK, I will try and repro.
      I couldn't figure out any way to turn off the standard HTTP web server. How did you do that?
      I did not turn off the standard one. I use it as my way in if SSL is not working. What I found is that if SSL is not working and I go in on the standard port, go to Setup/Labs and turn off (uncheck) SSL, and close down the browser, then the standard one becomes corrupt also and you cannot get in at all.

      I'm hoping the next version will have more debug entries in the log so we can see what is going on.

      Michael
      HS3Pro & HS4Pro on Win2012R2
      Aeotec, Cooper, Cree, GE/Jasco, Intermatic, LIFX, Fortrezz, OSRAM, RCS, Trane, Zooz
      BLBackup, BLGData, BLRussound, BLSpeech, HSTouch, InvisaLink, HSBuddy, IFTTT, JowiHue, NetCAM, PHLocation, Pushover 3P, Random, rnbWeather, UltraLighting3, weatherXML, ZigBee, Z-Wave



        It did not last that long this time. It was only 48 hours this time.

        Jun-29 00:56:04 Error Authenticating SSL stream inner exception: The function requested is not supported
        Jun-29 00:56:04 Error Authenticating SSL stream: A call to SSPI failed, see inner exception.
        Jun-29 00:56:03 Error Authenticating SSL stream inner exception: The function requested is not supported
        Jun-29 00:56:03 Error Authenticating SSL stream: A call to SSPI failed, see inner exception.
        Jun-29 00:56:00 weatherXML Triggers to check: 0
        Jun-29 00:55:53 Error Authenticating SSL stream inner exception: The client and server cannot communicate, because they do not possess a common algorithm
        Jun-29 00:55:53 Error Authenticating SSL stream: A call to SSPI failed, see inner exception.
        Jun-29 00:55:43 Error Authenticating SSL stream inner exception: The client and server cannot communicate, because they do not possess a common algorithm
        Jun-29 00:55:43 Error Authenticating SSL stream: A call to SSPI failed, see inner exception.
        Jun-29 00:55:42 Error Authenticating SSL stream: Authentication failed because the remote party has closed the transport stream.

        There just is not enough in the log to give a clue as to what is going on. My suspicion is that someone/something is trying to gain access to the web server via an attack and is overloading the web server.

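The two inner-exception texts in that log ("The client and server cannot communicate, because they do not possess a common algorithm" and "The function requested is not supported") are Windows Schannel status messages, and the first one is what Schannel reports when the two ends share no TLS version or cipher suite. One way to tell whether HS3's SSL listener is simply refusing newer TLS versions rather than being attacked is to handshake with it one protocol version at a time from another Windows box on the LAN. The script below is an added example, not from the thread or from HomeSeer; the host name "homeseer" and port 443 are assumptions, and it accepts any certificate because it is checking the handshake, not trust.

```powershell
# Added example: probe which TLS versions an HTTPS listener will negotiate.
# Assumptions: "homeseer" resolves on the LAN and 443 is the HS3 SSL port; adjust both.
$TargetHost = "homeseer"
$Port       = 443

function Test-TlsHandshake {
    param(
        [string]$TargetHost,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($TargetHost, $Port)
        # Accept any certificate: this probe is about protocol negotiation, not about trust.
        $trustAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $trustAll)
        # Offer exactly one protocol version so a success or failure is unambiguous.
        $ssl.AuthenticateAsClient($TargetHost, $null, $Protocol, $false)
        [pscustomobject]@{
            Offered    = $Protocol
            Result     = "accepted"
            Negotiated = $ssl.SslProtocol
            Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Detail     = ""
        }
    } catch {
        # The Schannel/SSPI reason is in the innermost exception, the same text HS3 logs
        # as "Authenticating SSL stream inner exception".
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        [pscustomobject]@{
            Offered    = $Protocol
            Result     = "rejected"
            Negotiated = $null
            Cipher     = $null
            Detail     = $ex.Message
        }
    } finally {
        $client.Close()
    }
}

# Tls13 only exists on .NET 4.8+, so resolve the enum names at run time and skip
# any version this client runtime does not know about.
$results = foreach ($name in "Tls", "Tls11", "Tls12", "Tls13") {
    $proto = $null
    try { $proto = [System.Security.Authentication.SslProtocols]$name } catch { continue }
    Test-TlsHandshake -TargetHost $TargetHost -Port $Port -Protocol $proto
}
$results | Format-Table -AutoSize
```

A row reading "rejected" for Tls12 with the "do not possess a common algorithm" detail, while Tls or Tls11 is "accepted", means any TLS 1.2-only client (a modern browser, a scanner, a monitoring script) will produce exactly the log lines above on every connection attempt, with no attacker required.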


          Free SSLs

          For anyone who wants to use SSL and does not want to use a self-signed cert or pay for a cert, you now have an option. Go to Let's Encrypt and you can get a free SSL cert for your server.

          https://letsencrypt.org/getting-started/

          Michael



            Originally posted by Jobee View Post
            For anyone who wants to use SSL and does not want to use a self-signed cert or pay for a cert, you now have an option. Go to Let's Encrypt and you can get a free SSL cert for your server.

            https://letsencrypt.org/getting-started/

            Michael
            And they do wildcard support, making this a very usable proposition!
            https://community.letsencrypt.org/t/...-is-live/55579



              @jobee i have been running for a week, no issues.

              are you exposing your homeseer via a mapped port to the internet?
              does your internet facing DNS name match the certificate name?

              It looks like a possible cipher mismatch: for example, the browser (or connecting process) is trying to enforce modern compatibility only; it could also be someone trying to telnet to the port. Either way, that should not crash the web process. Note they won't give any support on beta, nor do they have a roadmap for it leaving beta....

              You could try fronting the website with an nginx reverse proxy. This is what I do for all my internal HTTP / HTTPS resources, so port 80 is closed (actually it redirects HTTP to HTTPS on 443); port 443 is open externally and maps to the nginx proxy host. The nginx proxy then uses different host names to route to the right internal host, e.g. https://app1.mydomain.com, https://app2.mydomain.com, etc.

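The layout scyto describes (80 redirects to 443, one public 443 listener, host-name routing to internal boxes) looks like the configuration below. It is an added example written for this thread, not scyto's own config or anything shipped by HomeSeer; the host names hs.mydomain.com and app2.mydomain.com, the 192.168.1.x addresses, the backend ports and the Let's Encrypt certificate paths are all assumptions to replace with your own. The point for HS3 is that nginx terminates TLS 1.2/1.3 for the browser and talks plain HTTP to HS3's standard listener on the LAN, so HS3's own SSL engine is never in the path.

```nginx
# Added example: nginx in front of HS3 and a second internal app, routed by host name.
# Assumptions: names, addresses, ports and certificate paths are placeholders.

# Everything arriving on port 80 is bounced to HTTPS; nothing is served in the clear.
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name hs.mydomain.com;                   # assumption: a name on your certificate

    # A wildcard or SAN cert from Let's Encrypt covers both host names below.
    ssl_certificate     /etc/letsencrypt/live/mydomain.com/fullchain.pem;  # assumption
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;    # assumption
    ssl_protocols TLSv1.2 TLSv1.3;                 # the proxy, not HS3, decides the TLS version
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # Plain HTTP to HS3's standard web server on the LAN (assumed 192.168.1.10:80).
        proxy_pass http://192.168.1.10:80;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # nginx forwards the browser's Authorization header unchanged, so HS3's own
        # basic-auth login still applies behind the proxy.
    }
}

server {
    listen 443 ssl http2;
    server_name app2.mydomain.com;                 # assumption: a second internal service
    ssl_certificate     /etc/letsencrypt/live/mydomain.com/fullchain.pem;  # assumption
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;    # assumption
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://192.168.1.11:8080;       # assumption: second backend
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Only the proxy host needs 443 forwarded from the router; the HS3 box itself is never exposed, which is the same thing Jobee's unmatched-DNS-name and port-mapping questions are getting at.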


                Originally posted by scyto View Post
                @jobee i have been running for a week, no issues.

                are you exposing your homeseer via a mapped port to the internet?
                does your internet facing DNS name match the certificate name?

                It looks like a possible cipher mismatch: for example, the browser (or connecting process) is trying to enforce modern compatibility only; it could also be someone trying to telnet to the port. Either way, that should not crash the web process. Note they won't give any support on beta, nor do they have a roadmap for it leaving beta....

                You could try fronting the website with an nginx reverse proxy. This is what I do for all my internal HTTP / HTTPS resources, so port 80 is closed (actually it redirects HTTP to HTTPS on 443); port 443 is open externally and maps to the nginx proxy host. The nginx proxy then uses different host names to route to the right internal host, e.g. https://app1.mydomain.com, https://app2.mydomain.com, etc.
                Thank you for the suggestions. I am testing a theory and will know if I'm ok in a day or so.

                Michael



                  @Rich, can HS look into supporting Let's Encrypt as a solution for an SSL cert? I know my box can support it, but since we have to export it, it would make it difficult to redo the cert every 45 days as required by Let's Encrypt. Maybe someone can devise a plug-in that will run a new cert and export it, updating the HS settings?

                  Michael



                    Originally posted by Moskus View Post
                    That's great! I'd love to see faster loading speeds.



                    The web interface (using Jon00s excellent Quick Page builder) is extremely fast for getting the overview of the house.

                    HStouch is great for what it does, but it's not perfect. It takes a while to start, to connect, and to load data, and worst of all: There's no Windows app at all.

                    Making the web interface extremely useful, fast and reliable.
                    WinSeer was designed to load quickly and find a device fast. I'm sure I'm able to find and control a device much, MUCH faster than you are.



                    If you say so.
                    I'll try this again at work, but on my cell phone it doesn't work like this.



                    YES! This is very interesting!
                    My app is using the JSON interface only, so if I can pass credentials along with the request, then MyHS is easily integrated.

                    I've been looking in the documentation, but can't find anything. Point me in the right direction




                    .... but I still think we need a proper SSL supported web server. You can even get free fully qualified certificates these days (take a look at letsencrypt.org), so there really aren't any excuses. We ARE in 2017, everything should be using SSL.
                    Slight hijack.... did you ever get JSON data working for your app? Not the JSON "interface" that expects FORM-formatted data, but the ability to retrieve the full body of a POST and process the data? I'm struggling with this even today.



                      Originally posted by jeubanks View Post

                      Slight hijack.... did you ever get JSON data working for your app? Not the JSON "interface" that expects FORM-formatted data, but the ability to retrieve the full body of a POST and process the data? I'm struggling with this even today.
                      I'm not "tech" enough to understand the question, sorry...

                      But yes, I'm using GET to get data and process the JSON I receive.
                      But perhaps I switched to post, I'll have to check.
                      HSPro 3.0.0.458, Z-NET with Z-wave plugin 3.0.1.190, RFXCOM + 2x RFXtrx433E, HSTouch, Squeezebox plugin, iTach IP/WF2IR & GC-100-6 with UltraGCIR, BLDenon, NetcamStudio, Jon00s Webpage builder, Harmony Hub plugin, SCSIP (with FreePBX), Arduino plugin, IFTTT, Pushalot plugin, Device History plugin.
                      Running on Windows 10 (64) virtualized
                      on ESXi (Fujitsu Primergy TX150 S8).
                      WinSeer (for Win10) - TextSeer - FitbitSeer - HSPI_MoskusSample

                      Are you Norwegian (or Scandinavian) and getting started with HomeSeer? Read the "HomeSeer School"!



                        How are you guys handling the basic auth that Homeseer uses? Traefik (the reverse proxy I'm using) doesn't handle the logout gracefully.

                        Ideally I'd like to use http header forward auth to login so I only have to login once. I have Authelia setup as a single signon server and am able to successfully pass my auth back to Grafana, Portainer, and several other containers using the Remote-User http header.

                        I can't figure out how to do that in homeseer.

                        Thoughts?



                          Sorry to dig up an old thread, but browsers will eventually no longer support HTTP and only allow HTTPS, and this might be expanded to local daemons as well.

                          It is a very slow process, as Mozilla pledged to start it back in 2015 -- https://blog.mozilla.org/security/20...n-secure-http/

                          HS3 relies on SSL/TLS engine 1.0 or 1.1, and supports https locally (not via MyHS), but there has also been a drive to eradicate the insecure TLS protocols and 1.2 is now pretty much forced on all modern browsers.

                          rjh, I know you prefer to push MyHS, but with all the code already there, isn't it simply a matter of activating TLS 1.2 support in your code?

                          C# code such as:
                              System.Net.ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
                          on .NET 4.5+, or
                              ServicePointManager.SecurityProtocol |= (SecurityProtocolType)3072;
                          if HS3 is still compiled on .NET 4.0.

                          Ideally use = instead of |= to force TLS 1.2 only, to avoid issues with browsers that scan for security exploits and to ensure 1.0/1.1 are disabled.

                          It will cater to a very small group, but that has always been the beauty of HomeSeer.

                          I'm security-aware enough on my LAN that PoE security cameras are MAC-filtered and on their own VLAN with specific IDS/IPS and firewall rules, to prevent somebody unplugging a camera, plugging in their notebook and telling HomeSeer to unlock the front door. I'm fully aware that criminals with that level of expertise will not even bother venturing outside to do crime and can remain in their basement, but it's still good practice. It's scary to see how many businesses have RJ-45 sockets unattended that give full access to their LAN.

                          PS: It is pretty easy to set up:

                          1. Run this Win10 PowerShell command for a 10-year certificate:
                             New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "homeseer" -FriendlyName "HomeSeer" -NotAfter (Get-Date).AddYears(10)
                          2. Open the "Manage Computer Certificates" app; under Personal > Certificates it will be listed (with the little key icon to indicate the private key is included). Right-click it, All Tasks > Export... > Next > export the private key > Next > tick the password checkbox and enter a password twice > change the encryption to AES, as SHA1 is insecure > Next > save it somewhere you'll find it, such as homeseer.pfx on your desktop.
                          3. Optionally right-click the file and select "Install Certificate", but force it manually into Local Machine > "Trusted Root Certificates", as you otherwise get a non-trusted CA warning in browsers.
                          4. Put the same file in the HS3 root folder: rename the bundled server.pfx to something like server_old.pfx and copy your own file there as server.pfx.
                          5. Inside HomeSeer, go to Tools > Setup > Labs, enter the password first under "SSL Server Certificate Password", and then check the "Enable SSL Secure Server" box.

                          In my case I needed to restart HS3, and then SSL works: you can visit https://homeseer/ without any certificate warning if you installed it as a root cert, but you still get the obsolete TLS version error. Firefox refuses to let you continue until you accept insecure TLS 1.0/1.1 certificate support, but Chrome has not forced that yet. The site is accessible on your LAN via https://homeseer/, as I cannot be the only one who picked that as the easy hostname option 😁

                          PPS: The only problem with self-signed certs is that to get rid of the non-trusted CA error on other LAN clients you have to install the PFX on each client in its respective root store, which is not a problem on desktop systems but is not possible on non-rooted Android devices. If you want to kick it up a notch you can always generate a free CA-trusted certificate via https://letsencrypt.org/, but those are only valid for 3 months, and explaining how to automatically renew them via a script is way outside the scope here. Single-domain real certificates are as cheap as $4/year, and wildcard domain certificates are now down to $35/year for those more privileged amongst us. In most cases MyHS will be much easier then, and it is offered for free by HomeSeer.

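The export-and-install steps above can be done entirely from PowerShell, which also lets you put more than one name in the certificate. Browsers match the Subject Alternative Name list rather than the CN, so a cert issued only for "homeseer" still warns when you browse to the FQDN or the IP. The script below is an added example for this thread, not HomeSeer's code and not the procedure from the post above; the names "homeseer" and "homeseer.lan", the install path and the desktop output location are assumptions. It needs the Windows 10 / Server 2016 or newer PKI cmdlets (the 2012 R2 version of New-SelfSignedCertificate lacks the key and hash parameters) and an elevated prompt on the HS3 box, with HS3 stopped before the file swap. As the post says, none of this changes which TLS versions HS3 will speak.

```powershell
# Added example: self-signed cert with SANs, exported as the server.pfx HS3 loads,
# and trusted on this machine. Assumptions: $HsRoot, $Names and the output paths.
$HsRoot  = "C:\Program Files (x86)\HomeSeer HS3"   # assumption: your HS3 install folder
$Names   = @("homeseer", "homeseer.lan")            # assumption: every name you browse to
$PfxPass = Read-Host -Prompt "PFX password" -AsSecureString

# Several -DnsName values become SAN entries; the first also becomes the CN.
$cert = New-SelfSignedCertificate -DnsName $Names `
    -CertStoreLocation Cert:\LocalMachine\My `
    -FriendlyName "HomeSeer" `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(10)

# Export with the private key; this is the file HS3 expects as server.pfx.
$pfxPath = Join-Path $env:USERPROFILE "Desktop\homeseer.pfx"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $PfxPass | Out-Null

# Trust the public part on this machine so the browser stops warning.
# (Other LAN clients still need the .cer imported into their own root store.)
$cerPath = Join-Path $env:TEMP "homeseer.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Swap it in, keeping the bundled certificate as server_old.pfx.
$target = Join-Path $HsRoot "server.pfx"
if (Test-Path $target) {
    Move-Item -Path $target -Destination (Join-Path $HsRoot "server_old.pfx") -Force
}
Copy-Item -Path $pfxPath -Destination $target

Write-Host "Installed $target for names: $($Names -join ', ')"
Write-Host "Now set the password under Tools > Setup > Labs and enable SSL, then restart HS3."
```

Keep the .pfx off shared drives afterwards: it holds the private key, and a password-protected PFX is only as strong as that password.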


                            I agree; the fact that TLS 1.2 (well, now even 1.3) isn't supported is unacceptable. Having to proxy HomeSeer behind a TLS 1.2 proxy is a horrible workaround.
                            MyHS does work, but you have to allow an internet connection to that system/PC/subnet, which a lot of people don't want to.

