We need native HTTPS support!

  • RoChess
    replied
    Sorry to dig up an old thread, but browsers will eventually no longer support http and only allow https, and this might be expanded to local daemons as well.

    It is a very slow process, as Mozilla pledged to start it back in 2015 -- https://blog.mozilla.org/security/20...n-secure-http/

    HS3 relies on SSL/TLS engine 1.0 or 1.1, and supports https locally (not via MyHS), but there has also been a drive to eradicate the insecure TLS protocols and 1.2 is now pretty much forced on all modern browsers.

    rjh I know you prefer to push MyHS, but with all the code already there, isn't it simply a matter of activating TLS 1.2 support in your code?

    C# code such as: System.Net.ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12; on .NET 4.5+, or ServicePointManager.SecurityProtocol |= (SecurityProtocolType)3072; if HS3 is still compiled on .NET 4.0

    Ideally use = instead of |= to force TLS 1.2 only and avoid issues in browsers that scan for security exploits and ensure 1.0/1.1 is disabled.

    It will cater to a very small group, but that has always been the beauty of HomeSeer.

    I'm security aware enough on my LAN that PoE security cameras are MAC filtered and on their own VLAN with specific IDS/IPS and firewall rules to prevent somebody unplugging a camera, plugging in their notebook and telling HomeSeer to unlock the front door. I'm fully aware that criminals with that level of expertise will not even bother venturing outside to do crime and can remain in their basement, but it's still good practice. It's scary to see how many businesses have RJ-45 plugs unattended that give full access to their LAN.

    PS: It is pretty easy to set up:

    1. Run the Win10 PowerShell command New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "homeseer" -FriendlyName "HomeSeer" -NotAfter (Get-Date).AddYears(10) for a 10-year certificate.
    2. Open the "Manage Computer Certificates" app; under Personal > Certificates it will list it (with the little key icon to indicate the private key is included).
    3. Right click it, All Tasks > Export... > Next > export private key > Next > select the password checkbox and enter a password twice > change encryption to AES as SHA1 is insecure > Next > save it somewhere you'll find it, such as homeseer.pfx on your desktop.
    4. Optionally right click the file and select "Install Certificate", but force it to manually go into Local Machine > "Trusted Root Certificates", as you otherwise get a non-trusted CA warning in browsers.
    5. Put the same file in the HS3 root folder: rename the bundled server.pfx to something like server_old.pfx and copy your own file there as server.pfx.
    6. Inside HomeSeer, Tools > Setup > Labs: enter the password first under "SSL Server Certificate Password", and then check the "Enable SSL Secure Server" box.

    In my case I needed to restart HS3, and then SSL works if you visit https://homeseer/ without any certificate warning if you installed it as root cert, but you still get the obsolete TLS version error. Firefox refuses to allow you to continue until you accept insecure TLS 1.0/1.1 certificate support, but Chrome has not forced that yet. The site is accessible on your LAN via https://homeseer/ as I cannot be the only one who picked that as the easy hostname option 😁

    PPS: The only problem with self-signed certs is that to get rid of the CA non-trusted error on other LAN clients you have to install the PFX on each client in their respective root store, which is not a problem on desktop systems, but not possible on non-rooted Android devices. If you want to kick it up a notch you can always generate a free CA-trusted certificate via https://letsencrypt.org/ but they are only valid for 3 months and explaining how to automatically renew those via a script is way outside of the scope here. Single-domain real certificates are as cheap as $4/year, and wild-card domain certificates are now down to $35/year for those more privileged amongst us. In most cases MyHS will be much easier then and offered for free by HomeSeer.


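The certificate steps and the TLS 1.2 point from the post above, as one PowerShell script. This is an added example, not code from the thread or from HomeSeer: the HS3 install folder, the hostname "homeseer" and port 443 are assumptions to adjust. It differs from the post in one respect: only the public .cer (not the PFX with the private key) goes into the Trusted Root store, which is all a client needs to stop the untrusted-CA warning. The second function is the check a practitioner wants after switching HS3 to TLS 1.2: it tries each protocol version against the listener and reports which ones still complete a handshake.

```powershell
# Added example (not from the thread or HomeSeer). Assumptions: HS3 is installed
# in $Hs3Root, the host is reachable as "homeseer", and HS3 listens for HTTPS on 443.

function New-HomeSeerServerCert {
    param(
        [string]$DnsName = 'homeseer',
        [string]$Hs3Root = 'C:\HomeSeer HS3',            # assumption: your HS3 install folder
        [string]$OutDir  = "$env:USERPROFILE\Desktop"
    )

    # 10-year self-signed certificate in the machine store, as in the post above.
    $cert = New-SelfSignedCertificate -DnsName $DnsName -FriendlyName 'HomeSeer' `
        -CertStoreLocation 'Cert:\LocalMachine\My' -KeyExportPolicy Exportable `
        -NotAfter (Get-Date).AddYears(10)

    $pfxPath  = Join-Path $OutDir "$DnsName.pfx"
    $cerPath  = Join-Path $OutDir "$DnsName.cer"
    $password = Read-Host -Prompt 'PFX password (the same value goes into HS3 Labs)' -AsSecureString

    # Certificate + private key for the server. AES256_SHA256 replaces the legacy
    # TripleDES/SHA1 PFX wrapping; the parameter needs a recent pki module, so drop
    # it on older Windows builds.
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password `
        -CryptoAlgorithmOption AES256_SHA256 | Out-Null

    # Public certificate only: this, not the PFX, is what each client needs in its
    # Trusted Root store to stop the untrusted-CA warning.
    Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
    Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

    # Swap the bundled server.pfx for ours, keeping the original as server_old.pfx.
    $target = Join-Path $Hs3Root 'server.pfx'
    if (Test-Path $target) {
        Move-Item -Path $target -Destination (Join-Path $Hs3Root 'server_old.pfx') -Force
    }
    Copy-Item -Path $pfxPath -Destination $target

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        ServerPfx  = $target
        ClientCer  = $cerPath
    }
}

function Test-TlsProtocols {
    param([string]$HostName = 'homeseer', [int]$Port = 443)

    $results = [ordered]@{}
    foreach ($proto in 'Tls', 'Tls11', 'Tls12') {       # TLS 1.0, 1.1, 1.2
        $client = $null; $ssl = $null
        try {
            $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
            # Trust is not under test here, only the protocol version, so accept any cert.
            $ssl = New-Object System.Net.Security.SslStream(
                $client.GetStream(), $false,
                [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
            $ssl.AuthenticateAsClient($HostName, $null,
                [System.Security.Authentication.SslProtocols]$proto, $false)
            $results[$proto] = "accepted ($($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit)"
        } catch {
            $results[$proto] = "rejected: $($_.Exception.GetBaseException().Message)"
        } finally {
            if ($ssl)    { $ssl.Dispose() }
            if ($client) { $client.Dispose() }
        }
    }
    $results
}

# Usage, after checking "Enable SSL Secure Server" in HS3 Labs and restarting HS3:
# New-HomeSeerServerCert
# Test-TlsProtocols      # the goal is Tls and Tls11 rejected, Tls12 accepted
```

One caveat when reading the probe's output: the client side of the handshake is Windows SCHANNEL too, so if TLS 1.0 or 1.1 is disabled by policy on the machine running the probe, those rows read "rejected" regardless of what HS3 offers. Run it from a machine where those versions are still enabled client-side, or compare against a second host, before concluding the server itself refuses them.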

  • sdkIpZUSSrtmzqaRQeJ3OdqY
    replied
    How are you guys handling the basic auth that Homeseer uses? Traefik (the reverse proxy I'm using) doesn't handle the logout gracefully.

    Ideally I'd like to use http header forward auth to login so I only have to login once. I have Authelia set up as a single sign-on server and am able to successfully pass my auth back to Grafana, Portainer, and several other containers using the Remote-User http header.

    I can't figure out how to do that in homeseer.

    Thoughts?



  • Moskus
    replied
    Originally posted by jeubanks View Post

    Slight hijack.... did you ever get JSON data working for your app? Not the JSON "interface" that expects FORM formatted data. But ability to retrieve full body of a POST and process the data? I'm struggling with this even today.
    I'm not "tech" enough to understand the question, sorry...

    But yes, I'm using GET to get data and process the JSON I receive.
    But perhaps I switched to post, I'll have to check.



  • simplextech
    replied
    Originally posted by Moskus View Post
    That's great! I'd love to see faster loading speeds.



    The web interface (using Jon00's excellent Quick Page builder) is extremely fast for getting the overview of the house.

    HStouch is great for what it does, but it's not perfect. It takes a while to start, to connect, and to load data, and worst of all: There's no Windows app at all.

    Making the web interface extremely useful, fast and reliable.
    WinSeer was designed to load quickly and find a device fast. I'm sure I'm able to find and control a device much, MUCH faster than you are.



    If you say so.
    I'll try this again at work, but on my cell phone it doesn't work like this.



    YES! This is very interesting!
    My app is using the JSON interface only, so if I can pass credentials along with the request, then MyHS is easily integrated.

    I've been looking in the documentation, but can't find anything. Point me in the right direction




    .... but I still think we need a proper SSL supported web server. You can even get free fully qualified certificates these days (take a look at letsencrypt.org), so there really aren't any excuses. We ARE in 2017, everything should be using SSL.
    Slight hijack.... did you ever get JSON data working for your app? Not the JSON "interface" that expects FORM formatted data. But ability to retrieve full body of a POST and process the data? I'm struggling with this even today.



  • Jobee
    replied
    @Rich Can HS look into supporting Let's Encrypt as a solution for an SSL cert. I know my box can support it but since we have to export it, it would make it difficult to redo the cert every 45 days as required by Let's Encrypt. Maybe someone can devise a plug in that will run a new cert and export it updating the HS settings?

    Michael



  • Jobee
    replied
    Originally posted by scyto View Post
    @jobee i have been running for a week, no issues.

    are you exposing your homeseer via a mapped port to the internet?
    does your internet facing DNS name match the certificate name?

    it looks like a possible cipher mismatch - for example the browser (or connecting process) is trying to enforce modern compatibility only; could also be someone trying to telnet the port; either way that should not crash the web process; note they won't give any support on beta nor do they have a roadmap for it leaving beta....

    you could try fronting the website with an nginx reverse proxy - this is what i do for all my internal HTTP / HTTPS resources - so port 80 is closed (actually it redirects http to https on 443), port 443 is open externally and maps to the nginx proxy host. The nginx proxy then uses different host names to route to the right internal host. e.g. https://app1.mydomain.com https://app2.mydomain.com etc
    Thank you for the suggestions. I am testing a theory and will know if I'm ok in a day or so.

    Michael



  • scyto
    replied
    @jobee i have been running for a week, no issues.

    are you exposing your homeseer via a mapped port to the internet?
    does your internet facing DNS name match the certificate name?

    it looks like a possible cipher mismatch - for example the browser (or connecting process) is trying to enforce modern compatibility only; could also be someone trying to telnet the port; either way that should not crash the web process; note they won't give any support on beta nor do they have a roadmap for it leaving beta....

    you could try fronting the website with an nginx reverse proxy - this is what i do for all my internal HTTP / HTTPS resources - so port 80 is closed (actually it redirects http to https on 443), port 443 is open externally and maps to the nginx proxy host. The nginx proxy then uses different host names to route to the right internal host. e.g. https://app1.mydomain.com https://app2.mydomain.com etc



  • scyto
    replied
    Originally posted by Jobee View Post
    For anyone who wants to use SSL and does not want to use a self-signed cert or pay for a cert, you now have an option. Go to Let's Encrypt and you can get a free SSL Cert for your server.

    https://letsencrypt.org/getting-started/

    Michael
    and they do wildcard support making this a very usable proposition!
    https://community.letsencrypt.org/t/...-is-live/55579



  • Jobee
    replied
    Free SSLs

    For anyone who wants to use SSL and does not want to use a self-signed cert or pay for a cert, you now have an option. Go to Let's Encrypt and you can get a free SSL Cert for your server.

    https://letsencrypt.org/getting-started/

    Michael



  • Jobee
    replied
    It did not last that long this time. It was only 48 hours this time.

    Jun-29 00:56:04 Error Authenticating SSL stream inner exception: The function requested is not supported
    Jun-29 00:56:04 Error Authenticating SSL stream: A call to SSPI failed, see inner exception.
    Jun-29 00:56:03 Error Authenticating SSL stream inner exception: The function requested is not supported
    Jun-29 00:56:03 Error Authenticating SSL stream: A call to SSPI failed, see inner exception.
    Jun-29 00:56:00 weatherXML Triggers to check: 0
    Jun-29 00:55:53 Error Authenticating SSL stream inner exception: The client and server cannot communicate, because they do not possess a common algorithm
    Jun-29 00:55:53 Error Authenticating SSL stream: A call to SSPI failed, see inner exception.
    Jun-29 00:55:43 Error Authenticating SSL stream inner exception: The client and server cannot communicate, because they do not possess a common algorithm
    Jun-29 00:55:43 Error Authenticating SSL stream: A call to SSPI failed, see inner exception.
    Jun-29 00:55:42 Error Authenticating SSL stream: Authentication failed because the remote party has closed the transport stream.

    There just is not enough in the log to give a clue as to what is going on. My suspicion is that someone/something is trying to gain access to the web server via an attack and is overloading the web server.


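Jobee's log excerpt does carry some signal once the lines are grouped: the "A call to SSPI failed" lines are only wrappers for the inner-exception line logged at the same second, and the inner messages fall into a few distinct causes ("do not possess a common algorithm" is a protocol or cipher mismatch, the same TLS-version problem discussed earlier in the thread). The function below is an added example, not HomeSeer code: it parses lines in the HS3 log format, drops the wrapper lines, classifies the rest and counts failed handshakes per minute, flagging minutes that exceed a threshold so a scan burst stands out from the odd mismatched browser. The sample input is the excerpt from the post above, embedded so it runs offline; the threshold of 3 is an arbitrary starting point.

```powershell
# Added example (not from the thread or HomeSeer). The sample is the log excerpt
# Jobee posted above, embedded here so the function runs offline.
$sampleLog = @'
Jun-29 00:56:04 Error Authenticating SSL stream inner exception: The function requested is not supported
Jun-29 00:56:04 Error Authenticating SSL stream: A call to SSPI failed, see inner exception.
Jun-29 00:56:03 Error Authenticating SSL stream inner exception: The function requested is not supported
Jun-29 00:56:03 Error Authenticating SSL stream: A call to SSPI failed, see inner exception.
Jun-29 00:56:00 weatherXML Triggers to check: 0
Jun-29 00:55:53 Error Authenticating SSL stream inner exception: The client and server cannot communicate, because they do not possess a common algorithm
Jun-29 00:55:53 Error Authenticating SSL stream: A call to SSPI failed, see inner exception.
Jun-29 00:55:43 Error Authenticating SSL stream inner exception: The client and server cannot communicate, because they do not possess a common algorithm
Jun-29 00:55:43 Error Authenticating SSL stream: A call to SSPI failed, see inner exception.
Jun-29 00:55:42 Error Authenticating SSL stream: Authentication failed because the remote party has closed the transport stream.
'@ -split "`r?`n"

function Get-SslFailureSummary {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$BurstThreshold = 3        # failed handshakes per minute worth a closer look (assumption)
    )

    # HS3 log line: "Mon-DD HH:MM:SS <message>"; only SSL handshake errors are kept.
    $pattern = '^(?<date>\w{3}-\d{2}) (?<time>\d{2}:\d{2}):\d{2} Error Authenticating SSL stream(?<detail>.*)$'

    $events = foreach ($line in $Lines) {
        # "A call to SSPI failed" only wraps the inner-exception line logged at the
        # same second, so it is skipped to avoid counting one handshake twice.
        if ($line -match $pattern -and $Matches.detail -notlike '*A call to SSPI failed*') {
            $detail = $Matches.detail
            $reason = if     ($detail -like '*common algorithm*')            { 'ProtocolOrCipherMismatch' }
                      elseif ($detail -like '*not supported*')               { 'SspiFunctionUnsupported' }
                      elseif ($detail -like '*closed the transport stream*') { 'ClientDisconnected' }
                      else                                                   { 'Other' }
            [pscustomobject]@{ Minute = "$($Matches.date) $($Matches.time)"; Reason = $reason }
        }
    }

    # One row per minute: how many handshakes failed, why, and whether it looks like a burst.
    $events | Group-Object -Property Minute | Sort-Object -Property Name | ForEach-Object {
        $g = $_
        [pscustomobject]@{
            Minute   = $g.Name
            Failures = $g.Count
            Reasons  = ($g.Group | Group-Object -Property Reason |
                        ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
            Burst    = $g.Count -ge $BurstThreshold
        }
    }
}

Get-SslFailureSummary -Lines $sampleLog | Format-Table -AutoSize
```

On the sample, the 00:55 minute groups two protocol/cipher mismatches and one dropped connection and is flagged as a burst, while the 00:56 minute holds two SSPI "function not supported" failures. Run against the full log (Get-Content on the HS3 log file piped in as -Lines) with a threshold tuned to normal traffic, the flagged minutes are the ones to line up with firewall or router logs: a burst of mismatches from one outside source every few seconds is the scanner pattern Jobee suspects, while isolated mismatches spread over the day fit browsers that have dropped TLS 1.0/1.1.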

  • Jobee
    replied
    Originally posted by scyto View Post
    ok, i will try and repro
    i couldn't figure out any way to turn off the standard http webserver? how did you do that?
    I did not turn off the standard. I use it as my way in if SSL is not working. What I found is that if SSL is not working and I go in on the standard port and go to Setup/Labs and turn off (uncheck) SSL, and close down the browser, then the standard becomes corrupt also and you cannot get in at all.

    I'm hoping the next version will have more debug entries in the log so we can see what is going on.

    Michael



  • scyto
    replied
    Originally posted by Jobee View Post
    This time it took about 6 days. There are always a set of errors in the log when it goes down. Of course it is not until the next time I try to get in, that it just hangs and I know it is. I made the mistake of trying to turn it off in Labs and that just made it unable to get in either with or without SSL, so I don't do that anymore. I have to shut down HS3 and then restart it to get SSL back.

    Michael
    ok, i will try and repro
    i couldn't figure out any way to turn off the standard http webserver? how did you do that?



  • Jobee
    replied
    Originally posted by scyto View Post
    hi Michael, when you say about a week do you mean like 5 days or 9 days (just so i know how long to leave it up to see if i have the same issues!)
    This time it took about 6 days. There are always a set of errors in the log when it goes down. Of course it is not until the next time I try to get in, that it just hangs and I know it is. I made the mistake of trying to turn it off in Labs and that just made it unable to get in either with or without SSL, so I don't do that anymore. I have to shut down HS3 and then restart it to get SSL back.

    Michael



  • scyto
    replied
    Originally posted by Jobee View Post
    Have you had any issues yet? I am on .449 and my SSL goes down after about a week in use. I still can't track down what is causing it, but at some point I cannot hit the SSL site. I get the "unable to load this page".

    If I shut down HS3 and restart it, I get the SSL site back. Something is causing the custom web service within HS3 to bomb out but not take down the whole application. The non-SSL works so it is my back door in until there is a fix.

    Michael
    hi Michael, when you say about a week do you mean like 5 days or 9 days (just so i know how long to leave it up to see if i have the same issues!)



  • scyto
    replied
    Anyone seen this, any ideas why i can't connect (my suspicion is this is a TLS negotiation issue)

    Authenticating SSL stream: One or more errors occurred.

    --edit--
    hmm seems to now be connecting despite the error!?
    ok my bad, was because i was connecting to IP and bypassing browser cert warning, connecting on DNS name was aok
    Last edited by scyto; June 25, 2018, 10:06 PM.
