Years later, still an issue...

I agree, the fact TLS 1.2 (Well now even 1.3) isn't supported is unacceptable. Having to proxy Homeseer behind a TLS1.2 proxy is a horrible work around.
MyHS does work, but you have to allow internet connection to that system/PC/subnet, which a lot of people don't want too.

Sorry to dig up old thread, but browsers will eventually no longer support http and only allow https and this might be expanded to local daemons as well.

It is a very slow process, as Mozilla pledged to start it back in 2015 -- https://blog.mozilla.org/security/20...n-secure-http/

HS3 relies on SSL/TLS engine 1.0 or 1.1, and supports https locally (not via MyHS), but there has also been a drive to eradicate the insecure TLS protocols and 1.2 is now pretty much forced on all modern browsers.

rjh I know you prefer to push MyHS, but with all the code already there, isn't it simply a matter to activate TLS 1.2 support in your code?

C# code such as: System.Net.ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12; on .NET 4.5+, or ServicePointManager.SecurityProtocol |= (SecurityProtocolType)3072; if HS3 is still compiled on .NET 4.0

Ideally use = instead of |= to force TLS 1.2 only and avoid issues in browsers that scan for security exploits and ensure 1.0/1.1 is disabled.

It will cater to a very small group, but that has always been the beauty of HomeSeer.

I'm security aware enough on my LAN that PoE security cameras are MAC filtered and on their own VLAN with specific IDS/IPS and firewall rules to prevent somebody unplugging camera, putting in their notebook and tell HomeSeer to unlock the front-door. I'm fully aware that criminals with that level of expertise will not even bother venturing outside to do crime and can remain in their basement, but it's still good practice. It's scary to see how many businesses have RJ-45 plugs unattended that give full access to their LAN.

PS: It is pretty easy to setup: just run Win10 PowerShell command "New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "homeseer" -FriendlyName "HomeSeer" -NotAfter (Get-Date).AddYears(10)" for a 10-year certificate, which you then open in your "Manage Computer Certificate" app, and then under Personal > Certificates it will list it (and the little key icon to indicate private key is included). Right click it, All Tasks > Export.. > Next > export private key > Next > select checkbox on password and enter a password twice > change encryption to AES as SHA1 is insecure -> Next -> save somewhere you'll find it, such as homeseer.pfx on your desktop. Now optionally right click the file and select "Install Certificate", but force it to manually go into the Local Machine > "Trusted Root Certificates" as you otherwise get an non-trusted CA warning in browsers. Then the same file you put in HS3 root folder, rename server.pfx that comes bundled to like server_old.pfx and copy your own file there as server.pfx. Then inside HomeSeer -> Tools > Setup > Labs > enter the password first under "SSL Server Certificate Password", and then check the "Enable SSL Secure Server" box. In my case I needed to restart HS3, and then SSL works if you visit https://homeseer/ without any certificate warning if you installed it as root-cert, but you still get the obsolete TLS version error. Firefox refuses to allow you to continue until you accept insecure TLS 1.0/1.1 certificate support, but Chrome has not forced that yet. Site is accessible on your LAN via https://homeseer/ as I cannot be the only one who picked that as the easy hostname option 😁

PPS: The only problem about self-signed certs is that to get rid of the CA non-trusted error on other LAN clients you have to install the PFX on each client in their respective root-store, which is not a problem on desktop systems, but not possible on non-rooted Android devices. If you want to kick it up a notch you can always generate a free CA-trusted certificate via https://letsencrypt.org/ but they are only valid for 3-months and explaining how to automatically renew those via a script is way outside of the scope here. Single domain real certificates are as cheap as $4/year, and wild-card domain certificates are now down to $35/year for those more privileged amongst us. In most cases MyHS will be much easier then and offered for free by HomeSeer.

How are you guys handling the basic auth that Homeseer uses? Traefik (the reverse proxy I'm using) doesn't handle the logout gracefully.

Ideally I'd like to use http header forward auth to login so I only have to login once. I have Authelia setup as a single signon server and am able to successfully pass my auth back to Grafana, Portainer, and several other containers using the Remote-User http header.

I can't figure out how to do that in homeseer.

Thoughts?

I'm not "tech" enough to understand the question, sorry...

But yes, I'm using GET to get data and process the JSON I recieve.
But perhaps I switched to post, I'll have to check.

Slight High Jack.... did you ever get JSON data working for your app? Not the JSON "interface" that expects FORM formated data. But ability to retreive full body of a POST and process the data? I'm struggling with this even today.

@Rich Can HS look into supporting Let's Encrypt as a solution for an SSL cert. I know my box can support it but since we have to export it, it would make it difficult to redo the cert every 45 days as required by Let's Encrypt. Maybe someone can devise a plug in that will run a new cert and export it updating the HS settings?

Michael

Thank you for the suggestions. I am testing a theory and will know if I'm ok in a day or so.

Michael

@jobee i have been running for a week, no issues.

are you exposing your homeseer via a mapped port to the internet?
does your internet facing DNS name match the certificate name?

it looks like a possible cypher mismatch - for example the browser (or connecting process) is trying to enforce modern compatibility only; could also be someone trying to telnet the port; either way that should not crash the web process; note they won't give any support on beta nor do they have roadmap for it leaving beta....

you could try fronting the website with nginx reverse proxy - this is what i do for all my internal HTTP / HTTPS resources - so port 80 is closed (actually it redirect http to https on 443), port 443 is open externally that maps to the ngix proxy host. The nginx proxy then uses different host names to route to the right internal host. eg.g https://app1.mydomain.com https://app2.mydomain.com etc

and they do wildcart support making this a very useable proposition!
https://community.letsencrypt.org/t/...-is-live/55579

Free SSLs

For anyone who whats to use SSL and does not want to use a self signed cert or pay for a cert, you now have an option. Go to Let's Encrypt and you can get a free SSL Cert for your server.

https://letsencrypt.org/getting-started/

Michael

I did not last that long this time. I was only 48 hours this time.

Jun-29 00:56:04 Error Authenticating SSL stream inner exception: The function requested is not supported
Jun-29 00:56:04 Error Authenticating SSL stream: A call to SSPI failed, see inner exception.
Jun-29 00:56:03 Error Authenticating SSL stream inner exception: The function requested is not supported
Jun-29 00:56:03 Error Authenticating SSL stream: A call to SSPI failed, see inner exception.
Jun-29 00:56:00 weatherXML Triggers to check: 0
Jun-29 00:55:53 Error Authenticating SSL stream inner exception: The client and server cannot communicate, because they do not possess a common algorithm
Jun-29 00:55:53 Error Authenticating SSL stream: A call to SSPI failed, see inner exception.
Jun-29 00:55:43 Error Authenticating SSL stream inner exception: The client and server cannot communicate, because they do not possess a common algorithm
Jun-29 00:55:43 Error Authenticating SSL stream: A call to SSPI failed, see inner exception.
Jun-29 00:55:42 Error Authenticating SSL stream: Authentication failed because the remote party has closed the transport stream.

There just is not enough in the log to give a clue as to what is going on. My suspicion is that someone/something is trying to gain access to the web server via an attack and is overloading the web server.

I did not turn off the standard. I use it as my way in if SSL is not working. What I found it is if SSL is not working and I go in on standard port and go to Setup/Labs and turn off (uncheck) SSL, and close down the browser, then the standard becomes corrupt also and you cannot get in at all.

I'm hoping the next version will have more debug entries in the log so we can see what is going on.

Michael

ok, i will try and repro
i couldn't figure anyway to turn off the standard http webserver? how did you do that?

This time it took about 6 days. There are always a set of errors in the log when it goes down. Of course it is not until the next time I try to get in, that it just hangs and I know it is. I made the mistake of trying to turn it off in Labs and that just made it unable to get in either with or without SSL, so I don't do that anymore. I have to shut down HS3 and then restart it to get SSL back.

Michael