Anyone seen this? Any ideas why I can't connect (my suspicion is this is a TLS negotiation issue)?
Authenticating SSL stream: One or more errors occurred.
--edit--
Hmm, seems to now be connecting despite the error!?
OK, my bad, it was because I was connecting to the IP and bypassing the browser cert warning; connecting on the DNS name was A-OK.
We need native HTTPS support!
-
Originally posted by jjason: From Krumpy, talking about the HomeSeer Web Interface with SSL support enabled: "Can anyone else perform the same sort of test using a trusted certificate authority (such as GoDaddy, Verisign, etc)?"
Absolutely!
Finally got to the weekend, have the time, and happen to have a wildcard certificate from AlphaSSL for my domain, bigfastnet.com. The certificate is for *.bigfastnet.com and is a SHA-256 certificate. It chains through AlphaSSL up to the GlobalSign root. (See attached screen capture of the certificate info.)
Setup:
- I have DNS for bigfastnet.com running internally to my home network; homeseer.bigfastnet.com is properly defined in DNS.
- HS3 Pro installed and running on Windows 10.
Changes:
- Went into C:\Program Files (x86)\HomeSeer HS3 and replaced the self-signed certificate included with the .398 beta with my *.bigfastnet.com certificate.
- In HS3 Tools -> Setup -> Labs, put in the SSL Server Certificate Password and checked Enable SSL Secure Server.
- Restarted HS3 Pro to "reset all the marbles."
Results:
- https://homeseer.bigfastnet.com does exactly what you would expect. Every page I hit is encrypted. Not seeing any operational issues.
- Both Safari and Chrome see HomeSeer properly secured.
- Been working on HomeSeer for several hours and the SSL support appears to "just work".
Other:
I purchased my wildcard certificate from SSL2BUY.com because they were inexpensive and quick.
- $121 for three years; working well for me.
- https://www.ssl2buy.com/alphassl-wildcard.php
If you are looking for certificates for your company, Digicert.com has done well by me over the years. Recommended!
I'll keep using it and report back any abnormalities.
If I shut down HS3 and restart it, I get the SSL site back. Something is causing the custom web service within HS3 to bomb out but not take down the whole application. The non-SSL site works, so it is my back door in until there is a fix.
Michael
-
It is possible to make SSL nice and trivial via UI (only requirement is you have a domain name).
Synology has an awesome example of this in their UI, where they obtain the cert for you; no self-signed cert (self-signed certs are IMO useless).
I hear you on clients that can't transition between LAN and WAN. It is why in the end I ONLY ever connect to my external endpoints, even if I am on the LAN: one host name, addressable internally and externally.
For consumer grade (which IMO HomeSeer most definitely is not; it is designed from the ground up for tinkerers), I agree a web service is best, and have all clients connect to that always. Of course that needs reliability. And not everyone wants to use a service-based infrastructure.
I don't think these are mutually exclusive options. I do think, given the price, it is incumbent on HS to finish their features.
-
Ok, I am going to chime in. I mostly agree with waynehead99, especially his posts https://forums.homeseer.com/showpost...9&postcount=84 and https://forums.homeseer.com/showpost...&postcount=108
Basically:
* VPN is nonsense for this kind of application. My wife also wouldn't deal with this unless there is a serious emergency. Actually, count me in, too.
* Setting up SSL? You must be kidding. Even a self-signed certificate isn't trivial to set up. Besides maybe 1% of power users, the other 99% would just be frustrated by this process.
MyHS is the way to go if it actually would work. The problem is:
* If you switch from WAN to LAN or vice versa, HSTouch doesn't know. So you have to shut down the app and restart it. Not 'wife-approved', and it annoys me as well.
* It doesn't allow me to access other resources on the same server. As an example, I have BlueIris running on the same server. However, as far as I know there isn't a way to pass this traffic from the server through MyHS to HSTouch so everything is encrypted (including the username/password I need to include in the URL to access the BlueIris stream).
* Even accessing .aspx pages seems to require credentials, which probably are not encrypted either. I might be completely wrong with this, as I just started out with this (out of frustration with all the HSTouch limitations).
I did hear about a new client but it seems that this client is targeted to an audience that just wants everything easy and it has rather limited customization. If that is correct, I doubt anybody who contributed here will be interested in it. But let's see what HS is coming up with.
-
I just came across this and (probably like others) didn't realize this was an option finally!
I'm getting an error when starting HS3 build 3.0.0.435.
Authenticating SSL stream: The client and server cannot communicate, because they do not possess a common algorithm
Some Googling says it has to do with which SSL protocol is enabled on the server. Any ideas?
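The error in this post is what you get when the client and the server have no TLS version or cipher suite in common. The Go program below is an added example, not code from the thread or from HomeSeer: Handshake runs a server and a client over an in-memory pipe with each side pinned to a version range, so the negotiation can be watched failing or succeeding without touching a live system. The name homeseer.example.test and the self-signed certificate are constructed test fixtures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// Constructed host name standing in for the thread's homeseer.<your-domain>.
const host = "homeseer.example.test"
// newTestCert builds a throwaway self-signed certificate for host and a pool that trusts it.
func newTestCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // der was produced above, so this parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client verifies against this instead of skipping verification
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// Handshake runs one TLS handshake over an in-memory pipe, each side limited to the given
// version range (e.g. tls.VersionTLS12), and returns the client's handshake error (nil = agreed).
func Handshake(srvMin, srvMax, cliMin, cliMax uint16) error {
	cert, pool := newTestCert()
	srvConf := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: srvMin, MaxVersion: srvMax}
	cliConf := &tls.Config{RootCAs: pool, ServerName: host, MinVersion: cliMin, MaxVersion: cliMax}
	srvEnd, cliEnd := net.Pipe()
	done := make(chan error, 1)
	go func() { done <- tls.Server(srvEnd, srvConf).Handshake() }()
	err := tls.Client(cliEnd, cliConf).Handshake()
	cliEnd.Close() // close the raw pipe end; a TLS close_notify would block on net.Pipe
	<-done
	srvEnd.Close()
	return err
}
```

Handshake(tls.VersionTLS13, tls.VersionTLS13, tls.VersionTLS12, tls.VersionTLS12) reproduces the mismatch (the client reports a protocol-version alert from the server), while Handshake(tls.VersionTLS12, tls.VersionTLS12, tls.VersionTLS12, tls.VersionTLS12) returns nil.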
-
Installed my cert and all was good. No issues accessing the site on 443 and the cert showed valid and everything was working.
This morning I needed to get in and run an event and I could not get in. All my scheduled events ran without issue, but the web server crashed. Port 80 or 443 did not work. I could ping the box and do everything else, just no web. I ended up having to reboot the server and everything is back up. Have some intermittent errors showing in the log:
Dec-30 22:56:34 Error Authenticating SSL stream: The handshake failed due to an unexpected packet format.
Dec-30 22:56:34 Error Authenticating SSL stream: The handshake failed due to an unexpected packet format.
I don't see any direct error of the web server shutting down. Not sure if it is logged anyway.
Rich - Is there a specific log item to see when the web server stops?
Michael
-
Originally posted by rjh: The code looks for the file server.pfx. I did not see a reason to offer a setting for the filename, you have to put the file there anyway, so just give it that name. Is there an issue with the name?
As for the link, if you are on the PC, then the connection is all internal to the PC, it does not go out to the network, so I don't see why you would need SSL in that case?
I would like SSL internal for consistency's sake. At some point it would be better to be able to turn off port 80 so the whole system is running secure.
Michael
-
The code looks for the file server.pfx. I did not see a reason to offer a setting for the filename, you have to put the file there anyway, so just give it that name. Is there an issue with the name?
As for the link, if you are on the PC, then the connection is all internal to the PC, it does not go out to the network, so I don't see why you would need SSL in that case?
Originally posted by Jobee: Rich - 2 things. First, I have my pfx I put in the root but it is not called server.pfx. I set server.pfx to .old. I assume the code would look for *.pfx and then use the password supplied in Labs to open the backup file to get what it needs.
I shut down and restarted HS3 thinking it would find my pfx file in the root, but it does not. When I try to go to the ssl site, it is still using the server.pfx file showing local from MA.
Will only the file name server.pfx work? Maybe add file name in Lab along with password?
Second - when you are on the machine running HS3 and use the button "Web Interface", where is it set to use either port 80 or 443? For me it defaults to IP address/deviceutility and uses port 80. Would be nice if this button would default to 443 if you are using SSL.
Thanks,
Michael
-
Originally posted by rjh: I removed the setting for the certificate file. The file is "server.pfx" and is in the HS root folder. There is one there already but you can replace as needed.
I shut down and restarted HS3 thinking it would find my pfx file in the root, but it does not. When I try to go to the ssl site, it is still using the server.pfx file showing local from MA.
Will only the file name server.pfx work? Maybe add file name in Lab along with password?
Second - when you are on the machine running HS3 and use the button "Web Interface", where is it set to use either port 80 or 443? For me it defaults to IP address/deviceutility and uses port 80. Would be nice if this button would default to 443 if you are using SSL.
Thanks,
Michael
-
Originally posted by Jobee: Robert,
Depending on the email software and the number of domains you have, you might be good with a wildcard. If you only have a single domain you would be golden with a wildcard. I use a wildcard for all my servers under a specific domain, but since I have 4 domains on my email server, a wildcard will not work. I use a UCC or SAN cert so I can have all FQDNs for all domains covered. Running Exchange can be tricky.
If you only have a couple to 5 hosts that need the cert, look at the SAN cert to see if it is cheaper than the wildcard cert; although 129 for 3 years is not bad for a wildcard.
I too would like to have my HA using ssl as well...
Robert
-
You will need to be cautious when using a wildcard certificate; within certain limitations, they are useful.
Typically, when you get a wildcard certificate you can use it with any number of names at the same level.
For example, all the following names will be covered by the wildcard certificate *.fakedomain.com:
- randommachine.fakedomain.com
- mail.fakedomain.com
- vpn.fakedomain.com
However, these will typically NOT work for *.fakedomain.com as they are too many levels deep:
- randombox.testlab.fakedomain.com
- mail.devlab1.dev.fakedomain.com
Ok - Here come the caveats:
- Digicert has a method of requesting duplicates that somehow allows the names that are too many levels deep to work. See the URL below. I have not tried this myself. YMMV: https://www.digicert.com/ssl-support...-san-names.htm
- Some devices/apps, while they can use a wildcard certificate, will require that the FQDN be specified as a Subject Alternative Name (SAN) inside the Wildcard certificate. For example, the GlobalProtect VPN portal/gateways on Palo Alto Networks firewalls.
- Some devices/apps will simply not accept wildcard certs at all.
- The cheap wildcard certificates I found do not allow you to specify SANs. So, I ended up getting a wildcard certificate for general use and a FQDN certificate for my VPN, i.e. *.fakedomain.com and vpn.fakedomain.com.
I have spent waaaay too much time with certificates in 2017. I hope this saves some frustration.
Jason
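The one-label rule Jason lays out, as an added Go example that is not from the thread or from any certificate vendor: WildcardCovers applies the rule to a host name, and Uncovered lists the hosts a wildcard leaves out and that therefore need a SAN entry or their own certificate. The host names are the post's own fakedomain.com examples.

```go
package main

import (
	"fmt"
	"strings"
)

// WildcardCovers reports whether a certificate name such as "*.fakedomain.com"
// covers host under the rule browsers apply: the "*" stands for exactly one DNS
// label, so vpn.fakedomain.com matches but randombox.testlab.fakedomain.com and
// the bare fakedomain.com do not. A plain (non-wildcard) name must match exactly.
// Comparison is case-insensitive and a trailing dot is ignored.
func WildcardCovers(certName, host string) bool {
	certName = strings.ToLower(strings.TrimSuffix(certName, "."))
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if !strings.HasPrefix(certName, "*.") {
		return certName == host
	}
	suffix := certName[1:] // "*.fakedomain.com" -> ".fakedomain.com"
	if !strings.HasSuffix(host, suffix) {
		return false
	}
	label := strings.TrimSuffix(host, suffix) // what the "*" would have to stand for
	return label != "" && !strings.Contains(label, ".")
}

// Uncovered returns the hosts the wildcard does not cover, i.e. the ones that
// need a SAN entry or a certificate of their own.
func Uncovered(wildcard string, hosts []string) []string {
	var out []string
	for _, h := range hosts {
		if !WildcardCovers(wildcard, h) {
			out = append(out, h)
		}
	}
	return out
}

func main() {
	hosts := []string{"randommachine.fakedomain.com", "mail.fakedomain.com", "vpn.fakedomain.com",
		"randombox.testlab.fakedomain.com", "mail.devlab1.dev.fakedomain.com"}
	for _, h := range hosts {
		fmt.Printf("%-34s covered by *.fakedomain.com: %v\n", h, WildcardCovers("*.fakedomain.com", h))
	}
	fmt.Println("need their own cert or a SAN:", Uncovered("*.fakedomain.com", hosts))
}
```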
-
So far, so good on the SSL server uptime: 5 days, 9 hours.
Have been running across some intermittent Z-Wave delays of 3-5 seconds. Have not yet been able to isolate whether it's the Z-Wave network itself, the Z-Wave plugin, or the .398 build.
Jason
-----
MESSAGE BOARD (copy/paste section below to message board posts)
Current Date/Time: 12/29/2017 2:28:10 AM
HomeSeer Version: HS3 Pro Edition 3.0.0.398
Operating System: Microsoft Windows 10 Home - Work Station
System Uptime: 5 Days 9 Hours 2 Minutes 37 Seconds
IP Address: 192.168.1.23
Number of Devices: 296
Number of Events: 58
Available Threads: 100
HSTouch Enabled: True
Event Threads: 1
Event Trigger Eval Queue: 0
Event Trigger Priority Eval Queue: 0
Device Exec Queue: 0
HSTouch Event Queue: 0
Email Send Queue: 0
Anti Virus Installed: Sophos Home Windows Defender
Enabled Plug-Ins
3.2.0.5: APCUPSD
2.0.8.0: BLCpuAdvisor
2.0.6.0: BLPlugins
3.0.0.42: EasyTrigger
2.0.1.6: JowiHue
3.0.0.28: MediaController
1.5.0.0: MQTT
3.0.0.28: Nest
1.0.0.6: Restart
3.0.0.76: weatherXML
3.0.1.173: Z-Wave
-
Originally posted by langenet: Thanks for this as well... I didn't even know about a wildcard certificate.
I use a certificate for my e-mail server currently - though, it's specific to my email.
So maybe a wildcard certificate would help for both HS and my e-mail server since I can specify sub-domains...
Robert
Depending on the email software and the number of domains you have, you might be good with a wildcard. If you only have a single domain you would be golden with a wildcard. I use a wildcard for all my servers under a specific domain, but since I have 4 domains on my email server, a wildcard will not work. I use a UCC or SAN cert so I can have all FQDNs for all domains covered. Running Exchange can be tricky.
If you only have a couple to 5 hosts that need the cert, look at the SAN cert to see if it is cheaper than the wildcard cert; although 129 for 3 years is not bad for a wildcard.
-
I too have a wildcard cert for my domain and have had it running since the 24th, after moving to .398 from .397. I like that I don't need the VPN headaches.
It always bothered me that I had to let my tracking app (EgiGeoZone) in using HTTP, but now that is moved to secure too, while also still doing NAT and port forwarding at the router.
Next I need to work on HSBuddy and get it connected securely. The app is ready, just need to finish setting it up to move from 80 to 443.
So far so good. Now I too need to run SSL Labs on it to see where I sit.
Michael
-
Thanks for this as well... I didn't even know about a wildcard certificate.
I use a certificate for my e-mail server currently - though, it's specific to my email.
So maybe a wildcard certificate would help for both HS and my e-mail server since I can specify sub-domains...
Robert
Last edited by langenet; December 28, 2017, 10:38 AM.