Announcement

Collapse
No announcement yet.

HS4 Only Offers TLSv1.0 - Web Browsers Refuse to Connect

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    HS4 Only Offers TLSv1.0 - Web Browsers Refuse to Connect

    I recently upgraded from HS3 Pro to HS4 Pro (4.1.2.0)
    I have had TLS working fine with HS3 for years. After upgrading, browsers now fail to connect saying that the site is insecure. After doing some research, I found that the HS4 service is only enabling TLSv1.0 and not TLSv1.2 as HS3 did. All modern browsers fail to connect with TLSv1.0

    I am running Windows 10 Pro. I have not changed anything in the OS. I only upgraded HomeSeer. Am I missing something? How do I enable TLSv1.2?

    Thanks

    #2
    Try this:

    http://sunlync.com/kb/index.php?View...3#Windows%2010
    HomeSeer Version: HS3 Pro Edition 3.0.0.500
    Operating System: Microsoft Windows 10 Pro - Work Station

    Enabled Plug-Ins:
    2.1.0.119: AmbientWeather | 3.0.21.0: BLLock | 2.0.24.0: BLUPS | 1.3.6.0: Device History | 3.0.0.56: EasyTrigger | 3.1.0.7: MeiHarmonyHub | 3.0.6681.34300: UltraCID3 | 3.0.6644.26753: UltraLog3 | 3.0.6554.33094: UltraMon3 | 3.0.0.91: weatherXML | 3.0.1.245: Z-Wave | 3.0.51: HS Touch Designer | 3.0.0.40 Z-Seer+

    Comment


      #3
      Originally posted by ewkearns View Post
      Thanks for the tip, but this really only applies to old versions of windows that were around before TLSv1.2 was the standard. All modern versions already have it enabled by default for servers and clients. I confirmed that it is enable on my system according to your link. There is also now an option for TLSv1.3 in modern versions of windows.

      I also tried adding some new registry values that I found in another post and that also did not help.

      This would be a lot easier if the setup just allowed selecting the TLS protocols and ciphers that are enabled rather than relying on any system default settings.

      Comment


        #4
        If the appropriate boxes are checked, the fallback negotiation either isn't happening or it won't go all the way back to "1.0." Hard to tell if it is a client or server problem, too.
        HomeSeer Version: HS3 Pro Edition 3.0.0.500
        Operating System: Microsoft Windows 10 Pro - Work Station

        Enabled Plug-Ins:
        2.1.0.119: AmbientWeather | 3.0.21.0: BLLock | 2.0.24.0: BLUPS | 1.3.6.0: Device History | 3.0.0.56: EasyTrigger | 3.1.0.7: MeiHarmonyHub | 3.0.6681.34300: UltraCID3 | 3.0.6644.26753: UltraLog3 | 3.0.6554.33094: UltraMon3 | 3.0.0.91: weatherXML | 3.0.1.245: Z-Wave | 3.0.51: HS Touch Designer | 3.0.0.40 Z-Seer+

        Comment


          #5
          It is definitely a server problem and not a client problem. I ran TestSSL.sh on the homeseer service. TLSv1.2 is not offered and clients are falling back to TLSv1.0, which is then locked by Chrome, Firefox, Safari, and Edge

          Code:
          
          ###########################################################
          testssl.sh 3.1dev from https://testssl.sh/dev/
          
          This program is free software. Distribution and
          modification under GPLv2 permitted.
          USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
          
          Please file bugs @ https://testssl.sh/bugs/
          
          ###########################################################
          
          Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
          on 2d21af496a78:/home/testssl/bin/openssl.Linux.x86_64
          (built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")
          
          
          Start 2020-07-25 20:44:38 -->> MY_IP_ADDRESS:443 (homeseer.MYHOSTNAME.com) <<--
          
          rDNS (MY_IP_ADDRESS): homeseer.localdomain.
          Service detected: HTTP
          
          
          Testing protocols via sockets except NPN+ALPN
          
          SSLv2 not offered (OK)
          SSLv3 not offered (OK)
          TLS 1 offered (deprecated)
          TLS 1.1 not offered
          TLS 1.2 not offered and downgraded to a weaker protocol
          TLS 1.3 not offered and downgraded to a weaker protocol
          NPN/SPDY not offered
          ALPN/HTTP2 not offered
          
          Testing cipher categories
          
          NULL ciphers (no encryption) not offered (OK)
          Anonymous NULL Ciphers (no authentication) not offered (OK)
          Export ciphers (w/o ADH+NULL) not offered (OK)
          LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK)
          Triple DES Ciphers / IDEA offered
          Obsoleted CBC ciphers (AES, ARIA etc.) offered
          Strong encryption (AEAD ciphers) with no FS not offered
          Forward Secrecy strong encryption (AEAD ciphers) not offered
          
          
          Testing server's cipher preferences
          
          Has server cipher order? yes (OK)
          Negotiated protocol TLSv1
          Negotiated cipher ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          Cipher per protocol
          
          Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
          -----------------------------------------------------------------------------------------------------------------------------
          SSLv2
          -
          SSLv3
          -
          TLSv1 (server order)
          xc014 ECDHE-RSA-AES256-SHA ECDH 384 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
          xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
          x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA
          x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
          x0a DES-CBC3-SHA RSA 3DES 168 TLS_RSA_WITH_3DES_EDE_CBC_SHA
          TLSv1.1
          -
          TLSv1.2
          -
          TLSv1.3
          -
          
          
          Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4
          
          FS is offered (OK) ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA
          Elliptic curves offered: prime256v1 secp384r1 X25519
          
          
          Testing server defaults (Server Hello)
          
          TLS extensions (standard) "status request/#5" "renegotiation info/#65281"
          "extended master secret/#23"
          Session Ticket RFC 5077 hint no -- no lifetime advertised
          SSL Session ID support yes
          Session Resumption Tickets no, ID: no
          TLS clock skew +8 sec from localtime
          Signature Algorithm SHA256 with RSA
          Server key size RSA 2048 bits (exponent is 65537)
          Server key usage Digital Signature, Key Encipherment
          Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication
          Serial / Fingerprints 04E40D1FEB517F103243F02E78F1A9BC519C / SHA1 6241EDAA86C2B67284C4B083489F3F292AB40BA8
          SHA256 85C541F7CDC4F07FF5A9E0D8F011A1CB99C4059D4F12445D69A9D4FA1231 8BE4
          Common Name (CN) *.MYHOSTNAME.com
          subjectAltName (SAN) *.MYHOSTNAME.com MYHOSTNAME.com
          Issuer Let's Encrypt Authority X3 (Let's Encrypt from US)
          Trust (hostname) Ok via SAN wildcard and CN wildcard (same w/o SNI)
          Chain of trust Ok
          EV cert (experimental) no
          Bad OCSP intermediate (exp.) Ok
          ETS/"eTLS", visibility info not present
          Certificate Validity (UTC) 42 >= 30 days (2020-06-08 01:27 --> 2020-09-06 01:27)
          # of certificates provided 2
          Certificate Revocation List --
          OCSP URI http://ocsp.int-x3.letsencrypt.org
          OCSP stapling offered, not revoked
          OCSP must staple extension --
          DNS CAA RR (experimental) not offered
          Certificate Transparency yes (certificate extension)
          
          
          Testing HTTP header response @ "/"
          
          HTTP Status Code 200 OK
          HTTP clock skew Got no HTTP time, maybe try different URL?
          Strict Transport Security not offered
          Public Key Pinning --
          Server banner HomeSeer
          
          Application banner --
          Cookie(s) (none issued at "/")
          Security headers Access-Control-Allow-Origin *
          Cache-Control no-cache
          Reverse Proxy banner --
          
          
          Testing vulnerabilities
          
          Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
          CCS (CVE-2014-0224) not vulnerable (OK)
          Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK), no session ticket extension
          ROBOT VULNERABLE (NOT ok)
          Secure Renegotiation (RFC 5746) supported (OK)
          Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat
          CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
          BREACH (CVE-2013-3587) no gzip/deflate/compress/br HTTP compression (OK) - only supplied "/" tested
          POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support
          TLS_FALLBACK_SCSV (RFC 7507) No fallback possible, no protocol below TLS 1 offered (OK)
          SWEET32 (CVE-2016-2183, CVE-2016-6329) VULNERABLE, uses 64 bit block ciphers
          FREAK (CVE-2015-0204) not vulnerable (OK)
          DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
          make sure you don't use this certificate elsewhere with SSLv2 enabled services
          https://censys.io/ipv4?q=85C541F7CDC4F07FF5A9E0D8F011A1CB99C4059D4F12445D69A9D 4FA12318BE4 could help you to find out
          LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
          BEAST (CVE-2011-3389) TLS1: ECDHE-RSA-AES256-SHA
          ECDHE-RSA-AES128-SHA
          AES256-SHA AES128-SHA
          DES-CBC3-SHA
          VULNERABLE -- and no higher protocols as mitigation supported
          LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
          RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)
          
          
          Running client simulations (HTTP) via sockets
          
          Android 4.4.2 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          Android 5.0.0 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          Android 6.0 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          Android 7.0 (native) TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
          Android 8.1 (native) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          Android 9.0 (native) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          Android 10.0 (native) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          Chrome 74 (Win 10) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          Chrome 79 (Win 10) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          Firefox 66 (Win 8.1/10) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          Firefox 71 (Win 10) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          IE 6 XP No connection
          IE 8 Win 7 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          IE 8 XP TLSv1.0 DES-CBC3-SHA, No FS
          IE 11 Win 7 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          IE 11 Win 8.1 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          IE 11 Win Phone 8.1 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          IE 11 Win 10 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          Edge 15 Win 10 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          Edge 17 (Win 10) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          Opera 66 (Win 10) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          Safari 9 iOS 9 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          Safari 9 OS X 10.11 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          Safari 10 OS X 10.12 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          Safari 12.1 (iOS 12.2) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          Safari 13.0 (macOS 10.14.6) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          Apple ATS 9 iOS 9 No connection
          Java 6u45 TLSv1.0 AES128-SHA, No FS
          Java 7u25 TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
          Java 8u161 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          Java 11.0.2 (OpenJDK) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          Java 12.0.1 (OpenJDK) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          OpenSSL 1.0.2e TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          OpenSSL 1.1.0l (Debian) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          OpenSSL 1.1.1d (Debian) No connection
          Thunderbird (68.3) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
          
          
          Rating (experimental)
          
          Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)
          Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
          Protocol Support (weighted) 0 (0)
          Key Exchange (weighted) 0 (0)
          Cipher Strength (weighted) 0 (0)
          Final Score 0
          Overall Grade F
          Grade cap reasons Grade capped to F. Vulnerable to ROBOT
          Grade capped to C. TLS 1.2 is not offered
          Grade capped to B. Vulnerable to BEAST
          Grade capped to B. TLS 1.0 offered
          Grade capped to A. HSTS is not offered
          
          Done 2020-07-25 20:48:13 [ 217s] -->> MY_IP_ADDRESS:443 (homeseer.MYHOSTNAME.com) <<--

          Comment


            #6
            Does anyone know what web server/service HS4 for Windows is installing/using?
            I do not have this issue with HS4 Linux...

            Comment


              #7
              Is there no solution to this problem? Still not resolved in the latest update.
              I also found this post a couple weeks back: Old Post

              Comment


                #8
                Has anyone put a bug ticket in for this? That's the only way it will truly get resolved if it is in fact a bug.

                Comment


                  #9
                  Good point. Finding the support ticket portal was not obvious. Submitting now.

                  Comment


                    #10
                    Ticket ID: HSCS-850
                    I'll share the response

                    Comment


                      #11
                      Same here with Firefox and had to allow TLS 1.0.
                      To change Firefox back to TLS 1.2...
                      1. Open a new tab and navigate to about:config
                      2. In the search box type security.tls.version.min
                      3. Set the value to 3 and click the save icon

                      Comment


                        #12
                        On my MAC, Firefox first complained but came up with a dialog box asking me if I wanted to enable TLS 1.0 on this site and that I understood the security implications. I did it once and really never thought about it again. But, in general, I agree. TLS 1.0 is not a good thing.

                        Comment


                          #13
                          Originally posted by dbrunt View Post
                          I'm not sure what the issue/problem is. My main system is Linux but I just installed HS4 Windows as a test. The HS4 process is listening on port 80, my Firefox about:config security.tls.version.tls is set to "3" (TLS 1.2). HS4.exe is listening port 80 and I can browse 192.168.1.100/devices.html with no complaint from Firefox about TLS...
                          You do realize that port 80 communication is generally http (unsecure) and not https, hence why you get no TLS issues.

                          Comment


                            #14
                            Originally posted by TC1 View Post

                            You do realize that port 80 communication is generally http (unsecure) and not https, hence why you get no TLS issues.
                            At 1 pm I do but I guess not at 1 am!!
                            Post edited to correct my "senior" moment...

                            Comment


                              #15
                              For reference https://forums.homeseer.com/forum/de...url-ssl-issue:
                              Originally posted by jon00 View Post
                              It's probably related to SSL/TLS support in .NET 4. For instance .NET 4 only supports TLS 1.0 whereas many sites now have switched to TLS 1.2 or higher. No easy way around that without compiling HS3 in a later version of .NET. As you are on Windows, you can use hs.GetURLIE which provides the certificate support via Internet Explorer.
                              Apparently HS4 is still using the same .NET 4...

                              Comment

                              Working...
                              X