Announcement

Collapse
No announcement yet.

HS4 Only Offers TLSv1.0 - Web Browsers Refuse to Connect

Collapse
X
Collapse
 
  • Page of 2
  • Filter
  • Time
  • Show
Clear All
new posts
Previous 1 2 template Next
    #1

    HS4 Only Offers TLSv1.0 - Web Browsers Refuse to Connect

    I recently upgraded from HS3 Pro to HS4 Pro (4.1.2.0)
    I have had TLS working fine with HS3 for years. After upgrading, browsers now fail to connect saying that the site is insecure. After doing some research, I found that the HS4 service is only enabling TLSv1.0 and not TLSv1.2 as HS3 did. All modern browsers fail to connect with TLSv1.0

    I am running Windows 10 Pro. I have not changed anything in the OS. I only upgraded HomeSeer. Am I missing something? How do I enable TLSv1.2?

    Thanks
    Tags: None
    #2
    Try this:

    http://sunlync.com/kb/index.php?View...3#Windows%2010
    HomeSeer Version: HS4 Pro Edition 4.2.19.0 (Windows - Running as a Service)
    Home Assistant 2024.3
    Operating System: Microsoft Windows 11 Pro - Desktop
    Z-Wave Devices via two Z-Net G3s
    Zigbee Devices via RaspBee on RPi 3b+
    WiFi Devices via Internal Router.

    Enabled Plug-Ins
    AK GoogleCalendar 4.0.4.16,AK HomeAssistant 4.0.1.23,AK SmartDevice 4.0.5.1,AK Weather 4.0.5.181,AmbientWeather 3.0.1.9,Big6 3.44.0.0,BLBackup 2.0.64.0,BLGData 3.0.55.0,BLLock 3.0.39.0,BLUPS 2.0.26.0,Device History 4.5.1.1,EasyTrigger 3.0.0.76,Harmony Hub 4.0.14.0,HSBuddy 4.51.303.0,JowiHue 4.1.4.0,LG ThinQ 4.0.26.0,ONVIF Events 1.0.0.5,SDJ-Health 3.1.1.9,TPLinkSmartHome4 2022.12.30.0,UltraCID3 3.0.6681.34300,Z-Wave 4.1.3.0

    Comment

      #3
      Originally posted by ewkearns View Post
      Try this:

      http://sunlync.com/kb/index.php?View...3#Windows%2010
      Thanks for the tip, but this really only applies to old versions of windows that were around before TLSv1.2 was the standard. All modern versions already have it enabled by default for servers and clients. I confirmed that it is enable on my system according to your link. There is also now an option for TLSv1.3 in modern versions of windows.

      I also tried adding some new registry values that I found in another post and that also did not help.

      This would be a lot easier if the setup just allowed selecting the TLS protocols and ciphers that are enabled rather than relying on any system default settings.

      Comment

        #4
        If the appropriate boxes are checked, the fallback negotiation either isn't happening or it won't go all the way back to "1.0." Hard to tell if it is a client or server problem, too.
        HomeSeer Version: HS4 Pro Edition 4.2.19.0 (Windows - Running as a Service)
        Home Assistant 2024.3
        Operating System: Microsoft Windows 11 Pro - Desktop
        Z-Wave Devices via two Z-Net G3s
        Zigbee Devices via RaspBee on RPi 3b+
        WiFi Devices via Internal Router.

        Enabled Plug-Ins
        AK GoogleCalendar 4.0.4.16,AK HomeAssistant 4.0.1.23,AK SmartDevice 4.0.5.1,AK Weather 4.0.5.181,AmbientWeather 3.0.1.9,Big6 3.44.0.0,BLBackup 2.0.64.0,BLGData 3.0.55.0,BLLock 3.0.39.0,BLUPS 2.0.26.0,Device History 4.5.1.1,EasyTrigger 3.0.0.76,Harmony Hub 4.0.14.0,HSBuddy 4.51.303.0,JowiHue 4.1.4.0,LG ThinQ 4.0.26.0,ONVIF Events 1.0.0.5,SDJ-Health 3.1.1.9,TPLinkSmartHome4 2022.12.30.0,UltraCID3 3.0.6681.34300,Z-Wave 4.1.3.0

        Comment

          #5
          It is definitely a server problem and not a client problem. I ran TestSSL.sh on the homeseer service. TLSv1.2 is not offered and clients are falling back to TLSv1.0, which is then locked by Chrome, Firefox, Safari, and Edge

          Code:
          
###########################################################
testssl.sh 3.1dev from https://testssl.sh/dev/

This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

Please file bugs @ https://testssl.sh/bugs/

###########################################################

Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]
on 2d21af496a78:/home/testssl/bin/openssl.Linux.x86_64
(built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")


Start 2020-07-25 20:44:38 -->> MY_IP_ADDRESS:443 (homeseer.MYHOSTNAME.com) <<--

rDNS (MY_IP_ADDRESS): homeseer.localdomain.
Service detected: HTTP


Testing protocols via sockets except NPN+ALPN

SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered (deprecated)
TLS 1.1 not offered
TLS 1.2 not offered and downgraded to a weaker protocol
TLS 1.3 not offered and downgraded to a weaker protocol
NPN/SPDY not offered
ALPN/HTTP2 not offered

Testing cipher categories

NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK)
Triple DES Ciphers / IDEA offered
Obsoleted CBC ciphers (AES, ARIA etc.) offered
Strong encryption (AEAD ciphers) with no FS not offered
Forward Secrecy strong encryption (AEAD ciphers) not offered


Testing server's cipher preferences

Has server cipher order? yes (OK)
Negotiated protocol TLSv1
Negotiated cipher ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
Cipher per protocol

Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
-
SSLv3
-
TLSv1 (server order)
xc014 ECDHE-RSA-AES256-SHA ECDH 384 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA
x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
x0a DES-CBC3-SHA RSA 3DES 168 TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLSv1.1
-
TLSv1.2
-
TLSv1.3
-


Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4

FS is offered (OK) ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA
Elliptic curves offered: prime256v1 secp384r1 X25519


Testing server defaults (Server Hello)

TLS extensions (standard) "status request/#5" "renegotiation info/#65281"
"extended master secret/#23"
Session Ticket RFC 5077 hint no -- no lifetime advertised
SSL Session ID support yes
Session Resumption Tickets no, ID: no
TLS clock skew +8 sec from localtime
Signature Algorithm SHA256 with RSA
Server key size RSA 2048 bits (exponent is 65537)
Server key usage Digital Signature, Key Encipherment
Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication
Serial / Fingerprints 04E40D1FEB517F103243F02E78F1A9BC519C / SHA1 6241EDAA86C2B67284C4B083489F3F292AB40BA8
SHA256 85C541F7CDC4F07FF5A9E0D8F011A1CB99C4059D4F12445D69A9D4FA1231 8BE4
Common Name (CN) *.MYHOSTNAME.com
subjectAltName (SAN) *.MYHOSTNAME.com MYHOSTNAME.com
Issuer Let's Encrypt Authority X3 (Let's Encrypt from US)
Trust (hostname) Ok via SAN wildcard and CN wildcard (same w/o SNI)
Chain of trust Ok
EV cert (experimental) no
Bad OCSP intermediate (exp.) Ok
ETS/"eTLS", visibility info not present
Certificate Validity (UTC) 42 >= 30 days (2020-06-08 01:27 --> 2020-09-06 01:27)
# of certificates provided 2
Certificate Revocation List --
OCSP URI http://ocsp.int-x3.letsencrypt.org
OCSP stapling offered, not revoked
OCSP must staple extension --
DNS CAA RR (experimental) not offered
Certificate Transparency yes (certificate extension)


Testing HTTP header response @ "/"

HTTP Status Code 200 OK
HTTP clock skew Got no HTTP time, maybe try different URL?
Strict Transport Security not offered
Public Key Pinning --
Server banner HomeSeer

Application banner --
Cookie(s) (none issued at "/")
Security headers Access-Control-Allow-Origin *
Cache-Control no-cache
Reverse Proxy banner --


Testing vulnerabilities

Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224) not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK), no session ticket extension
ROBOT VULNERABLE (NOT ok)
Secure Renegotiation (RFC 5746) supported (OK)
Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat
CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
BREACH (CVE-2013-3587) no gzip/deflate/compress/br HTTP compression (OK) - only supplied "/" tested
POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support
TLS_FALLBACK_SCSV (RFC 7507) No fallback possible, no protocol below TLS 1 offered (OK)
SWEET32 (CVE-2016-2183, CVE-2016-6329) VULNERABLE, uses 64 bit block ciphers
FREAK (CVE-2015-0204) not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
make sure you don't use this certificate elsewhere with SSLv2 enabled services
https://censys.io/ipv4?q=85C541F7CDC4F07FF5A9E0D8F011A1CB99C4059D4F12445D69A9D 4FA12318BE4 could help you to find out
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
BEAST (CVE-2011-3389) TLS1: ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
AES256-SHA AES128-SHA
DES-CBC3-SHA
VULNERABLE -- and no higher protocols as mitigation supported
LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)


Running client simulations (HTTP) via sockets

Android 4.4.2 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
Android 5.0.0 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
Android 6.0 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
Android 7.0 (native) TLSv1.0 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
Android 8.1 (native) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
Android 9.0 (native) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
Android 10.0 (native) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
Chrome 74 (Win 10) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
Chrome 79 (Win 10) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
Firefox 66 (Win 8.1/10) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
Firefox 71 (Win 10) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
IE 6 XP No connection
IE 8 Win 7 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
IE 8 XP TLSv1.0 DES-CBC3-SHA, No FS
IE 11 Win 7 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
IE 11 Win 8.1 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
IE 11 Win Phone 8.1 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
IE 11 Win 10 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
Edge 15 Win 10 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
Edge 17 (Win 10) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
Opera 66 (Win 10) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
Safari 9 iOS 9 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
Safari 9 OS X 10.11 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
Safari 10 OS X 10.12 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
Safari 12.1 (iOS 12.2) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
Safari 13.0 (macOS 10.14.6) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
Apple ATS 9 iOS 9 No connection
Java 6u45 TLSv1.0 AES128-SHA, No FS
Java 7u25 TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
Java 8u161 TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
Java 11.0.2 (OpenJDK) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
Java 12.0.1 (OpenJDK) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
OpenSSL 1.0.2e TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
OpenSSL 1.1.0l (Debian) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
OpenSSL 1.1.1d (Debian) No connection
Thunderbird (68.3) TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)


Rating (experimental)

Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)
Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
Protocol Support (weighted) 0 (0)
Key Exchange (weighted) 0 (0)
Cipher Strength (weighted) 0 (0)
Final Score 0
Overall Grade F
Grade cap reasons Grade capped to F. Vulnerable to ROBOT
Grade capped to C. TLS 1.2 is not offered
Grade capped to B. Vulnerable to BEAST
Grade capped to B. TLS 1.0 offered
Grade capped to A. HSTS is not offered

Done 2020-07-25 20:48:13 [ 217s] -->> MY_IP_ADDRESS:443 (homeseer.MYHOSTNAME.com) <<--

          Comment

            #6
            Does anyone know what web server/service HS4 for Windows is installing/using?
            I do not have this issue with HS4 Linux...
            HS4 Pro Edition 4.2.5.0 running on Lenovo ThinkCenter & Debian Linux
            Plugins: Z-Wave (via Nortek USB stick
            Home Assistant 2021.10.6 running on HA "Blue" ODROID-N2
            Add-ons: Android Debug Bridge, Duck DNS, ESPHome, File Editor, Glances, HA Google Drive Backup, InfluxDB, Log Viewer, MariaDB, Mosquitto broker, NGINX SSL Proxy, Node-RED, Portainer, SSH & Web Terminal, Samba, TasmoAdmin, UniFi Controller, Visual Studio Code, WireGuard, Zigbee2mqtt, Z-Wave JS to MQTT
            Integrations: AccuWeather, Alexa Media Player, Glances, Google Nest, HACS, HomeSeer, Insteon, IPP, Life360, Local IP, Logitech Harmony Hub, Mobile App, MQTT, My Garage, OpenWeather, Spotify, Tuya Local. Ubiquiti UniFi, Z-Wave JS
            Insteon: 2413S Dual Band PLM
            Zigbee: zzh! CC2652R Rev A
            Z-Wave: RaZberry daughtercard on RPi 1B via ser2net

            Comment

              #7
              Is there no solution to this problem? Still not resolved in the latest update.
              I also found this post a couple weeks back: Old Post

              Comment

                #8
                Has anyone put a bug ticket in for this? That's the only way it will truly get resolved if it is in fact a bug.

                Comment

                  #9
                  Good point. Finding the support ticket portal was not obvious. Submitting now.
                  • Likes 1

                  Comment

                    #10
                    Ticket ID: HSCS-850
                    I'll share the response

                    Comment

                      #11
                      Same here with Firefox and had to allow TLS 1.0.
                      To change Firefox back to TLS 1.2...
                      1. Open a new tab and navigate to about:config
                      2. In the search box type security.tls.version.min
                      3. Set the value to 3 and click the save icon
                      HS4 Pro Edition 4.2.5.0 running on Lenovo ThinkCenter & Debian Linux
                      Plugins: Z-Wave (via Nortek USB stick
                      Home Assistant 2021.10.6 running on HA "Blue" ODROID-N2
                      Add-ons: Android Debug Bridge, Duck DNS, ESPHome, File Editor, Glances, HA Google Drive Backup, InfluxDB, Log Viewer, MariaDB, Mosquitto broker, NGINX SSL Proxy, Node-RED, Portainer, SSH & Web Terminal, Samba, TasmoAdmin, UniFi Controller, Visual Studio Code, WireGuard, Zigbee2mqtt, Z-Wave JS to MQTT
                      Integrations: AccuWeather, Alexa Media Player, Glances, Google Nest, HACS, HomeSeer, Insteon, IPP, Life360, Local IP, Logitech Harmony Hub, Mobile App, MQTT, My Garage, OpenWeather, Spotify, Tuya Local. Ubiquiti UniFi, Z-Wave JS
                      Insteon: 2413S Dual Band PLM
                      Zigbee: zzh! CC2652R Rev A
                      Z-Wave: RaZberry daughtercard on RPi 1B via ser2net

                      Comment

                        #12
                        On my MAC, Firefox first complained but came up with a dialog box asking me if I wanted to enable TLS 1.0 on this site and that I understood the security implications. I did it once and really never thought about it again. But, in general, I agree. TLS 1.0 is not a good thing.

                        Comment

                          #13
                          Originally posted by dbrunt View Post
                          I'm not sure what the issue/problem is. My main system is Linux but I just installed HS4 Windows as a test. The HS4 process is listening on port 80, my Firefox about:config security.tls.version.tls is set to "3" (TLS 1.2). HS4.exe is listening port 80 and I can browse 192.168.1.100/devices.html with no complaint from Firefox about TLS...
                          You do realize that port 80 communication is generally http (unsecure) and not https, hence why you get no TLS issues.

                          Comment

                            #14
                            Originally posted by TC1 View Post

                            You do realize that port 80 communication is generally http (unsecure) and not https, hence why you get no TLS issues.
                            At 1 pm I do but I guess not at 1 am!!
                            Post edited to correct my "senior" moment...
                            HS4 Pro Edition 4.2.5.0 running on Lenovo ThinkCenter & Debian Linux
                            Plugins: Z-Wave (via Nortek USB stick
                            Home Assistant 2021.10.6 running on HA "Blue" ODROID-N2
                            Add-ons: Android Debug Bridge, Duck DNS, ESPHome, File Editor, Glances, HA Google Drive Backup, InfluxDB, Log Viewer, MariaDB, Mosquitto broker, NGINX SSL Proxy, Node-RED, Portainer, SSH & Web Terminal, Samba, TasmoAdmin, UniFi Controller, Visual Studio Code, WireGuard, Zigbee2mqtt, Z-Wave JS to MQTT
                            Integrations: AccuWeather, Alexa Media Player, Glances, Google Nest, HACS, HomeSeer, Insteon, IPP, Life360, Local IP, Logitech Harmony Hub, Mobile App, MQTT, My Garage, OpenWeather, Spotify, Tuya Local. Ubiquiti UniFi, Z-Wave JS
                            Insteon: 2413S Dual Band PLM
                            Zigbee: zzh! CC2652R Rev A
                            Z-Wave: RaZberry daughtercard on RPi 1B via ser2net

                            Comment

                              #15
                              For reference https://forums.homeseer.com/forum/de...url-ssl-issue:
                              Originally posted by jon00 View Post
                              It's probably related to SSL/TLS support in .NET 4. For instance .NET 4 only supports TLS 1.0 whereas many sites now have switched to TLS 1.2 or higher. No easy way around that without compiling HS3 in a later version of .NET. As you are on Windows, you can use hs.GetURLIE which provides the certificate support via Internet Explorer.
                              Apparently HS4 is still using the same .NET 4...
                              HS4 Pro Edition 4.2.5.0 running on Lenovo ThinkCenter & Debian Linux
                              Plugins: Z-Wave (via Nortek USB stick
                              Home Assistant 2021.10.6 running on HA "Blue" ODROID-N2
                              Add-ons: Android Debug Bridge, Duck DNS, ESPHome, File Editor, Glances, HA Google Drive Backup, InfluxDB, Log Viewer, MariaDB, Mosquitto broker, NGINX SSL Proxy, Node-RED, Portainer, SSH & Web Terminal, Samba, TasmoAdmin, UniFi Controller, Visual Studio Code, WireGuard, Zigbee2mqtt, Z-Wave JS to MQTT
                              Integrations: AccuWeather, Alexa Media Player, Glances, Google Nest, HACS, HomeSeer, Insteon, IPP, Life360, Local IP, Logitech Harmony Hub, Mobile App, MQTT, My Garage, OpenWeather, Spotify, Tuya Local. Ubiquiti UniFi, Z-Wave JS
                              Insteon: 2413S Dual Band PLM
                              Zigbee: zzh! CC2652R Rev A
                              Z-Wave: RaZberry daughtercard on RPi 1B via ser2net

                              Comment

                              Previous 1 2 template Next
                              Working...
                              X