HS3 SSL connection issues (Firefox & Automate); certificate problem or POODLE


    #16
    I'm very disappointed that HomeSeer is dropping SSL support. I don't want to use myHS. I want a direct, secure connection to my HS machine and don't want to rely on a 3rd-party service, let alone give said 3rd party access to my HS machine. Bad choice IMHO. Very frustrating to hear. I understand the usefulness of myHS for those who don't want to hassle with port forwarding and dynamic IPs and such, but I think most of us who are into home automation want that level of control and don't want to sacrifice it for the sake of simplicity. That's one reason I won't use IFTTT right now, as it requires two 3rd-party services and requires allowing unauthenticated LAN access to HS3.

    That said, your solution sounds interesting. I really wish I didn't have to run another server to get a proper, direct SSL connection. Are you running Apache on Win 8.1? I'm somewhat familiar with Apache but not so much on Windows machines, let alone getting HS to run through a 3rd party server. Can you describe in more detail how you accomplished this or post links to some threads that explain this? If you post your own step-by-step it would probably deserve its own thread.

    Thanks for caring about this issue!
    HS4, Insteon, Z-wave, USB-UIRT, Harmony Hubs, Google Hub/Chromecasts/Speakers, Foscam & Amcrest cameras, EZVIZ DB1 doorbell
    Plugins: BLLAN, BLOccupied, BLUSBUIRT, Chromecast, Harmony Hub, Insteon, Jon00 Homeseer/Echo Skill Helper, Harmony Hub, Jon00 DB Charting, MediaController, NetCAM, PHLocation2, Pushover 3P, weatherXML, Z-wave



      #17
      Originally posted by mrceolla:
      I'm very disappointed that HomeSeer is dropping SSL support. I don't want to use myHS. I want a direct, secure connection to my HS machine and don't want to rely on a 3rd-party service, let alone give said 3rd party access to my HS machine. Bad choice IMHO. Very frustrating to hear. I understand the usefulness of myHS for those who don't want to hassle with port forwarding and dynamic IPs and such, but I think most of us who are into home automation want that level of control and don't want to sacrifice it for the sake of simplicity. That's one reason I won't use IFTTT right now, as it requires two 3rd-party services and requires allowing unauthenticated LAN access to HS3.
      I completely agree, but when I heard that HS is using their own 'homebrewed' web server, I thought this is a good thing. It clarifies where their responsibilities are, and once you have a separate web server installed to take care of security and caching, you can rely on their much faster and more current security updates.

      For example, the 'fix' for POODLE is actually just one added line in httpd.conf!

      That said, your solution sounds interesting. I really wish I didn't have to run another server to get a proper, direct SSL connection. Are you running Apache on Win 8.1? I'm somewhat familiar with Apache but not so much on Windows machines, let alone getting HS to run through a 3rd party server. Can you describe in more detail how you accomplished this or post links to some threads that explain this? If you post your own step-by-step it would probably deserve its own thread.
      Yes, I'm running Apache on Win 8.1. The whole install and setup process took about an hour, and that included the time to browse for the solutions and comparing which ones are relevant and which are not... and carrying them all out and testing them.

      I will write the outline and general steps from memory...

      1. Install Apache. Since the Apache project does not release Windows binaries, we need to grab one from one of the listed providers. I used the one from Apache Haus, link below.

      2. It's a quick install, but before you test it you need to swap the web port, since HS3 is already using port 80. At this point Apache is fully installed and able to serve web pages on the port that you assign.

      3. Now we need to enable the modules that let Apache become a proxy for another (HS3's) website. The lines are already in httpd.conf but commented out, so you just need to find them and uncomment the following lines:

      Code:
      # reverse-proxy core and its HTTP backend handler
      LoadModule proxy_module modules/mod_proxy.so
      # CONNECT tunnelling for forward proxying; unused once ProxyRequests is Off
      LoadModule proxy_connect_module modules/mod_proxy_connect.so
      LoadModule proxy_http_module modules/mod_proxy_http.so
      LoadModule rewrite_module modules/mod_rewrite.so
      LoadModule headers_module modules/mod_headers.so
      # TLS termination in Apache
      LoadModule ssl_module modules/mod_ssl.so
      # pulls in the vhost file edited in step 4
      Include conf/extra/httpd-vhosts.conf
      4. Then create the vhost section in conf/extra/httpd-vhosts.conf for your reverse proxy that points to HS3's server:

      Code:
      <VirtualHost _default_:443>
        DocumentRoot "${SRVROOT}/htdocs"
        ServerName yourdomain.com
        ServerAlias yourdomain.com
        # Off = reverse proxy only; never let Apache act as an open forward proxy
        ProxyRequests Off
        # HS3 sees its own address in the Host header, not yourdomain.com
        ProxyPreserveHost Off
        # plain HTTP to HS3 on the LAN; TLS terminates here in Apache
        ProxyPass / http://hs3.local.ip.here/
        ProxyPassReverse / http://hs3.local.ip.here/
        # only matters for an https:// backend; harmless with the http:// one above
        SSLProxyEngine on
        SSLEngine on
        SSLCertificateFile c:/path/to/your/ssl_certificate.crt
        SSLCertificateKeyFile c:/path/to/your/ssl_private.key
      </VirtualHost>
      5. At this point, you just need to restart Apache and it should work.

      PS: If you're unsure about the SSL certificate part, you can comment out all the lines that start with SSL (starting from SSLProxyEngine on), and that vhost will serve an unencrypted website on port 443 of your HS3 computer that you can test with (http://ip.to.hs3.server:443).

      6. Once you have Apache serving HS3 pages with SSL, you need to apply the POODLE fix. Edit httpd.conf and insert the line below in the <IfModule ssl_module> section:

      Code:
          # disables SSLv2 and SSLv3 so a POODLE downgrade to SSLv3 is refused
          SSLProtocol All -SSLv2 -SSLv3
      Restart Apache and you're done. Test it!

      Links:

      How to setup mod_proxy in Apache (Dell): http://documents.software.dell.com/doc181862#Configur2

      Windows binaries from Apache Haus: https://www.apachehaus.com/cgi-bin/download.plx

      Apache poodle fix: https://access.redhat.com/solutions/1232413

      Poodle test: https://www.poodlescan.com

      PS : Apache seems to be really light. As I check my Task manager, I only see 2 Apache processes, one taking up 3.2MB, the other 1.7MB.

      Thanks for caring about this issue!
      And thanks for bringing it up.
      HW: HS3 w/ Win8.1 on ASRock C2550d4i. Digi AnywhereUSB, Hubport, Edgeport, UZB, Z-trollers, PLCBUS, SONOS, GC-100, iTach IP2SL, WF2IR, IP2IR, RFXtrx433, Harmony Hubs, Hue, Ademco Vista 128BP, NetAtmo, NetAtmo Welcome

      Google Search for HomeSeer Forum
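
The step-6 check, as an added example that is not code from this thread or from Apache or HomeSeer: a small POSIX shell audit that tells you whether an httpd.conf already carries an SSLProtocol directive that removes SSLv3 (a missing directive means httpd's default "All", which still offers SSLv3 on an OpenSSL build that has it), whether ProxyRequests is Off so the reverse proxy cannot be abused as an open forward proxy, and then rewrites or inserts the directive idempotently. The sample config it runs against is constructed here; host names and paths are placeholders. The live confirmation is still a scanner against the public port (the poodlescan link above), since modern OpenSSL builds no longer ship `s_client -ssl3`.

```shell
#!/bin/sh
# Added example, not code from the thread or from Apache/HomeSeer. Audits an
# httpd.conf for the step-6 POODLE mitigation (an SSLProtocol directive that
# removes SSLv3) and for ProxyRequests Off, then patches SSLProtocol in place
# or inserts it under <IfModule ssl_module>. The sample config below is
# constructed for the demo; real paths and host names are placeholders.

# 0 if the last active SSLProtocol directive excludes SSLv3, else 1.
# No directive means httpd's default "All", which still offers SSLv3 on
# an OpenSSL build that has it; an allow-list such as "TLSv1.2" passes;
# "All ..." passes only with an explicit -SSLv3.
ssl_protocol_ok() {
    line=$(grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    if echo "$line" | grep -qiE '(^|[[:space:]])[+]?all([[:space:]]|$)'; then
        echo "$line" | grep -q '[-]SSLv3' && return 0
        return 1
    fi
    echo "$line" | grep -qiE '(^|[[:space:]])[+]?SSLv[23]' && return 1
    return 0
}

# 0 if forward proxying is explicitly switched off and never switched on.
proxy_requests_off() {
    grep -qiE '^[[:space:]]*ProxyRequests[[:space:]]+Off' "$1" || return 1
    grep -qiE '^[[:space:]]*ProxyRequests[[:space:]]+On' "$1" && return 1
    return 0
}

# Rewrite a weak SSLProtocol line, or add the directive after the first
# <IfModule ssl_module> (at end of file if that block is missing).
# Idempotent: a config that already passes is left untouched.
apply_poodle_fix() {
    conf="$1"
    ssl_protocol_ok "$conf" && return 0
    if grep -qE '^[[:space:]]*SSLProtocol[[:space:]]' "$conf"; then
        awk '/^[[:space:]]*SSLProtocol[[:space:]]/ {
                 sub(/SSLProtocol[[:space:]].*/, "SSLProtocol All -SSLv2 -SSLv3")
             }
             { print }' "$conf" > "$conf.tmp"
    else
        awk '{ print }
             /<IfModule ssl_module>/ && !done {
                 print "    SSLProtocol All -SSLv2 -SSLv3"; done = 1
             }
             END { if (!done) print "SSLProtocol All -SSLv2 -SSLv3" }' \
            "$conf" > "$conf.tmp"
    fi
    mv "$conf.tmp" "$conf"
}

# Constructed sample: the state after steps 1-5, before the POODLE fix.
write_sample_conf() {
    cat > "$1" <<'EOF'
Listen 8080
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module modules/mod_ssl.so
<IfModule ssl_module>
    Listen 443
    #SSLProtocol all
</IfModule>
<VirtualHost _default_:443>
    ServerName yourdomain.com
    ProxyRequests Off
    ProxyPass / http://hs3.local.ip.here/
    ProxyPassReverse / http://hs3.local.ip.here/
    SSLEngine on
</VirtualHost>
EOF
}

# Demo against a temp file so a real httpd.conf is never touched.
demo=$(mktemp)
write_sample_conf "$demo"
ssl_protocol_ok "$demo" && echo "before: SSLv3 disabled" || echo "before: SSLv3 still negotiable"
apply_poodle_fix "$demo"
ssl_protocol_ok "$demo" && echo "after:  SSLv3 disabled" || echo "after:  still weak"
proxy_requests_off "$demo" && echo "ProxyRequests Off: yes" || echo "WARNING: open forward proxy possible"
grep -n 'SSLProtocol' "$demo"
rm -f "$demo"
```

Point it at the real file with `write_sample_conf` left out (`apply_poodle_fix "c:/Apache24/conf/httpd.conf"` from an MSYS or Cygwin shell on the Windows box, path assumed) and restart Apache afterwards; the directive is only read at startup.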



        #18
        You're awesome! I'm almost there but I don't know how to get a .crt and .key file for my certificate. HS3 wants a .pfx file. I have two .cer files and one .pfx created following the steps outlined here:

        http://forums.homeseer.com/showthread.php?t=108130

        Do you happen to know how to obtain a .crt and .key file from these?


          #19
          Ok, so I was able to generate those two file types by running the following commands:

          openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.cer
          openssl pkcs12 -in domain.pfx -nocerts -nodes -out domain.key

          openssl.exe was included with the Apache Haus distro so I didn't have to install anything else.

          I think I have Apache setup correctly to act as a proxy. Unfortunately Automate is reporting a 'CertPathValidatorException: Trust anchor for certification path not found.' when using my self signed cert. I'm trying to investigate a solution now. I could try purchasing a cert as you did but I'd rather figure out a work around. I'll report back if I find one.

          Thanks again!


            #20
            SUCCESS!!! Seems more difficult than it should be but I can accept that. If anyone else is having trouble, this page helped me out:

            http://android.stackexchange.com/que...as-if-cert-isn

            I'd be happy to give additional input should anyone need help getting this working with self-signed certificates on non-standard SSL ports.

            Thanks again, LeoS!!!
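
The self-signed route from posts #19 and #20, as an added example that is not code from this thread (the linked android.stackexchange answer is truncated on this page, so what it recommended is not visible here). The "Trust anchor for certification path not found" error means the phone has no CA it trusts at the top of the chain the proxy presents; for a self-signed certificate that means the certificate itself must be importable as a trust anchor, and Android's "install from storage" only files a certificate under trusted CAs when it carries basicConstraints CA:TRUE. The script below mints such a certificate with a SAN matching the name the phone will use, proves the key and certificate belong together (a check worth running before pointing SSLCertificateFile and SSLCertificateKeyFile at them), bundles them into the .pfx HS3 wants, and extracts them again with the same two commands from post #19. It assumes openssl on PATH; the host name, directory and the password 'changeit' are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Mints a self-signed certificate
# that Android will accept as a user trust anchor (the thread's
# "Trust anchor for certification path not found"), proves the key and
# certificate belong together, and round-trips through the .pfx format HS3
# wants using the two extraction commands from post #19.
# Assumes: openssl on PATH; host name, directory and the password 'changeit'
# are placeholders.

# Self-signed cert with basicConstraints CA:TRUE (Android's "install from
# storage" only treats a certificate as a trust anchor when it is a CA cert)
# and a SAN matching the name the phone will connect to.
make_selfsigned_ca_cert() {
    host="$1"; outdir="$2"; days="${3:-825}"
    mkdir -p "$outdir"
    cat > "$outdir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_self
prompt = no
[dn]
CN = $host
[v3_self]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -keyout "$outdir/ssl_private.key" -out "$outdir/ssl_certificate.crt" \
        -config "$outdir/openssl.cnf" >/dev/null 2>&1
}

# 0 if the private key's public half equals the certificate's public key
# (works for RSA and EC keys alike, unlike the old modulus comparison).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if the certificate carries CA:TRUE (what the phone import needs).
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# 0 if the certificate's SAN lists the given DNS name.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# Bundle key + cert into the .pfx that HS3's own SSL setting expects.
export_pfx() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout pass:changeit 2>/dev/null
}

# The two commands from post #19, with the password supplied non-interactively.
extract_from_pfx() {
    openssl pkcs12 -in "$1" -passin pass:changeit -clcerts -nokeys -out "$2" 2>/dev/null &&
    openssl pkcs12 -in "$1" -passin pass:changeit -nocerts -nodes -out "$3" 2>/dev/null
}

# Demo: everything lands in a throwaway directory.
if command -v openssl >/dev/null 2>&1; then
    d=$(mktemp -d)
    make_selfsigned_ca_cert hs3.example.home "$d"
    key_matches_cert "$d/ssl_private.key" "$d/ssl_certificate.crt" && echo "key/cert pair OK"
    cert_is_ca "$d/ssl_certificate.crt" && echo "CA:TRUE present, phone can import it as a trust anchor"
    cert_has_san "$d/ssl_certificate.crt" hs3.example.home && echo "SAN matches hs3.example.home"
    export_pfx "$d/ssl_private.key" "$d/ssl_certificate.crt" "$d/domain.pfx"
    extract_from_pfx "$d/domain.pfx" "$d/domain.cer" "$d/domain.key"
    key_matches_cert "$d/domain.key" "$d/domain.cer" && echo "pfx round-trip OK"
    rm -rf "$d"
fi
```

Copy ssl_certificate.crt to the phone and install it from storage; the extracted domain.key is unencrypted, so keep it readable only by the account Apache runs as. The SAN has to be the name in the URL the app uses (a public DNS name, not the LAN address), otherwise the chain validates but the hostname check fails next.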


              #21
              Congrats! (sorry, was asleep when you had a question earlier)

              Btw, have you tried the app 'CADroid'? It should make installing certificates easy through its UI. It didn't work with HS3's built-in SSL server, but it worked with my Apache reverse proxy (though I didn't test a self-signed cert by then).


                #22
                It's just amazing. There is a security hole in the HS3 software and the solution is to remove SSL support altogether?! So what are users supposed to do in order to connect securely? Use MyHomeSeer? I do use that. Guess what? It's been broken for three straight days now, with no ability to connect remotely. If I did not have my own domain redirecting to the HS server in my house, I would be SOL right now!



                  #23
                  Originally posted by LeoS:
                  Btw, have you tried the app 'CADroid'? It should make installing certificates easy through its UI. It didn't work with HS3's built-in SSL server, but it worked with my Apache reverse proxy (though I didn't test a self-signed cert by then).
                  I didn't want to have to use an app to install a cert if I didn't have to. Fortunately I was able to figure that out with the help of that post. However, while I am able to install w/o issue on my Galaxy S5, my g/f's S4 wants to force a pin or password screen lock. Her current pattern isn't good enough. Perhaps I'll try that app on her phone. Thanks!


                    #24
                    Originally posted by VirtualPanther:
                    So what are users supposed to do in order to connect securely? Use MyHomeSeer? I do use that. Guess what? It's been broken for three straight days now, with no ability to connect remotely.
                    This is one of the main reasons I don't want to rely on a 3rd party if I don't have to. Just one more failure point. I'm sure MyHomeSeer fills a need for some, but I'm guessing most of us would prefer a built-in, direct, secure connection to their HS machine.

                    Why can't they just use Apache as their web server? Why roll your own? I guess I don't know all the licensing restrictions...


                      #25
                      1. There are other ways to 'bring your own security' to the table. VPN, SSH tunneling, Stunnel SSL, etc.

                      2. I'm kinda glad to have an Apache server on my HS3 box handling the web. I'm looking into applying compression and pipelining to speed up the really heavy HS3 web UI.


                        #26
                        Let's see what kind of improvement is possible...



                          #27
                          Originally posted by LeoS:
                          1. There are other ways to 'bring your own security' to the table. VPN, SSH tunneling, Stunnel SSL, etc.

                          2. I'm kinda glad to have an Apache server on my HS3 box handling the web. I'm looking into applying compression and pipelining to speed up the really heavy HS3 web UI.
                          1) Yes, but most of those are either more of a hassle to setup, more difficult to use, or both, than your Apache approach. I still wish I didn't have to setup another web server to get a proper SSL connection to HS.

                          2) Me too. I just wish HS came with it as the built in web server.


                            #28
                            I also accomplished a reverse proxy with IIS...

                            By following this post:

                            http://weblogs.asp.net/owscott/creat...ewrite-for-iis
