Is it running Android lolliipop (5.x)?

If I'm not mistaken, it's a problem with Android 5.0... it implements higher security and it's a huge pain in the *** to add your own self signed certificates to its exclusion list.

Yes, it is a Galaxy S5 on Sprint running the latest OTA update.

I don't believe it is a system wide issue as I can access HS3 via https from the stock Android browser. I just have to accept the warning first.

I read that Firefox prevents navigation to sites using out-dated encryption:
https://support.mozilla.org/en-US/kb/tls-error-reports

Chrome's certificate/encryption information mentioned above seems to confirm the server is in fact using outdated encryption. I have a feeling that is the problem here causing FF and Automate not to be able to connect, and I don't know if that is a function of the certificate or the server.

Anyone know?

From the certificate information tab on the stock Android browser:

----------------
Your connection to www.domain.com is encrypted with 256-bit encryption.

The connection uses TLS 1.0

The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and RSA as the key exchange mechanism.

The connection had to be retried using an older version of the TLS or SSL protocol. This typically means that the server is using very old software and may have other security issues.

The server does not support the TLS renegotiation extension.
---------------------

Thoughts? Can HS update this part of the software?

I think it's higher security imposed upon 3rd party apps, I experience the same thing in Tasker.

You can try an app called CAdroid to try install your self signed certificate to your Android's cert store. It didn't work for me, but if it does for you then it should solve your issues. (I meant the app crapped out before finishing)

I seemingly was able to install the certificates via Settings -> System - Security -> Credential Storage - Install from device storage. Path to this setting may be different on your device.

Even after installing these certificates nothing seems to have changed.

I still think there is more than one issue here. Self-signed certificates is one of them, but the other is that my HS3 SSL server is using a no longer secure encryption method.

Is that last part something I can change/fix or is that something that must be updated in the HS3 software?

Well if the certificate on HS3 server is deemed to not comply with the latest security update, then you'd want to do something about that certificate than weaken the HS3 side.

The error that I get on my android's browser is something along the line of ERR Certificate Authority Invalid. That's basically saying that the certificate that you have is not signed by one of the already known trusted authority (ie: it's self signed).

Yes, I realize a self signed cert creates those types of error messages. I use a self signed cert for my Exchange email server with Outlook Web Access and I can still access that via Firefox just fine, even though I still get those usual warnings about an untrusted certificate. That tells me that the simple fact that my HS3 cert is not from a trusted authority isn't the issue I'm seeing in Firefox and Automate (well, maybe Automate).

There seems to be something else at play here and I believe it is the encryption method used by the HS SSL server. You know, SSLv3, TLS 1.x, etc...

Given the Automate error about SSL handshake, and reading that Firefox now simply prevents you from navigating to sites still using the unsafe encryption methods, I believe it is the encryption method being used and not the fact that it's a self-signed certificate not from a trusted authority.

A quote from a POODLE page explains that updating the servers encryption method is not related to the certificates itself.

"Note: This vulnerability does not affect the SSL Certificates themselves. There is no need to resissue, renew, or reinstall any certificates at this time."

I could be barking up the wrong tree but I think we need HomeSeer to update the SSL portion of the software.

Can you other folks using SSL access HS3 from Firefox?

Yes, I'm getting the same error.

I don't know enough about Android (especially lollipop) and SSL certs... but I'm in the process of purchasing a proper cert for my dyndns.org domain (lol). But anyway it's just $10 and would be great if it works.

Yes you CAN access via Firefox? Or yes you're blocked completely?

Please let us know if your $10 cert solves this Firefox problem. Your legit cert should prevent you from seeing 'untrusted' errors in other browsers but I suspect nothing will change with Firefox.

Yes, i'm getting the same error as you. And firefox could not open Hs3 ssl website at all, with no override options.

i can report that rapidssl does not accept host.dyndns.org domain. I will have to use a proper domain to do this test. Luckily i have some spares that i can try with, i will ipdate when i have triedit.

Btw, any input on comodo vs rapidssl or any of those cheap ssl?

The certificate does not solve the firefox problem because the certificate is not the problem. They need to disable SSLv3, whether in client or server. I've emailed Richard (rjh) about this.. I hope it's a simple fix and they can release and update sooner than later.

Thank you so much for confirming my suspicion and sending it up the chain. I too hope it can be fixed soon. I'd really like to be able to send encrypted JSON requests via Android's Automate. Please let me know what you hear from Richard.

Thanks again!

I've got the reply from Rich and unfortunately it's not what I had hoped. But at the very least it gives clarity on this situation.

So I guess we should treat HS3 as a plain web without ssl component, then add a (hopefully light and simple) reverse caching proxy to wrap HS3's pages in more compliant SSL?

Edit: I've installed Apache 2.4 (binaries from Apache Haus), set it up with my RapidSSL certificate... Firefox could now open it with no error whatsoever. But unfortunately Tasker still does not seem to play ball with it.

Success...

So after install Apache on my HomeSeer server, setup mod_proxy, put my RapidSSL certs on it... that configuration worked with Firefox but didn't work with Tasker.

Apparently you still need to manually disable SSLv3 on the latest Apache (that I got from Apache Haus):

http://serverfault.com/questions/660...he-2-4-9-on-wi

and after that, you can test with these methods:

http://chrisburgess.com.au/how-to-te...vulnerability/

and this site:

https://www.poodlescan.com

and this is what you want to see:



Best of all... Tasker now works with direct SSL connection to my home server, on my Android 5.0 (Lollipop) phone.

PS: I think this will work even if you use a self-signed certificate.