
Do not check certificate in HTTPS request


lazer

Question

Hi,

 

I am trying to connect to a secure web server, with a self-signed SSL certificate, using the net.HTTPClient() library in a scene.

 

When I connect to the web server using my web browser, I get a warning telling me that the certificate is not certified by a valid authority, as you may already have seen with such certificates.

In my web browser, I just click on the button to continue anyway. Firefox even allows me to add the certificate to the list of approved certificates. Problem solved :)

 

But on HC2, I can't figure out how to bypass the warning :(

 

Here is the Lua code I use:

Please login or register to see this code.

As you can see, I tried to use the "checkCertificate = false" option, but it doesn't seem to have any effect.

 

I always get the following message: "sslv3 alert handshake failure"

 

 

[DEBUG] 21:05:41: httpClient:request() : Error : sslv3 alert handshake failure

 

The checkCertificate option seems to exist, as I found it as a string in the compiled binaries on the HC2.

I tried both true and false boolean values, which seem to be accepted by the Lua interpreter, but it doesn't affect the result as I would normally expect.

If I try another value, such as a number or a string, I get a Lua cast error and the script immediately ends. This is proof that the checkCertificate parameter is used, but apparently with no effect.

 

Can anyone confirm this strange behavior?

 

To Fibaro developers, can you confirm this parameter is correctly implemented?

 

1 answer to this question

Inquirer

I found a solution, which is not really a good one...

Apparently, the HC2 only performs SSLv3 requests, which is a weak protocol, affected by the POODLE attack, revealed in 2014.

Since that date, no secure web server should use SSLv3 anymore; they should use at least TLS v1 or better.

Of course, my web server only accepts TLS v1 and higher, that is why the HC2 was not able to connect.

So this is not a problem with my self-signed certificate as I initially thought.

I have forced the SSLv3 protocol on my web server, and the HC2 is now able to connect.

This is a weakness in my security; hopefully this is only an internal web server, not exposed on the Internet.

Now, the question is, how can we enable TLS v1 connections from the HC2 using the Lua net.HTTPClient() library?

EDIT:

I finally found a better way to configure my web server :)

I have now disabled SSLv3 again and added the TLS_DHE_RSA_WITH_AES_256_CBC_SHA cipher to the TLSv1 protocol, and it appears that the HC2 is now able to connect :D

I made a lot of tests using curl, openssl, nmap and haproxy to identify which protocol+cipher combinations work.

That's all for tonight!

Edited by lazer
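The protocol+cipher matrix described in the answer above, as an added example that is not part of the original post or of FIBARO's own code. It maps the IANA suite name the poster found (TLS_DHE_RSA_WITH_AES_256_CBC_SHA) to the name OpenSSL's s_client expects, builds one s_client command per protocol+suite combination, and classifies captured s_client output. The host 192.0.2.10, the port, the list of suites and both sample outputs are constructed placeholders, not captures from the poster's server. One point worth keeping in mind when reading such output: "sslv3 alert handshake failure" is the name OpenSSL gives to TLS alert 40 (handshake_failure) whatever protocol version is in use, and a server sends that alert when it shares no cipher suite or version with the client, so a checkCertificate setting cannot make it go away; that matches what the EDIT found.

```shell
#!/bin/sh
# Added example, not code from the thread. Helper for an openssl s_client
# protocol+cipher sweep. Host/port and the two sample outputs below are
# constructed placeholders.

# (1) IANA suite name -> OpenSSL cipher name, for a few suites an older
# embedded TLS stack is likely to offer. Unknown suites return 1.
openssl_cipher_name() {
    case "$1" in
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA) echo DHE-RSA-AES256-SHA ;;
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA) echo DHE-RSA-AES128-SHA ;;
        TLS_RSA_WITH_AES_256_CBC_SHA)     echo AES256-SHA ;;
        TLS_RSA_WITH_AES_128_CBC_SHA)     echo AES128-SHA ;;
        TLS_RSA_WITH_3DES_EDE_CBC_SHA)    echo DES-CBC3-SHA ;;
        *) return 1 ;;
    esac
}

# (2) One command that offers exactly one protocol version (ssl3, tls1,
# tls1_1 or tls1_2, i.e. s_client's -ssl3/-tls1/-tls1_1/-tls1_2 flags)
# and exactly one suite, so success or failure pins down that single
# combination instead of whatever the two sides would negotiate freely.
probe_cmd() {
    p_host=$1; p_port=$2; p_proto=$3; p_suite=$4
    p_cipher=$(openssl_cipher_name "$p_suite") || return 1
    printf 'openssl s_client -connect %s:%s -%s -cipher %s </dev/null\n' \
        "$p_host" "$p_port" "$p_proto" "$p_cipher"
}

# (3) Read s_client output on stdin. Prints "OK <proto> <cipher>" when a
# session was negotiated, "FAIL <reason>" (and returns 1) otherwise.
# A handshake_failure alert means no shared version/suite, so it is
# reported as such rather than as a certificate problem.
classify_handshake() {
    c_out=$(cat)
    if printf '%s\n' "$c_out" | grep -qi 'handshake failure'; then
        echo "FAIL handshake_failure alert (no shared protocol version or cipher suite)"
        return 1
    fi
    c_proto=$(printf '%s\n' "$c_out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    c_cipher=$(printf '%s\n' "$c_out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    if [ -z "$c_cipher" ] || [ "$c_cipher" = 0000 ]; then
        echo "FAIL no cipher negotiated"
        return 1
    fi
    echo "OK $c_proto $c_cipher"
}

# Constructed sample outputs, trimmed to the lines that matter.
SAMPLE_OK='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA'

SAMPLE_FAIL='CONNECTED(00000003)
SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
no peer certificate available
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

# Demo: print the commands for a small matrix, then classify both samples.
for p in ssl3 tls1 tls1_1 tls1_2; do
    for s in TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA; do
        probe_cmd 192.0.2.10 443 "$p" "$s"
    done
done
printf '%s\n' "$SAMPLE_OK"   | classify_handshake || true
printf '%s\n' "$SAMPLE_FAIL" | classify_handshake || true
```

Run the printed commands against the real server and pipe each one's output into classify_handshake. Two caveats with current OpenSSL builds: the -ssl3 flag only exists when OpenSSL was compiled with SSLv3 support, and the default security level may refuse to offer TLSv1 with a SHA-1 CBC suite at all, in which case appending @SECLEVEL=0 to the cipher string (for example -cipher 'DHE-RSA-AES256-SHA:@SECLEVEL=0') is needed for the probe to be meaningful. On haproxy, which the poster mentions, the equivalent of the EDIT is to keep no-sslv3 in ssl-default-bind-options and add DHE-RSA-AES256-SHA to ssl-default-bind-ciphers, so the weak suite is enabled only on TLS and only for the listener the HC2 talks to.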