Jump to content

Welcome to Smart Home Forum by FIBARO

Dear Guest,

 

as you can notice parts of Smart Home Forum by FIBARO is not available for you. You have to register in order to view all content and post in our community. Don't worry! Registration is a simple free process that requires minimal information for you to sign up. Become a part of of Smart Home Forum by FIBARO by creating an account.

 

As a member you can:

  •     Start new topics and reply to others
  •     Follow topics and users to get email updates
  •     Get your own profile page and make new friends
  •     Send personal messages
  •     ... and learn a lot about our system!

 

Regards,

Smart Home Forum by FIBARO Team


  • 0

Do not check certificate in HTTPS request


lazer
 Share

Question

Hi,

 

I am trying to connect to a secure web server, with a self-signed SSL certificate, using the net.HTTPClient() library in a scene.

 

When I connect to the web server using my web browser, I get a warning telling me that the certificate is not certified by a valid authority, as you may have already seen on such certificate.

In my web browser, I just click on the button to continue anyway. Firefox even allows me to add the certificate to the list of approved certificates. Problem solved :)

 

But on HC2, I can't figure how to bypass the warning :(

 

Here is the LUA code i use :

Please login or register to see this code.

As you can see,I tried to use the "checkCertificate = false" option, but I doesn't seem to have any effect.

 

I always get the following message : "sslv3 alert handshake failure"

 

 

[DEBUG] 21:05:41: httpClient:request() : Error : sslv3 alert handshake failure

 

The checkCertificate option seems to exist, as I found it as a string in the compiled binaries into the HC2.

I tried both true and false boolean values, which seems to be accepted by the LUA interpreter, but I doesn't affect result as I would normally expect;

If I try another value, such as a number or a string, I get a LUA Cast error and the script immediately ends. This is a proof that the checkCertificate parameter is used, but apparently with no effect.

 

Can anyone confirm this strange behavior ?

 

To Fibaro developers, can you confirm this parameter is correctly implemented ?

 

Link to comment
Share on other sites

1 answer to this question

Recommended Posts

  • 0
  • Inquirer
  • I found a solution, which is not really a good one....

     

    Apparently, the HC2 only performs SSLv3 request, which is a weak protocol, affected by the POODLE attack, revealed in 2014.

    Since that date, all secure web servers should not use SSLv3 anymore, and use at least TLS v1 or better.

     

    Of course, my Web server only accepts TLS v1 and higher, that is why the HC2 was not able to connect.

    So this is not a problem with my self signed certificate as I initially thought.

     

    I have forced the SSLv3 protocol on my web server, and the HC2 is now able to connect.

    This is a weakness in my security, hopefully this is only a internal Web server, not exposed on the Internet.

     

     

    Now, the question is, how can we enable TLS v1 connections from the HC2 using the LUA net.HTTPClient() library ?

     

     

     

    EDIT :

     

    I finally found a better way to configure my web server :)

     

    I now have disabled back SSLv3, and add the TLS_DHE_RSA_WITH_AES_256_CBC_SHA cipher to the TLSv1 protocol, and it appears that the HC2 is now able to connect :D

     

    I made a lot of tests using curl, openssl, nmap, and haproxy  to identify which couples of protocol+cipher work.

     

    That's all for tonight !

    Edited by lazer
    Link to comment
    Share on other sites

    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.

    Guest
    Answer this question...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.

     Share

    ×
    ×
    • Create New...