
Comments (7)

gwww commented on August 20, 2024

Looking now. Assuming the fix is as easy as changing the one line it should be done today or tomorrow.

from elkm1.

gwww commented on August 20, 2024

Switching from ssl.PROTOCOL_TLSv1 to ssl.PROTOCOL_TLS does not work. Here are a couple of things I tried. I'm using the 2.0.34 version of the firmware on the Ethernet board, which supports TLS 1.1.

This did not work:

        ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
        ssl_context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1_2 | ssl.OP_NO_TLSv1_3

This also did not work:

        ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
        ssl_context.options = ssl.PROTOCOL_TLSv1_1

@bdraco do you have any thoughts? I'll poke around a bit more during the weekend to see if I can learn something new.

from elkm1.

gwww commented on August 20, 2024

My guess, though I know little about TLS negotiation, is that ElkM1 does not support negotiation, so you need to specify the version of TLS specific to the version of the Ethernet firmware. If that is the case then a parameter is needed, which would have to be specified in HA and passed through to the library. If this is true then here is what I propose: elks:// is TLSv1, elksv1 is TLSv1, and elksv1_2 is TLSv1_2. Might as well add elksv1_3 while I'm changing the lib, even though no ElkM1 supports it yet.

The code for TLSv1 (other versions would be similar) would be something such as:

        ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
        ssl_context.minimum_version = ssl.TLSVersion.TLSv1
        ssl_context.maximum_version = ssl.TLSVersion.TLSv1

To learn about negotiation, I tried this: openssl s_client -connect 192.168.1.12:2601 -prexit which failed.

I then tried this: openssl s_client -connect 192.168.1.12:2601 -prexit -no_tls1_1 -no_tls1_2 which worked.

I will go ahead with changes once there are some responses on this thread. If we go ahead as proposed it would be great if someone could change the HA code; I don't have a dev environment set up.

from elkm1.
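The scheme-to-version pinning proposed in the comment above, written out as an added example (not the elkm1 library's own code). The function names pinned_context and parse_elk_url, the cafile parameter and the choice of PROTOCOL_TLS_CLIENT are assumptions of this example; the scheme names and the sample address come from the thread.

```python
import ssl

# Scheme names follow the proposal in the thread; None means plain TCP (elk://).
SCHEME_TLS = {
    "elk": None,
    "elks": ssl.TLSVersion.TLSv1,
    "elksv1": ssl.TLSVersion.TLSv1,
    "elksv1_2": ssl.TLSVersion.TLSv1_2,
    "elksv1_3": ssl.TLSVersion.TLSv1_3,
}


def parse_elk_url(url):
    """Split 'scheme://host:port' by hand; urllib.parse does not accept '_' in a scheme."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in SCHEME_TLS:
        raise ValueError(f"unsupported Elk URL: {url!r}")
    host, _, port = rest.partition(":")
    if not host or not port.isdigit():
        raise ValueError(f"host:port required: {url!r}")
    return scheme, host, int(port)


def pinned_context(url, cafile=None):
    """Return (host, port, ctx); ctx is None for elk://, else pinned to one TLS version."""
    scheme, host, port = parse_elk_url(url)
    version = SCHEME_TLS[scheme]
    if version is None:
        return host, port, None
    # Assumption of this example: PROTOCOL_TLS_CLIENT, which keeps certificate and
    # hostname checks on. The thread's snippets use PROTOCOL_TLS (default CERT_NONE).
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # hypothetical path to the panel's cert
    # min == max: only this one version is offered, so nothing is left to negotiate.
    ctx.minimum_version = version
    ctx.maximum_version = version
    return host, port, ctx


if __name__ == "__main__":
    host, port, ctx = pinned_context("elksv1_2://192.168.1.12:2601")
    print(host, port, ctx.minimum_version.name, ctx.maximum_version.name)
```

Whether a TLSv1 pin can actually complete a handshake depends on the local OpenSSL build and its policy, so check ssl.HAS_TLSv1 before relying on the elks:// mapping.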

bdraco commented on August 20, 2024

That sounds right. I haven't upgraded my firmware yet and I'm traveling so I can't test. Pretty lame that it can't do negotiation.

from elkm1.

ls6620 commented on August 20, 2024

from elkm1.

gwww commented on August 20, 2024

FYI, fallback until this fix makes its way through is to use elk://, the non-secure connection.

from elkm1.

gwww commented on August 20, 2024

I've pushed a new version of the ElkM1 library which adds support for TLS 1.2.

To use the HA config GUI, changes are required to use the new protocol. If you are using the YAML config then I believe it should work (but have not checked) by changing from elks:// to elksv1_2://.

I won't have time this week to look at the HA changes... life has thrown a few curve balls. I'm going to close this issue. I recommend that, to get the HA changes in, you open a bug against that project. That will help with tracking, and perhaps someone else can pick it up.

Check this project's README for details on the change, or "use the code Luke" - they are pretty simple.

And BTW, I bumped the version of this lib to 1.0.0! Woo hoo! It's out of beta!

from elkm1.
