
Add support for WSS / SSL #65

Open
Ape opened this issue Oct 5, 2023 · 4 comments

Comments


Ape commented Oct 5, 2023

I updated my TV firmware and now it is rejecting non-SSL WS connections. The API still works over WSS with SSL. However, aiopylgtv doesn't currently support that.

To support SSL we need the following changes:

  • Switch port to 3001 (from 3000)
  • Use wss:// instead of ws://
  • Additionally we need to have an SSL context that has the LG certificates or that doesn't verify the certificates.

As a proof of concept, I got it working by changing the following code:

WebOsClient.connect_handler:

import ssl
import websockets

# Proof-of-concept context: TLS client mode, but hostname checking and
# certificate verification are both switched off, so any certificate is accepted.
ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ssl_context.check_hostname = False
ssl_context.verify_mode = ssl.CERT_NONE

...

# Main control socket: wss:// on port 3001 instead of ws:// on port 3000.
websockets.connect(
    f"wss://{self.ip}:3001",
    ping_interval=None,
    close_timeout=self.timeout_connect,
    max_size=None,
    ssl=ssl_context,
)

...

# Input socket: same SSL context passed in.
websockets.connect(
    inputsockpath,
    ping_interval=None,
    close_timeout=self.timeout_connect,
    ssl=ssl_context,
)

chewi commented Oct 14, 2023

Ideally, we would get hold of the root CA and trust that. Unfortunately, the TV doesn't present it, only the intermediate, although we could trust that while allowing a partial chain if we cannot obtain the root CA.

$ openssl s_client -showcerts lgcx:3001 <<< Q
CONNECTED(00000003)
depth=1 C = KR, ST = Seoul, O = LG Electronics Inc., OU = HE Lab., CN = LGE SSG Intermediate CA
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = KR, ST = Seoul, O = LG Electronics Inc., OU = HE Lab., CN = LGE TV SSG
verify return:1
---
Certificate chain
 0 s:C = KR, ST = Seoul, O = LG Electronics Inc., OU = HE Lab., CN = LGE TV SSG
   i:C = KR, ST = Seoul, O = LG Electronics Inc., OU = HE Lab., CN = LGE SSG Intermediate CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 12 01:49:52 2018 GMT; NotAfter: Aug 15 01:49:52 2034 GMT
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 1 s:C = KR, ST = Seoul, O = LG Electronics Inc., OU = HE Lab., CN = LGE SSG Intermediate CA
   i:C = KR, ST = Seoul, L = Seoul, O = LG Electronics Inc., OU = HE Laboratory, CN = LG webOS TV Root CA, emailAddress = security-part@lge.com
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 12 01:30:28 2018 GMT; NotAfter: Aug 15 01:30:28 2034 GMT
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=C = KR, ST = Seoul, O = LG Electronics Inc., OU = HE Lab., CN = LGE TV SSG
issuer=C = KR, ST = Seoul, O = LG Electronics Inc., OU = HE Lab., CN = LGE SSG Intermediate CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 3716 bytes and written 450 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 0CAA9BFA04D0CBBD75702DCEB79CADC0A3E165CE551ACA1D40E5C3BF3F6C9B5F
    Session-ID-ctx: 
    Master-Key: 44A042172A77FE9DD97697406B0A709B4C849450A5AAB3A95795EE99864C2E57F28283A0F8257CDBD8E87A346CF8299F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - b5 f3 25 e3 d4 f1 15 19-ca 19 dd 2d 47 92 53 81   ..%........-G.S.
    0010 - 9c 84 30 df 11 2a 0d 21-5b 0c c1 6f 16 43 99 d3   ..0..*.![..o.C..
    0020 - f3 8c 44 a9 38 73 f8 ec-9e a3 ce 3c 16 cd f3 c3   ..D.8s.....<....
    0030 - 05 ac 83 85 81 f0 ec e0-59 97 f9 91 d1 8f df 3d   ........Y......=
    0040 - ff 30 84 df a7 35 de a4-a8 fc 3b c7 f2 ce 71 54   .0...5....;...qT
    0050 - c9 35 f9 2a b5 df 97 4c-1b 31 21 6d 8e 5f f8 16   .5.*...L.1!m._..
    0060 - 70 38 31 60 d1 9b 5e 24-34 23 7b f8 ef 17 ee af   p81`..^$4#{.....
    0070 - 59 b5 af 64 7c 30 22 d9-e9 0b 8c 7c 36 a6 7c bb   Y..d|0"....|6.|.
    0080 - 28 c4 33 4f 78 66 fe 3d-18 8b c9 f7 ac c6 b7 06   (.3Oxf.=........
    0090 - 95 80 2c f3 30 fd 05 aa-60 31 4f ee cf a9 32 b1   ..,.0...`1O...2.
    00a0 - 08 8d bf f6 87 a1 43 64-a4 a8 3a 23 5a 59 79 f9   ......Cd..:#ZYy.
    00b0 - c3 0c 2d 78 82 76 80 3e-de ae 1f 77 35 43 93 21   ..-x.v.>...w5C.!
    00c0 - 24 34 3d 74 25 cc 5f 55-40 14 fc c1 82 ba 1a 99   $4=t%._U@.......

    Start Time: 1697300469
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
---
DONE


chewi commented Oct 14, 2023

The changes were easy enough to make and work for me. You called it a proof of concept, but this seems fine, apart from maybe verifying the certificate as I suggested. I don't think this needs to be configurable. I'd be surprised if any of the models already supported by this library don't support SSL. What do you think?


chewi commented Oct 14, 2023

I got the partial chain verification to work. I had hoped to fish the root CA out of the Android app, but I cannot find it, despite finding a bunch of other certificates. I'll try emailing security-part@lge.com. It's worth a shot, right?

I can submit this in a pull request, but would you merge it, @bendavid? I know you haven't touched this for ages, but I don't want to have to maintain yet another fork.


chros73 commented Jan 19, 2024

It's already done in bscpylgtv.
