Elk M1G SSL Error after updating M1XEP to v 2.0.46 #44
Comments
Looking now. Assuming the fix is as easy as changing the one line it should be done today or tomorrow. |
Switching from This did not work:
This also did not work:
@bdraco do you have any thoughts? I'll poke around a bit more during the weekend to see if I can learn something new. |
I'm guessing, but know little about TLS negotiation, is that ElkM1 does not support negotiation, so you need to specify the version of TLS specific to the version of the Ethernet firmware. If that is the case then a parameter is needed, which would have to be specified in HA and passed through to the library. If this is true then here is what I propose: The code for TLSv1 (other versions would be similar) would be something such as:
To learn about negotiation, I tried this: I then tried this: I will go ahead with changes once there's some responses on this thread. If we go ahead as proposed it would be great if someone could change the HA code, I don't have a dev environment setup. |
That sounds right. I haven't upgraded my firmware yet and I'm traveling so I can't test. Pretty lame that it can't do negotiation. |
Glenn – I’d be happy to test. I’m currently running updated M1XEP firmware using the unsecure port. It won’t connect using the secure port due to this issue. This would be my first time updating HA to test but happy to learn.
Thanks,
Tim Whitaker
From: Glenn Waters ***@***.***>
Sent: Saturday, June 26, 2021 1:19 PM
To: gwww/elkm1 ***@***.***>
Cc: Tim Whitaker ***@***.***>; Author ***@***.***>
Subject: Re: [gwww/elkm1] Elk M1G SSL Error after updating M1XEP to v 2.0.46 (#44)
I'm guessing, but know little about TLS negotiation, is that ElkM1 does not support negotiation, so you need to specify the version of TLS specific to the version of the Ethernet firmware. If that is the case then a parameter is needed, which would have to be specified in HA and passed through to the library. If this is true then here is what I propose: `elks://` is TLSv1, `elksv1` is TLSv1, and `elksv1_2` is TLSv1_2. Might as well add `elksv1_3` while I'm changing the lib, even though no ElkM1 supports it yet.
The code for TLSv1 (other versions would be similar) would be something such as:
```python
import ssl

# Pin both ends of the allowed range so only TLSv1 is offered.
ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
ssl_context.minimum_version = ssl.TLSVersion.TLSv1
ssl_context.maximum_version = ssl.TLSVersion.TLSv1
```
To learn about negotiation, I tried this: `openssl s_client -connect 192.168.1.12:2601 -prexit` which failed.
I then tried this: `openssl s_client -connect 192.168.1.12:2601 -prexit -no_tls1_1 -no_tls1_2` which worked.
I will go ahead with changes once there's some responses on this thread. If we go ahead as proposed it would be great if someone could change the HA code, I don't have a dev environment setup.
|
FYI, fallback until this fix makes its way through is to use |
I've pushed a new version of the ElkM1 library which adds support for TLS 1.2. To use the HA config GUI, changes are required to use the new protocol. If you are using the YAML config then I believe it should work (but have not checked) by changing from I won't have time this week to look at the HA changes... life has thrown a few curve balls. I'm going to close this issue. I recommend to get the HA changes in open a bug against that project. That will help with tracking, and perhaps someone else can pick it up. Check this project's README for details on the change, or "use the code Luke" - they are pretty simple. And BTW, I bumped the version of this lib to 1.0.0! Woo hoo! It's out of beta! |
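An added example, not part of the original comments and not the elkm1 library's own code: one way to pin a Python client to a single TLS version chosen by URL scheme, following the scheme names proposed earlier in the thread. The scheme table, `DEFAULT_PORT` and all function names are assumptions of this example.

```python
import ssl

# Scheme names are the ones proposed in the thread; this table is the
# example's own, not the elkm1 library's.
SCHEME_TLS = {
    "elks": ssl.TLSVersion.TLSv1,
    "elksv1": ssl.TLSVersion.TLSv1,
    "elksv1_2": ssl.TLSVersion.TLSv1_2,
    "elksv1_3": ssl.TLSVersion.TLSv1_3,
}
DEFAULT_PORT = 2601  # assumption: the port used in the thread's openssl commands


def parse_elk_url(url):
    """Split 'scheme://host[:port]' into (TLSVersion, host, port).

    Parsed by hand: '_' is not a legal URL scheme character, so
    urllib.parse would not recognise 'elksv1_2' as a scheme.
    """
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in SCHEME_TLS:
        # Fail closed: an unknown scheme must not silently pick a version.
        raise ValueError(f"unsupported scheme in {url!r}")
    host, colon, port = rest.partition(":")
    if not host:
        raise ValueError(f"missing host in {url!r}")
    return SCHEME_TLS[scheme.lower()], host, int(port) if colon else DEFAULT_PORT


def pinned_context(version):
    """Client context that offers exactly one TLS version (no negotiation range)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Certificate and hostname verification stay at the PROTOCOL_TLS_CLIENT
    # defaults (enabled); only the protocol range is narrowed here.
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def context_for(url):
    """Return (host, port, SSLContext) for a scheme-qualified panel URL."""
    version, host, port = parse_elk_url(url)
    return host, port, pinned_context(version)
```

Pinning `minimum_version` and `maximum_version` to the same value is what removes version negotiation; an unrecognised scheme raises instead of falling back to a default range.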
HomeAssistant is unable to connect to M1G using secure port after upgrading M1XEP to v2.0.46. Apparently this version is using TLS and the elkm1_lib is using an older version of SSL. Error Message:
Could not connect to ElkM1 ([SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:1125))
home-assistant/core#52188
per bdraco, this is the line that needs to be adjusted..
elkm1/elkm1_lib/util.py
Line 21 in 0328b15