Use less strict certificate checking for ComEd #74361
Conversation
Fixing this issue: #74320
It may be because ComEd isn't using intermediate certificates per digicert's diagnostics tool:
DNS resolves hourlypricing.comed.com to 45.60.152.155
HTTP Server Header: Apache
TLS Certificate
Common Name = hourlypricing.comed.com
Organization = Exelon Corporation
City/Locality = Chicago
State/Province = Illinois
Country = US
Subject Alternative Names = hourlypricing.comed.com
Issuer = DigiCert TLS RSA SHA256 2020 CA1
Serial Number = 0CFD656D10D544BC1024EC8256F96786
SHA1 Thumbprint = 6947F33F43CBDEBD6350CCD8D00EB0D229837692
Key Length = 2048
Signature algorithm = SHA256-RSA
Secure Renegotiation:
TLS Certificate has not been revoked
OCSP Staple: Not Enabled
OCSP Origin: Good
CRL Status: Good
TLS Certificate expiration
The certificate expires June 23, 2023 (355 days from today)
Certificate Name matches hourlypricing.comed.com
Subject hourlypricing.comed.com
Valid from 23/Jun/2022 to 23/Jun/2023
Issuer DigiCert TLS RSA SHA256 2020 CA1
The server is not sending the required intermediate certificate.
In most cases, solving this problem in Apache is as simple as adding "SSLCertificateChainFile /path/to/DigiCertCA.crt" to your apache configuration file after/near your SSLCertificateFile line.
You can find the missing intermediate in the zip file containing your certificate, or download it from your customer account area.
Follow the directions on our certificate installation guide to install the missing intermediate.
If you have any problems correcting this issue, please contact our helpful support team and we would be happy to assist.
Hi @glenviewjeff, it seems you haven't yet signed a CLA. Please do so here. Once you do that we will be able to review and accept this pull request. Thanks!
@@ -113,7 +113,7 @@ async def async_update(self): | |||
url_string += "?type=currenthouraverage" | |||
|
|||
async with async_timeout.timeout(60): | |||
response = await self.websession.get(url_string) | |||
response = await self.websession.get(url_string, ssl=False) |
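Review bot: the added `ssl=False` on the `websession.get` line does not relax checking, it switches certificate verification off entirely, so aiohttp will accept any certificate (self-signed included) for hourlypricing.comed.com and every user of the integration becomes exposed to a man-in-the-middle on an unauthenticated connection, permanently, to work around a transient server-side misconfiguration. If a client-side change is wanted at all, pass an `ssl.SSLContext` built with `ssl.create_default_context()` that additionally loads the missing DigiCert intermediate via `load_verify_locations`, e.g. `response = await self.websession.get(url_string, ssl=ctx)`; that keeps CERT_REQUIRED and hostname checking intact. Otherwise keep the default call and have the server send its full chain, as the diagnostics in the PR description already recommend.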
Disabling SSL checks is not a solution to issues like this, especially considering this is a public service. This PR basically introduces a security issue.
@frenck From what I understand from the documentation, this setting doesn't disable the checks, it only uses less strict checks, presumably more along the lines of what Chrome does in practice. The certificates currently pass under Chrome but not with the default SSL values from this library.
By default aiohttp uses strict checks for HTTPS protocol. Certification checks can be relaxed by setting ssl to False:
r = await session.get('https://example.com', ssl=False)
If I'm misunderstanding the source of the problem (that it's the strict checking that's causing the issue because of the missing intermediate certificate), then this SO post and/or this GitHub issue may hold some clues. I'd play around but I don't yet know how to import a development version of an integration into HA (I've only been playing with HA for a couple of weeks).
From what I understand from the documentation, this setting doesn't disable the checks, it only uses less strict checks
That is correct, meaning aiohttp will accept anything. Even self-signed and invalid certificates (that is the security issue created).
Actually ssl=false does appear to completely skip validation according to this section of the documentation.
does appear to completely skip validation according to
Yes. Which is the security issue :)
So... what do we do when Home Assistant uses different rules for intermediate certificate downloads/checks than modern browsers? I agree disabling SSL checks is not the solution, but the SSL certificate is valid, the chain is just incomplete or is expected to be part of the OS instead of served via the remote webserver. So what is the solution here?
The correct fix is ComEd needs to fix their site/service. I've reached out to them about this issue (via email and on twitter) as it's something they really need to address on their end. I also agree that not strictly checking the certificate reduces security and isn't the correct/proper fix. Their site/TLS endpoint needs to provide the full certificate chain as is required for proper TLS security.
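The contrast the thread keeps circling back to, as an added example that is not code from the PR or from Home Assistant: what aiohttp enforces when given `ssl=False` versus an `ssl.SSLContext` that keeps verification on and merely adds the issuer the server failed to send, plus a classifier that turns OpenSSL's verify code into a log-friendly root cause (the "unable to get local issuer certificate" code is ComEd's incomplete-chain case). The intermediate PEM argument and the error-constructing helper are assumptions for offline use; the values to pass to `session.get(url, ssl=...)` are returned rather than sent anywhere.

```python
import ssl

# OpenSSL X509 verify result codes surfaced as
# ssl.SSLCertVerificationError.verify_code (openssl/x509_vfy.h).
ERR_CERT_HAS_EXPIRED = 10
ERR_DEPTH_ZERO_SELF_SIGNED = 18
ERR_SELF_SIGNED_IN_CHAIN = 19
ERR_UNABLE_TO_GET_ISSUER_LOCALLY = 20  # "unable to get local issuer certificate"
ERR_HOSTNAME_MISMATCH = 62


def strict_context(extra_ca_pem=None):
    """System trust store + CERT_REQUIRED + hostname check, optionally
    extended with one more issuer (the intermediate the server omitted)."""
    ctx = ssl.create_default_context()
    if extra_ca_pem is not None:
        ctx.load_verify_locations(cadata=extra_ca_pem)  # adds, never replaces
    return ctx

def aiohttp_ssl_argument(disable_verification=False, extra_ca_pem=None):
    """Value for session.get(url, ssl=...).  False is what the PR proposed:
    aiohttp then accepts any certificate, self-signed included."""
    if disable_verification:
        return False
    return strict_context(extra_ca_pem)

def describe_ssl_argument(arg):
    """What aiohttp will actually enforce for a given ssl= value."""
    if arg is False:
        return {"verifies_chain": False, "checks_hostname": False}
    return {"verifies_chain": arg.verify_mode == ssl.CERT_REQUIRED,
            "checks_hostname": bool(arg.check_hostname)}

def classify_verify_failure(exc):
    """Name the root cause so a log line says 'incomplete_chain' (ComEd's
    case) rather than a generic handshake failure."""
    return {
        ERR_UNABLE_TO_GET_ISSUER_LOCALLY: "incomplete_chain",
        ERR_DEPTH_ZERO_SELF_SIGNED: "self_signed",
        ERR_SELF_SIGNED_IN_CHAIN: "untrusted_root",
        ERR_CERT_HAS_EXPIRED: "expired",
        ERR_HOSTNAME_MISMATCH: "hostname_mismatch",
    }.get(getattr(exc, "verify_code", None), "other")

def constructed_verify_error(code):
    """Constructed stand-in for the exception OpenSSL raises (offline demo)."""
    exc = ssl.SSLCertVerificationError("constructed for this example")
    exc.verify_code = code
    return exc
```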
Looks like they fixed it, it's working for me now suddenly with no changes required in HA. The entity just started responding.
Care to point me to some simple instructions for modifying and testing integrations? For now, I just copied the code to a custom_components directory. Is this sound? Do I have to rename it uniquely or will it override the built-in comed_hourly_pricing integration?
All information regarding the development of Home Assistant can be found on our developers portal. https://developers.home-assistant.io/docs/development_environment
Thanks, with the documentation help I at least got my own version functioning now with the SSL bypass. I'll see if I can fix it properly with the suggestions on those two pages I referenced.
Can probably close this PR now -- ComEd fixed the certificate on their end.
Yes I went another route and filed regulatory and watchdog group complaints. The watchdog group responded immediately that they sent it to the right person in the company along with instructions on how to fix the certificate.
Alright, since this issue has been resolved upstream, I'm going to close this PR. ../Frenck