Custom CA

quick question …
Can HW connect to the Vera using SSL?
AND (more important) … does HW respect the built-in certificates?

I plan on securing the Vera better, since everyone knows the port can basically unlock my house with a simple TCP string being sent.

So the idea is to simply use HTTPS but limit the access to a certain set of certificates (including my developer certificate I have on the phone).
That should do the job; the question is, does HomeWave also read these installed certificates?

HW does not use SSL to connect on the LAN.

The idea to secure the connection by means of certificates is interesting… are there some best practices for this, and specifically for Vera? If so, I can add SSL with the option to load a cert from Dropbox.

Hi,

I access my Veralite from HW using a VPN connection established with the OpenVPN software on the client (iPhone) and on a DD-WRT router in my house. On my client I've installed a digital certificate controlled by the OpenVPN software on the router.

My HW is configured with the local IP address of Veralite.

Don

You can use an SSL tunnel on Vera.
You can authenticate using certificates with SSL on Vera … you will need to look up the details for dropbear (SSL on Vera).
You will have to port forward some port on your router to port 22 on Vera.

All of this is equivalent to establishing a VPN, except you have to do a little more work on the mobile side … You will need an SSL app that,
when you attach to a port XXX on the phone, will establish a link via SSL to Vera and open port yyy on Vera. I know Android has an app for that!

Note that you normally talk to Vera through two ports: port 80 (the web server on Vera) and port 3480 (the LuaUPnP engine).
If you are not network savvy … this can all get complicated quickly.
It is, however, fairly secure.

It turns out that I have not thought that through for a production solution … :wink:

Anyway:

[quote=“intveltr, post:2, topic:184321”]HW does not use SSL to connect on the LAN.

The idea to secure the connection by means of certificates is interesting… are there some best practices for this, and specifically for Vera? If so, I can add SSL with the option to load a cert from Dropbox.[/quote]

Well, LAN is fine, as via LAN it's connecting directly anyway.
But the "internet" option is an HTTP URL … so my idea was to simply use an HTTPS URL instead … and just use a certificate on the phone to authenticate the device on the Vera.

In my mind/case I will solve the SSL lack on the Vera itself without touching the Vera, by just proxying everything via a real Apache httpd which will require my certificates.

But this is hardly of production value then for HW, I guess, as most people are not gonna do this.

Guess we would need to figure out first if the Vera is actually capable (in some way) of supporting HTTPS.

I do that too … but that's just like humans building flyovers over pedestrian crossings …
it does not really solve the problem … it just diverts the danger :wink:

That will not work … because access for Vera uses two ports … 80 and 3480.
There is port forwarding on the web server by using http://…/port_3480/xxxxx instead of http://…:3480/xxxxx

But the normal web client uses port 3480 when it does not go through the MCV servers.

You can set up port 443 for the web browser to be accessible from the outside and configure it to use certificates … but the LuaUPnP program does not have a port that will accept an SSL connection.

It's not obvious … but your web application is talking to two different programs on Vera … the web server on Vera and the LuaUPnP program.

Accessing the Vera in a programmable fashion/API or from an external app requires just ONE port: 3480!
If you do need port 80 for any reason to make an external app or control work, your code has some serious flaws …

Btw. it's also not really a big deal to have SSL on port 80 AND 3480 :wink:
A simple call like this, https://yourhost:80 or ssl+http://yourhost, would do the trick.

HomeWave does not need port 80 either … and nor does any other app I would ever use :wink:

This was planned from day 1 for port 3480 only anyway … the Vera's port 80 was never available from the outside network anyway.

So I had the same plan … have an lsws instance listen on the public interface on port 3480, manage the certificate auth, and just use a virtual web app or a small Ruby app doing the forwarding and masquerading to the Vera itself … the Vera will not know any difference and the clients won't either …
with just the difference that the ones NOT having my CA installed simply get an SSL error …

I think I will give it a try in the next few days and just check if HomeWave maybe cooperates if I just use https or ssl+http instead of http :wink:

However, the production value is still fairly low, since not everyone has a spare Apache or lsws at their disposal to babysit the Vera's nonexistent security.
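The proxy arrangement sketched in this last post, written out as an added example that is not from the thread, from HomeWave or from Vera: an Apache httpd 2.4 virtual host terminating TLS on the public port 3480, accepting only client certificates issued by a private CA, and forwarding the authenticated requests unchanged to the Vera's LuaUPnP port on the LAN. The Vera address 192.168.1.50, the hostname vera.example.com and the paths under /etc/apache2/ssl/ are placeholders; mod_ssl, mod_proxy and mod_proxy_http are assumed to be loaded.

```apache
# Added example, not from the thread. Apache comments must sit on their own
# lines, which is why none of them trail a directive below.

# Listen on the same port the clients already use for the Vera, but with TLS.
Listen 3480 https

<VirtualHost *:3480>
    # Placeholder hostname; the server certificate must match it.
    ServerName vera.example.com

    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # Server certificate and key (placeholder paths).
    SSLCertificateFile    /etc/apache2/ssl/proxy.crt
    SSLCertificateKeyFile /etc/apache2/ssl/proxy.key

    # Mutual TLS: only clients presenting a certificate signed by the private
    # CA complete the handshake. A phone without one gets the "SSL error"
    # the post describes, before any request reaches the Vera.
    SSLCACertificateFile /etc/apache2/ssl/homeautomation-ca.crt
    SSLVerifyClient      require
    # Client certificates are issued directly by the CA, no intermediates.
    SSLVerifyDepth       1
    # Optional: revoke a lost phone's certificate instead of re-issuing all.
    # SSLCARevocationFile  /etc/apache2/ssl/homeautomation-ca.crl
    # SSLCARevocationCheck chain

    # Forward the authenticated request unchanged to the LuaUPnP engine on
    # the LAN. Only the Vera's 3480 is proxied; its port 80 web server is
    # never exposed, matching the post's "port 3480 only" plan.
    ProxyRequests    Off
    ProxyPreserveHost On
    ProxyPass        "/" "http://192.168.1.50:3480/"
    ProxyPassReverse "/" "http://192.168.1.50:3480/"

    # Log the client certificate's CN with each request, so a command sent
    # through the proxy is attributable to a specific phone.
    LogFormat "%h %{SSL_CLIENT_S_DN_CN}x \"%r\" %>s" vera_mtls
    CustomLog /var/log/apache2/vera_mtls.log vera_mtls
</VirtualHost>
```

Forward external port 3480 on the router to the proxy host only, so the Vera itself stays unreachable from outside.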