HomeGenie Forum
Development => Feature request => Topic started by: Fmstrat on July 29, 2015, 11:29:45 PM
-
Hi,
I've done some searching and did run across this year and a half old thread (http://www.homegenie.it/forum/index.php?topic=107.msg431#msg431 (http://www.homegenie.it/forum/index.php?topic=107.msg431#msg431)) but figured it would be better to start a new one with more details since it was so old (and I'm guessing the response there is no longer valid)
Security is a very important thing with tools like HomeGenie, especially for those using the IP Camera or security system features. The lack of SSL is a big, big turn-off for me in HG, and I'm somewhat surprised it isn't for others either. For instance, a simple sniff of packets could get the codes sent to disarm an alarm connected to HG.
So, this request is to enable SSL support. I propose this be handled in phases:
- Phase 1
- Mobile
- Update settings field in mobile apps to accept current (IP:PORT) format and future format (HOSTNAME:PORT)
- Add settings field toggle for SSL on/off
- Add settings field toggle for "Accept all certificates" to handle those using unvalidated self-signed certs
- Update URL request functions in mobile apps to check format, and use the appropriate connection string with SSL security verification on certs based on the "Accept all certificates" field
- Server
- Ensure JS functions all leverage relative URLs to ensure everything stays in SSL (currently URLs are built that have "http" or the IP/hostname hard-coded
- Update documentation to show how to set up nginx environment as a proxy with a sample config file
- Phase 2
- Server
- Add HTTP configuration fields for specifying a custom cert location, or using a built-in self-signed certificate
-
Hi,
I've done some searching and did run across this year and a half old thread ([url]http://www.homegenie.it/forum/index.php?topic=107.msg431#msg431[/url] ([url]http://www.homegenie.it/forum/index.php?topic=107.msg431#msg431[/url])) but figured it would be better to start a new one with more details since it was so old (and I'm guessing the response there is no longer valid)
Security is a very important thing with tools like HomeGenie, especially for those using the IP Camera or security system features. The lack of SSL is a big, big turn-off for me in HG, and I'm somewhat surprised it isn't for others either. For instance, a simple sniff of packets could get the codes sent to disarm an alarm connected to HG.
So, this request is to enable SSL support. I propose this be handled in phases:
A lot of user could be interested in. But you have different way to do without :
- Use a VPN to connect to your local network on internet
- Don't access outside the house
- Accessible by internet on "exotic" port (to be more difficult to find by hacker) and access by internet only on "secure" access (not on wifi access point you don't know or open wifi access)
"Mobile" is for you Android App and Windows Phone app ?
The android app and old windows phone app has no real development for now. Gene do a long time ago update, but nobody else "work" on. Nico start to develop a new windows phone app (but actually less function than the old one).
So if you are good in app developments (or other HG user), you are welcome to "work" on :)
Update settings field in mobile apps to accept current (IP:PORT) format and future format (HOSTNAME:PORT)
I already use a "dns name" for "IP".
update documentation to show how to set up nginx environment as a proxy with a sample config file
I already configure it and it was not very hard to. And it work fine with a webbrowser (but not with apps).
Bye
-
- Use a VPN to connect to your local network on internet
- Don't access outside the house
- Accessible by internet on "exotic" port (to be more difficult to find by hacker) and access by internet only on "secure" access (not on wifi access point you don't know or open wifi access)
I already do all of these things (except using VPN when accessing from outside), but there is still concern with passing the password in open text even on an internal network.
"Mobile" is for you Android App and Windows Phone app ?
The android app and old windows phone app has no real development for now. Gene do a long time ago update, but nobody else "work" on. Nico start to develop a new windows phone app (but actually less function than the old one).
So if you are good in app developments (or other HG user), you are welcome to "work" on :)
Ahh, had not realized they hadn't been updated in a while. When I finish ownNote, perhaps I'll look into an ionic app that would work in Android/iOS/WP.
I already use a "dns name" for "IP".
Yea, I realize now that would work (but it was really just support for enabling validation of certs with SSL)
update documentation to show how to set up nginx environment as a proxy with a sample config file
I already configure it and it was not very hard to. And it work fine with a webbrowser (but not with apps).
I noticed Firefox reporting that unsecure content was being loaded, even through the proxy. The below two errors come up, the second of which seems to be the culprit. Looks like it's just a font reference issue.
[/list]GET https://automation:21443/hg/html/js/i18n/jquery.ui.datepicker-en.js?_=1438288258314 404 Not Found 41ms
Blocked loading mixed active content "http://fonts.googleapis.com/css?family=Oxygen:400,700&subset=latin,latin-ext" https://automation:21443/hg/html/js/jquery-2.0.2.min.js Line 4
Looks like a result of this line: https://github.com/genielabs/HomeGenie/blob/7215410355c98ccce564e4b68d5d0865947df476/BaseFiles/Common/html/js/api/homegenie.webapp.js#L128
I'll put in an issue ticket on GitHub with a request to pull that JS file locally and use a relative URL so we can feel safe not seeing that mixed content icon in the URL bar.
Thanks!
-
Created an issue and a pull request for the font issue on GitHub. Thanks.
-
Hi,
I went it to look at the Android app, and I'm totally lost in one area. Is com.glabs.homegenie.client.Control buried in a precompiled Jar somewhere? This is where the getHgBaseAddress comes from, but I can't locate the source for that anywhere.
Thanks.
*edit*
Nevermind. Found it: https://github.com/genielabs/HomeGenie-Android-ClientLib
*edit2*
I can't for the life of me figure out how to get this to compile/integrate in Android Studio. Could you provide a run down of how your environment is set up?
-
*edit*
Nevermind. Found it: https://github.com/genielabs/HomeGenie-Android-ClientLib
*edit2*
I can't for the life of me figure out how to get this to compile/integrate in Android Studio. Could you provide a run down of how your environment is set up?
as you can read in the read me note, the ClientLib is meant to be imported into Eclispse. I've also been trying to port the ClientLib to Android Studio, but did not find a way to create a stand-alone android library project with it.
g.
-
as you can read in the read me note, the ClientLib is meant to be imported into Eclispse. I've also been trying to port the ClientLib to Android Studio, but did not find a way to create a stand-alone android library project with it.
As luck would have it, I just figured this out. It's a round-about way, but I use Android Studio and do this:
- Import clientlib from GitHub
- Tools > Rebuild project
- Browse to <project>/out/production/HomeGenie-Android-ClientLib
- Run "jar cf test.jar *"
- Import HomeGenie-Android into Android Studio from GitHub
- Remove clientlib from libraries, insert test.jar
This seems to work for me. There has to be an automated way to create the JAR, but I have no idea how. Playing around in Control.java now to see if SSL will work with any simple changes.
-
Unless you know something I don't, it looks like all the HTTP requests need to get rewritten to support SSL.
I'm thinking HG could use a standard HTTP library like http-request. Here's my fork with some HTTPS TLS v1.1/1.2 fixes: https://github.com/Fmstrat/http-request
If I get time, I'll look to integrate.
-
Unless you know something I don't, it looks like all the HTTP requests need to get rewritten to support SSL.
What are you thinking exactly ?
I didn't inspect to be sure that all request are really "s". But that seems to work (except my autosign certificate ;-)).
-
Unless you know something I don't, it looks like all the HTTP requests need to get rewritten to support SSL.
What are you thinking exactly ?
I didn't inspect to be sure that all request are really "s". But that seems to work (except my autosign certificate ;-)).
Sorry, the above comment was specific to Android.
-
Since your calls were already synchronous and in AsyncTasks, it was actually pretty easy to migrate over to the HttpRequest library and away from the deprecated HttpGet.
So far I've got the app working using HttpRequest and standard HTTP. Next up I'll add in SSL support including my TLS v1.1/1.2 patches and do a pull request.
-
Alright, SSL is fully functional in my fork of the Android app and client library. Here's the compares:
https://github.com/genielabs/HomeGenie-Android-ClientLib/compare/master...Fmstrat:master
https://github.com/genielabs/HomeGenie-Android/compare/master...Fmstrat:master
I've got one thing left to do before I send the pull request over, but I may need your assistance. I think it may be UPnP, but I'm not sure. There is an HTTP call that is happening about once every second that I can't locate.
I think MAYBE it has to do with this line: https://github.com/Fmstrat/HomeGenie-Android/blob/master/HomeGenieAndroid/HomeGenie/src/com/glabs/homegenie/util/UpnpManager.java#L177 since it's part of the service. Perhaps it's pulling the non-proxied port number and replacing the one in settings?
In any event, can you point me in the direction of the call that is repeated over and over? Thanks.
*Edit* Another thing I noticed is it continues to try to query even when the app is backgrounded. This could be causing some serious battery issues if the service is constantly pinging.
*Edit2* Actually, I think it's in the EventSourceClientHandler in the client library. I'm moving through it, but am not at all familiar with how this works. :)
*Edit3* Figured out it's in EventSource.java, where the netty channel pipeline is created. HomeGenie was using a really old version of netty which didn't have SSL support. Unfortunately the addLast call changed between 4.0.0 and 4.0.30, and I'm not at all familiar with netty so it's taking forever to figure out.
*Edit4* For anyone following, I've got Netty upgraded finally. They changed the API around so I had to convert some code. Now I just need to get an SSLContext in there, and it will be good to go.
-
OK, it's all working and the pull requests are in:
ClientLib: https://github.com/genielabs/HomeGenie-Android-ClientLib/pull/1
App: https://github.com/genielabs/HomeGenie-Android/pull/10
I also identified and fixed a bug that was draining the battery by calling the server every 1 second when the application was backgrounded or the screen turned off. You will see that commit pointed out in the pull request notes for the App.
In the clientlib, I took out one line of logging that was running every 1 second as well to keep from filling the logcat on devices that may run this 24/7 as a home control app.
Thanks!
*EDIT* I would be happy to write instructions for nginx for the site, too, but this is the config that works:
server {
listen <YOUR-PORT-HERE>;
server_name <YOUR-HOST-HERE.COM>
gzip on;
gzip_proxied any;
gzip_types text/css text/plain text/xml application/xml application/javascript application/x-javascript text/javascript application/json text/$
gzip_vary on;
ssl on;
ssl_certificate /opt/certs/<YOUR-CERTIFICATE-INCLUDING-CA>.cer;
ssl_certificate_key /opt/certs/<YOUR-KEY>.key;
ssl_session_cache shared:SSL:10m;
keepalive_requests 0;
location / {
proxy_pass http://localhost;
proxy_set_header X-Real-IP $remote_addr;
}
}
-
Hi Fmstrat,
Thank you for digging into the security problematic and for your contribution.
This was also my interest, so I setup stunnel (https://www.stunnel.org) (running as front-end to HG on my Raspberry Pi). I'm using CAcert.org (http://CAcert.org) server certificate.
Here is how to configure stunnel as requested by a forum reader.
README for stunnel configuration on raspberry pi
================================================
1. Install the Package
----------------------
sudo apt-get update
sudo apt-get install stunnel
root@raspberrypi:/etc/stunnel# apt-cache show stunnel4
Package: stunnel4
Version: 3:4.53-1.1
Architecture: armhf
Maintainer: Luis Rodrigo Gallardo Cruz <[email protected]>
Installed-Size: 445
Pre-Depends: adduser
Depends: libc6 (>= 2.13-28), libssl1.0.0 (>= 1.0.0), libwrap0 (>= 7.6-4~), zlib1g (>= 1:1.1.4), openssl, netbase, perl-modules
Suggests: logcheck-database
Breaks: stunnel (<< 3:4.20-3)
Replaces: stunnel
Provides: stunnel
Homepage: http://www.stunnel.org/ (http://www.stunnel.org/)
Priority: optional
Section: net
Filename: pool/main/s/stunnel4/stunnel4_4.53-1.1_armhf.deb
Size: 176588
SHA256: 21a2515a94cbe9d58e9a5b1298a573c7753bf4ed3a45c3e1d845c7faebfe5167
SHA1: ef9862f3f97414574f6304369c66f0d296377a31
MD5sum: 5974e6e0792b3d1ebf849be68c766460
Description: Universal SSL tunnel for network daemons
The stunnel program is designed to work as SSL encryption
wrapper between remote client and local (inetd-startable) or
remote server. The concept is that having non-SSL aware daemons
running on your system you can easily setup them to
communicate with clients over secure SSL channel.
.
stunnel can be used to add SSL functionality to commonly
used inetd daemons like POP-2, POP-3 and IMAP servers
without any changes in the programs' code.
.
This package contains a wrapper script for compatibility with stunnel 3.x
2. Copy your Private and public keys into /etc/stunnel
------------------------------------------------------
I'm using CAcert.org (http://CAcert.org) as CA and make them sign my certificates. See procedure below:
# Become Root
sudo -s
# Go in stunnel configuration folder
cd /etc/stunnel/
# Create the private key and certificate signing request
openssl req -nodes -sha256 -newkey rsa:2048 -keyout home.mydomain.net_ssl.key -out home.mydomain.net_ssl.csr
# Secure the files
chmod 600 *
# display the CSR information
openssl req -in home.mydomain.net_ssl.csr -text -noout
# Display the CSR file to copy it
cat home.mydomain.net_ssl.csr
# paste this in the server certificate request in cacert.org
https://www.cacert.org/account.php?id=10 (https://www.cacert.org/account.php?id=10)
# Copy the result in home.mydomain.net_ssl.crt
cat > home.mydomain.net_ssl.crt
# Secure the files
chmod 600 *
wget -O cacert-root.crt "http://www.cacert.org/certs/root.crt"
wget -O cacert-class3.crt "http://www.cacert.org/certs/class3.crt"
cat home.mydomain.net_ssl.crt cacert_class3.crt cacert_root.crt > all_cert_chain.crt
cp /usr/share/doc/stunnel4/examples/stunnel.conf-sample stunnel.conf
chmod 600 *
chown stunnel4.stunnel4 *
# Update /etc/default/stunnel4 to set ENABLED=1
vi /etc/default/stunnel4
3. Configure stunnel
--------------------
Edit file /etc/stunnel/stunnel.conf , here comments are stripped out
Minimal file:
-------------
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/stunnel4.pid
debug = 7
output = /var/log/stunnel4/stunnel.log
cert = /etc/stunnel/my.domain.com_ssl.crt
key = /etc/stunnel/my.domain.com_ssl.key
; all_cert_chain.crt contains all certificates *.crt concatenated (cacert_root.crt and cacert_class3.crt and my.domain.com_ssl.crt)
CAfile = /etc/stunnel/all_cert_chain.crt
options = NO_SSLv2
[https]
accept = 443
connect = 80
4. Start stunnel
----------------
service stunnel4 start
# Check logs /var/log/stunnel4/stunnel.log to see if all ok
# connect to HG using https://home.mydomain.net/hg (https://home.mydomain.net/hg) and enjoy...
Cheers!
-
Fmstrat,
thanks for all your work on this. does this make hg secure from remote access, or only to android app? there was a tgrea that showed the password could be recovered by a remote site, does your change prevent that?
-
This was also my interest, so I setup stunnel ([url]https://www.stunnel.org[/url]) (running as front-end to HG on my Raspberry Pi). I'm using CAcert.org ([url]http://CAcert.org[/url]) server certificate.
Thanks, your stunnel configuration seems similar to my nginx one. Pretty much any proxy solution would work, and I'm sure the dev's would be happy to get example config files for any service.
thanks for all your work on this. does this make hg secure from remote access, or only to android app? there was a tgrea that showed the password could be recovered by a remote site, does your change prevent that?
Hi, the part that makes HG secure is the proxy. Basically, I use a piece of software called nginx to act as a proxy, so when I go to https://external.server.name/ (https://external.server.name/) it proxies to http://localhost (http://localhost). This means the insecure traffic only exists on the local machine, and not on the network. This is the part that I offered to write instructions on, but am waiting to hear back from the developers. With nginx setup properly, using the web browser to access HG remotely is secure.
The changes I made to the Android app just allow it to connect to HG through nginx securely, just like through the Web Browser.
Thanks.
-
Frmstat - thank you for all your incredible work on this. It sounds really great.
Has a document been written (or is one planned) that describes how to install and use these items?
Thanks!
Jerry
-
Any word from Gene if he will be pulling this in for a new HG release (been a while)?
-
Is the modified homegenie app, which from i understand support https connection, is available or can be available somewhere?
i'm using nginx as https proxy and i would like to test it with android app too
-
Will security improvement be included into recent/new HG build while accessing HG outside home firewall via browser?
-
Do you mean without using nginx ?
I have just try with nginx and android app, it work fine ! :)
-
Any update on this thread? Is the way to get security to use a VPN/Reverse Proxy or has HTTPS support been added?
What about secure coms using the android app?
Also, looks like ca-certificates-mono is no longer in the raspbian distro.. Not sure if it's required anymore?