more G-Labs products

Author Topic: Security fix: SSL Support natively or via proxy (nginx)  (Read 8432 times)

July 29, 2015, 11:29:45 PM
Read 8432 times

Fmstrat

  • **
  • Information
  • Jr. Member
  • Posts: 34
Hi,

I've done some searching and did run across this year and a half old thread (http://www.homegenie.it/forum/index.php?topic=107.msg431#msg431) but figured it would be better to start a new one with more details since it was so old (and I'm guessing the response there is no longer valid)

Security is a very important thing with tools like HomeGenie, especially for those using the IP Camera or security system features. The lack of SSL is a big, big turn-off for me in HG, and I'm somewhat surprised it isn't for others either. For instance, a simple sniff of packets could get the codes sent to disarm an alarm connected to HG.

So, this request is to enable SSL support. I propose this be handled in phases:
  • Phase 1
    • Mobile
      • Update settings field in mobile apps to accept current (IP:PORT) format and future format (HOSTNAME:PORT)
      • Add settings field toggle for SSL on/off
      • Add settings field toggle for "Accept all certificates" to handle those using unvalidated self-signed certs
      • Update URL request functions in mobile apps to check format, and use the appropriate connection string with SSL security verification on certs based on the "Accept all certificates" field
    • Server
      • Ensure JS functions all leverage relative URLs to ensure everything stays in SSL (currently URLs are built that have "http" or the IP/hostname hard-coded
      • Update documentation to show how to set up nginx environment as a proxy with a sample config file
  • Phase 2
    • Server
      • Add HTTP configuration fields for specifying a custom cert location, or using a built-in self-signed certificate

July 30, 2015, 09:21:51 PM
Reply #1

nolio

  • *****
  • Information
  • Global Moderator
  • Posts: 544
Hi,
I've done some searching and did run across this year and a half old thread (http://www.homegenie.it/forum/index.php?topic=107.msg431#msg431) but figured it would be better to start a new one with more details since it was so old (and I'm guessing the response there is no longer valid)

Security is a very important thing with tools like HomeGenie, especially for those using the IP Camera or security system features. The lack of SSL is a big, big turn-off for me in HG, and I'm somewhat surprised it isn't for others either. For instance, a simple sniff of packets could get the codes sent to disarm an alarm connected to HG.

So, this request is to enable SSL support. I propose this be handled in phases:

A lot of user could be interested in. But you have different way to do without :
  • Use a VPN to connect to your local network on internet
  • Don't access outside the house
  • Accessible by internet on "exotic" port (to be more difficult to find by hacker) and access by internet only on "secure" access (not on wifi access point you don't know or open wifi access)
"Mobile" is for you Android App and Windows Phone app ?
The android app and old windows phone app has no real development for now. Gene do a long time ago update, but nobody else "work" on. Nico start to develop a new windows phone app (but actually less function than the old one).
So if you are good in app developments (or other HG user), you are welcome to "work" on :)

Update settings field in mobile apps to accept current (IP:PORT) format and future format (HOSTNAME:PORT)

I already use a "dns name" for "IP".
update documentation to show how to set up nginx environment as a proxy with a sample config file

I already configure it and it was not very hard to. And it work fine with a webbrowser (but not with apps).

Bye

July 30, 2015, 10:37:31 PM
Reply #2

Fmstrat

  • **
  • Information
  • Jr. Member
  • Posts: 34
    Quote
    • Use a VPN to connect to your local network on internet
    • Don't access outside the house
    • Accessible by internet on "exotic" port (to be more difficult to find by hacker) and access by internet only on "secure" access (not on wifi access point you don't know or open wifi access)


    I already do all of these things (except using VPN when accessing from outside), but there is still concern with passing the password in open text even on an internal network.

    Quote
    "Mobile" is for you Android App and Windows Phone app ?
    The android app and old windows phone app has no real development for now. Gene do a long time ago update, but nobody else "work" on. Nico start to develop a new windows phone app (but actually less function than the old one).
    So if you are good in app developments (or other HG user), you are welcome to "work" on :)


    Ahh, had not realized they hadn't been updated in a while. When I finish ownNote, perhaps I'll look into an ionic app that would work in Android/iOS/WP.

    I already use a "dns name" for "IP".


    Yea, I realize now that would work (but it was really just support for enabling validation of certs with SSL)

    Quote
    update documentation to show how to set up nginx environment as a proxy with a sample config file

    I already configure it and it was not very hard to. And it work fine with a webbrowser (but not with apps).


    I noticed Firefox reporting that unsecure content was being loaded, even through the proxy. The below two errors come up, the second of which seems to be the culprit. Looks like it's just a font reference issue.

    [/list]
    Code: [Select]
    GET https://automation:21443/hg/html/js/i18n/jquery.ui.datepicker-en.js?_=1438288258314 404 Not Found 41ms
    Blocked loading mixed active content "http://fonts.googleapis.com/css?family=Oxygen:400,700&subset=latin,latin-ext" https://automation:21443/hg/html/js/jquery-2.0.2.min.js Line 4

    Looks like a result of this line: https://github.com/genielabs/HomeGenie/blob/7215410355c98ccce564e4b68d5d0865947df476/BaseFiles/Common/html/js/api/homegenie.webapp.js#L128

    I'll put in an issue ticket on GitHub with a request to pull that JS file locally and use a relative URL so we can feel safe not seeing that mixed content icon in the URL bar.

    Thanks!

    July 30, 2015, 11:08:25 PM
    Reply #3

    Fmstrat

    • **
    • Information
    • Jr. Member
    • Posts: 34
    Created an issue and a pull request for the font issue on GitHub. Thanks.

    July 31, 2015, 08:04:20 PM
    Reply #4

    Fmstrat

    • **
    • Information
    • Jr. Member
    • Posts: 34
    Hi,

    I went it to look at the Android app, and I'm totally lost in one area. Is com.glabs.homegenie.client.Control buried in a precompiled Jar somewhere? This is where the getHgBaseAddress comes from, but I can't locate the source for that anywhere.

    Thanks.

    *edit*
    Nevermind. Found it: https://github.com/genielabs/HomeGenie-Android-ClientLib

    *edit2*
    I can't for the life of me figure out how to get this to compile/integrate in Android Studio. Could you provide a run down of how your environment is set up?
    « Last Edit: July 31, 2015, 08:24:29 PM by Fmstrat »

    July 31, 2015, 08:50:15 PM
    Reply #5

    Gene

    • *****
    • Information
    • Administrator
    • Posts: 1472
    • Tangible is the future!
      • Yet Another Programmer

    *edit*
    Nevermind. Found it: https://github.com/genielabs/HomeGenie-Android-ClientLib

    *edit2*
    I can't for the life of me figure out how to get this to compile/integrate in Android Studio. Could you provide a run down of how your environment is set up?

    as you can read in the read me note, the ClientLib is meant to be imported into Eclispse. I've also been trying to port the ClientLib to Android Studio, but did not find a way to create a stand-alone android library project with it.

    g.



    July 31, 2015, 09:24:07 PM
    Reply #6

    Fmstrat

    • **
    • Information
    • Jr. Member
    • Posts: 34
    as you can read in the read me note, the ClientLib is meant to be imported into Eclispse. I've also been trying to port the ClientLib to Android Studio, but did not find a way to create a stand-alone android library project with it.

    As luck would have it, I just figured this out. It's a round-about way, but I use Android Studio and do this:
    • Import clientlib from GitHub
    • Tools > Rebuild project
    • Browse to <project>/out/production/HomeGenie-Android-ClientLib
    • Run "jar cf test.jar *"
    • Import HomeGenie-Android into Android Studio from GitHub
    • Remove clientlib from libraries, insert test.jar

    This seems to work for me. There has to be an automated way to create the JAR, but I have no idea how. Playing around in Control.java now to see if SSL will work with any simple changes.

    August 07, 2015, 04:43:15 AM
    Reply #7

    Fmstrat

    • **
    • Information
    • Jr. Member
    • Posts: 34
    Unless you know something I don't, it looks like all the HTTP requests need to get rewritten to support SSL.

    I'm thinking HG could use a standard HTTP library like http-request. Here's my fork with some HTTPS TLS v1.1/1.2 fixes: https://github.com/Fmstrat/http-request

    If I get time, I'll look to integrate.

    August 07, 2015, 08:30:13 AM
    Reply #8

    nolio

    • *****
    • Information
    • Global Moderator
    • Posts: 544
    Unless you know something I don't, it looks like all the HTTP requests need to get rewritten to support SSL.
    What are you thinking exactly ?
    I didn't inspect to be sure that all request are really "s". But that seems to work (except my autosign certificate ;-)).

    August 07, 2015, 02:06:42 PM
    Reply #9

    Fmstrat

    • **
    • Information
    • Jr. Member
    • Posts: 34
    Unless you know something I don't, it looks like all the HTTP requests need to get rewritten to support SSL.
    What are you thinking exactly ?
    I didn't inspect to be sure that all request are really "s". But that seems to work (except my autosign certificate ;-)).

    Sorry, the above comment was specific to Android.

    August 07, 2015, 07:32:47 PM
    Reply #10

    Fmstrat

    • **
    • Information
    • Jr. Member
    • Posts: 34
    Since your calls were already synchronous and in AsyncTasks, it was actually pretty easy to migrate over to the HttpRequest library and away from the deprecated HttpGet.

    So far I've got the app working using HttpRequest and standard HTTP. Next up I'll add in SSL support including my TLS v1.1/1.2 patches and do a pull request.

    August 07, 2015, 11:20:17 PM
    Reply #11

    Fmstrat

    • **
    • Information
    • Jr. Member
    • Posts: 34
    Alright, SSL is fully functional in my fork of the Android app and client library. Here's the compares:

    https://github.com/genielabs/HomeGenie-Android-ClientLib/compare/master...Fmstrat:master
    https://github.com/genielabs/HomeGenie-Android/compare/master...Fmstrat:master

    I've got one thing left to do before I send the pull request over, but I may need your assistance. I think it may be UPnP, but I'm not sure. There is an HTTP call that is happening about once every second that I can't locate.

    I think MAYBE it has to do with this line: https://github.com/Fmstrat/HomeGenie-Android/blob/master/HomeGenieAndroid/HomeGenie/src/com/glabs/homegenie/util/UpnpManager.java#L177 since it's part of the service. Perhaps it's pulling the non-proxied port number and replacing the one in settings?

    In any event, can you point me in the direction of the call that is repeated over and over? Thanks.

    *Edit* Another thing I noticed is it continues to try to query even when the app is backgrounded. This could be causing some serious battery issues if the service is constantly pinging.

    *Edit2* Actually, I think it's in the EventSourceClientHandler in the client library. I'm moving through it, but am not at all familiar with how this works. :)

    *Edit3* Figured out it's in EventSource.java, where the netty channel pipeline is created. HomeGenie was using a really old version of netty which didn't have SSL support. Unfortunately the addLast call changed between 4.0.0 and 4.0.30, and I'm not at all familiar with netty so it's taking forever to figure out.

    *Edit4* For anyone following, I've got Netty upgraded finally. They changed the API around so I had to convert some code. Now I just need to get an SSLContext in there, and it will be good to go.
    « Last Edit: August 08, 2015, 06:13:04 PM by Fmstrat »

    August 12, 2015, 10:35:42 PM
    Reply #12

    Fmstrat

    • **
    • Information
    • Jr. Member
    • Posts: 34
    OK, it's all working and the pull requests are in:

    ClientLib: https://github.com/genielabs/HomeGenie-Android-ClientLib/pull/1
    App: https://github.com/genielabs/HomeGenie-Android/pull/10

    I also identified and fixed a bug that was draining the battery by calling the server every 1 second when the application was backgrounded or the screen turned off. You will see that commit pointed out in the pull request notes for the App.

    In the clientlib, I took out one line of logging that was running every 1 second as well to keep from filling the logcat on devices that may run this 24/7 as a home control app.

    Thanks!

    *EDIT* I would be happy to write instructions for nginx for the site, too, but this is the config that works:
    Code: [Select]
    server {
            listen <YOUR-PORT-HERE>;
            server_name <YOUR-HOST-HERE.COM>
            gzip             on;
            gzip_proxied     any;
            gzip_types       text/css text/plain text/xml application/xml application/javascript application/x-javascript text/javascript application/json text/$
            gzip_vary        on;
            ssl on;
            ssl_certificate /opt/certs/<YOUR-CERTIFICATE-INCLUDING-CA>.cer;
            ssl_certificate_key /opt/certs/<YOUR-KEY>.key;
            ssl_session_cache shared:SSL:10m;
            keepalive_requests 0;

            location / {
                    proxy_pass              http://localhost;
                    proxy_set_header        X-Real-IP $remote_addr;
            }
    }
    « Last Edit: August 12, 2015, 10:41:42 PM by Fmstrat »

    August 12, 2015, 11:50:03 PM
    Reply #13

    AutoBob

    • *
    • Information
    • Newbie
    • Posts: 5
    Hi Fmstrat,

    Thank you for digging into the security problematic and for your contribution.

    This was also my interest, so I setup stunnel (running as front-end to HG on my Raspberry Pi). I'm using CAcert.org server certificate.

    Here is how to configure stunnel as requested by a forum reader.


    README for stunnel configuration on raspberry pi
    ================================================

    1. Install the Package
    ----------------------

    sudo apt-get update
    sudo apt-get install stunnel

    [email protected]:/etc/stunnel# apt-cache show stunnel4
    Package: stunnel4
    Version: 3:4.53-1.1
    Architecture: armhf
    Maintainer: Luis Rodrigo Gallardo Cruz <[email protected]>
    Installed-Size: 445
    Pre-Depends: adduser
    Depends: libc6 (>= 2.13-28), libssl1.0.0 (>= 1.0.0), libwrap0 (>= 7.6-4~), zlib1g (>= 1:1.1.4), openssl, netbase, perl-modules
    Suggests: logcheck-database
    Breaks: stunnel (<< 3:4.20-3)
    Replaces: stunnel
    Provides: stunnel
    Homepage: http://www.stunnel.org/
    Priority: optional
    Section: net
    Filename: pool/main/s/stunnel4/stunnel4_4.53-1.1_armhf.deb
    Size: 176588
    SHA256: 21a2515a94cbe9d58e9a5b1298a573c7753bf4ed3a45c3e1d845c7faebfe5167
    SHA1: ef9862f3f97414574f6304369c66f0d296377a31
    MD5sum: 5974e6e0792b3d1ebf849be68c766460
    Description: Universal SSL tunnel for network daemons
     The stunnel program is designed to work  as  SSL  encryption
     wrapper between remote client and local (inetd-startable) or
     remote server. The concept is that having non-SSL aware daemons
     running  on  your  system you can easily setup them to
     communicate with clients over secure SSL channel.
     .
     stunnel can be used to add  SSL  functionality  to  commonly
     used  inetd  daemons  like  POP-2,  POP-3  and  IMAP servers
     without any changes in the programs' code.
     .
     This package contains a wrapper script for compatibility with stunnel 3.x

    2. Copy your Private and public keys into /etc/stunnel
    ------------------------------------------------------

    I'm using CAcert.org as CA and make them sign my certificates. See procedure below:

    # Become Root
    sudo -s
    # Go in stunnel configuration folder
    cd /etc/stunnel/
    # Create the private key and certificate signing request
    openssl req -nodes -sha256 -newkey rsa:2048 -keyout home.mydomain.net_ssl.key -out home.mydomain.net_ssl.csr
    # Secure the files
    chmod 600 *
    # display the CSR information
    openssl req -in home.mydomain.net_ssl.csr -text -noout
    # Display the CSR file to copy it
    cat home.mydomain.net_ssl.csr
    # paste this in the server certificate request in cacert.org
    https://www.cacert.org/account.php?id=10

    # Copy the result in home.mydomain.net_ssl.crt
    cat > home.mydomain.net_ssl.crt
    # Secure the files
    chmod 600 *
    wget -O cacert-root.crt "http://www.cacert.org/certs/root.crt"
    wget -O cacert-class3.crt "http://www.cacert.org/certs/class3.crt"
    cat home.mydomain.net_ssl.crt cacert_class3.crt cacert_root.crt > all_cert_chain.crt
    cp /usr/share/doc/stunnel4/examples/stunnel.conf-sample stunnel.conf
    chmod 600 *
    chown stunnel4.stunnel4 *
    # Update /etc/default/stunnel4 to set ENABLED=1
    vi /etc/default/stunnel4


    3. Configure stunnel
    --------------------

    Edit file /etc/stunnel/stunnel.conf , here comments are stripped out

    Minimal file:
    -------------

    setuid = stunnel4
    setgid = stunnel4
    pid = /var/run/stunnel4/stunnel4.pid
    debug = 7
    output = /var/log/stunnel4/stunnel.log
    cert = /etc/stunnel/my.domain.com_ssl.crt
    key = /etc/stunnel/my.domain.com_ssl.key
    ; all_cert_chain.crt contains all certificates *.crt concatenated (cacert_root.crt and cacert_class3.crt and my.domain.com_ssl.crt)
    CAfile = /etc/stunnel/all_cert_chain.crt
    options = NO_SSLv2
    [https]
    accept  = 443
    connect = 80

    4. Start stunnel
    ----------------
    service stunnel4 start
    # Check logs /var/log/stunnel4/stunnel.log to see if all ok
    # connect to HG using https://home.mydomain.net/hg and enjoy...



    Cheers!
    « Last Edit: January 17, 2016, 06:34:04 PM by AutoBob »
    AutoBob.

    August 13, 2015, 02:52:00 AM
    Reply #14

    kevin1

    • *****
    • Information
    • Hero Member
    • Posts: 330
    Fmstrat,

    thanks for all your work on this.  does this make hg secure from remote access, or only to android app?  there was a tgrea that showed the password could be recovered by a remote site, does your change prevent that?