Home Assistant release (hass --version):
0.22
Python release (python3 --version):
3.4
Component/platform:
https
Description of problem:
The command openssl s_client -connect hass.local.net:8443 -ssl3 indicates that SSLv3 is supported by default. SSLv3 is deprecated.
Expected:
While I understand that HA platforms often have to integrate with outdated platforms that require legacy protocols, this should not be an issue for the (potentially) externally facing webserver.
Problem-relevant configuration.yaml entries and steps to reproduce:
openssl s_client -connect hass.local.net:8443 -ssl3
Traceback (if applicable):
Additional info:
Yes, from a security POV, SSLv3 should be disabled (see http://disablessl3.com/#why; the PCI compliance standard even says to disable TLS1.0 as well now, per https://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/). If there are compatibility concerns, then this should be configurable.
For anyone searching for this in the meantime, you can set up nginx in front of HASS and twiddle the SSL options as much as you like in it, which is what I did.
I agree. PR welcome. It's in the http component.
The docs for eventlet.wrap_ssl(...) (https://github.com/home-assistant/home-assistant/blob/dev/homeassistant/components/http.py#L296) indicate the interface matches this: https://docs.python.org/3/library/ssl.html#ssl.wrap_socket
Looks like it should actually be pretty straightforward to add a config option. I am tempted to add an optional config for ciphers, but that may be a bit of feature creep.
The big question I have now is: what to default to? Old behavior or non-deprecated behavior?
@danieljkemp non-deprecated should probably be the default. In general HA is only supported in newer browsers that should have similar SSL support.
If you are looking to find which ciphers and configurations are recommended, look no further than Mozilla's security config generator.
https://mozilla.github.io/server-side-tls/ssl-config-generator/
It stays up to date with the latest recommendations.
I am down to follow the Mozilla recommendations to the letter. Not making it configurable.
Mozilla intermediate then? I see the modern one doesn't support 4.X devices which could be problematic. Following a well defined spec is a good idea. Something easy for us to point at for justification.
@danieljkemp would you be able to submit a PR? Mozilla Intermediate sounds reasonable.
I am working on a PR, I'll try to post it tomorrow
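As an added example (not Home Assistant's http.py, not eventlet code, and not from any participant in this thread), here is how a server-side context built through Python's ssl module, the interface the thread notes eventlet.wrap_ssl mirrors, can refuse SSLv3 outright and optionally TLS 1.0 as well, while offering only forward-secret AEAD suites. The function names, the cipher list and the weak-cipher pattern are this example's own assumptions; the cipher list is an approximation of a Mozilla intermediate-style profile, not a copy of the generator's output, and the real list should be taken from the generator when it is wired into the component.

```python
"""Server-side TLS context that refuses SSLv3 and, optionally, TLS 1.0.

Added example for this thread: it is not Home Assistant's http.py and not
eventlet code. Function names are made up for illustration.
"""
import re
import ssl

# Approximation of a Mozilla "intermediate"-style list, restricted here to
# forward-secret AEAD suites. Constructed for this example; take the real,
# current list from Mozilla's generator rather than copying this one.
INTERMEDIATE_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
])

# Suite names that should never appear in what the server offers
# (assumed pattern for this example).
WEAK_CIPHER_PATTERN = re.compile(r"RC4|DES|NULL|EXPORT|MD5", re.I)


def build_tls_context(certfile=None, keyfile=None, allow_tls10=True):
    """Build a context the way a wrap_ssl/wrap_socket call site could.

    PROTOCOL_SSLv23 (the Python 3.4 spelling; PROTOCOL_TLS in newer
    releases) negotiates the highest version both sides support, and the
    OP_NO_* bits remove the versions we refuse. SSLv2 and SSLv3 are always
    refused; TLS 1.0 is refused when allow_tls10 is False (the PCI point
    raised in the thread). Python 3.10+ already refuses TLS 1.0/1.1 by
    default through minimum_version; the explicit bits are what a 3.4-era
    context needs.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    if not allow_tls10:
        ctx.options |= ssl.OP_NO_TLSv1
    # Let the server, not the client, pick the suite from the allowed list.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.set_ciphers(INTERMEDIATE_CIPHERS)
    if certfile is not None:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def refused_versions(ctx):
    """Names of the protocol versions the context will not negotiate."""
    flags = {
        "SSLv3": ssl.OP_NO_SSLv3,
        "TLSv1": ssl.OP_NO_TLSv1,
        "TLSv1.1": ssl.OP_NO_TLSv1_1,
    }
    return sorted(name for name, bit in flags.items() if bit and ctx.options & bit)


def weak_ciphers(ctx):
    """Cipher names the context would still offer that match the weak pattern.

    SSLContext.get_ciphers() exists from Python 3.6; on 3.4 you would have
    to inspect the string passed to set_ciphers instead.
    """
    return [c["name"] for c in ctx.get_ciphers()
            if WEAK_CIPHER_PATTERN.search(c["name"])]


if __name__ == "__main__":
    strict = build_tls_context(allow_tls10=False)
    print("refused:", refused_versions(strict))
    print("weak suites offered:", weak_ciphers(strict))
```

To confirm the change from outside, rerun the probe from the report: openssl s_client -connect hass.local.net:8443 -ssl3 should now end in a handshake failure instead of printing a negotiated session. One caveat: OpenSSL builds from 1.1.0 onward drop SSLv3 support and reject the -ssl3 option itself, so the probe only proves something when run from a client whose OpenSSL still speaks SSLv3.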