Author Topic: Setup https on Vera.  (Read 23904 times)

Offline mhn

  • Full Member
  • ***
  • Posts: 152
  • Karma: +0/-0
Re: Setup https on Vera.
« Reply #15 on: May 29, 2011, 02:27:16 pm »
I have not tried it since UI2. I don't use my Vera.

Offline Henk

  • Hero Member
  • *****
  • Posts: 820
  • Karma: +3/-0
Re: Setup https on Vera.
« Reply #16 on: May 29, 2011, 02:47:56 pm »
> I have not tried it since UI2. I don't use my Vera.

Shame.. you were dissatisfied?
What did you do with your Vera?
| Vera2 @ UI4 1.1.1350 / 3.20 | Vera Lite @ UI5 | Vera 3 @ UI5 | 2x Merten  504519 | 1x Duewi  064374 | 1x Everspring SM103 doorbell mod |1 Y-cam IP cam | various LUUP plugins |

Offline mhn

  • Full Member
  • ***
  • Posts: 152
  • Karma: +0/-0
Re: Setup https on Vera.
« Reply #17 on: May 29, 2011, 03:42:17 pm »
It's on my desk, and I play with it once in a while, but it will never control my house, hence I don't use much time on it.

Offline Henk

  • Hero Member
  • *****
  • Posts: 820
  • Karma: +3/-0
Re: Setup https on Vera.
« Reply #18 on: May 29, 2011, 03:43:36 pm »
> It's on my desk, and I play with it once in a while, but it will never control my house, hence I don't use much time on it.

Sounds a bit like my Action man figure :D
Thanks for your replies
| Vera2 @ UI4 1.1.1350 / 3.20 | Vera Lite @ UI5 | Vera 3 @ UI5 | 2x Merten  504519 | 1x Duewi  064374 | 1x Everspring SM103 doorbell mod |1 Y-cam IP cam | various LUUP plugins |

Offline Henk

  • Hero Member
  • *****
  • Posts: 820
  • Karma: +3/-0
SSL for Vera, secure communications?
« Reply #19 on: May 29, 2011, 04:37:50 pm »
A few years ago it seemed possible to set up ssl for Vera for local connections.
Is there anyone out there knowledgeable about the current status?

Of course a secure connection through cp.mios.com is possible for remote connections.
Also a local login can be enforced (strangely not locally but only through cp.mios.com, but that has already been discussed in a separate thread here).

Think of it.. There are security devices out there capable of encryption (locks etc)
But if anyone were to hack your local network, he could simply sniff your network communication and get to your Vera.

For those situations a local SSL connection would very much improve security IMHO

So unless i read thread 528 wrong, Vera's underlying architecture and OS should be able to provide this....
Any takers?
« Last Edit: March 09, 2012, 03:52:03 pm by oTi@ »
| Vera2 @ UI4 1.1.1350 / 3.20 | Vera Lite @ UI5 | Vera 3 @ UI5 | 2x Merten  504519 | 1x Duewi  064374 | 1x Everspring SM103 doorbell mod |1 Y-cam IP cam | various LUUP plugins |

Offline futzle

  • Beta Testers
  • Master Member
  • *****
  • Posts: 3260
  • Karma: +192/-9
Re: SSL for Vera, secure communications?
« Reply #20 on: May 29, 2011, 06:22:11 pm »
> So unless i read thread 528 wrong, Vera's underlying architecture and OS should be able to provide this....
> Any takers?

It might work.  I did some messing about with the Vera HTTP daemon (lighttpd) this morning.

1. On a real computer, generate a self-signed SSL key:
Code:
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes

2. Copy the file server.pem to somewhere on the Vera.

3. Add this section to /etc/lighttpd.conf:
Code:
$SERVER["socket"] == ":443" {
  ssl.engine  = "enable"
  ssl.pemfile = "/path/to/server.pem"
}

4. Restart lighttpd:
Code:
/etc/init.d/lighttpd restart

With this, the Vera is definitely able to serve web pages on port 443 over SSL.  Wireshark picked up nothing but SSL chat.

All the usual spiel about self-signed certificates applies.

This isn't a complete solution: Vera listens on three other ports, and those connections aren't encrypted.  It may not be a solution at all, given that my Vera rebooted once during this test.  SSL adds a great deal more CPU load to a machine, so I'd have fears for the stability of Vera doing constant SSL.

If anyone wants to take this further, please post your experiences here.

Offline hightop32

  • Jr. Member
  • **
  • Posts: 91
  • Karma: +0/-0
Re: SSL for Vera, secure communications?
« Reply #21 on: June 22, 2011, 11:41:09 am »
> So unless i read thread 528 wrong, Vera's underlying architecture and OS should be able to provide this....
> Any takers?
>
> It might work.  I did some messing about with the Vera HTTP daemon (lighttpd) this morning.
>
> 1. On a real computer, generate a self-signed SSL key:
> Code:
> openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
>
> 2. Copy the file server.pem to somewhere on the Vera.
>
> 3. Add this section to /etc/lighttpd.conf:
> Code:
> $SERVER["socket"] == ":443" {
>   ssl.engine  = "enable"
>   ssl.pemfile = "/path/to/server.pem"
> }
>
> 4. Restart lighttpd:
> Code:
> /etc/init.d/lighttpd restart
>
> With this, the Vera is definitely able to serve web pages on port 443 over SSL.  Wireshark picked up nothing but SSL chat.
>
> All the usual spiel about self-signed certificates applies.
>
> This isn't a complete solution: Vera listens on three other ports, and those connections aren't encrypted.  It may not be a solution at all, given that my Vera rebooted once during this test.  SSL adds a great deal more CPU load to a machine, so I'd have fears for the stability of Vera doing constant SSL.
>
> If anyone wants to take this further, please post your experiences here.


nice work, i appreciate your investigation into this feature yourself, something that should have been implemented/considered from day one.  very disconcerting that it is seemingly crashing the vera. 

Offline gilles

  • Full Member
  • ***
  • Posts: 106
  • Karma: +0/-0
Re: SSL for Vera, secure communications?
« Reply #22 on: August 07, 2011, 04:10:24 pm »
Hi all,

I bought a vera this week and I'm very surprised that there is no ssl on this device.

Nowadays, a minimum of security is a login and password with ssl encryption.

If there is a man in the middle, he just has to sniff the LAN and he could do what he wants with my house.

I'm disappointed.

If MCV reads this: I think Vera has to incorporate SSL encryption natively in the OS, as a patch goes away every time the firmware is updated.

So please add ssl encryption, so it will be secure.

Thank you.

Gilles.

Offline not12bhere

  • Sr. Newbie
  • *
  • Posts: 27
  • Karma: +1/-0
Re: SSL for Vera, secure communications?
« Reply #23 on: August 28, 2011, 12:00:45 am »
People have been asking for ssl local access for years now. It is clear that mcv is going the opposite direction with the vera product and making it into a local device with third party only access. If that wasn't the goal, we would have had ssl in vera long ago. Now we barely have local account access. Still a neat device...

Offline waynebrady

  • Full Member
  • ***
  • Posts: 110
  • Karma: +0/-0
SSL
« Reply #24 on: March 08, 2012, 09:21:07 pm »
Possible to easily add SSL with either UI4 or 5?

Offline RichardTSchaefer

  • Community Beta
  • Master Member
  • ******
  • Posts: 10091
  • Karma: +764/-143
Re: SSL
« Reply #25 on: March 08, 2012, 09:37:31 pm »
SSH is on the box for ALL vera platforms. When Vera boots it creates a secure SSH tunnel to mios.com. When you connect to mios.com when you are not at home, you are forwarded back to your device through this secure tunnel.

It should be secure to do a port forward to port 22 on your Vera to allow remote SSH access to your box directly (without the need for mios.com). If you are SSH savvy you can also use the same tunnel to securely access your IP cameras when you are not at home.

You can log in to the Vera root account with your Vera password. (This is NOT your mios password.) Search the forums for how to get this for Vera3 and Vera Lite. It's on the bottom of your Vera2 box.

However, if you want to use certificates to eliminate the need for passwords, the public keys go in the file /etc/dropbear/authorized_keys as opposed to the ~/.ssh/ directory for most Linux distributions.

Offline garrettwp

  • Master Member
  • *******
  • Posts: 6371
  • Karma: +227/-128
  • Vera 3, Lite, ISY994
Re: SSL
« Reply #26 on: March 09, 2012, 06:47:27 am »
I have had my vera 3 working with ssl. Here are the steps that I used. Use at your own risk:


Step 1: I first created a certificate on my linux workstation, since openssl is not installed on Vera:

Code:
cd /tmp
openssl req -new -x509 -keyout vera.pem -out vera.pem -days 365 -nodes

This key is good for one year, or you can change 365 to any number of days you like.

Step 2: Create the proper directories on vera

Code:
ssh root@veraip
mkdir -p /etc/ssl/certs

Step 3: Copy certificate from workstation over to vera.

Code:
scp /tmp/vera.pem root@veraip:/etc/ssl/certs

Step 4: On Vera copy /usr/bin/lighttpd_ssl.sh to /etc/

Code:
ssh root@veraip
cp /usr/bin/lighttpd_ssl.sh /etc/lighttpd_ssl.sh

Step 5: Modify /etc/lighttpd_ssl.sh

Code:
vi /etc/lighttpd_ssl.sh

Change the following line: ssl_file="/etc/mios/sslcerts/CERTIFICATES/local.mios.com.pem" to ssl_file="/etc/ssl/certs/vera.pem"

Remove the line: exit 0

Step 6: Modify /etc/lighttpd.conf

Code:
vi /etc/lighttpd.conf

Find the section that contains SSL engine

Comment out the line: include_shell "/usr/bin/lighttpd_ssl.sh"

Add line below the commented out line: include_shell "/etc/lighttpd_ssl.sh"

Step 7: Restart lighttpd

Code:
/etc/init.d/lighttpd restart

You should now be able to access vera's web interface via ssl on port 443. You can change the ssl port to anything you want. You will need to modify /etc/lighttpd_ssl.sh and change the line \$SERVER["socket"] == ":443" where 443 is the number you want to change, for example \$SERVER["socket"] == ":4443"

Also note that when a firmware upgrade happens, the lighttpd.conf file gets overwritten and step 6 would need to be applied again.

- Garrett
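
A check for the caveat at the end of the post above (a firmware upgrade overwrites /etc/lighttpd.conf), added here as an example and not part of the original post. The function name `check_vera_ssl` and its three path arguments are assumptions, so it can be run on the Vera or against copies of the files; it assumes `grep` and `find` support the POSIX options used.

```shell
#!/bin/sh
# Added example: audit the files changed in steps 4-6 of the post above.
# Usage: check_vera_ssl <lighttpd.conf> <lighttpd_ssl.sh> <cert.pem>
# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_vera_ssl() {
    conf=$1; script=$2; pem=$3; rc=0

    # Step 6: the custom script must be included on an uncommented line.
    if ! grep -Eq '^[[:space:]]*include_shell[[:space:]]+"/etc/lighttpd_ssl\.sh"' "$conf"; then
        echo "FAIL: $conf does not include /etc/lighttpd_ssl.sh (firmware upgrade?)"
        rc=1
    fi
    # Step 6: the stock include must stay commented out.
    if grep -Eq '^[[:space:]]*include_shell[[:space:]]+"/usr/bin/lighttpd_ssl\.sh"' "$conf"; then
        echo "FAIL: $conf includes the stock /usr/bin/lighttpd_ssl.sh"
        rc=1
    fi
    # Step 5: the copy must point at the new certificate...
    if ! grep -Fq 'ssl_file="/etc/ssl/certs/vera.pem"' "$script"; then
        echo "FAIL: $script does not set ssl_file=/etc/ssl/certs/vera.pem"
        rc=1
    fi
    # ...and the 'exit 0' line that the post removes must be gone.
    if grep -Eq '^[[:space:]]*exit[[:space:]]+0[[:space:]]*$' "$script"; then
        echo "FAIL: $script still contains 'exit 0'"
        rc=1
    fi
    # The PEM was created with -nodes, so it holds an unencrypted private
    # key: it must exist and must not be readable by group or others.
    if [ ! -f "$pem" ]; then
        echo "FAIL: $pem is missing"
        rc=1
    elif [ -n "$(find "$pem" \( -perm -040 -o -perm -004 \))" ]; then
        echo "FAIL: $pem is group- or world-readable (chmod 600)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: configuration matches steps 4-6"
    return "$rc"
}
# On the Vera:
# check_vera_ssl /etc/lighttpd.conf /etc/lighttpd_ssl.sh /etc/ssl/certs/vera.pem
```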

Offline waynebrady

  • Full Member
  • ***
  • Posts: 110
  • Karma: +0/-0
Re: SSL
« Reply #27 on: March 09, 2012, 02:50:36 pm »
Thanks for the instructions Garrett. Any ideas if this would go smoothly on a Vera2/UI4?

Offline garrettwp

  • Master Member
  • *******
  • Posts: 6371
  • Karma: +227/-128
  • Vera 3, Lite, ISY994
Re: SSL
« Reply #28 on: March 09, 2012, 03:43:49 pm »
Not sure, it can not hurt to see if it works. I know it works running on Vera 2 and UI 5.

- Garrett

Offline boingolover

  • Sr. Newbie
  • *
  • Posts: 25
  • Karma: +0/-0
Re: Setup https on Vera.
« Reply #29 on: March 09, 2012, 07:02:39 pm »
I have used this thread to do something similar, though I actually have my own local CA that I sign my keys with.  Though it's still "self signed", I distribute my CA cert to all devices that I might use to remotely access anything in my house, such as mine and my wife's Android phones, our laptops etc.  "Self-signed" certs can actually be more secure than those signed with public CA's, provided you're careful with the distribution of your CA cert and you never click "okay, I trust you", but manually add your CA cert and never communicate with an unrecognized device.
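
The approach described in the post above, as an added example that is not from the original post: a private CA signs the Vera's certificate, and only the CA certificate is installed on client devices. The function name, file names, the CA subject name and the address passed in are assumptions; it is meant to run on a workstation with OpenSSL, since the thread notes openssl is not installed on the Vera.

```shell
#!/bin/sh
# Added example (not from the thread): private CA + CA-signed certificate.
# Usage: make_vera_cert <outdir> <vera-ip>     (names are assumptions)
# Result in <outdir>: ca.key   - CA private key, never leaves the workstation
#                     ca.pem   - CA certificate, import on phones/laptops
#                     vera.pem - key + certificate for lighttpd ssl.pemfile
make_vera_cert() (
    umask 077                          # keys are created mode 600
    mkdir -p "$1" && cd "$1" || exit 1
    ip=$2

    # Own config, so the result does not depend on the system openssl.cnf.
    cat > openssl.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Home Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = IP:$ip
EOF

    # 1. Trust anchor: self-signed CA certificate, valid 10 years.
    openssl req -x509 -config openssl.cnf -extensions v3_ca -newkey rsa:2048 \
        -nodes -sha256 -days 3650 -keyout ca.key -out ca.pem &&
    # 2. Server key and signing request; CN is the address clients type.
    openssl req -new -config openssl.cnf -subj "/CN=$ip" -newkey rsa:2048 \
        -nodes -keyout vera.key -out vera.csr &&
    # 3. CA signs the request; the SAN is what modern clients match on.
    openssl x509 -req -in vera.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -sha256 -days 365 -extfile openssl.cnf -extensions v3_srv -out vera.crt &&
    # 4. lighttpd's ssl.pemfile takes key and certificate in one file.
    cat vera.key vera.crt > vera.pem &&
    # 5. Confirm the chain before copying vera.pem to the Vera.
    openssl verify -CAfile ca.pem vera.crt
)
```

Only vera.pem goes to the Vera; clients that have imported ca.pem then validate the connection without a click-through warning.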