
Advanced => Security => Topic started by: mhn on February 19, 2009, 07:07:23 am

Title: Setup https on Vera.
Post by: mhn on February 19, 2009, 07:07:23 am
Hi.

Can one of you tell me how to set up SSL on Vera?

I have a Windows certification server in my home, which I would like to use. But a self generated certificate would also be okay.

To me it looks like only a part of OpenSSL is installed on Vera?

Lighttpd seems easy to set up. But maybe I am missing something. :-)


Regards
Morten
Title: Re: Setup https on Vera.
Post by: micasaverde on February 20, 2009, 03:36:50 pm
We don't have an SSL cert on Vera itself.  For remote access, we put one on findvera.com, of course.  I'm not sure if lighttpd supports ssl, but, if so, it should work.  It's open, so you can reconfigure the conf files.  Just do a factory reset if it gets messed up.
Title: Re: Setup https on Vera.
Post by: mhn on February 24, 2009, 04:33:29 pm
My Vera runs https. :-)
Title: Re: Setup https on Vera.
Post by: ykmag on February 25, 2009, 03:08:18 am
Please tell how you managed to do that.
Title: Re: Setup https on Vera.
Post by: mhn on February 25, 2009, 03:52:29 am
In short.

I unpacked the openssl util ipk pack.

copied openssl to /usr/bin on Vera and used it.

I will try to make a small HowTo within a couple of days. :-)

If you read Danish (or use Google translations) there is a version 0.01 here:

http://zwaves.dk/forum/viewtopic.php?f=22&t=242
Title: Re: Setup https on Vera.
Post by: ykmag on February 25, 2009, 05:02:59 am
I am Norwegian so Danish is no problem ;D
Title: Re: Setup https on Vera.
Post by: ASIHome on July 01, 2009, 10:34:19 am
Did you ever create the HowTo for this for those of us who don't speak Danish?

Thanks,
Title: Re: Setup https on Vera.
Post by: mhn on July 01, 2009, 12:50:02 pm
I never got around to it.

Terkild made a script, so my Howto seemed obsolete. :-)

log in to vera using telnet / ssh
go to /tmp/ dir
cd /tmp

Download ssl script
wget http://j0nas.dk/dump/vera_ssl.sh

Run script
sh vera_ssl.sh

Press "y" and enter to install ssl
The script now gets openssl and makes the necessary configuration.

Now you can use https://your_vera

Title: Re: Setup https on Vera.
Post by: ASIHome on July 01, 2009, 12:53:21 pm
Thank you.
Title: Re: Setup https on Vera.
Post by: mhn on July 01, 2009, 01:17:55 pm
Hmm I get 404 on Terkilds site.

A quick translation of my Danish version 0.0.1:

I got openssl-util_0.9.8j-1_mipsel.ipk

Renamed it to openssl-util_0.9.8j-1_mipsel.tar.gz

Unpacked it

Unpacked data.tar.gz

Copied the openssl file to /usr/bin on Vera

ssh or telnet to Vera

cd /etc/ssl

mkdir certs

cd certs

openssl req -new -x509 -keyout lighttpd.pem -out lighttpd.pem -days 365 -nodes

Answer the questions.

edit /etc/lighttpd.conf

add

$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/ssl/certs/lighttpd.pem"
}

Title: Re: Setup https on Vera.
Post by: mhn on July 01, 2009, 01:24:54 pm
Terkilds site works now. :-)
Title: Re: Setup https on Vera.
Post by: ASIHome on July 01, 2009, 05:29:26 pm
Works, however IE7/8 gets upset about the certificate. Any way to fix that?

Thanks,
Title: Re: Setup https on Vera.
Post by: mhn on July 01, 2009, 05:39:50 pm
Click on "Certificate error" beside the address bar.

Click "View certificate"

Click "Install Certificate"

next

Place all certificates in the following store

browse to "Trusted Root Certification Authorities"

Ok

Next

Yes (in pop up box)


My IE8 is still angry, but I get right in. :-)
Title: Re: Setup https on Vera.
Post by: mhn on July 01, 2009, 05:42:53 pm
It is more simple in Firefox.
Title: Re: Setup https on Vera.
Post by: Henk on May 29, 2011, 01:40:45 pm
Is there any update on this old post?
using https for vera would improve some security!
Title: Re: Setup https on Vera.
Post by: mhn on May 29, 2011, 02:27:16 pm
I have not tried it since UI2. I don't use my Vera.
Title: Re: Setup https on Vera.
Post by: Henk on May 29, 2011, 02:47:56 pm
I have not tried it since UI2. I don't use my Vera.

Shame.. you were dissatisfied?
What did you do with your Vera?
Title: Re: Setup https on Vera.
Post by: mhn on May 29, 2011, 03:42:17 pm
It's on my desk, and I play with it once in a while, but it will never control my house, hence I don't use much time on it.
Title: Re: Setup https on Vera.
Post by: Henk on May 29, 2011, 03:43:36 pm
It's on my desk, and I play with it once in a while, but it will never control my house, hence I don't use much time on it.

Sounds a bit like my Action man figure :D
Thanks for your replies
Title: SSL for Vera, secure communications?
Post by: Henk on May 29, 2011, 04:37:50 pm
A few years ago it seemed possible to set up ssl for Vera for local connections.
Is there anyone out there knowledgeable about the current status?

Of course a secure connection through cp.mios.com is possible for remote connections.
Also a local login can be enforced (strangely not locally but only through cp.mios.com, but that has already been discussed in a separate thread here (http://forum.mios.com/index.php?topic=6433.0))

Think of it.. There are security devices out there capable of encryption (locks etc)
But if anyone were to hack your local network, he could simply sniff your network communication and get to your Vera.

For those situations a local SSL connection would very much improve security IMHO

So unless i read thread 528 wrong, Vera's underlying architecture and OS should be able to provide this....
Any takers?
Title: Re: SSL for Vera, secure communications?
Post by: futzle on May 29, 2011, 06:22:11 pm
So unless i read thread 528 wrong, Vera's underlying architecture and OS should be able to provide this....
Any takers?

It might work.  I did some messing about with the Vera HTTP daemon (lighttpd) this morning.

1. On a real computer, generate a self-signed SSL key:
Code: [Select]
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
2. Copy the file server.pem to somewhere on the Vera.

3. Add this section to /etc/lighttpd.conf:
Code: [Select]
$SERVER["socket"] == ":443" {                                                     
  ssl.engine                  = "enable"                                         
  ssl.pemfile                 = "/path/to/server.pem"                                 
}

4. Restart lighttpd:
Code: [Select]
/etc/init.d/lighttpd restart
With this, the Vera is definitely able to serve web pages on port 443 over SSL.  Wireshark picked up nothing but SSL chat.

All the usual spiel about self-signed certificates applies.

This isn't a complete solution: Vera listens on three other ports, and those connections aren't encrypted.  It may not be a solution at all, given that my Vera rebooted once during this test.  SSL adds a great deal more CPU load to a machine, so I'd have fears for the stability of Vera doing constant SSL.

If anyone wants to take this further, please post your experiences here.
Title: Re: SSL for Vera, secure communications?
Post by: hightop32 on June 22, 2011, 11:41:09 am
So unless i read thread 528 wrong, Vera's underlying architecture and OS should be able to provide this....
Any takers?

It might work.  I did some messing about with the Vera HTTP daemon (lighttpd) this morning.

1. On a real computer, generate a self-signed SSL key:
Code: [Select]
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
2. Copy the file server.pem to somewhere on the Vera.

3. Add this section to /etc/lighttpd.conf:
Code: [Select]
$SERVER["socket"] == ":443" {                                                     
  ssl.engine                  = "enable"                                         
  ssl.pemfile                 = "/path/to/server.pem"                                 
}

4. Restart lighttpd:
Code: [Select]
/etc/init.d/lighttpd restart
With this, the Vera is definitely able to serve web pages on port 443 over SSL.  Wireshark picked up nothing but SSL chat.

All the usual spiel about self-signed certificates applies.

This isn't a complete solution: Vera listens on three other ports, and those connections aren't encrypted.  It may not be a solution at all, given that my Vera rebooted once during this test.  SSL adds a great deal more CPU load to a machine, so I'd have fears for the stability of Vera doing constant SSL.

If anyone wants to take this further, please post your experiences here.


nice work, i appreciate your investigation into this feature yourself, something that should have been implemented/considered from day one.  very disconcerting that it is seemingly crashing the vera. 
Title: Re: SSL for Vera, secure communications?
Post by: gilles on August 07, 2011, 04:10:24 pm
Hi all,

I bought a vera this week and I'm very surprised that there is no ssl on this device.

Nowadays, a minimum of security is a login and password with ssl encryption.

If there is a man in the middle, he just has to sniff the LAN and he could do what he wants with my house.

I'm disappointed.

If MCV reads this: I think Vera has to incorporate SSL encryption in the native OS, as a patch goes away every time the firmware is updated.

So please add ssl encryption, so it will be secure.

Thank you.

Gilles.
Title: Re: SSL for Vera, secure communications?
Post by: not12bhere on August 28, 2011, 12:00:45 am
People have been asking for ssl local access for years now. It is clear that mcv is going the opposite direction with the vera product and making it into a local device with third party only access. If that wasn't the goal, we would have had ssl in vera long ago. Now we barely have local account access. Still a neat device...
Title: SSL
Post by: waynebrady on March 08, 2012, 09:21:07 pm
Possible to easily add SSL with either UI4 or 5?
Title: Re: SSL
Post by: RichardTSchaefer on March 08, 2012, 09:37:31 pm
SSH is on the box for ALL vera platforms.
When Vera boots it creates a secure SSH tunnel to mios.com. When you connect to mios.com when you are not at home, you are forwarded back to your device through this secure tunnel.

It should be secure to do a port forward to port 22 on your Vera to allow remote SSH access to your box directly (without the need for mios.com). If you are SSH savvy you can also use the same tunnel to securely access your IP cameras when you are not at home.

You can log in to the Vera root account with your Vera password. (This is NOT your mios password) Search the forums for how to get this for Vera3 and Vera Lite. It's on the bottom of your Vera2 box.

However if you want to use certificates to eliminate the need for passwords the public keys go in the file /etc/dropbear/authorized_keys as opposed to the ~/.ssh/ directory for most linux distributions.
Title: Re: SSL
Post by: garrettwp on March 09, 2012, 06:47:27 am
I have had my vera 3 working with ssl. Here are the steps that I used. Use at your own risk:


Step 1: I first created a certificate on my linux workstation. Since openssl is not installed on Vera:

Code: [Select]
cd /tmp
openssl req -new -x509 -keyout vera.pem -out vera.pem -days 365 -nodes

This key is good for one year, or you can change 365 to any number of days you like.

Step 2: Create the proper directories on vera

Code: [Select]
ssh root@veraip
mkdir -p /etc/ssl/certs

Step 3: Copy certificate from workstation over to vera.

Code: [Select]
scp /tmp/vera.pem root@veraip:/etc/ssl/certs

Step 4: On Vera copy /usr/bin/lighttpd_ssl.sh to /etc/

Code: [Select]
ssh root@veraip
cp /usr/bin/lighttpd_ssl.sh /etc/lighttpd_ssl.sh

Step 5: Modify /etc/lighttpd_ssl.sh

Code: [Select]
vi /etc/lighttpd_ssl.sh

Change the following line: ssl_file="/etc/mios/sslcerts/CERTIFICATES/local.mios.com.pem" to ssl_file="/etc/ssl/certs/vera.pem"

Remove the line: exit 0

Step 6: Modify /etc/lighttpd.conf

Code: [Select]
vi /etc/lighttpd.conf

Find the section that contains SSL engine

Comment out the line: include_shell "/usr/bin/lighttpd_ssl.sh"

Add line below the commented out line: include_shell "/etc/lighttpd_ssl.sh"

Step 7: Restart lighttpd

Code: [Select]
/etc/init.d/lighttpd restart

You should now be able to access vera's web interface via ssl on port 443. You can change the ssl port to anything you want. You will need to modify /etc/lighttpd_ssl.sh and change the line \$SERVER["socket"] == ":443", where 443 is the number you want to change, to, for example, \$SERVER["socket"] == ":4443"

Also note that when a firmware upgrade happens, the lighttpd.conf file gets overwritten and step 6 would need to be applied again.

- Garrett
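
Added example, not part of any post in this thread: a check for the combined key-and-certificate file that the procedures above create with `-nodes` and `-days 365`, covering a missing key or certificate, loose file permissions on the unencrypted key, and approaching expiry. The function names, finding labels and 30-day threshold are assumptions; with the include_shell layout from the post above, call audit_pemfile on the certificate path directly.

```shell
#!/bin/sh
# Added example, not from the thread: audit the PEM that lighttpd's ssl.pemfile points at.
# Function names, finding labels and the 30-day threshold are assumptions.

# Print each ssl.pemfile path set in a lighttpd config file.
pemfiles_in_conf() {
    sed -n 's/^[[:space:]]*ssl\.pemfile[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Print one finding per line for a combined key+cert PEM; no output means clean.
audit_pemfile() {   # $1 = PEM path, $2 = warn when expiry is within N days
    pem=$1; days=${2:-30}
    [ -r "$pem" ] || { echo "MISSING $pem"; return 0; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" || echo "NOKEY $pem"
    # -nodes leaves the key unencrypted, so the file mode is its only protection.
    [ "$(ls -ldL "$pem" | cut -c5-10)" = "------" ] || echo "PERMS $pem"
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$pem"; then
        echo "NOCERT $pem"
    elif ! openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo "EXPIRING $pem"
    fi
}

# Audit every pemfile a config names.
audit_conf() {      # $1 = lighttpd.conf, $2 = days (optional)
    pemfiles_in_conf "$1" | while IFS= read -r p; do
        audit_pemfile "$p" "${2:-30}"
    done
}

# Run against a real config when given one: sh audit.sh /etc/lighttpd.conf
if [ "$#" -gt 0 ]; then
    audit_conf "$@"
else
    # Constructed sample: the thread's config stanza, pointing at a file that
    # holds a placeholder key, no certificate, and is world-readable.
    t=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' '(constructed placeholder)' \
        '-----END PRIVATE KEY-----' > "$t/server.pem"
    chmod 644 "$t/server.pem"
    printf '$SERVER["socket"] == ":443" {\n  ssl.engine = "enable"\n  ssl.pemfile = "%s"\n}\n' \
        "$t/server.pem" > "$t/lighttpd.conf"
    audit_conf "$t/lighttpd.conf"     # reports PERMS and NOCERT
fi
```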
Title: Re: SSL
Post by: waynebrady on March 09, 2012, 02:50:36 pm
Thanks for the instructions Garrett. Any ideas if this would go smoothly on a Vera2/UI4?
Title: Re: SSL
Post by: garrettwp on March 09, 2012, 03:43:49 pm
Not sure, it can not hurt to see if it works. I know it works running on Vera 2 and UI 5.

- Garrett
Title: Re: Setup https on Vera.
Post by: boingolover on March 09, 2012, 07:02:39 pm
I have used this thread to do something similar, though I actually have my own local CA that I sign my keys with.  Though it's still "self signed", I distribute my CA cert to all devices that I might use to remotely access anything in my house, such as mine and my wife's android phones, our laptops etc.  "Self-signed" certs can actually be more secure than those signed with public CA's, provided you're careful with the distribution of your CA cert and you never click "okay, I trust you", but manually add your CA cert and never communicate with an unrecognized device.
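
Added example, not part of the post above or the thread: one way to build the local-CA arrangement it describes with openssl, producing a CA certificate to import on client devices and a CA-signed vera.pem for lighttpd's ssl.pemfile, then verifying the chain and hostname. The hostname vera.home.example, the file names and the lifetimes are assumptions; the CA key stays on the workstation and only vera.pem goes to the Vera.

```shell
#!/bin/sh
# Added example, not from the thread: a private CA that signs the Vera's certificate.
# vera.home.example, the file names and the lifetimes are assumptions.
set -eu

make_vera_cert() {      # $1 = work dir (keep it off the Vera), $2 = hostname clients use
    d=$1; host=$2
    cat > "$d/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder-overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # 1. CA key + self-signed CA certificate; ca.crt is what clients import.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$d/pki.cnf" -extensions v3_ca -subj "/CN=Home CA (constructed)" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    # 2. Server key + signing request for the Vera.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/pki.cnf" \
        -subj "/CN=$host" -keyout "$d/vera.key" -out "$d/vera.csr" 2>/dev/null
    # 3. CA signs the request; the SAN carries the name browsers actually check.
    openssl x509 -req -in "$d/vera.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$d/pki.cnf" \
        -extensions v3_srv -out "$d/vera.crt" 2>/dev/null
    # 4. lighttpd's ssl.pemfile wants key and certificate in one file.
    ( umask 077; cat "$d/vera.key" "$d/vera.crt" > "$d/vera.pem" )
}

# Succeeds only if vera.crt chains to ca.crt as a TLS server cert and names $2.
verify_vera_cert() {    # $1 = work dir, $2 = hostname
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver "$1/vera.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$1/vera.crt" -noout -checkhost "$2" | grep -q 'does match'
}

work=$(mktemp -d)
make_vera_cert "$work" vera.home.example
verify_vera_cert "$work" vera.home.example && echo "OK: copy only $work/vera.pem to the Vera"
```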