TLS Errors when Konnected firmware calls Home Assistant : Konnected Help & Support

Malcolm Lashley

started a topic 7 months ago

So I have the device-discovery etc. part working, and ESPlorer shows Konnected trying to send updates when my sensors change - but the updates aren't "received" by HomeAssistant. My HA setup is TLS-enabled (using the DuckDNS addon) Doing a packet capture in the docker-container running HA, and filtering for the IP of the first Konnected device - I can see the TCP connection establish, and the SSL connection proceeds as expected:

=> Client Hello 
<= Server Hello 
<= Certificate, Server 
Key Exchange, Server 
Hello 
Done

And then, Konnected/NodeMCU's TLS implementation returns the following 'Decrypt Error' on the wire

Secure Sockets Layer TLSv1.2 
Record Layer: Alert (Level: Fatal, Description: Decrypt Error) 
Content Type: Alert (21) 
Version: TLS 1.2 (0x0303) 
Length: 2 
Alert Message Level: Fatal (2) 
Description: Decrypt Error (51)

I can obviously connect to HA using TLS from multiple browsers, and from the Linux 'openssl' command-line client. The relevant logs from the NodeMCU device are:

HTTP client: Disconnected with error: 46 
HTTP client: Connection timeout 
Heap:33472 HTTP Call: -1 state 1 pin 2 
E:M 528 
HTTP client: Disconnected with error: 46 
HTTP client: Connection timeout 
Heap:33288 HTTP Call: -1 state 0 pin 2 E:M 528 
HTTP client: Disconnected with error: 46 
HTTP client: Connection timeout 
Heap:33288HTTP Call:-1state1pin2

Any hints as to where to go next - I do know some lua, but I couldn't see if the Konnected scripts had any way to interrupt the boot process.

Konnected firmware 2.2-dev-malc NodeMCU 2.2.0.0 build 20180529 powered by Lua 5.1.4 on SDK 2.2.1(cfd48f3) Heap: 39840 Initializing Konnected Heap: 35280 Version: 2.2.0 Heap: 33656 Connecting to Wifi.. > Heap: 37720 Wifi connected with IP: 192.168.2.68 255.255.255.0 192.168.2.1 Heap: 37656 UPnP: Listening for UPnP discovery Heap: 37448 HTTP: Starting server at http://192.168.2.68:15675 Heap: 37280 Loaded: server Heap:32720 Initializing sensor pin:1 Heap: 32440 Loaded: application HTTP client: Disconnected with error: -11 HTTP client: Connection timeout Heap:36640 HTTP Call: -1 state 0 pin 1 Heap:35768 HTTP Call: 200 state 1 pin 1 E:M 1048 HTTP client: Disconnected with error: 46 HTTP client: Connection timeout Heap:34304 HTTP Call: -1 state 0 pin 1 Heap:35768 HTTP Call: 200 state 1 pin 1 Heap: 33416 Responded to UPnP Discovery request from 192.168.2.59:60202 Heap:35768 HTTP Call: 200 state 0 pin 1 Heap: 33408 Responded to UPnP Discovery request from 192.168.2.59:46434 Heap: 33408 Responded to UPnP Discovery request from 192.168.2.59:59048 Heap: 33408 Responded to UPnP Discovery request from 192.168.2.59:34432 E:M 1048 HTTP client: Disconnected with error: 46 HTTP client: Connection timeout Heap:34312 HTTP Call: -1 state 1 pin 1 HTTP client: Disconnected with error: -11 HTTP client: Connection timeout Heap:36144 HTTP Call: -1 state 0 pin 1 Heap:35776 HTTP Call: 200 state 1 pin 1 Heap:35776 HTTP Call: 200 state 0 pin 1

H

HassCr
said 7 months ago

I just spent a few hours on this and can confirm it is an issue. Hassio gets the initial sensor status but then will not receive updates if duck dns/SSL is enabled.
M

Malcolm Lashley
said 7 months ago

Ugh - the forum ate all my formatting... Thanks for the response. I'm gonna break out a spare NodeMCU board I have and see if I can't get it talking TLS to the same HA instance - that will at least prove whether this is specific to the Konnected firmware build or not. I really don't want to turn *off* TLS at this point.
H

HassCr
said 7 months ago

Hope someone find an easy fix for this. Only ideas I can think of are to see if it is possible to have a TLS connection facing the internet and a non TLS on a different port but only accessible on the Lan. Second idea is to have a dedicated HA install just for konnected and output the sensors to Mqtt to be picked up by the main HA install.
H

HassCr
said 7 months ago

This looks like a similar issue https://github.com/konnected-io/konnected-security/issues/60 If tls support is fixed won't we have another issue if it configures konnected to use the duckdns address instead of the local ip which will fail if the internet and dns server is down? It really needs to use a different port, maybe using a konnected addon for Hassio.
M

Malcolm Lashley
said 7 months ago

I did a custom build of Konnected firmware, but based on the NodeMCU -dev branch. (actually - I've done about 30 custom builds of the firmware to get this far ;-) But - some success - Konnected is now talking to my SSL-enabled HA instance. Now to rationalize those semi-random changes to figure out which are really needed. 2018-05-29 23:11:23 INFO (MainThread) [homeassistant.components.http.view] Serving /api/konnected/device/600194751d6b to 192.168.2.68 (auth: False) 2018-05-29 23:11:23 INFO (MainThread) [homeassistant.core] Bus:Handling , new_state=> 2018-05-29 23:11:33 INFO (MainThread) [homeassistant.components.http.view] Serving /api/konnected/device/600194751d6b to 192.168.2.68 (auth: False) 2018-05-29 23:11:33 INFO (MainThread) [homeassistant.core] Bus:Handling , new_state=>

said 7 months ago

So I did some more poking at this - I couldn't get consistent behaviour from Konnected when it tried to talk HTTPS to HA. Sometimes it worked, sometimes not, often toggling withing the same boot/NodeMCU build-variation etc.

I've switched HA to HTTP, and put an NGINX reverse proxy in front of it to serve SSL to the outside world for now, until Nate or someone can figure out the stability here.

Here's a sample of my SDK-2.2.1 based build (nodeMCU dev branch), sometimes working - sometimes not...

Build with 5120 SSL BUF and 2.2.1(NodeMCU-dev)

I *think* it has to do with the available heap - the failures all /seem/ to happen when it drops below 35K - but I don't have enough data to be 100% sure on that - just a hunch. I also need to get a switch for my test-rig - pulling a jumper lead off/on is getting tiresome ;-)

H

HassCr
said 6 months ago

I noticed that TLS was upgraded in the latest version of konnected to resolve the krack exploit. Has anyone tried an older version from before this upgrade?
R

Richard Walsh
said 6 months ago

Is there any update on a fix for this? Essentially my konnected alarm doesn't work!
H

HassCr
said 6 months ago

I need an update too to at least get a timescale. If it is going to be a drawn out fix, am wondering if I can achieve similar by using Hassio with the raspberry pi gpio as Hassio has built in support and also wired ethernet. I dis want to give konnected a go but can't use it without this feature.
s

sreknob
said 6 months ago

@HassCr - Yes, you can use the GPIO on RPi to achieve the same end result - See the HA documentation here regarding GPIO Binary Sensor and GPIO Switch.
I also am using HA behind a reverse proxy as I eventually found the same problem with using SSL.
I think the underlying issue is how NodeMCU handles SSL so I don't think there will be a fix for Konnected until it gets addressed by the NodeMCU main branch....
H

HassCr
said 6 months ago

There is some more discussion on this on the home assistant forums https://community.home-assistant.io/t/konnected-not-connecting-to-wifi/55787
s

sreknob
said 6 months ago

@HassCr - I don't think that thread is related to the SSL problem.
H

HassCr
said 6 months ago

Look at the end, Nate says there is no reason why it shouldn't work with ssl and he is going to look at it. He says it could be because konnected does not have all the ciphers installed to save memory.
H

HassCr
said 6 months ago

Sorry, just checked and I posted the wrong link Try this https://community.home-assistant.io/t/konnected-alarm-panel-connect-a-wired-alarm-system-to-ha-new-in-0-70/53620/21

TLS Errors when Konnected firmware calls Home Assistant

Topics in this forum

Didn't find what you were looking for?