TLS Errors when Konnected firmware calls Home Assistant

So I have the device-discovery etc. part working, and ESPlorer shows Konnected trying to send updates when my sensors change - but the updates aren't "received" by Home Assistant. My HA setup is TLS-enabled (using the DuckDNS addon). Doing a packet capture in the Docker container running HA, and filtering for the IP of the first Konnected device, I can see the TCP connection establish, and the SSL connection proceeds as expected:

=> Client Hello
<= Server Hello
<= Certificate, Server Key Exchange, Server Hello Done

And then Konnected/NodeMCU's TLS implementation returns the following 'Decrypt Error' on the wire:

Secure Sockets Layer TLSv1.2 
Record Layer: Alert (Level: Fatal, Description: Decrypt Error) 
Content Type: Alert (21) 
Version: TLS 1.2 (0x0303) 
Length: 2 
Alert Message Level: Fatal (2) 
Description: Decrypt Error (51) 

I can obviously connect to HA using TLS from multiple browsers, and from the Linux 'openssl' command-line client. The relevant logs from the NodeMCU device are: 

HTTP client: Disconnected with error: 46
HTTP client: Connection timeout
Heap:33472 HTTP Call: -1 state 1 pin 2
E:M 528
HTTP client: Disconnected with error: 46
HTTP client: Connection timeout
Heap:33288 HTTP Call: -1 state 0 pin 2
E:M 528
HTTP client: Disconnected with error: 46
HTTP client: Connection timeout
Heap:33288 HTTP Call: -1 state 1 pin 2

Any hints as to where to go next? I do know some Lua, but I couldn't see if the Konnected scripts had any way to interrupt the boot process.
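For anyone reproducing this capture, here is an added example (not from the thread or the Konnected project) that decodes the TLS 1.2 record-layer bytes seen above: it splits a byte stream into records, names the handshake messages, lists the cipher suites a ClientHello offers (useful when checking whether an embedded client and the server share any), and decodes alert records such as the fatal decrypt_error (level 2, description 51). The sample bytes at the bottom are constructed, not taken from the capture.

```python
import struct
CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
             14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
ALERT_DESC = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
              48: "unknown_ca", 51: "decrypt_error", 70: "protocol_version", 80: "internal_error"}

def client_hello_suites(hello: bytes) -> list[int]:
    """Cipher suite ids offered in a ClientHello body (skips version, random, session id)."""
    pos = 2 + 32 + 1 + hello[34]                 # client_version, random, session_id
    n = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", hello[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]

def parse_handshake(body: bytes) -> list[dict]:
    """Split a Handshake record body into messages (header: 1-byte type, 24-bit length)."""
    msgs, pos = [], 0
    while pos + 4 <= len(body):
        htype, hlen = body[pos], int.from_bytes(body[pos + 1:pos + 4], "big")
        msg = {"type": HANDSHAKE.get(htype, f"unknown({htype})")}
        if htype == 1:
            msg["cipher_suites"] = client_hello_suites(body[pos + 4:pos + 4 + hlen])
        msgs.append(msg)
        pos += 4 + hlen
    return msgs

def parse_records(data: bytes) -> list[dict]:
    """Walk a stream of TLS records (header: content type, version, 16-bit length)."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[pos:pos + 5])
        body = data[pos + 5:pos + 5 + length]
        if len(body) < length:
            raise ValueError(f"truncated record at offset {pos}")
        rec = {"type": CONTENT.get(ctype, f"unknown({ctype})"),
               "version": VERSIONS.get(version, hex(version)), "length": length}
        if ctype == 21 and length == 2:          # Alert body is level, description
            rec["level"] = {1: "Warning", 2: "Fatal"}.get(body[0], str(body[0]))
            rec["description"] = ALERT_DESC.get(body[1], f"unknown({body[1]})")
        elif ctype == 22:
            rec["messages"] = parse_handshake(body)
        records.append(rec)
        pos += 5 + length
    return records

# Constructed samples (not from the capture): ClientHello offering two suites, ServerHelloDone, fatal decrypt_error alert
CLIENT_HELLO = b"\x16\x03\x03\x00\x2f\x01\x00\x00\x2b\x03\x03" + bytes(32) + b"\x00\x00\x04\xc0\x2f\x00\x2f\x01\x00"
SERVER_HELLO_DONE = b"\x16\x03\x03\x00\x04\x0e\x00\x00\x00"
DECRYPT_ERROR = b"\x15\x03\x03\x00\x02\x02\x33"
```

Feed it the raw TCP payload exported from the capture (e.g. via "Follow TCP Stream" as raw bytes) to list every record up to the alert.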

I just spent a few hours on this and can confirm it is an issue. Hassio gets the initial sensor status but then will not receive updates if duck dns/SSL is enabled.

Ugh - the forum ate all my formatting… Thanks for the response.

I’m gonna break out a spare NodeMCU board I have and see if I can’t get it talking TLS to the same HA instance - that will at least prove whether this is specific to the Konnected firmware build or not. I really don’t want to turn off TLS at this point.

Hope someone finds an easy fix for this. The only ideas I can think of are to see if it is possible to have a TLS connection facing the internet and a non-TLS one on a different port, but only accessible on the LAN. The second idea is to have a dedicated HA install just for Konnected and output the sensors to MQTT to be picked up by the main HA install.

This looks like a similar issue
https://github.com/konnected-io/konnected-security/issues/60

If TLS support is fixed, won't we have another issue if it configures Konnected to use the DuckDNS address instead of the local IP, which will fail if the internet and DNS server are down? It really needs to use a different port, maybe using a Konnected addon for Hassio.

I did a custom build of Konnected firmware, but based on the NodeMCU -dev branch. (Actually, I've done about 30 custom builds of the firmware to get this far :wink:)

But - some success - Konnected is now talking to my SSL-enabled HA instance.
Now to rationalize those semi-random changes to figure out which are really needed.

2018-05-29 23:11:23 INFO (MainThread) [homeassistant.components.http.view] Serving /api/konnected/device/600194751d6b to 192.168.2.68 (auth: False)
2018-05-29 23:11:23 INFO (MainThread) [homeassistant.core] Bus:Handling , new_state=>

2018-05-29 23:11:33 INFO (MainThread) [homeassistant.components.http.view] Serving /api/konnected/device/600194751d6b to 192.168.2.68 (auth: False)
2018-05-29 23:11:33 INFO (MainThread) [homeassistant.core] Bus:Handling , new_state=>

So I did some more poking at this - I couldn't get consistent behaviour from Konnected when it tried to talk HTTPS to HA. Sometimes it worked, sometimes not, often toggling within the same boot/NodeMCU build variation etc.

I've switched HA to HTTP, and put an NGINX reverse proxy in front of it to serve SSL to the outside world for now, until Nate or someone can figure out the stability here.

Here's a sample of my SDK-2.2.1 based build (nodeMCU dev branch), sometimes working - sometimes not...

Build with 5120 SSL BUF and 2.2.1(NodeMCU-dev)

Konnected firmware 2.2-dev-malc
NodeMCU 2.2.0.0 build 20180529 powered by Lua 5.1.4 on SDK 2.2.1(cfd48f3) 
Heap: 39840 Initializing Konnected
Heap: 35280 Version: 2.2.0
Heap: 33656 Connecting to Wifi..
> Heap: 37720 Wifi connected with IP: 192.168.2.68 255.255.255.0 192.168.2.1
Heap: 37656 UPnP: Listening for UPnP discovery
Heap: 37448 HTTP: Starting server at http://192.168.2.68:15675
Heap: 37280 Loaded: server
Heap:32720 Initializing sensor pin:1
Heap: 32440 Loaded: application
HTTP client: Disconnected with error: -11
HTTP client: Connection timeout
Heap:36640 HTTP Call: -1 state 0 pin 1
Heap:35768 HTTP Call: 200 state 1 pin 1
E:M 1048
HTTP client: Disconnected with error: 46
HTTP client: Connection timeout
Heap:34304 HTTP Call: -1 state 0 pin 1
Heap:35768 HTTP Call: 200 state 1 pin 1
Heap: 33416 Responded to UPnP Discovery request from 192.168.2.59:60202
Heap:35768 HTTP Call: 200 state 0 pin 1
Heap: 33408 Responded to UPnP Discovery request from 192.168.2.59:46434
Heap: 33408 Responded to UPnP Discovery request from 192.168.2.59:59048
Heap: 33408 Responded to UPnP Discovery request from 192.168.2.59:34432
E:M 1048
HTTP client: Disconnected with error: 46
HTTP client: Connection timeout
Heap:34312 HTTP Call: -1 state 1 pin 1
HTTP client: Disconnected with error: -11
HTTP client: Connection timeout
Heap:36144 HTTP Call: -1 state 0 pin 1
Heap:35776 HTTP Call: 200 state 1 pin 1
Heap:35776 HTTP Call: 200 state 0 pin 1

I *think* it has to do with the available heap - the failures all /seem/ to happen when it drops below 35K - but I don't have enough data to be 100% sure on that - just a hunch. I also need to get a switch for my test-rig - pulling a jumper lead off/on is getting tiresome ;-)

I noticed that TLS was upgraded in the latest version of Konnected to resolve the KRACK exploit. Has anyone tried an older version from before this upgrade?

Is there any update on a fix for this? Essentially my Konnected alarm doesn't work!

I need an update too, to at least get a timescale. If it is going to be a drawn-out fix, I am wondering if I can achieve similar by using Hassio with the Raspberry Pi GPIO, as Hassio has built-in support and also wired Ethernet. I did want to give Konnected a go but can't use it without this feature.

@HassCr - Yes, you can use the GPIO on RPi to achieve the same end result - See the HA documentation here regarding GPIO Binary Sensor and GPIO Switch.

I also am using HA behind a reverse proxy as I eventually found the same problem with using SSL.

I think the underlying issue is how NodeMCU handles SSL so I don't think there will be a fix for Konnected until it gets addressed by the NodeMCU main branch....

There is some more discussion on this on the Home Assistant forums:

https://community.home-assistant.io/t/konnected-not-connecting-to-wifi/55787

@HassCr - I don't think that thread is related to the SSL problem.

Look at the end, Nate says there is no reason why it shouldn't work with SSL and he is going to look at it. He says it could be because Konnected does not have all the ciphers installed, to save memory.

Sorry, just checked and I posted the wrong link

Try this

https://community.home-assistant.io/t/konnected-alarm-panel-connect-a-wired-alarm-system-to-ha-new-in-0-70/53620/21

Here is the correct link to the other thread
https://community.home-assistant.io/t/konnected-alarm-panel-connect-a-wired-alarm-system-to-ha-new-in-0-70/53620/21

@HassCr - you posted the wrong thread link. I think you meant this one

I'm looking into this now. It's probably something related to the ciphers used by Let's Encrypt. If that's the case, then it should be solvable with a firmware update.

Thanks Nate, I have posted the HTTPS information from Google Chrome in the Home Assistant forum thread. Let me know if you want me to test anything.

Does anyone want to share their DuckDNS/LetsEncrypt hostname with me so I can test against a real-world setup?