INTERACT FORUM

Please login or register.

Login with username, password and session length
Advanced search  
Pages: [1]   Go Down

Author Topic: SSL Support  (Read 1705 times)

hoyt

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 867
SSL Support
« on: July 21, 2018, 09:30:14 pm »

Does the IdPi not support SSL?  I just got my IdPi and have been playing around with it, pretty neat so far, but when I attempted to connect to my local library it failed.  I turned off the firewall on my local server and it still failed, then I unchecked the "Use HTTPS if available" box and it connected.

I expect to only use this on my home network, but I blocked port 52199 on my server to stop any accidental insecure connection requests from Gizmo and JRemote.

Also - is most of this setup possible without using GUI?  I changed the "remote access password" but what is the remote access username?  I'm assuming this isn't SSH, but what is that?
Logged

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 72438
  • Where did I put my teeth?
Re: SSL Support
« Reply #1 on: July 22, 2018, 12:29:01 am »

I expect to only use this on my home network, but I blocked port 52199 on my server to stop any accidental insecure connection requests from Gizmo and JRemote.
52199 should be closed on your cable modem or router, not on the server.
Quote
Also - is most of this setup possible without using GUI?  I changed the "remote access password" but what is the remote access username?  I'm assuming this isn't SSH, but what is that?
remote  -- it's in the instructions.

You'll need a monitor for setup.  I always use the GUI, but Bob always uses text.
Logged

hoyt

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 867
Re: SSL Support
« Reply #2 on: July 22, 2018, 05:54:50 pm »

52199 should be closed on your cable modem or router, not on the server.
You're assuming I want my home network to be a DMZ zone and that I trust all of my internal traffic.  A virus or malware could easily get into my home network and sniff local traffic.  A secure connection should secure both the network and the server.  I'd prefer to have as many connections be as secure as necessary.  Does the Id support an HTTPS connection?

remote  -- it's in the instructions.

Actually, it's not.  The instructions say the password is remote, it doesn't mention the username.  I never realized this, but you can evidently leave the username blank in Microsoft RDP and it'll default to the current user.  RDP comes back with initially with "invalid login" but if you click ok and try it again, it passes.  I was thinking that the headless option would have some form of terminal connection.  But if I pick 2, the Id reboots, and if I connection again with VNC/ RDP, the X session is there.  Is that how it should work?  I guess I was assuming I would be able to get into the options via a terminal line.

Also, it doesn't appear the password accepts special characters on the Id, is that the case or is my keyboard mapped incorrectly?  I can type them into the change password box, but then when it shows me the password, they are stripped out.

Is it possible to see the processes that are running?  I can't seem to connect to Engen (I don't have a Z-Wave stick, but thought I'd still be able to play with it).

Thanks!
Logged

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 72438
  • Where did I put my teeth?
Re: SSL Support
« Reply #3 on: July 22, 2018, 11:23:54 pm »

Yes, I believe https is supported.

Admin is the login.  Sorry.

52199 only opens access to whatever is running on it.  MC in this case.

You can't access the Id with a terminal.  VNC works.

Engen won't run unless a Z-Stick is connected.
Logged

hoyt

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 867
Re: SSL Support
« Reply #4 on: July 23, 2018, 10:40:43 am »

Yes, I believe https is supported.
Hmmm, ok, I'm having some issues with this then.  I have tried the following:
1) Reverted to jriver.local signed certificate.
2) Renewed my Let's Encrypt certificate (it was set to expire in <10 days).
3) Rolled back to an old Let's Encrypt certificate (just to see it the behavior was different on the IdPi, it wasn't).

Admin is the login.  Sorry.
You can't access the Id with a terminal.  VNC works.
Engen won't run unless a Z-Stick is connected.

Got it.  I'll grab a Z-stick the next time I have a shopping list.

52199 only opens access to whatever is running on it.  MC in this case.

Right, but if port 52199 is open and someone makes an authenticate request to my server, the password is sent in an insecure manner.  I don't want my MC server to accept any insecure requests.  Knowing this is possible, I blocked port 52199 locally (I'd like to turn off the HTTP server in MC and only run HTTPS, but that option doesn't exist).  I'm by no means an expert in this, but I run multiple web servers, and every one of them runs strictly as HTTPS.  Maybe I'm paranoid, but being paranoid about web security seems like a good thing.

Thanks!
Logged

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 72438
  • Where did I put my teeth?
Re: SSL Support
« Reply #5 on: July 23, 2018, 01:34:02 pm »

Blocking the port won't prevent an insecure request being sent.
Logged

hoyt

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 867
Re: SSL Support
« Reply #6 on: July 23, 2018, 03:38:35 pm »

Blocking the port won't prevent an insecure request being sent.

That's true, but I'm assuming most transactions first test to see if a server is there before sending an insecure request.  Blocking the port will at least prevent that.  This is the most that I can do, realistically, MC (MC, Gizmo, and JRiver) should stop sending insecure requests.

Back to the point though, I can't get an IdPi to communicate via SSL.  Even to your outside Id.  I can connect to that on port 52199, but not 52200.  Same with my internal server.  Are you able to connect to your outside id via SSL from an Id?
Logged
Pages: [1]   Go Up