Comments on: Securing HomeAssistant with client certificates (works with Safari/iOS)
https://blog.christophermullins.com/2017/04/30/securing-homeassistant-with-client-certificates/
I occasionally write about things. Usually these things are about computers.
Mon, 30 Sep 2019 18:55:59 +0000

By: elratt0r (Fri, 31 May 2019 12:55:51 +0000) https://blog.christophermullins.com/2017/04/30/securing-homeassistant-with-client-certificates/comment-page-1/#comment-5990

Thanks for this great post!
Because luacrypto won’t compile anymore, I rewrote your script for luaossl.
(lua-luaossl on Debian)

Here as a gist:
https://gist.github.com/elratt0r/e059aeed5eff5d8a2dab2bfcd1a56728

By: chris (Tue, 04 Dec 2018 23:10:28 +0000) https://blog.christophermullins.com/2017/04/30/securing-homeassistant-with-client-certificates/comment-page-1/#comment-5248

I’m not familiar with the Google Assistant plugin. If it provides some form of auth, it’s possible to mess around with the Lua to detect either that or the client cert.

By: Anonymous (Tue, 04 Dec 2018 22:04:21 +0000) https://blog.christophermullins.com/2017/04/30/securing-homeassistant-with-client-certificates/comment-page-1/#comment-5247

I’d like to be able to both reach the default hass web interface securely via client certificates, and use the Google Assistant plugin.

Would it be possible to tweak nginx to allow for this? Or any other method?

Thanks a lot for your advice.

By: Andy (Mon, 23 Jul 2018 11:57:22 +0000) https://blog.christophermullins.com/2017/04/30/securing-homeassistant-with-client-certificates/comment-page-1/#comment-4813

The code above is a bit of a mess 😉 I’ve changed both lua entries in the configure.ac to lua5.1
So far so good, right?

After that I did the autoreconf, stopping with this error:
/usr/share/automake-1.15/am/ltlibrary.am: warning: ‘crypto.la’: linking libtool libraries using a non-POSIX
/usr/share/automake-1.15/am/ltlibrary.am: archiver requires ‘AM_PROG_AR’ in ‘configure.ac’

So I’ve added this line to configure.ac before LT_INIT:
m4_ifdef([AM_PROG_AR], [AM_PROG_AR])

Everything seemed to work fine then. Could run configure but make fails.
lcrypto.c:1602:20: error: storage size of ‘ctx’ isn’t known
Error 2 and so on.

By: Single Sign On with client certificates | Chris Mullins (Sun, 22 Jul 2018 21:08:05 +0000) https://blog.christophermullins.com/2017/04/30/securing-homeassistant-with-client-certificates/comment-page-1/#comment-4811

[…] a previous post, I detailed a trick to get complicated webapps working with client […]

By: chris (Sun, 22 Jul 2018 03:34:23 +0000) https://blog.christophermullins.com/2017/04/30/securing-homeassistant-with-client-certificates/comment-page-1/#comment-4810

Er, yeah. Sorry. I guess I probably meant service worker. Or some other similar frontend thing. There’s definitely something in either Chrome or HomeAssistant that does not work well with client certs for long periods of time.

I actually sort of gave up on using client certs for every request. Doubled down on the HMAC cookies, and now redirect to a domain that drops authed cookies based on client certs when cookies are not present.

Works absolutely beautifully — exactly how I wanted.

This makes sense, I would want to use the native app if I were using this feature as well.

By: chris (Sun, 22 Jul 2018 03:31:44 +0000) https://blog.christophermullins.com/2017/04/30/securing-homeassistant-with-client-certificates/comment-page-1/#comment-4809

Did the trick I mentioned in the post with patching configure.ac not work for you? Sort of sounds like what you’re suggesting would have roughly the same effect.

By: Andy (Sat, 21 Jul 2018 14:35:46 +0000) https://blog.christophermullins.com/2017/04/30/securing-homeassistant-with-client-certificates/comment-page-1/#comment-4807

I’ve tried a ton of different things to get luacrypto running, even tried other openssl packages, etc. This was the only way I got it working with Lua 5.1:

git clone https://github.com/evanlabs/luacrypto.git
cd luacrypto
luarocks install rockspecs/luacrypto-git-1.rockspec
ln -s /usr/local/lib/lua/crypto.so /usr/local/lib/lua/5.1

By: Tor Arne (Tue, 10 Jul 2018 21:01:47 +0000) https://blog.christophermullins.com/2017/04/30/securing-homeassistant-with-client-certificates/comment-page-1/#comment-4785

Actually Websockets in Chrome (68.0.3440.42 on macOS) work fine without the Lua workaround, but yes, it’s needed for Safari (and Chrome on iOS, which is just wrapping the WebKit engine and networking backend, so it has the same issues as Safari).

The advantage of the iOS app is that it supports location updates for presence detection. According to this tech note (https://developer.apple.com/library/archive/qa/qa1745/_index.html) the UIWebView used by the iOS app does not inherit the keys added to the Safari keychain, but it should be possible to add the client certs to the HA iOS app itself. I’ll have a look at implementing that.

By: chris (Tue, 10 Jul 2018 17:45:20 +0000) https://blog.christophermullins.com/2017/04/30/securing-homeassistant-with-client-certificates/comment-page-1/#comment-4784

Yeah, the entire point of this post is the Lua workaround. Websockets in both Chrome and Safari just do not play nicely with client certificates.

I don’t think the iOS app supports using client certificates, but I don’t use the iOS app. Just use a homepage link which works fine for my purposes.
