BoschSmartHome / bosch-shc-api-docs

Bosch Smart Home Controller Local REST API

Error SSL alert number 10 and SSL alert number 46 #11

Closed m-h-t closed 4 years ago

m-h-t commented 4 years ago

Hi. I followed your instructions on the setup of postman. I think it might be beneficial to include advice to edit the pre-request script variables and the request body before sending the new client request. :)

After doing so however, I'm getting:

Error: write EPROTO 139987876223616:error:140943F2:SSL routines:ssl3_read_bytes:sslv3 alert unexpected message:../../vendor/node/deps/openssl/openssl/ssl/record/rec_layer_s3.c:1407:SSL alert number 10

in the postman console. This seems to be an ssl handshake error. From here:

10  | unexpected_message |  Received an inappropriate message This alert should never be observed in communication between proper implementations. This message is always fatal.

Could you perhaps provide the command you used to generate the .key and .crt files?

philbuettner commented 4 years ago

Hi Martin, you probably generated a certificate with 1024 bits. A possible solution is to generate a certificate with 2048 bits as described here (second point): https://github.com/BoschSmartHome/bosch-shc-api-docs/issues/10

You are right with your first point. We will provide a more detailed description of how to use the API soon.

JohannesKuehnel commented 4 years ago

I tried to generate certificates with the method mentioned in #10 on Win10 as well as with different methods on WSL/Ubuntu, no luck so far. Do I need to use specific values for CN etc?

Postman just tells me "Could not get any response" and the console outputs:

Error: write EPROTO 20140:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:c:\projects\electron\vendor\node\deps\openssl\openssl\ssl\record\rec_layer_s3.c:1407:SSL alert number 46

SSL certificate verification is off, Client Certificates for the controller on 10.0.0.2 with ports 8443 and 8444 have been added to Postman, the certificate is in the body (considering the carriage returns) and _system_passwordbase64 is set to the output of echo "password" | base64 (WSL/Ubuntu).

m-h-t commented 4 years ago

I can confirm. The error changed to SSL alert number 46, which has this (not very helpful) error description:

46 | certificate_unknown | An unspecified issue took place while processing the certificate that made it unacceptable.

I'm using Ubuntu 19.10 and Postman 7.10.0 btw.

philbuettner commented 4 years ago

Could you please try it with the given example certificate in the collection? If this is working, then please use the following command for generating certificates and keys: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout shc-key.pem -out shc-cert.pem. With Ubuntu this works for me.

JohannesKuehnel commented 4 years ago

@philbuettner Thanks for the reply! Do you mean the one in the Pre-request Script? We are missing the key-file for that one, aren't we?

I had no luck using the command you provided, although it is the same I used myself, except for -nodes. Can you provide me the details of what you entered for Country, City, etc (especially the Common Name part)?

philbuettner commented 4 years ago

Correct, I meant the one in the Pre-request Script. As I generated this, I did not store the key, to prevent anyone from using it. I left all details empty as I generated the certificate with openssl.

However, if this is not working could you please try it with a 4096 bit key? openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout shc-key.pem -out shc-cert.pem

JohannesKuehnel commented 4 years ago

@philbuettner No success using openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout shc-key.pem -out shc-cert.pem and only providing a country name ("AT"), as I cannot leave everything blank.

Same issue on my Manjaro notebook. So it's either something I am missing about the certificate (did you add a CA Certificate or something?) or my controller is the problem...or maybe Postman 7.10.0+.

Are there any settings needed on the controller part?

philbuettner commented 4 years ago

No additional settings are needed for the controller. Did you try it with the example certificate? Which OS do you have on your notebook?

JohannesKuehnel commented 4 years ago

@philbuettner How do I try the example certificate without the appropriate key? If I just add the certificate without a key-file I get SSL alert number 42 (bad certificate).

Same issue on my Manjaro notebook.

--> Manjaro Linux (Arch-based distro)

Edit: Tried some more tinkering, but even openssl fails to handle the certificate, so I guess it's not Postman's fault:

$ openssl s_client -showcerts -noservername -cert shc-cert.pem -key shc-key.pem -verify 3 -connect 10.0.0.4:8444 > cacert.pem
verify depth is 3
depth=2 C = DE, O = Bosch Thermotechnik GmbH, CN = Smart Home Controller Productive Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 C = DE, O = Bosch Thermotechnik GmbH, CN = Smart Home Controller Productive Root CA
verify return:1
depth=1 C = DE, O = Bosch Thermotechnik GmbH, CN = Smart Home Controller Issuing CA
verify return:1
depth=0 C = DE, O = Bosch Thermotechnik GmbH, CN = <mac>
verify return:1
140462913491392:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1528:SSL alert number 46

Edit2: Do I have to press something on the controller during pairing? This library mentions something like this during pairing:

Activate pairing on Bosch Smart Home Controller by pressing button until flashing.

Edit3: Pressing the button on the controller until it flashes actually enables me to connect, but I get a 401 error. Will try again tomorrow, but the Systempassword should be correct.

philbuettner commented 4 years ago

To post a certificate you first have to press the button on the controller until the LEDs flash. This is the only call where you do not need the key of the certificate but the master password of your controller.

Did you encode your password to base64? For instance, the base64 encoded password for my_passw0rd is bXlfcGFzc3cwcmQ=. Verify your encoding method with the example encoding to be sure it is correct.

JohannesKuehnel commented 4 years ago

Ok, the part about the button is the important part:

To post a certificate you first have to press the button on the controller until the LEDs flash. This is the only call where you do not need the key of the certificate but the master password of your controller.

This should be in the documentation, in my opinion.

The password was base64 encoded, but apparently a newline was appended, so instead of using echo "password" | base64 the -n option had to be added to echo:

echo -n "password" | base64

Now it's working, thanks!
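The following script is an added example, not code from the bosch-shc-api-docs repository or from either participant. It pulls together the three inputs this thread identified as the stumbling blocks for the new-client request: a 2048-bit self-signed client certificate (1024-bit keys produced alert number 10), the base64 system password without the trailing newline that echo adds (the cause of the 401), and the PEM flattened with \r\n separators for the JSON body. The common name "shc-client", the use of -subj instead of interactive prompts, and the printf/awk helpers are this example's own choices; the request itself is not shown because the endpoint and body format are not described in this thread.

```shell
#!/bin/sh
# Added example, not code from bosch-shc-api-docs. Prepares the inputs the
# thread found to matter when registering a new client with the controller:
# a 2048-bit self-signed certificate, a base64 system password with no
# trailing newline, and a PEM flattened with \r\n separators for a JSON body.
# The CN "shc-client" and the -subj usage are this example's assumptions.
set -eu

# Base64 of the system password exactly as the maintainer's example expects
# (my_passw0rd -> bXlfcGFzc3cwcmQ=). printf '%s' emits no trailing newline.
encode_system_password() {
    printf '%s' "$1" | base64
}

# The variant that caused the 401 in the thread: echo appends "\n", so the
# encoding covers one extra byte (my_passw0rd -> bXlfcGFzc3cwcmQK).
naive_encode_system_password() {
    echo "$1" | base64
}

# Generate the 2048-bit key and self-signed certificate the maintainers
# recommend; 1024-bit keys produced "SSL alert number 10" in the thread.
# $1 = output basename; writes $1-key.pem and $1-cert.pem.
generate_client_cert() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=shc-client" \
        -keyout "$1-key.pem" -out "$1-cert.pem" 2>/dev/null
}

# Print the RSA modulus size of a PEM certificate ("2048" for a good one),
# so a stale 1024-bit file is caught before it reaches the controller.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Flatten a PEM file into one JSON-string-safe line with literal \r\n between
# the original lines ("considering the carriage returns" in the thread).
pem_to_json_string() {
    awk 'BEGIN { ORS = "" } { print $0 "\\r\\n" }' "$1"
}

# Demo: run the three steps in a scratch directory when openssl is present.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    generate_client_cert "$work/shc"
    echo "key size: $(cert_key_bits "$work/shc-cert.pem") bits"
    echo "Systempassword value: $(encode_system_password my_passw0rd)"
    echo "certificate JSON value: \"$(pem_to_json_string "$work/shc-cert.pem")\""
    rm -r "$work"
fi
```

Before pairing, press the controller's button until the LEDs flash, then send the request with the output of encode_system_password as the system password and the output of pem_to_json_string as the certificate value; compare the first against the maintainer's bXlfcGFzc3cwcmQ= example to confirm the encoding has no newline.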

philbuettner commented 4 years ago

Great! A more detailed documentation is coming soon.