arthurdent75 / SimpleScheduler

A Home Assistant AddOn to schedule entities on/off on a weekly basis
183 stars 36 forks

Enhancement Request: Enable TLS Certificate Authentication for Enhanced Security in Connection Establishment #150

Closed h-theLetter closed 7 months ago

h-theLetter commented 8 months ago

To further enhance security in connection establishment, I propose the implementation of TLS certificate authentication. This would add an extra layer of validation, ensuring secure communication between clients and the server.

Proposed Changes

TLS Certificate Validation: Introduce the ability to validate TLS certificates during the connection establishment process. This ensures that only authorized clients with valid certificates can connect.

Specify Certificate, Key, and CA Location: Allow users to specify the location of client certificates, private keys, and the Certificate Authority (CA) files. This could be achieved by adding a configuration option, and the default location could be set to the SSL directory.

Configuration Example (if applicable)

tls:
  enabled: true
  certificate:
    path: client.crt
  key:
    path: client.key
  ca:
    path: ca.crt

I appreciate the incredible work done on this project so far and appreciate any extra effort!

arthurdent75 commented 8 months ago

Hi @h-theLetter, thank you for your support and your suggestion. I'm not sure about the advantages of your proposal. If you publish HA on HTTPS and you choose show in sidebar, SimpleScheduler is proxied (like any other addon) and thus is also in HTTPS. The only insecure communication is between HA and the addon, but they run on the same computer, so it is very unlikely that someone could steal packets in the middle.

Please let me know your thoughts!

PS: Have you tried the beta? https://community.home-assistant.io/t/simple-scheduler-addon/174326/440?u=arthurdent1975

h-theLetter commented 7 months ago

Hi there, the scenario I was thinking of is when you are running an external MQTT broker and not the add-on from HA (which I am, but it requires certs so I am not using it with SimpleScheduler). However, now that I'm thinking about it, you would also have to add configs to point to the broker. It's a big undertaking so maybe just something to keep in mind down the road. Either way, thank you!

arthurdent75 commented 7 months ago

> you would also have to add configs to point to the broker. It's a big undertaking so maybe just something to keep in mind down the road.

It is already there: image

h-theLetter commented 7 months ago

Perfect! I didn't realize you could enter an external server there. So that would be the benefit if you added this enhancement 😊 Allowing users to connect to external servers that require certificates.

arthurdent75 commented 7 months ago

Don't get me wrong... I think there is too much effort compared to the number of users that could use this. I believe that the majority of users point to Home Assistant Mosquitto Addon... Thank you anyway for your suggestion and for using my addon!
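An added example, not part of the thread and not SimpleScheduler's code: one way the `tls:` block proposed in the first comment could be turned into a client-side mutual-TLS context for an external broker, using only Python's standard `ssl` module. The function names and the `/ssl` default directory are assumptions made for this sketch.

```python
import ssl
from pathlib import Path

# Constructed sample mirroring the `tls:` block proposed in the issue.
SAMPLE_TLS_CONFIG = {
    "enabled": True,
    "certificate": {"path": "client.crt"},
    "key": {"path": "client.key"},
    "ca": {"path": "ca.crt"},
}


def resolve_tls_paths(tls_cfg, ssl_dir="/ssl"):
    """Resolve the three configured files; fail closed if any is absent.

    ssl_dir="/ssl" is an assumed default for the "SSL directory" in the proposal.
    """
    paths = {}
    for name in ("certificate", "key", "ca"):
        entry = tls_cfg.get(name) or {}
        if not entry.get("path"):
            raise ValueError(f"tls.{name}.path is required when tls.enabled is true")
        # pathlib lets an absolute configured path override ssl_dir.
        candidate = Path(ssl_dir) / entry["path"]
        if not candidate.is_file():
            raise FileNotFoundError(f"tls.{name}.path not found: {candidate}")
        paths[name] = candidate
    return paths


def build_tls_context(tls_cfg, ssl_dir="/ssl"):
    """Return an SSLContext for mutual TLS, or None when TLS is disabled."""
    if not tls_cfg or not tls_cfg.get("enabled"):
        return None
    paths = resolve_tls_paths(tls_cfg, ssl_dir)
    # PROTOCOL_TLS_CLIENT turns on hostname checking and CERT_REQUIRED by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Trust only the configured CA for the broker's certificate, not the system store.
    ctx.load_verify_locations(cafile=str(paths["ca"]))
    # Client certificate and key presented to a broker that requires them.
    ctx.load_cert_chain(certfile=str(paths["certificate"]), keyfile=str(paths["key"]))
    return ctx
```

A client library that accepts a prebuilt context (paho-mqtt's `Client.tls_set_context`, for example) can take the returned object directly; the thread does not say which MQTT library SimpleScheduler uses.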