chrivers / bifrost

Hue Bridge Emulator
GNU General Public License v3.0
124 stars, 6 forks

Enable TLS support for tokio-tungstenite to allow secure connections #7

Closed konistehrad closed 3 months ago

konistehrad commented 3 months ago

Unfortunately this is my first experience with Rust, so I'm not 100% sure this is correct, but at least hopefully this will be a jumping off point to handle the case where Zigbee2MQTT is behind TLS.

konistehrad commented 3 months ago

Ah, this will require significant changes to allow for self-signed certificates. Closing for now.

chrivers commented 3 months ago

I think we can make it work - let me know if you're looking into it, and/or need help with it :+1:

konistehrad commented 3 months ago

I imagine the full solution will look a bit like ESPHome's solution for self-signed MQTT certs, where a custom CA can be provided or cert checks skipped altogether. I bet we'll be hamstrung by tungstenite-rs however, as I don't immediately see a way to prevent those checks within their documentation. Again, not a ton of experience here, though, so do please let me know if I'm off base!

chrivers commented 3 months ago

At a quick glance, it looks like tungstenite-rs can be made to work on top of a normal TLS connection, so I think it's feasible.

We could make an option to provide a certificate, or disable checking completely.

Can you elaborate on how your z2m is configured? Is there some kind of proxy in front of it, or does it support tls by itself?

In other words, how can I make a test setup to mirror your use case?

konistehrad commented 3 months ago

Z2M supports TLS all on its own via ssl_cert and ssl_key in the frontend configuration: https://www.zigbee2mqtt.io/guide/configuration/frontend.html#advanced-configuration