eclipse-archived / smarthome

Eclipse SmartHome™ project
https://www.eclipse.org/smarthome/
Eclipse Public License 2.0

[hue][WIP] Added configuration for port and protocol #6854

Closed cweitkamp closed 5 years ago

cweitkamp commented 5 years ago

// CC @davidgraeff for discussion and testing

Signed-off-by: Christoph Weitkamp <github@christophweitkamp.de>

cweitkamp commented 5 years ago

Alright. HTTPS is not working for my Hue Bridge. Guess why? Invalid TLS certificate!

Now I am going to implement a TlsCertificateProvider. Let's hope it will work, because the certificate available on the Hue bridge does not specify any Subject Alternative Name which I can check against. But if I understand #6651 correctly, it should be possible to check against the CN too.

Checking the certificate with openssl gives me this:

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6624557528005837 (0x1788fffe403ccd)
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = NL, O = Philips Hue, CN = 001788fffe403ccd
        Validity
            Not Before: Jan  1 00:00:00 2017 GMT
            Not After : Jan  1 00:00:00 2038 GMT
        Subject: C = NL, O = Philips Hue, CN = 001788fffe403ccd
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:64:1f:2f:c1:10:62:bf:fc:f1:aa:9d:41:57:e8:
                    46:db:d1:49:9d:f0:6c:02:cf:cf:70:9e:ec:2f:9e:
                    d4:e3:e7:ce:81:c4:20:a3:f2:2a:af:75:3a:be:c7:
                    7b:58:f4:4a:f8:71:e8:3b:24:a1:2a:19:52:1d:91:
                    4b:01:41:14:e2
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                38:C8:28:A2:62:A4:AC:2A:53:83:21:4D:EF:67:2D:D3:68:EE:C5:AB
            X509v3 Authority Key Identifier:
                keyid:38:C8:28:A2:62:A4:AC:2A:53:83:21:4D:EF:67:2D:D3:68:EE:C5:AB
                DirName:/C=NL/O=Philips Hue/CN=001788fffe403ccd
                serial:17:88:FF:FE:40:3C:CD

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:e4:f8:51:c4:84:80:a6:c6:4a:95:38:b2:f2:
         e3:e4:79:56:b4:b0:32:6e:27:e3:56:61:84:c5:4b:f4:85:48:
         3a:02:21:00:ec:f3:07:d5:f7:53:8a:90:83:11:ba:5e:e0:e5:
         d3:89:de:4e:8e:d4:95:7c:0b:ad:e1:a6:48:17:06:d4:8d:40
```

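
The check discussed in the comment above (a self-signed certificate with no Subject Alternative Name, so the CN is compared instead), sketched with plain JDK APIs as an added example that is not part of this pull request or of Eclipse SmartHome. The class name `BridgeCertTrustManager`, the `expectedBridgeId` parameter and the pin-on-first-contact behaviour are assumptions made for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.X509TrustManager;

// Hypothetical class (not Eclipse SmartHome code): trusts exactly one self-signed bridge certificate.
public class BridgeCertTrustManager implements X509TrustManager {
    private final String expectedBridgeId; // assumption: bridge id known from discovery or configuration
    private byte[] pinnedSha256;           // null until first contact; the caller should persist it
    public BridgeCertTrustManager(String expectedBridgeId, byte[] pinnedSha256) {
        this.expectedBridgeId = expectedBridgeId;
        this.pinnedSha256 = pinnedSha256;
    }

    @Override
    public synchronized void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) { throw new CertificateException("empty certificate chain"); }
        X509Certificate cert = chain[0];
        try {
            cert.checkValidity();             // Not Before / Not After
            cert.verify(cert.getPublicKey()); // self-signed: the signature must verify under its own key
            String cn = null;                 // no SAN on this certificate, so read the CN from the subject
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) { cn = String.valueOf(rdn.getValue()); }
            }
            if (!expectedBridgeId.equalsIgnoreCase(cn)) {
                throw new CertificateException("CN " + cn + " does not match bridge id " + expectedBridgeId);
            }
            byte[] seen = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            if (pinnedSha256 == null) {
                pinnedSha256 = seen;          // first contact: remember this certificate
            } else if (!MessageDigest.isEqual(pinnedSha256, seen)) {
                throw new CertificateException("bridge certificate changed since first contact");
            }
        } catch (GeneralSecurityException | InvalidNameException e) {
            throw e instanceof CertificateException ? (CertificateException) e : new CertificateException("bridge certificate rejected", e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("client authentication is not supported");
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}
```

The CN comparison is only a consistency check, since anyone can self-sign a certificate carrying the same CN; the pinned SHA-256 fingerprint is what ties later connections to the certificate seen on first contact.
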
davidgraeff commented 5 years ago

> Invalid TLS certificate!

A self-signed certificate is expected locally. I would just allow every certificate, especially because this binding is also used for the deconz bridge, which will not identify itself with "O = Philips Hue".

kaikreuzer commented 5 years ago

May I ask you to move this to https://github.com/openhab/openhab2-addons?