home-assistant / core

Open source home automation that puts local control and privacy first.
https://www.home-assistant.io
Apache License 2.0

ELK M1 devices need OP_LEGACY_SERVER_CONNECT with openssl3+ (HA 2023.5.x+) #92467

Closed dragonsoul84 closed 1 year ago

dragonsoul84 commented 1 year ago

The problem

The ELK M1 integration was working perfectly on the newest release before 2023.5.0. Immediately after updating, entities associated with ELK M1 are not responding and the integration says it can't connect to the M1. The error in the log is listed below.

What version of Home Assistant Core has the issue?

2023.5.0

What was the last working version of Home Assistant Core?

2023.4.6

What type of installation are you running?

Home Assistant OS

Integration causing the issue

ELK-M1 Control

Link to integration documentation on our website

https://www.home-assistant.io/integrations/elkm1/

Diagnostics information

No response

Example YAML snippet

No response

Anything in the logs that might be useful for us?

Logger: elkm1_lib.connection
Source: runner.py:179
First occurred: 12:07:58 AM (2 occurrences)
Last logged: 12:08:29 AM

Error connecting to ElkM1 ([SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:1007)). Retrying in 1 seconds
Error connecting to ElkM1 (). Retrying in 2 seconds

Additional information

No response

home-assistant[bot] commented 1 year ago

Hey there @gwww, @bdraco, mind taking a look at this issue as it has been labeled with an integration (elkm1) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of `elkm1` can trigger bot actions by commenting:

- `@home-assistant close` Closes the issue.
- `@home-assistant rename Awesome new title` Renames the issue.
- `@home-assistant reopen` Reopen the issue.
- `@home-assistant unassign elkm1` Removes the current integration label and assignees on the issue, add the integration domain after the command.

(message by CodeOwnersMention)


codyc1515 commented 1 year ago

I'm facing the same error message with a totally different (custom) integration. I suspect there has been a library update for the SSL libraries used in HA which has caused this. In any case, the actual root cause is the HTTPS server is not that secure.

dragonsoul84 commented 1 year ago

I suspect this is probably the case. I reloaded 2023.4.6 and am still having the same issue, so I guess the ssl libraries weren't under the same snapshot that was created during the update. I did find a minor firmware update for my ethernet device on the M1XEP and am trying it now.

bdraco commented 1 year ago

https://bugs.python.org/issue44888

bdraco commented 1 year ago

Looks like they decided not to back port the option in cpython

https://github.com/python/cpython/issues/89051

bdraco commented 1 year ago

The raw value is 0x4

So

ssl_context.options |= 0x4

bdraco commented 1 year ago

cpython 3.12.0 alpha 4 and later have the new flag

Since it's due to be released in a few months and HA won't likely upgrade for a year or so, the flag to turn it off likely won't be available for another year.

bdraco commented 1 year ago

I think we are stuck with the horrible hack of using the raw value

bdraco commented 1 year ago

It's the new openssl version that broke this AFAICT

bdraco commented 1 year ago

Can confirm the breakage is openssl related after upgrading my production install's openssl

bdraco commented 1 year ago

breakage is caused by openssl3

bdraco commented 1 year ago

downgrading openssl fixes the issue

bdraco commented 1 year ago

workaround is to connect without secure port.. that's not so great though

bdraco commented 1 year ago

https://github.com/gwww/elkm1/pull/69 will fix it by manually flipping the legacy flag
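The raw-flag workaround discussed in this thread, as an added example that is not part of the thread and is not the code from the linked elkm1 pull request: it sets the flag only on the context used for a listed device and recognises the error from the reported log. The host name `elk-m1.example` and all function names are hypothetical; certificate verification is left at the library defaults.

```python
import ssl

# Raw value of OpenSSL's SSL_OP_LEGACY_SERVER_CONNECT, as quoted in the thread.
RAW_OP_LEGACY_SERVER_CONNECT = 0x4
# Error reason taken from the log line in the issue report.
LEGACY_RENEGOTIATION_REASON = "UNSAFE_LEGACY_RENEGOTIATION_DISABLED"


def legacy_server_connect_flag() -> int:
    """Use the named constant on Python 3.12+, the raw value before that."""
    return int(getattr(ssl, "OP_LEGACY_SERVER_CONNECT", RAW_OP_LEGACY_SERVER_CONNECT))


def is_legacy_renegotiation_error(exc: BaseException) -> bool:
    """True if exc is the OpenSSL 3 refusal seen in the issue's log."""
    if not isinstance(exc, ssl.SSLError):
        return False
    reason = getattr(exc, "reason", None)  # absent on hand-built errors
    return reason == LEGACY_RENEGOTIATION_REASON or LEGACY_RENEGOTIATION_REASON in str(exc)


def context_for(host: str, legacy_hosts: frozenset) -> ssl.SSLContext:
    """Return a client context; set the legacy flag only for listed devices.

    Every other host gets an unmodified default context, so the relaxed
    setting does not leak into unrelated TLS connections.
    """
    ctx = ssl.create_default_context()
    if host in legacy_hosts:
        ctx.options |= legacy_server_connect_flag()
    return ctx


def allows_legacy_server(ctx: ssl.SSLContext) -> bool:
    """Report whether the legacy-server-connect bit is set on ctx."""
    return bool(ctx.options & legacy_server_connect_flag())


if __name__ == "__main__":
    # Constructed sample: hypothetical device name, error text from the log.
    legacy = frozenset({"elk-m1.example"})
    err = ssl.SSLError(1, "[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] "
                          "unsafe legacy renegotiation disabled (_ssl.c:1007)")
    print("matches reported error:", is_legacy_renegotiation_error(err))
    print("flag set for device:", allows_legacy_server(context_for("elk-m1.example", legacy)))
```
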