lephisto / tesla-apiscraper

API Scraper for pulling Vehicle Statistics from the Tesla Owner API into an InfluxDB + Grafana Dashboards
GNU Lesser General Public License v3.0
365 stars 102 forks

Support https for scraper api #62

Open galmok opened 5 years ago

galmok commented 5 years ago

I have gotten most of it up and running, but I am concerned about the seeming lack of HTTPS support for the communication between the Android app and the tesla api scraper. HTTP makes it very easy to sniff out the API key...

So, could we get support for HTTPS? :)

galmok commented 5 years ago

I have added a certificate and made apiscraper.py load it (only a 2-line code change), but the Android App refuses to talk to the server. I have verified that the certificate is indeed loaded and working, but as it is a self-signed certificate, the Android App flat out refuses it. I even loaded the certificate into the certificate store on the phone, but it won't work. Browsers also warn about the certificate, but let me bypass the warning.

I tested the webserver using https://www.digicert.com/help/ and it reports everything is ok, except that there is no CA (which self-signed certificates do not have).

Could you expand the app to either let all self-signed certificates pass (not a great idea, but better than what we have now) or only let the certificate with the correct thumbprint pass? Or check if the certificate is loaded into the phone's certificate store, in which case the app accepts it (I prefer this solution).

The change I made is this:

bme@bme-Virtual-Machine:~/tesla-apiscraper$ diff apiscraper.original.py apiscraper.py
27a28
> import ssl
391a393
>         self.socket = ssl.wrap_socket(self.socket, certfile='certificate.pem', keyfile='private.pem', server_side=True)
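Review bot: `ssl.wrap_socket` on the added line is deprecated since Python 3.7 and removed in 3.12, so this change stops working on current interpreters; build an `ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)`, call `load_cert_chain(certfile='certificate.pem', keyfile='private.pem')` on it and use its `wrap_socket(self.socket, server_side=True)` instead, which also lets you set a minimum TLS version. The relative paths `certificate.pem` and `private.pem` are resolved against the process working directory rather than the script location, so the scraper will fail to start when launched from elsewhere (for example from a systemd unit); make them configurable or anchor them to `__file__`.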

And I created the PEM files like this:

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout private.pem -out certificate.pem

I filled out the country code and the common name (with the common name equal to my FQDN).

I converted to CRT (for Android) this way:

openssl x509 -inform PEM -outform DER -in certificate.pem -out certificate.crt

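
Added example, not code from the tesla-apiscraper project or from the author of this comment, showing both halves of what the comment asks for in Python: the server side loads the certificate into an ssl.SSLContext (ssl.wrap_socket is deprecated since Python 3.7 and gone in 3.12), and a client accepts exactly one self-signed certificate by its SHA-256 thumbprint, which is the check the comment wants the Android app to perform. The throw-away certificate is generated with the same openssl req command shown above. Everything else is an assumption made for the example: the CN scraper.local, the StatusHandler endpoint and its constructed JSON body, and a server bound to localhost on a free port.

```python
import hashlib, hmac, shutil, socket, ssl, subprocess, tempfile, threading
import http.server
from pathlib import Path


class PinMismatch(ssl.SSLError):
    """Server certificate does not match the pinned fingerprint."""


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, lower-case hex without colons
    (the value `openssl x509 -sha256 -fingerprint` prints, minus the colons)."""
    return hashlib.sha256(der_bytes).hexdigest()


def build_server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """ssl.wrap_socket() is deprecated since 3.7 and gone in 3.12; load the
    certificate into an explicit server-side SSLContext instead."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def make_https_server(handler, certfile, keyfile, host="127.0.0.1", port=0):
    """HTTPServer with a TLS-wrapped listening socket; port 0 = any free port."""
    httpd = http.server.HTTPServer((host, port), handler)
    httpd.socket = build_server_context(certfile, keyfile).wrap_socket(
        httpd.socket, server_side=True)
    return httpd


class StatusHandler(http.server.BaseHTTPRequestHandler):
    """Hypothetical stand-in for the scraper's API; the body is constructed."""

    def do_GET(self):
        body = b'{"state": "online"}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def pinned_get(host, port, expected_fp, path="/"):
    """Client side of thumbprint pinning. Chain validation is off (a self-signed
    cert has no chain), so trust rests entirely on the fingerprint compare,
    which runs before any request, and hence any API key, is sent."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    want = expected_fp.lower().replace(":", "")
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw) as tls:
            got = cert_fingerprint(tls.getpeercert(binary_form=True))
            if not hmac.compare_digest(got, want):
                raise PinMismatch(f"got {got}, pinned {want}")
            tls.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            chunks = []
            while data := tls.recv(4096):
                chunks.append(data)
    return b"".join(chunks)


def make_self_signed(workdir: Path, cn="scraper.local"):
    """Same openssl req invocation as in the thread, with a fixed subject."""
    key, cert = workdir / "private.pem", workdir / "certificate.pem"
    subprocess.run(["openssl", "req", "-newkey", "rsa:2048", "-new", "-nodes",
                    "-x509", "-days", "3650", "-subj", f"/CN={cn}",
                    "-keyout", str(key), "-out", str(cert)],
                   check=True, capture_output=True)
    return str(cert), str(key)


def run_demo():
    """Generate a throw-away cert, serve over TLS, fetch with the right pin,
    then show a wrong pin is refused. Returns None if openssl is missing."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        certfile, keyfile = make_self_signed(Path(tmp))
        pin = cert_fingerprint(ssl.PEM_cert_to_DER_cert(Path(certfile).read_text()))
        httpd = make_https_server(StatusHandler, certfile, keyfile)
        host, port = httpd.server_address[:2]
        threading.Thread(target=httpd.serve_forever, daemon=True).start()
        try:
            body = pinned_get(host, port, pin)
            try:
                pinned_get(host, port, "00" * 32)
                wrong_pin_rejected = False
            except PinMismatch:
                wrong_pin_rejected = True
        finally:
            httpd.shutdown()
            httpd.server_close()
    return {"pin": pin, "body": body, "wrong_pin_rejected": wrong_pin_rejected}
```

Calling run_demo() performs the round trip on localhost and returns the pin, the response body and whether the bogus pin was refused. The pin is the SHA-256 of the DER certificate, i.e. what `openssl x509 -in certificate.pem -noout -sha256 -fingerprint` prints, so it can be read off the server's certificate.pem and baked into the client; it has to be updated whenever the certificate is regenerated, which is why the client compares against the certificate itself rather than against any CA.

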
galmok commented 5 years ago

The above certificates were probably not created correctly, but I have since tried two other guides, the latest being this:

https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/

and the app simply won't budge. It doesn't seem like it accepts my personal CA.

If anyone can make this work, please let us know in this thread. Security is kind of important. :)

lephisto commented 5 years ago

It would be easier to put it behind a reverse proxy (nginx, apache, you name it). I didn't want to bring the complexity of SSL / Letsencrypt into this project, but if you feel like it, send a PR :)