vsaw
commented
8 years ago As @kaikreuzer pointed out there's work been done on this at https://github.com/openhab/openhab2-addons/pull/402. However this issue remains in openHAB 1.x therefore I'll leave it open as a point of discussion if it's worth backporting this feature to openHAB 1.x.
teichsta
Problem
Currently openHAB provides a "default" certificate, which gives no proper protection as anyone can download the private key from openHAB and thus decrypt TLS connections to openHAB.
Proposal
Therefore instead of shipping a unsafe certificate I propose to create a self signed certificate on the machine runnings openHAB if there is none present.
In addition
openhab.cfgshould get new options to specify some fields of the certificate like the Common Name (CN) by adding values likesecurity:tls_common_name=<the name>to the configuration. If these options are not present, default values will be assumed.The addon should then check if the certificate in the keystore matches the configuration and create a new one if it has changed.
Usability Considerations
From a user perspective this addon does not change their experience with openHAB. In both cases they will be presented a self-signed certificate they have to add to their browsers.
Security Considerations
While this raises the complexity and possibly the attack surface of openHAB. I believe the added security of having really secret certificates for all openHAB installations out of the box will improve security of the data in transport a lot.
Implementation Considerations
For openHAB instances reachable from the public internet, https://letsencrypt.org/ could be used as a Certificate Authority. This will create a proper trust chain and thus can be validated by clients without the self-signed certificate warnings.