Allow insecure TLS with the HTTP Module
-
I am using this module to connect my Flic Hub with a Home Assistant instance running locally on a Raspberry Pi 5. I recently added a self-signed TLS certificate to my Home Assistant instance and am now getting a TlsFailure error from the http_class used within the module. I am hoping there is a way to disable the TLS check; Home Assistant provides the verify_ssl: false option. I am looking for something similar to curl --insecure / -k but within the HTTP Class.
Upstream issue: https://github.com/blunan/flic-hub-home-assistant-module/issues/10
-
@Emil It might be kind of insecure, but with some devices the only API supported. I would like to make requests to a WiiM device. Their API only supports HTTPS with a self-signed certificate. https://www.wiimhome.com/pdf/HTTP API for WiiM Mini.pdf
The Flic Hub configured with the Flic App UI is unable to make requests too, even when I turn off the validation. Is there some way to debug the hub's requests? Requests with curl work ok:
    curl 'https://redacted.hostname.fi/httpapi.asp?command=setPlayerCmd:mute:0' --insecure -D - -vvv
    * Trying 10.0.0.39:443...
    * Connected to redacted.hostname.fi (10.0.0.39) port 443
    * ALPN: curl offers h2,http/1.1
    * (304) (OUT), TLS handshake, Client hello (1):
    * (304) (IN), TLS handshake, Server hello (2):
    * (304) (IN), TLS handshake, Unknown (8):
    * (304) (IN), TLS handshake, Request CERT (13):
    * (304) (IN), TLS handshake, Certificate (11):
    * (304) (IN), TLS handshake, CERT verify (15):
    * (304) (IN), TLS handshake, Finished (20):
    * (304) (OUT), TLS handshake, Certificate (11):
    * (304) (OUT), TLS handshake, Finished (20):
    * SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
    * ALPN: server did not agree on a protocol. Uses default.
    * Server certificate:
    * subject: C=CN; ST=Shanghai; L=Shanghai; O=linkplay; OU=linkplay; CN=www.linkplay.com; emailAddress=mail@linkplay.com
    * start date: Nov 14 12:24:18 2018 GMT
    * expire date: Nov 11 12:24:18 2028 GMT
    * issuer: C=CN; ST=Shanghai; L=Shanghai; O=linkplay; OU=linkplay; CN=www.linkplay.com; emailAddress=mail@linkplay.com
    * SSL certificate verify result: self signed certificate (18), continuing anyway.
    * using HTTP/1.x
    > GET /httpapi.asp?command=setPlayerCmd:mute:0 HTTP/1.1
    > Host: redacted.hostname.fi
    > User-Agent: curl/8.4.0
    > Accept: */*
    >
    * HTTP 1.0, assume close after body
    < HTTP/1.0 200 OK
    HTTP/1.0 200 OK
    < Date: Mon, 18 Mar 2024 19:29:14 GMT
    Date: Mon, 18 Mar 2024 19:29:14 GMT
    < Server: Boa/0.94.13
    Server: Boa/0.94.13
    < Connection: close
    Connection: close
    < Content-Length: 2
    Content-Length: 2
    < Last-Modified: Mon, 18 Mar 2024 19:29:14 GMT
    Last-Modified: Mon, 18 Mar 2024 19:29:14 GMT
    < Content-Type: text/html
    Content-Type: text/html
    <
    * Closing connection
    OK
Anyway, here's a use case to use https with no cert validation.
-
@Brooke correct! We are planning to add such a feature though.
-
Can you use an http endpoint instead of an https endpoint?
Of course, as the Home Assistant server is local I can have it be accessible over HTTP. I may look into allowing both HTTP and HTTPS traffic to the server on different ports then only use HTTP for things like Flic.
Https with a non-trusted certificate is kind of insecure anyway.
Sure, it is more about wanting to make sure that all traffic is encrypted within the network. Even if that certificate isn't trusted by a browser (or a CA), having some encryption is better than none.
The middle ground here would be to set up a DNS server and then have a trusted certificate issued from a known CA.
I was simply hoping that I could either tell the HTTP Module to ignore certificate errors, or add my certificate to a trusted list. Sounds like that is currently not the case, can you confirm?
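
The "add my certificate to a trusted list" option asked about above can be done by pinning the certificate's SHA-256 fingerprint, which also works when the device certificate's CN does not match its LAN hostname (as in the curl output earlier in the thread). This Python code is an added example, not part of the thread and not Flic Hub SDK code; the function names are hypothetical and nothing here implies the Flic HTTP module supports pinning.

```python
import hashlib
import hmac
import socket
import ssl


def normalize_fingerprint(text):
    """Accept 'AA:BB:...' (openssl style) or plain hex; return lowercase hex."""
    cleaned = text.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def matches_pin(der_cert, pinned):
    """True only if SHA-256 of the DER certificate equals the pinned value."""
    actual = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(actual, normalize_fingerprint(pinned))


def open_pinned(host, port, pinned, timeout=5.0):
    """Connect over TLS without CA or hostname checks, but refuse to go on
    unless the server presents exactly the pinned certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # device cert CN need not match its LAN name
    ctx.verify_mode = ssl.CERT_NONE  # a self-signed cert has no CA chain to verify
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    # The server certificate is available even though validation was skipped.
    der = tls.getpeercert(binary_form=True)
    if der is None or not matches_pin(der, pinned):
        tls.close()
        raise ssl.SSLError("peer certificate does not match pinned fingerprint")
    return tls  # caller sends the HTTP request over this socket and closes it
```

Unlike `curl --insecure` or `verify_ssl: false`, a connection opened this way fails if anything other than the known certificate answers; the pin has to be updated whenever the device's certificate is replaced.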
-
@Brooke Can you use an http endpoint instead of an https endpoint? Https with a non-trusted certificate is kind of insecure anyway.