Android app should allow user to accept self-signed TLS certificate

paka · January 26, 2022, 7:17pm

Currently, the Android app refuses https connection to HA, if self-signed TLS certificate is used.

It should ask user, and leave the decision if he wants to take the risk, up to user - similar way like most applications, browsers etc do.

There are valid use cases when self signed certificate can be used, and not allowing user to decide may just result in falling back to using plain http, which is much worse from security point of view. Currently the app is not usable at all in such case.

Note: self-signed certificate is no way a “certificate error”, it is a special case which is of course generally not recommended, but has valid use cases where using “real” cert is either not possible, or makes no sense (like if running in network without internet access, but still expected to be using https), and it should be up to user to decide.

dshokouhi · February 16, 2022, 5:46pm

there is already a pre-existing PR for this request, just waiting for requested changes and more review cycles

github.com/home-assistant/android

TLS Client certificate support for Android and WearOS APP

home-assistant:master ← mircoboschi:master

opened 06:29PM - 18 Dec 21 UTC

mircoboschi

+226 -7

## Summary Add Client TLS support to Android and WearOS APP. This allow to hav…e a NGINX/Cloudflare reverse proxy in front of Home Assistant that accepts connections only from clients having a valid certificate. Without certificate, Home Assistant is kept completely unreachable ## Screenshots No UI changes (not yet, at least) ## Link to pull request in Documentation repository Documentation: https://github.com/home-assistant/companion.home-assistant/pull/636 ## Any other notes Probably cert file upload should be changed. Client cert also works in Wear OS, but is tricky to upload cert files.

wuench · February 16, 2022, 6:01pm

Client certificates are not the same thing as self-signed server certificates. It would probably just translate into allowing the client to disable cert checking.

A workaround would be to load your self-signed cert onto the phone and watches trust store. I know it’s possible to do this on android via the chorme browser. I am not sure if it possible on wearos.

dshokouhi · February 16, 2022, 6:10pm

self signed certificates should work, see: Troubleshooting | Home Assistant Companion Docs

Jackjohnson · May 9, 2023, 1:22pm

Since the original question is still pending that PR that was closed more than a year ago, here’s a somewhat friendly guide that works in case you want to use a personal certificate backed by your own self-signed root CA on Android:

github.com

ouaibe/howto/blob/7c7f9230aa2544f8bf3954261c7094335cb35d9c/HomeAssistant/HomeAssistantTrustedSelfSigned.md


# HomeAssistant: Trusted Self-Signed Certificates (HA Mobile App + Browser)

#### This is a quick guide on creating self-signed IP-backed certificates for your local HomeAssistant server that are validated by the HA Mobile App and can also be added to browsers.

##### Note that the general guidance is to generate valid domain-backed certificates and regularly update them using Let's Encrypt so use this guide as a last resort.

----


1) Create your own CA
---

On your PC use your already-installed OpenSSL (if not, install it using your preferred distro's package manager).

This will create your root key, so make sure the directory you're working in is not world readable and the PC you're using is somewhat trustworthy.

You will need to chose a CN/Organization Name for your Root CA and for your subsequent certificates.

First, generate key curve parameters, as a curve reference for later OpenSSL commands:

This file has been truncated. show original

nick2525 · May 11, 2023, 9:04pm

Please no. We need more security, we need ssl pinning. Self sign certificate should be turn off by default, and you can put it in admin settings.

Rulehammer-69 · April 11, 2024, 6:34pm

Sorry but i disagree, we already have security on a level which most companys do not have! Everbody (especially if you have the knowledge) should be able to decide on himself to accept a invalid or self signed certificate or not - fine for me to put this in any kind of admin area, but give me the option. The alternative is like on my side to just not use any security at all because I just don’t care. At the same moment I cannot decide at which port I want to operate - thats disgusting in terms of security because these are standard ports always included in random port scans. I prefer my open ports to set them in a range where nobody actually is looking at…

nick2525 · April 14, 2024, 5:56am

No, success of HA as a whole depends on whether botnets have appeared on it. And if they appear, you will have to fight them with code. Therefore, you can do anything in your fork, but in the main repository - system should remain super secure.