Hey all,
Since I like to be bleeding-edge on my software, I updated to the not-yet-released Debian 10. This update also includes OpenSSL 1.1.1b. Everything went largely smoothly; however, there was a MASSIVE amount of SSL errors in the log. 100MB+ per day. I just discovered the workaround today and wanted to post it here for the search engines to pick up. If you are seeing these types of errors, read on:
```
2019-06-10 12:48:06 ERROR (MainThread) [homeassistant.core] Error doing job: SSL error in data received
Traceback (most recent call last):
  File "/usr/lib/python3.7/asyncio/sslproto.py", line 526, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "/usr/lib/python3.7/asyncio/sslproto.py", line 189, in feed_ssldata
    self._sslobj.do_handshake()
  File "/usr/lib/python3.7/ssl.py", line 763, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: WRONG_SIGNATURE_TYPE] wrong signature type (_ssl.c:1056)
2019-06-10 12:48:06 ERROR (MainThread) [homeassistant.helpers.entity] Update for binary_sensor.stove_2 fails
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/dist-packages/homeassistant/helpers/entity.py", line 220, in async_update_ha_state
    await self.async_device_update()
  File "/usr/local/lib/python3.7/dist-packages/homeassistant/helpers/entity.py", line 375, in async_device_update
    await self.async_update()
  File "/usr/local/lib/python3.7/dist-packages/homeassistant/components/sense/binary_sensor.py", line 109, in async_update
    await self._data.update_realtime()
  File "/usr/local/lib/python3.7/dist-packages/sense_energy/asyncsenseable.py", line 41, in update_realtime
    await self.async_realtime_stream(single=True)
  File "/usr/local/lib/python3.7/dist-packages/sense_energy/asyncsenseable.py", line 47, in async_realtime_stream
    async with websockets.connect(url) as ws:
  File "/usr/local/lib/python3.7/dist-packages/websockets/py35/client.py", line 2, in __aenter__
    return await self
  File "/usr/local/lib/python3.7/dist-packages/websockets/py35/client.py", line 12, in __await_impl__
    transport, protocol = await self._creating_connection
  File "/usr/lib/python3.7/asyncio/base_events.py", line 986, in create_connection
    ssl_handshake_timeout=ssl_handshake_timeout)
  File "/usr/lib/python3.7/asyncio/base_events.py", line 1014, in _create_connection_transport
    await waiter
  File "/usr/lib/python3.7/asyncio/sslproto.py", line 526, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "/usr/lib/python3.7/asyncio/sslproto.py", line 189, in feed_ssldata
    self._sslobj.do_handshake()
  File "/usr/lib/python3.7/ssl.py", line 763, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: WRONG_SIGNATURE_TYPE] wrong signature type (_ssl.c:1056)
```
This issue is actually caused by the security levels set by the web site, in this case Sense. The default security level in Debian 10/OpenSSL 1.1.1b conflicts with the lower security of whatever web application. You can read more about this here: https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1
Basically, you need to lower the default level back down to level 1. This really is a workaround; the sites in question should be updating their security. To do this you need to open up /etc/ssl/openssl.cnf and change “CipherString” from “DEFAULT@SECLEVEL=2” to “DEFAULT@SECLEVEL=1”. Then you will have to reboot your system.
Hope this helps someone else out!
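
A narrower variant of the workaround, as an added example that is not part of the original post or of Home Assistant's code: read which security level the `CipherString` line in openssl.cnf sets, and lower the level for a single Python TLS client context instead of for the whole system. The names `system_seclevel` and `scoped_context` and the sample config text are constructed for illustration; passing the context to a client only works where that client's code accepts one.

```python
import re
import ssl

# Constructed sample of the openssl.cnf section that holds the setting
# described in the post (not copied from a real system).
SAMPLE_CNF = """\
[system_default_sect]
MinProtocol = TLSv1.2
# CipherString = DEFAULT@SECLEVEL=1
CipherString = DEFAULT@SECLEVEL=2
"""

def system_seclevel(cnf_text):
    """Return the @SECLEVEL of the active CipherString line, or None."""
    level = None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # ignore commented-out lines
        m = re.match(r"CipherString\s*=\s*(\S+)", line)
        if m:                                  # a later line overrides an earlier one
            sec = re.search(r"@SECLEVEL=(\d)", m.group(1))
            level = int(sec.group(1)) if sec else None
    return level

def scoped_context(level=1):
    """TLS client context with a lowered security level for ONE connection.

    Certificate and hostname verification stay enabled; only the OpenSSL
    security level differs from the system default.
    """
    ctx = ssl.create_default_context()
    ctx.set_ciphers(f"DEFAULT@SECLEVEL={level}")
    return ctx

if __name__ == "__main__":
    print("level set in sample config:", system_seclevel(SAMPLE_CNF))
    ctx = scoped_context(1)
    print("verify_mode:", ctx.verify_mode, "check_hostname:", ctx.check_hostname)
    # Hypothetical use, if the calling code lets you supply a context:
    #   websockets.connect(url, ssl=ctx)
```

Every other TLS client on the machine keeps the distribution's level 2 default this way, and the override can be deleted once the remote service accepts a level 2 handshake.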