Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PSA: Windows 10 machines running HASS.Agent will not connect to HA instances behind a reverse proxy requiring TLS 1.3 #120

Open
CaptainStealthy opened this issue Jul 12, 2024 · 2 comments
Labels
bug Something isn't working enhancement New feature or request

Comments

@CaptainStealthy
Copy link

CaptainStealthy commented Jul 12, 2024

Describe the bug
I am posting this to avoid a DenverCoder9 situation, in case someone ever has this issue, and attempts to find out why it's happening in a future Google or GitHub search...

This should be a discussion thread, but Discussions are not enabled on this repo, so it's an issue instead, lol.

This is actually a "bug" (air quotes...) in the HADotNet library - and it's not even a bug, more so just a quirk of Windows 10. There might be a way for @qJake to address it in his code, but if he can't, then there is a workaround.

When running HASS.Agent on Windows 10 for the first time, if you try to connect to a Home Assistant install that is behind a reverse proxy (Traefik, in my case) that enforces TLS 1.3, you'll receive a generic connection error. I didn't get this error on my Windows 11 laptop, because (as I found out) Windows 11 has TLS 1.3 enabled by default, so that sent me down a rabbit hole.

After delving into the HASS.Agent logs (thank god for those...), and some Google searches, I found this issue by @VivantSenior in the HADotNet repo, and I also found out that for some mind numbing reason, Windows 10 doesn't actually support TLS 1.3?! 🤯 (at least not out of the box...)

That was mind boggling to me, but anyway...it seems that there is a registry workaround to enable TLS 1.3 on Windows 10 - or at least, it worked on my PC, which is running 22H2. This is purely a guess, but maybe the inner dependencies needed for the TLS 1.3 client are present in the later versions of Windows 10, since 21H2 was the first build of Windows 11? 🤷‍♂️

Long story short, I believe it's possible to set TLS 1.3 as the default protocol in the HADotNet library, which I outlined in this comment in the aforementioned issue thread. But that's something @qJake has to do - or if someone wants to submit a PR to his repo. 😉

TL;DR - Enough talk! What's the workaround for those of us on Windows 10 that aren't programmers?!

As long as you're running Windows 10 21H2 or later, the registry workaround in this link should help - basically, I just created a registry key called TLS 1.3\Client under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols, and then added two DWORD values:

  • DisabledByDefault: Value of 0
  • Enabled: Value of 1

After that, reboot the system, and it should work fine. 😁

To Reproduce
Steps to reproduce the behavior:

  1. Install and run HASS.Agent on a Windows 10 machine
  2. Connect to an HA instance behind a proxy that requires TLS 1.3 on client connections
  3. Receive error saying could not connect, check URI and connection settings, etc.

Expected behavior
Self-explanatory...

Misc info (please complete the following information):

  • Windows build (ideally screenshot/info of winver.exe output): Windows 10 22H2
  • Windows' UI language: English
  • HASS.Agent version: 2.0.1
  • HADotNet version: 1.6.0

Please check what's applicable (multiple answers possible):

  • Installed via installer
  • Problem occurs in HASS.Agent (via HADotNet library)

Additional context
N/A - although I did notice that HADotNet is referenced as a DLL file in the repo itself, rather than via the NuGet package - any reason for that? 🤔

Logs

System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: Authentication failed because the remote party sent a TLS alert: 'ProtocolVersion'.
 ---> System.ComponentModel.Win32Exception (0x80090326): The message received was unexpected or badly formatted.
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at HADotNet.Core.BaseClient.Get[T](String path)
   at HADotNet.Core.Clients.ConfigClient.GetConfiguration()
   at HASS.Agent.HomeAssistant.HassApiManager.CheckHassConfigAsync(String uri, String apiKey, Boolean automaticClientCertificate, Boolean allowUntrustedCertificates, String clientCertificate) in D:\a\HASS.Agent\HASS.Agent\src\HASS.Agent\HASS.Agent\HomeAssistant\HassApiManager.cs:line 331
@CaptainStealthy CaptainStealthy added the bug Something isn't working label Jul 12, 2024
@CaptainStealthy CaptainStealthy changed the title Bug: Windows 10 machines running HASS.Agent will not connect to HA instances behind a reverse proxy requiring TLS 1.3 PSA: Windows 10 machines running HASS.Agent will not connect to HA instances behind a reverse proxy requiring TLS 1.3 Jul 12, 2024
@amadeo-alex
Copy link
Collaborator

This should be framed and put as an example of perfect ticket :D
Thank you for all the info!

This should be a discussion thread, but Discussions are not enabled on this repo, so it's an issue instead, lol.

I take this on me, it will be a good idea to enable them.

although I did notice that HADotNet is referenced as a DLL file in the repo itself, rather than via the NuGet package - any reason for that?

The original HADotNet repository wasn't updated in some time and the published nuget even in longer - original HASS.Agent creator - Sam - opted to build the dll and include in the project. I assume that it was to have some of the bug fixes and features that weren't included in the published nuget.
I don't really like that so I've forked the HADotNet, published the nuget and it's used as a dependency for HASS.Agent 2.1.0-betaX versions and up - https://github.com/amadeo-alex/HADotNet

I think I even saw one of the other issues that you've created and did a bit of research on the topic but not enough to implement anything yet.
I wonder if it's possible to force TLS1.3 on the HADotNet side even if the OS registry might have it disabled.

@CaptainStealthy
Copy link
Author

CaptainStealthy commented Jul 12, 2024

Hahah, no problem. I was glad to be able to solve a .NET problem again! 😉

And makes sense re: why you forked the library. In that case, you should be able to add TLS 1.3 to your custom HTTP client handler that you've already added. I posted a snippet in the other thread I mentioned.

https://github.com/hass-agent/HASS.Agent/blob/main/src/HASS.Agent/HASS.Agent/HomeAssistant/HassApiManager.cs#L143

handler.SslProtocols = SslProtocols.Tls13 | SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls

Like I said, I don't know if you'd still need the OS registry key or not, but it's worth a try.

@amadeo-alex amadeo-alex modified the milestone: 2.1.0 Jul 13, 2024
@amadeo-alex amadeo-alex added the enhancement New feature or request label Jul 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

2 participants