|
Post by Michael on Sept 3, 2013 6:08:34 GMT -8
I have not yet downloaded code or purchased the app. Is the communication between the iPad app and the pi python server encrypted (e.g. over SSL)? If not, how difficult would it be to implement and when might that be delivered? Thanks.
|
|
|
Post by SDL on Sept 3, 2013 7:30:10 GMT -8
Hi Michael,
As far as the app is concerned, it is simple to do. I've asked Engineering to support that as an option in the new version on a server by server basis. They are adding it to the list but have not given me a date. Ask again in about two weeks and I should have an answer.
The server side should be simple to do on the Raspberry pi. A modification to the RasPiConnectServer.
Really not practical on the Arduino server side (hence the server by server option above).
The app currently provides authentication using MD5 and the configuration files are signed.
Hope that is helpful!
Best regards,
BP
|
|
|
Post by Michael on Sept 3, 2013 11:18:34 GMT -8
Thank you and engineering for adding security to the To Do list. I regularly keep my SW updated so will see any new versions fairly promptly.
I did purchase the app and installed server on my pi and it is up and running. Keeping it on my internal LAN for now so security currently not a show stopper. I do not want certain unsecured info out of the local 'net, though, so will wait for SSL before opening the firewall to the server port.
Thanks for the app product and pi server - this is some neat & fun stuff and timely for a couple projects I have planned.
|
|
|
Post by SDL on Sept 3, 2013 16:13:53 GMT -8
Michael,
Good news for you. I actually got to sit down with the engineer and ask him what it would take (I had to bring him an espresso) and he looked at me funny and said "It's already in there".
All you have to do is edit your Server URL to have "https" instead of "http" and you are running in https mode.
You will have to fiddle around with the server to take https requests, but there are some excellent postings out there for doing just that with web.py (for example: groups.google.com/forum/#!topic/webpy/U6fNwHr2_MU but read it to the end!)
How's that for a quick solution!
Best regards,
BP
|
|
|
Post by Michael on Sept 3, 2013 21:16:03 GMT -8
Thank you - that is good news. I had added the S in the app (httpS) but had not modified RasPiConnectServer.py (web.py). Note that python-openssl needs to be installed as well on the pi. Run "sudo apt-get install python-openssl" after making the modifications, e.g. adding lines to RasPiConnectServer.py

    from web.wsgiserver import CherryPyWSGIServer
    CherryPyWSGIServer.ssl_certificate = "/etc/postfix/tls/server.crt"
    CherryPyWSGIServer.ssl_private_key = "/etc/postfix/tls/server.key"

I now have server running and in my ipad browser I can see the version number by using URL "httpS://192.168.3.125:9600/Version"
However, the ipad app cannot reach the server whether I use http or httpS in the default URL (e.g. httpS://192.168.3.125:9600/raspi). I do not even see the app request to the server (which I started from command line on pi).
No disrespect intended; has SSL been tested by engineering (i.e. connect ipad app via SSL to RasPiConnectServer.py) that this does work so that we are past the "theoretically, it should work" stage? It was working with no SSL earlier.
I am not available to work on it anymore for a few days but will provide an update once I have a chance to work on it again.
|
|
|
Post by SDL on Sept 4, 2013 8:31:54 GMT -8
Michael,
I'll get back to you on that. I'll check later on today.
Question for you though: The default URL is only used to determine where to download or upload configuration files from your Raspberry Pi.
You must set a specific URL for each control. Did you do that to, say, a button?
BP
|
|
|
Post by Michael on Sept 5, 2013 18:15:08 GMT -8
Yes, I configured status panel (upper right), number of processes, voltage, remote web view, and Send To for my default URL. Also, in settings, I try the Server Report. No responses from the SSL enabled server when using the app; only via the mobile browser.
|
|
|
Post by SDL on Sept 6, 2013 7:07:57 GMT -8
Michael,
I'll give your setup a try. This will make a good app note and tutorial.
BP
|
|
|
Post by Michael on Sept 9, 2013 16:11:50 GMT -8
Anything? I looked over my setup again and can find nothing amiss other than that it appears the iPad app is not sending anything to the pi. I run rasPiConnectServer.py from command line on pi. I can see it accept requests from the iPad browser to, e.g. 192.168.3.125:9600/Version (or /raspi). However, when I configure the iPad RasPiConnect app for the (/raspi) URL and make a request (e.g. Server Report from setup, or a configured button), I do not see any request go to the server (based on watching command line of running server on pi). I have run out of things to do. Have the engineers verified this actually works? If an upgrade is needed please let me know so I can quit spinning my wheels trying to get this working. Has anyone got a secure connection going between the iPad app and a pi? Thanks for any feedback ...
|
|
|
Post by SDL on Sept 9, 2013 17:50:25 GMT -8
Michael,
I haven't had a chance yet to do this, but I will tomorrow. I looked at Wireshark on our computer and it looks like it is sending it in HTTPS. The problem might be on the Raspberry Pi end, which is what I will test.
Did it accept a connection to "https://192.168.3.125:9600/Version"? That narrows it down a lot.
Best regards,
BP
|
|
|
Post by Michael on Sept 9, 2013 18:06:33 GMT -8
And I just ran tcpdump on the pi and see that the iPad app is sending to port 9600 on the pi. In the iPad mobile Safari browser, the 192.168.3.125:9600/Version will show response from pi.
RasPiConnectServer Version 2.8
Looking closer at tcpdump output, it looks to me like the iPad app sends request to pi server, pi server responds, but iPad app does not display response.
|
|
|
Post by SDL on Sept 9, 2013 19:12:42 GMT -8
Michael,
Now that gives me a real clue. I'll talk to the engineer tomorrow. I'll just bet we have a problem reading SSL from a self-generated certificate (which is what I am sure you are using). Simple fix if true, but it will have to go through the appstore so it will be a week or so after we release it.
BP
|
|
|
Post by Michael on Sept 9, 2013 19:15:56 GMT -8
Correct, self generated certificate.
thanks
|
|
|
Post by SDL on Sept 10, 2013 18:19:49 GMT -8
Michael,
Here's the scoop. When we run the app against a web.py https server, we get the error:
Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “xxx.xxx.com” which could put your confidential information at risk." UserInfo=0x93bcc40
and the information from the Pi is thrown away.
Now the error isn't a surprise, given that it is self generated. It IS open to a man-in-the-middle attack as well as other potential issues.
There is an API that allows a self signed certificate, but some people say that the Appstore will reject your app if you use it. A bit paranoid, but there you have it.
However, there are free solutions. You can get a signed SSL certificate. Do a search on free ssl certificate.
You do need your own domain.
We are going to prototype the internal App solution for self signed certificates and do some more research about rejection.
BP
|
|
|
Post by SDL on Sept 10, 2013 18:54:53 GMT -8
Michael,
Much to the chagrin of my SO, I decided to build a quick prototype to allow RasPiConnect to connect to an unsigned certificate. It works!!
numid=3,iface=MIXER,name='PCM Playback Route'
  ; type=INTEGER,access=rw------,values=1,min=0,max=2,step=0
  : values=1
"https://rfw.wardner.com:9600/"
"https://0.0.0.0:9600/"
<XMLObjectXMLRequests><XMLCOMMAND><OBJECTSERVERID>B-1</OBJECTSERVERID><OBJECTNAME>SSLButton</OBJECTNAME><USERNAME>027C697DC48E9F294D450E5DF7372253</USERNAME><PASSWORD>01A4AFA6E8030895733322634DA47D14</PASSWORD><OBJECTTYPE>16</OBJECTTYPE><OBJECTFLAGS>0</OBJECTFLAGS><OBJECTACTION>SINGLEPUSH</OBJECTACTION><OBJECTID>37</OBJECTID></XMLCOMMAND></XMLObjectXMLRequests>
XMLCOMMAND:
USERNAME: 027C697DC48E9F294D450E5DF7372253
PASSWORD: 01A4AFA6E8030895733322634DA47D14
OBJECTNAME: SSLButton
OBJECTTYPE: 16
OBJECTSERVERID: B-1
OBJECTID: 37
027C697DC48E9F294D450E5DF7372253
01A4AFA6E8030895733322634DA47D14
objectType = 16
objectServerID = B-1
VALIDATE=NO
objectServerID = B-1
ACTION_BUTTON_UTYPE of B-1 found
Local user objects returns:
ACTION_BUTTON_UITYPE found
VALIDATE=NO
objectServerID = B-1
objectServerID = B-1
Config.i2c_demo=1
<XMLCOMMAND><OBJECTID>37</OBJECTID><OBJECTSERVERID>B-1</OBJECTSERVERID><OBJECTTYPE>16</OBJECTTYPE><OBJECTFLAGS>0</OBJECTFLAGS><RASPICONNECTSERVERVERSIONNUMBER>2.6</RASPICONNECTSERVERVERSIONNUMBER><RESPONSE><![CDATA[OK]]></RESPONSE></XMLCOMMAND>
final outgoing data =<XMLRESPONSES><XMLCOMMAND><OBJECTID>37</OBJECTID><OBJECTSERVERID>B-1</OBJECTSERVERID><OBJECTTYPE>16</OBJECTTYPE><OBJECTFLAGS>0</OBJECTFLAGS><RASPICONNECTSERVERVERSIONNUMBER>2.6</RASPICONNECTSERVERVERSIONNUMBER><RESPONSE><![CDATA[OK]]></RESPONSE></XMLCOMMAND></XMLRESPONSES>
98.145.93.45:58573 - - [11/Sep/2013 02:51:53] "HTTP/1.1 POST /raspi" - 200 OK
This will be in our next version which should be going out in the next week or two.
Best regards,
BP
|
|
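Editor's added example, not RasPiConnect or RasPiConnectServer code: the thread notes that accepting a self-generated certificate leaves the connection open to a man-in-the-middle, and one way for a client to accept a single self-signed certificate without accepting every one is to pin its SHA-256 fingerprint. The function names, the `/Version` default and the sample bytes below are assumptions for illustration, written for Python 3.

```python
import hashlib
import hmac
import socket
import ssl


def normalize_pin(pin):
    """Accept 'AA:BB:...' or 'aabb...' and return 64 lowercase hex digits."""
    cleaned = pin.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("pin must be a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def fingerprint(der_cert):
    """SHA-256 of the DER certificate, the digest that
    `openssl x509 -noout -fingerprint -sha256` reports."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pin):
    """Constant-time comparison of the presented certificate with the pin."""
    return hmac.compare_digest(fingerprint(der_cert), normalize_pin(pin))


def fetch_pinned(host, port, pin, path="/Version", timeout=5.0):
    """GET path over TLS; nothing is sent unless the server's cert matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Chain validation is off because the certificate is self-signed; the
    # pin check below is what authenticates the server.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if der is None or not pin_matches(der, pin):
                raise ssl.SSLError("certificate does not match pinned fingerprint")
            request = "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, host)
            tls.sendall(request.encode("ascii"))
            return b"".join(iter(lambda: tls.recv(4096), b""))


# Constructed sample: stand-in bytes, not a real certificate.
SAMPLE_DER = b"constructed-der-bytes-for-illustration"
SAMPLE_PIN = ":".join(
    fingerprint(SAMPLE_DER)[i:i + 2].upper() for i in range(0, 64, 2))
```

The pin has to be recorded over a channel you trust (for example, read from the certificate file on the Pi itself), and it must be updated whenever the server certificate is regenerated.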