core: RESTful sensors fail to update from HTTPS servers that do not support secure renegotiation since 2023.5.0 when the underlying OS is using OpenSSL 3+

The problem

Since updating to 2023.5.0 (running under Home Assistant Operating System), updates to sensors which consume from a server that does not support secure renegotiation fail.

I do not have any control over the external server so cannot make it conformant.

What version of Home Assistant Core has the issue?

core-2023.5.0

What was the last working version of Home Assistant Core?

core-2023.4.6

What type of installation are you running?

Home Assistant OS

Integration causing the issue

RESTful

Link to integration documentation on our website

https://www.home-assistant.io/integrations/rest/

Diagnostics information

No response

Example YAML snippet

  - platform: rest
    name: Bin Data
    resource: https://www.bathnes.gov.uk/REDACTED
    scan_interval: 21600
    json_attributes:
      - residualNextDate
      - recyclingNextDate
      - organicNextDate
    value_template: "OK"

Anything in the logs that might be useful for us?

Logger: homeassistant.components.rest.sensor
Source: components/rest/sensor.py:72
Integration: RESTful
First occurred: 13:32:15 (1 occurrences)
Last logged: 13:32:15
Error connecting https://REDACTED failed with [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:1007)

Additional information

It might make sense to add the ability to allow this on a per-resource basis. I believe the option required on the SSL context is as follows:

ssl_context.options |= 0x4 # set OP_LEGACY_SERVER_CONNECT

About this issue

  • State: open
  • Created a year ago
  • Comments: 30 (19 by maintainers)

Most upvoted comments

Still an issue.

@cdevrell In case it’s of interest to you (or anyone else who stumbles across this with particular reference to BANES bin collection) I contributed https://github.com/mampfes/hacs_waste_collection_schedule/pull/1015 and have been using that integration in the meantime.

@trozman That will likely be something different. You can see the servers backing that endpoint support secure renegotiation in these SSL labs scan results.

This is the plan … will work on it in the next few days.

From the user perspective I’d initially imagined a new ssl_allow_legacy_server_connect config option defaulting to false would work nicely enough.
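As an added example (not code from Home Assistant, the RESTful integration or the linked PRs), this models the per-resource opt-in proposed above and in the "Additional information" section on a plain ssl.SSLContext, clearing the legacy bit by default whichever OpenSSL Python was built against; the option name ssl_allow_legacy_server_connect, the resource dicts and the error classifier are assumptions based on the commenter's proposal, the YAML and the log line in the report.

```python
import ssl

# OpenSSL's SSL_OP_LEGACY_SERVER_CONNECT bit (0x4). Python exposes it as
# ssl.OP_LEGACY_SERVER_CONNECT only from 3.12, so fall back to the raw value.
# Converted to a plain int so bitwise NOT is a real complement, not IntFlag's.
LEGACY_BIT = int(getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4))


def build_ssl_context(allow_legacy_server_connect: bool = False) -> ssl.SSLContext:
    """Default client context. The legacy-renegotiation bit is explicitly
    cleared unless opted in, so behaviour is identical on OpenSSL 1.1.1
    (bit on by default) and OpenSSL 3.x (bit off by default)."""
    ctx = ssl.create_default_context()
    if allow_legacy_server_connect:
        ctx.options = int(ctx.options) | LEGACY_BIT
    else:
        ctx.options = int(ctx.options) & ~LEGACY_BIT
    return ctx


def legacy_renegotiation_allowed(ctx: ssl.SSLContext) -> bool:
    return bool(int(ctx.options) & LEGACY_BIT)


def certificate_verification_enabled(ctx: ssl.SSLContext) -> bool:
    # The legacy bit only relaxes renegotiation; peer verification stays on.
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def context_for_resource(resource: dict) -> ssl.SSLContext:
    """Per-resource opt-in keyed on the hypothetical option name proposed in
    the comments; resources without it keep the strict default."""
    return build_ssl_context(bool(resource.get("ssl_allow_legacy_server_connect", False)))


def is_legacy_renegotiation_error(err) -> bool:
    """True only for the OpenSSL 3 failure quoted in the log above (pass the
    exception or its message), so a caller can report that the per-resource
    option applies instead of blindly retrying."""
    return "UNSAFE_LEGACY_RENEGOTIATION_DISABLED" in str(err)


# Constructed sample configs mirroring the YAML in the report (assumed shape).
RESOURCES = [
    {"name": "Bin Data", "resource": "https://www.bathnes.gov.uk/REDACTED",
     "ssl_allow_legacy_server_connect": True},
    {"name": "Other", "resource": "https://example.invalid/api"},
]

if __name__ == "__main__":
    for r in RESOURCES:
        ctx = context_for_resource(r)
        print(r["name"], "legacy:", legacy_renegotiation_allowed(ctx),
              "verify:", certificate_verification_enabled(ctx))
```

Enabling the bit only permits renegotiation with servers that lack the RFC 5746 extension; certificate and hostname verification on the context are untouched.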

They decided not to backport the option in CPython:

https://github.com/python/cpython/issues/89051

Elk won’t be upgrading their SSL support any time soon, so the solution for that problem is here: https://github.com/gwww/elkm1/pull/69