
I have a Samsung Smart AC (heat pump/mini split) and would like to do some automation against it. I have an app on my Android phone. By researching a lot I found out that I could control my AC with OpenSSL.exe like this:

    openssl.exe s_client -connect 192.168.1.154:2878

Then, after the connection has been established, I can copy/paste this:

    "<Request Type="AuthToken"><User Token="16968012-2892-M993-N707-3738REMOVED" /></Request>"
    "<Request Type="DeviceControl"><Control CommandID="cmd11111" DUID="7825ADREMOVED"><Attr ID="AC_FUN_POWER" Value="On" /></Control></Request>"

And then the AC turns on.

The problem is that I can't automate the task because I have to wait until the connection has been established and then copy/paste the request. Openssl.exe doesn't seem to take any parameters that I can use.

I have tried in PowerShell with Invoke-WebRequest / RestMethod but I get an SSL/TLS error. I have also tried in C# but with the same result.

    using System;
    using System.Net;

    class Program
    {
        // Validation callback that accepts every server certificate without checking it.
        public static bool AcceptAllCertifications(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certification, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors)
        {
            return true;
        }

        static void Main(string[] args)
        {
            ServicePointManager.ServerCertificateValidationCallback = new System.Net.Security.RemoteCertificateValidationCallback(AcceptAllCertifications);
            Uri uri = new Uri("https://192.168.1.154:2878");
            WebRequest webRequest = WebRequest.Create(uri);
            WebResponse webResponse = webRequest.GetResponse(); // throws the WebException quoted below
            webResponse.GetResponseStream();

            Console.Read();
        }
    }

This gives me this error:

    The request was aborted: Could not create SSL/TLS secure channel.

So as you can see I can't even just GET/connect to the AC with C# without getting an SSL error.

I can't figure out what 'Openssl.exe s_client' does, since it works. Can anybody maybe enlighten me?

UPDATE: Output from OpenSSL:


    C:\Program Files (x86)\GnuWin32\bin>openssl.exe s_client -connect 192.168.1.154:2878
    Loading 'screen' into random state - done
    CONNECTED(0000017C)
    depth=0 /C=KR/L=Suwon/O=Samsung Electronics/OU=Digital Applicance/CN=a287848/emailAddress=moweon.lee@samsung.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /C=KR/L=Suwon/O=Samsung Electronics/OU=Digital Applicance/CN=a287848/emailAddress=moweon.lee@samsung.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/C=KR/L=Suwon/O=Samsung Electronics/OU=Digital Applicance/CN=a287848/emailAddress=moweon.lee@samsung.com
       i:/C=KR/L=Suwon/O=Samsung Electronics/OU=Digital Applicance/CN=a287848/emailAddress=moweon.lee@samsung.com
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIDdDCCAt2gAwIBAgIBATANBgkqhkiG9w0BAQUFADCBkTELMAkGA1UEBhMCS1Ix
    DjAMBgNVBAcTBVN1d29uMRwwGgYDVQQKExNTYW1zdW5nIEVsZWN0cm9uaWNzMRsw
    GQYDVQQLExJEaWdpdGFsIEFwcGxpY2FuY2UxEDAOBgNVBAMTB2EyODc4NDgxJTAj
    BgkqhkiG9w0BCQEWFm1vd2Vvbi5sZWVAc2Ftc3VuZy5jb20wHhcNNzAwMTAxMDkw
    MDE2WhcNNzAwMjAxMDkwMDE2WjCBkTELMAkGA1UEBhMCS1IxDjAMBgNVBAcTBVN1
    d29uMRwwGgYDVQQKExNTYW1zdW5nIEVsZWN0cm9uaWNzMRswGQYDVQQLExJEaWdp
    dGFsIEFwcGxpY2FuY2UxEDAOBgNVBAMTB2EyODc4NDgxJTAjBgkqhkiG9w0BCQEW
    Fm1vd2Vvbi5sZWVAc2Ftc3VuZy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
    AoGBANWEclyhZblo3TwG39hFVZK+LHTICEbgWwHQdAx1RwLFvIgsTFlgHu8Hb0fC
    AN2Wknx5vb0ks355PycY/xlUY6Rmr3eSU34undtt7jE1K0OYeasUOvxpXyBtmSo6
    72YtDSN6rh3F6SgOKrUVsQFDCJ2V5CQHxKyH5FFwAmcHUbjzAgMBAAGjgdkwgdYw
    CQYDVR0TBAIwADAkBglghkgBhvhCAQ0EFxYVIlNhbXN1bmcgZWxlY3Ryb25pY3Mi
    MB0GA1UdDgQWBBTdhKfUKlp5ocnU6K9BF4smWiDPbzBfBgNVHSMEWDBWoUmkRzBF
    MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
    ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkggkAvwoLvHnlSoIwCwYDVR0PBAQDAgUgMBYG
    A1UdEQQPMA2CC3NhbXN1bmcuY29tMA0GCSqGSIb3DQEBBQUAA4GBAHfi+2JxtpvO
    6MFZReZkXg+GMOt2UEPqFKpeJGCRdCoKnEmvBMUsp8PaopZ6uy/Z3V4FIhP/wcUv
    fC1+feizmZkzO3ixThJH6zo3edEjZAA7KBj+ecfLYd/PTXkAfIJFM9RlCfAkbbbc
    gGSDyBpGJ4wJHhB91bjK8qamUw5LJJrY
    -----END CERTIFICATE-----
    subject=/C=KR/L=Suwon/O=Samsung Electronics/OU=Digital Applicance/CN=a287848/emailAddress=moweon.lee@samsung.com
    issuer=/C=KR/L=Suwon/O=Samsung Electronics/OU=Digital Applicance/CN=a287848/emailAddress=moweon.lee@samsung.com
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1212 bytes and written 202 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 1024 bit
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: D4576CA26103343877505F0B1726833E7F3C76481EFD01233EF21B482C4D4FBA
        Session-ID-ctx:
        Master-Key: 7609462DC362B422115C370DA282106208842119047CF97F384F3E1B5079AF5CE72A5CF9FA35A41C2D67400672E70CAE
        Key-Arg   : None
        Start Time: 1498081620
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---
    DRC-1.00
    

    closed

user1281991
  • I assume the AC's certificate is not trusted by your computer. `Openssl s_client` doesn't care (because it's a diagnostic tool), but everything else does. Have you tried opening `https://192.168.1.154:2878` in your browser and ignoring the certificate warning? –  Jun 18 '17 at 21:22
  • Did you try `SslStream`? – Lex Li Jun 19 '17 at 02:24
  • Post the actual text output that `openssl s_client ...` produces. That will contain a lot of information about the connection. And you should be able to post content to the standard input of `openssl s_client ...`. See https://stackoverflow.com/questions/6763086/why-is-input-redirect-not-implemented-in-powershell to start. – Andrew Henle Jun 19 '17 at 09:36
  • @AndrewHenle I have now updated my post with OpenSSL info, thank you – user1281991 Jun 21 '17 at 21:50
  • It's using a self-signed cert (somewhat expected), but for some reason your `AcceptAllCertifications()` isn't getting called? Put some debug output into your `AcceptAllCertifications()` to verify that it's actually called. It's possible that the SSL implementation being used by your C#/Powershell code can't find a common cipher suite. What OpenSSL version are you using? This might also be useful: https://stackoverflow.com/questions/5977817/debugging-failing-https-webrequest – Andrew Henle Jun 22 '17 at 09:43

1 Answer

The problem you are facing is most likely the version of SSL/TLS protocol.

Your callback is right only.

If your server allows only SSLv3 and TLSv10 and your client needs TLSv12 then you will receive this kind of error.

Make both of them use the same version.

Use this:

    ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

Note: Based on your protocol version, change the placeholders accordingly.

Ranadip Dutta
  • Using Ssl3 gives me new error that I can't figure out how to pass: System.Net.WebException: 'The server committed a protocol violation. Section=ResponseStatusLine' – user1281991 Jun 21 '17 at 22:17
  • That's what. Your server has to allow that first. Check the supported version from the server side first. I don't know which webserver you are using. IIS by default listens for web requests on port 80. In this case, another application is already listening for requests on port 80. Typically, Skype listens on ports 80 and 443 when installed. Hence the issue. `Skype -> Tools -> Options -> Advanced -> Connection:`. Check the [Protocol Violation](http://www.kulov.net/2006/06/server-committed-protocol-violation.html) – Ranadip Dutta Jun 22 '17 at 04:06
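
Following the `SslStream` suggestion in the comments, an added example (not code from the question or the answer): the `s_client` output shows the device greeting with `DRC-1.00` rather than an HTTP status line, so this speaks raw XML over a TLS stream and pins the AC's self-signed certificate instead of accepting every certificate. The pin value is a placeholder, and the CRLF terminator and one-reply-per-request reads are assumptions about the device's framing.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

class AcClient
{
    // Placeholder: SHA-256 of the AC's certificate (hex, no separators), recorded once out of band.
    const string PinnedSha256 = "<SHA256-OF-YOUR-AC-CERTIFICATE>";

    // Accept only the pinned self-signed certificate instead of returning true for any certificate.
    static bool IsPinned(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        using (var sha = SHA256.Create())
        {
            string hex = BitConverter.ToString(sha.ComputeHash(cert.GetRawCertData())).Replace("-", "");
            return string.Equals(hex, PinnedSha256, StringComparison.OrdinalIgnoreCase);
        }
    }

    // Send one request (assumed CRLF-terminated) and return whatever the device sends back next.
    static string Exchange(SslStream ssl, string request)
    {
        if (request != null)
        {
            byte[] data = Encoding.ASCII.GetBytes(request + "\r\n");
            ssl.Write(data, 0, data.Length);
            ssl.Flush();
        }
        var buffer = new byte[4096];
        int n = ssl.Read(buffer, 0, buffer.Length);   // throws IOException once ReadTimeout expires
        return Encoding.ASCII.GetString(buffer, 0, n);
    }

    static void Main()
    {
        using (var tcp = new TcpClient("192.168.1.154", 2878))
        using (var ssl = new SslStream(tcp.GetStream(), false, IsPinned))
        {
            ssl.ReadTimeout = 5000;
            // The s_client output shows TLSv1, so request that version for this connection only.
            ssl.AuthenticateAsClient("192.168.1.154", new X509CertificateCollection(), SslProtocols.Tls, false);
            Console.WriteLine(Exchange(ssl, null));   // greeting; "DRC-1.00" in the s_client output
            Console.WriteLine(Exchange(ssl, "<Request Type=\"AuthToken\"><User Token=\"16968012-2892-M993-N707-3738REMOVED\" /></Request>"));
            Console.WriteLine(Exchange(ssl, "<Request Type=\"DeviceControl\"><Control CommandID=\"cmd11111\" DUID=\"7825ADREMOVED\"><Attr ID=\"AC_FUN_POWER\" Value=\"On\" /></Control></Request>"));
        }
    }
}
```

With the placeholder pin left in place the handshake fails closed; the token and DUID are the redacted values from the question and need the real ones substituted.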