ELK M1 devices need OP_LEGACY_SERVER_CONNECT with openssl3+ (HA 2023.5.x+) #92467

Closed
dragonsoul84 opened this issue May 4, 2023 · 14 comments · Fixed by #92560

@dragonsoul84

The problem

ELK M1 integration was working perfectly on the newest release before 2023.5.0. Immediately after updating, entities associated with ELK M1 are not responding and the integration says it can't connect to the M1. Error in log is listed below.

What version of Home Assistant Core has the issue?

2023.5.0

What was the last working version of Home Assistant Core?

2023.4.6

What type of installation are you running?

Home Assistant OS

Integration causing the issue

ELK-M1 Control

Link to integration documentation on our website

https://www.home-assistant.io/integrations/elkm1/

Diagnostics information

No response

Example YAML snippet

No response

Anything in the logs that might be useful for us?

Logger: elkm1_lib.connection
Source: runner.py:179
First occurred: 12:07:58 AM (2 occurrences)
Last logged: 12:08:29 AM

Error connecting to ElkM1 ([SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:1007)). Retrying in 1 seconds
Error connecting to ElkM1 (). Retrying in 2 seconds

Additional information

No response

@home-assistant

home-assistant bot commented May 4, 2023

Hey there @gwww, @bdraco, mind taking a look at this issue as it has been labeled with an integration (elkm1) you are listed as a code owner for? Thanks!


@codyc1515
Contributor

I'm facing the same error message with a totally different (custom) integration. I suspect there has been a library update for the SSL libraries used in HA which has caused this. In any case, the actual root cause is that the HTTPS server is not that secure.

@dragonsoul84
Author

I suspect this is probably the case. I reloaded 2023.4.6 and am still having the same issue, so I guess the ssl libraries weren't under the same snapshot that was created during the update. I did find a minor firmware update for my ethernet device on the M1XEP and am trying it now.

@bdraco
Member

bdraco commented May 4, 2023

Looks like they decided not to backport the option in cpython

python/cpython#89051

@bdraco
Member

bdraco commented May 4, 2023

The raw value is 0x4

So

ssl_context.options |= 0x4

@bdraco
Member

bdraco commented May 4, 2023

cpython 3.12.0 alpha 4 and later have the new flag

Since it's due to be released in a few months and HA won't likely upgrade for a year or so, the flag to turn it off likely won't be available for another year

@bdraco
Member

bdraco commented May 4, 2023

I think we are stuck with the horrible hack of using the raw value

@bdraco
Member

bdraco commented May 4, 2023

It's the new openssl version that broke this AFAICT

@bdraco
Member

bdraco commented May 4, 2023

Can confirm the breakage is openssl related after upgrading my production install's openssl

@bdraco
Member

bdraco commented May 4, 2023

breakage is caused by openssl3

@bdraco
Member

bdraco commented May 4, 2023

downgrading openssl fixes the issue

@bdraco
Member

bdraco commented May 4, 2023

workaround is to connect without secure port.. that's not so great though

@bdraco
Member

bdraco commented May 4, 2023

gwww/elkm1#69 will fix it by manually flipping the legacy flag
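
The raw-value workaround discussed in this thread, scoped to a single device, as an added example (not code from Home Assistant or the elkm1 library). The host names, the allowlist and the helper names are assumptions made for illustration; only the `0x4` value and the error string come from the thread.

```python
import ssl

# Raw value quoted in the thread; the named constant exists only on CPython 3.12+.
OP_LEGACY_SERVER_CONNECT = getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4)
LEGACY_REASON = "UNSAFE_LEGACY_RENEGOTIATION_DISABLED"


def allows_legacy_connect(ctx):
    """True if ctx accepts servers that lack RFC 5746 secure renegotiation."""
    return bool(ctx.options & OP_LEGACY_SERVER_CONNECT)


def context_for(host, legacy_hosts):
    """Build a client context, relaxed only for explicitly listed devices."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    if host in legacy_hosts:
        ctx.options |= OP_LEGACY_SERVER_CONNECT
    else:
        # OpenSSL before 3.0 set the flag by default; clear it so every other
        # peer gets the OpenSSL 3 behaviour regardless of the linked version.
        ctx.options &= ~OP_LEGACY_SERVER_CONNECT
    return ctx


def needs_legacy_flag(exc):
    """True if exc is the refusal shown in the issue's log."""
    if not isinstance(exc, ssl.SSLError):
        return False
    return getattr(exc, "reason", None) == LEGACY_REASON or LEGACY_REASON in str(exc)


if __name__ == "__main__":
    legacy = {"elk-m1.example.invalid"}  # constructed host name
    for host in ("elk-m1.example.invalid", "cloud.example.invalid"):
        print(host, allows_legacy_connect(context_for(host, legacy)))
```

Building a fresh context per connection keeps the relaxed option off every other TLS client in the same process, and `needs_legacy_flag` lets a connection wrapper report which device triggered the refusal instead of retrying blindly.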

bdraco added the waiting-for-upstream label May 4, 2023
bdraco changed the title from "HA 2023.5.0 broke ELK M1 integration" to "ELK M1 devices need OP_LEGACY_SERVER_CONNECT with openssl3+ (HA 2023.5.x+)" May 4, 2023
gwww pushed a commit to gwww/elkm1 that referenced this issue May 4, 2023
bdraco removed the waiting-for-upstream label May 5, 2023
bdraco added a commit that referenced this issue May 5, 2023
bdraco mentioned this issue May 5, 2023
balloob pushed a commit that referenced this issue May 5, 2023
balloob pushed a commit that referenced this issue May 5, 2023
github-actions bot locked and limited conversation to collaborators Jun 4, 2023