<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:12.0pt'>I don’t have the full context for this discussion, but I’m wondering: is the OTA update mechanism protected against a man-in-the-middle attack?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'> Tom<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-left:.5in'><b><span style='font-size:12.0pt;color:black'>From: </span></b><span style='font-size:12.0pt;color:black'>OvmsDev &lt;ovmsdev-bounces@lists.openvehicles.com&gt; on behalf of Mark Webb-Johnson &lt;mark@webb-johnson.net&gt;<br><b>Reply-To: </b>OVMS Developers &lt;ovmsdev@lists.openvehicles.com&gt;<br><b>Date: </b>Wednesday, April 4, 2018 at 11:51 PM<br><b>To: </b>OVMS Developers &lt;ovmsdev@lists.openvehicles.com&gt;<br><b>Subject: </b>Re: [Ovmsdev] OTA status check timeout / SSL problem?<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p></div><p class=MsoNormal style='margin-left:.5in'><a name="_MailOriginalBody">I think it was a fault on the </a><a href="http://api.openvehicles.com"><span style='mso-bookmark:_MailOriginalBody'>api.openvehicles.com</span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'> config - that shouldn’t be redirecting to https.<o:p></o:p></span></p><div><p class=MsoNormal style='margin-left:.5in'><span style='mso-bookmark:_MailOriginalBody'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:.5in'><span style='mso-bookmark:_MailOriginalBody'>I fixed it, and it should be ok now.<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:.5in'><span style='mso-bookmark:_MailOriginalBody'><o:p> 
</o:p></span></p></div><div><p class=MsoNormal style='margin-left:.5in'><span style='mso-bookmark:_MailOriginalBody'>Regards, Mark.<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:.5in'><span style='mso-bookmark:_MailOriginalBody'><o:p> </o:p></span></p><div><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='margin-left:.5in'><span style='mso-bookmark:_MailOriginalBody'>On 5 Apr 2018, at 12:44 AM, Michael Balzer &lt;</span><a href="mailto:dexter@expeedo.de"><span style='mso-bookmark:_MailOriginalBody'>dexter@expeedo.de</span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'>&gt; wrote:<o:p></o:p></span></p></div><p class=MsoNormal style='margin-left:.5in'><span style='mso-bookmark:_MailOriginalBody'><o:p> </o:p></span></p><div><div><p class=MsoNormal style='margin-left:.5in'><span style='mso-bookmark:_MailOriginalBody'>Mark,<br><br>the server check for an OTA update now fails every time, times out after 10 seconds.<br><br>I think that's because the new server currently does a redirect from http to https also on the </span><a href="http://api.openvehicles.com"><span style='mso-bookmark:_MailOriginalBody'>api.openvehicles.com</span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'> host. Not sure why the module doesn't fail<br>directly on that, maybe it tries to validate the certificate which also does not match.<br><br>As the openvehicles server has frequent connectivity issues from here I've added a "nocheck" option to the ota status command and use that for the standard web<br>status page. 
The OTA page still checks for the update.<br><br>Regards,<br>Michael<br><br>-- <br>Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal<br>Fon 02333 / 833 5735 * Handy 0176 / 206 989 26<br><br>_______________________________________________<br>OvmsDev mailing list<br></span><a href="mailto:OvmsDev@lists.openvehicles.com"><span style='mso-bookmark:_MailOriginalBody'>OvmsDev@lists.openvehicles.com</span><span style='mso-bookmark:_MailOriginalBody'></span></a><span style='mso-bookmark:_MailOriginalBody'><br>http://lists.openvehicles.com/mailman/listinfo/ovmsdev<o:p></o:p></span></p></div></div></blockquote></div><p class=MsoNormal style='margin-left:.5in'><span style='mso-bookmark:_MailOriginalBody'><o:p> </o:p></span></p></div></div></div></body></html>