How to enable strict TLS option on Evoko Liso?
Important! To avoid accidentally disabling all Lisos in your system, please read this article before enabling strict TLS check.
In Evoko Home v2.5 and above, there is an option under global settings to enable strict TLS check on Liso.
This article outlines the precautions to take before enabling this setting and the consequences of doing so.
Note! Strict TLS checking is disabled by default.
Background
When installing Evoko Home, a self-signed certificate is generated. This certificate is why you are getting a certificate warning when opening Evoko Home in the web browser post-install.
For better security, you can replace the self-signed certificate with your own trusted certificate, either during or after the initial configuration of Evoko Home. This removes the warning, and the browser shows a padlock icon in the address bar, indicating that the certificate chains to a CA the browser trusts and is issued for the host name you connected to.
What does the Enable strict TLS on Liso option do?
When enabled, the strict TLS check requires Evoko Home to present a valid, trusted certificate for the Lisos to connect. If the Liso is not presented with a trusted certificate by Evoko Home, it will refuse to connect.
What is it for?
Enabling strict TLS check on the Lisos improves overall security: each Liso authenticates the Evoko Home server before it talks to it, so a host on the network that impersonates Evoko Home with its own certificate is rejected. This reduces the risk of man-in-the-middle (MITM) attacks between the Lisos and the server.
Requirements
All of the below points need to be true for the Lisos to use strict TLS checking:
- Evoko Home is v2.5+
- Evoko Liso firmware is v2.5+
- Lisos are connected to Evoko Home via a fully qualified domain name (e.g. server + domain), not an IP address.
- A trusted and valid certificate, issued for exactly that domain name, is installed in Evoko Home. "Valid" means it is within its validity period and chains to a CA the Lisos trust; a self-signed certificate or one issued for a different name does not qualify.
- The Enable strict TLS on Liso option is enabled.
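Before ticking the option, it is worth checking from a client's perspective that the certificate really would pass strict validation for the name the Lisos use. The script below is an added example, not Evoko's own tooling: it connects to the configured Evoko Home address with Python's default strict context (trusted chain, host name match, validity period all required), refuses IP addresses up front, and maps any certificate failure back to the requirement it violates. The address `https://evoko.example.com:3002` and the port are assumed placeholders; substitute the exact server name configured on the Lisos.

```python
"""Pre-flight check for the "Enable strict TLS on Liso" setting (added example).

Connects to Evoko Home the way a strict client would: the chain must lead to
a trusted CA, the certificate must match the host name, and it must be within
its validity period. Each failure is mapped back to the requirement it breaks.
"""
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

# OpenSSL X509 verify error codes, surfaced as SSLCertVerificationError.verify_code
REASONS = {
    18: "self-signed certificate: Evoko Home still uses the generated certificate",
    19: "chain ends in a self-signed certificate the client does not trust",
    20: "issuer not trusted: intermediate missing on Evoko Home or CA not in the trust store",
    10: "certificate has expired",
    9: "certificate is not yet valid (check the server clock)",
    62: "host name mismatch: the certificate is not issued for this domain name",
}


def parse_server_address(address):
    """Split an address such as https://evoko.example.com:3002 (assumed
    example) into (host, port). A bare host name without scheme is accepted."""
    if "://" not in address:
        address = "https://" + address
    parts = urlsplit(address)
    if not parts.hostname:
        raise ValueError(f"no host in {address!r}")
    return parts.hostname, parts.port or 443


def is_ip_address(host):
    """True for an IPv4/IPv6 literal, which strict TLS on Liso does not allow."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_failure(exc):
    """Map a certificate verification error to the requirement it violates."""
    code = getattr(exc, "verify_code", None)
    if code in REASONS:
        return REASONS[code]
    return f"certificate rejected: {getattr(exc, 'verify_message', exc)}"


def strict_tls_precheck(address, timeout=5.0):
    """Return (ok, message); ok is True only if a strict client would connect."""
    host, port = parse_server_address(address)
    if is_ip_address(host):
        return False, "Lisos must be pointed at a domain name, not an IP address"
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return False, classify_failure(exc)
    except (OSError, ssl.SSLError) as exc:
        return False, f"connection failed: {exc}"
    subject = ", ".join(value for rdn in cert["subject"] for _, value in rdn)
    return True, f"trusted certificate for {host} ({subject}), valid until {cert['notAfter']}"


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "https://evoko.example.com:3002"
    ok, message = strict_tls_precheck(target)
    print(("OK: " if ok else "NOT READY: ") + message)
    sys.exit(0 if ok else 1)
```

Run it from a machine on the same network as the Lisos, against the exact name they are configured with; a successful result means the remaining requirements (firmware and Evoko Home versions, the option itself) are all that stand between you and enabling the check. Note that the script uses the trust store of the machine it runs on, so a certificate from a private CA passes here only if that CA is also trusted by the Lisos.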
Important notes
If strict TLS checking is enabled while the certificate is missing, untrusted, expired or issued for a different name, and all the other requirements are fulfilled, the Lisos will refuse to connect. Disabling strict TLS check will not help at this point, since the Lisos are already disconnected and thus will not receive the configuration change.
In this scenario there are three options:
- Install a valid certificate and restart the Evoko Home service, then either wait for every Liso to reboot (done automatically every night) or manually reboot them by cycling PoE power or removing the power cable from each Liso.
- Disable strict TLS checking, log on to each Liso using an admin PIN and reconnect it to Evoko Home. This cannot be done remotely; each Liso must be visited physically.
- Disable strict TLS checking, then firmware reset each Liso and reconnect them to Evoko Home. This is a last resort, for when you can neither install a valid certificate nor recall the admin PIN.