Android 5.0

[oberkc]

After updating to android lollipop, Mobilinc can no longer connect to the ISY through the secure port while on a cellular network. Connection through the local network when on wifi appears to be u affected.

 

I have a static IP address established through mynetgear.com. This address works when accessing through mobilinc on other android devices.

 

Mobilinc worked prior to update to android 5.0. Besides the android update, no changes were made to mobilinc settings.

 

Thoughts?

[larryllix]

This does sound like a MobiLinc compatibility problem.

 

Can you access ISY using the URL link some other way? Browser maybe? I can't access ISY with Android 4 as Java seems to be a stumbling block.

[Jimbo.Automates]

Yes, others have this issue as well and Wes has not followed up yet http://forum.mobilinc.com/viewtopic.php?t=2896

 

Sent from my Nexus 7 using Tapatalk

[oberkc]

Thanks, jimbo. I probably should have thought to check that forum.

 

Larrylix...that is an interesting question, so I tried. Yes, I could get to the ISY via browser on the phone, but not without many warnings about this being non-secure. There was also a warning about lack of certificate.

 

I have always found these kinds of things to be a little baffling, but cannot help but suspect that these are clues of some type.

[Xathros]

Thanks, jimbo. I probably should have thought to check that forum.

 

Larrylix...that is an interesting question, so I tried. Yes, I could get to the ISY via browser on the phone, but not without many warnings about this being non-secure. There was also a warning about lack of certificate.

 

I have always found these kinds of things to be a little baffling, but cannot help but suspect that these are clues of some type.

As I recall from earlier Android days, there may be a setting that allows you to override and accept invalid certificates / server name mismatches etc.  If this is set to disallow, this may be the stumbling point.  I have no recent Android stuff, so I'm just guessing here.

 

-Xathros

[oberkc]

As I recall from earlier Android days, there may be a setting that allows you to override and accept invalid certificates / server name mismatches etc.  If this is set to disallow, this may be the stumbling point.  I have no recent Android stuff, so I'm just guessing here.

 

-Xathros

I suspect that this is more likely not factor. The second android device (v4.4) I have still works with mobilinc, and accessing through the bowser yields similar warnings. I ill snoop around however...it is worth a shot.

[MWareman]

Android 5 likely dropped support for SSL3 (as well as SSL2) due to the BEAST (Edit: Sorry. POODLE vulnerability...) protocol vulnerability. Your ISY needs to use at least TLS1.0 for connections from devices that have disabled the older encryption mechanisms.

 

Use the ISY dashboard to see what 'server' ciphers your ISY is set to support.

 

My ISY 'server' strength is set to 'All', and MobiLinc connects just fine from Android 5 (on a Nexus 5).

 

Michael.

[oberkc]

The more I look into this, the more I become confident that I have some problem with certificates or something.  Perhaps the older version of android allowed things through that it should not have.

 

My HTTPS Server Settings are TLS1.0 and low.  I will change them to ALL and see what happens.  I do NOT, apparently, have a certificate of any kind and am studying the documentation on that.

[taisau]

It looks like only the isy pro, not the non-pro version like I have, allows changing https protocol. Mobilinc is now a pro-only feature?

[MWareman]

It looks like only the isy pro, not the non-pro version like I have, allows changing https protocol. Mobilinc is now a pro-only feature?

Not quite. 4.2.18 now defaults the non-pro to TLS 1.0 instead of SSL3.

 

http://forum.universal-devices.com/topic/11538-whats-in-4218-official/

 

Yet another reason to upgrade old 99i devices as well......

[oberkc]

The more I read, the more I conclude that certificates are not required in my case.  In my dashboard network settings, I do not "verify" server or "client". 

 

As near as I can tell, all is set up consistently.  HTTP port is 88.  HTTPS port is 555.  I believe port-forwarding rules are set up properly on router.  Clearly, however, something is not quite right.

 

The one clue that I continue to find interesting is that, when I log on remotely via chrome browser, if I try HTTPS: with port 555 (my "secure" port), I am unable to reach ISY.  If, however, I try HTTP: with my "secure" port 555, I am able to access the ISY. 

[larryllix]

Did you reinstall MobiLinc after the Android 5 update? Unfortunately sometimes these things are not very accommodating.

 

I found after a MobiLinc auto update I have to rebuilt everything from scratch.

[oberkc]

I did not (yet). I continue to more and more suspect that the issue lies elsewhere. I will certainly try this, however, if I get desperate.

[auger66]

Android 5 likely dropped support for SSL3 (as well as SSL2) due to the BEAST (Edit: Sorry. POODLE vulnerability...) protocol vulnerability. Your ISY needs to use at least TLS1.0 for connections from devices that have disabled the older encryption mechanisms.

 

Use the ISY dashboard to see what 'server' ciphers your ISY is set to support.

 

My ISY 'server' strength is set to 'All', and MobiLinc connects just fine from Android 5 (on a Nexus 5).

 

Michael.

 

This was it for me. I changed my server strength from low to all. Works fine now.

[oberkc]

I have still yet to try this.  The reason is that when I attempt to connect to the ISY through a chrome browser rather than mobilinc, it still fails.  My best guess at this point is that this is not a problem specific to mobilinc, and I would rather not mess up my settings with mobilinc and tasker if need not be.

 

I have tried combinations of strength, and TCL 1.0, 1.1, and 1.2 (whatever that all means).  NOthing yet.

[auger66]

Just to be clear, I'm only talking about Mobilinc.

 

I did a clean install of Lollipop (Android 5.0) on my Nexus 5, and installed Mobilinc from scratch. I also have the latest ISY firmware--4.2.18. Mobilinc did not work via secure https; it did work via local http connection. I'm using Internet Explorer, and that worked fine--local or remote. I have no security certificates installed.

 

When I checked, TLS 1.0 was already selected, and Mobilinc did not work via secure https. All I changed was "low" to "all."

 

Mobilinc works perfectly now via cellular connection with this one change.

[oberkc]

Thanks. I understood you were speaking only of mobilinc. Unfortuantel, when one uninstalls mobilinc, it will break any related tasker profiles or tasks or widgets.

 

I will continue to try different options in mobilinc security settings as you suggest and see if this helps. It sure seems as if I have tried most possible combinations.

[rick.curl]

I've got the same problem. Just upgraded to Android 5 on a Nexus 7. If I restart Mobilinc several times it will occasionally work.  It was fine before the Android 5 upgrade. My wife's nexus 7 is doing the same thing.

 

I'll be watching this thread with great interest.

 

-Rick

 

[oberkc]

Wes, from mobilinc, and Steve Lee from UDI, has been kind enough to offer some assistance with this.  At this point, I have some settings that I would never have tried.  In my ISY, I have HTTP assigned to port 122 and HTTPS assigned to 1443.  In my router forwarding rules, however, I have both internal AND external ports assigned 1443.  I have no router port-forwarding rule associated with port 122.  I have phone mobilinc set to local port 122 and secure port assinged to 1443, with connection method auto detect. 

 

This appears to allow connections, at least, on cellular AND wifi.  Unfortunately, the response to commands now includes a delay of about 30 seconds, even when on wifi.  On tablets used exclusively at home, I have the same settings on mobilinc, except for connection method is "local connection".  The delays exist on these tablets as well.

 

These settings don't sound correct to me, but they are the first since android 5.0 that I have been able to establish a connection via cellular network.  (Though the ability to connect via wifi remained.)  Unfortunately, the 30-second delays between command and response renders my home tablets useless, for all intents and purposes. 

[InsteonNut]

Hi folks, 

 

Just catching up on the forum traffic. If you need to get ahold of us faster, our email support line found in the MobiLinc app is monitored daily.

 

To follow-up with oberkc results for clarity, the external port needs to route to the ISY's HTTPS port. MobiLinc uses HTTP for the local connection and HTTPS for the external/secure connection. If the external port in MobiLinc routes down to the ISY's HTTP port this will fail. Route the external port to the ISY's HTTPS port.

 

Also, when changing the strength of the cipher, if you choose "HIGH" you will see a very long delay to connect to the ISY as oberkc is reporting. The reason is with HIGH selected that's equal to a key strength of 2048 bits which will cause the ISY to take about 30 seconds to handshake via HTTPS with any client. You have two options. Start with ALL or a Low strength cipher and move up till you find your balance of security and acceptable delay OR use our MobiLinc Connect service which is equal to the HIGH Setting in the ISY with no added delay from connecting MobiLinc clients using MobiLinc Connect.

 

Wes 

[oberkc]

To summarize my settings at this point:

 

ISY HTTP port is 122 and HTTPS port is 1443.  ISY server settings are TLS1.2 and ALL.  ISY client settings are the same, though I suspect these don't matter.  I cannot use default 80/443 ports, because other devices have already taken these ports.

 

Router configuration is that internal AND external port forwarding are assigned to 1443.  I have NO PORT FORWARDING RULE relating to port 122, even though the ISY shows port 122 as the HTTP port.

 

In mobilinc, tablets used exclusively around the house are set to connect method "local", and local port 122.  I have populated the secure port settings, but doubt that this matters in this case.  After several tries, response times are now fast.  I have no explanation why they were once slow, but now are fast.  Persistence, I guess.

 

In moblinc for cell phone or other devices that could be used around the house or elsewhere, I have connect method "autodetect, local port is 122, and secure port is 1443.  Such devices, at this point, continue to be slow responding, regardless of whether on wifi or cellular.

 

One thing I learned was that when changing settings on the ISY, give it time to reboot before trying to connect via moblinc. 

 

Another thing I learned was that things I thought I understood about routers and stuff were not true.  I understand these things less now than before.  I suspect I will have forgotten everything by the time I need to replace one of my tablet devices.

 

I cannot imagine many companies providing as good as hands-on guidance as I have received from UDI and mobilinc.  Simply incredible.

 

I am now officially tired of technology and need a break.  Tomorrow, I may go to the woodshop and actually make something. 

[Scottx]

Hi folks,

 

I just emailed Wes at Mobilinc only because he was active on this thread and he might have some quick info, but he pretty much summed up what I *think* I know - that the problem is on the Isy side. 

 

I too lost my connectivity from Mobilinc on Android after the update to 5.0.  I've been running this setup for many months with no issues and can still get to the Isy from a browser from outside.

 

I have a 994i ( NON-PRO ) and do not have the ability to change the server strength setting to low as seems to have worked for others.  In this case, if this is the cure, how can this be resolved?  I have a call in to UD, but really don't like where this -seems- to be headed.

 

Thanks, Scott

[oberkc]

I will give it a shot.  My perceptions, after what seemed like hours at trying to understand this, with much help from Wes and SteveL, is that everything appears to work GREAT now.  I don't see any problems with mobilinc OR ISY OR routers.  My problems were my misunderstanding of what is an "external" port and an "internal" port.  

 

I assume you know, or can find, or verify, your own IP address.  I assume, also you know the internal address of the ISY (most likely something like 192.168.x.xx).  Here would be my summary...from your admin panel configuration page, or your dashboard network window, find:

 

ISY HTTP Port = NNN (mine is 122)

ISY HTTPS Port = SSSS (mine is 1443)

 

In the mobilinc settings, make sure your local port is set to either NNN or SSSS (if you prefer secure comms when on your own network).  For the secure port, add your ISY HTTPS port number RRRR (random port number that does not necessarily have to match anything in the ISY settings.  Mine is 5000).  In mobilinc settings, your local IP address would be that of the ISY, 192.168.x.xx.  In mobilinc settings your secure IP address would the address you get when go to whatismyip.com, or your static IP address if you have established one.  Use "autodetect" as the connection method if you care to have mobilinc try to use your non-secure port when on the wifi LAN.

 

The next part is where I had messed up, due to a complete misunderstanding of the meaning of router settings "internal" and "external" port.  The port forward rule you need to create is to associate the mobilinc port RRRR (5000, in my case), with the ISY secure port SSSS (1443, in my case).  In my netgear router, it is called external and internal ports.  The external port is the port through which mobilinc connects to your network when outside your wifi (WAN).  The internal port is the ISY port you wish to route to, from your external port.  In essence, I perceive the port forwarding as connecting an external device (mobilinc, in this case) connected via an external port (5000) to an internal device (ISY) on the internal port (1443).  This port forwarding rule is associated with the ISY internal address 192.168.x.xx.

 

In summary, my settings:

 

ISY HTTP 122

ISY HTTPS 1443

 

Mobilinc local http; 192.168.x.xx

mobilinc local port 122

mobilinc secure https: whatismyip or static IP address

mobilinc secure port 5000

 

router port forwarding rules for isy 192.168.x.xx

external port 5000 routed to internal port 1443

 

Has worked like a champ so far!  I hope this was clear and that it works for you.  Based on my experience with various security settings, I doubt that your "non-pro" version is a factor.  I tried various security settings, and mine worked on all, including TLS 1.0, 1.1, and 1.2.

[Scottx]

Thanks Ober, but I'm ok in the router department - I appreciate the feedback, though.  I was not aware that upgrading to an ISY Pro was as simple as a software update - thought I needed a new device.  So I upgraded my Isy to Pro and now I can see the server and client proto strength settings that others here have referred to.  NOTE for others though... after the upgrade, I still ONLY saw low, medium and high strength. (On an older PC with XP in Firefox) I still could NOT get Mobilinc to communicate with the Isy, though. 

 

I bit the bullet and installed Java on my Mac, then loaded the dashboard with Firefox and then I saw the additional 'All' setting - that finally worked.  So, it took a bit, but ultimately I can confirm the same result as the others here - that the 'All' option, under strength (while using the Isy 994i PRO) does in fact fix the issue.

[oberkc]

I played around with these settings, but did not find these to be a factor for me.