Configuration description

This Forum is about the Opentherm gateway (OTGW) from Schelte

Moderator: hvxl

Ghostbird
Starting Member
Posts: 14
Joined: Wed Mar 11, 2015 8:03 pm

Configuration description

Post by Ghostbird »

Is there a page/wiki that gives more details about the otmonitor configuration?
At the moment it is rather hard to configure for an application that one could reasonably expect to be run on a headless server (it even has a --daemon flag so it was expected).
I could not find a way to configure the gateway through the web interface, and using X11 forwarding is a major pain as it is excruciatingly slow.

I hope there's a good description of the various configuration options somewhere.
Also, what format is the config file using? What can I use to comment certain lines when I don't want to remove them entirely?

Personally I think that a Github/Bitbucket repository for the otmonitor source code would be a good idea as it makes access to, and modification of, the source easier to do and to coordinate. (It also comes with a wiki page)

At the moment I'm using the page: http://otgw.tclcode.com/otmonitor.html and making educated guesses based on that.
For example:
The "Automatically update the gateway clock" option will make otmonitor take care of that. It will also update the date value every day at midnight.
I am guessing this means that setting the clock { auto=true } does the same as enabling this option in the GUI, but I would need several test cycles to accept or reject that hypothesis.

EDIT:
Additional question:

How do I upgrade the SSL version to something resembling actual security? Is it a problem with my installation or is it a problem with the code of otmonitor? Currently it uses SSLv3.0 which is outdated and vulnerable to POODLEs (CVE-2014-3566). The main issue is that I want my otmonitor web server to be securely accessible from the internet, and modern browsers no longer accept broken SSL versions.
hvxl
Senior Member
Posts: 1965
Joined: Sat Jun 05, 2010 11:59 am

Re: Configuration description

Post by hvxl »

When you ask a question, please read the answer I provide. That saves me from having to answer them repeatedly.

The SSLv3 issue is discussed (and answered) here.
Schelte
Ghostbird
Starting Member
Posts: 14
Joined: Wed Mar 11, 2015 8:03 pm

Re: Configuration description

Post by Ghostbird »

hvxl wrote: When you ask a question, please read the answer I provide. That saves me from having to answer them repeatedly.

The SSLv3 issue is discussed (and answered) here.
I'm sorry, I guess I missed something? Anyway I have things almost working as I want them.
I guess I will have to download and modify the source code to fix the SSL issue?
A bit tedious for a relatively simple issue, but I guess it will lower the threshold to further source modifications, which I will probably do, and enjoy.

I'll set up the TCL environment on the Pi.
hvxl
Senior Member
Posts: 1965
Joined: Sat Jun 05, 2010 11:59 am

Re: Configuration description

Post by hvxl »

There is no description of the otmonitor configuration file because you are not expected to edit it by hand. You can run the otmonitor GUI (on the target machine or another machine that is more conveniently accessible) to create/modify the config file.
Schelte
hvxl
Senior Member
Posts: 1965
Joined: Sat Jun 05, 2010 11:59 am

Re: Configuration description

Post by hvxl »

Ghostbird wrote: I guess I will have to download and modify the source code to fix the SSL issue?
A bit tedious for a relatively simple issue, but I guess it will lower the threshold to further source modifications, which I will probably do, and enjoy.

I'll set up the TCL environment on the Pi.
No, you don't have to download and modify the source code to fix the SSL issue. You can wait for the next version of otmonitor.

You also don't have to "set up the TCL environment". You download two files and unzip one of them. That's all.

I provide all these tools for free and even indicate how you can fix problems yourself if you don't want to wait for the next release, but all you can do is whine that you have to do something yourself because some things don't work exactly like you want out of the box? Poor you.
Schelte
Ghostbird
Starting Member
Posts: 14
Joined: Wed Mar 11, 2015 8:03 pm

Re: Configuration description

Post by Ghostbird »

Ok, I've fixed it (in my opinion), here's the diff, feel free to use it:

Code:

Common subdirectories: original/otmonitor.vfs/docroot and otmonitor.vfs/docroot
Common subdirectories: original/otmonitor.vfs/images and otmonitor.vfs/images
Common subdirectories: original/otmonitor.vfs/lib and otmonitor.vfs/lib
diff -c original/otmonitor.vfs/otmonitor.tcl otmonitor.vfs/otmonitor.tcl
*** original/otmonitor.vfs/otmonitor.tcl	2015-02-13 17:58:38.000000000 +0100
--- otmonitor.vfs/otmonitor.tcl	2015-03-15 22:34:55.676041551 +0100
***************
*** 1454,1459 ****
--- 1454,1460 ----
      web,sslport		0
      web,nopass		true
      web,certonly	false
+     web,usetls          true
      server,port		7686
      server,enable	true
      server,relay	false
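Review bot: the added web,usetls default is indented and aligned with spaces, while the neighbouring entries (web,certonly, server,port) separate key and value with tabs; match the existing tab alignment so the defaults block stays uniform. The name also reads as a switch for TLS as a whole, whereas its only use in this patch is to pass -tls1 1, so a name such as web,tls1 would describe it better. Because the option is not exposed in the GUI, it needs a short comment or a line of documentation saying what it controls.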
diff -c original/otmonitor.vfs/web.tcl otmonitor.vfs/web.tcl
*** original/otmonitor.vfs/web.tcl	2014-11-29 11:26:26.000000000 +0100
--- otmonitor.vfs/web.tcl	2015-03-15 22:54:33.296034103 +0100
***************
*** 37,42 ****
--- 37,45 ----
  	} else {
  	    lappend cmd -request 0 -require 0
  	}
+ 	if {$cfg(web,usetls)} {
+ 	    lappend cmd -tls1 1
+ 	}
  	if {![catch {wibble listen $cfg(web,sslport) $cmd} fd]} {
  	    dict set rc https [dict create fd $fd port $cfg(web,sslport)]
  	} else {
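Review bot: the new branch only appends -tls1 1 to cmd and nothing in it switches SSLv3 off, so whether the listener still negotiates SSLv3 is left to the defaults of the tls package and the POODLE exposure this patch is meant to address may remain. Append -ssl2 0 -ssl3 0 in the same place so the older protocols are refused explicitly, and decide what web,usetls false should mean, since that path leaves the listener exactly as it was before the patch.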
Basically this just makes tls1 the default SSL version, but adds a configuration option that can be used to disable it if so desired.
The configuration option is "hidden" at the moment, because including it in the GUI would likely take a lot of time for me. I never saw TCL before, so these few lines took quite a long time already.

EDIT:
I've changed the diff above to a contextual diff. If anyone wants to add the option to their source easily, you can copy-paste the code block above into a file (e.g. tls.patch) in the same location as the otmonitor.vfs directory. Then run:

Code:

patch -p0 < tls.patch
Note: It is good practice to always review a patch you receive over the internet to ensure that people don't leave nasty surprises in them in addition to the intended changes. (Whether intentional or through bad programming.)
P.S. I would've put the whole bunch of code in an uploaded file, but the forum rejects any file I try to upload with: “extension ... not allowed” I guess my user account is too new or something.
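
A way to check the effect of a change like the one above from outside the server, as an added example that is not part of the original thread or of otmonitor: it sends a ClientHello capped at one protocol version and reports whether the HTTPS listener answers with a ServerHello or refuses. The host and port in the main block are placeholder assumptions, and the ServerHello and alert bytes used to exercise the parser are constructed.

```python
import os
import socket
import struct

SSL3, TLS10 = 0x0300, 0x0301
# RSA suites with CBC or RC4 that are defined for SSLv3 as well as TLS 1.0.
SUITES = (0x002F, 0x0035, 0x000A, 0x0005)
NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def client_hello(max_version):
    """Build a ClientHello record whose highest offered version is max_version."""
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    body = (struct.pack("!H", max_version) + os.urandom(32) + b"\x00"
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + struct.pack("!HH", max_version, len(handshake)) + handshake


def classify_reply(data):
    """Interpret the first record of the server's answer."""
    if len(data) < 7:
        return ("closed", None)
    if data[0] == 0x15:                       # alert record: level, description
        return ("alert", data[6])             # 40 handshake_failure, 70 protocol_version
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:   # ServerHello
        version = int.from_bytes(data[9:11], "big")
        return ("accepted", NAMES.get(version, hex(version)))
    return ("unknown", None)


def probe(host, port, max_version, timeout=5.0):
    """Send one ClientHello to host:port and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(max_version))
        try:
            data = sock.recv(4096)
        except OSError:                       # reset or timeout counts as a refusal
            data = b""
    return classify_reply(data)


if __name__ == "__main__":
    # Placeholder address: use the host and web,sslport of your own otmonitor.
    for version in (SSL3, TLS10):
        print(NAMES[version], probe("127.0.0.1", 8443, version))
```

A listener that no longer speaks SSLv3 answers the SSLv3 probe with an alert or closes the connection; one that still has it enabled returns ('accepted', 'SSLv3').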