SSL Error for Kia Canada

[djensenius]

Describe the bug
When running npm debug I'm getting:

debug: write EPROTO 00DE05DC01000000:error:0A000172:SSL routines:tls12_check_peer_sigalg:wrong signature type:ssl/t1_lib.c:1573:

Usefull info(please complete the following information):

• OS: [e.g. macOS, Windows, Linux] macOS
• Bluelinky Version [e.g. v5.2.3] (current master branch)
• Region: [e.g. US, CA, EU] CA
• Brand: [kia, hyundai] Kia

Additional context
Node: 18.16.1
Happy to privately provide login details.

[Hacksore]

since it's a TLS issue it could be an issue with your machine and or dependencies.

I'd try in another machine or even in a docker container to troubleshoot.

[djensenius]

Tried with a linux machine and node 20.4.0 with the same error :(

I think both are using openssl@3

[djensenius]

Just tried on a GitHub Codespace

@djensenius ➜ /workspaces/bluelinky (master) $ npm run debug

> [email protected] debug
> cross-env LOG_LEVEL=debug ts-node debug.ts

? What Region are you in? CA
? Which brand are you using? kia
{ region: 'CA', brand: 'kia' }
Logging in...
[2023-07-12 01:20:21] debug: CA Controller created
[2023-07-12 01:20:21] debug: Bluelinky is logging in automatically, to disable use autoLogin: false
[2023-07-12 01:20:21] info: Begin login request
[2023-07-12 01:20:21] debug: [https://kiaconnect.ca/tods/api/lgn] {} {"loginId":"hiding_this","password":"hiding_this"}
[2023-07-12 01:20:21] info: Begin getVehicleList request
[2023-07-12 01:20:21] debug: [https://kiaconnect.ca/tods/api/vhcllst] {} {}
[2023-07-12 01:20:22] debug: write EPROTO 00483CBC0B7F0000:error:0A000172:SSL routines:tls12_check_peer_sigalg:wrong signature type:../deps/openssl/openssl/ssl/t1_lib.c:1572:

[2023-07-12 01:20:22] debug: Found 0 on the account```

[Hacksore]

can you try curl -vvv https://kiaconnect.ca/tods/api/vhcllst and see if you get errors that relate to TLS?

[djensenius]

Hmm, nope:

❯ curl -vvv https://kiaconnect.ca/tods/api/vhcllst
*   Trying 209.198.184.19:443...
* Connected to kiaconnect.ca (209.198.184.19) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=US; ST=California; O=Kia Motors America Inc; CN=www.kiaconnect.ca
*  start date: Sep 13 00:00:00 2022 GMT
*  expire date: Oct  6 23:59:59 2023 GMT
*  subjectAltName: host "kiaconnect.ca" matched cert's "kiaconnect.ca"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Organization Validation Secure Server CA
*  SSL certificate verify ok.
* using HTTP/1.x
> GET /tods/api/vhcllst HTTP/1.1
> Host: kiaconnect.ca
> User-Agent: curl/7.88.1
> Accept: */*
> 
< HTTP/1.1 500 Internal Server Error
< Date: Wed, 12 Jul 2023 01:27:40 GMT
< Server: Oracle-Application-Server-11g
< Access-Control-Allow-Methods: POST, GET
< Access-Control-Max-Age: 1000
< Access-Control-Allow-Headers: language, offset, UCID, From, x-requested-with, Content-Type, origin, authorization, accept, client-security-token, accesstoken, clientId, clientSecret
< Access-Control-Allow-Credentials: true
< Allow: POST
< Set-Cookie: JSESSIONID=2AD79C7CD36EE3A300DDEC91582646B5; Path=/; HttpOnly
< Content-Length: 358
< Access-Control-Allow-Origin: *
< Connection: close
< Content-Type: text/html;charset=UTF-8
< Content-Language: en
< ```

[Hacksore]

I just ran debug with CA and i got the same issue 💀.

> [email protected] debug
> cross-env LOG_LEVEL=debug ts-node debug.ts

? What Region are you in? CA
? Which brand are you using? kia
{ region: 'CA', brand: 'kia' }
Logging in...
[2023-07-11 20:29:55] debug: CA Controller created
[2023-07-11 20:29:55] debug: Bluelinky is logging in automatically, to disable use autoLogin: false
[2023-07-11 20:29:55] info: Begin login request
[2023-07-11 20:29:55] debug: [https://kiaconnect.ca/tods/api/lgn] {} {"loginId":"[email protected]","password":"<REEEEEEEEEEEEEEEEDACTED>"}
[2023-07-11 20:29:56] info: Begin getVehicleList request
[2023-07-11 20:29:56] debug: [https://kiaconnect.ca/tods/api/vhcllst] {} {}
[2023-07-11 20:29:56] debug: write EPROTO 005ED0EE01000000:error:0A000172:SSL routines:tls12_check_peer_sigalg:wrong signature type:../deps/openssl/openssl/ssl/t1_lib.c:1572:

[2023-07-11 20:29:56] debug: Found 0 on the account

[djensenius]

Same thing is happening with the login method, it's just not logging the response by default.

I looked at upgrading got thinking that might have something to do with it. But the new version has a lot of breaking changes. 🤷

[Hacksore]

Hmmm I tried without got and native fetch in node v18 and got a similar issue with the CA endpoint.

I have to assume the TLS settings were changed on their server causing this issue 🤔.

Code:

fetch('https://kiaconnect.ca/test')
  .then(res => res.json())
  .then(console.log)
  .catch(console.error);

Error:

TypeError: fetch failed
    at Object.fetch (node:internal/deps/undici/undici:11457:11)
    at processTicksAndRejections (node:internal/process/task_queues:95:5) {
  cause: [Error: 005ED0EE01000000:error:0A000172:SSL routines:tls12_check_peer_sigalg:wrong signature type:../deps/openssl/openssl/ssl/t1_lib.c:1572:
  ] {
    library: 'SSL routines',
    reason: 'wrong signature type',
    code: 'ERR_SSL_WRONG_SIGNATURE_TYPE'
  }
}

[djensenius]

Looks like OpenSSL 3, which newer versions of node are compiled against, does not like the certificate. Can’t get a workaround working unfortunately.

Guess we wait for the cert to expire, which is luckily not a terribly long wait.

[Hacksore]

Could you downgrade node and try to see if that's a workaround for now?

[djensenius]

@Hacksore Yep, downgrading to node 16 is MUCH happier:

Logging in...
[2023-07-14 10:31:05] debug: CA Controller created
[2023-07-14 10:31:05] debug: Bluelinky is logging in automatically, to disable use autoLogin: false
[2023-07-14 10:31:05] info: Begin login request
[2023-07-14 10:31:05] debug: [https://kiaconnect.ca/tods/api/lgn] {} {"loginId":"<nope>","password":"<nope>"}
[2023-07-14 10:31:06] debug: {
  "accessToken": "<nope>",
  "scope": [
    "profile"
  ],
  "tokenType": "bearer",
  "expireIn": 86400,
  "refreshToken": "<nope>",
  "signature": ""
}
[2023-07-14 10:31:06] info: Begin getVehicleList request
[2023-07-14 10:31:06] debug: [https://kiaconnect.ca/tods/api/vhcllst] {} {}
[2023-07-14 10:31:07] debug: CA Vehicle <nope> created
[2023-07-14 10:31:07] debug: Found 1 on the account

[Hacksore]

Woot woot!

Maybe once they update the cert this won't be an issue like you said 😅.

Closing for now as we have a workaround, thanks for digging into this.

[carlosgamezvillegas]

Hello @Hacksore and team,

Have we found a solutions for issue? The workaround provided is not going to work for much longer since node.js 16 has been deprecated.

Kind regards,

[Hacksore]

related got issue sindresorhus/got#2271

We could switch to fetch which has a workaround. However, that's a considerable amount of work and something is probably bound to break.

import crypto from 'crypto';
import { Agent } from 'undici';

fetch('https://kiaconnect.ca', {
  dispatcher: new Agent({
    connect: {
      rejectUnauthorized: false,
      secureOptions: crypto.constants.SSL_OP_LEGACY_SERVER_CONNECT,
    },
  }),
}).then((res) => console.log(res.status));

If anyone wants to ship a PR 🙏

[gruijter]

A fix is indeed needed. The new Homey Home automation platform only runs on node 18. So Bluelinky is broken there :(

See details here: https://community.homey.app/t/app-pro-kia-and-hyundai/32487/560

Someone here that can do a PR? 🙏

[glenviewjeff]

Why is this closed?

[Hacksore]

Why is this closed?

I don't have bandwidth to fix it, PRs are welcomed tho!

[glenviewjeff]

FYI I ran into this with a US Hyundai. I can't remember right now if it was an old version of Bluelinky that I was trying when I added this comment or the current version.