stakach · October 22, 2025 13:32
diff --git a/docker-compose.yml b/docker-compose.yml
 services:
  homebridge:
    image: homebridge/homebridge:latest
    restart: always
    network_mode: host
    environment:
      TZ: Australia/Sydney
      OPENSSL_CONF: /etc/ssl/openssl_unsafe_reneg.cnf
      OPENSSL_SHARED_CONFIG: 1
      NODE_OPTIONS: "--require=/etc/ssl/node_tls12_legacy.js"
    volumes:
      - ./volumes/homebridge:/homebridge
      - ./openssl_unsafe_reneg.cnf:/etc/ssl/openssl_unsafe_reneg.cnf:ro
      - ./node_tls12_legacy.js:/etc/ssl/node_tls12_legacy.js:ro
    logging:
      driver: json-file
      options:
        max-size: "10mb"
        max-file: "1"
    healthcheck:
      test: curl --fail localhost:8581 || exit 1
      interval: 60s
      retries: 5
      start_period: 300s
      timeout: 2s
diff --git a/node_tls12_legacy.js b/node_tls12_legacy.js
 // Force TLS1.2 and allow old renegotiation globally for Node HTTPS/TLS
 const https = require('https');
 const tls = require('tls');
 const crypto = require('crypto');

 const SECURE_OPTS =
  (crypto.constants.SSL_OP_LEGACY_SERVER_CONNECT || 0) |
  (crypto.constants.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION || 0);

 // Set process-wide defaults
 tls.DEFAULT_MIN_VERSION = 'TLSv1.2';
 tls.DEFAULT_MAX_VERSION = 'TLSv1.2';

 // Replace the global HTTPS agent so libraries (axios, node-fetch, request, etc.) inherit it
 https.globalAgent = new https.Agent({
  keepAlive: true,
  minVersion: 'TLSv1.2',
  maxVersion: 'TLSv1.2',
  secureOptions: SECURE_OPTS,
 });
diff --git a/openssl_unsafe_reneg.cnf b/openssl_unsafe_reneg.cnf
 openssl_conf = default_conf

 [ default_conf ]
 ssl_conf = ssl_sect

 [ ssl_sect ]
 system_default = system_default_sect

 [ system_default_sect ]
 # Allow pre-RFC5746 behavior used by your AC module
 Options = UnsafeLegacyRenegotiation,UnsafeLegacyServerConnect
 # Keep the process on TLS 1.2 only (TLS 1.3 removed renegotiation)
 MinProtocol = TLSv1.2
 MaxProtocol = TLSv1.2
	services:
	homebridge:
	image: homebridge/homebridge:latest
	restart: always
	network_mode: host
	environment:
	TZ: Australia/Sydney
	OPENSSL_CONF: /etc/ssl/openssl_unsafe_reneg.cnf
	OPENSSL_SHARED_CONFIG: 1
	NODE_OPTIONS: "--require=/etc/ssl/node_tls12_legacy.js"
	volumes:
	- ./volumes/homebridge:/homebridge
	- ./openssl_unsafe_reneg.cnf:/etc/ssl/openssl_unsafe_reneg.cnf:ro
	- ./node_tls12_legacy.js:/etc/ssl/node_tls12_legacy.js:ro
	logging:
	driver: json-file
	options:
	max-size: "10mb"
	max-file: "1"
	healthcheck:
	test: curl --fail localhost:8581 \|\| exit 1
	interval: 60s
	retries: 5
	start_period: 300s
	timeout: 2s
	// Force TLS1.2 and allow old renegotiation globally for Node HTTPS/TLS
	const https = require('https');
	const tls = require('tls');
	const crypto = require('crypto');

	const SECURE_OPTS =
	(crypto.constants.SSL_OP_LEGACY_SERVER_CONNECT \|\| 0) \|
	(crypto.constants.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION \|\| 0);

	// Set process-wide defaults
	tls.DEFAULT_MIN_VERSION = 'TLSv1.2';
	tls.DEFAULT_MAX_VERSION = 'TLSv1.2';

	// Replace the global HTTPS agent so libraries (axios, node-fetch, request, etc.) inherit it
	https.globalAgent = new https.Agent({
	keepAlive: true,
	minVersion: 'TLSv1.2',
	maxVersion: 'TLSv1.2',
	secureOptions: SECURE_OPTS,
	});
	openssl_conf = default_conf

	[ default_conf ]
	ssl_conf = ssl_sect

	[ ssl_sect ]
	system_default = system_default_sect

	[ system_default_sect ]
	# Allow pre-RFC5746 behavior used by your AC module
	Options = UnsafeLegacyRenegotiation,UnsafeLegacyServerConnect
	# Keep the process on TLS 1.2 only (TLS 1.3 removed renegotiation)
	MinProtocol = TLSv1.2
	MaxProtocol = TLSv1.2