Description
Question that occasionally pops into my mind: would it be technically feasible to (optionally) encrypt and authenticate the connection between ebusd and a remote eBUS/TCP client with mutual TLS?
Since the eBUS protocol itself is unauthenticated, doing "naked" eBUS over TCP is potentially quite dangerous given that any device on the network can (theoretically) mess with the physical parameters of the heating system. On wirelessly connected systems this can be tricky to mitigate: WLAN host isolation only gets you so far, and it is easy to break accidentally in setups with multiple APs if they're configured naively.
mTLS would solve this problem at the session layer without requiring any changes to the eBUS/TCP protocol itself. Given that the eBUS adapter shield already supports TLS for HTTP access, perhaps the technical delta to do the same for the eBUS connection (+ adding client auth) isn't too bad? Other than the fact that it requires changes in both ebusd and the ESP32 firmware, that is. :)