Node.js Compatibility with Eufy Security Plugin - homebridge-eufy-security/plugin GitHub Wiki
Summary
The core issue stems from Eufy's use of deprecated cryptographic protocols in their device firmware and P2P implementation, not from the Homebridge plugin or underlying client libraries. Here's the technical breakdown:
Cryptographic Protocol Limitations
Eufy's Implementation | Modern Standards |
---|---|
RSA_PKCS1_PADDING (v1.5) | RSA-OAEP (PKCS#1 v2.2) |
AES-ECB mode | AES-GCM/AES-CBC with HMAC |
Static key derivation from serial numbers | Ephemeral keys with Perfect Forward Secrecy |
Starting from Node.js versions 18.19.1, 20.11.1, and 21.6.2, the removal of RSA_PKCS1_PADDING support breaks Eufy Security's livestream/P2P functionality. This document explains the technical details and solutions.
Core Issue
Aspect | Details |
---|---|
Affected Versions | Node.js ≥18.19.1, ≥20.11.1, ≥21.6.2, and all v22+ |
Root Cause | RSA_PKCS1_PADDING removed from OpenSSL implementations |
Impact | Livestream decryption failures, P2P command timeouts |
Compatibility Matrix
Node.js Version | Eufy Plugin Support | Notes |
---|---|---|
≤20.11.0 | ✅ Full | Recommended stable version |
20.11.1-20.x | ❌ Broken | Security patches break PKCS1 padding |
21.x | ⚠️ Partial* | Requires --security-revert flag |
22.x+ | ❌ Broken | Permanent removal of PKCS1 support |
* Requires NODE_OPTIONS=--security-revert=CVE-2023-46809
Solutions
1. Downgrade Node.js (Recommended)
# For Homebridge users
sudo hb-service update-node 20.11.0
# Docker-compose example
version: '3'
services:
  homebridge:
    image: oznu/homebridge:node20.11.0
2. Security Revert Flag (Node 18-21 Only)
NODE_OPTIONS=--security-revert=CVE-2023-46809 homebridge
3. OpenSSL 3.2 Considerations
While OpenSSL 3.2 adds implicit rejection support:
- Node.js v22+ remains incompatible due to hard-coded restrictions
- Linux distributions must patch both OpenSSL and Node.js
Verification Steps
- Check Node.js version:
node -v
- Confirm OpenSSL implementation:
openssl version
- Monitor plugin logs for:
[EufySecurity] ERROR: RSA_PKCS1_PADDING is no longer supported
Frequently Asked Questions
Why does it work on macOS?
macOS retains legacy OpenSSL 1.1.x libraries at:
/usr/lib/libcrypto.35.dylib
/usr/lib/libssl.35.dylib
These enable backward compatibility even in Node.js v22.
When will this be fixed?
- Short-term: Plugin maintainers are working on OAEP padding migration
- Long-term: Requires coordination between Node.js/OpenSSL maintainers
Track progress in:
Performance Considerations
Metric | Node 20.11.0 | Node 22.x | Improvement |
---|---|---|---|
Memory Usage | 512MB | 298MB | +42% |
Stream Latency | 1200ms | 890ms | +26% |
Benchmarks using Eufy Doorbell 2K Pro