2022-04-26, 19:19
Setting up FTPS sources via the KODI GUI is not clear. Please see the following points I have discovered over the past 24 hours:
- An FTPS source may only be used with an FTP server running in IMPLICIT TLS mode, i.e. TLS full stop, with no upgrade via a starttls command after the initial connection. As such, the resulting "ftps://" URLs will fail if used to connect to an FTP server running EXPLICIT TLS.
- Adding a standard FTP source beginning ftp:// in the URL should have options available to enable TLS. Currently we must append "|auth=TLS" to the end of the source URL.
- libCURL does not have access to the system trust store and thus can't read any CA certificates which should be included and therefore trusted by default. It requires that a cafile be explicitly passed in; there is no GUI or runtime parameter option to set this as far as I can tell. The problem is that peer verification is now enabled by default with libCURL, meaning even publicly signed certificates will fail verification as libcurl doesn't trust the issuing CAs. This means we must disable peer verification via "verifypeer=false", thus going against the TLS security concept.
Currently to get a working FTPS explicit mode connection in KODI we have to add a standard FTP type source and the URL must look like the following: ftp://user:[email protected]:21|auth=TLS&verifypeer=false
It would be nice to have TLS enabled via the GUI along with an option to specify the CA cert file for the connection. In addition, making it clearer that FTPS is for implicit mode only would be good.
Thanks! KODI is an awesome product and I hope my feedback helps make it even better!
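Added example, not part of the original post and not Kodi's own code: a Python check that classifies a source string of the form shown above, following the behaviour the post describes (`ftps://` is implicit TLS, `ftp://` with `|auth=TLS` is explicit TLS), and reports when `verifypeer=false` has turned off certificate verification. The host names, credentials and the `audit_source` function are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs


def audit_source(source):
    """Classify one Kodi-style FTP source string and list its TLS weaknesses."""
    # Protocol options follow the first "|" (assumption: no literal "|" in the URL part).
    url, _, raw_opts = source.partition("|")
    parts = urlsplit(url)
    # Assumption: option names and values are compared case-insensitively here.
    opts = {k.lower(): v[-1].lower() for k, v in parse_qs(raw_opts).items()}

    if parts.scheme == "ftps":
        mode = "implicit"      # TLS from the first byte, no upgrade step
    elif parts.scheme == "ftp" and opts.get("auth") == "tls":
        mode = "explicit"      # plain connect, then upgraded with AUTH TLS
    elif parts.scheme == "ftp":
        mode = "cleartext"
    else:
        raise ValueError("not an FTP source: %r" % parts.scheme)

    findings = []
    if mode == "cleartext":
        findings.append("credentials and data sent without TLS")
    elif opts.get("verifypeer") == "false":
        findings.append("certificate not verified: encrypted but server is unauthenticated")
    if parts.password:
        findings.append("password stored in the source URL")

    # Report host and port only, so the password is never echoed back.
    port = parts.port or (990 if mode == "implicit" else 21)
    return {"mode": mode,
            "endpoint": "%s:%d" % (parts.hostname or "", port),
            "findings": findings}


# Constructed sample sources (not taken from any real configuration).
SAMPLES = [
    "ftp://user:secret@ftp.example.test:21|auth=TLS&verifypeer=false",
    "ftp://user:secret@ftp.example.test:21|auth=TLS",
    "ftps://ftp.example.test",
    "ftp://ftp.example.test",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(audit_source(s))
```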