v18 SSL Certificates Issues
#16
Oh, it's not about LAN!

In current builds you are now forced to use DAV/HTTP or FTP instead of DAVS/HTTPS or SFTP when accessing your own sources (NAS, OwnCloud, Nextcloud...) from outside, i.e. mobile use. This would mean plain-text auth. This is why unverified SSL for your own sources definitely needs an option (like Chrome, FF and ES File Explorer do, and Kodi did in the past) that doesn't force you to handle certificates - which is not a trivial workaround for any user, aside from being unnecessary from my point of view.
#17
(2018-05-15, 15:12)wsnipex Wrote: there was no certificate verification previously, but from a security POV, SSL without cert verification is pretty much useless.
I'll differ on that.

Having encrypted traffic is already one step above http.

Preventing MITM decrypting by trusted certificates is one step above.

It's far easier to sniff traffic than to mount a MITM attack ;)
#18
(2018-05-18, 12:59)Koying Wrote:
(2018-05-15, 15:12)wsnipex Wrote: there was no certificate verification previously, but from a security POV, SSL without cert verification is pretty much useless.
I'll differ on that.

Having encrypted traffic is already one step above http.

Preventing MITM decrypting by trusted certificates is one step above.

It's far easier to sniff traffic than to mount a MITM attack ;)
I can do a MITM attack on my phone. Using SSL without verification is giving a false sense of security.
#19
I wonder how you'd redirect someone's traffic just with your phone ;)

You can totally sniff the traffic just with a phone, though...
#20
Btw, just put a valid certificate in your MITM soft, and this step is bypassed (most companies block unapproved https traffic that way).

This is barely more secure...

Only ssl-ma is actually secure.
#21
(2018-05-18, 12:59)Koying Wrote:
(2018-05-15, 15:12)wsnipex Wrote: there was no certificate verification previously, but from a security POV, SSL without cert verification is pretty much useless.
Having encrypted traffic is already one step above http.
Isn't it? I was under the assumption, and to my understanding, that having encrypted traffic (without cert verification and its weaknesses) is not at the same security level as http. You're discussing what is most secure.

In the meantime I, the thread opener, and other people cannot access their sources via Kodi anymore - unless they use completely unencrypted connections in current builds or implement a proofed certificate, but without documentation on how. I repeat, that's not trivial for any user, especially the dumbest assumable users like me.

I asked my CE developer - atm he is not able to help me; I tried to edit /etc/ssl/certs/ without success, and now I am asking you for help. Why not just give the option to ignore untrusted connections like other software does?
#22
I want it for FTP. As soon as I make it secure, Kodi won't connect to my server anymore.

https://forum.kodi.tv/showthread.php?tid=331938
#23
https://github.com/xbmc/xbmc/pull/13909
#24
untrusted/unverified SSL sources are now possible, see the link above.
#25
(2018-05-22, 19:29)wsnipex Wrote: untrusted/unverified SSL sources are now possible, see the link above.
Thanks for your support! Today I tested it with my RasPi, but it does not work yet for WebDAV (and I suppose SFTP) with https://github.com/xbmc/xbmc/pull/13909, only for the repository.

log:

18:15:04.448 T:1939861520  NOTICE: special://profile/ is mapped to: special://masterprofile/
18:15:04.448 T:1939861520  NOTICE: -----------------------------------------------------------------------
18:15:04.448 T:1939861520  NOTICE: Starting Kodi (18.0-ALPHA2 Git:19eb19e). Platform: Linux ARM 32-bit
18:15:04.448 T:1939861520  NOTICE: Using Release Kodi x32 build (version for Raspberry Pi)
18:15:04.448 T:1939861520  NOTICE: Kodi compiled May 22 2018 by GCC 7.3.0 for Linux ARM 32-bit version 4.14.42 (265770)
18:15:04.448 T:1939861520  NOTICE: Running on LibreELEC (Milhouse): devel-20180522210516-#0522-g1626fdb [Build #0522] 9.0, kernel: Linux ARM 32-bit version 4.14.42
18:15:04.449 T:1939861520  NOTICE: FFmpeg version/source: 4.0-Kodi
18:15:04.449 T:1939861520  NOTICE: Host CPU: ARMv7 Processor rev 4 (v7l), 4 cores available
18:15:04.449 T:1939861520  NOTICE: ARM Features: Neon enabled

##########                ###########
######### Does not work for davs (/sftps) ###########
##########                ##########

18:19:25.146 T:1939861520   ERROR: CCurlFile::FillBuffer - Failed: Peer certificate cannot be authenticated with given CA certificates(60)
18:19:25.146 T:1939861520   ERROR: CCurlFile::Open failed with code 0 for davs://USERNAME:[email protected]:5003/webdav/nas:
18:19:25.146 T:1939861520   ERROR: GetDirectory - Unable to get dav directory (davs://USERNAME:[email protected]:5003/webdav/nas)
18:19:25.146 T:1939861520   ERROR: GetDirectory - Error getting davs://USERNAME:[email protected]:5003/webdav/nas
18:19:42.539 T:1939861520   ERROR: CCurlFile::FillBuffer - Failed: Peer certificate cannot be authenticated with given CA certificates(60)
18:19:42.539 T:1939861520   ERROR: CCurlFile::Open failed with code 0 for davs://USERNAME:[email protected]:5003/webdav/nas/:
18:19:42.539 T:1939861520   ERROR: GetDirectory - Unable to get dav directory (davs://USERNAME:[email protected]:5003/webdav/nas/)
18:19:42.539 T:1939861520   ERROR: GetDirectory - Error getting davs://USERNAME:[email protected]:5003/webdav/nas/
18:19:42.539 T:1939861520   ERROR: CGUIDialogFileBrowser::GetDirectory(davs://USERNAME:[email protected]:5003/webdav/nas/) failed

######                    ########
########## here it works for repository ######
##########                ########

18:26:30.369 T:1939861520 WARNING: Repository LibreELEC Add-ons uses plain HTTP for add-on downloads - this is insecure and will make your Kodi installation vulnerable to attacks if enabled!
18:26:30.372 T:1939861520 WARNING: Repository LibreELEC Retroplayer Add-ons uses plain HTTP for add-on downloads - this is insecure and will make your Kodi installation vulnerable to attacks if enabled!
18:26:30.503 T:1793033072   ERROR: GetDirectory - Error getting
18:26:30.510 T:1939861520   ERROR: Previous line repeats 2 times.
18:26:30.510 T:1939861520 WARNING: Repository LibreELEC Add-ons uses plain HTTP for add-on downloads - this is insecure and will make your Kodi installation vulnerable to attacks if enabled!
18:26:30.511 T:1939861520 WARNING: Repository LibreELEC Retroplayer Add-ons uses plain HTTP for add-on downloads - this is insecure and will make your Kodi installation vulnerable to attacks if enabled!
18:26:36.744 T:1939861520   ERROR: Control 6 in window 10146 has been asked to focus, but it can't
18:26:40.972 T:1490731888 WARNING: Repository LibreELEC Add-ons uses plain HTTP for add-on downloads - this is insecure and will make your Kodi installation vulnerable to attacks if enabled!
#26
I can't help you without a full Debug Log (wiki).
#27
(2018-05-23, 21:31)Rechi Wrote: I can't help you without a full Debug Log (wiki).
Here is a debug log: https://pastebin.com/raw/pCG1Fb28

Clean install, just tried to add my WebDAV, but the problem still exists..
#28
I just tested it again for a https source and looking at it with the File manager worked fine.

Have you added your source like 'davs://username:[email protected]:5003/webdav/|verifypeer=false'? Important is the |verifypeer=false at the end; only in this case is cert checking disabled.
If you have already done it like this, enable libCURL component logging and post a new log.
#29
(2018-05-24, 09:41)Rechi Wrote: Have you added your source like 'davs://username:[email protected]:5003/webdav/|verifypeer=false'? Important is the |verifypeer=false at the end; only in this case is cert checking disabled.
If you have already done it like this, enable libCURL component logging and post a new log.
I did not know that, but have done it manually now (-> a setting option in the skin would be easier to handle). Now it looks like you wrote:
<mediasources>
    <network>
        <location id="0">davs://USER:[email protected]:5003/webdav/nas/|verifypeer=false</location>     ####also tried [...]/nas/ |verifypeer=false< or [...]/nas|verifypeer=false/<####
    </network>
</mediasources>

Then I added the source in the file manager again, but Kodi still seems to check the cert: https://pastebin.com/raw/g9ZT9zr7
#30
Code:
SSL: certificate subject name 'NAS326' does not match target host name 'kpbsfsffe0nsfd.myfritz.net'

your NAS cert doesn't match its host name
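Posts #28 to #30 show two separate checks in play: the `|verifypeer=false` suffix switched off CA-chain validation (the earlier error 60 from post #25), and what remained was a host-name mismatch between the cert's subject 'NAS326' and the DynDNS name the NAS is reached by. The following is an added example, not Kodi or libcurl code. It models those two checks as libcurl keeps them, chain validation (CURLOPT_SSL_VERIFYPEER) and host-name validation (CURLOPT_SSL_VERIFYHOST) as independent switches, and parses Kodi's `url|option=value` source syntax from post #28. The certificates are constructed dicts in the layout Python's `ssl.SSLSocket.getpeercert()` returns, not real certificates; the `PASSWORD` placeholder, the `Home CA` issuer and the `192.168.178.20` LAN address are assumptions, and `chain_ok` stands in for the result of chain validation, which this offline example does not perform.

```python
"""Model of libcurl's two peer-certificate checks applied to a Kodi source.

Added illustration, not Kodi or libcurl source. Certificates use the dict layout
of ssl.SSLSocket.getpeercert(); chain_ok stands in for real CA-chain validation.
"""
import ipaddress
from urllib.parse import parse_qsl, urlsplit


def split_kodi_source(source):
    """Split 'davs://u:p@host:5003/webdav/|verifypeer=false' into (url, options)."""
    url, _, opts = source.partition("|")
    return url, dict(parse_qsl(opts, keep_blank_values=True))


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hostname_matches(pattern, hostname):
    """RFC 6125 style match: case-insensitive; '*' may only replace the whole
    leftmost label, must not span a dot, and needs two labels to its right."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    h_labels = hostname.split(".")
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_names(peercert, want_ip):
    """Names the certificate is valid for. An IP target only matches SAN IP
    entries. A DNS target matches SAN dNSName entries; the subject CN is
    consulted only when the certificate carries no SAN dNSName at all."""
    san = peercert.get("subjectAltName", ())
    if want_ip:
        return [v for t, v in san if t == "IP Address"]
    dns = [v for t, v in san if t == "DNS"]
    if dns:
        return dns
    return [v for rdn in peercert.get("subject", ()) for k, v in rdn if k == "commonName"]


def check_peer(peercert, target_host, *, chain_ok, verifypeer=True, verifyhost=True):
    """Return the failed checks, empty when the peer is acceptable.
    'chain' mirrors CURLOPT_SSL_VERIFYPEER, 'hostname' mirrors
    CURLOPT_SSL_VERIFYHOST; only the first is switched off by verifypeer=false."""
    failures = []
    if verifypeer and not chain_ok:
        failures.append("chain")
    if verifyhost:
        names = cert_names(peercert, _is_ip(target_host))
        if not any(hostname_matches(n, target_host) for n in names):
            failures.append("hostname")
    return failures


def evaluate_source(source, peercert, chain_ok):
    """Parse a Kodi source string and run the checks against the peer cert."""
    url, opts = split_kodi_source(source)
    host = urlsplit(url).hostname
    verifypeer = opts.get("verifypeer", "true").lower() != "false"
    return host, check_peer(peercert, host, chain_ok=chain_ok, verifypeer=verifypeer)


# Constructed certificates (not real ones). The first mimics the NAS cert from the
# thread: self-signed, CN 'NAS326', no SAN. The second is what the NAS needs: a SAN
# carrying the DynDNS name it is reached by (plus an assumed LAN address).
NAS_CERT_AS_SHIPPED = {
    "subject": ((("commonName", "NAS326"),),),
    "issuer": ((("commonName", "NAS326"),),),
}
NAS_CERT_FIXED = {
    "subject": ((("commonName", "NAS326"),),),
    "issuer": ((("commonName", "Home CA"),),),  # assumed private CA
    "subjectAltName": (("DNS", "kpbsfsffe0nsfd.myfritz.net"), ("IP Address", "192.168.178.20")),
}
SOURCE = "davs://USER:PASSWORD@kpbsfsffe0nsfd.myfritz.net:5003/webdav/nas/|verifypeer=false"

if __name__ == "__main__":
    print(evaluate_source(SOURCE, NAS_CERT_AS_SHIPPED, chain_ok=False))
    print(evaluate_source(SOURCE.split("|")[0], NAS_CERT_FIXED, chain_ok=True))
```

With the cert as shipped, the source from post #29 still fails on 'hostname' even with `verifypeer=false`, which is the error Rechi quotes in post #30; without the suffix it fails on 'chain' as well, matching error 60 in post #25. Only a cert whose SAN carries the name actually used in the URL (and which chains to a CA Kodi trusts, or is pinned) passes both checks.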
