v18 SSL Certificates Issues
#16
Oh, it's not about LAN!

In current builds you are now forced to use DAV/HTTP or FTP instead of DAVS/HTTPS or SFTP accessing your own sources: NAS, OwnCloud, Nextcloud.. from outside, mobile use. This would mean plain text auth. This is why unverified SSL for own sources definitely needs an option (like Chrome, FF, Es File Explorer do and Kodi did in the past) that's not forcing you handling certificates - which is not a trivial workaround for any user aside from beeing unnecessary from my point of view.
Reply
#17
(2018-05-15, 15:12)wsnipex Wrote: there was so certificate verification previously, but from a security POV, SSL without cert verification is pretty much useless.
I'll differ on that.

Having encrypted traffic is already one step above http.

Preventing MITM decrypting by trusted certificates is one step above.

It's far easier to sniff traffic than mounting a MITM attack Wink
Reply
#18
(2018-05-18, 12:59)Koying Wrote:
(2018-05-15, 15:12)wsnipex Wrote: there was so certificate verification previously, but from a security POV, SSL without cert verification is pretty much useless.
I'll differ on that.

Having encrypted traffic is already one step above http.

Preventing MITM decrypting by trusted certificates is one step above.

It's far easier to sniff traffic than mounting a MITM attack Wink 
 I can do a mitm attack on my phone. Using SSL without verification is giving a false sense of security.
Reply
#19
I wonder how you'd redirect someone's traffic just with your phone Wink

You can totally sniff the traffic just with a phone, though...
Reply
#20
Btw, just put a valid certificate in your MITM soft, and this step is bypassed (most companies block unapproved https traffic that way).

This is barely more secure...

Only ssl-ma is actually secure.
Reply
#21
(2018-05-18, 12:59)Koying Wrote:
(2018-05-15, 15:12)wsnipex Wrote: there was so certificate verification previously, but from a security POV, SSL without cert verification is pretty much useless.
Having encrypted traffic is already one step above http. 
Isnt it? I was in the assumption and for my understanding having encrypted traffic (without cert verification and its weaknesses) is not the same security level than than http. Youre discussing about what is most secure.

In the meantime I, thread opener and other people cannot access their sources via kodi anymore - unless they use completely unencrypted connections in current builds or implement a proofed certificate, but without documentation how. I repeat that's not trivial to any user, especially dumbest assumable users like me.

I asked my CE developer - atm he is not able to help me, I tried to edit /etc/ssl/certs/ without success and now I asked you for help. Why not just giving the option to ingore untrusted connections like other software?
Reply
#22
i want it for FTP.  as soon as i make it secure, kodi won't connect to my server anymore.  

https://forum.kodi.tv/showthread.php?tid=331938
Reply
#23
https://github.com/xbmc/xbmc/pull/13909
Reply
#24
untrusted/unverified SSL sources are now possible, see the link above.
Reply
#25
(2018-05-22, 19:29)wsnipex Wrote: untrusted/unverified SSL sources are now possible, see the link above.
 Thanks for your support! Today I tested it with my raspi but it does not work yet for webdav (and I suppose sftp) with https://github.com/xbmc/xbmc/pull/13909 only for repository.

log:

18:15:04.448 T:1939861520  NOTICE: special://profile/ is mapped to: special://masterprofile/
18:15:04.448 T:1939861520  NOTICE: -----------------------------------------------------------------------
18:15:04.448 T:1939861520  NOTICE: Starting Kodi (18.0-ALPHA2 Git:19eb19e). Platform: Linux ARM 32-bit
18:15:04.448 T:1939861520  NOTICE: Using Release Kodi x32 build (version for Raspberry Pi)
18:15:04.448 T:1939861520  NOTICE: Kodi compiled May 22 2018 by GCC 7.3.0 for Linux ARM 32-bit version 4.14.42 (265770)
18:15:04.448 T:1939861520  NOTICE: Running on LibreELEC (Milhouse): devel-20180522210516-#0522-g1626fdb [Build #0522] 9.0, kernel: Linux ARM 32-bit version 4.14.42
18:15:04.449 T:1939861520  NOTICE: FFmpeg version/source: 4.0-Kodi
18:15:04.449 T:1939861520  NOTICE: Host CPU: ARMv7 Processor rev 4 (v7l), 4 cores available
18:15:04.449 T:1939861520  NOTICE: ARM Features: Neon enabled

##########                ###########
######### Does not work for davs (/sftps) ###########
##########                ##########

18:19:25.146 T:1939861520   ERROR: CCurlFile::FillBuffer - Failed: Peer certificate cannot be authenticated with given CA certificates(60)
18:19:25.146 T:1939861520   ERROR: CCurlFile::Open failed with code 0 for davs://USERNAMETongue[email protected]:5003/webdav/nas:
18:19:25.146 T:1939861520   ERROR: GetDirectory - Unable to get dav directory (davs://USERNAMETongue[email protected]:5003/webdav/nas)
18:19:25.146 T:1939861520   ERROR: GetDirectory - Error getting davs://USERNAMETongue[email protected]:5003/webdav/nas
18:19:42.539 T:1939861520   ERROR: CCurlFile::FillBuffer - Failed: Peer certificate cannot be authenticated with given CA certificates(60)
18:19:42.539 T:1939861520   ERROR: CCurlFile::Open failed with code 0 for davs://USERNAMETongue[email protected]:5003/webdav/nas/:
18:19:42.539 T:1939861520   ERROR: GetDirectory - Unable to get dav directory (davs://USERNAMETongue[email protected]:5003/webdav/nas/)
18:19:42.539 T:1939861520   ERROR: GetDirectory - Error getting davs://USERNAMETongue[email protected]:5003/webdav/nas/
18:19:42.539 T:1939861520   ERROR: CGUIDialogFileBrowser::GetDirectory(davs://USERNAMETongue[email protected]:5003/webdav/nas/) failed

######                    ########
########## here it works for repository ######
##########                ########

18:26:30.369 T:1939861520 WARNING: Repository LibreELEC Add-ons uses plain HTTP for add-on downloads - this is insecure and will make your Kodi installation vulnerable to attacks if enabled!
18:26:30.372 T:1939861520 WARNING: Repository LibreELEC Retroplayer Add-ons uses plain HTTP for add-on downloads - this is insecure and will make your Kodi installation vulnerable to attacks if enabled!
18:26:30.503 T:1793033072   ERROR: GetDirectory - Error getting
18:26:30.510 T:1939861520   ERROR: Previous line repeats 2 times.
18:26:30.510 T:1939861520 WARNING: Repository LibreELEC Add-ons uses plain HTTP for add-on downloads - this is insecure and will make your Kodi installation vulnerable to attacks if enabled!
18:26:30.511 T:1939861520 WARNING: Repository LibreELEC Retroplayer Add-ons uses plain HTTP for add-on downloads - this is insecure and will make your Kodi installation vulnerable to attacks if enabled!
18:26:36.744 T:1939861520   ERROR: Control 6 in window 10146 has been asked to focus, but it can't
18:26:40.972 T:1490731888 WARNING: Repository LibreELEC Add-ons uses plain HTTP for add-on downloads - this is insecure and will make your Kodi installation vulnerable to attacks if enabled!
Reply
#26
I can't help you without a full Debug Log (wiki).
Reply
#27
(2018-05-23, 21:31)Rechi Wrote: I can't help you without a full Debug Log (wiki).
 Here is a debug log https://pastebin.com/raw/pCG1Fb28

Clean install, just tried to add my webdav but problem still exist..
Reply
#28
I just tested it again for a https source and looking at it with the File manager worked fine.

Have you added your source like 'davs://username:[email protected]:5003/webdav/|verifypeer=false'? Important is the |verifypeer=false at the end only in this case cert checking is disabled.
If you have already done it like this enable libCURL component logging and post a new log.
Reply
#29
(2018-05-24, 09:41)Rechi Wrote: Have you added your source like 'davs://username:[email protected]:5003/webdav/|verifypeer=false'? Important is the |verifypeer=false at the end only in this case cert checking is disabled.
If you have already done it like this enable libCURL component logging and post a new log.
 I did not know that but have done it manually now (-> a setting option in the skin would be more easy to handle). Now it looks like you wrote:
<mediasources>
    <network>
        <location id="0">davs://USER:[email protected]:5003/webdav/nas/|verifypeer=false</location>     ####also tried [...]/nas/ |verifypeer=false< or [...]/nas|verifypeer=false/<####
    </network>
</mediasources>

Then I added the source in file manager again but although Kodi still seems to check the cert: https://pastebin.com/raw/g9ZT9zr7
Reply
#30
Code:
SSL: certificate subject name 'NAS326' does not match target host name 'kpbsfsffe0nsfd.myfritz.net'

you're NAS cert doesn't match it's host name
Reply



Logout Mark Read Team Forum Stats Members Help
SSL Certificates Issues2
This forum uses Lukasz Tkacz MyBB addons.