v18 SSL Certificates Issues
#61
replaced log
Reply
#62
Try again with ftp://user:[email protected]:port/|AUTH=TLS&verifypeer=false, correct separator for multiple url options is & not |.
Reply
#63
Thank you for the help. With the new source links it's still not working.
There are three different test sources I used

Pastebin Log

EDIT: I checked my vsftpd again and changed all user:pass logins and checked connections by ftp clients.
It is only refusing with Kodi. The Logs are always the same.
 
Quote:15:34:17.318 T:4640   ERROR: CCurlFile::FillBuffer - Failed: Login denied(67)
15:34:17.318 T:4640   ERROR: CCurlFile::Open failed with code 530 for ftp://USERNAME:PASSWORD@HOSTNAME:port/:
15:34:19.936 T:4640 ERROR: CCurlFile::FillBuffer - Failed: Login denied(67)
15:34:19.936 T:4640 ERROR: CCurlFile::Open failed with code 530 for ftp://USERNAME:[email protected]:port/:
In vsftpd log I only see this, No user no password error message:
Quote:Sat Sep 22 15:34:23 2018 [pid 32758] CONNECT: Client "192.168.1.8"
All other clients are connecting well.
Finally set logs to verbose in server
Sat Sep 22 16:40:29 2018 [pid 15456] [user] FTP response: Client "192.168.1.8", "530 Non-anonymous sessions must use encryption."

Then I changed source links to:
Quote:ftps://user:[email protected]:port/|verifypeer=false
And kodi.log showing this:
Quote:16:59:40.876 T:6908   DEBUG: CGUIMediaWindow::GetDirectory (ftps://USERNAME:[email protected]:port/|verifypeer=false)
16:59:40.876 T:6908   DEBUG:   ParentPath = [ftps://USERNAME:[email protected]:port/|verifypeer=false]
16:59:40.877 T:6908   DEBUG: CurlFile::Open(0x86558f4b90) ftps://USERNAME:[email protected]:port/
16:59:40.886 T:6908   ERROR: CCurlFile::FillBuffer - Failed: SSL connect error(35)
16:59:40.886 T:6908   ERROR: CCurlFile::Open failed with code 0 for ftps://USERNAME:[email protected]:port/:
16:59:40.886 T:6908   ERROR: XFILE::CDirectory::GetDirectory - Error getting ftps://USERNAME:[email protected]:port/|verifypeer=false
16:59:40.891 T:6908   ERROR: CGUIMediaWindow::GetDirectory(ftps://USERNAME:[email protected]:port/|verifypeer=false) failed
16:59:40.891 T:6908   DEBUG: CGUIMediaWindow::GetDirectory ()
16:59:40.891 T:6908   DEBUG:   ParentPath = [ftps://USERNAME:[email protected]:port/|verifypeer=false]

And here is vsftpd.log:
Sat Sep 22 16:59:44 2018 [pid 18969] CONNECT: Client "192.168.1.8"
Sat Sep 22 16:59:44 2018 [pid 18969] FTP response: Client "192.168.1.8", "220 Hello"
Sat Sep 22 16:59:44 2018 [pid 18969] FTP command: Client "192.168.1.8", "HuhHuh?U?,??@>=?HHuh7??VK7??J?.......
Sat Sep 22 16:59:44 2018 [pid 18969] FTP response: Client "192.168.1.8", "530 Please login with USER and PASS."
Sat Sep 22 16:59:44 2018 [pid 18969] FTP command: Client "192.168.1.8", "Huh?K?J?I?H?9..........
Sat Sep 22 16:59:44 2018 [pid 18969] FTP response: Client "192.168.1.8", "530 Please login with USER and PASS."
Sat Sep 22 16:59:44 2018 [pid 18969] FTP command: Client "192.168.1.8", "Huh.....HuhHuhHOSTNAMEHuhHuhHuh"
Sat Sep 22 16:59:44 2018 [pid 18969] FTP response: Client "192.168.1.8", "530 Please login with USER and PASS."
Sat Sep 22 16:59:44 2018 [pid 18969] FTP command: Client "192.168.1.8", Huh...
Sat Sep 22 16:59:44 2018 [pid 18969] FTP response: Client "192.168.1.8", "530 Please login with USER and PASS."
Reply
#64
@ködi-zömbie

A few things...

Please pay a bit more attention when you are plastering log files/snippets into the forum. Some of those logs are triggering our forum emojis, which can make the logs pretty much illegible and useless.

Also, you already gave the link for the full kodi.log file at the start of your post. Then this happens: And kodi.log showing this:... *sigh*.
Just refer to the linked log file. Pasting parts of the kodi.log again in your post is not very efficient.
Reply
#65
Enable libcURL component logging and repost your log. There is also no need to try anything except '|auth=TLS&verifypeer=false' (also not the lowercase auth) as that is the only correct way of setting both values.
Reply
#66
(2018-09-23, 17:26)Rechi Wrote: Enable libcURL component logging and repost your log. There is also no need to try anything except '|auth=TLS&verifypeer=false' (also not the lowercase auth) as that is the only correct way of setting both values.
  Thanks, now I found the error:

 
Quote:
DEBUG: Curl::Debug - TEXT: SSL: certificate subject name 'host' does not match target host name 'xxxxx'
DEBUG: Curl::Debug - TEXT: SSL: certificate subject name 'host' does not match target host name '192.168.1.254'

VSFTPD cert, CN=Name needs to match the hostname in the sources.xml. Even in a private LAN with IPs it's not possible.

That's not funny guys !!!
Reply
#67
If you use SSL, do it right. You can always import the cert in your trust store.
Reply
#68
@wsnipex it is not about the validity of the cert, checking that is already disabled by verifypeer=false, so putting it in the trust store won't help. I agree though that it would be saner to do that in any case :-)

@ködi-zömbie In a private LAN when you use self-signed certs it should not be a problem to have a cert CN that matches the host name or IP, whatever you use in Kodi. You should set it up correctly.
Reply
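Added example, not part of any post in this thread: one way to produce a self-signed server certificate that passes the name check discussed above, by listing both the hostname and the LAN IP as subjectAltName entries, and then testing which names it accepts with OpenSSL's own checker. The name nas.lan, the file names and the helper functions are constructed for illustration; 192.168.1.254 and the CN 'host' are the values from the log quoted in the thread.

```shell
#!/bin/sh
# Added example: self-signed cert whose SAN covers hostname and LAN IP.
# nas.lan and the file names are assumptions; adjust to your own server.

make_cert() {  # make_cert <dir> <common-name> <san-list>
    dir=$1; cn=$2; san=$3
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $cn
[ext]
subjectAltName = $san
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/req.cnf" \
        -keyout "$dir/vsftpd.key" -out "$dir/vsftpd.pem" 2>/dev/null
}

# Prints "match" or "no-match" for a DNS name or an IPv4 literal.
name_matches() {  # name_matches <cert.pem> <host-or-ipv4>
    case $2 in
        *[!0-9.]*) flag=-checkhost ;;  # has a non-digit/dot: DNS name
        *)         flag=-checkip ;;    # dotted quad: needs an IP SAN entry
    esac
    if openssl x509 -in "$1" -noout "$flag" "$2" 2>&1 | grep -q 'does match'; then
        echo match
    else
        echo no-match
    fi
}

# Demo: the URL in sources.xml may use either nas.lan or 192.168.1.254.
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
make_cert "$d" host "DNS:nas.lan,IP:192.168.1.254"
for n in nas.lan 192.168.1.254 192.168.1.8 host; do
    printf '%s: %s\n' "$n" "$(name_matches "$d/vsftpd.pem" "$n")"
done
```

For vsftpd, `rsa_cert_file` and `rsa_private_key_file` point at the generated files; with the certificate also added to the client's trust store, `verifypeer=false` is no longer needed.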
#69
@yol putting it in the trust store usually disables subject name validation as well.
Reply
#70
I have my cert in \system\certs\cacert.pem all the time. It does not connect if the hostname does not match the CommonName.

@yol I know that I can give a hostname to any private address ;). Thank you
Reply
#71
(2018-09-27, 10:09)ködi-zömbie Wrote: I have my cert in \system\certs\cacert.pem all the time.

Great, then you should remove verifypeer=false

So this is solved then?
Reply
#72
(2018-09-27, 09:44)wsnipex Wrote: @yol putting it in the trust store usually disables subject name validation as well.

Are you sure? This sounds really strange. Why should it?
Reply
#73
(2018-05-15, 11:26)wsnipex Wrote: you have to add your server cert to kodi's cert store: [install_dir]\system\certs\cacert.pem
Alternatively, you can provide your own Cert file, by setting the env var SSL_CERT_FILE

Is there a way to do this for a non-rooted Android device? It's easy enough to edit the /data/data/etc...etc/cacert.pem on rooted devices, but is there a way round this on a non-rooted device?
Reply
#74
Sorry for lifting this up, but for some strange reason I can't get access to my FileZilla server using my multipurpose Let's Encrypt certs for the last 2 90-day renews if I don't use that verifypeer=false hack.
Reply
