Bug LibCurl FTPS is attempting to use SSLv3 and failing connections
#1
I am trying to make an FTPS connection to a server of mine running FileZilla Server. It's set to require explicit FTPS (min TLS v1.2) and has a public wildcard certificate (issued by a major public CA). This configuration is tested working from various FTPS clients at different locations. Should probably say that I'm a network/infrastructure guy and configure servers/networks/certificates all day long. The FTPS server is good.

However, adding an FTPS connection within the Kodi interface does not work. It cannot make a connection. Upon investigation, here's what the client Kodi logs and the FileZilla Server logs show. IPs/domains changed for privacy of course.

Code:
KODI LOG:

2022-04-25 07:31:29.882 T:1002    DEBUG <general>: CurlFile::Open(0xff8e0700) ftps://USERNAME:[email protected]:21/
2022-04-25 07:31:29.882 T:1002    DEBUG <general>: easy_acquire - Created session to ftps://FTP.MYSERVERHERE.COM
2022-04-25 07:31:30.097 T:1002    DEBUG <general>: Curl::Debug - TEXT:   Trying 1.1.1.1:21...
2022-04-25 07:31:30.127 T:1002    DEBUG <general>: Curl::Debug - TEXT: Connected to FTP.MYSERVERHERE.COM (1.1.1.1) port 21 (#0)
2022-04-25 07:31:30.143 T:1002    DEBUG <general>: Curl::Debug - TEXT: successfully set certificate verify locations:
2022-04-25 07:31:30.143 T:1002    DEBUG <general>: Curl::Debug - TEXT:  CAfile: /run/libreelec/cacert.pem
2022-04-25 07:31:30.143 T:1002    DEBUG <general>: Curl::Debug - TEXT:  CApath: none
2022-04-25 07:31:30.144 T:1002    DEBUG <general>: Curl::Debug - SSL_DATA_OUT:
2022-04-25 07:31:30.144 T:1002    DEBUG <general>: Curl::Debug - TEXT: TLSv1.3 (OUT), TLS handshake, Client hello (1):
2022-04-25 07:31:30.144 T:1002    DEBUG <general>: Curl::Debug - SSL_DATA_OUT:
2022-04-25 07:31:30.144 T:1002    DEBUG <general>: Curl::Debug - SSL_DATA_OUT: e▒▒▒▒@}
2022-04-25 07:31:30.144 T:1002    DEBUG <general>: Curl::Debug - SSL_DATA_OUT: ▒
2022-04-25 07:31:30.144 T:1002    DEBUG <general>: Curl::Debug - SSL_DATA_OUT:
2022-04-25 07:31:30.144 T:1002     INFO <general>: Skipped 2 duplicate messages..
2022-04-25 07:31:30.144 T:1002    DEBUG <general>: Curl::Debug - SSL_DATA_OUT:

2022-04-25 07:31:30.157 T:1002    DEBUG <general>: Curl::Debug - SSL_DATA_IN: 220-F
2022-04-25 07:31:30.157 T:1002    DEBUG <general>: Curl::Debug - TEXT: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
2022-04-25 07:31:30.157 T:1002    DEBUG <general>: Curl::Debug - TEXT: Closing connection 0
2022-04-25 07:31:30.159 T:1002    ERROR <general>: CCurlFile::FillBuffer - Failed: SSL connect error(35)
2022-04-25 07:31:30.159 T:1002    ERROR <general>: CCurlFile::Open failed with code 0 for ftps://USERNAME:[email protected]:21/:

2022-04-25 07:31:30.159 T:1002    ERROR <general>: GetDirectory - Error getting ftps://USERNAME:[email protected]:21/



SERVER LOG:

2022-04-25T06:36:26.058Z !! [FTP Session 1 5.5.5.5] Control channel closed with error from source 0. Reason: ECONNABORTED - Connection aborted.
2022-04-25T06:36:26.058Z !! [FTP Server] Session 1 ended with error from source 0. Reason: ECONNABORTED - Connection aborted.
2022-04-25T06:36:31.789Z !! [FTP Session 2 5.5.5.5] Control channel closed with error from source 1. Reason: EINVAL - Invalid argument passed.
2022-04-25T06:36:31.790Z !! [FTP Server] Session 2 ended with error from source 0. Reason: EINVAL - Invalid argument passed.
2022-04-25T06:36:38.577Z !! [FTP Session 3 5.5.5.5] Control channel closed with error from source 0. Reason: ECONNABORTED - Connection aborted.
2022-04-25T06:36:38.577Z !! [FTP Server] Session 3 ended with error from source 0. Reason: ECONNABORTED - Connection aborted.
2022-04-25T06:36:40.889Z !! [FTP Session 4 5.5.5.5] Control channel closed with error from source 1. Reason: EINVAL - Invalid argument passed.
2022-04-25T06:36:40.889Z !! [FTP Server] Session 4 ended with error from source 0. Reason: EINVAL - Invalid argument passed.

This is the line of concern:

Code:
TEXT: error:1408F10B:SSL routines:ssl3_get_record:wrong version number

From my research, it appears this Curl FTPS library is having a hard time dealing with TLS 1.2 or above and actually looks like it's trying to use SSLv3, which of course will fail.

Any ideas?
Reply
#2
Sorry forgot to add, I am running kodi 19.4 under libreelec 10.0.2.
Reply
#3
(2022-04-25, 10:04)tomstephens89 Wrote: Sorry forgot to add, I am running kodi 19.4 under libreelec 10.0.2.

We would have seen that with the full Kodi debug log (wiki), something we always prefer and recommend.
Also please use a pastebin service for long(er) log files as per our bold red request below.
Reply
#4
Full log:

https://pastebin.com/8RPAJ3dr
Reply
#5
2021-02-02 15:29:51.345 T:985 INFO <general>: Starting Kodi (19.4 (19.4.0) Git:19.4-Matrix). Platform: Linux ARM 32-bit

For starters, enable the "Wait for network" option in the LibreELEC Settings Add-on, so you have an internet connection from the start. Set it to 30 secs on a RPi device.
Also, after enabling debugging, restart LibreELEC for a full debug-enabled log file. Starting debugging somewhere in the middle may miss certain things/settings.
Reply
#6
(2022-04-25, 14:54)Klojum Wrote: 2021-02-02 15:29:51.345 T:985 INFO <general>: Starting Kodi (19.4 (19.4.0) Git:19.4-Matrix). Platform: Linux ARM 32-bit

For starters, enable the "Wait for network" option in the LibreELEC Settings Add-on, so you have an internet connection from the start. Set it to 30 secs on a RPi device.
Also, after enabling debugging, restart LibreELEC for a full debug-enabled log file. Starting debugging somewhere in the middle may miss certain things/settings.

I will do, however I don't see what going round the houses with seeing startup logs is going to tell you. The Pi has internet connectivity at the time I try to add an FTPS source. It immediately fails and you can clearly see the errors in the log after the initial TLS handshake.
Reply
#7
(2022-04-25, 15:00)tomstephens89 Wrote: The Pi has internet connectivity at the time I try to add an FTPS source.

Sure, but your clock for starters hasn't been synced yet, see the datetime stamps.

And maybe other components need to use a working network connection in the background, such as this one:
2021-02-02 15:29:54.545 T:1028 ERROR <general>: ## LibreELEC Addon ## oe::load_url(http://releases.libreelec.tv/releases.json) ## ERROR: (URLError(gaierror(-3, 'Temporary failure in name resolution')))
Reply
#8
I reset to defaults shortly before sending that log as a test. That's probably why.
Reply
#9
I know it's only been a day but any ideas with this one? Seems like a very specific issue related to libcurl.
Reply
#10
Just stumbled across this.

https://everything.curl.dev/ftp/ftps

I wonder if this is what is happening. My FTP server is configured for Explicit TLS rather than Implicit (since it's deprecated in FileZilla Server) and that CURL doc says the correct way to handle Explicit FTPS is to use ftp:// and NOT ftps://, but then to add the "--ssl-reqd" flag on the curl command.

I guess that flag can't be added to the URL in KODI? How about adding |AUTH=tls instead? So ftp://user:[email protected]/Movies|AUTH=tls
Reply
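Added example (not part of any post in this thread, and not Kodi or curl code): the Kodi log in post #1 shows `SSL_DATA_IN: 220-F` immediately before the OpenSSL error, and this sketch reads those five bytes the way a TLS client reads a record header, which is why a plain-text FTP banner from an explicit-mode server surfaces as "wrong version number" in OpenSSL's record reader (`ssl3_get_record`) regardless of the TLS version offered. The function names and the TLS sample bytes are assumptions made for illustration.

```python
import struct

# TLS record content types (RFC 8446, section 5.1).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}

# First bytes the Kodi client received, taken from the log in post #1.
BANNER_FROM_LOG = b"220-F"
# Constructed sample: header of a TLS handshake record (type 22, version 3.3).
CONSTRUCTED_TLS = b"\x16\x03\x03\x00\x7a"


def parse_as_tls_record(first5: bytes) -> dict:
    """Interpret 5 bytes as a TLS record header: type, version, length."""
    ctype, major, minor, length = struct.unpack("!BBBH", first5[:5])
    return {"type": ctype, "version": (major, minor), "length": length}


def classify_first_bytes(data: bytes) -> str:
    """Classify what the server sent first on the control connection."""
    if len(data) < 5:
        return "incomplete"
    hdr = parse_as_tls_record(data)
    # Every SSL 3.0 / TLS 1.x record carries major version 3 on the wire.
    if hdr["type"] in TLS_CONTENT_TYPES and hdr["version"][0] == 3:
        return "tls"            # implicit FTPS: TLS from the first byte
    # FTP replies start with three ASCII digits, then space or hyphen.
    if data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        return "plaintext-ftp"  # explicit FTPS: banner first, TLS after AUTH
    return "unknown"


def scheme_hint(kind: str) -> str:
    """Map the classification to the URL scheme discussed in post #10."""
    return {
        "tls": "ftps:// (implicit TLS)",
        "plaintext-ftp": "ftp:// with a required TLS upgrade (curl --ssl-reqd)",
    }.get(kind, "undetermined")


if __name__ == "__main__":
    for sample in (BANNER_FROM_LOG, CONSTRUCTED_TLS):
        kind = classify_first_bytes(sample)
        print(sample, parse_as_tls_record(sample), kind, scheme_hint(kind))
```

Read as a record header, `220-F` gives content type 0x32 and version bytes 0x32 0x30, neither of which is valid TLS, so the handshake is rejected before any protocol version is negotiated.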
#11
I have resolved this by using a standard FTP source URL.

ftp://user:[email protected]/Movies/|aut...peer=false

Note that I had to include verifypeer=false even though I am using a publicly signed wildcard certificate which would be trusted and verifiable by just about anything. So it seems curl does not have access to a system trust store that might contain said CA root certs.

I have confirmed that libcurl enforces host verification by default now and also requires you pass a ca cert file to it explicitly as documented here:

https://curl.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html

I think it would be good to see TLS options added to the GUI of FTP or FTPS sources. Along with indication on where to set up Explicit vs Implicit connections.

In addition, so we don't have to disable host verification, an option to load in or specify a CA cert as well.
Reply
#12
There is an advanced setting to override cacerts: https://kodi.wiki/view/Advancedsettings.xml#network
Reply
