OK, I'm sorry. I accidentally posted the thread while typing. Let's try this again.
Hello.
I was looking for a way to make Kodi work with self-signed certificates for an FTPS share.
I found the following page:
https://kodi.wiki/view/SSL_certificates
Basically, it lists three possible ways to accomplish this:
- get a Let's Encrypt certificate — not possible for me as the IP address of the server can change every now and then (I'm running it at home), and I don't think the Let's Encrypt folks would accept my use case anyway;
- set the SSL_CERT_FILE environment variable — which doesn't work on my Linux machine (I believe this is the issue), and to my knowledge I'm not able to do this on Android without rooting, which is my second device with Kodi;
- use the verifypeer=false option — which sort of undermines the whole point of using FTPS in the first place, as the IP address could easily be spoofed.
I have found a
thread from 2018 which seems to be about the same topic. From wsnipex's response I understand that the Kodi team was not interested in adding any more ways of dealing with this, and instead suggest using a reverse proxy (to be honest I'm not even sure how it's supposed to help me)
I was thinking about adding a simple url option like verifypeer to specify path to a certificate. After some digging through curl documentation I came up with a simple way to do it:
diff:
diff --git a/xbmc/filesystem/CurlFile.cpp b/xbmc/filesystem/CurlFile.cpp
index 872cc781ba..4d6438f925 100644
--- a/xbmc/filesystem/CurlFile.cpp
+++ b/xbmc/filesystem/CurlFile.cpp
@@ -521,6 +521,9 @@ void CCurlFile::SetCommonOptions(CReadState* state, bool failOnError /* = true *
if (!m_verifyPeer)
g_curlInterface.easy_setopt(h, CURLOPT_SSL_VERIFYPEER, 0);
+ if (!m_cacert.empty())
+ g_curlInterface.easy_setopt(h, CURLOPT_CAINFO, m_cacert.c_str());
+
g_curlInterface.easy_setopt(m_state->m_easyHandle, CURLOPT_URL, m_url.c_str());
g_curlInterface.easy_setopt(m_state->m_easyHandle, CURLOPT_TRANSFERTEXT, CURL_OFF);
@@ -747,6 +750,9 @@ void CCurlFile:
arseAndCorrectUrl(CURL &url2)
if (url2.GetProtocolOption("verifypeer") == "false")
m_verifyPeer = false;
}
+ if (url2.HasProtocolOption("cacert"))
+ m_cacert = url2.GetProtocolOption("cacert");
+
m_ftppasvip = url2.HasProtocolOption("pasvip") && url2.GetProtocolOption("pasvip") != "0";
}
else if(url2.IsProtocol("http") ||
diff --git a/xbmc/filesystem/CurlFile.h b/xbmc/filesystem/CurlFile.h
index 2fb05f3040..1125547730 100644
--- a/xbmc/filesystem/CurlFile.h
+++ b/xbmc/filesystem/CurlFile.h
@@ -184,6 +184,7 @@ namespace XFILE
bool m_postdataset;
bool m_allowRetry;
bool m_verifyPeer = true;
+ std:
tring m_cacert;
bool m_failOnError = true;
CRingBuffer m_buffer; // our ringhold buffer
So, it seems to be possible to do it. I suppose an alternative way of handling this would be using a dialog window asking the user if they want to trust the certificate or not when a share is accessed for the first time, kind of like FTP clients do it.
I'm wondering if the Kodi team's attitude has changed and you'd be interested in a feature like this, or if I'm supposed to maintain a personal fork of Kodi.
Thank you in advance!
