TLS & certs for web interface

Hello everyone,

I have two issues with the web interface, specifically its security. One has me stumped, and the other… I am pretty sure I am missing something small, I just don’t know how to solve it.

I am running Kodi 19.4 (March OSMC release) and have a Let’s Encrypt certificate for the Chorus2 web interface. I would like to disable TLS 1.1 completely and restrict access to strong ciphers only (as per Configurable TLS cipher config for HTTPS webserver · Issue #19735 · xbmc/xbmc (github.com)) but the configuration doesn’t seem to work - my guess is perhaps something in the OSMC build distro is doing something different. A scan of the system shows the below:

Has someone done this? I am fairly sure it is possible, just not sure what I am missing.

The second problem is related as well to certificates: there seems to be a problem with the chain and I think this is because I have not placed files in the correct location.


My public certs are still valid, but nothing I have tried so far has resolved this. It’s probably something small but I am a little stuck at this point.

Any help would be much appreciated, thanks!

Have you tried this on another Kodi instance? I can’t think of any downstream changes that would cause an issue here.

Hi Sam,

No I have not, I can maybe spin up a VM with OSMC/LE or something like that and try there.

Is this something that can be solved downstream perhaps? I am not familiar with the build process and I definitely feel this is not something for OSMC to solve but it may be the only option for the time being (unless I can get this to work somehow).

I’d be surprised if it’s an issue with OSMC (downstream).

Keep in mind that Kodi’s web interface isn’t designed to be public facing. If I were you, I’d use a reverse proxy and set up HTTPS there. I’d also add some additional authentication.

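Sam's suggestion of terminating HTTPS on a reverse proxy, written out as an added example that is not from this thread or from OSMC: an nginx server block that offers only TLS 1.2/1.3 with forward-secret AEAD ciphers and adds HTTP basic auth in front of Kodi's own login. It assumes Kodi's web server listens on 127.0.0.1:8080 over plain HTTP, certificates issued by certbot under /etc/letsencrypt, a placeholder hostname kodi.example.home, and an htpasswd file at /etc/nginx/kodi.htpasswd.

```nginx
# Added example (not from the thread): nginx reverse proxy in front of Kodi.
# Assumptions: Kodi on 127.0.0.1:8080 over plain HTTP, certbot paths below,
# /etc/nginx/kodi.htpasswd created with `htpasswd -B`.
server {
    listen 443 ssl http2;
    server_name kodi.example.home;   # placeholder hostname

    # fullchain.pem carries the leaf plus the Let's Encrypt intermediate;
    # serving cert.pem alone is the usual cause of an incomplete-chain warning.
    ssl_certificate     /etc/letsencrypt/live/kodi.example.home/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/kodi.example.home/privkey.pem;

    # Only TLS 1.2 and 1.3 are offered; TLS 1.0/1.1 handshakes are refused.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites for TLS 1.2 (TLS 1.3 suites are fixed by OpenSSL).
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_tickets off;

    # Second authentication layer, independent of Kodi's web server password.
    auth_basic           "Kodi";
    auth_basic_user_file /etc/nginx/kodi.htpasswd;

    location / {
        proxy_pass         http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-For $remote_addr;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
```

`nginx -t` validates the file, and afterwards `openssl s_client -tls1_1 -connect kodi.example.home:443` should fail the handshake while `-tls1_2` succeeds and shows the full chain.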

Hi Sam,

I have no intention of exposing the interface publicly and my network is fronted by a firewall. I am just on a (probably entirely pointless) mission to shore up security and learn some things while I am at it; if it is at all possible, I would prefer not to spin up a reverse proxy just for this.

Quick question, which up until now I have merely assumed: gnutls is the flavour in use on OSMC, correct? I believe it is, but would like some confirmation from someone more knowledgeable than myself.

We are using OpenSSL.