TLS & certs for web interface

Hello everyone,

I have two issues with the web interface, specifically the security of it. One has me stumped, and the other… I am pretty sure I am missing something small; I just don’t know how to solve it.

I am running Kodi 19.4 (March OSMC release) and have a Let’s Encrypt certificate for the Chorus2 web interface. I would like to disable TLS 1.1 completely and restrict access to strong ciphers only (as per Configurable TLS cipher config for HTTPS webserver · Issue #19735 · xbmc/xbmc (github.com)) but the configuration doesn’t seem to work - my guess is perhaps something in the OSMC build distro is doing something different. A scan of the system shows the below:

Has someone done this? I am fairly sure it is possible, just not sure what I am missing.

The second problem is related as well to certificates: there seems to be a problem with the chain and I think this is because I have not placed files in the correct location.


My public certs are still valid, but nothing I have tried so far has resolved this. It’s probably something small, but I am a little stuck at this point.

Any help would be much appreciated, thanks!
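The scan output the post refers to is not reproduced on the page, so here is a way to reproduce both checks from the command line. This is an added example, not from the thread and not part of Kodi or OSMC: it uses `openssl s_client` to try each TLS version against the web interface and to count how many certificates the server actually sends. The host `kodi.example.lan` and port `8443` are placeholders; the two transcripts embedded in the script are constructed samples of s_client output so the summarising functions can be exercised offline. A server that sends only one certificate is a common cause of a "chain" warning with Let's Encrypt: the leaf in `cert.pem` was deployed instead of `fullchain.pem`, which also carries the intermediate.

```shell
#!/bin/sh
# Added example, not part of the original thread, Kodi or OSMC.
# Assumptions: openssl CLI is installed; HOST/PORT below are placeholders.

# Summarise one `openssl s_client` transcript passed as $1.
# Prints "<protocol> <cipher>" for a completed handshake, or "refused"
# when the server rejected that protocol version (s_client then reports
# "Cipher : 0000" or "(NONE)"). An unknown -tls1_x option also ends up
# as "refused", so run the command by hand if a result looks surprising.
summarise_handshake() {
    proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n1)
    cipher=$(printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *//p' | head -n1)
    if [ -z "$proto" ] || [ -z "$cipher" ] || [ "$cipher" = "0000" ] || [ "$cipher" = "(NONE)" ]; then
        echo "refused"
    else
        echo "$proto $cipher"
    fi
}

# Count the PEM certificates in a `-showcerts` transcript passed as $1.
# 1 means the server sends only the leaf (no intermediate); a Let's Encrypt
# deployment that uses fullchain.pem normally sends 2 or more.
count_chain_certs() {
    printf '%s\n' "$1" | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Live probe of one protocol version: $1 is the s_client flag (e.g. -tls1_2).
probe_version() {
    out=$(printf '' | openssl s_client -connect "$HOST:$PORT" -servername "$HOST" "$1" 2>&1)
    summarise_handshake "$out"
}

if [ -n "${1:-}" ]; then
    # Usage: ./tls-probe.sh <host> [port]  (placeholders, adjust to your setup)
    HOST="$1"
    PORT="${2:-8443}"
    for flag in -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_version "$flag")"
    done
    chain=$(printf '' | openssl s_client -connect "$HOST:$PORT" -servername "$HOST" -showcerts 2>&1)
    echo "certificates sent by server: $(count_chain_certs "$chain")"
else
    # No host given: run the summarisers over constructed sample transcripts.
    SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
    SAMPLE_REFUSED='CONNECTED(00000003)
SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
---
New, (NONE), Cipher is (NONE)
---
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000'
    SAMPLE_CHAIN='-----BEGIN CERTIFICATE-----
MIIB (constructed leaf, not a real certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB (constructed intermediate, not a real certificate)
-----END CERTIFICATE-----'
    echo "sample accepted handshake: $(summarise_handshake "$SAMPLE_OK")"
    echo "sample rejected handshake: $(summarise_handshake "$SAMPLE_REFUSED")"
    echo "sample chain length:       $(count_chain_certs "$SAMPLE_CHAIN")"
fi
```

Run it with the web interface's host and port to get one line per TLS version; a line reading `-tls1_1 refused` confirms TLS 1.1 is off, and a chain count of 1 points at the leaf-only deployment rather than at the certificate itself being invalid.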

Have you tried this on another Kodi instance? I can’t think of any downstream changes that would cause an issue here.

Hi Sam,

No I have not, I can maybe spin up a VM with OSMC/LE or something like that and try there.

Is this something that can be solved downstream perhaps? I am not familiar with the build process and I definitely feel this is not something for OSMC to solve but it may be the only option for the time being (unless I can get this to work somehow).

I’d be surprised if it’s an issue with OSMC (downstream).

Keep in mind that Kodi’s web interface isn’t designed to be public facing. If I were you, I’d use a reverse proxy and set up HTTPS there. I’d also add some additional authentication.


Hi Sam,

I have no intention of exposing the interface publicly and my network is fronted by a firewall. I am just on a (probably entirely pointless) mission to shore up security and learn some things while I am at it; if it is at all possible, I would prefer not to spin up a reverse proxy just for this.

Quick question, which up until now I have merely assumed: GnuTLS is the flavour in use on OSMC, correct? I believe it is, but would like some confirmation from someone more knowledgeable than myself.

We are using OpenSSL.

This might be my problem then… I am trying to configure something which does not exist or is not in use. Will spend some time digging deeper and trying to rework it and will report back with my findings.

Thanks Sam - and thanks for OSMC, it is great <3