Is Webdav mTLS possible with LibreELEC / Kodi?

  • I've set up sftpgo which now serves a webdav share. I have traefik configured to proxy this share and configured to check for client certs against my cert authority. Testing this in Win11 works fine, i.e. with a personal cert imported into the Win11 cert store I can successfully map a file explorer drive to the webdav endpoint. Without the personal cert in the Win11 cert store the connection fails.

    I was hoping to find a solution in LE/Kodi to take the same approach as the above, but I misunderstood the purpose of the SSL/TLS section of the wiki and realise that's only for Kodi to be happy to use self-signed TLS connections.

    I'd appreciate an experienced view on whether what I'm wanting to do is possible or not.

  • I don't believe mTLS is possible. Kodi supports the following TLS options via URL append:

    xbmc/xbmc/addons/kodi-dev-kit/include/kodi/c-api/filesystem.h at master · xbmc/xbmc (github.com)

    Looking wider in the codebase I only find references to defining the CA bundle used for server cert verification. It's typically done using the SSL_CERT_FILE environment variable, although LE uses another approach (as you found in the wiki).

    To use mTLS you normally provide --cert=/path/to/cert and --key=/path/to/key in the curl command and unlike the CA bundle curl/libCURL does not appear to support a client cert defined through an environment variable, so Kodi would need code changes to support those being defined, e.g. through advancedsettings.xml config.

    I also didn't find any existing references to mTLS in existing Kodi issues or pull requests, or forum threads. So you'd need to make a feature request via that section of the Kodi forum.

  • Thanks again. Will raise a feature request into Kodi for this.

    As a hack I was thinking adding a small reverse proxy into LE so Kodi talks to a localhost process to request the webdav endpoint, the local proxy can then handle the mTLS negotiation. Appreciate this isn't the ideal but probably something within my reach to contribute in a meaningful timeline. I get its niche though so probably low user demand.

    Any absolute blockers to this you can think of?

  • I'd keep it simple: add the CA to cacert.pem so the client trusts the server and then authenticate the user over WebDAV within a secure TLS session. I get that mTLS can fail things earlier in the connection sequence, but that's enough to avoid issues.

  • Ha but I'm paranoid!

    My traefik public edge uses the inbuilt Letsencrypt functionality so the TLS certs are verifiable, so I've no need to add my offline CA into the mix. The bit I'm worried about is a brute force on the webdav password. I'll dig into sftpgo some more as I think it can detect and ban failed attempts, but I still want a 2nd factor auth, which is what mTLS provides.

    I've just implemented a basic caddy service in LE, this is working for now, needs a little more testing but it's doing what I want.

    Now given you've had to deal with my 2nd ever github pull request and how clumsy it was I will completely understand if you don't want to bother with me any more on this :D
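
The loopback-proxy workaround described in the thread, written out as an added example (this is not the poster's Caddyfile or anything from the LibreELEC or Kodi projects). Caddy listens on 127.0.0.1 only, so the unauthenticated side is reachable solely from processes on the LibreELEC box, and presents the client certificate when it dials the real WebDAV endpoint. The hostname `webdav.example.com`, the port `8081` and the paths under `/storage/.config/mtls/` are assumptions; substitute your own.

```caddyfile
# Added example: localhost-to-mTLS bridge for Kodi on LibreELEC.
# Assumed names: webdav.example.com, port 8081, cert/key under /storage/.config/mtls/.

{
	# No admin API needed on a media box; fewer listeners, smaller surface.
	admin off
}

# The explicit http:// scheme keeps Caddy from trying to obtain a certificate
# for this site; binding to 127.0.0.1 keeps it off the LAN interface entirely.
http://127.0.0.1:8081 {
	reverse_proxy https://webdav.example.com {
		# Rewrite Host so the traefik edge routes by the public hostname,
		# not by the 127.0.0.1:8081 that Kodi sent.
		header_up Host {upstream_hostport}

		transport http {
			# SNI for the TLS handshake with the edge.
			tls_server_name webdav.example.com
			# Client certificate and key presented for mTLS (PEM files).
			tls_client_auth /storage/.config/mtls/client.crt /storage/.config/mtls/client.key
		}
	}
}
```

Kodi then uses a plain `dav://127.0.0.1:8081/` source; the WebDAV credentials still travel inside the TLS session Caddy opens to the edge, so the password never crosses the network in clear. Keep the key file readable only by the user Caddy runs as, since anyone who can read it holds the "second factor". One caveat for a PROPFIND/MOVE-heavy client: a WebDAV server that emits absolute URLs or that checks the `Destination` header against its own hostname may need further header rewriting; whether sftpgo behind traefik does so is not covered by the thread.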