Posts by VvJ44q1Z

    Just for info, in a moment of being pissed off at the non-working proxy, I took the Kodi source code and figured out the issue was actually in how Kodi was handling proxy requests without authentication. I have written a fix and submitted it to the Kodi team, it should be merged into Kodi for about a year.

    Now I am waiting for LibreELEC to actually start supporting proxy. Kodi does it, LibreELEC does not (at least for updates).

    I am not letting any single request contact the internet without a VPN, due to potentially illegal (I have no clue) content in my media library. It would be really helpful if you would implement usage of the defined proxy.

    This has been dragging on for years; each and every release there is something wrong with certificates, and each and every time I install it, I have a week or more of research into wtf is going on.

    I have installed version 10 beta.

    Add proxy, ok, works (as I have submitted the code fix to the Kodi developers and they have merged it).

    Where to put my proxy CA certificate? /storage/.config/cacert.pem, and yes, it is in PEM format. Set the date using SSH, as the local time server doesn't work and you don't use the DHCP time. Ok.

    Then the even more usual: the communication doesn't work. Start logs, check the logs.

    Communication starts, the connection is correctly mitmed (sure, I have written the proxy and it works; if it is good for Firefox and Chrome it should be good for curl/LibreELEC too), the data came back and then the beautiful LibreELEC fun begins:

    Code
    2021-07-20 20:00:33.181 T:895 DEBUG <general>: Curl::Debug - TEXT: TLSv1.3 (OUT), TLS alert, unknown CA (560):
    2021-07-20 20:00:33.181 T:895 DEBUG <general>: Curl::Debug - TEXT: SSL certificate problem: self signed certificate in certificate chain
    2021-07-20 20:00:33.181 T:895 DEBUG <general>: Curl::Debug - TEXT: Closing connection 1
    2021-07-20 20:00:33.184 T:895 ERROR <general>: CCurlFile::FillBuffer - Failed: SSL peer certificate or SSH remote key was not OK(60)

    Sure, why not. It is very awful if you are using a self-signed certificate (even more as ALL root CA certificates on the whole internet are self-signed) that you have manually added to cacert.pem as trusted, so the connection must be closed. Great. Another quest for where to stuff my CA certificate.

    Sorry for the tone guys, I really like your work but can you PLEASE (please,please,please,please,please,please,please,please,please,please,...) fix those damn certificates once and for all or at least provide a way to disable curl nonsense. I would do it but your system for building the whole thing is just too complex. I just want to watch some movie.

    Yep, remounting the root doesn't work :D I just took a larger hammer.

    I have refined the script but it just doesn't help; putting the CA certificate into /storage/.config/cacert.pem doesn't either. There is something strange with Kodi: they are using two ways to communicate over HTTPS, one is curl and the second one is urllib. I have no clue why this is not working, as Python on its own should load the certificates from the system, but it looks like it does not.

    I was checking "Adding own certs to connect via webdavs/sftp" again, but this is not exactly the same case: the HTTP proxy is performing a MITM attack on HTTPS connections, serving back certificates generated on the fly with its own CA. All HTTPS traffic is affected. I am just puzzled why adding it to all cacert.pem files on the system doesn't work.

    There is a second option, to kill certificate checking by environment variable, but unfortunately busybox is executing /etc/profile, which doesn't execute . ~/.profile (or whatever writable). touch /storage/.cache/debug.libreelec logs didn't reveal anything useful, so I would assume Kodi is using normal functions to read certificates.

    I am cloning your git repo (and really don't understand why you have locked down the whole LibreELEC so much =/), either the problem is there or within Kodi, which is next... =/
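
Added example, not part of the post above and not LibreELEC or Kodi code: one way to check the "added it to every cacert.pem and it still fails" situation is to compare the proxy CA against each bundle by fingerprint and to flag PEM boundary markers glued to the previous line, which a reader expecting each boundary on its own line can skip or reject. All function names are hypothetical and the sample certificate bodies are constructed placeholders.

```python
import base64, hashlib, os, re, ssl, sys

CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
MARKER_RE = re.compile(r"-----(?:BEGIN|END) CERTIFICATE-----")

# Constructed sample data: the base64 bodies are placeholders, not real certificates.
PUBLIC_CA = "-----BEGIN CERTIFICATE-----\nUFVCTElDLUNB\n-----END CERTIFICATE-----\n"
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nUFJPWFktQ0E=\n-----END CERTIFICATE-----\n"
SAMPLE_BUNDLE_OK = PUBLIC_CA + SAMPLE_CA
SAMPLE_BUNDLE_GLUED = PUBLIC_CA.rstrip("\n") + SAMPLE_CA  # CA appended with no newline before it

def fingerprints(pem_text):
    """SHA-256 (hex) of the decoded body of every certificate block in a PEM text."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in CERT_RE.findall(pem_text)]

def misplaced_markers(pem_text):
    """Count BEGIN/END markers that do not start a line."""
    return sum(1 for m in MARKER_RE.finditer(pem_text)
               if m.start() > 0 and pem_text[m.start() - 1] != "\n")

def check_bundle(bundle_text, ca_text):
    """Return (present, misplaced): is the CA in the bundle, and how many
    boundary markers in the bundle are glued to the previous line."""
    wanted = fingerprints(ca_text)
    if len(wanted) != 1:
        raise ValueError("CA file must hold exactly one certificate")
    return wanted[0] in fingerprints(bundle_text), misplaced_markers(bundle_text)

def python_default_cafile(environ=os.environ):
    """(override env var name, its current value, compiled-in CA file) for Python's ssl module."""
    paths = ssl.get_default_verify_paths()
    return paths.openssl_cafile_env, environ.get(paths.openssl_cafile_env), paths.openssl_cafile

if __name__ == "__main__":
    # Usage: script.py <proxy-ca.pem> <bundle.pem>...  (no arguments: constructed samples)
    if len(sys.argv) >= 3:
        ca = open(sys.argv[1], errors="replace").read()
        bundles = {p: open(p, errors="replace").read() for p in sys.argv[2:]}
    else:
        ca = SAMPLE_CA
        bundles = {"sample-ok": SAMPLE_BUNDLE_OK, "sample-glued": SAMPLE_BUNDLE_GLUED}
    for name, text in bundles.items():
        present, misplaced = check_bundle(text, ca)
        print(f"{name}: CA present={present}, misplaced markers={misplaced}")
    print("Python ssl default CA file:", python_default_cafile())
```

A bundle that reports the CA as present but with misplaced markers contains the certificate text yet may still not be loaded as trusted.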

    I would like to use my HTTP proxy (Squid), but to use HTTPS connections I need to install my CA certificate to the trusted cacert.pem. I have located the one that Kodi is using in /usr/share/kodi/system/certs/ but the issue is that I can't make it survive the reboots. Is there any other location where a custom CA certificate can be installed?

    I have read your privacy policy but to me it seems it is done for a website, which is fine. Where can I find your privacy policy for LibreELEC? Just to explain, I am allergic to corporations spying on me using "smart tv" (as an example) and this is the reason I bought a Raspberry and will install Kodi (long time user on FreeBSD, but now I am moving to another apartment and I will stash my server away from the living room). But I don't want to install an OS that is doing what I wanted to avoid in the first place... Thank you very much.