INTERACT FORUM


Author Topic: NEW: HTTPS/SSL support for Library Server, MCWS, WebGizmo and Panel  (Read 19271 times)

Hendrik

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 10968

In Media Center 23, MC gained the ability to host the Library Server and MCWS, and all related services like WebGizmo and Panel, over HTTPS.

This feature is disabled by default due to the required certificates, and can be enabled in Options -> Media Network -> Advanced -> Enable SSL

The server is based on the most recent security technologies and supports TLS 1.0 up to TLS 1.2 (older SSLv2 or SSLv3 protocols are not supported, as they are considered insecure).

Certificates
To use SSL/TLS encryption, you need a certificate. Media Center supports generating a self-signed certificate automatically, or lets you provide your own certificate.
Here is a short primer on what these differences basically mean to you:

Self-signed certificates have the advantage of being immediately available; however, web browsers do not trust them, so you'll get a security warning when connecting to MCWS or Panel with a browser, and because anyone can just create a new self-signed certificate, you have no information about which server you are actually connecting to. They otherwise provide the same secure encryption as "trusted" certificates, however.

Certificates issued by a Certificate Authority have the advantage of creating a chain of trust: if you own a certificate for a certain domain/server, the Certificate Authority will have verified in some way or form that you actually own this server, and a chain of trust is established - when you connect to this server, you know that it's this server. Browsers trust these certificates, as long as the Certificate Authority is trustworthy.

So what kind of certificate do you need for Media Center? Well, that's up to you. Setting up a fully trusted certificate, especially for a library server running from your home, can be a bit complicated, while generating a self-signed certificate happens in a matter of seconds. In my opinion, if your primary goal is to be able to securely communicate with MC so that your username/password and your media cannot be "snooped", even on open WiFi or insecure networks, then a self-signed certificate will do the job.

Status
- 23.0.2: Implemented HTTPS server support
- 23.0.8: HTTPS Client support for Media Center clients is available
- Support in mobile remote apps is planned

Why don't you automatically get certificates from Let's Encrypt?
Some of you interested in HTTPS support have expressed interest in services like Let's Encrypt being integrated directly into MC to try to obtain trusted certificates automatically. We've explored these ideas, but due to the fact that MC most of the time is hosted on home connections, behind a router/firewall and without a permanent DNS name, the effort required to set this up on the user's side takes the value out of such an "automation", and we're more likely to investigate options to allow power users to update the certificate MC uses automatically (i.e. in a script), so such an automation could be set up externally.
Logged
~ nevcairiel
~ Author of LAV Filters

Hendrik

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 10968

One note on the upcoming client support (even though I'm not sure when 23.0.3 will be made available, which would include it):

We currently disable any certificate verification, until we can decide how to handle this.

The Access Key server will actually list the fingerprint of the certificate used by the server (if you use an Access Key to connect), so we're thinking we can establish a secondary line of trust through the Access Key server, and only if that fails, perhaps prompt the user once, but this will require some more work, and in the meantime MC will just accept any certificate.

PS:
In the current state (unless it changes before the build is made), to connect to an HTTPS server you'll need to enter the URL directly: m01ps://xx.xx.xx.xx:52200, with m01ps:// being the prefix for the HTTPS-based library server connection. Maybe I'll make a checkbox instead.
Logged
~ nevcairiel
~ Author of LAV Filters
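The first two posts above describe the trade-off between a self-signed and a CA-issued certificate, and the idea of trusting a server by the certificate fingerprint published through the Access Key server rather than by a CA chain. The Python script below is an added example, not JRiver Media Center code and not part of the thread: it computes a certificate's SHA-256 fingerprint, and connects to a server with CA verification switched off (which a self-signed certificate forces) but refuses to proceed unless the presented certificate matches a fingerprint pinned in advance. The host, port (52200 from the thread's URL) and pinned fingerprint are placeholders, and the sample certificate bytes are constructed for the offline check rather than a real certificate.

```python
"""Pin a self-signed Library Server certificate by its SHA-256 fingerprint.

Added example, not JRiver Media Center code. HOST, PORT and PINNED_FINGERPRINT
are assumed placeholders: in practice the fingerprint would come from the
server's certificate dialog or, as the thread suggests, the Access Key server.
"""
import hashlib
import hmac
import socket
import ssl

HOST = "mc.example.invalid"     # placeholder for the Library Server address
PORT = 52200                    # HTTPS port used in the thread's m01ps:// URL
PINNED_FINGERPRINT = "00" * 32  # placeholder; replace with the real fingerprint

# Constructed sample "certificate" bytes so the fingerprint helpers can be
# exercised offline. This is NOT a real X.509 certificate.
SAMPLE_DER = b"constructed sample bytes, not an X.509 certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def sha256_fingerprint(der_cert: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint, as browsers display it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_fingerprint(pem_cert: str) -> str:
    """Fingerprint of a PEM-encoded certificate (e.g. an exported .crt file)."""
    return sha256_fingerprint(ssl.PEM_cert_to_DER_cert(pem_cert))


def _normalise(fingerprint: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex so copied values compare equal."""
    return "".join(ch for ch in fingerprint.upper() if ch in "0123456789ABCDEF")


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Constant-time comparison of the presented certificate against the pin."""
    return hmac.compare_digest(_normalise(sha256_fingerprint(der_cert)),
                               _normalise(expected))


def pinned_context() -> ssl.SSLContext:
    """TLS client context for a self-signed server certificate.

    A self-signed certificate has no CA chain for OpenSSL to validate, so chain
    and hostname verification are disabled here. On its own that accepts any
    certificate (the interim client state the thread describes);
    connect_pinned() restores trust by checking the fingerprint instead.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # TLS 1.2 is the newest version the thread says the server offers; refuse older ones.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_pinned(host: str, port: int, expected_fingerprint: str,
                   timeout: float = 5.0):
    """Open a TLS session and return (tls_version, fingerprint), or raise.

    The handshake completes before the pin is checked, but no application data
    (MCWS request, username/password) is sent unless the fingerprint matches.
    """
    ctx = pinned_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not fingerprint_matches(der, expected_fingerprint):
                raise ssl.SSLError(
                    "certificate fingerprint mismatch: expected %s, server presented %s"
                    % (expected_fingerprint, sha256_fingerprint(der)))
            return tls.version(), sha256_fingerprint(der)


if __name__ == "__main__":
    print("sample fingerprint:", pem_fingerprint(SAMPLE_PEM))
    try:
        print(connect_pinned(HOST, PORT, PINNED_FINGERPRINT))
    except (OSError, ssl.SSLError) as exc:
        print("connection failed or pin mismatch:", exc)
```

The pin is compared against the raw DER bytes the server presents, so a renewed or regenerated self-signed certificate changes the fingerprint and the client must be re-pinned; that is the manual step the Access Key server idea in the thread would automate.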

Awesome Donkey

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 7879
  • Long cold Winter...

Are you using OpenSSL for this? TLSv1.3 is coming soon (though still in a working draft and only is available if building from the OpenSSL Git) but I wouldn't rush to support it yet. Firefox has support for draft 18 enabled by default and Chrome did too until users started noticing issues with it enabled so they disabled it. :P

This is a VERY important feature indeed. :D
Logged
I don't work for JRiver... I help keep the forums safe from "male enhancements" and other sources of sketchy pharmaceuticals.

Windows 11 24H2 Update 64-bit + Ubuntu 24.10 Oracular Oriole 64-bit | Windows 11 24H2 Update 64-bit (Intel N305 Fanless NUC 16GB RAM/500GB M.2 NVMe SSD)
JRiver Media Center 33 (Windows + Linux) | iFi ZEN DAC 3 | JBL 306P MkII Studio Monitors | Audio-Technica ATH-M50x Headphones

Hendrik

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 10968

We're using GnuTLS. We scored an "A-" on SSL Labs SSL Server Test, mostly because of some older ciphers that are still enabled for compatibility.
Logged
~ nevcairiel
~ Author of LAV Filters

Awesome Donkey

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 7879
  • Long cold Winter...

Oh, nice! This *should* allow for cross-platform support too. :D
Logged
I don't work for JRiver... I help keep the forums safe from "male enhancements" and other sources of sketchy pharmaceuticals.

Windows 11 24H2 Update 64-bit + Ubuntu 24.10 Oracular Oriole 64-bit | Windows 11 24H2 Update 64-bit (Intel N305 Fanless NUC 16GB RAM/500GB M.2 NVMe SSD)
JRiver Media Center 33 (Windows + Linux) | iFi ZEN DAC 3 | JBL 306P MkII Studio Monitors | Audio-Technica ATH-M50x Headphones

Hendrik

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 10968

Definitely works on Linux already. Mac is still in the works, I think, due to some build issues, but yes, it's fully cross-platform.
Logged
~ nevcairiel
~ Author of LAV Filters

AndrewFG

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 3392

Great news!

Logged
Author of Whitebear Digital Media Renderer Analyser - http://www.whitebear.ch/dmra.htm
Author of Whitebear - http://www.whitebear.ch/mediaserver.htm

mwillems

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 5239
  • "Linux Merit Badge" Recipient

This is great news!
Logged

Hendrik

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 10968

Even though it didn't quite make the change log yet because it's not fully complete, you can make MC 23.0.3 connect to an MC23 Library Server using HTTPS now, as hinted in a post above, by specifying the protocol directly:
Like this: m01ps://xx.xx.xx.xx:52200

If you use an Access Key, there is no way to do it yet. The full GUI for that is still in the works.
Logged
~ nevcairiel
~ Author of LAV Filters

AndrewFG

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 3392

I assume there will be a JRemote release too?
Logged
Author of Whitebear Digital Media Renderer Analyser - http://www.whitebear.ch/dmra.htm
Author of Whitebear - http://www.whitebear.ch/mediaserver.htm

Hendrik

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 10968

Updates for mobile clients will be coming a bit later. Probably Android first, unless someone beats me to it.  ;)
Obviously server support had to be the first, and MC client support is just relatively easy (even if a bit wasted for something most people likely only use locally).
Logged
~ nevcairiel
~ Author of LAV Filters

hoyt

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 867

This alone is a huge step for MC23.  Glad to see it be incorporated, looking forward to seeing the change in JRemote :)

Thanks!
Logged

WeeHappyPixie

  • Regular Member
  • Galactic Citizen
  • ****
  • Posts: 388
  • Gonnae no dae that..

Any plans to support LetsEncrypt? This way we get a free SSL certificate that browsers don't moan about.


Logged

AndrewFG

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 3392

Quote from: WeeHappyPixie
Any plans to support LetsEncrypt? This way we get a free SSL certificate that browsers don't moan about.

It's probably not that easy. I have done a few tests on Let's Encrypt, and currently it only works with sites that have a registered domain name; but it won't help you at all with sites using an IP address (like 192.168.1.xxx). (And IMHO nor should it.)

Basically cert validation depends (at least partly) on proving a binding between a domain and a cert.

Logged
Author of Whitebear Digital Media Renderer Analyser - http://www.whitebear.ch/dmra.htm
Author of Whitebear - http://www.whitebear.ch/mediaserver.htm

mwillems

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 5239
  • "Linux Merit Badge" Recipient

Quote from: AndrewFG
It's probably not that easy. I have done a few tests on Let's Encrypt, and currently it only works with sites that have a registered domain name; but it won't help you at all with sites using an IP address (like 192.168.1.xxx). (And IMHO nor should it.)

Basically cert validation depends (at least partly) on proving a binding between a domain and a cert.

Assuming you've got a domain name and a LetsEncrypt cert, the certs can be made to work with no browser complaints with local IPs as well, provided you're willing to set up split DNS on your router (and that your router supports it).  Basically use your router as your DNS cache (which is often the default configuration, and has a lot of other potential advantages), and then configure your router to resolve the domain name in question to a local address when traffic originates inside the LAN, etc.  I've been doing that for about a year with other services and it works great (no browser complaints).

Obviously not trivial to set up even if you've got everything already working with LetsEncrypt, but possible with some elbow grease.  Automating LetsEncrypt for most home users is not likely to be viable; much easier for most people to just set your self-signed cert to trusted in your and your family's browsers.
Logged
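AndrewFG's point that a certificate binds to a domain name rather than an IP address, and mwillems's split-DNS workaround, both come down to one check: does the name the user typed into the address bar appear in the certificate's Subject Alternative Names? The Python below is an added example, not from the thread or from JRiver; it implements that check for the subjectAltName structure Python's ssl.getpeercert() returns (exact DNS names, single-label wildcards, and IP Address entries) and walks through the constructed cases from the discussion: a name-bound certificate reached by name, by LAN IP, and by name after split DNS. The domain, addresses, SAN entries and the stand-in resolver are all constructed for illustration.

```python
"""Does a certificate cover the address the client typed?

Added example, not JRiver code. Domain names, IP addresses and SAN entries
below are constructed; resolve() is a stand-in for a router running split DNS.
"""
import ipaddress

# Constructed subjectAltName list in the shape ssl.getpeercert() returns:
# a tuple of (type, value) pairs. A Let's Encrypt style certificate only
# carries DNS names; the LAN IP is deliberately absent.
SAN_DOMAIN_ONLY = (("DNS", "mc.example.com"), ("DNS", "*.home.example.com"))

# Constructed addresses: public address from outside, split-DNS override
# to the LAN address from inside.
PUBLIC_IP = "203.0.113.10"
LAN_IP = "192.168.1.20"


def _is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: exact name, or '*.' covering exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # e.g. ".home.example.com"
        if not hostname.endswith(suffix):
            return False
        first_label = hostname[: -len(suffix)]
        # The wildcard never covers the bare domain or more than one label.
        return bool(first_label) and "." not in first_label
    return pattern == hostname


def cert_covers(san_entries, target: str) -> bool:
    """True if the target (DNS name or IP literal) is listed in the SANs.

    An IP literal only matches an 'IP Address' entry; a DNS entry never
    covers an IP, which is why a domain certificate fails for 192.168.x.x.
    """
    if _is_ip_literal(target):
        ip = ipaddress.ip_address(target)
        for kind, value in san_entries:
            if kind == "IP Address" and _is_ip_literal(value) \
                    and ipaddress.ip_address(value) == ip:
                return True
        return False
    return any(kind == "DNS" and _dns_name_matches(value, target)
               for kind, value in san_entries)


def resolve(name: str, inside_lan: bool) -> str:
    """Constructed stand-in for the router's resolver with split DNS enabled."""
    if name.lower().rstrip(".") == "mc.example.com":
        return LAN_IP if inside_lan else PUBLIC_IP
    raise LookupError("no such name: %s" % name)


def connection_ok(san_entries, typed_address: str, inside_lan: bool) -> bool:
    """Whether a browser would connect without a certificate warning.

    The certificate is checked against what the user typed, never against the
    resolved IP, so split DNS lets a name-bound certificate work on the LAN
    while typing the LAN IP directly still fails.
    """
    if not _is_ip_literal(typed_address):
        resolve(typed_address, inside_lan)   # must resolve; the IP itself is not verified
    return cert_covers(san_entries, typed_address)


if __name__ == "__main__":
    for typed, inside in (("mc.example.com", False), ("mc.example.com", True),
                          (LAN_IP, True), ("nas.home.example.com", True)):
        print("%-22s inside=%-5s -> %s" % (typed, inside,
              "ok" if connection_ok(SAN_DOMAIN_ONLY, typed, inside) else "warning"))
```

Pinning the LAN IP into the certificate is only possible with a self-signed or private-CA certificate carrying an IP Address SAN, which is the other route the thread discusses; a public CA certificate stays name-bound, so the client must reach the server by that name on both sides of the router.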

Hendrik

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 10968
Re: NEW: HTTPS/SSL support for Library Server, MCWS, WebGizmo and Panel
« Reply #15 on: July 14, 2017, 10:00:55 am »

I use a CNAME DNS entry (i.e. an alias) in my own domain that points to a DynDNS account, and acquire a LetsEncrypt cert for that. However, there is a bunch of manual work involved for the initial setup, and a custom script to renew that certificate so I don't have to keep port 443 open at all times (for tls-sni auth).

As commented on in the original post in this thread, automating LE certificate retrieval for home connections is complicated, for various reasons. Lack of a domain name for one, problems with firewalls/routers on port 80 or 443 for authentication, and whatnot.

Of course nothing stops you from achieving this manually and feeding the cert to Media Center. I do plan to try to offer command line commands to renew the certs used by MC somehow, for full scripting. Although that's not done yet.
Logged
~ nevcairiel
~ Author of LAV Filters

tzr916

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 1392
Re: NEW: HTTPS/SSL support for Library Server, MCWS, WebGizmo and Panel
« Reply #16 on: July 14, 2017, 12:30:09 pm »

I don't understand what this is all about. Does this allow easy access to a Server Library when outside my home network (like over the internet)?
Logged
JRiverMC v33 •Windows 10 Pro 64bit •Defender Exclusions •ṈŘ 3rd party AV
•ASUS TUF gaming WiFi z590 •Thermaltake Toughpower GX2 600W
•i7-11700k @ 3.6GHz~5GHz •32GB PC4-25600 DDR4
•OS on Crucial P5 Plus M.2 PCIe Gen4 •Tv Recordings on SATA 6TB WD Red Pro
•4 OTA & 6 CableCard SiliconDust Tuners
•nVidia RTX2060 •XBR65Z9D •AVRX3700H •Fluance 7.2.2 [FH]
•SMP1000DSPѫRSS315HE-22■DIYSG Cube-12
•eD LT.500ѫeD 13ov.2■eD A3-300

mwillems

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 5239
  • "Linux Merit Badge" Recipient
Re: NEW: HTTPS/SSL support for Library Server, MCWS, WebGizmo and Panel
« Reply #17 on: July 14, 2017, 12:44:37 pm »

Quote from: tzr916
I don't understand what this is all about. Does this allow easy access to a Server Library when outside my home network (like over the internet)?

It doesn't make external access easier, but it does make it more secure by encrypting the traffic and your login credentials.  If you ever notice the small lock in your browser bar when visiting bank or commerce websites, that's a sign that your connection to those sites is encrypted, which adds a layer of security; this is the same thing.  Previously, if you wanted to use JRiver outside of your network, you could only communicate using an unencrypted protocol (http); the new feature allows you to instead communicate via an encrypted protocol (https).  This is significantly more secure if you ever access your JRiver server from insecure locations, like, for example, using public wifi, as there's a much smaller chance that someone on the public wifi network with you could sniff your login credentials.  It's some extra work to set up, but has benefits.

TL;DR: It doesn't provide "easy" access outside your home LAN, but it does provide more secure access when outside your own LAN.
Logged

stevedig

  • Recent member
  • *
  • Posts: 15
Re: NEW: HTTPS/SSL support for Library Server, MCWS, WebGizmo and Panel
« Reply #18 on: July 23, 2017, 08:02:45 am »

I think I have a bug in web gizmo SSL support in 23.0.19. This is something I've longed for. I access my library over the internet from remote locations on a regular basis and web gizmo and the flash player are close to my heart...

SSL access works with web gizmo but when you attempt to play a movie or tv show you get a file not found error.

The URL referenced in the error begins with HTTP:// instead of HTTPS://, though the port number is correct for the SSL connection. This is likely why you get the file not found error.

The flash player launch process needs to be updated to understand that there is an https:// path to the file and to use it when you're using secure access. please... :)

Thanks very much for this btw! If you travel for a living and want access to your library while on the road this is the BOMB!

(side query: any chance flash is going to retire in favor of an html5 player? flash support in browsers is fading away. they all require extra tweaking to get flash to run now...)


Steve D.
Logged

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 72531
  • Where did I put my teeth?
Re: NEW: HTTPS/SSL support for Library Server, MCWS, WebGizmo and Panel
« Reply #19 on: July 23, 2017, 08:12:03 am »

We're working in this area now.  Thanks for the report.
Logged

mattkhan

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 4267
Re: NEW: HTTPS/SSL support for Library Server, MCWS, WebGizmo and Panel
« Reply #20 on: August 04, 2017, 03:14:05 pm »

Quote from: Hendrik
Even though it didn't quite make the change log yet because it's not fully complete, you can make MC 23.0.3 connect to an MC23 Library Server using HTTPS now, as hinted in a post above, by specifying the protocol directly:
Like this: m01ps://xx.xx.xx.xx:52200

If you use an Access Key, there is no way to do it yet. The full GUI for that is still in the works.
Am I right in thinking the above is the current state?

I added this to MC because I just set up an SSL-equipped VPN. Should I care if MC is using SSL or not, given the connection is via a secure VPN? I would think it is irrelevant in that case, but I am definitely not a security expert!
Logged

Hendrik

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 10968
Re: NEW: HTTPS/SSL support for Library Server, MCWS, WebGizmo and Panel
« Reply #21 on: August 04, 2017, 03:51:37 pm »

Recent versions have a checkbox to set the connection to secure. You can still use the m01ps protocol prefix if you want to, or you can just enter the IP/Port or Access Key and click the checkbox.
If SSL is being used, it'll say so on the library page (i.e. "Library Name" is a client of the Library Server with the access key xxxxxx (secure connection)).

If you're already running on an encrypted VPN, and that's the only way you ever use it, encrypting the connection on top of that is probably not very meaningful.
Logged
~ nevcairiel
~ Author of LAV Filters

mwillems

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 5239
  • "Linux Merit Badge" Recipient
Re: NEW: HTTPS/SSL support for Library Server, MCWS, WebGizmo and Panel
« Reply #22 on: September 08, 2017, 02:16:49 pm »

A question:

I'm trying to host an ssl enabled MC instance behind a web-reachable domain name, but my IP address is not static (I'm using a dynamic DNS service to keep my domain pointing at my IP).  I can access webgizmo/panel via the domain name easily enough, but it seems like Android Gizmo and JRemote won't accept FQDNs as server addresses, they'll only accept IP addresses. 

Is there any way currently to use a FQDN for the android apps, and if not could this be added?
Logged

cncb

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 3122
Re: NEW: HTTPS/SSL support for Library Server, MCWS, WebGizmo and Panel
« Reply #23 on: November 13, 2017, 07:31:57 pm »

Quote from: Hendrik
- Support in mobile remote apps is planned

Is this coming soon?
Logged
-Craig    MO 4Media remote and player:  Android/TV/Auto | iOS | Windows 10/UWP

hoyt

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 867
Re: NEW: HTTPS/SSL support for Library Server, MCWS, WebGizmo and Panel
« Reply #24 on: January 02, 2018, 02:55:55 pm »

Quote from: Hendrik
- Support in mobile remote apps is planned

Is this coming soon?

I have the same question.  Since the mobile apps are most likely the connections coming through insecure networks, one would have assumed this to be a priority.
Logged

TheShoe

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 826
Re: NEW: HTTPS/SSL support for Library Server, MCWS, WebGizmo and Panel
« Reply #25 on: February 14, 2018, 04:11:57 am »

Is there an update for JRemote (iOS) needed to take advantage of this?

I use JRemote daily for accessing my library outside of my home network.

--

Logged

TheShoe

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 826
Re: NEW: HTTPS/SSL support for Library Server, MCWS, WebGizmo and Panel
« Reply #26 on: February 16, 2018, 12:02:09 am »

Can we get an update on this?

If there is a different/preferred channel to ask this question, let us know.

Thanks in advance.
Logged

michmartin

  • Recent member
  • *
  • Posts: 14
Re: NEW: HTTPS/SSL support for Library Server, MCWS, WebGizmo and Panel
« Reply #27 on: February 16, 2018, 10:52:53 pm »

How do you set up webgizmo to work with MC 23?  Is there a step by step instruction?
Logged

Awesome Donkey

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 7879
  • Long cold Winter...
Re: NEW: HTTPS/SSL support for Library Server, MCWS, WebGizmo and Panel
« Reply #28 on: February 17, 2018, 05:49:52 am »

Quote from: michmartin
How do you set up webgizmo to work with MC 23?  Is there a step by step instruction?

If I recall correctly, Panel replaced WebGizmo.

https://yabb.jriver.com/interact/index.php/topic,105883.0.html
Logged
I don't work for JRiver... I help keep the forums safe from "male enhancements" and other sources of sketchy pharmaceuticals.

Windows 11 24H2 Update 64-bit + Ubuntu 24.10 Oracular Oriole 64-bit | Windows 11 24H2 Update 64-bit (Intel N305 Fanless NUC 16GB RAM/500GB M.2 NVMe SSD)
JRiver Media Center 33 (Windows + Linux) | iFi ZEN DAC 3 | JBL 306P MkII Studio Monitors | Audio-Technica ATH-M50x Headphones

michmartin

  • Recent member
  • *
  • Posts: 14
Re: NEW: HTTPS/SSL support for Library Server, MCWS, WebGizmo and Panel
« Reply #29 on: February 17, 2018, 09:30:12 am »

I'm hoping Panel will be enhanced to allow building playlists on the fly, add, play next, play only - with similar features as WebGizmo.  Unless there is another method to build playlists using an app with my web browser on a remote notebook, MC 23 won't work in my setup.
Logged

Bernhard

  • Recent member
  • *
  • Posts: 47
Re: NEW: HTTPS/SSL support for Library Server, MCWS, WebGizmo and Panel
« Reply #30 on: July 06, 2020, 03:02:05 am »

Should SSL work with JRemote on iOS as well?  ::)
Logged

atreides

  • Junior Woodchuck
  • **
  • Posts: 82
Re: NEW: HTTPS/SSL support for Library Server, MCWS, WebGizmo and Panel
« Reply #31 on: December 04, 2022, 08:51:31 pm »

Is there an update on this for the mobile apps?
Logged