NEW: HTTPS/SSL support for Library Server, MCWS, WebGizmo and Panel
Hendrik:
In Media Center 23, MC gained the ability to host the Library Server and MCWS, and all related services like WebGizmo and Panel, over HTTPS.
This feature is disabled by default due to the required certificates, and can be enabled in Options -> Media Network -> Advanced -> Enable SSL.
The server is based on the most recent security technologies and supports TLS 1.0 up to TLS 1.2 (older SSLv2 or SSLv3 protocols are not supported, as they are considered insecure).
Certificates
To use SSL/TLS encryption, you need a certificate. Media Center supports generating a self-signed certificate automatically, or lets you provide your own certificate.
Here is a short primer on what these differences basically mean to you:
Self-signed certificates have the advantage of being immediately available; however, web browsers do not trust them, and you'll get a security warning when connecting to MCWS or Panel with a browser, and because everyone can just create a new self-signed certificate, you have no information about which server you are actually connecting to. They otherwise provide the same secure encryption as "trusted" certificates, however.
Certificates issued by a Certificate Authority have the advantage of creating a chain of trust: if you own a certificate for a certain domain/server, the Certificate Authority will have verified in some way or form that you actually own this server, and a chain of trust is established - when you connect to this server, you know that it's this server. Browsers trust these certificates, as long as the Certificate Authority is trustworthy.
So what kind of certificate do you need for Media Center? Well, that's up to you. Setting up a fully trusted certificate, especially for a library server running from your home, can be a bit complicated, while generating a self-signed certificate happens in a matter of seconds. In my opinion, if your primary goal is to be able to securely communicate with MC so that your username/password and your media cannot be "snooped", even on open WiFi or insecure networks, then a self-signed certificate will do the job.
Status
- 23.0.2: Implemented HTTPS server support
- 23.0.8: HTTPS Client support for Media Center clients is available
- Support in mobile remote apps is planned
Why don't you automatically get certificates from Let's Encrypt?
Some of you interested in HTTPS support have expressed interest in services like Let's Encrypt being integrated directly into MC to try to obtain trusted certificates automatically. We've explored these ideas, but due to the fact that MC most of the time is hosted on home connections, behind a router/firewall and without a permanent DNS name, the effort required to set this up on the user's side takes the value out of such an "automation", and we're more likely to investigate options to allow power users to update the certificate MC uses automatically (i.e. in a script), so such an automation could be set up externally.
Hendrik:
One note on the upcoming client support (even though I'm not sure when 23.0.3 will be made available, which would include it):
We currently disable any certificate verification, until we can decide how to handle this.
The Access Key server will actually list the fingerprint of the certificate used by the server (if you use an Access Key to connect), so we're thinking we can establish a secondary line of trust through the Access Key server, and only if that fails, perhaps prompt the user once, but this will require some more work, and in the meantime MC will just accept any certificate.
PS:
In the current state (unless it changes until the build is made), to connect to an HTTPS server you'll need to enter the URL directly: m01ps://xx.xx.xx.xx:52200 - m01ps:// being the prefix for the HTTPS-based library server connection. Maybe I'll make a checkbox instead.
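As an added example, not code from JRiver or from anyone in this thread, here is a small Python client-side helper that illustrates the two points made above: a self-signed certificate (first post) cannot be checked through a chain of trust, so a client that wants to trust it pins the SHA-256 fingerprint of the server certificate, the kind of value Hendrik says the Access Key server lists, and rejects any other certificate instead of accepting everything. The host name, port, sample PEM and the DER stand-in bytes are constructed assumptions; only the fingerprint helpers run offline, while connect_with_pin() needs a live server.

```python
"""Certificate fingerprint pinning for a self-signed HTTPS endpoint.

Added example (not JRiver code). Shows how a client can trust a self-signed
certificate without a CA chain: it pins the SHA-256 fingerprint of the DER
certificate and refuses any connection whose leaf certificate differs.
Only the hashing/comparison helpers run offline; connect_with_pin() is the
same logic wired to a real TLS socket.
"""
import base64
import hashlib
import hmac
import socket
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed sample, NOT a real certificate: the base64 body decodes to b"abcdef".
SAMPLE_PEM = PEM_BEGIN + "\nYWJjZGVm\n" + PEM_END + "\n"


def pem_to_der(pem: str) -> bytes:
    """Extract the DER body of the first certificate in a PEM string."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if PEM_BEGIN not in lines or PEM_END not in lines:
        raise ValueError("not a PEM certificate")
    start = lines.index(PEM_BEGIN) + 1
    end = lines.index(PEM_END)
    return base64.b64decode("".join(lines[start:end]), validate=True)


def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 over the DER bytes, colon-separated the way browsers and openssl print it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' and return the colon form; reject anything else."""
    hexstr = fp.replace(":", "").strip().upper()
    if len(hexstr) != 64 or any(c not in "0123456789ABCDEF" for c in hexstr):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return ":".join(hexstr[i:i + 2] for i in range(0, 64, 2))


def pin_matches(der: bytes, expected_fp: str) -> bool:
    """Constant-time comparison of the certificate's fingerprint against the pin."""
    return hmac.compare_digest(fingerprint_sha256(der), normalize_fingerprint(expected_fp))


def connect_with_pin(host: str, port: int, expected_fp: str) -> ssl.SSLSocket:
    """Open a TLS connection and keep it only if the leaf certificate matches the pin.

    Chain verification is switched off because a self-signed certificate has no
    chain to verify; the pinned fingerprint stands in for it. The thread says the
    server allows TLS 1.0 to 1.2, but a pinning client has no reason to go below 1.2.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # we verify the pin ourselves below
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, expected_fp):
        tls.close()
        raise ssl.SSLError("server certificate does not match the pinned fingerprint")
    return tls


if __name__ == "__main__":
    # Constructed stand-in for DER bytes; real code would read the PEM exported
    # from Media Center. Host and port below are hypothetical.
    fake_der = b"constructed DER bytes standing in for a self-signed cert"
    pin = fingerprint_sha256(fake_der)
    print("pinned fingerprint:", pin)
    print("matches own cert:", pin_matches(fake_der, pin))
    print("matches other cert:", pin_matches(fake_der + b"x", pin))
    # connect_with_pin("media-server.example", 52200, pin)  # needs a live server
```

The pin is taken over the DER encoding rather than the public key alone, so replacing the certificate (even with the same key) changes the fingerprint and the client must be given the new value, which is the trade-off the "update the certificate from a script" idea above would have to account for.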
Awesome Donkey:
Are you using OpenSSL for this? TLSv1.3 is coming soon (though still in a working draft and is only available if building from the OpenSSL Git) but I wouldn't rush to support it yet. Firefox has support for draft 18 enabled by default and Chrome did too until users started noticing issues with it enabled so they disabled it. :P
This is a VERY important feature indeed. :D
Hendrik:
We're using GnuTLS. We scored an "A-" on SSL Labs SSL Server Test, mostly because of some older ciphers that are still enabled for compatibility.
Awesome Donkey:
Oh, nice! This *should* allow for cross-platform support too. :D