SSL Certificates & Xibo

Hello,
I’ve been using Xibo now for several years; excepting a few issues resulting from my inexperience, all has gone quite well.

I’m now adding SSL to both my main domain, and the subdomain where my CMS resides.
I searched the forums and the manuals on using Xibo with SSL but wasn’t able to locate much apart from short entries of different people resolving minor issues.

Is there a guide or segment of content regarding SSL and the preparations I’ll need to make on CMS and the clients? If so, could someone spare a moment and direct me to that link? If not, are there pointers or areas of interest anyone would be willing to share with me to help me avoid “common mistakes”?

Thanks!
-Eric

There really isn’t anything much to do Xibo side.

Your webserver handles the SSL, and tells Xibo that SSL is in use.

Ideally, you don’t want the webserver to hard redirect from non-SSL to SSL, as Xibo can handle that for you (there’s a setting for requiring SSL).

If you’re using a reverse proxy, make sure it’s passing through the Host header, the X-Forwarded-Proto header set to https when SSL is in use, and the standard X-Forwarded-For headers.

Hello Alex,

Thank you. No, nothing as complex as proxies and the like. I have a very clean, straightforward setup. If there is nothing on the clients (Android or Windows) I need to be concerned with, and only the setting for SSL on the CMS, which I have seen… then it sounds like I should be in great shape.

This is great news to hear - I won’t have to travel and update anything on my clients!

Thank you for your time.

If you want to switch the clients over to using HTTPS then you will need to change the URL in the Player settings to do that.

You can’t use a redirect on the server because POST requests can’t be redirected.

Hello Alex,

I have set my client to the CMS https://mycmsserver.acme.com (example), am running Xibo 2.0.3, and am getting the following error when I attempt to connect to the CMS server:
Method: XmdsBase.Message: E = class.javax.net.ssl.SSL.HandshakeException/java.security.cert.CertPathValidatorException: Trust anchor for certification path not found… Method: onHandleIntent. Message: Network status is connected, cannot reach XMDS

This is a Viewsonic 5520T device and we recently installed a company SSL certificate on our CMS server. The client devices that are not connecting are Viewsonic 5520T. Any guidance would be appreciated. Thank you.

Bill

It means your Android device doesn’t trust the certificate you’ve bought.

First check you’ve correctly installed the intermediate certificate bundle your certificate vendor provided you as well as the main certificate.

If you did, then it would seem that the device doesn’t support certificates from that vendor. You can ask them about their certificates’ support for Android devices (which will be specific to the Android version you’re running).

Bottom line is, there’s nothing to configure in the Player or the Android device really - it’s all down to how you set the webserver up.
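To see why a missing intermediate bundle produces exactly this kind of trust error, here is an added example (not from this thread and not Xibo project code) that builds a throwaway root → intermediate → leaf chain with openssl and verifies the leaf the way a client would: with only the root trusted, and only what the server sends alongside the leaf available to link them. The CA names and the hostname xibo.example.test are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the Xibo thread, nor Xibo project code): build a
# throwaway root -> intermediate -> leaf chain with openssl, then show that the
# leaf verifies only when the intermediate is presented alongside it. This is
# the server-side mistake behind "Trust anchor for certification path not found"
# when the webserver serves the leaf certificate without the vendor's bundle.
# The CA names and the hostname xibo.example.test are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# X.509 v3 extensions for CA certificates (an intermediate must be CA:TRUE and
# allowed to sign certificates, or verification rejects it as an issuer).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
# Extensions for the server (leaf) certificate.
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"

# Create a private key and CSR for the given file stem ($1) and subject CN ($2).
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

make_chain() {
  # Self-signed root CA: the "trust anchor" the client already has installed.
  new_csr root "Demo Root CA"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1
  # Intermediate CA, signed by the root (what the vendor's "bundle" contains).
  new_csr int "Demo Intermediate CA"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" >/dev/null 2>&1
  # Server certificate for the CMS host, signed by the intermediate.
  new_csr leaf "xibo.example.test"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# Verify the leaf the way a client does: the root is trusted, and whatever the
# server sent alongside the leaf ($1, may be empty) is only "untrusted" chain
# material that has to link the leaf back to that root.
verify_leaf() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$WORK/leaf.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
  fi
}

# "ok" or "fail": what the client sees when the server sends only its own cert.
leaf_only_result()         { verify_leaf "" && echo ok || echo fail; }
# "ok" or "fail": what the client sees when the intermediate is served as well.
with_intermediate_result() { verify_leaf "$WORK/int.crt" && echo ok || echo fail; }

make_chain
echo "leaf only:           $(leaf_only_result)"         # prints: fail
echo "leaf + intermediate: $(with_intermediate_result)" # prints: ok
```

The "leaf only" case is the one a player reports as a missing trust anchor: the device has the root, but nothing on the wire connects the server's certificate to it. To check what your own webserver actually sends, run `openssl s_client -connect yourhost:443 -servername yourhost -showcerts` from another machine and confirm the intermediate appears after the leaf; on Apache 2.4.8 and later the intermediates can simply be appended to the file named in SSLCertificateFile.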

Dear Alex,

I had this problem: In my players (Android TV 5.1.1), I wrote https://xibo.mydomain.com in “CMS address”. Sometimes, I must click many times on “connect to the CMS” to get the connection, sometimes it doesn’t work at all (connection refused). But when I write http://xibo.mydomain.com in “CMS address”, the first try works immediately!

I’ve watched the log and activated the debug mode.
So, when I try to connect with the https address and get no success, I have this log information:

2019-05-29 17:20:13 Access 86.245.235.109 200 GET /index.php?p=clock&q=GetClock&ajax=true&_=1559142130310 HTTP/1.0 https://xibo.mydomain.com/index.php?p=display& Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 893 Accès SSL/TLS Apache
2019-05-29 17:20:13 Access 86.245.235.109 200 GET /index.php?p=index&q=PingPong&ajax=true&_=1559142130311 HTTP/1.0 https://xibo.mydomain.com/index.php?p=display& Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 855 Accès SSL/TLS Apache

But when I change https to http in my Xibo player CMS address, it connects immediately. Then I get these logs:

2019-05-29 17:20:41 Access 86.245.235.109 200 GET /xmds.php?what HTTP/1.0 okhttp/3.6.0 287 Accès Apache
2019-05-29 17:20:42 Access 86.245.235.109 200 POST /xmds.php?v=4 HTTP/1.0 ksoap2-android/2.6.0+ 1.12 K Accès Apache

In the Xibo Report fault wizard, I get:

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
RemoteAddress: 86.245.235.109
Session Data
pagename|s:5:"fault";token|s:32:"db4bb5bacb948a669fa7b6ba6d628756";token_timeout|i:1559143683;message|s:0:"";username|s:10:"superadmin";usertype|s:1:"1";content|a:9:{s:11:"filter_type";s:0:"";s:11:"filter_name";s:0:"";s:8:"filterId";i:0;s:12:"filter_owner";i:0;s:14:"filter_retired";i:0;s:26:"filter_duration_in_seconds";i:0;s:20:"filter_showThumbnail";i:0;s:8:"showTags";i:0;s:6:"Filter";i:0;}layout|a:9:{s:13:"filter_layout";s:0:"";s:13:"filter_userid";i:0;s:14:"filter_retired";i:0;s:20:"filterLayoutStatusId";s:1:"1";s:17:"showDescriptionId";s:1:"2";s:8:"showTags";i:0;s:13:"showThumbnail";i:1;s:11:"filter_tags";s:0:"";s:12:"LayoutFilter";i:0;}gridToken|s:32:"cf66cb5120519fbb55d40bc5f11cb0c3";gridToken_timeout|i:1559142133;timeLineView|s:4:"list";display|a:7:{s:14:"filter_display";s:0:"";s:16:"filterMacAddress";s:0:"";s:19:"filter_displaygroup";i:0;s:15:"filter_showView";i:0;s:13:"filterVersion";s:0:"";s:18:"filter_autoRefresh";i:0;s:13:"DisplayFilter";i:0;}userid|s:1:"1";

UserAgent: Microsoft Office Excel 2014

RemoteAddress: 86.245.235.109
Session Data
pagename|s:5:"index";token|s:32:"e2aabd79ccbb0529389c56f45f6b48a4";token_timeout|i:1554303736;message|s:0:"";

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0

RemoteAddress: 86.245.235.109
Session Data
pagename|s:5:"index";token|s:32:"68346062438063b9504f16f5462de471";token_timeout|i:1553621158;message|s:0:"";

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36

RemoteAddress: 86.245.235.109
Session Data
pagename|s:5:"index";token_timeout|i:1555691150;message|s:0:"";usertype|s:1:"1";content|a:9:{s:11:"filter_type";s:0:"";s:11:"filter_name";s:0:"";s:8:"filterId";i:0;s:12:"filter_owner";i:0;s:14:"filter_retired";i:0;s:26:"filter_duration_in_seconds";i:0;s:20:"filter_showThumbnail";i:0;s:8:"showTags";i:0;s:6:"Filter";i:0;}display|a:7:{s:14:"filter_display";s:0:"";s:16:"filterMacAddress";s:0:"";s:19:"filter_displaygroup";i:0;s:15:"filter_showView";i:0;s:13:"filterVersion";s:0:"";s:18:"filter_autoRefresh";i:0;s:13:"DisplayFilter";i:0;}gridToken|s:32:"315f4f639a8b4103f66abd387cce36cc";gridToken_timeout|i:1555689483;layout|a:9:{s:13:"filter_layout";s:0:"";s:13:"filter_userid";i:0;s:14:"filter_retired";i:0;s:20:"filterLayoutStatusId";s:1:"1";s:17:"showDescriptionId";s:1:"2";s:8:"showTags";i:0;s:13:"showThumbnail";i:1;s:11:"filter_tags";s:0:"";s:12:"LayoutFilter";i:0;}timeLineView|s:4:"list";template|a:3:{s:11:"filter_name";s:0:"";s:11:"filter_tags";s:0:"";s:6:"Filter";i:0;}DisplayGroupIDs|a:0:{}user_admin|a:4:{s:15:"filter_username";s:0:"";s:17:"filter_usertypeid";i:0;s:13:"filterRetired";i:0;s:6:"Filter";i:0;}token|s:32:"18286ecb4601bfe9208b2776ceb7e529";usergroup|a:2:{s:6:"Filter";i:0;s:11:"filter_name";s:0:"";}mediamanager|a:5:{s:18:"filter_layout_name";s:0:"";s:18:"filter_region_name";s:0:"";s:17:"filter_media_name";s:0:"";s:11:"filter_type";i:0;s:6:"Filter";i:0;}ErrorMessage|s:47:"You do not have permission to access this page.";userid|s:1:"1";username|s:10:"superadmin";

It is weird because, with other Xibo player with https://xibo.mydomain.com in CMS Address, for most of them, there is no connection problem…

2019-05-29 17:47:57 Access 193.248.32.15 200 POST /xmds.php?v=4 HTTP/1.0 ksoap2-android/2.6.0+ 2.03 K Accès SSL/TLS Apache
2019-05-29 17:48:07 Access 193.248.32.15 200 GET /xmds.php?what HTTP/1.0 okhttp/3.6.0 458 Accès SSL/TLS Apache

For information, there is no 301 redir between http://xibo.mydomain.com and https://xibo.mydomain.com.

So, what is the problem with my https CMS connection? Do I have to do something in my Xibo CMS? On my webserver? Please help.

Best regards.

Boris

Connection refused comes from your webserver. You’d need to look at its logs to see why it’s rejecting the connection.

Checking your SSL setup with SSL labs is also a good idea as it will catch broken SSL setups.

Thanks Alex.

But I get an “A” on the SSL Labs test.

Can you explain to me why I got, when the CMS does not connect in HTTPS, “2019-05-29 17:20:13 Access 86.245.235.109 200 GET /index.php?p=clock&q=GetClock&ajax=true&_=1559142130310 HTTP/1.0 https://xibo.mydomain.com/index.php?p=display& Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 893 Accès SSL/TLS Apache” vs, when it connects on HTTP, “2019-05-29 17:20:41 Access 86.245.235.109 200 GET /xmds.php?what HTTP/1.0 okhttp/3.6.0 287 Accès Apache”?

Best regards.

The log line isn’t from a Player. That’s the clock in the CMS UI updating itself, and then someone clicking on the Displays page.

SSL Labs will give you a grade based on accessing that URL with a modern browser. Android 5 dates from 2014, so you’ll need to check the connection simulations SSL Labs does to see what it says for Android 5 devices. You may well need to make changes to the cipher preferences you have set up.

Fundamentally though, the webserver handles everything to do with SSL. The CMS plays no part in it. If it works over http, and not over https, the issue is with your webserver and not with Xibo.

One thing you might try here (this has worked for me in the past when connecting a mail application on my Android phone to a mail server which is behind an SSL web server) is to connect from the Android device to your CMS machine with a web browser, going to the https address.

When you do that from a web browser, you may - if you are lucky - be interactively prompted whether to trust the certificate that server provides, and if you are prompted, the Android device may cache that decision at the operating system level, which would probably solve your problem here.

In the case of my email client, there was no way for it to provide me with that question interactively on a mail retrieval, but doing it from a web browser got me the question, to which I could say yes, and that cached the certificate on that Android device, at which point the mail client could then receive mail. Worth a try.

Thanks Baylink. So, I just open a web browser, go to my CMS address (https://xibo.mydomainname.com) and that’s all?

Alex, here are the cipher suites configured on my server. Something wrong?
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
| TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
| TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A

Thanks.

If this approach is going to solve the problem, then yes, that should be all.

  1. Open browser on device
  2. Navigate to https version of the CMS login page
  3. Browser says “Hey! Waitaminnit! Should I trust this self-signed certificate??”
  4. Say yes

Then try your previously failing process.

As I mentioned before, you need to go into SSL Labs and look at the connection simulations. It will show you which versions of Android will be able to connect and which won’t. I suspect your cipher suites are too new for the Android version you have.

Xibo for Android won’t connect to a server with a certificate it doesn’t trust under any circumstances. The certificate must be properly trusted - but that isn’t the issue here.
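The cipher-suite listing posted above and Alex's advice to check the SSL Labs handshake simulations both come down to the same question: which protocol versions and suites is the webserver offering, and which of them are worth keeping? The following is an added example (not from this thread and not a Xibo or nmap tool) that audits an `nmap --script ssl-enum-ciphers` listing in the same format as the one posted, tagging each suite with the protocol section it appears under, and then counts legacy protocol versions, suites without forward secrecy (static RSA key exchange) and CBC-mode suites. The input is a constructed excerpt of the posted listing; the categories and thresholds are this script's own, not anything the thread or SSL Labs defines.

```shell
#!/bin/sh
# Added example (not from the Xibo thread; not part of nmap or Xibo): audit an
# nmap ssl-enum-ciphers listing for legacy protocol versions and cipher suites
# that lack forward secrecy or use CBC mode. The classification rules below are
# this script's own choices for a hardening review.
set -eu

# Constructed input: an excerpt of the listing posted in the thread, same layout
# nmap prints (protocol sections, each with a "ciphers:" list).
SCAN_OUTPUT='443/tcp open https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A'

# Emit "<protocol><TAB><suite>" for every suite line, remembering which
# protocol section (e.g. "TLSv1.0:") the line sits under.
suite_table() {
  printf '%s\n' "$SCAN_OUTPUT" | awk '
    $2 ~ /^(SSLv|TLSv)[0-9.]+:$/ { proto = $2; sub(/:$/, "", proto); next }
    $2 ~ /^TLS_/                 { print proto "\t" $2 }
  '
}

# Suites offered under one protocol version, e.g. suites_for TLSv1.2
suites_for() {
  suite_table | awk -F '\t' -v p="$1" '$1 == p { print $2 }'
}

# Legacy versions still enabled: SSLv2/SSLv3/TLS 1.0/TLS 1.1. Modern clients
# never need them; dropping them is the first hardening step, but check the
# SSL Labs client simulations for your oldest player first.
count_legacy_protocols() {
  suite_table | cut -f1 | sort -u | grep -c -E '^(SSLv2|SSLv3|TLSv1\.0|TLSv1\.1)$' || true
}

# Suites whose key exchange is static RSA (no ECDHE/DHE prefix): a future
# compromise of the server key exposes every recorded session.
count_non_pfs_suites() {
  suite_table | cut -f2 | sort -u | grep -v -c -E '^TLS_(ECDHE|DHE)_' || true
}

# CBC-mode suites: not broken per se, but GCM/CCM/ChaCha20 are preferable and
# every modern Android release negotiates them.
count_cbc_suites() {
  suite_table | cut -f2 | sort -u | grep -c '_CBC_' || true
}

report() {
  echo "legacy protocol versions enabled: $(count_legacy_protocols)"   # 2
  echo "suites without forward secrecy:   $(count_non_pfs_suites)"     # 4
  echo "CBC-mode suites:                  $(count_cbc_suites)"         # 4
  echo "suites offered on TLSv1.2:"
  suites_for TLSv1.2 | sed 's/^/  /'
}

report
```

Point it at a real scan by replacing SCAN_OUTPUT with `nmap --script ssl-enum-ciphers -p 443 yourhost` output. The counts tell you what to tighten in Apache's SSLProtocol and SSLCipherSuite directives; before removing anything, do what Alex suggests and read the SSL Labs handshake simulation for the Android version your players run, since that is what decides whether a leaner configuration will still let them connect.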