Merge pull request #688 from croneter/enforce_ssl

Never ignore SSL certificate errors for Kodi >= 18 - just like Kodi

resources/lib/app/connection.py

@@ -3,7 +3,7 @@
 from __future__ import absolute_import, division, unicode_literals
 from logging import getLogger
 
-from .. import utils, json_rpc as js
+from .. import utils, json_rpc as js, variables as v
 
 LOG = getLogger('PLEX.connection')
 
@@ -38,7 +38,9 @@ class Connection(object):
     def load(self):
         LOG.debug('Loading connection settings')
         # Shall we verify SSL certificates? "None" will leave SSL enabled
-        self.verify_ssl_cert = None if utils.settings('sslverify') == 'true' \
+        # Ignore this setting for Kodi >= 18 as Kodi 18 is much stricter
+        # with checking SSL certs
+        self.verify_ssl_cert = None if v.KODIVERSION >= 18 or utils.settings('sslverify') == 'true' \
             else False
         # Do we have an ssl certificate for PKC we need to use?
         self.ssl_cert_path = utils.settings('sslcert') \
@@ -61,7 +63,7 @@ class Connection(object):
                   self.server_name, self.machine_identifier, self.server)
 
     def load_entrypoint(self):
-        self.verify_ssl_cert = None if utils.settings('sslverify') == 'true' \
+        self.verify_ssl_cert = None if v.KODIVERSION >= 18 or utils.settings('sslverify') == 'true' \
             else False
         self.ssl_cert_path = utils.settings('sslcert') \
             if utils.settings('sslcert') != 'None' else None

resources/lib/downloadutils.py

@@ -40,16 +40,12 @@ class DownloadUtils():
     def __init__(self):
         self.__dict__ = self._shared_state
 
-    def setSSL(self, verifySSL=None, certificate=None):
+    def setSSL(self):
         """
-        verifySSL must be 'true' to enable certificate validation
-
         certificate must be path to certificate or 'None'
         """
-        if verifySSL is None:
+        verifySSL = app.CONN.verify_ssl_cert
-            verifySSL = app.CONN.verify_ssl_cert
+        certificate = app.CONN.ssl_cert_path
-        if certificate is None:
-            certificate = app.CONN.ssl_cert_path
         # Set the session's parameters
         self.s.verify = verifySSL
         if certificate:

resources/lib/initialsetup.py

@@ -212,7 +212,8 @@ class InitialSetup(object):
         not set before
         """
         answer = True
-        chk = PF.check_connection(app.CONN.server, verifySSL=False)
+        chk = PF.check_connection(app.CONN.server,
+                                  verifySSL=True if v.KODIVERSION >= 18 else False)
         if chk is False:
             LOG.warn('Could not reach PMS %s', app.CONN.server)
             answer = False
@@ -245,8 +246,8 @@ class InitialSetup(object):
         if server['local']:
             url = ('%s://%s:%s'
                    % (server['scheme'], server['ip'], server['port']))
-            # Deactive SSL verification if the server is local!
+            # Deactive SSL verification if the server is local for Kodi 17
-            verifySSL = False
+            verifySSL = True if v.KODIVERSION >= 18 else False
         else:
             url = server['baseURL']
             verifySSL = True

resources/lib/plex_functions.py

@@ -131,7 +131,11 @@ def check_connection(url, token=None, verifySSL=None):
     if token is not None:
         header_options = {'X-Plex-Token': token}
     if verifySSL is True:
-        verifySSL = None if utils.settings('sslverify') == 'true' else False
+        if v.KODIVERSION >= 18:
+            # Always verify with Kodi >= 18
+            verifySSL = True
+        else:
+            verifySSL = True if utils.settings('sslverify') == 'true' else False
     if 'plex.tv' in url:
         url = 'https://plex.tv/api/home/users'
     LOG.debug("Checking connection to server %s with verifySSL=%s",
@@ -424,7 +428,7 @@ def _poke_pms(pms, queue):
     xml = DU().downloadUrl('%s/identity' % url,
                            authenticate=False,
                            headerOptions={'X-Plex-Token': pms['token']},
-                           verifySSL=False,
+                           verifySSL=True if v.KODIVERSION >= 18 else False,
                            timeout=10)
     try:
         xml.attrib['machineIdentifier']
@@ -804,14 +808,14 @@ def _pms_https_enabled(url):
     """
     res = DU().downloadUrl('https://%s/identity' % url,
                            authenticate=False,
-                           verifySSL=False)
+                           verifySSL=True if v.KODIVERSION >= 18 else False)
     try:
         res.attrib
     except AttributeError:
         # Might have SSL deactivated. Try with http
         res = DU().downloadUrl('http://%s/identity' % url,
                                authenticate=False,
-                               verifySSL=False)
+                               verifySSL=True if v.KODIVERSION >= 18 else False)
         try:
             res.attrib
         except AttributeError:
@@ -833,7 +837,7 @@ def GetMachineIdentifier(url):
     """
     xml = DU().downloadUrl('%s/identity' % url,
                            authenticate=False,
-                           verifySSL=False,
+                           verifySSL=True if v.KODIVERSION >= 18 else False,
                            timeout=10,
                            reraise=True)
     try:
@@ -958,7 +962,7 @@ def get_PMS_settings(url, token):
     return DU().downloadUrl(
         '%s/:/prefs' % url,
         authenticate=False,
-        verifySSL=False,
+        verifySSL=True if v.KODIVERSION >= 18 else False,
         headerOptions={'X-Plex-Token': token} if token else None)
 
 

resources/lib/service_entry.py

@@ -481,7 +481,7 @@ class Service():
                         PF.check_connection,
                         self.on_connection_check,
                         server,
-                        verifySSL=True)
+                        verifySSL=app.CONN.verify_ssl_cert)
                     backgroundthread.BGThreader.addTasksToFront([task])
                     continue
             elif not app.ACCOUNT.authenticated: