
SSL/HTTPS custom certificate authority


Talkabout

Hi all,

I have started to use Emby as a replacement for multiple Kodi installations (FireTV, Android). Everything works fine except one thing: I am not able to convince my FireTVs to connect to the Emby Server (installed on a Synology NAS) via https. I have already read a lot of posts about this, but most of them are dealing with Let's Encrypt. In my case the situation looks a little bit different. I have my own certificate authority where I am managing certificates for all my devices (Windows, Mac, Linux). I have created a custom DNS name for my Emby Server and am accessing it via a reverse proxy, with a certificate signed by my certificate authority. Access works fine via browser (secure connection), but FireTV tells me "Could not connect to server". I am assuming this is because of the CA, as via http it works completely fine. Now I have dug a little bit into that topic and also installed my CA on my FireTV stick. Unfortunately this is not sufficient, as stated here:

Network Proxy (Developer Tools on Fire TV) | Amazon Fire TV

It seems that with Android it is required to tell the app explicitly that it needs to allow user-defined certificate authorities. I am aware that this seems to be not an optimal solution, as it is considered to be for debugging, but the question is if it is really better to connect via http (unsecured) instead?

Wanted to ask if there is any chance that using custom CAs will be possible in the future with the Emby apps for Android?

Thanks!

Bye

  • Like 1
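
The explicit opt-in described in the post above corresponds to Android's Network Security Configuration, where an app targeting API level 24 or higher trusts only system CAs unless it declares otherwise. The file below is an added example, not part of the original thread and not Emby's own configuration; the hostname `emby.home.example` is a constructed placeholder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml via
     <application android:networkSecurityConfig="@xml/network_security_config"> -->
<network-security-config>

    <!-- Default for every other host: only CAs from the system store are trusted. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Scoped opt-in: CAs installed in the device's user store are trusted
         for this one host only. emby.home.example is a constructed placeholder. -->
    <domain-config>
        <domain includeSubdomains="false">emby.home.example</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </domain-config>

    <!-- The debugging variant: honoured only when the app is built with
         android:debuggable="true", so it has no effect in a release build. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

A client that connects to whatever server address the user types in cannot list its hosts in a `domain-config`, so it would have to place the `user` entry in `base-config`, which extends trust in user-installed CAs to every TLS connection the app makes.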

Talkabout

Thanks for the hint. I can see that there is a change log entry with "handle untrusted certs", which is great! Any information when this change will hit the release version?


rbjtech
On 18/11/2021 at 18:49, Talkabout said:

..  but the question is if it is really better to connect via http (unsecured) instead?

If it's on your own internal LAN - then while I admire your rationale to use https over http, what is the layer of data encryption/TLS really giving you between the devices? If you or anybody else already has access to the local end points, then it is likely those that are the 'weak' points. Is all your storage encrypted at rest, for example?

https is essential outside of any devices/transport you do not directly control, but internally, I'm still of the view that using it is more grief vs the risk of not using it - I'm sure others will disagree haha.


Talkabout

@rbjtech

These days encryption is becoming more and more important and I decided to use it also internally in my LAN wherever possible. Most likely, as you said, it is not required as it does not give me more security in a sense that I need to protect things, but it simply gives me a better feeling of having a more secure infrastructure and device communication in general :). Who knows what the future brings :)

  • Like 2