digiserver-v2/old_code_documentation/player_analisis/KIWY_PLAYER_ANALYSIS_INDEX.md

Kiwy-Signage Player HTTPS/SSL Analysis - Complete Documentation

Overview

This documentation provides a comprehensive analysis of how the Kiwy-Signage player (https://gitea.moto-adv.com/ske087/Kiwy-Signage.git) handles HTTPS connections and SSL certificate verification, along with implementation guides for adding self-signed certificate support.

Analysis Date: January 16, 2026
Player Version: Latest from repository
Server Compatibility: DigiServer v2

---

Key Findings

Current State

• ✅ HTTPS Support: Yes, fully functional for CA-signed certificates
• ❌ Self-Signed Certificates: NOT supported without code modifications
• ❌ Custom CA Bundles: NOT supported without code modifications
• ✅ SSL Verification: Enabled by default (uses requests library defaults)
• ⚠️ Hardcoded Settings: None (relies entirely on requests library)

Architecture

• HTTP Client: Python requests library (v2.32.4)
• HTTPS Requests: 6 locations in 2 main files
• Certificate Verification: Implicit verify=True (default behavior)
• Configuration: Via config/app_config.json (no SSL options currently)

---

Documentation Files

1. 📋 KIWY_PLAYER_HTTPS_ANALYSIS.md

Main technical analysis document - Start here for comprehensive understanding

Contents:

• Executive summary
• HTTP client library details
• Main connection files and locations
• HTTPS connection architecture
• Certificate verification code analysis
• Current SSL/certificate behavior
• Required changes for self-signed support
• Testing instructions
• Summary tables and references

Read this if you need: Full technical details, code references, line numbers

---

2. ⚡ KIWY_PLAYER_HTTPS_QUICK_REF.md

Quick reference guide - Use this for quick lookups and summaries

Contents:

• Quick facts and key statistics
• Where HTTPS requests are made (code locations)
• What gets sent over HTTPS (data flow)
• The problem with self-signed certificates
• How to enable self-signed certificate support
• Configuration files overview
• Network flow diagrams
• SSL error troubleshooting
• Testing instructions

Read this if you need: Quick answers, quick start, troubleshooting

---

3. 🔧 KIWY_PLAYER_SSL_PATCHES.md

Implementation guide with exact code patches - Use this to implement the changes

Contents:

• Complete PATCH 1: Create ssl_config.py (NEW FILE)
• Complete PATCH 2: Modify src/player_auth.py (7 changes)
• Complete PATCH 3: Modify src/get_playlists_v2.py (2 changes)
• PATCH 4: Extract server certificate
• PATCH 5: Using environment variables
• Testing procedures after patches
• Implementation checklist
• Rollback instructions

Read this if you need: To implement self-signed certificate support

---

4. 📐 KIWY_PLAYER_ARCHITECTURE_DIAGRAM.md

Visual architecture and flow diagrams - Use this to understand the system visually

Contents:

• Current architecture before patches (with ASCII diagrams)
• New architecture after patches
• Certificate resolution flow
• File structure before/after
• Deployment scenarios (production, self-signed, dev)
• Request flow sequence diagram
• Error handling flow
• Security comparison table

Read this if you need: Visual understanding, deployment planning

---

Quick Navigation

I want to...

Understand how the player works: → Read KIWY_PLAYER_HTTPS_ANALYSIS.md Section 3

Find where HTTPS requests happen: → Read KIWY_PLAYER_HTTPS_QUICK_REF.md "Where HTTPS Requests Are Made"

Implement self-signed cert support: → Follow KIWY_PLAYER_SSL_PATCHES.md step by step

See a visual diagram: → Read KIWY_PLAYER_ARCHITECTURE_DIAGRAM.md

Understand the problem: → Read KIWY_PLAYER_HTTPS_QUICK_REF.md "The Problem with Self-Signed Certificates"

Check specific code lines: → Read KIWY_PLAYER_HTTPS_ANALYSIS.md Section 3 "All HTTPS Request Points"

See the recommended solution: → Read KIWY_PLAYER_HTTPS_ANALYSIS.md Section 6 "Option 2: Custom CA Certificate Bundle"

---

Implementation Path

For Production Deployment (Recommended)

1. Review the analysis

   • Read KIWY_PLAYER_HTTPS_ANALYSIS.md sections 1-5
   • Understand current limitations and proposed solution

2. Plan the implementation

   • Review KIWY_PLAYER_ARCHITECTURE_DIAGRAM.md deployment scenarios
   • Decide on environment-specific configurations

3. Implement patches

   • Follow KIWY_PLAYER_SSL_PATCHES.md
   • Create src/ssl_config.py
   • Modify src/player_auth.py (7 changes)
   • Modify src/get_playlists_v2.py (2 changes)

4. Deploy certificates

   • Export certificate from DigiServer
   • Place in config/ca_bundle.crt
   • Verify using KIWY_PLAYER_SSL_PATCHES.md Test section

5. Test thoroughly

   • Test with self-signed server
   • Test with production server (verify backward compatibility)
   • Monitor player logs for SSL errors

6. Document

   • Update player README with SSL certificate setup instructions
   • Document certificate rotation procedures

For Quick Testing (Development)

1. Review KIWY_PLAYER_HTTPS_QUICK_REF.md "Quickest Fix"
2. Use SSLConfig.disable_verification() temporarily
3. ⚠️ Never use in production

---

File Summary

File	Purpose	Length	Best For
KIWY_PLAYER_HTTPS_ANALYSIS.md	Main technical document	~400 lines	Complete understanding
KIWY_PLAYER_HTTPS_QUICK_REF.md	Quick reference	~300 lines	Quick lookups
KIWY_PLAYER_SSL_PATCHES.md	Implementation guide	~350 lines	Applying changes
KIWY_PLAYER_ARCHITECTURE_DIAGRAM.md	Visual diagrams	~400 lines	Visual learning

---

Key Statistics

Current Implementation

• HTTP Client Library: requests v2.32.4
• HTTPS Request Locations: 6 (5 in player_auth.py, 1 in get_playlists_v2.py)
• Lines With Certificate Handling: 0 (all use implicit defaults)
• SSL Configuration Options: 0 (all use system defaults)
• Custom CA Support: ❌ Not implemented

After Patches

• New Files: 1 (ssl_config.py)
• Modified Files: 2 (player_auth.py, get_playlists_v2.py)
• Code Lines Added: ~60 (new module)
• Code Lines Modified: ~8 (in existing modules)
• New Dependencies: 0 (uses existing requests library)
• Breaking Changes: 0 (fully backward compatible)

Code Locations

src/player_auth.py:

• Line 95: requests.post(auth_url, ...)
• Line 157: requests.post(verify_url, ...)
• Line 178: requests.get(playlist_url, ...)
• Line 227: requests.post(heartbeat_url, ...)
• Line 254: requests.post(feedback_url, ...)

src/get_playlists_v2.py:

• Line 159: requests.get(file_url, ...)

---

Configuration

Current Configuration (No SSL Options)

File: config/app_config.json

{
  "server_ip": "digi-signage.moto-adv.com",
  "port": "443",
  "screen_name": "tv-terasa",
  "quickconnect_key": "8887779",
  "orientation": "Landscape",
  "touch": "True",
  "max_resolution": "1920x1080",
  "edit_feature_enabled": true
}

After Patches - New Files

New: config/ca_bundle.crt (Certificate file)

-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAJC1/iNAZwqDMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
... (certificate content)
-----END CERTIFICATE-----

New: src/ssl_config.py (Module for SSL configuration)

---

Architecture Overview

Before Patches

Player Application
  ├─ main.py (GUI)
  ├─ player_auth.py (Auth)
  └─ get_playlists_v2.py (Playlists)
        │
        ├─ requests.post/get(..., timeout=30)
        │  └─ Uses default: verify=True
        │     └─ Only works with CA-signed certs
        │
        └─ Python requests library
           └─ System CA certificates
              ├─ Production certs: ✅ Works
              └─ Self-signed certs: ❌ Fails

After Patches

Player Application
  ├─ main.py (GUI)
  ├─ player_auth.py (Auth) [MODIFIED]
  ├─ get_playlists_v2.py (Playlists) [MODIFIED]
  └─ ssl_config.py [NEW]
        │
        ├─ requests.post/get(..., verify=ca_bundle)
        │  └─ Uses SSLConfig.get_verify_setting()
        │     └─ Works with multiple cert types
        │
        └─ Python requests library
           ├─ Custom CA: 'config/ca_bundle.crt'
           ├─ Env var: REQUESTS_CA_BUNDLE
           ├─ System certs: True
           │
           ├─ Production certs: ✅ Works
           ├─ Self-signed certs: ✅ Works (with ca_bundle.crt)
           └─ Custom CA: ✅ Works (with env var)

---

Security Considerations

Current Implementation ✅

• ✅ SSL certificate verification enabled
• ✅ Works securely with CA-signed certificates
• ✅ No hardcoded insecure defaults
• ✅ Uses Python best practices

Self-Signed Support (After Patches) ✅

• ✅ Maintains security with custom CA verification
• ✅ No downgrade to insecure verify=False
• ✅ Backward compatible with production
• ✅ Supports environment-specific configurations

NOT Recommended

• ❌ Using verify=False in production
• ❌ Disabling SSL verification permanently
• ❌ Ignoring certificate errors
• ❌ Man-in-the-middle attack risks

---

Troubleshooting

Common Issues

Problem: "certificate verify failed" Solution: See KIWY_PLAYER_HTTPS_QUICK_REF.md "SSL Error Troubleshooting"

Problem: Player won't connect to DigiServer Solution: See KIWY_PLAYER_HTTPS_ANALYSIS.md Section 5

Problem: Not sure if patches are applied correctly Solution: See KIWY_PLAYER_SSL_PATCHES.md "Testing After Patches"

Problem: Need to rollback changes Solution: See KIWY_PLAYER_SSL_PATCHES.md "Rollback Instructions"

---

References

Source Repository

• URL: https://gitea.moto-adv.com/ske087/Kiwy-Signage.git
• Main Files:
  • src/player_auth.py - Authentication and API communication
  • src/get_playlists_v2.py - Playlist management
  • src/main.py - GUI application
  • config/app_config.json - Configuration

Python Libraries Used

• requests v2.32.4 - HTTP client with SSL support
• kivy ≥2.3.0 - GUI framework
• aiohttp v3.9.1 - Async HTTP (not used for auth)

Related Documentation

• Python requests SSL verification
• OpenSSL certificate export
• Requests CA bundle documentation

---

Changelog

2026-01-16 - Initial Analysis

• Complete HTTPS analysis of Kiwy-Signage player
• Identified 6 locations making HTTPS requests
• Documented lack of self-signed certificate support
• Created 4 comprehensive documentation files
• Provided ready-to-apply code patches
• Created visual architecture diagrams

---

Support and Questions

If you have questions about:

• How HTTPS works in the player: See KIWY_PLAYER_HTTPS_ANALYSIS.md
• How to implement changes: See KIWY_PLAYER_SSL_PATCHES.md
• Specific code locations: See KIWY_PLAYER_HTTPS_QUICK_REF.md
• Visual understanding: See KIWY_PLAYER_ARCHITECTURE_DIAGRAM.md

---

Document Status

Document	Status	Last Updated	Completeness
KIWY_PLAYER_HTTPS_ANALYSIS.md	✅ Complete	2026-01-16	100%
KIWY_PLAYER_HTTPS_QUICK_REF.md	✅ Complete	2026-01-16	100%
KIWY_PLAYER_SSL_PATCHES.md	✅ Complete	2026-01-16	100%
KIWY_PLAYER_ARCHITECTURE_DIAGRAM.md	✅ Complete	2026-01-16	100%

---

Next Steps

1. Read the main analysis: Start with KIWY_PLAYER_HTTPS_ANALYSIS.md
2. Review your requirements: Decide if you need self-signed certificate support
3. Plan implementation: Use KIWY_PLAYER_ARCHITECTURE_DIAGRAM.md for deployment scenarios
4. Apply patches: Follow KIWY_PLAYER_SSL_PATCHES.md step by step
5. Test thoroughly: Verify with both production and self-signed servers
6. Deploy: Roll out to player devices and monitor logs

---

Created: January 16, 2026
For: DigiServer v2 Integration
Repository: https://gitea.moto-adv.com/ske087/Kiwy-Signage.git