ske087/digiserver-v2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f2470e27ec04dd084decffae714c63a44cda17a7
digiserver-v2/old_code_documentation/player_analisis/KIWY_PLAYER_ANALYSIS_INDEX.md

13 KiB
Raw Blame History

Kiwy-Signage Player HTTPS/SSL Analysis - Complete Documentation

Overview

This documentation provides a comprehensive analysis of how the Kiwy-Signage player (https://gitea.moto-adv.com/ske087/Kiwy-Signage.git) handles HTTPS connections and SSL certificate verification, along with implementation guides for adding self-signed certificate support.

Analysis Date: January 16, 2026
Player Version: Latest from repository
Server Compatibility: DigiServer v2

Key Findings

Current State

  • HTTPS Support: Yes, fully functional for CA-signed certificates
  • Self-Signed Certificates: NOT supported without code modifications
  • Custom CA Bundles: NOT supported without code modifications
  • SSL Verification: Enabled by default (uses requests library defaults)
  • ⚠️ Hardcoded Settings: None (relies entirely on requests library)

Architecture

  • HTTP Client: Python requests library (v2.32.4)
  • HTTPS Requests: 6 locations in 2 main files
  • Certificate Verification: Implicit verify=True (default behavior)
  • Configuration: Via config/app_config.json (no SSL options currently)

Documentation Files

1. 📋 KIWY_PLAYER_HTTPS_ANALYSIS.md

Main technical analysis document - Start here for comprehensive understanding

Contents:

  • Executive summary
  • HTTP client library details
  • Main connection files and locations
  • HTTPS connection architecture
  • Certificate verification code analysis
  • Current SSL/certificate behavior
  • Required changes for self-signed support
  • Testing instructions
  • Summary tables and references

Read this if you need: Full technical details, code references, line numbers

2. KIWY_PLAYER_HTTPS_QUICK_REF.md

Quick reference guide - Use this for quick lookups and summaries

Contents:

  • Quick facts and key statistics
  • Where HTTPS requests are made (code locations)
  • What gets sent over HTTPS (data flow)
  • The problem with self-signed certificates
  • How to enable self-signed certificate support
  • Configuration files overview
  • Network flow diagrams
  • SSL error troubleshooting
  • Testing instructions

Read this if you need: Quick answers, quick start, troubleshooting

3. 🔧 KIWY_PLAYER_SSL_PATCHES.md

Implementation guide with exact code patches - Use this to implement the changes

Contents:

  • Complete PATCH 1: Create ssl_config.py (NEW FILE)
  • Complete PATCH 2: Modify src/player_auth.py (7 changes)
  • Complete PATCH 3: Modify src/get_playlists_v2.py (2 changes)
  • PATCH 4: Extract server certificate
  • PATCH 5: Using environment variables
  • Testing procedures after patches
  • Implementation checklist
  • Rollback instructions

Read this if you need: To implement self-signed certificate support

4. 📐 KIWY_PLAYER_ARCHITECTURE_DIAGRAM.md

Visual architecture and flow diagrams - Use this to understand the system visually

Contents:

  • Current architecture before patches (with ASCII diagrams)
  • New architecture after patches
  • Certificate resolution flow
  • File structure before/after
  • Deployment scenarios (production, self-signed, dev)
  • Request flow sequence diagram
  • Error handling flow
  • Security comparison table

Read this if you need: Visual understanding, deployment planning

Quick Navigation

I want to...

Understand how the player works: → Read KIWY_PLAYER_HTTPS_ANALYSIS.md Section 3

Find where HTTPS requests happen: → Read KIWY_PLAYER_HTTPS_QUICK_REF.md "Where HTTPS Requests Are Made"

Implement self-signed cert support: → Follow KIWY_PLAYER_SSL_PATCHES.md step by step

See a visual diagram: → Read KIWY_PLAYER_ARCHITECTURE_DIAGRAM.md

Understand the problem: → Read KIWY_PLAYER_HTTPS_QUICK_REF.md "The Problem with Self-Signed Certificates"

Check specific code lines: → Read KIWY_PLAYER_HTTPS_ANALYSIS.md Section 3 "All HTTPS Request Points"

See the recommended solution: → Read KIWY_PLAYER_HTTPS_ANALYSIS.md Section 6 "Option 2: Custom CA Certificate Bundle"

Implementation Path

For Production Deployment (Recommended)

  1. Review the analysis

  2. Plan the implementation

  3. Implement patches

    • Follow KIWY_PLAYER_SSL_PATCHES.md
    • Create src/ssl_config.py
    • Modify src/player_auth.py (7 changes)
    • Modify src/get_playlists_v2.py (2 changes)

  4. Deploy certificates

  5. Test thoroughly

    • Test with self-signed server
    • Test with production server (verify backward compatibility)
    • Monitor player logs for SSL errors

  6. Document

    • Update player README with SSL certificate setup instructions
    • Document certificate rotation procedures

For Quick Testing (Development)

  1. Review KIWY_PLAYER_HTTPS_QUICK_REF.md "Quickest Fix"
  2. Use SSLConfig.disable_verification() temporarily
  3. ⚠️ Never use in production

File Summary

File Purpose Length Best For
KIWY_PLAYER_HTTPS_ANALYSIS.md Main technical document ~400 lines Complete understanding
KIWY_PLAYER_HTTPS_QUICK_REF.md Quick reference ~300 lines Quick lookups
KIWY_PLAYER_SSL_PATCHES.md Implementation guide ~350 lines Applying changes
KIWY_PLAYER_ARCHITECTURE_DIAGRAM.md Visual diagrams ~400 lines Visual learning

Key Statistics

Current Implementation

  • HTTP Client Library: requests v2.32.4
  • HTTPS Request Locations: 6 (5 in player_auth.py, 1 in get_playlists_v2.py)
  • Lines With Certificate Handling: 0 (all use implicit defaults)
  • SSL Configuration Options: 0 (all use system defaults)
  • Custom CA Support: Not implemented

After Patches

  • New Files: 1 (ssl_config.py)
  • Modified Files: 2 (player_auth.py, get_playlists_v2.py)
  • Code Lines Added: ~60 (new module)
  • Code Lines Modified: ~8 (in existing modules)
  • New Dependencies: 0 (uses existing requests library)
  • Breaking Changes: 0 (fully backward compatible)

Code Locations

src/player_auth.py:

  • Line 95: requests.post(auth_url, ...)
  • Line 157: requests.post(verify_url, ...)
  • Line 178: requests.get(playlist_url, ...)
  • Line 227: requests.post(heartbeat_url, ...)
  • Line 254: requests.post(feedback_url, ...)

src/get_playlists_v2.py:

  • Line 159: requests.get(file_url, ...)

Configuration

Current Configuration (No SSL Options)

File: config/app_config.json

{
  "server_ip": "digi-signage.moto-adv.com",
  "port": "443",
  "screen_name": "tv-terasa",
  "quickconnect_key": "8887779",
  "orientation": "Landscape",
  "touch": "True",
  "max_resolution": "1920x1080",
  "edit_feature_enabled": true
}

After Patches - New Files

New: config/ca_bundle.crt (Certificate file)

-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAJC1/iNAZwqDMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
... (certificate content)
-----END CERTIFICATE-----

New: src/ssl_config.py (Module for SSL configuration)

Architecture Overview

Before Patches

Player Application
  ├─ main.py (GUI)
  ├─ player_auth.py (Auth)
  └─ get_playlists_v2.py (Playlists)
        │
        ├─ requests.post/get(..., timeout=30)
        │  └─ Uses default: verify=True
        │     └─ Only works with CA-signed certs
        │
        └─ Python requests library
           └─ System CA certificates
              ├─ Production certs: ✅ Works
              └─ Self-signed certs: ❌ Fails

After Patches

Player Application
  ├─ main.py (GUI)
  ├─ player_auth.py (Auth) [MODIFIED]
  ├─ get_playlists_v2.py (Playlists) [MODIFIED]
  └─ ssl_config.py [NEW]
        │
        ├─ requests.post/get(..., verify=ca_bundle)
        │  └─ Uses SSLConfig.get_verify_setting()
        │     └─ Works with multiple cert types
        │
        └─ Python requests library
           ├─ Custom CA: 'config/ca_bundle.crt'
           ├─ Env var: REQUESTS_CA_BUNDLE
           ├─ System certs: True
           │
           ├─ Production certs: ✅ Works
           ├─ Self-signed certs: ✅ Works (with ca_bundle.crt)
           └─ Custom CA: ✅ Works (with env var)

Security Considerations

Current Implementation

  • SSL certificate verification enabled
  • Works securely with CA-signed certificates
  • No hardcoded insecure defaults
  • Uses Python best practices

Self-Signed Support (After Patches)

  • Maintains security with custom CA verification
  • No downgrade to insecure verify=False
  • Backward compatible with production
  • Supports environment-specific configurations

NOT Recommended

  • Using verify=False in production
  • Disabling SSL verification permanently
  • Ignoring certificate errors
  • Man-in-the-middle attack risks

Troubleshooting

Common Issues

Problem: "certificate verify failed" Solution: See KIWY_PLAYER_HTTPS_QUICK_REF.md "SSL Error Troubleshooting"

Problem: Player won't connect to DigiServer Solution: See KIWY_PLAYER_HTTPS_ANALYSIS.md Section 5

Problem: Not sure if patches are applied correctly Solution: See KIWY_PLAYER_SSL_PATCHES.md "Testing After Patches"

Problem: Need to rollback changes Solution: See KIWY_PLAYER_SSL_PATCHES.md "Rollback Instructions"

References

Source Repository

Python Libraries Used

  • requests v2.32.4 - HTTP client with SSL support
  • kivy ≥2.3.0 - GUI framework
  • aiohttp v3.9.1 - Async HTTP (not used for auth)

Related Documentation

Changelog

2026-01-16 - Initial Analysis

  • Complete HTTPS analysis of Kiwy-Signage player
  • Identified 6 locations making HTTPS requests
  • Documented lack of self-signed certificate support
  • Created 4 comprehensive documentation files
  • Provided ready-to-apply code patches
  • Created visual architecture diagrams

Support and Questions

If you have questions about:

Document Status

Document Status Last Updated Completeness
KIWY_PLAYER_HTTPS_ANALYSIS.md Complete 2026-01-16 100%
KIWY_PLAYER_HTTPS_QUICK_REF.md Complete 2026-01-16 100%
KIWY_PLAYER_SSL_PATCHES.md Complete 2026-01-16 100%
KIWY_PLAYER_ARCHITECTURE_DIAGRAM.md Complete 2026-01-16 100%

Next Steps

  1. Read the main analysis: Start with KIWY_PLAYER_HTTPS_ANALYSIS.md
  2. Review your requirements: Decide if you need self-signed certificate support
  3. Plan implementation: Use KIWY_PLAYER_ARCHITECTURE_DIAGRAM.md for deployment scenarios
  4. Apply patches: Follow KIWY_PLAYER_SSL_PATCHES.md step by step
  5. Test thoroughly: Verify with both production and self-signed servers
  6. Deploy: Roll out to player devices and monitor logs

Created: January 16, 2026
For: DigiServer v2 Integration
Repository: https://gitea.moto-adv.com/ske087/Kiwy-Signage.git

Reference in New Issue View Git Blame Copy Permalink