From SpinetiX Support Wiki
This page is about external web servers usage. See also the player's embedded web server page.
Web server can refer to hardware or software, or both of them working together.
- On the software side, a web server includes several parts that control how web clients access hosted files, at minimum an HTTP server. An HTTP server is a piece of software that understands URLs (web addresses) and HTTP (the protocol your browser uses to view webpages). It can be accessed through the domain names (like mozilla.org) of websites it stores, and delivers their content to the end-user's device.
At the most basic level, whenever a client (e.g., browser) needs a file which is hosted on a web server, the client requests the file via HTTP. When the request reaches the correct web server (hardware), the HTTP server (software) accepts the request, finds the requested file (if it doesn't then a 404 response is returned), and sends it back to the client, also through HTTP.
- WebDAV is an extension of HTTP protocol to allow reading (and writing) files on a web server - this is employed to get the list of files from a server location by media files widgets and by some content pull methods.
- Other protocols like FTP, NFS or SMB/CIFS are not supported by the HMP.
- Although you can publish content on an FTP server or on a Windows Shared Folder (accessible via UNC path) from Elementi M and X (see Publish Location page), the HMP can only access those locations via HTTP.
All player models are able to access remote resources via HTTPS.
- The list of trusted root certificates matches that of Firefox. Certificate validation can be controlled from Control Center ⇾ Network ⇾ Trusted Certificates page.
- SSL with Virtual Hosts using Server Name Indication (SNI) is supported starting with firmware 3.1.0.
- The OpenSSL version used by the player is not affected by the Heartbleed bug.
The credentials to use when accessing resources from remote servers requiring authentication, are configured from:
- Control Center ⇾ System ⇾ Saved Passwords on players
- Menu ⇾ Settings ⇾ Network Credentials... on Elementi
Supported authentication methods
The players support the following methods for connecting to servers requiring authentication:
- Basic access authentication
- HTTP Basic authentication (BA) implementation is the simplest technique for enforcing access controls to web resources because it doesn't require cookies, session identifiers, or login pages; rather, HTTP Basic authentication uses standard fields in the HTTP header, obviating the need for handshakes. The BA mechanism provides no confidentiality protection for the transmitted credentials. They are merely encoded with Base64 in transit, but not encrypted or hashed in any way. HTTPS is, therefore, typically preferred over or used in conjunction with Basic Authentication.
- Digest access authentication
- Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials, such as username or password. It applies a hash function to the username and password before sending them over the network. In contrast, basic access authentication uses the easily reversible Base64 encoding instead of encryption, making it non-secure unless used in conjunction with SSL. Technically, digest authentication is an application of MD5 cryptographic hashing with usage of nonce values to prevent replay attacks. It uses the HTTP protocol.
- NTLM (added in firmware 3.2.0)
- NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. NTLM is a challenge-response authentication protocol which uses three messages to authenticate a client in a connection oriented environment (connectionless is similar), and a fourth additional message if integrity is desired. NTLM is supported only over secured HTTP connections. Note that NTLM is an insecure protocol when not over SSL.
- Form-based authentication (added in firmware 4.5.0)
Non-supported authentication methods
- Many Microsoft-based web services including SharePoint and Exchange are set to use Integrated Windows Authentication by default; this setting must be changed site-wide.
- See these security considerations for reasons why using FORM based authentication with the HMP is not a good idea.
- Server certificate verification failed: certificate has expired
- This happens when the server certificate is no longer valid - to solve this, a new server certificate must be issued.
- Server certificate verification failed: certificate issued for a different hostname
- This happens when the server name doesn't match the one mentioned within the SSL certificate, for instance when using the server's IP address instead of its hostname - to solve this, use the server name as mentioned within the SSL certificate.
- Server certificate verification failed: issuer is not trusted
- This happens when the server root certificate is not within the player built-in database of the root certificates of public certification authorities, for instance when the certificate was delivered by a private, or enterprise internal, certification authority. To solve this, you can add that root certificates on the player from HMP Control Center > Network > Trusted Certificates.
- SSL handshake failed: SSL error code -1/1/336032856
- This can happen when the hostname reported by the server does not the match the hostname given in the SSL certificate. Make sure your server configuration uses correct values for "ServerName" and "NameVirtualHost".
- SSL handshake failed: SSL error: unknown message digest algorithm
- The sha256WithRSAEncryption algorithm was not supported before 3.1.0 release. The solution is to update the firmware on the HMP or use sha1WithRSAEncryption algorithm when generating the certificate.