Blue Iris 5 - Stunnel & HTTPS Issues

Interesting. The same thing happened to me; stunnel just stopped working today. Did you figure out why it was?



2020.03.26 19:37:54 LOG3[30]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
2020.03.26 19:37:54 LOG5[30]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2020.03.26 19:37:54 LOG3[31]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
2020.03.26 19:37:54 LOG5[31]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2020.03.26 19:37:54 LOG5[32]: Service [blueiris] accepted connection from 1****
2020.03.26 19:37:54 LOG5[33]: Service [blueiris] accepted connection from 1*****
2020.03.26 19:37:54 LOG3[32]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
2020.03.26 19:37:54 LOG5[32]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2020.03.26 19:37:54 LOG3[33]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
2020.03.26 19:37:54 LOG5[33]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2020.03.26 19:37:54 LOG5[34]: Service [blueiris] accepted connection from 1****
2020.03.26 19:37:54 LOG3[34]: SSL_accept: ssl/statem/statem_srvr.c:1746: error:14209175:SSL routines:tls_early_post_process_client_hello:inappropriate fallback
2020.03.26 19:37:54 LOG5[34]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2020.03.26 19:37:54 LOG5[35]: Service [blueiris] accepted connection from 1***
2020.03.26 19:37:54 LOG3[35]: SSL_accept: ssl/statem/statem_srvr.c:1746: error:14209175:SSL routines:tls_early_post_process_client_hello:inappropriate fallback
Okay, I did update the iOS on the iPhone yesterday. I wonder if that has anything to do with this, because I can reach it through a browser just fine,

both on internal and external IPs.

It's just the iOS app now which is not working, after iOS 13.4. Any idea what I can do to fix it? Of course I cannot roll back the iPhone to the old iOS.

Update: Okay, so it turns out that in the new iOS 13.4 they have dropped support for TLS 1.0 and 1.1. With that said, the Blue Iris iOS app is not working with stunnel. Does anyone know of any workaround?

I went with OpenVPN through an Asus router. Much easier and quicker in my opinion, with fewer bugs. Sorry I could not be more help with your question. I gave up on stunnel.
Yes, confirming the iOS issue was definitely due to changes in the new iOS 13.4 update. That's also when my issue began.

Either way, I was also able to troubleshoot the issue with ZeroSSL (above) after much tedious trial and error. The fix was:
1.) You can edit the stunnel.pem file in Notepad++ with admin rights.
2.) You must replace the legacy key data in stunnel.pem with the new one, including the --- BEGIN RSA PRIVATE KEY --- AND --- END RSA PRIVATE KEY --- lines.
3.) This was the most peculiar step of all. You must replace the text BETWEEN the --- BEGIN CERTIFICATE --- and --- END CERTIFICATE --- lines with what's in the cert.txt file. DO NOT replace the BEGIN and END lines of text themselves or the stunnel server will not run.

After this you'll be back up and running with stunnel after the iOS 13.4 update, until the ZeroSSL cert expires and needs to be recreated.
I already did this. For me, 13.4 is still a no-go. After doing this, the old iOS on my iPad is still working, so I am not sure how you got yours working on 13.4.
 
Post your stunnel error log. We will see whether we can help. I spent several hours trying all sorts of combinations before I was able to get it to work on iOS 13.4. It turned out that step #3 was the critical one and, in my case, accidental.
When I leave the old .pem key, the config loads fine. When I generate a key using ZeroSSL and change the keys:


2020.03.27 10:44:18 LOG5[main]: Reading configuration from file stunnel.conf
2020.03.27 10:44:18 LOG5[main]: UTF-8 byte order mark detected
2020.03.27 10:44:18 LOG3[main]: error queue: ssl/ssl_rsa.c:556: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:pEM lib
2020.03.27 10:44:18 LOG3[main]: error queue: crypto/pem/pem_pkey.c:88: error:0907B00D:pEM routines:pEM_read_bio_PrivateKey:ASN1 lib
2020.03.27 10:44:18 LOG3[main]: error queue: crypto/asn1/tasn_dec.c:627: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
2020.03.27 10:44:18 LOG3[main]: error queue: crypto/asn1/tasn_dec.c:290: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
2020.03.27 10:44:18 LOG3[main]: error queue: crypto/asn1/tasn_dec.c:1130: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
2020.03.27 10:44:18 LOG3[main]: Wrong passphrase: retrying
2020.03.27 10:44:18 LOG3[main]: error queue: ssl/ssl_rsa.c:556: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:pEM lib
2020.03.27 10:44:18 LOG3[main]: error queue: crypto/pem/pem_pkey.c:88: error:0907B00D:pEM routines:pEM_read_bio_PrivateKey:ASN1 lib
2020.03.27 10:44:18 LOG3[main]: error queue: crypto/asn1/tasn_dec.c:627: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
2020.03.27 10:44:18 LOG3[main]: error queue: crypto/asn1/tasn_dec.c:290: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
2020.03.27 10:44:18 LOG3[main]: error queue: crypto/asn1/tasn_dec.c:1130: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
2020.03.27 10:44:18 LOG3[main]: Wrong passphrase: retrying
2020.03.27 10:44:18 LOG3[main]: error queue: ssl/ssl_rsa.c:556: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:pEM lib
2020.03.27 10:44:18 LOG3[main]: error queue: crypto/pem/pem_pkey.c:88: error:0907B00D:pEM routines:pEM_read_bio_PrivateKey:ASN1 lib
2020.03.27 10:44:18 LOG3[main]: error queue: crypto/asn1/tasn_dec.c:627: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
2020.03.27 10:44:18 LOG3[main]: error queue: crypto/asn1/tasn_dec.c:290: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
2020.03.27 10:44:18 LOG3[main]: SSL_CTX_use_PrivateKey_file: crypto/asn1/tasn_dec.c:1130: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
2020.03.27 10:44:18 LOG3[main]: Service [blueiris]: Failed to initialize TLS context
2020.03.27 10:44:18 LOG3[main]: Failed to reload the configuration file

 
Correct. If you follow my instructions, it will overcome those errors. Have been there, faced all variations, until I figured it out. Steps posted above.


Okay, so it still errors out (when I try to reload the configuration or connect). This cert also does not work at all, even through a browser or anything.

2020.03.28 09:11:43 LOG3[main]: error queue: ssl/ssl_rsa.c:556: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
2020.03.28 09:11:43 LOG3[main]: error queue: crypto/pem/pem_pkey.c:88: error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib
2020.03.28 09:11:43 LOG3[main]: error queue: crypto/asn1/tasn_dec.c:627: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
2020.03.28 09:11:43 LOG3[main]: error queue: crypto/asn1/tasn_dec.c:290: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
2020.03.28 09:11:43 LOG3[main]: error queue: crypto/asn1/tasn_dec.c:1130: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
2020.03.28 09:11:43 LOG3[main]: Wrong passphrase: retrying
2020.03.28 09:11:43 LOG3[main]: error queue: ssl/ssl_rsa.c:556: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
2020.03.28 09:11:43 LOG3[main]: error queue: crypto/pem/pem_pkey.c:88: error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib
2020.03.28 09:11:43 LOG3[main]: error queue: crypto/asn1/tasn_dec.c:627: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
2020.03.28 09:11:43 LOG3[main]: error queue: crypto/asn1/tasn_dec.c:290: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
2020.03.28 09:11:43 LOG3[main]: SSL_CTX_use_PrivateKey_file: crypto/asn1/tasn_dec.c:1130: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
2020.03.28 09:11:43 LOG3[main]: Service [blueiris]: Failed to initialize TLS context
2020.03.28 09:11:43 LOG3[main]: Failed to reload the configuration file

This is what I am doing: I am opening the stunnel.pem file in Notepad++ with admin rights.

I generated the cert from ZeroSSL by putting in my public IP address, IPv4 only.

Once the cert has been generated, I download both the cert and the key as txt files.

I replace the key between the lines and the cert. Again, not copying the RSA line or anything, just the keys. Still it is failing to load.

What else could I be missing? Thank you!

 
Does this require the keys to be somewhere else as well, or just stunnel.pem?
 
YAY!! Got it to work. For me, what it was:

You have to replace everything in stunnel.pem, basically making it a blank file, and then put in everything, including the lines, from ZeroSSL.

As soon as I did that it worked!!!
 
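As an added example (not from any poster in this thread), a small Python check for the stunnel.pem layout that the step-by-step post earlier and the fix just above describe: it confirms the file holds both a private key block and a certificate block with matching BEGIN/END lines, that each body is valid base64 decoding to a DER SEQUENCE, and that key bytes match their label, because a PKCS#8 "PRIVATE KEY" body pasted between old "RSA PRIVATE KEY" lines is one way to produce the asn1_check_tlen:wrong tag errors logged above. The DER blobs are constructed minimal stand-ins, not real keys or certificates.

```python
import base64, re
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END ([A-Z0-9 ]+)-----", re.S)

def der_tlv(buf, pos=0):  # -> (tag, content_start, content_end) for the DER header at pos
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                                   # short-form length
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F                                   # long form: n length bytes follow
    return tag, pos + 2 + n, pos + 2 + n + int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def check_block(label, der):
    """Return a problem with this PEM block's DER body, or None if it looks right."""
    if len(der) < 2 or der[0] != 0x30:
        return "body is not a DER SEQUENCE (OpenSSL reports 'wrong tag')"
    _, start, end = der_tlv(der)
    if end != len(der):
        return f"SEQUENCE claims {end} bytes but body has {len(der)}"
    if label.endswith("PRIVATE KEY"):
        # both PKCS#1 (RSA PRIVATE KEY) and PKCS#8 (PRIVATE KEY) open with INTEGER version; the
        # next element is INTEGER n for PKCS#1 but a SEQUENCE (AlgorithmIdentifier) for PKCS#8
        _, _, ver_end = der_tlv(der, start)
        expected = 0x02 if label == "RSA PRIVATE KEY" else 0x30
        if ver_end >= len(der) or der[ver_end] != expected:
            return f"{label} lines wrap a key in the other encoding (PKCS#1 vs PKCS#8)"

def audit_pem(text):
    """Audit a stunnel.pem: a private key block and a certificate block, each well-formed."""
    problems, labels = [], []
    for begin, body, end in PEM_BLOCK.findall(text):
        labels.append(begin)
        if begin != end:
            problems.append(f"{begin}: END line says {end}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                             # binascii.Error is a ValueError
            problems.append(f"{begin}: body is not valid base64")
            continue
        if (err := check_block(begin, der)):
            problems.append(f"{begin}: {err}")
    for need in ("PRIVATE KEY", "CERTIFICATE"):        # stunnel.pem must hold both
        if not any(l.endswith(need) for l in labels):
            problems.append(f"no {need} block")
    return problems

PKCS8_KEY = bytes.fromhex("300702010030000400")  # constructed stand-in: SEQUENCE { INTEGER 0, SEQUENCE {}, OCTET STRING }
CERT = bytes.fromhex("3000")                     # constructed stand-in for a certificate: empty SEQUENCE
def pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"
GOOD_PEM = pem("PRIVATE KEY", PKCS8_KEY) + pem("CERTIFICATE", CERT)
BAD_PEM = pem("RSA PRIVATE KEY", PKCS8_KEY) + pem("CERTIFICATE", CERT)  # the thread's mistake: PKCS#8 key between old RSA PRIVATE KEY lines
```

Run audit_pem on the text of a real stunnel.pem before reloading stunnel; an empty list means the file has the shape stunnel expects.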
I was having issues. Make sure you use the "Self-Signed Certificate Generator".

Thanks, that is the one I ended up using earlier and that worked!
 
I was using the "FREE SSL Certificate Wizard: Free SSL certificates trusted by all major browsers issued in minutes."

The RSA key was 58 lines long instead of 27. I was getting all sorts of errors. I used the self-signed one and it fixed it. I'm not sure why the stunnel self-signed cert doesn't work with the new iOS. I wonder if this new cert will work with Safari on my iMac (once I updated to the new macOS months ago it stopped working and I had to use Firefox).
 
Basically, to make it work with iOS I had to replace everything in the .pem file, including the -----Begin Private Key---- lines and everything, and it worked. Thereafter it also works on the iPad. I have not tested the Mac; I guess I can give it a shot.
 

I have the latest running and can confirm it worked on Safari as well, on the MacBook Pro.

So the ZeroSSL cert fixed it not only on the iPhone and iPad, but the latest macOS and Safari work as well.
 
I had the same problem and was unable to use the ZeroSSL cert to fix it.

What DID fix my issue was to use a Let's Encrypt cert and key. Now everything is working on all browsers and devices. I fortunately had an Ubuntu box running with Certbot; I just reused it from there.
 
I went through all of the ZeroSSL steps with no success, along with using Let's Encrypt. Like Tech101 said, TLSv1.0 and 1.1 are no longer supported by iOS. So I forced stunnel onto TLSv1.2. It worked for me.

In the stunnel.conf file, you'll see the following default SSL config:

; Enable support for the insecure SSLv3 protocol
;options = -NO_SSLv3

You need to force stunnel to use TLSv1.2 with the following line:

sslVersion = TLSv1.2

So, your SSL config should look as follows:

; Enable support for the insecure SSLv3 protocol
;options = -NO_SSLv3
sslVersion = TLSv1.2
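An added example, not from the post above: a Python audit of a stunnel.conf in the shape shown, which reports any service not pinned to TLSv1.2 (taking global-section defaults into account) and any uncommented options = -NO_SSLv3, and inserts the sslVersion = TLSv1.2 line the post recommends. The sample config is constructed; its accept, connect and cert values are placeholders.

```python
import re
# Constructed stunnel.conf fragment in the shape the post shows; not anyone's real config
SAMPLE_CONF = """\
; Enable support for the insecure SSLv3 protocol
;options = -NO_SSLv3

[blueiris]
accept = 8443
connect = 127.0.0.1:81
cert = stunnel.pem
"""
DIRECTIVE = re.compile(r"^([A-Za-z]+)\s*=\s*(.*?)\s*$")

def parse_conf(text):
    """Return [('', global directives), (service, directives), ...]; ';' lines are comments."""
    sections, name, current = [], "", []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(";"):
            continue
        if s.startswith("[") and s.endswith("]"):
            sections.append((name, current))           # close the previous section
            name, current = s[1:-1], []
        elif (m := DIRECTIVE.match(s)):
            current.append((m.group(1), m.group(2)))
    sections.append((name, current))
    return sections

def audit_tls(text):
    """Flag services not pinned to TLSv1.2, or with SSLv3 re-enabled via options = -NO_SSLv3."""
    sections = parse_conf(text)
    findings = []
    for name, opts in sections[1:]:
        eff = sections[0][1] + opts                    # global section gives defaults, service overrides
        versions = [v for k, v in eff if k == "sslVersion"]
        if not versions or versions[-1] != "TLSv1.2":
            findings.append(f"[{name}] does not force TLSv1.2 (sslVersion={versions[-1] if versions else 'unset'})")
        if any(k == "options" and "-NO_SSLv3" in v for k, v in eff):
            findings.append(f"[{name}] re-enables SSLv3 via options = -NO_SSLv3")
    return findings

def force_tls12(text):
    """Add 'sslVersion = TLSv1.2' to the global section, as the post does, unless some section sets it."""
    if any(k == "sslVersion" for _, opts in parse_conf(text) for k, _ in opts):
        return text
    lines = text.splitlines()
    first = next((i for i, l in enumerate(lines) if l.strip().startswith("[")), len(lines))
    lines.insert(first, "sslVersion = TLSv1.2")
    return "\n".join(lines) + "\n"
```

Newer stunnel releases also accept sslVersionMin = TLSv1.2 as a floor rather than a single pinned version; the audit above looks only for the sslVersion line the post uses.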