Blue Iris 5 - Stunnel & HTTPS Issues

Since updating to the latest BI 5.2.5.2 x64 I've noticed stunnel has stopped working. BI5 runs fine. Stunnel seems to run OK, but I am unable to make an incoming connection from the internet to BI5 over stunnel, and no firewall config changes have been made.
 
If you folks are still having Android issues: I have done a lot of troubleshooting directly with the author and his developers, and they were not able to fix it. It's something to do with certificates.
 
It seems you need to update the stunnel.pem file.

NOTE: in the video, disabling TLS 1.3 doesn't always allow you to connect to UI3 in Chrome.
@Walrus figured out that you can use the zerossl website to create a self-signed certificate (see the setup below this video):

Website used for SSL:
Free SSL Certificate Wizard and other SSL Tools @ ZeroSSL

See the steps below to set this up, from forum member walrus:

After hours of frustration, I finally solved it. I used the website Free SSL Certificate Wizard and other SSL Tools @ ZeroSSL to create a new self-signed certificate, and put my no-ip domain as the domain. This generates key.txt and crt.txt files. You then open the old stunnel.pem file and replace everything in the file with the key.txt contents, then the crt.txt contents, in that order.

This includes replacing the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- parts, as the new key from zerossl uses -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- instead.

It now works with both the updated version of Chrome on my Android phone, and Chrome on my work computer.
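The key-then-certificate rebuild of stunnel.pem that the post above describes, written out as an added example (this is not code from the thread, from stunnel or from ZeroSSL): it takes the contents of the two downloaded files as strings, checks that every PEM block is well formed and that exactly one private key is present, and emits the bundle with the key block first. The file names key.txt and crt.txt follow the post; the sample inputs are constructed dummies, not real key or certificate material.

```python
"""Rebuild stunnel.pem from key.txt and crt.txt in the order the post
describes: private key block first, then the certificate block(s).
Added example, not code from the thread, stunnel or ZeroSSL."""

import base64
import binascii
import re

# One PEM block: the label in the BEGIN line must match the END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Key wrappers we accept: the old "PRIVATE KEY" wrapper and the
# "RSA PRIVATE KEY" wrapper the post mentions both work.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text):
    """Return [(label, base64_body)] for every well-formed block in text."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), "".join(match.group(2).split())
        try:
            base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label}: body is not valid base64 ({exc})") from exc
        blocks.append((label, body))
    return blocks


def build_stunnel_pem(key_txt, crt_txt):
    """Return the text of a new stunnel.pem: exactly one key, then the certs."""
    key_blocks = pem_blocks(key_txt)
    if any(label == "ENCRYPTED PRIVATE KEY" for label, _ in key_blocks):
        raise ValueError("key is passphrase-protected; stunnel would need the passphrase at every start")
    keys = [b for b in key_blocks if b[0] in KEY_LABELS]
    if len(keys) != 1:
        raise ValueError(f"expected one private key block in key.txt, found {len(keys)}")
    certs = [b for b in pem_blocks(crt_txt) if b[0] == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block in crt.txt")
    out = []
    for label, body in keys + certs:
        # Re-wrap at 64 columns so the bundle is tidy regardless of input wrapping.
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        out.append(f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n")
    return "".join(out)


def bundle_order(pem_text):
    """Block labels in file order, for checking an existing stunnel.pem."""
    return [label for label, _ in pem_blocks(pem_text)]


# Constructed placeholders: base64 of short strings, not real key or
# certificate material, so only the bundling logic is exercised.
def _dummy_block(label, payload):
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"


SAMPLE_KEY_TXT = _dummy_block("RSA PRIVATE KEY", b"constructed key bytes")
SAMPLE_CRT_TXT = (_dummy_block("CERTIFICATE", b"constructed leaf certificate")
                  + _dummy_block("CERTIFICATE", b"constructed intermediate"))

if __name__ == "__main__":
    new_pem = build_stunnel_pem(SAMPLE_KEY_TXT, SAMPLE_CRT_TXT)
    print(bundle_order(new_pem))  # ['RSA PRIVATE KEY', 'CERTIFICATE', 'CERTIFICATE']
```

Passing the files in the wrong order (certificate file as the key) is rejected rather than silently producing a bundle stunnel cannot load, which is the mistake the post's "in that order" wording guards against.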


The Stunnel program is a bit of a mess to get working. I find it works as follows:

If you have the service running, you can't run the GUI. If you do run the 'Stunnel GUI start' program with the service running, it will say the service is down.
If you stop the service, you can run the GUI. You can keep the GUI running, and stunnel will work.
To start the service again, you need to stop the GUI with the 'Stunnel GUI stop' program and run the 'Stunnel service start' program.

Upon a Windows restart, whatever you had running (service or GUI) will run again.
I can confirm this was the solution for me - something to do with an old version of TLS/SSL - I seem to think it may be due to Chrome ending support for SSLv3? If you're having this problem, try to load it in IE - it should work if this is your issue!

Either way - I edited the stunnel.pem files as in this post with details for a certificate made for my domain - this is now working perfectly from both mobile and desktop versions of Chrome.
 
I went through all of the Zero SSL steps with no success, along with using LetsEncrypt. Like Tech101 said, TLSv1.0 and 1.1 are no longer supported by iOS. So, I forced stunnel onto TLSv1.2. It worked for me.

In the stunnel.conf file, you'll see the following default SSL config:

; Enable support for the insecure SSLv3 protocol
;options = -NO_SSLv3

You need to force stunnel to use TLSv1.2 with the following line:

sslVersion = TLSv1.2

So, your SSL config should look as follows:

; Enable support for the insecure SSLv3 protocol
;options = -NO_SSLv3
sslVersion = TLSv1.2


Thanks, this fixed it for my case!
At first only my Note 8 was working, but my wife's Huawei P30 wouldn't; then I changed it to TLSv1.2 and it works.
 

Hi, thanks for sslVersion = TLSv1.2, which initially failed! Still generating self-signed via stunnel.

To get it to work I also had to change
[BlueIris]
accept=1440
connect=8080
cert = stunnel.pem

to
[BlueIris]
accept=1440
connect=192.168.0.2:8080
cert = stunnel.pem

I tried connect = 127.0.0.1, which failed, hence pointing to the actual IP address.
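A check-and-patch script for the two stunnel.conf edits described in the posts above (the global sslVersion = TLSv1.2 line, and a connect = HOST:PORT target instead of a bare port), added here as an example; it is not from the thread or from stunnel. It assumes stunnel's usual file layout (global options before the first [section], comments starting with ;) and a service section named [BlueIris] as quoted in the thread; the sample configuration is constructed from the lines the posters quoted, and the LAN address 192.168.0.2 is the one from the post above.

```python
"""Report and fix the two stunnel.conf problems the thread settles on:
a missing global 'sslVersion = TLSv1.2' and a service 'connect=' line
with no host. Added example, not code from the thread or from stunnel."""

import re

# Constructed sample: the default global lines and [BlueIris] section as
# quoted in the thread, before either fix is applied.
SAMPLE_CONF = """\
; Enable support for the insecure SSLv3 protocol
;options = -NO_SSLv3

[BlueIris]
accept=1440
connect=8080
cert = stunnel.pem
"""


def parse_stunnel_conf(text):
    """Return {section: {key: value}}; global options live under ''."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank or comment
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def find_issues(text, service="BlueIris"):
    """List the misconfigurations the thread describes, in plain words."""
    conf = parse_stunnel_conf(text)
    issues = []
    if conf[""].get("sslVersion") != "TLSv1.2":
        issues.append("global: sslVersion is not pinned to TLSv1.2; clients that "
                      "dropped TLS 1.0/1.1 will fail the handshake")
    svc = conf.get(service, {})
    connect = svc.get("connect", "")
    if connect and ":" not in connect:
        issues.append(f"[{service}]: connect={connect} has no host; one poster "
                      "needed the explicit LAN address of the Blue Iris server")
    if not svc.get("cert"):
        issues.append(f"[{service}]: no cert= line")
    return issues


def patch_conf(text, backend_host=None, service="BlueIris"):
    """Return the config with sslVersion pinned in the global section and,
    if backend_host is given, a bare connect=PORT rewritten to HOST:PORT."""
    out, current, pinned = [], "", False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            if current == "" and not pinned:          # leaving the global section
                out.extend(["sslVersion = TLSv1.2", ""])
                pinned = True
            current = line.strip("[]").strip()
        elif current == "" and re.match(r"sslVersion\s*=", line):
            raw, pinned = "sslVersion = TLSv1.2", True  # overwrite a wrong value
        elif current == service and backend_host and re.match(r"connect\s*=\s*\d+$", line):
            raw = f"connect={backend_host}:{line.split('=', 1)[1].strip()}"
        out.append(raw)
    if not pinned:                                     # file had no sections at all
        out.append("sslVersion = TLSv1.2")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for issue in find_issues(SAMPLE_CONF):
        print("before:", issue)
    fixed = patch_conf(SAMPLE_CONF, backend_host="192.168.0.2")
    print(fixed)
    print("after:", find_issues(fixed) or "no issues")
```

Two things worth knowing before applying the patch: sslVersion = TLSv1.2 pins exactly that version, so a modern client that offers TLS 1.3 will settle for 1.2, while a client that only speaks TLS 1.0/1.1 is refused outright, which is the intended effect here. The script does not guess the LAN address; pass it explicitly as backend_host, and running the patch a second time changes nothing.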
 
This configuration issue just struck me today.
I'm VERY happy you posted this, it fixed my iPhone app issue. :)
 
Got me up and running again. THANKS!

Other info for those struggling with this issue:
I manage 3 different BI5 installations that are accessed with both Android and iOS. Android has been problematic with this issue for months; I originally gave up fixing it.

iOS has been more "interesting". A few weeks ago, one iPhone stopped being able to connect, other iPhones were happily working and accessing the BI servers. Over the course of roughly a month, all iPhones lost the ability to connect to the 3 different servers. I surmise that iOS caches the credentials and trusts them for some length of time, maybe 30 days. Certainly forced me to do a lot of unnatural acts in debugging since I initially thought the issue was with the BI server!!!
 
Hi all!

Now I got my iPhone up and running again; the Android phone was not affected, so everything is good now.

As voelker250 wrote before, the only thing I needed to do was edit the Stunnel.conf file and add a line:
sslVersion = TLSv1.2

No change in the .pem file.
No zerossl that needs to be changed further on.

Brgds TheSwede
 
As a few others have said: add sslVersion = TLSv1.2 and no messing with certificates is needed. It will just work with the default stunnel.pem file at TLSv1.2.
Adding one line to the config file certainly is easier than messing about with zerossl and trying to actually find the self-signed certificate option. The result is the same: you get SSL with the warning that the cert is self-signed.
Much easier.
 
sslVersion = TLSv1.2 - I spent many hours trying to get stunnel to work. Wish I had gone looking for this earlier.
Added that line to the stunnel.conf file. WORKS! Thank you for the posts.
 
Does anyone know if ZeroSSL stopped issuing certs, or do we have to verify the email before they give us a cert? And is it only 90 days now for free?
 
It appears they stopped issuing the self-signed certs. I was not able to get past the verification.

I used this site and it worked for me: Self-Signed Certificate Generator
Thank you for that site. Also I think voelker250 had a workaround which worked for me.

It was editing the Stunnel.conf file and adding a line:
sslVersion = TLSv1.2
 
I was puzzled why my older Android phone connected to the BI server fine, but my daughter's newer Android phone wouldn't no matter what I did. Editing the stunnel.conf file to add the line sslVersion = TLSv1.2 fixed it! Brilliant!
 
So today I just noticed I am having an issue connecting to my BI from outside, since I use stunnel. Now I'm not sure if Comcast is simply blocking ports. My firewall rules are correct, and I can connect from inside fine over stunnel, which tells me the stunnel piece is working fine; whatever it is has to do with ports. I did turn off the Windows built-in firewall as well to see, and that is not causing this. Not sure what changed, since I did not change anything. Anyone else?
 
All sorted. Turns out it was the stupid Google WiFi. I did restart the device and it did not help, but today I powered it off for 10 sec and powered it back up, and all of a sudden everything is now working. Ahh... Ubiquiti soon for sure.
 
New user of Blue Iris, just going through all the videos to configure it, specifically the stunnel video. Here is my setup:

Server - Windows 10 Patched and updated
Blue Iris 5
stunnel 5.55
Netgear Orbi router
Android - Essential PH1 on Q

Configs:
Port forward setup to BI Server - Port 8081 to 192.168.1.26

Blue Iris 5 Web server config:
Remote external x.x.x.x:8081
Local Lan 192.168.1.26:8081
Enable http web server on port 81
HTTPS Lan Also

Stunnel Config:
Under TLS Client Mode
accept = 8081
connect = 81
cert = stunnel.pem



The problems:

On the server, if I open Chrome and go to I get "site can't be reached": ERR_SSL_KEY_USAGE_INCOMPATIBLE

On the server, if I open IE and go to works as expected.


From a workstation outside the network it does the same thing: I can use IE but it hates Chrome.

On the Android app, does not connect from outside the network. If I


Android App - Just simply does not connect.
If I use Chrome on the phone to browse to the site I get site cannot be reached. ERR_SSL_KEY_INCOMPATIBLE

Checking the stunnel log, I have lots of this error:
2019.06.12 14:35:07 LOG3[2734]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
2019.06.12 14:35:07 LOG5[2734]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2019.06.12 14:35:07 LOG3[2735]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
2019.06.12 14:35:07 LOG5[2735]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket


Anyone have any ideas?
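A small triage script for stunnel log lines like the ones quoted above, added as an example (not code from the thread or from stunnel): it parses each line into timestamp, level, connection id and message, counts TLS handshake failures by OpenSSL reason string, and separates "the client reached stunnel and the handshake was rejected" (a certificate or protocol-version problem, the kind this thread is about) from "nothing arrived at all" (a port-forwarding or firewall problem). The sample log is constructed: the four lines from the post plus one ordinary completed connection.

```python
"""Triage stunnel log output: handshake failures vs. completed connections.
Added example, not code from the thread or from stunnel."""

import re
from collections import Counter

# Constructed sample: the four lines quoted in the post, plus one normal
# connection that completed and closed.
SAMPLE_LOG = """\
2019.06.12 14:35:07 LOG3[2734]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
2019.06.12 14:35:07 LOG5[2734]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2019.06.12 14:35:07 LOG3[2735]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
2019.06.12 14:35:07 LOG5[2735]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2019.06.12 14:36:01 LOG5[2736]: Connection closed: 51203 byte(s) sent to TLS, 4096 byte(s) sent to socket
"""

# "<date> <time> LOG<level>[<connection id>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) LOG(?P<level>\d)\[(?P<conn>\d+)\]: (?P<msg>.*)$")
# OpenSSL error string inside an SSL_accept failure: ...error:<code>:SSL routines:<func>:<reason>
HANDSHAKE_RE = re.compile(
    r"^SSL_accept: .*?error:(?P<code>[0-9A-Fa-f]+):SSL routines:(?P<func>[^:]+):(?P<reason>.*)$")


def parse_line(line):
    """Return a dict for a recognised stunnel log line, else None."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def triage(log_text):
    """Summarise handshake failures and completed connections in log_text."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    failures, failed_conns = Counter(), set()
    for entry in entries:
        match = HANDSHAKE_RE.match(entry["msg"])
        if match:
            failures[match.group("reason")] += 1
            failed_conns.add(entry["conn"])
    zero_byte_resets = sum(1 for e in entries
                           if e["msg"].startswith("Connection reset: 0 byte(s)"))
    completed = sum(1 for e in entries
                    if e["msg"].startswith("Connection closed") and e["conn"] not in failed_conns)
    return {
        "handshake_failures": dict(failures),
        "failed_connections": sorted(failed_conns),
        "zero_byte_resets": zero_byte_resets,
        "completed_connections": completed,
    }


def verdict(summary):
    """One-line reading of the summary, following the thread's own diagnosis."""
    if summary["handshake_failures"]:
        reasons = ", ".join(sorted(summary["handshake_failures"]))
        return (f"TLS handshake rejected ({reasons}): the client reached stunnel, so look at "
                "the certificate and the sslVersion setting, not at port forwarding")
    if summary["completed_connections"] == 0 and summary["zero_byte_resets"] == 0:
        return "no connection attempts logged: nothing reached stunnel; check port forwarding and firewall"
    return "connections are completing normally"


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(summary)
    print(verdict(summary))
```

Both failing connections in the sample are rejected during SSL_accept with zero bytes moved in either direction, which is the signature of a client refusing the server's certificate or protocol offer; a port problem would show no log lines at all for the outside attempts.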

Same issue, did you ever figure this out?
 
The question is another: WHY, if I can connect to my stunnel/blueiris server from an Android smartphone using Firefox (manually adding a security exception to Firefox due to the self-signed certificate), is the BlueIris app not able to do the same, or show some useful message instead of "unable to connect"?
Is it such a complex matter to show a prompt like Firefox does, to ask about the certificate security and save the certificate credential for future access?
Apps like BlueIris for Android push Android development back ten years in time.
 


Coming from the dev: Android is forcing proper certs with apps, so it won't connect unless you have one. I have a zerossl cert.
 
I think it's best to just post here, as a lot of you are doing what I did.

I had a 3-month cert from Let's Encrypt working, and after messing with it every 3 months, I'm done. Plus I can't figure out how to get past the limit of 3, as it still thinks I have 3 SSLs even though they are all expired.

I'm trying to use a Cloudflare cert and getting the following error in Chrome:
NET::ERR_CERT_AUTHORITY_INVALID