Blue Iris HTTPS?

ZaSz

n3wb
Joined
Dec 10, 2014
Messages
3
Reaction score
0
I am trying to use Blue Iris via iOS on HTTPS.
It doesn't work, says can't connect.
On my computer when I try I get this error:
"SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long) "

What did I miss?
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,897
Reaction score
21,250
Welcome to the forum..
Have you set up stunnel? From the help file:

How to use HTTPS (SSL) with the Blue Iris web server

When you have selected Secure Only on the Options/Webserver page, you are presented with a Blue Iris login page instead of the browser's own username/password form. When this login page is used, your user name and password are NOT sent to the Blue Iris web server. A secure hash (encryption) is created from a combination of these credentials and a unique session key.

While your authentication is securely protected by this mechanism, some users will want to know that the actual video itself is encrypted. This is only possible with the use of an add-on SSL (Secure Socket Layer) technology.

We have recently discovered stunnel (www.stunnel.org) which you may install as a service onto your PC. Instead of configuring your router to forward traffic to Blue Iris, you would configure that traffic to go to stunnel, and then configure stunnel to then forward the traffic to the Blue Iris web server. For example, external port 443 (the standard HTTPS port) forwards to stunnel port 443, and stunnel forwards to Blue Iris on the same PC on port 80 or 81.
 

ZaSz

Ah, I thought the login could be SSL and if you wanted videos to be SSL also you needed stunnel.
So "Secure Only" =/= HTTPS. It is only a different login page.
So without stunnel, there is no way to make the iOS app send credentials in a secure way?
 

fenderman

If I understand it correctly, as long as you set secure only, then the credentials are encrypted but not the video. If you want the actual video encrypted then you need stunnel.
 

ZaSz

Ok, well as long as the credentials are not sent in clear from iOS then it's ok for me :)
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,666
Reaction score
14,005
Location
USA
If the mobile apps are using Blue Iris' JSON API for logins, which I am fairly certain they must be, then it does not send the password raw. It sends a cryptographic hash string instead. You can read a bit about how that works in the help file, under the JSON API section.
 

MWinTX

n3wb
Joined
Dec 23, 2014
Messages
1
Reaction score
0
I would like to seek confirmation on a specific aspect of what I think people mean when they speak of using stunnel in conjunction with Blue Iris. I assume they mean stunnel set up with ports and server certificate properly configured, but do not necessarily mean stunnel would be configured to use its own certificate-based client authentication ("verify") capability.

More specifically, in the same stunnel configuration file where the port numbers are set up and server certificate location is identified, there is a section on setting up client verification via certificates "to prevent MITM attacks." I am thinking that people using BI with stunnel are not necessarily generating peer certificates and configuring stunnel to use them, on the theory that the BI password security provides protection that, if not equivalent, is "good enough" under the circumstances. Is this right?

If one wanted to set up SSL client verification for BI using stunnel and client certificates, could it be done? I'm guessing I could (eventually) figure out how to do it for a browser on a laptop client, but if the client is a mobile device such as an iPhone, would this require a modification of the BI mobile app?
 
Last edited by a moderator:
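
An added example, not taken from the Blue Iris help file or from any poster: a stunnel.conf sketch of the tunnel the help file describes (port 443 to Blue Iris on the same PC), next to the same service with the certificate-based client check ("verify") asked about above. The file paths, service names and the second listening port 8443 are assumptions.

```ini
; stunnel.conf -- constructed example; every path, service name and
; the 8443 port are assumptions, not values from the thread.

; Service 1: server-authenticated TLS only.
; The router forwards external 443 here instead of to Blue Iris.
; Blue Iris keeps listening in plain HTTP on port 81 of the same PC,
; and that port is NOT forwarded on the router.
[blueiris-https]
accept  = 443
connect = 127.0.0.1:81
; PEM file holding the server certificate and its private key.
; With no separate "key" option, stunnel reads the key from "cert".
cert    = C:\stunnel\config\server.pem

; Service 2: same tunnel, but the client must also present a
; certificate that chains to the CA file below.
[blueiris-https-clientcert]
accept  = 8443
connect = 127.0.0.1:81
cert    = C:\stunnel\config\server.pem
; verify = 2 requires a peer certificate and validates it against
; CAfile; clients without a valid certificate fail the handshake.
verify  = 2
; CA (or self-signed issuer) that signed the client certificates.
CAfile  = C:\stunnel\config\client-ca.pem
```

With the second service, a client that does not present a certificate chaining to `CAfile` is rejected during the TLS handshake, before the Blue Iris login page is ever served; the first service authenticates only the server and leaves client authentication to the Blue Iris login.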

jking3

n3wb
Joined
Jan 5, 2015
Messages
3
Reaction score
0
It's funny you mention the stunnel verify feature using certs. I played with this just the other night. Using a self-signed cert I was able to get this working on iOS with Safari, by installing the p12 file on the iOS device.

However, iOS apps won't use self-signed certs. I'm not sure it would even use a verified cert if installed - I'd be willing to pay for a verified cert if this was the case, but need to verify.

There could be a workaround: if BI is willing to modify their iOS app to allow a section to import a self-signed cert, it would be fantastic with a great level of security.

Here is my email to support@blueiris.com

____
Hi,

I’m trying to use stunnel to establish SSL to Blue Iris. It works 443-80 of course. But I would also like to further validate client/server cert authentication, by using a self-signed cert installed on the mobile device (iOS in this case).

If I install my p12 cert into iOS, I can browse successfully via Safari. However, iOS apps won’t use self-signed certs in the chain, such as the Blue Iris iOS app. So client/server cert auth won’t work via iOS apps with a self-signed cert.

Would you consider doing something like this in your ios app?

http://stackoverflow.com/questions/17393488/how-to-use-self-signed-certificate-at-ios-app

This would allow users to import .p12/cer into your app.

Let me know what you think, I think this could really help provide a solid solution for checking remotely.

Thanks.
_______
 

bp2008

If you buy a certificate from a major authority (and have it configured right for your host name) then iOS apps would be able to use it without question. However this assumes that the app in question is written to support SSL in the first place.
 

jking3

Yeah, I know the BI iOS app connects via SSL, but not sure if it's written to hit the keychain for certs or not.... Anyone have any success with stunnel verify and BI iOS/SSL?

J
 