stunnel

Stunnel 5.4.3 has a bug resulting in a failure to connect. Make the following changes:

[BlueIris]
;due to a bug accept must be as follows
; normally would be as follows
;accept = 1440
; need to enter the address as 0.0.0.0
accept = 0.0.0.0:1440
connect = 127.0.0.1:81
cert = stunnel.pem
 

Thanks for your quick response John.
I'm getting closer! Now when I run the "remote access wizard" in the stunnel configuration with the relevant info, I get a green tick, which I didn't previously. However, I'm still not able to connect via https.

Should I try an older Stunnel version?
 
I never managed to get the remote access wizard to work. When you set up stunnel originally, did you add entries in the certificate creation? Entering a "." for each entry results in a failure.

I have been using stunnel for a few years now. The bug above was first time I had a failure.
 
Just a thought how are you connecting? I use the iPhone app.

If you are attempting to connect via a web browser you will require a certificate from a recognised certificate authority.
 
I'm trying to connect via a browser, but it doesn't even get back a certificate error warning.
 
Have you tried, for test purposes, disabling the firewall on the PC where stunnel and Blue Iris are running, to eliminate the firewall blocking the incoming connection?
 
Run stunnel in GUI mode and ensure there are no server errors; if the running icon is coloured red, then stunnel has not started correctly.
 
I have disabled the firewall completely on this server, as it is not destined for anything other than BI server duty.

Running the stunnel GUI I get:

Code:
Reading configuration from file stunnel.conf
2017.11.17 16:57:38 LOG5[main]: UTF-8 byte order mark detected
2017.11.17 16:57:38 LOG5[main]: FIPS mode disabled
2017.11.17 16:57:38 LOG5[main]: Configuration successful
2017.11.17 16:58:32 LOG5[0]: Service [blue-iris] accepted connection from 192.168.1.10:52158
2017.11.17 16:58:32 LOG3[0]: SSL_accept: Peer suddenly disconnected
2017.11.17 16:58:32 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2017.11.17 16:58:32 LOG5[1]: Service [blue-iris] accepted connection from 192.168.1.10:52159
2017.11.17 16:58:32 LOG5[1]: s_connect: connected 127.0.0.1:81
2017.11.17 16:58:32 LOG5[1]: Service [blue-iris] connected remote server from 127.0.0.1:52160
2017.11.17 16:58:32 LOG5[1]: Connection closed: 295 byte(s) sent to TLS, 326 byte(s) sent to socket
2017.11.17 16:58:32 LOG5[2]: Service [blue-iris] accepted connection from 192.168.1.10:52161
2017.11.17 16:58:32 LOG5[2]: s_connect: connected 127.0.0.1:81
2017.11.17 16:58:32 LOG5[2]: Service [blue-iris] connected remote server from 127.0.0.1:52162
2017.11.17 16:58:32 LOG5[2]: Connection closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2017.11.17 16:58:32 LOG5[3]: Service [blue-iris] accepted connection from 192.168.1.10:52163
2017.11.17 16:58:32 LOG5[3]: s_connect: connected 127.0.0.1:81
2017.11.17 16:58:32 LOG5[3]: Service [blue-iris] connected remote server from 127.0.0.1:52164
2017.11.17 16:58:54 LOG3[3]: SSL_read: Connection reset by peer (WSAECONNRESET) (10054)
2017.11.17 16:58:54 LOG5[3]: Connection reset: 11611 byte(s) sent to TLS, 344 byte(s) sent to socket

which shows that the conf is loaded correctly at the beginning but fails after a while.
 

Unfortunately in my case it won't work under any browser, nor with my mobile's one.
I can't think of anything else really. I even uninstalled stunnel and installed it several times to no avail.
If I could find an older version of the software, I'd try it but it seems there are no available older versions.

Anyway. Thanks for all your help John.
 
Link to archives

Index of /mirrors/stunnel/archive/5.x

Here is a copy of the config I use; it needs to be renamed to stunnel.conf.

Thank you so much!
I'll try it asap when I get home.

I will use your own conf (by deleting the existing details and copying-pasting yours from the text below) and see how it goes. If it won't work, then it's safe to assume there is something within the pfSense firewall.

I will report back.
 
Thanks for posting this John.
I've still yet to try the above fixes you suggested, hence I have not responded as of now.
I hope I will be able to test the new Stunnel either tomorrow or Tuesday.
Thanks again!
 
I am finding that BI accepts connections via Stunnel from the mobile apps (at least Android). However for web connections the Stunnel session is dropped at the BI authentication page. I can view cameras/footage if I set the BI webserver to allow all connections without authentication; I get funneled back to the authentication page if I set the webserver to non-LAN authentication only (all my testing is over LAN so far).
 
I installed 5.44 and it does not work for me. The browser just hangs on "establish a secure connection". Any idea?
Windows 7

Code:
debug = debug

[Blue Iris]
client = yes
accept  = 0.0.0.0:443
connect = 127.0.0.1:8888
cert  = stunnel.pem


Code:
2018.03.07 10:12:35 LOG7[main]: Running on Windows 6.1
2018.03.07 10:12:35 LOG7[main]: No limit detected for the number of clients
2018.03.07 10:12:35 LOG5[main]: stunnel 5.44 on x86-pc-msvc-1500 platform
2018.03.07 10:12:35 LOG5[main]: Compiled/running with OpenSSL 1.0.2m-fips  2 Nov 2017
2018.03.07 10:12:35 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2018.03.07 10:12:35 LOG7[main]: errno: (*_errno())
2018.03.07 10:12:35 LOG7[ui]: GUI message loop initialized
2018.03.07 10:12:35 LOG7[main]: Running on Windows 6.1
2018.03.07 10:12:35 LOG5[main]: Reading configuration from file stunnel.conf
2018.03.07 10:12:35 LOG5[main]: UTF-8 byte order mark detected
2018.03.07 10:12:35 LOG5[main]: FIPS mode disabled
2018.03.07 10:12:35 LOG7[main]: Compression disabled
2018.03.07 10:12:35 LOG7[main]: Snagged 64 random bytes from C:/.rnd
2018.03.07 10:12:35 LOG7[main]: Wrote 0 new random bytes to C:/.rnd
2018.03.07 10:12:35 LOG7[main]: PRNG seeded successfully
2018.03.07 10:12:35 LOG6[main]: Initializing service [Blue Iris]
2018.03.07 10:12:35 LOG7[main]: Ciphers: HIGH:!DH:!aNULL:!SSLv2
2018.03.07 10:12:35 LOG7[main]: TLS options: 0x03000004 (+0x03000000, -0x00000000)
2018.03.07 10:12:35 LOG6[main]: Loading certificate from file: stunnel.pem
2018.03.07 10:12:35 LOG6[main]: Certificate loaded from file: stunnel.pem
2018.03.07 10:12:35 LOG6[main]: Loading private key from file: stunnel.pem
2018.03.07 10:12:35 LOG6[main]: Private key loaded from file: stunnel.pem
2018.03.07 10:12:35 LOG7[main]: Private key check succeeded
2018.03.07 10:12:35 LOG4[main]: Service [Blue Iris] needs authentication to prevent MITM attacks
2018.03.07 10:12:35 LOG5[main]: Configuration successful
2018.03.07 10:12:35 LOG7[main]: Binding service [Blue Iris]
2018.03.07 10:12:35 LOG7[main]: Listening file descriptor created (FD=484)
2018.03.07 10:12:35 LOG7[main]: Option SO_EXCLUSIVEADDRUSE set on accept socket
2018.03.07 10:12:35 LOG7[main]: Service [Blue Iris] (FD=484) bound to 0.0.0.0:443
2018.03.07 10:12:35 LOG5[main]: Logging to C:\Users\KAMERY\AppData\Local\stunnel.log
2018.03.07 10:12:35 LOG7[cron]: Cron thread initialized
2018.03.07 10:13:24 LOG7[main]: Found 1 ready file descriptor(s)
2018.03.07 10:13:24 LOG7[main]: FD=484 ifds=r-x ofds=r--
2018.03.07 10:13:24 LOG7[main]: Service [Blue Iris] accepted (FD=584) from 192.168.2.97:50257
2018.03.07 10:13:24 LOG7[main]: Creating a new thread
2018.03.07 10:13:24 LOG7[main]: New thread created
2018.03.07 10:13:24 LOG7[main]: Found 1 ready file descriptor(s)
2018.03.07 10:13:24 LOG7[main]: FD=484 ifds=r-x ofds=r--
2018.03.07 10:13:24 LOG7[main]: Service [Blue Iris] accepted (FD=592) from 192.168.2.97:50258
2018.03.07 10:13:24 LOG7[main]: Creating a new thread
2018.03.07 10:13:24 LOG7[main]: New thread created
2018.03.07 10:13:24 LOG7[0]: Service [Blue Iris] started
2018.03.07 10:13:24 LOG7[0]: Option TCP_NODELAY set on local socket
2018.03.07 10:13:24 LOG5[0]: Service [Blue Iris] accepted connection from 192.168.2.97:50257
2018.03.07 10:13:24 LOG6[0]: s_connect: connecting 127.0.0.1:8888
2018.03.07 10:13:24 LOG7[0]: s_connect: s_poll_wait 127.0.0.1:8888: waiting 10 seconds
2018.03.07 10:13:24 LOG5[0]: s_connect: connected 127.0.0.1:8888
2018.03.07 10:13:24 LOG5[0]: Service [Blue Iris] connected remote server from 127.0.0.1:50259
2018.03.07 10:13:24 LOG7[0]: Option TCP_NODELAY set on remote socket
2018.03.07 10:13:24 LOG7[0]: Remote descriptor (FD=612) initialized
2018.03.07 10:13:24 LOG6[0]: SNI: sending servername: 127.0.0.1
2018.03.07 10:13:24 LOG6[0]: Peer certificate not required
2018.03.07 10:13:24 LOG7[0]: TLS state (connect): before/connect initialization
2018.03.07 10:13:24 LOG7[0]: TLS state (connect): SSLv2/v3 write client hello A
2018.03.07 10:13:24 LOG7[1]: Service [Blue Iris] started
2018.03.07 10:13:24 LOG7[1]: Option TCP_NODELAY set on local socket
2018.03.07 10:13:24 LOG5[1]: Service [Blue Iris] accepted connection from 192.168.2.97:50258
2018.03.07 10:13:24 LOG6[1]: s_connect: connecting 127.0.0.1:8888
2018.03.07 10:13:24 LOG7[1]: s_connect: s_poll_wait 127.0.0.1:8888: waiting 10 seconds
2018.03.07 10:13:24 LOG5[1]: s_connect: connected 127.0.0.1:8888
2018.03.07 10:13:24 LOG5[1]: Service [Blue Iris] connected remote server from 127.0.0.1:50260
2018.03.07 10:13:24 LOG7[1]: Option TCP_NODELAY set on remote socket
2018.03.07 10:13:24 LOG7[1]: Remote descriptor (FD=644) initialized
2018.03.07 10:13:24 LOG6[1]: SNI: sending servername: 127.0.0.1
2018.03.07 10:13:24 LOG6[1]: Peer certificate not required
2018.03.07 10:13:24 LOG7[1]: TLS state (connect): before/connect initialization
2018.03.07 10:13:24 LOG7[1]: TLS state (connect): SSLv2/v3 write client hello A
 

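An added example (editor's code, not stunnel's and not anything posted by the thread's participants) that lints the two service definitions posted in this thread. It parses stunnel's `[section]` / `option = value` format, flags an `accept` written as a bare port (the workaround posted above is to write it as `0.0.0.0:PORT`), and flags `client = yes`: in stunnel's documented client mode the service accepts plaintext on `accept` and initiates TLS toward `connect`, the reverse of what an HTTPS front end for a plain-HTTP Blue Iris port needs, so a browser speaking HTTPS to the accept port never completes a handshake. The two sample configurations are constructed from the ones posted in the thread, and the wording of the findings is this example's own.

```python
"""Lint stunnel.conf service sections for the two mistakes seen in this thread.

Added example, not stunnel's code and not anything posted by the thread's
participants. Finding texts are this example's own wording.
"""

# Constructed samples modelled on the two configurations posted in the thread.
CONF_SERVER_MODE = """\
[BlueIris]
;due to a bug accept must be as follows
accept = 0.0.0.0:1440
connect = 127.0.0.1:81
cert = stunnel.pem
"""

CONF_CLIENT_MODE = """\
debug = debug

[Blue Iris]
client = yes
accept  = 0.0.0.0:443
connect = 127.0.0.1:8888
cert  = stunnel.pem
"""


def parse_stunnel_conf(text):
    """Parse stunnel.conf text into {section_name: {option: value}}.

    stunnel's format: ';' or '#' starts a comment line, '[name]' opens a
    service section, 'option = value' sets an option, and options before the
    first section are global.  A leading UTF-8 BOM (which stunnel reports as
    "UTF-8 byte order mark detected") is tolerated.  Option names are
    case-insensitive, so they are lower-cased here.
    """
    sections = {"__global__": {}}
    current = sections["__global__"]
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
            continue
        if "=" not in line:
            raise ValueError(f"malformed stunnel.conf line: {raw!r}")
        option, _, value = line.partition("=")
        current[option.strip().lower()] = value.strip()
    return sections


def lint_service(opts):
    """Return a list of findings for one service section (empty means clean)."""
    findings = []
    accept = opts.get("accept")
    if accept is None:
        findings.append("missing 'accept'")
    elif ":" not in accept:
        # The thread's workaround for 5.4.3: give an explicit address, not just a port.
        findings.append(f"accept = {accept}: bare port; thread workaround is 0.0.0.0:{accept}")
    connect = opts.get("connect")
    if connect is None:
        findings.append("missing 'connect'")
    if opts.get("client", "no").lower() == "yes":
        # Client mode reverses the direction of TLS: plaintext in on 'accept',
        # TLS out toward 'connect'.  That is the opposite of what an HTTPS
        # front end for a plain-HTTP backend needs.
        findings.append(
            f"client = yes: stunnel will accept plaintext and start TLS toward "
            f"{connect or '?'}; a browser sending HTTPS to {accept or '?'} will hang"
        )
    elif "cert" not in opts:
        findings.append("server mode without 'cert': no certificate to present to clients")
    return findings


def lint_conf(text):
    """Lint every service section; returns {section_name: [findings]}."""
    return {
        name: lint_service(opts)
        for name, opts in parse_stunnel_conf(text).items()
        if name != "__global__"
    }


if __name__ == "__main__":
    for label, conf in (("server mode", CONF_SERVER_MODE), ("client mode", CONF_CLIENT_MODE)):
        print(label, lint_conf(conf))
```

Run it against the real stunnel.conf by reading the file with `encoding="utf-8-sig"` and passing the text to `lint_conf`; a clean server-mode section returns an empty list, which is the state the first configuration in this thread is in.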
I don't see any problems either in the logs or your configurations (although I don't use stunnel myself so I wouldn't know if something was missing).
 
It might not have anything to do with this, but two things that might have an effect:

1) The logs suggest it is using SSLv2/v3 which is old and considered insecure. Your browser might have decided it doesn't like that anymore. See if you can make stunnel use only TLS 1.2 for the https encryption.

2) Some antivirus/antimalware software can hold your connections hostage while they try to scan the content. Try temporarily disabling protection, if you have any. Windows Defender doesn't have this problem as far as I know so you can probably ignore that.
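An added example (editor's code, not part of stunnel or of any post in this thread) that triages stunnel log lines by connection id and assigns each connection a plain verdict, which is the check a reader would want before blaming a browser or antivirus. On the first log posted above it separates the connection the peer dropped during `SSL_accept` from the one that exchanged data and was reset later. On the second log it picks up the `TLS state (connect)` lines: stunnel logs `TLS state (connect)` when it is the side initiating a TLS handshake toward the `connect` address, which is what the `client = yes` line in that configuration asks for, and `SSLv2/v3 write client hello` is OpenSSL 1.0.x's state name for its version-flexible handshake method rather than a sign that SSLv2 is being negotiated. The sample logs are trimmed copies of the ones posted in the thread; the verdict wording is this example's own.

```python
"""Group stunnel log lines by connection and say where each HTTPS session died.

Added example, not part of stunnel or of the forum posts. The two samples are
trimmed copies of the logs posted in the thread.
"""
import re

SAMPLE_SERVER_LOG = """\
Reading configuration from file stunnel.conf
2017.11.17 16:57:38 LOG5[main]: Configuration successful
2017.11.17 16:58:32 LOG5[0]: Service [blue-iris] accepted connection from 192.168.1.10:52158
2017.11.17 16:58:32 LOG3[0]: SSL_accept: Peer suddenly disconnected
2017.11.17 16:58:32 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2017.11.17 16:58:32 LOG5[1]: Service [blue-iris] accepted connection from 192.168.1.10:52159
2017.11.17 16:58:32 LOG5[1]: s_connect: connected 127.0.0.1:81
2017.11.17 16:58:32 LOG5[1]: Connection closed: 295 byte(s) sent to TLS, 326 byte(s) sent to socket
2017.11.17 16:58:32 LOG5[2]: Service [blue-iris] accepted connection from 192.168.1.10:52161
2017.11.17 16:58:32 LOG5[2]: Connection closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2017.11.17 16:58:32 LOG5[3]: Service [blue-iris] accepted connection from 192.168.1.10:52163
2017.11.17 16:58:54 LOG3[3]: SSL_read: Connection reset by peer (WSAECONNRESET) (10054)
2017.11.17 16:58:54 LOG5[3]: Connection reset: 11611 byte(s) sent to TLS, 344 byte(s) sent to socket
"""

SAMPLE_CLIENT_MODE_LOG = """\
2018.03.07 10:12:35 LOG5[main]: Configuration successful
2018.03.07 10:13:24 LOG5[0]: Service [Blue Iris] accepted connection from 192.168.2.97:50257
2018.03.07 10:13:24 LOG5[0]: s_connect: connected 127.0.0.1:8888
2018.03.07 10:13:24 LOG6[0]: SNI: sending servername: 127.0.0.1
2018.03.07 10:13:24 LOG7[0]: TLS state (connect): before/connect initialization
2018.03.07 10:13:24 LOG7[0]: TLS state (connect): SSLv2/v3 write client hello A
"""

# "YYYY.MM.DD HH:MM:SS LOG<level>[<conn>]: <message>" is stunnel's line layout.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<conn>[^\]]+)\]: (?P<msg>.*)$"
)
COUNTS_RE = re.compile(
    r"Connection (?:closed|reset): (?P<tls>\d+) byte\(s\) sent to TLS, "
    r"(?P<sock>\d+) byte\(s\) sent to socket"
)
ACCEPT_RE = re.compile(r"accepted connection from (?P<peer>\S+)")


def parse_log(text):
    """Return {conn_id: [(level, message), ...]} in first-seen order."""
    conns = {}
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # banner lines such as "Reading configuration ..." carry no prefix
        conns.setdefault(m["conn"], []).append((int(m["level"]), m["msg"]))
    return conns


def triage_connection(records):
    """Summarise one connection: peer, byte counts and a verdict (example wording)."""
    summary = {"peer": None, "to_tls": None, "to_socket": None, "verdict": "no conclusion"}
    msgs = [msg for _, msg in records]
    for msg in msgs:
        if (m := ACCEPT_RE.search(msg)):
            summary["peer"] = m["peer"]
        if (m := COUNTS_RE.search(msg)):
            summary["to_tls"] = int(m["tls"])
            summary["to_socket"] = int(m["sock"])
    if any(msg.startswith("SSL_accept:") for msg in msgs):
        # Server-side handshake never finished: the peer went away during it.
        summary["verdict"] = "peer disconnected during the server-side TLS handshake"
    elif any("TLS state (connect)" in msg for msg in msgs):
        # stunnel is the TLS client here, i.e. the service runs with client = yes.
        summary["verdict"] = ("stunnel is initiating TLS toward the connect target "
                              "(client mode), not terminating the browser's TLS")
    elif any(msg.startswith("SSL_read:") for msg in msgs):
        summary["verdict"] = "session ran, then the peer reset it after data was exchanged"
    elif summary["to_tls"] == 0 and summary["to_socket"] == 0:
        summary["verdict"] = "connection opened and closed without data"
    elif summary["to_socket"] is not None:
        summary["verdict"] = "completed normally"
    return summary


def triage(text):
    """Triage every client connection; 'main', 'cron' and 'ui' are stunnel's own threads."""
    return {conn: triage_connection(recs)
            for conn, recs in parse_log(text).items()
            if conn not in ("main", "cron", "ui")}


if __name__ == "__main__":
    for label, log in (("server mode", SAMPLE_SERVER_LOG), ("client mode", SAMPLE_CLIENT_MODE_LOG)):
        print(label)
        for conn, summary in triage(log).items():
            print(f"  [{conn}] {summary['peer']}: {summary['verdict']}")
```

Point it at the path stunnel prints in its "Logging to ..." line (`C:\Users\...\AppData\Local\stunnel.log` in the second log above) to triage a live file; a run where every browser connection ends in the client-mode verdict says the configuration, not the browser or antivirus, needs attention.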