stunnel

I read this entire thread twice before realizing the first 6 pages were a bit outdated. Doh!

I thought I would post in case anyone has connectivity issues. My problem seemed to get fixed by using the absolute path to the certificate files.

cert = C:\Program Files (x86)\stunnel\config\mycert.pem

Mine did not have any mycert.pem in that folder?

I'm having issues; any help is appreciated.

2019.01.21 19:55:15 LOG5[main]: stunnel 5.50 on x64-pc-mingw32-gnu platform
2019.01.21 19:55:15 LOG5[main]: Compiled/running with OpenSSL 1.1.1a 20 Nov 2018
2019.01.21 19:55:15 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,OCSP,PSK,SNI
2019.01.21 19:55:15 LOG5[main]: Reading configuration from file stunnel.conf
2019.01.21 19:55:15 LOG5[main]: UTF-8 byte order mark detected
2019.01.21 19:55:15 LOG5[main]: Configuration successful
2019.01.21 19:57:51 LOG5[main]: Reading configuration from file stunnel.conf
2019.01.21 19:57:51 LOG5[main]: UTF-8 byte order mark detected
2019.01.21 19:57:51 LOG5[main]: Configuration successful
2019.01.21 19:57:51 LOG5[main]: Binding service [blue iris] to xxx.xxx.xx.xx:8080: Address already in use (WSAEADDRINUSE) (10048)
2019.01.21 19:57:51 LOG3[main]: Binding service [blue iris] failed

config:

[blue iris]
accept = xxx.xxx.xx.xx:8080
connect = xxx.xxx.xx.xx:81
cert = stunnel.pem

(IPs are x'd out as I don't want to give away my Blue Iris LAN IP)

If anyone has any guidance I also want to add blueiris to my domain as a subdomain such as cam.****.com


Same issues. Did you get this fixed?

@Dasstrum thanks for the video and info.
 
From what I have been told by a couple of people, disabling TLS 1.3 in Chrome just makes the browser revert to using version 1.2. So it's not disabling the security check altogether... just version 1.3.



Great point, thanks for sharing. But like you state, it does require doing it in all browsers. Might be adding unnecessary steps since it doesn't actually add any security.


Can you expand a little more on this :D

Correct. Doing this didn't allow me to connect via https://
 
Got it to work. Thanks, ipcamtalk and @Dasstrum.
2019.04.30 22:34:30 LOG5[66]: Service [blueiris] connected remote server from xxx.x.x.x:xx
2019.04.30 22:34:30 LOG5[67]: Service [blueiris] accepted connection from xx.xx.xx.xx:xxx
2019.04.30 22:36:11 LOG5[92]: s_connect: connected xxx.x.x.x:xxxx
2019.04.30 22:36:11 LOG5[92]: Service [blueiris] connected remote server from ..
2019.04.30 22:36:11 LOG5[94]: s_connect: connected ...
2019.04.30 22:36:11 LOG5[94]: Service [blueiris] connected remote server from ..
2019.04.30 22:36:11 LOG5[93]: s_connect: connected ...
2019.04.30 22:36:11 LOG5[93]: Service [blueiris] connected remote server from ..
2019.04.30 22:36:12 LOG5[94]: Connection closed: 5712 byte(s) sent to TLS, 220 byte(s) sent to socket
2019.04.30 22:36:12 LOG3[92]: SSL_read: Connection reset by peer (WSAECONNRESET) (10054)
2019.04.30 22:36:12 LOG5[92]: Connection reset: 10122 byte(s) sent to TLS, 221 byte(s) sent to socket
2019.04.30 22:36:12 LOG5[93]: Connection closed: 5267 byte(s) sent to TLS, 221 byte(s) sent to socket


Unable to log in with https:// even after disabling TLS 1.3 with chrome://flags, which I understand doesn't disable TLS but downgrades Chrome from 1.3 to 1.2. Any way around this?

How concerned should I be about port forwarding through my router now? Can anyone access this port on my BI machine even though it is viewing BI through the stunnel app?

I cannot set up a VPN through the router, which everyone seems to do (my ISP doesn't offer it as an option, as far as I can see in the DIYs).
Does anyone have a really good video/DIY like this thread to set up a VPN on the computer to run BI out?
 
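The two problems raised in this stretch of the thread, the WSAEADDRINUSE bind failure on the accept port and the question of whether the Blue Iris port sitting behind stunnel is reachable on its own, both come down to what is actually listening on the Windows box. The script below is an added example, not code from this thread or from the stunnel project: it reads the accept/connect lines out of stunnel.conf, looks up the listening socket for each port and the process that owns it, and flags a plaintext connect port that is bound to every interface (where a router forward would bypass TLS entirely). The install path, the requirement for Get-NetTCPConnection (Windows 8 / Server 2012 or newer) and the Windows service name `stunnel` are assumptions, not facts stated on the page.

```powershell
<#
 Added example (not from this thread or the stunnel project): map the accept= / connect=
 endpoints in an stunnel.conf to whatever is actually listening on those ports.
 Assumptions: PowerShell 5.1+ on Windows 8 / Server 2012 or newer (Get-NetTCPConnection),
 the default install path below, and a Windows service registered under the name "stunnel".
#>
param(
    [string]$ConfPath = 'C:\Program Files (x86)\stunnel\config\stunnel.conf'
)

function Get-StunnelEndpoints {
    # Parse [service] sections and their accept=/connect= lines; ';' starts a comment.
    # stunnel defaults: accept with no host binds every IPv4 address, connect with no
    # host means localhost.
    param([string[]]$Lines)
    $section = $null
    foreach ($raw in $Lines) {
        $line = ($raw -replace ';.*$', '').Trim()
        if (-not $line) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -and $line -match '^(accept|connect)\s*=\s*(?:(.+):)?(\d+)$') {
            $role = $Matches[1].ToLower()
            $hostPart = $Matches[2]
            if (-not $hostPart) {
                $hostPart = if ($role -eq 'accept') { '0.0.0.0' } else { '127.0.0.1' }
            }
            [pscustomobject]@{ Service = $section; Role = $role; Host = $hostPart; Port = [int]$Matches[3] }
        }
    }
}

function Get-ListenerReport {
    # For each endpoint show the owning process and flag the two situations this thread
    # keeps hitting: the accept port already owned by something else (WSAEADDRINUSE), and
    # the plaintext backend listening on all interfaces.
    param([object[]]$Endpoints)
    foreach ($ep in $Endpoints) {
        $listeners = @(Get-NetTCPConnection -LocalPort $ep.Port -State Listen -ErrorAction SilentlyContinue)
        if ($listeners.Count -eq 0) {
            [pscustomobject]@{ Service = $ep.Service; Role = $ep.Role; Configured = "$($ep.Host):$($ep.Port)"
                               BoundTo = '-'; Owner = '(nothing listening)'; Note = '' }
            continue
        }
        foreach ($l in $listeners) {
            $proc  = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
            $owner = if ($proc) { "$($proc.ProcessName) (PID $($proc.Id))" } else { "PID $($l.OwningProcess)" }
            $note  = ''
            if ($ep.Role -eq 'connect' -and $l.LocalAddress -in @('0.0.0.0', '::')) {
                $note = 'plaintext backend reachable on every interface; never forward this port at the router'
            } elseif ($ep.Role -eq 'accept' -and $proc -and $proc.ProcessName -notlike 'stunnel*') {
                $note = 'port held by another program; stunnel will fail with WSAEADDRINUSE'
            } elseif ($ep.Role -eq 'accept' -and $proc) {
                $note = 'if this is not the instance you just started, a second stunnel (GUI + service) holds the port'
            }
            [pscustomobject]@{ Service = $ep.Service; Role = $ep.Role; Configured = "$($ep.Host):$($ep.Port)"
                               BoundTo = "$($l.LocalAddress):$($l.LocalPort)"; Owner = $owner; Note = $note }
        }
    }
}

$endpoints = Get-StunnelEndpoints -Lines (Get-Content -LiteralPath $ConfPath)
Get-ListenerReport -Endpoints $endpoints | Format-Table -AutoSize -Wrap

# Assumed service name; a GUI-only install has no service at all.
$svc = Get-Service -Name 'stunnel' -ErrorAction SilentlyContinue
if ($svc) { "stunnel service: $($svc.Status)" } else { 'no "stunnel" service registered (GUI-only install?)' }
```

Run it from an elevated PowerShell so process names resolve for services. An accept row owned by a stunnel process you did not just launch is the GUI-versus-service collision described later in the thread; a connect row bound to 0.0.0.0 is harmless on the LAN but is exactly the port that must never appear in the router's forwarding table.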
I don't follow. It works, or it doesn't?

See here a few posts back where I had to do something different with the cert to get Chrome to work:

stunnel

Also, VPN has nothing to do with your ISP. If you are still using the modem/router combo they provide, they are usually garbage. If you have to use their modem, put it in bridge mode, and buy a better wifi router that can do VPN. Most on here go for one of the ASUS ones.
 

Yes, it worked until restart, and now I have an error/issue: [!] Server is down

But it worked well prior to restart.
 
The Stunnel program is a bit of a mess to get working. I find it works as follows:

If you have the service running, you can't run the GUI. If you do run the 'Stunnel GUI start' program with the service running, it will say the service is down.
If you stop the service, you can run the GUI. You can keep the GUI running, and stunnel will work.
To start the service again, you need to stop the GUI with the 'Stunnel GUI stop' program and run the 'Stunnel service start' program.

Upon a Windows restart, whatever you had running (service or GUI) will run again.
 

Ok great. I will get that sorted.

How do you know it is running, as I did not see anything running when I went to start the GUI?
 
Am I going crazy, or did stunnel just redo their entire website overnight?
It seems that they did. This new website is much better and would give people more confidence in downloading stunnel.
 
When you start the GUI there is a round symbol in the task bar.

Sorry, the way I worded it was confusing.

I did not mean the GUI. I meant how do I know if the "server is running", because when I started the GUI I didn't see anything with stunnel running prior to launching the GUI.

----reference----
If you do run the 'Stunnel GUI start' program with the server running, it will say the server is down.
If you stop the server, you can run the GUI. You can keep the GUI running, and stunnel will work.
To start the server again, you need to stop the GUI with the 'Stunnel GUI stop' program.
 
You don't, unless you check Task Manager. When just the service is running, there is no icon in the bottom right. Same with Blue Iris: how do you know it's running?
 
I just got a new router and added BI to the one port I want to be opened. I can see the cameras on the BI app when I'm on the home wifi but when I leave the house, the server won't open. What did I forget to setup?
 
If you have not gone through the @Dasstrum video on Stunnel, I would suggest following that step by step.
 
My remote access via the app (using Stunnel) stopped working several weeks ago. I was on BI4, and since push notifications had not been working in a while, and since I have been working from home, it was not a priority to fix.

Last night, I decided to perform the BI5 upgrade, which went fairly well, but I still cannot access https either from the LAN or remotely. It is not related to BI5, as it stopped working under BI4. I have checked that the external IP address on my cable modem has not changed. On the remote access test, there is a red X and the verified server box has the following message: "The operation has timed out". I also thought that maybe Comcast started blocking port 8080, but it is not on their list of blocked ports. I was thinking that since everything was working, and no changes were made on my end, that Comcast (via IP address change or port blocking) was the culprit, but this is apparently not the cause.

If anyone has any advice, I am all ears.

Thanks.

Mark
 
Have you updated STunnel to the latest/greatest release?
Mine was being wonky some time back, and updating to 5.56 resolved the issues.
I'm using it in the simplest fashion, redirecting the incoming SSL port 8444 to the BI webserver on port 8899:
Code:
; TLS front-end to a web server
[https]
accept  = 192.168.1.nn:8444
connect = 192.168.1.nn:8899
cert = stunnel.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
TIMEOUTclose = 0
 

Attachment: BI Webserver Settings.jpg
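The configuration above works, but it relies on the self-signed stunnel.pem created at install time and accepts whatever protocol versions the OpenSSL build allows. Below is an added example of the same service with the weak lines kept as comments next to hardened replacements; it is not the poster's configuration and not stunnel's shipped sample file. It assumes stunnel 5.50 or newer (for sslVersionMin and ciphersuites), Blue Iris on the same machine with its web server listening on 127.0.0.1:8899, and a CA-issued certificate for the public hostname saved as fullchain.pem and privkey.pem in stunnel's config directory. stunnel does not take comments after a value on the same line, so every comment sits on its own line.

```ini
; Added example, not the configuration posted above and not stunnel's own sample file.
; Assumptions: stunnel 5.50+ on Windows, Blue Iris web server on this machine bound to
; 127.0.0.1:8899, fullchain.pem / privkey.pem from a public CA in the stunnel config folder.

; ---- global options ----
; LOG5 lines like the ones posted in this thread
debug = 5
; refuse SSLv3 / TLS 1.0 / TLS 1.1 handshakes; TLS 1.2 and 1.3 stay allowed
sslVersionMin = TLSv1.2
options = NO_COMPRESSION
options = CIPHER_SERVER_PREFERENCE
; TLS 1.2 suites: forward secrecy and AEAD only
ciphers = ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4
; TLS 1.3 suites (OpenSSL 1.1.1 or newer); this is the default list, written out to make it explicit
ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

[https]
; the only port the router should forward
accept = 192.168.1.nn:8444
; weak (as posted):  connect = 192.168.1.nn:8899
;   BI's plaintext port is exposed on the LAN interface; a mistaken forward bypasses TLS
; hardened: talk to BI over loopback so the plaintext listener never has to exist on the LAN
connect = 127.0.0.1:8899
; weak (as posted):  cert = stunnel.pem
;   self-signed, generated at install time; every browser warns and pinning is impossible
; hardened: CA-issued chain plus a separate private key. cert= is mandatory in server mode;
; no sslVersion / sslVersionMin setting removes that requirement
cert = fullchain.pem
key = privkey.pem
; kept from the posted config: SChannel clients do not send close_notify
TIMEOUTclose = 0
```

Two points worth stating plainly. A service in server mode always needs a certificate (cert=, with key= defaulting to the same file), so restricting versions never substitutes for one. And pointing connect at loopback only protects the plaintext port if Blue Iris is in fact bound there; if BI still listens on the LAN address, that is fine inside the LAN, but the router must forward only the accept port.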
Thanks for the reply. I did update stunnel last night, but the results are the same. I am also using it in simple fashion, and went through Dasstrum's video setup again, just to make sure I had everything set up correctly again.
 
I have about given up on stunnel and gone back to using a VPN. I have watched the video several times and have followed all the instructions. I have even tried entering the line sslVersion = TLSv1.2, as recommended by some, to eliminate the need for a certificate. I also get "The operation has timed out" under Verified Server when going through the remote access wizard. When I use a different port check tool, I get "connection timed out". When I reload the stunnel configuration file, it shows proper connections with no errors. I have no problems accessing from my LAN, but am unable to access from the iOS app.