stunnel

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
I read this entire thread twice before reading first 6 pages were a bit outdated. Doh!

I thought I would post in case anyone has connectivity issues. My problem seemed to get fixed by using the absolute path to the certificate files.

cert = C:\Program Files (x86)\stunnel\config\mycert.pem
Mine did not have any mycert.pem in that folder?

I'm having issues any help is appreciated.

2019.01.21 19:55:15 LOG5[main]: stunnel 5.50 on x64-pc-mingw32-gnu platform
2019.01.21 19:55:15 LOG5[main]: Compiled/running with OpenSSL 1.1.1a 20 Nov 2018
2019.01.21 19:55:15 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,OCSP,PSK,SNI
2019.01.21 19:55:15 LOG5[main]: Reading configuration from file stunnel.conf
2019.01.21 19:55:15 LOG5[main]: UTF-8 byte order mark detected
2019.01.21 19:55:15 LOG5[main]: Configuration successful
2019.01.21 19:57:51 LOG5[main]: Reading configuration from file stunnel.conf
2019.01.21 19:57:51 LOG5[main]: UTF-8 byte order mark detected
2019.01.21 19:57:51 LOG5[main]: Configuration successful
2019.01.21 19:57:51 LOG5[main]: Binding service [blue iris] to xxx.xxx.xx.xx:8080: Address already in use (WSAEADDRINUSE) (10048)
2019.01.21 19:57:51 LOG3[main]: Binding service [blue iris] failed

config:

[blue iris]
accept = xxx.xxx.xx.xx:8080
connect = xxx.xxx.xx.xx:81
cert = stunnel.pem

(ip's are x's as I don't want to give away my blueiris lan ip)

If anyone has any guidance I also want to add blueiris to my domain as a subdomain such as cam.****.com

Same issues. Did you get this fixed?

@Dasstrum thanks for the video and info.
 
Last edited:

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
From what I have been told by a couple people, disabling TLS 1.3 in chrome just makes the browser revert to using version 1.2. So its not disabling the security check altogether... just version 1.3



Great point, thanks for sharing. But like you state it does require doing it in all browsers. Might be adding unnecessary steps since it doesn't actually add any security


Can you expand a little more on this :D
Correct. Doing this didn't allow to conect https://
 

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
Got it to work.. thanks ipcamtalk and @Dasstrum
2019.04.30 22:34:30 LOG5[66]: Service [blueiris] connected remote server from xxx.x.x.x:xx
2019.04.30 22:34:30 LOG5[67]: Service [blueiris] accepted connection from xx.xx.xx.xx:xxx
2019.04.30 22:36:11 LOG5[92]: s_connect: connected xxx.x.x.x:xxxx
2019.04.30 22:36:11 LOG5[92]: Service [blueiris] connected remote server from ..
2019.04.30 22:36:11 LOG5[94]: s_connect: connected ...
2019.04.30 22:36:11 LOG5[94]: Service [blueiris] connected remote server from ..
2019.04.30 22:36:11 LOG5[93]: s_connect: connected ...
2019.04.30 22:36:11 LOG5[93]: Service [blueiris] connected remote server from ..
2019.04.30 22:36:12 LOG5[94]: Connection closed: 5712 byte(s) sent to TLS, 220 byte(s) sent to socket
2019.04.30 22:36:12 LOG3[92]: SSL_read: Connection reset by peer (WSAECONNRESET) (10054)
2019.04.30 22:36:12 LOG5[92]: Connection reset: 10122 byte(s) sent to TLS, 221 byte(s) sent to socket
2019.04.30 22:36:12 LOG5[93]: Connection closed: 5267 byte(s) sent to TLS, 221 byte(s) sent to socket


Unable to log in with https:// even after disabled tls with chrome://flags which I understands doesn't disable but downgrades to 1.2 vs 1.3 on chrome. Anyway around this?

How concerned should I be about port forwarding through my router now? Can anyone access this port on my BI machine even though it is viewing BI through stunnel app?

I cannot setup a VPN through router which everyone seems to do (my ISP doesn't have it as an option that I see in DIYs)
Does anyone have a really good video/diy like this thread to setup VPN on computer to run BI out?
 
Last edited:

Walrus

Getting comfortable
Joined
Nov 19, 2018
Messages
593
Reaction score
449
Location
Ontario
I don't follow. It works, or it doesn't?

See here a few posts back where I had to do something different with the cert to get chrome to work:

stunnel

Also, VPN has nothing to do with your ISP. If you are still using the modem/router combo they provide, they are usually garbage. If you have to use their modem, put it in bridge mode, and buy a better wifi router that can do VPN. Most on here go for one of the ASUS ones.
 

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
I don't follow. It works, or it doesn't?

See here a few posts back where I had to do something different with the cert to get chrome to work:

stunnel

Also, VPN has nothing to do with your ISP. If you are still using the modem/router combo they provide, they are usually garbage. If you have to use their modem, put it in bridge mode, and buy a better wifi router that can do VPN. Most on here go for one of the ASUS ones.
Yes it worked until restart and now have an error/issue. [!] Server is down

But it worked well prior to restart.
 

Walrus

Getting comfortable
Joined
Nov 19, 2018
Messages
593
Reaction score
449
Location
Ontario
The Stunnel program is a bit of a mess to get working. I find it works as follows:

If you have the service running, you can't run the GUI. If you do run the 'Stunnel GUI start' program with the service running, it will say the service is down.
If you stop the service , you can run the GUI. You can keep the GUI running, and stunnel will work.
To start the service again, you need to stop the GUI with the 'Stunnel GUI stop' program and run the 'Stunnel service start' program.

Upon a windows restart, whatever you had running (service or GUI) will run again.
 
Last edited:

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
The Stunnel program is a bit of a mess to get working. I find it works as follows:

If you have the server running, you can't run the GUI. If you do run the 'Stunnel GUI start' program with the server running, it will say the server is down.
If you stop the server, you can run the GUI. You can keep the GUI running, and stunnel will work.
To start the server again, you need to stop the GUI with the 'Stunnel GUI stop' program.

Upon a windows restart, whatever you had running (server or GUI) will run again.
Ok great. I will get that sorted.

How do you know it is running as I did not see anything running when I went to start the GUI.
 

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
Am I going crazy or did stunnel: Home just redo their entire website overnight?
-It seems that they did. This new website is much better and would give people more confidence on downloading stunnel
 
Last edited:

Walrus

Getting comfortable
Joined
Nov 19, 2018
Messages
593
Reaction score
449
Location
Ontario
When you start the GUI there is a round symbol in the task bar upload_2019-5-3_6-20-31.png
 

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
When you start the GUI there is a round symbol in the task bar View attachment 42115
Sorry the way I worded it was confusing.

I did not mean the GUI. I meant how do I know if the "server is running" because when I started the GUI I didn't see anything with stunnel running prior to launching the GUI.

----reference----
If you do run the 'Stunnel GUI start' program with the server running, it will say the server is down.
If you stop the server, you can run the GUI. You can keep the GUI running, and stunnel will work.
To start the server again, you need to stop the GUI with the 'Stunnel GUI stop' program.
 

Walrus

Getting comfortable
Joined
Nov 19, 2018
Messages
593
Reaction score
449
Location
Ontario
You don't, unless you check task manager. When just the service is running, there is no icon in the bottom right. Same with Blue Iris.. how do you know it's running?
 

Weather_Junkie

Getting the hang of it
Joined
Oct 16, 2017
Messages
101
Reaction score
15
Location
Smoky Mountains, TN
I just got a new router and added BI to the one port I want to be opened. I can see the cameras on the BI app when I'm on the home wifi but when I leave the house, the server won't open. What did I forget to setup?
 

giomania

IPCT Contributor
Joined
Jun 1, 2017
Messages
780
Reaction score
538
I just got a new router and added BI to the one port I want to be opened. I can see the cameras on the BI app when I'm on the home wifi but when I leave the house, the server won't open. What did I forget to setup?
If you have not gone through the @Dasstrum video on Stunnel, I would suggest following that step by step.
 

giomania

IPCT Contributor
Joined
Jun 1, 2017
Messages
780
Reaction score
538
My remote access via the app (using Stunnel) stopped working several weeks ago. I was on BI4, and since push notifications had not been working in awhile, and since I have been working from home, it was not a priority to fix.

Last night, I decided to perform the BI5 upgrade last night, which went fairly well, but still cannot access https either from the LAN or remotely. It is not related to BI5, as it stopped working under BI4. I have checked the external IP address on my cable modem has not changed. On the remote access test, there is red X and the verified server box has the following message: "The operation has timed out". I also thought that maybe Comcast started blocking port 8080, but it is not on their list of blocked ports. I was thinking that since everything was working, and no changes were made on my end, that Comcast (via IP address change or port blocking) was the culprit, but this is apparently not the cause.

If anyone has any advice, I am all ears.

Thanks.

Mark
 
Last edited:
Joined
Aug 3, 2015
Messages
3,791
Reaction score
12,182
Location
Charlotte
If anyone has any advice, I am all ears.
Have you updated STunnel to the latest/greatest release?
Mine was being wonky some time back, and updating to 5.56 resolved the issues.
I'm using it in the simplest fashion, redirecting the incoming SSL port 8444 to the BI webserver on port 8899:
Code:
; TLS front-end to a web server
[https]
accept  = 192.168.1.nn:8444
connect = 192.168.1.nn:8899
cert = stunnel.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
TIMEOUTclose = 0
 

Attachments

giomania

IPCT Contributor
Joined
Jun 1, 2017
Messages
780
Reaction score
538
Have you updated STunnel to the latest/greatest release?
Mine was being wonky some time back, and updating to 5.56 resolved the issues.
I'm using it in the simplest fashion, redirecting the incoming SSL port 8444 to the BI webserver on port 8899:
Code:
; TLS front-end to a web server
[https]
accept  = 192.168.1.nn:8444
connect = 192.168.1.nn:8899
cert = stunnel.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
TIMEOUTclose = 0
Thanks for the reply. I did update stunnel last night, but the results are the same. I am also using it in simple fashion, and went through Dasstrum's video setup again, just to make sure I had everything set up correctly again.
 

BayAreaDave

Getting the hang of it
Joined
Aug 3, 2018
Messages
25
Reaction score
29
Location
SF Bay Area
My remote access via the app (using Stunnel) stopped working several weeks ago. I was on BI4, and since push notifications had not been working in awhile, and since I have been working from home, it was not a priority to fix.

Last night, I decided to perform the BI5 upgrade last night, which went fairly well, but still cannot access https either from the LAN or remotely. It is not related to BI5, as it stopped working under BI4. I have checked the external IP address on my cable modem has not changed. On the remote access test, there is red X and the verified server box has the following message: "The operation has timed out". I also thought that maybe Comcast started blocking port 8080, but it is not on their list of blocked ports. I was thinking that since everything was working, and no changes were made on my end, that Comcast (via IP address change or port blocking) was the culprit, but this is apparently not the cause.

If anyone has any advice, I am all ears.

Thanks.

Mark
I have about given up on stunnel and gone back to using a vpn. I have watched the video several times and have followed all the instructions. I have even tried entering the line sslVersion = TLSv1.2 as recommended by some to eliminate the need for a certificate. I also get the "The operation has timed out" under verified sever when going through the remote access wizard. When I use a different port check tool, I get "connection timed out". When I reload the stunnel configuration file, it shows proper connections with no errors. I have no problems accessing from my LAN, but am unable to access from the iOS app.
 
Top