stunnel

nejakejnick

Getting the hang of it
Joined
Aug 30, 2015
Messages
138
Reaction score
24
Oh, "client = yes" was the problem. I must have copypasted it when I was googling some strange errors... :facepalm:
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,666
Reaction score
14,006
Location
USA
I never would have guessed that. Even now that I've looked up the meaning of the "client" parameter, the meaning is ambiguous to me.
 

awahl101

Young grasshopper
Joined
Sep 21, 2017
Messages
66
Reaction score
15
Just an update to this it now is under TLS not SSL.

Also you need to add this after connect = * cert = stunnel.pem


Is there any reason why this would break the chromecast in the app? It no longer shows up as being available, another connection using http shows this option but says you need to use https.

Would love to get this working
 

Weather_Junkie

Getting the hang of it
Joined
Oct 16, 2017
Messages
101
Reaction score
15
Location
Smoky Mountains, TN
My Stunnel.conf file under "TLS Client Mode Services"

[blue iris]
accept = 8080
connect = 8081
cert = stunnel.pem

My Router is forwarding port 8080 to BI/Stunnel computer.

My BI Web server settings reads as follows "Enable the HTTP Web server on port 8081"

Check mark in "Stunnel is installed for HTTPS on Port: 8080"


I don't have HTTPS checked off in my BI app. I'm using no-ip as a ddns service and I switched it to https on the no-ip configuration page.
Thanks to you, I stopped banging my head on the desk. I'm not an IT guy but am tech-savvy and I still couldn't figure it all out. Until now!
 

Weather_Junkie

Getting the hang of it
Joined
Oct 16, 2017
Messages
101
Reaction score
15
Location
Smoky Mountains, TN
I didn't read every single post within this thread as I skipped around to the ones that were relevant to me but just to double check that Stunnel is working, The only port I have open in my router is what I have now configured through Stunnel. The old one I originally had open (and unsecured) is now closed and I can instantly log into BI through the app. Even though the new port shows up as open in canyouseeme.org, is it really secure behind the scenes? Just as a test I shut down stunnel on my PC and tried to access BI using the app and it wouldn't open. Once I started the service again, I could login. Did I answer my own question?

Also BIG TIME THANKS tobradconverse.The step-by-step was such a big help.
[URL='https://ipcamtalk.com/members/smiticans.9393/']smiticans
post above just helped me cross the finish line.
[/URL]
 
Last edited:

LeeZ

n3wb
Joined
May 27, 2018
Messages
17
Reaction score
0
Location
California
I have a few questions that I wonder if someone can help with.

I too would like to utilize Stunnel to achieve at least some level of security when viewing my camera feeds remotely on my smartphone. I'd like to install a VPN that would encrypt the video feeds to allow me that security. But, since my router consists of 3 Google Wifi pucks, and due to my difficulty configuring a VPN client with Google Wifi without rooting it and installing a new firmware, I have not been successful in getting a VPN server (i.e., OpenVPN, onboard Windows 7 VPN, ExpressVPN) to work on that router. So, I'm now trying to use Stunnel to add at least some security. I'm viewing and recording the feeds for 4 cameras using BI on a 64-bit PC with Windows 7 Pro. However, even after downloading stunnel-5.49.tar.gz and unzipping the file from stunnel: Downloads, I'm unable to locate an .exe file to install Stunnel. I'm hoping stunnel-5.49.tar.gz is the correct file to download for a 64-bit machine. If not, please let me know. It seems that there should be an .exe file for Stunnel as part of the download. Should I even expect to find an .exe file, and if not, what files would help me to install it?

Thank you in advance.
Lee
 

Vettester

Getting comfortable
Joined
Feb 5, 2017
Messages
740
Reaction score
693
I'm hoping stunnel-5.49.tar.gz is the correct file to download for a 64-bit machine. If not, please let me know. It seems that there should be an .exe file for Stunnel as part of the download. Should I even expect to find an .exe file, and if not, what files would help me to install it?

Thank you in advance.
Lee
Use stunnel-5.49-win32-installer.exe
 

LeeZ

n3wb
Joined
May 27, 2018
Messages
17
Reaction score
0
Location
California
Hello from Germany.
My english is maybe not the best. But i got BI&Stunnel running fine. Only the following Info by testing (The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.) isn´t fixed. But i think it is combined with the own-certificate stunnel.pem which is not signed as trusted.

[blue iris]
accept = 8151
connect = 8141
cert = stunnel.pem.

[blue iris], here you can also take [https]
accept = 443 (https)
connect = 99 (htp)
cert = stunnel.pem

I have a windows10x64 system with an fritzbox7490 router with portforward and also a dns-site, connected from the router. Everything works fine and the wan refreshs automatically. Only the warning because of the certificate if i connect via browser isn´t fixed. But i have no dns with textchanges and no homepage. So i think, it is the best solution until now.

With an friend we tried to connect to the site without typing "https://xxxxxxx.xxdns.xx" and only type the url without https but i didn´t work.

Shoud we fix that, we call it luxusproblems, i would fresh you up. It would be great if the software could be in german. I would offer myself to translate it :)
There are so many and awesome posibilietes to use this software differently, that it seems, that no one without me got such ideas in this area. But as you know, germans are stupid :-D

If i can help anyone, i would do. Sometimes it is useful to work with Teamviewer to connect to each other to fix probs without travelling arround the world.

Mobile browser with firefox on android works, if you switch to desktop-site.

Best regards.

ME
I was able to set up Stunnel, and I too am having the same problem as the poster above, i.e., getting the error message when I click the "Test Again" button towards the end of the "Remote Access Test" procedure: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. I am able to use the Blue Iris app to view my cameras' streams remotely on my smart phone, but I'm concerned the streams will not be encrypted when I get the above error message.

My Stunnel.conf file shows the following under ; ***************************************** Example TLS client mode services

[BlueIris]
;due to a bug accept must be as follows
; normally would be as follows
;accept = xxxx
accept = 0.0.0.0:xxxx
connect = 192.168.1.200:8081
cert = stunnel.pem

Please see attached screenshot of page with error.

Can someone please offer guidance on how I can resolve this? Please forgive my ignorance, but I couldn't quite follow the discussion about how to resolve this.

Thanks in advance.
Lee
 

Attachments

Last edited:

vwsplitty

Young grasshopper
Joined
Oct 21, 2015
Messages
78
Reaction score
20
fd


I was able to set up Stunnel, and I too am having the same problem as the poster above, i.e., getting the error message when I click the "Test Again" button towards the end of the "Remote Access Test" procedure: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. I am able to use the Blue Iris app to view my cameras' streams remotely on my smart phone, but I'm concerned the streams will not be encrypted when I get the above error message.

My Stunnel.conf file shows the following under ; ***************************************** Example TLS client mode services

[BlueIris]
;due to a bug accept must be as follows
; normally would be as follows
;accept = 1440
accept = 0.0.0.0:1440
connect = 192.168.1.200:8081
cert = stunnel.pem

Please see attached screenshot of page with error.

Can someone please offer guidance on how I can resolve this? Please forgive my ignorance, but I couldn't quite follow the discussion about how to resolve this.

Thanks in advance.
Lee

I wouldn’t be posting my WAN ip and port here for people to see!
 

LeeZ

n3wb
Joined
May 27, 2018
Messages
17
Reaction score
0
Location
California
Hi,
I set up stunnel according to posts in this thread, but not sure if it's correct and as secure as it can be using stunnel by itself as I am doing. I am able to connect remotely and view my home camera feeds using blue iris on my android smart phone using the blue iris app, and I am able to view the video feeds of the camera in a browser on my smart phone using the WAN https:// address I set up and is specified under "Client app login" when using the "remote access wizard" under the "Web server" tab. However, in the address bar when I enter this WAN https address on my smart phone without wifi, the "https//" part of the address has a red line through it and I get a message saying "Your connection to this site is not secure. You should not enter any sensitive information on this site (for example, passwords or credit cards) because it can be stolen by hackers". The identify of this website has not been verified. Server's certificate does not match the URL. Server's certificate is not trusted."

Can anyone share if this is a concern, and if so, how I can resolve it? Do I need to modify the certificate somehow, and if so, how?

Also, as stated in my post above, I get the page in the attached screenshot that shows an error when I run the remote access wizard.

Any help would be much appreciated.

Thanks,
Lee
 

Attachments

Last edited:

brettcp

Young grasshopper
Joined
Jul 30, 2018
Messages
34
Reaction score
15
Location
CA
I've been messing around with this for a couple of hours now.. tried certificates from multiple providers (ZeroSSL and others), etc.. I can access BI via HTTPS but my browser prompts that "Your connection is not secure" and I have to add an exception to continue.. when coming from my LAN (works fine when using my WAN/external IP). I assume I've done something wrong as I believe I should not be getting this warning if Stunnel and my certificate is setup properly.. When I attempt to connect from a browser, I get this in the Stunnel log:

2018.11.18 14:35:59 LOG5[0]: Service [Blue-Iris] accepted connection from 192.168.2.121:50291
2018.11.18 14:35:59 LOG3[0]: SSL_accept: 14094412: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
2018.11.18 14:35:59 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

Any ideas?
 
Last edited:

davej

Getting the hang of it
Joined
Apr 25, 2014
Messages
279
Reaction score
69
I've been messing around with this for a couple of hours now.. tried certificates from multiple providers (ZeroSSL and others), etc.. I can access BI via HTTPS but my browser prompts that "Your connection is not secure" and I have to add an exception to continue..
[...]
Any ideas?
Don't modern browsers always issue such warnings for free self-signed certificates?
 

Dasstrum

IPCT Contributor
Joined
Nov 4, 2016
Messages
578
Reaction score
736
Location
Florida
Hello everyone!

I am in the process of creating a "How To" video on properly configuring stunnel on your machines. I should have the video ready within the week :)

I am also going to make a video on "How To" on setting up a VPN and how to connect Blue Iris to it. Both videos will be very generic as some configuration is required on your router and not all are the same
 

Dasstrum

IPCT Contributor
Joined
Nov 4, 2016
Messages
578
Reaction score
736
Location
Florida
Also, I am not an expert in network security, merely someone that enjoys helping others and learning how to do this stuff myself. As of a week ago I knew nothing about stunnel but I have successfully configured it on my system and am ready to show how I did it However:

if anyone here is familiar with network security I do have some technical data flow questions to ask if they could please send me a message. Thanks :)
 

Dasstrum

IPCT Contributor
Joined
Nov 4, 2016
Messages
578
Reaction score
736
Location
Florida
Video will be back up shortly... I had to take it down bc I didn't blur my public IP address in 2 parts of the video /facepalm
 

razorseal

Getting the hang of it
Joined
Oct 17, 2014
Messages
149
Reaction score
6
I tried it again today. I did it exactly as video, down to using same ports... I am still getting WSAECONNREFUSED (10061)

I cannot figure out what that error is to fix it... Very unfortunate.

Anyone have an idea? I installed the latest (5.50 64bit) one...

edited to add -

I changed the config from just ports to the IP of computer... that worked! so pretty much
accept = 192.1.1.5:8080
connect = 192.1.1.5:81

now is there a way we can get stunnel.pem signed by maybe like let's encrypt?
 
Last edited:

jmhmcse

Pulling my weight
Joined
Dec 30, 2018
Messages
211
Reaction score
129
Location
usa
Its done:

Great video, will likely follow the instructions and install/configure STUNNEL later this week.


One note though... totally disabling security checking for your browser is risky (unwise). Why not simply add the self-signed certificate (ssc) to the browser?

chrome://settings/privacy then Manage Certificates, Import

Yes, that requires the ssc file to be installed on any/all systems that would be used to connect to BI.


In addition to using STUNNEL's ssc, documentation implies that any ssc can be used as long as it is a PEM or P12 format.
 

razorseal

Getting the hang of it
Joined
Oct 17, 2014
Messages
149
Reaction score
6
where is the stunnel cert kept? I thought in documents but I was wrong.
 

Dasstrum

IPCT Contributor
Joined
Nov 4, 2016
Messages
578
Reaction score
736
Location
Florida
One note though... totally disabling security checking for your browser is risky (unwise).
From what I have been told by a couple people, disabling TLS 1.3 in chrome just makes the browser revert to using version 1.2. So its not disabling the security check altogether... just version 1.3

Why not simply add the self-signed certificate (ssc) to the browser?

chrome://settings/privacy then Manage Certificates, Import

Yes, that requires the ssc file to be installed on any/all systems that would be used to connect to BI.
Great point, thanks for sharing. But like you state it does require doing it in all browsers. Might be adding unnecessary steps since it doesn't actually add any security
In addition to using STUNNEL's ssc, documentation implies that any ssc can be used as long as it is a PEM or P12 format.
Can you expand a little more on this :D
 
Top