Blue Iris 5 - Stunnel & HTTPS Issues

miles267

n3wb
Joined
Dec 25, 2014
Messages
17
Reaction score
4
Since updating to the latest BI 5.2.5.2 x64, I've noticed stunnel has stopped working. BI5 runs fine. Stunnel seems to run OK, but I am unable to make an incoming connection from the internet to BI5 over stunnel, and no firewall config changes have been made.
 

dohat leku

Getting the hang of it
Joined
May 19, 2018
Messages
278
Reaction score
30
Location
usa
If you folks are still having Android issues, I have done a lot of troubleshooting directly with the author and his developers and they were not able to fix it. It's something to do with certificates.
 
Joined
Jan 4, 2020
Messages
20
Reaction score
13
Location
Uk
It seems you need to update the stunnel.pem file.

NOTE: in the video, disabling TLS 1.3 doesn't always allow you to connect to UI3 in Chrome.
@Walrus figured out that you can use the zerossl website to create a self-signed certificate (see setup below this video):

Website used for SSL:
Free SSL Certificate Wizard and other SSL Tools @ ZeroSSL

See steps below to set this up, from forum member walrus

After hours of frustration, finally solved it. I used the website Free SSL Certificate Wizard and other SSL Tools @ ZeroSSL to create a new self-signed certificate, and put my no-ip domain as the domain. This generates key.txt and crt.txt files. You then open the old stunnel.pem file and replace everything in the file with the key.txt contents followed by the crt.txt contents, in that order.

This includes replacing the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- parts, as the new key from zerossl uses -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- instead.

It now works with both the updated version of chrome on my android phone, and chrome on my work computer.


The Stunnel program is a bit of a mess to get working. I find it works as follows:

If you have the service running, you can't run the GUI. If you do run the 'Stunnel GUI start' program with the service running, it will say the service is down.
If you stop the service, you can run the GUI. You can keep the GUI running, and stunnel will work.
To start the service again, you need to stop the GUI with the 'Stunnel GUI stop' program and run the 'Stunnel service start' program.

Upon a Windows restart, whatever you had running (service or GUI) will run again.
I can confirm this was the solution for me. Something to do with an old version of TLS/SSL; I seem to think it may be due to Chrome ending support for SSLv3? If you're having this problem, try to load it in IE; it should work if this is your issue!

Either way, I edited the stunnel.pem files as in this post with details for a certificate made for my domain; this is now working perfectly from both mobile and desktop versions of Chrome.
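The stunnel.pem assembly walrus describes above (private key block first, then the certificate), written out as an added Python example; this is not code from the thread or from stunnel, and the PEM bodies below are constructed placeholders, not real key material. It goes slightly beyond the post: it accepts both the "RSA PRIVATE KEY" header ZeroSSL issued and the older "PRIVATE KEY" header, and a crt.txt that carries a chain of several certificates.

```python
import re

# One PEM block: matching BEGIN/END labels, body captured non-greedily.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.+?)\n-----END \1-----", re.S)
KEY_LABELS = ("RSA PRIVATE KEY", "PRIVATE KEY")   # PKCS#1 (ZeroSSL) and PKCS#8

def pem_blocks(text):
    """Return [(label, body)] for every well-formed PEM block, in file order."""
    text = text.replace("\r\n", "\n")               # tolerate Windows line endings
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]

def build_stunnel_pem(key_text, crt_text):
    """Assemble stunnel.pem as the post describes: the key first, then the certificate(s).
    Raises ValueError when key.txt/crt.txt do not contain what stunnel needs."""
    keys = [b for b in pem_blocks(key_text) if b[0] in KEY_LABELS]
    certs = [b for b in pem_blocks(crt_text) if b[0] == "CERTIFICATE"]
    if len(keys) != 1:
        raise ValueError("key.txt must hold exactly one private-key block")
    if not certs:
        raise ValueError("crt.txt holds no CERTIFICATE block")
    out = [f"-----BEGIN {l}-----\n{b}\n-----END {l}-----" for l, b in keys + certs]
    return "\n".join(out) + "\n"

def check_stunnel_pem(text):
    """True when the file holds one private key followed only by certificate blocks."""
    labels = [l for l, _ in pem_blocks(text)]
    return (len(labels) >= 2 and labels[0] in KEY_LABELS
            and all(l == "CERTIFICATE" for l in labels[1:]))

# Constructed stand-ins for ZeroSSL's key.txt / crt.txt; the bodies are placeholders.
KEY_TXT = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQtS0VZ\n-----END RSA PRIVATE KEY-----\n"
CRT_TXT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtQ0VSVA==\n-----END CERTIFICATE-----\n"
```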
 

denywinarto

Young grasshopper
Joined
Mar 15, 2018
Messages
53
Reaction score
3
I went through all of the Zero SSL steps with no success, along with using LetsEncrypt. Like Tech101 said, TLSv1.0 and 1.1 are no longer supported by iOS. So, I forced stunnel onto TLSv1.2. It worked for me.

In the stunnel.conf file, you'll see the following default SSL config:

; Enable support for the insecure SSLv3 protocol
;options = -NO_SSLv3

You need to force stunnel to use TLSv1.2 with the following line:

sslVersion = TLSv1.2

So, your SSL config should look as follows:

; Enable support for the insecure SSLv3 protocol
;options = -NO_SSLv3
sslVersion = TLSv1.2

Thanks this fixed it for my case!
At first only my Note 8 was working, but my wife's Huawei P30 wouldn't; then I changed it to TLSv1.2 and it works.
 

johnmcc

Young grasshopper
Joined
Mar 9, 2015
Messages
44
Reaction score
13
Thanks this fixed it for my case!
At first only my Note 8 was working, but my wife's Huawei P30 wouldn't; then I changed it to TLSv1.2 and it works.
Hi, thanks for sslVersion = TLSv1.2, which initially failed! Still generating self-signed via stunnel.

To get it to work I also had to change
[BlueIris]
accept=1440
connect=8080
cert = stunnel.pem

To
[BlueIris]
accept=1440
connect=192.168.0.2:8080
cert = stunnel.pem

I tried connect 127.0.0.1, which failed, hence pointing to the actual IP address.
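An added Python check, not from the thread or from stunnel, for the two stunnel.conf points raised in the posts above: the missing sslVersion = TLSv1.2 line, the commented-out options = -NO_SSLv3 line (which re-enables SSLv3 if uncommented), and a connect= that names only a port. SAMPLE_CONF is a constructed file in the shape of the thread's default config; the finding texts are this example's wording.

```python
import re

# Constructed stunnel.conf in the shape the thread shows; not a file from any poster.
SAMPLE_CONF = """\
; Enable support for the insecure SSLv3 protocol
;options = -NO_SSLv3

[BlueIris]
accept=1440
connect=8080
cert = stunnel.pem
"""

def parse_stunnel_conf(text):
    """Return {section: {key: value}}; keys before any [section] go under 'global'."""
    conf, current = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                                  # blank or comment line
        m = re.match(r"\[(.+)\]$", line)
        if m:                                         # new service section
            current = m.group(1)
            conf[current] = {}
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if key == "options":                          # 'options' may repeat
            conf[current].setdefault(key, []).append(value)
        else:
            conf[current][key] = value
    return conf

def lint_stunnel_conf(text):
    """One finding string per misconfiguration the thread ran into."""
    conf = parse_stunnel_conf(text)
    glob, findings = conf["global"], []
    for name, svc in conf.items():
        if name == "global":
            continue
        # a service-level sslVersion overrides the global one
        version = svc.get("sslVersion", glob.get("sslVersion"))
        if version != "TLSv1.2":
            findings.append(f"[{name}] sslVersion is {version!r}; the thread reports "
                            "sslVersion = TLSv1.2 is needed for current iOS/Android")
        if "-NO_SSLv3" in svc.get("options", []) + glob.get("options", []):
            findings.append(f"[{name}] options = -NO_SSLv3 re-enables SSLv3")
        if ":" not in svc.get("connect", ""):
            findings.append(f"[{name}] connect={svc.get('connect')} names only a port; "
                            "the thread needed the LAN IP, e.g. 192.168.0.2:8080")
    return findings
```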
 
Joined
Aug 3, 2015
Messages
3,791
Reaction score
12,182
Location
Charlotte
I went through all of the Zero SSL steps with no success, along with using LetsEncrypt. Like Tech101 said, TLSv1.0 and 1.1 are no longer supported by iOS. So, I forced stunnel onto TLSv1.2. It worked for me.

In the stunnel.conf file, you'll see the following default SSL config:

; Enable support for the insecure SSLv3 protocol
;options = -NO_SSLv3

You need to force stunnel to use TLSv1.2 with the following line:

sslVersion = TLSv1.2

So, your SSL config should look as follows:

; Enable support for the insecure SSLv3 protocol
;options = -NO_SSLv3
sslVersion = TLSv1.2
This configuration issue just struck me today.
I'm VERY happy you posted this, it fixed my iPhone app issue. :)
 

Priority

n3wb
Joined
Apr 15, 2019
Messages
18
Reaction score
9
Location
Central Texas
I went through all of the Zero SSL steps with no success, along with using LetsEncrypt. Like Tech101 said, TLSv1.0 and 1.1 are no longer supported by iOS. So, I forced stunnel onto TLSv1.2. It worked for me.

….

; Enable support for the insecure SSLv3 protocol
;options = -NO_SSLv3
sslVersion = TLSv1.2
Got me up and running again. THANKS!

Other info for those struggling with this issue:
I manage 3 different BI5 installations that are accessed with both Android and iOS. Android has been problematic with this issue for months; originally gave up fixing it.

iOS has been more "interesting". A few weeks ago, one iPhone stopped being able to connect, other iPhones were happily working and accessing the BI servers. Over the course of roughly a month, all iPhones lost the ability to connect to the 3 different servers. I surmise that iOS caches the credentials and trusts them for some length of time, maybe 30 days. Certainly forced me to do a lot of unnatural acts in debugging since I initially thought the issue was with the BI server!!!
 

TheSwede

Pulling my weight
Joined
Dec 27, 2016
Messages
108
Reaction score
102
Location
Sweden...
Hi all!

Now I got my iPhone up and running again; the Android phone was not affected, so everything is good now.

As voelker250 wrote before.

The only thing I needed to do was edit the Stunnel.conf file and add a line
sslVersion = TLSv1.2

No change in .pem file.
No ZeroSSL that needs to be changed further on.

Brgds TheSwede
 

austwhite

Getting the hang of it
Joined
Jun 7, 2020
Messages
93
Reaction score
92
Location
USA
As a few others have said, add sslVersion = TLSv1.2 and no messing with certificates is needed. It will just work with the default stunnel.pem file at TLSv1.2.
Adding one line to the config file certainly is easier than messing about with zerossl and trying to actually find the self-signed certificate option. The result is the same: you get SSL with the warning that the cert is self-signed.
Much easier.
 

jtsull

n3wb
Joined
Dec 14, 2015
Messages
20
Reaction score
2
sslVersion = TLSv1.2: I spent many hours trying to get stunnel to work. Wish I went looking for this earlier.
Added that line to the stunnel.conf file. WORKS! Thank you for the posts.
 

tech101

Known around here
Joined
Mar 30, 2015
Messages
1,472
Reaction score
2,125
Location
SF BayArea, USA
Does anyone know if ZeroSSL stopped issuing certs, or do we have to verify the email before they give us a cert? And is it only 90 days now for free?
 

majones

n3wb
Joined
May 25, 2018
Messages
21
Reaction score
11
Location
UK
I was puzzled why my older Android phone connected to the BI server fine, but my daughter's newer Android phone wouldn't no matter what I did. Editing the stunnel.conf file to add the line sslVersion = TLSv1.2 fixed it! Brilliant!
 

tech101

Known around here
Joined
Mar 30, 2015
Messages
1,472
Reaction score
2,125
Location
SF BayArea, USA
So today I just noticed I am having an issue connecting to my BI, since I use stunnel from outside. Now not sure if Comcast is just simply blocking ports. My firewall rules are correct, and I can connect from inside fine over stunnel, which tells me the stunnel piece is working fine; whatever it is has to do with ports. I did turn off the Windows built-in firewall as well to see, and that is not causing this. Not sure what changed since I did not change anything. Anyone else?
 

tech101

Known around here
Joined
Mar 30, 2015
Messages
1,472
Reaction score
2,125
Location
SF BayArea, USA
All sorted. Turns out it was the stupid Google WiFi. I did restart the device and it did not help, but today I powered it off for 10 sec and powered it back up and all of a sudden everything is now working. Ahh.. Ubiquiti soon for sure.
 

Tayobo

n3wb
Joined
Apr 3, 2020
Messages
1
Reaction score
0
Location
CO
New user of Blue Iris, just going through all the videos to configure, specifically the stunnel video. Here is my setup:

Server - Windows 10 Patched and updated
Blue Iris 5
stunnel 5.55
Netgear Orbi router
Android - Essential PH1 on Q

Configs:
Port forward setup to BI Server - Port 8081 to 192.168.1.26

Blue Iris 5 Web server config:
Remote external x.x.x.x:8081
Local Lan 192.168.1.26:8081
Enable http web server on port 81
HTTPS Lan Also

Stunnel Config:
Under TLS Client Mode
accept = 8081
connect = 81
cert = stunnel.pem



The problems:

On the server, if I open Chrome and go to I get "site can't be reached" with "ERR_SSL_KEY_USAGE_INCOMPATIBLE".

On the server, if I open IE and go to it works as expected.


From a workstation outside the network it does the same thing: I can use IE but it hates Chrome.

On the Android app, it does not connect from outside the network. If I


Android App - Just simply does not connect.
If I use Chrome on the phone to browse to the site I get "site cannot be reached". ERR_SSL_KEY_INCOMPATIBLE

Checking the stunnel log, I have lots of this error:
2019.06.12 14:35:07 LOG3[2734]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
2019.06.12 14:35:07 LOG5[2734]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2019.06.12 14:35:07 LOG3[2735]: SSL_accept: ssl/record/rec_layer_s3.c:1535: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter
2019.06.12 14:35:07 LOG5[2735]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket


Anyone have any ideas?
same issue, did you ever figure this out?
 
Joined
Jun 27, 2021
Messages
1
Reaction score
0
Location
Italy
The question is another one: WHY, if I can connect to my stunnel/BlueIris server from an Android smartphone using Firefox (manually adding a security exception to Firefox due to the self-signed certificate), is the BlueIris app not able to do the same, or show some useful message instead of "unable to connect"?
Is it such a complex matter to show a question like Firefox does, to ask about the certificate security, and save the certificate credential for future access?
Apps like BlueIris for Android push Android development back ten years in time.
 

beepbeep

n3wb
Joined
Feb 18, 2021
Messages
4
Reaction score
0
Location
USA
The question is another one: WHY, if I can connect to my stunnel/BlueIris server from an Android smartphone using Firefox (manually adding a security exception to Firefox due to the self-signed certificate), is the BlueIris app not able to do the same, or show some useful message instead of "unable to connect"?
Is it such a complex matter to show a question like Firefox does, to ask about the certificate security, and save the certificate credential for future access?
Apps like BlueIris for Android push Android development back ten years in time.

Coming from the dev: Android is forcing proper certs with apps, so it won't connect unless you have one. I have a ZeroSSL cert.
 

OgRoar

Getting the hang of it
Joined
Apr 1, 2021
Messages
31
Reaction score
32
Location
US
I think it's best to just post here as a lot of you are doing what I did.

I had a 3-month cert from Let's Encrypt working and after messing with it every 3 months, I'm done. Plus I can't figure out how to get past the limit of 3, as it still thinks I have 3 SSLs even though they are all expired.

I'm trying to use a Cloudflare cert and getting the following error in Chrome:
NET::ERR_CERT_AUTHORITY_INVALID
 