Blue Iris HTTPS?
- Thread starter ZaSz
- Start date
fenderman
Staff member
- Mar 9, 2014
- 36,891
- 21,407
Welcome to the forum..
Have you setup stunnel? From the help file.
Have you setup stunnel? From the help file.
How to use HTTPS (SSL) with the Blue Iris web serverWhen you have selected Secure Only on the Options/Webserver page, you are presented with a Blue Iris login page instead of the browser's own username/password form. When this login page is used, your user name and password are NOT sent to the Blue Iris web server. A secure hash (encryption) is created from a combination of these credentials and a unique session key.While your authentication is securely protected by this mechanism, some users will want to know that the actual video itself is encrypted. This is only possible with the use of an add-on SSL (Secure Socket Layer) technology.We have recently discovered stunnel (www.stunnel.org) which you may install as a service onto your PC. Instead of configuring your router to forward traffic to Blue Iris, you would configure that traffic to go to stunnel, and then configure stunnel to then forward the traffic to the Blue Iris web server. For example, external port 443 (the standard HTTPS port) forwards to stunnel port 443, and stunnel forwards to Blue Iris on the same PC on port 80 or 81.
Ah I thought the login could be SSL and if you wanted videos to be SLL also you needed stunnel.
So "Secure Only" =/= HTTPS. It is only a different login page.
So without stunnel, there is no way to make the iOS app send credentials in a secure way?
So "Secure Only" =/= HTTPS. It is only a different login page.
So without stunnel, there is no way to make the iOS app send credentials in a secure way?
I would like to seek confirmation on a specific aspect of what I think people mean when they speak of using stunnel in conjunction with Blue Iris. I assume they mean stunnel set up with ports and server certificate properly configured, but do not necessarily mean stunnel would be configured to use its own certificate-based client authentication ("verify") capability.
More specifically, in the same stunnel configuration file where the port numbers are set up and server certificate location is identified, there is a section on setting up client verification via certificates "to prevent MITM attacks." I am thinking that people using BI with stunnel are not necessarily generating peer certificates and configuring stunnel to use them, on the theory that the BI password security provides protection that, if not equivalent, is "good enough" under the circumstances. Is this right?
If one wanted to set up SSL client verification for BI using stunnel and client certificates, could it be done? I'm guessing I could (eventually) figure out how to do it for a browser on a laptop client, but if the client is a mobile device such as an iPhone, would this require a modification of the BI mobile app?
More specifically, in the same stunnel configuration file where the port numbers are set up and server certificate location is identified, there is a section on setting up client verification via certificates "to prevent MITM attacks." I am thinking that people using BI with stunnel are not necessarily generating peer certificates and configuring stunnel to use them, on the theory that the BI password security provides protection that, if not equivalent, is "good enough" under the circumstances. Is this right?
If one wanted to set up SSL client verification for BI using stunnel and client certificates, could it be done? I'm guessing I could (eventually) figure out how to do it for a browser on a laptop client, but if the client is a mobile device such as an iPhone, would this require a modification of the BI mobile app?
Last edited by a moderator:
Its funny you mention stunnel verify feature using certs. I played with this just the other night. Using a self signed cert I was able to get this working on IOS with safari, by installing the p12 file on the ios.
However, ios apps won't use self signed certs. I'm not sure it would even use a verified cert if installed - I'd be willing to pay for a verified cert if this was the case, but need to verify.
There could be a work around if, BI is willing to modify their ios app to allow a section to import a self signed cert, it would be fantastic with a great level of security.
Here is my email to [email protected]
____
Hi,
I’m trying to use stunnel to establish ssl to blueiris. It works 443-80 of course. But I would like to also like to further validate client/server cert authentication, by using a self signed cert installed on the mobile device (ios in this case).
If I install my p12 cert into IOS, I can browse successfully via safari. However, ios apps won’t use self-signed certs in the chain, such as the blueiris ios app. So client/server cer auth won’t work via ios apps with self-signed cert.
Would you consider doing something like this in your ios app?
http://stackoverflow.com/questions/17393488/how-to-use-self-signed-certificate-at-ios-app
This would allow users to import .p12/cer into your app.
Let me know what you think, I think this could really help provide a solid solution for checking remotely.
Thanks.
_______
However, ios apps won't use self signed certs. I'm not sure it would even use a verified cert if installed - I'd be willing to pay for a verified cert if this was the case, but need to verify.
There could be a work around if, BI is willing to modify their ios app to allow a section to import a self signed cert, it would be fantastic with a great level of security.
Here is my email to [email protected]
____
Hi,
I’m trying to use stunnel to establish ssl to blueiris. It works 443-80 of course. But I would like to also like to further validate client/server cert authentication, by using a self signed cert installed on the mobile device (ios in this case).
If I install my p12 cert into IOS, I can browse successfully via safari. However, ios apps won’t use self-signed certs in the chain, such as the blueiris ios app. So client/server cer auth won’t work via ios apps with self-signed cert.
Would you consider doing something like this in your ios app?
http://stackoverflow.com/questions/17393488/how-to-use-self-signed-certificate-at-ios-app
This would allow users to import .p12/cer into your app.
Let me know what you think, I think this could really help provide a solid solution for checking remotely.
Thanks.
_______
If you buy a certificate from a major authority (and have it configured right for your host name) then iOS apps would be able to use it without question. However this assumes that the app in question is written to support SSL in the first place.
Yeah, I know the BI ios app connects via SSL, but not sure if its written to hit the keychain for certs or not.... Anyone have any success with stunnel verify and BI IOS/SSL ?
J
J