Live Stream Broken - Client Cert #769

Closed
JamesM85 opened this issue Jan 4, 2019 · 8 comments

@JamesM85

JamesM85 commented Jan 4, 2019

Platform & OS Version

iOS 12.1.2

The version of zmNinja you are reporting:

1.3.039 - works in 1.3.004D

The version of ZoneMinder you are using:

1.33.1

Device details:

iPhone 8 plus

What is the nature of your issue

bug

Details

Ok, I appreciate that I have a non-standard setup here, but this is something that works in v1.3.004 and now doesn't in 1.3.039.

My setup:
Due to only having one external IP and wanting to run all services hosted on my server over https on 443, I have deployed HAProxy. This has a multi-domain Let's Encrypt certificate on it and rules set up to send the relevant services to the correct backend server.

e.g.: https://zm.mydomain proxies to my zoneminder server
https://sab.mydomain proxies to my sabnzbd server
etc.

So that I don't have to keep using long and annoying passwords for authentication to these services from my phone, I use client certificates as an optional alternative to basic authentication.

Due to the way this works, the HAProxy service has to ask for a client certificate when the client first connects (therefore I can't filter the zm.mydomain requests out of this). If the client declines, it will check some other rules (is it the local network, etc.) and eventually will fall down to requesting basic auth. If that fails it sends a 401.

When zmNinja connects everything validates correctly, I see the events there. When I try to stream (live or events) I get "SSL handshake failure" logged in the HAProxy logs.

If I disable the request for a client cert this instantly starts working (proving the configuration is all correct) and, as mentioned, this only seems to have stopped working on my iPhone since 1.3.039 got installed. If it's an easy fix I'd really appreciate it working again.

Happy to provide login credentials to my server to test privately if it helps.

@welcome

welcome bot commented Jan 4, 2019

👋 Thanks for opening your first issue here! If you're reporting a 🐞 bug, please make sure you follow the issue template or I may not respond.

@pliablepixels
Member

Hi,
I'm very surprised to hear that client certificates worked in some old version. To the best of my knowledge client certificates were never supported on mobile devices. (see #3). The key issue is that there was no way to present a prompt asking for certificate details in mobile devices.

That being said, I had a user recently have SSL handshake errors and it was because the proxy added an SSL algorithm that was not compatible. See https://github.com/pliablepixels/zmNinja/wiki/FAQ#ssl-settings

So in conclusion:

  1. I'm surprised client certs worked before - zmNinja mobile never had support for it
  2. If this requires client cert support, then I'm afraid I don't have a solution

@JamesM85
Author

JamesM85 commented Jan 5, 2019

Sorry, I wasn't very clear on that part! Client certificates have never worked for authentication in zmNinja.

In zmNinja I'm authenticating using basic authentication (appending basic auth token in images). It just seems to be the fact that HAProxy is asking for the client cert (which I can't avoid) that is now upsetting zmNinja.

@pliablepixels
Member

pliablepixels commented Jan 5, 2019

I'm sorry, but I'm still not following. If HAProxy is asking for the client cert when zmNinja tries to authenticate, is that not the same as using client certificates for authentication (something that zmNinja did not support)?

In recent versions of zmNinja for mobile, I've switched the HTTP stack. In old versions, I used the browser HTTP stack but in new versions, I am using a native HTTP stack. Neither stack supports client certs. It is possible that the browser stack supported some feature the native one does not that is not directly related to client certs. Unfortunately, I can't go back to the browser stack - there were many changes in the core framework that made it impossible to continue using the old stack.

@JamesM85
Author

JamesM85 commented Jan 7, 2019

Ah, I see, that makes sense then - it must be to do with the change in HTTP stack.

Not to worry, I'll see if there's something else I can do.

@JamesM85 JamesM85 closed this as completed Jan 7, 2019
@pliablepixels
Member

If you do manage to resolve it, would you mind posting here what you did? I'll add it to the FAQ.

@JamesM85
Author

JamesM85 commented Jan 8, 2019

I've added a workaround for now - set up another frontend on HAProxy running on a different port (8443) which doesn't ask for a client cert, only accepts basic authentication and only sends to the zoneminder backend server.

@JamesM85
Author

Just in case anyone else looks at this, looking for a better solution, I've found one! Rather than running zm on a different port, I've configured HAProxy to use SNI to send requests for zm-api.mydomain.com to a different https frontend that doesn't ask for client certs.

Now I only have to have port 443 open and it all appears as one server again. There are plenty of guides out there for SNI, so I won't repeat them, but this looks to be the best starting point: https://loredo.me/post/116633549315/geeking-out-with-haproxy-on-pfsense-the-ultimate
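An added example (not the reporter's configuration and not from the zmNinja or HAProxy projects) of the SNI split described in this comment, applied to the chain laid out in the opening post: a TCP listener on 443 reads the SNI name from the ClientHello and hands zm-api traffic to a frontend that never requests a client certificate, while every other name still goes through the optional client cert, LAN check and basic auth sequence. The hostnames, socket and certificate paths, LAN range, backend addresses and userlist are all assumed placeholders.

```haproxy
# Added example, not the reporter's config; all names, paths and addresses are placeholders.
userlist zm_users
    # Store a hashed password (e.g. mkpasswd -m sha-512), not insecure-password.
    user james password CHANGE_ME_SHA512_CRYPT_HASH

# 1. Plain TCP listener on 443: read the SNI name from the ClientHello and
#    pass the raw connection to one of two TLS-terminating frontends.
frontend tls_router
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend to_api_tls if { req.ssl_sni -i zm-api.mydomain.com }
    default_backend to_main_tls

backend to_main_tls
    mode tcp
    server main unix@/var/run/haproxy-main.sock send-proxy-v2

backend to_api_tls
    mode tcp
    server api unix@/var/run/haproxy-api.sock send-proxy-v2

# 2. Main frontend: "verify optional" makes HAProxy send a CertificateRequest
#    during the handshake (the step the zmNinja stream could not get past).
#    Clients with no valid cert fall through to the LAN check, then basic auth.
frontend main_tls
    bind unix@/var/run/haproxy-main.sock accept-proxy ssl crt /etc/haproxy/certs/mydomain.pem ca-file /etc/haproxy/certs/client-ca.pem verify optional
    mode http
    acl cert_presented ssl_c_used
    acl cert_valid     ssl_c_verify 0
    acl from_lan       src 192.168.1.0/24
    acl basic_ok       http_auth(zm_users)
    http-request auth realm "mydomain" unless cert_presented cert_valid || from_lan || basic_ok
    # Other services (sab.mydomain.com etc.) are routed by Host header the same way.
    use_backend zoneminder if { req.hdr(host) -i zm.mydomain.com }

# 3. API frontend: no ca-file/verify, so no client cert is ever requested;
#    zmNinja is the only expected client, so basic auth alone is enforced.
frontend api_tls
    bind unix@/var/run/haproxy-api.sock accept-proxy ssl crt /etc/haproxy/certs/mydomain.pem
    mode http
    acl basic_ok http_auth(zm_users)
    http-request auth realm "mydomain" unless basic_ok
    default_backend zoneminder

backend zoneminder
    mode http
    server zm 192.168.1.10:80 check
```

The `unless` condition in the main frontend reads as (cert_presented AND cert_valid) OR from_lan OR basic_ok, since HAProxy binds the implicit AND tighter than `||`. Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading.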
