
What ssl configuration for zmNinja?

Posted: Sun Feb 02, 2020 2:45 am
by SomeGuy
I am getting an error in the logs for getAPIversion error handler {"status":-2,":"TLS connection could not be established:javax.net.ssl.SSLHandshakeException: Handshake failed"}

What versions of TLS or ssl cipher keys work with zmNinja? Perhaps my setup is too restrictive.

I am running through a nginx reverse proxy but it is passing web requests with absolute_uri so nginx shouldn't be mangling the request.

When I try to log in to zmNinja I get "Login validated but API failed"

I have done all of the suggested steps in the FAQ and they seem to check out.

I added ssl_ecdh_curve secp521r1:secp384r1:prime256v1; to the nginx config to make the curves less strict.

I am using signed LetsEncrypt certs.

This is on an android 6.0 phone.

getVersion.json returns version 1.34.0 and api version 2.0.
view-source also reveals both versions.

monitors.json and events.json also reveal valid info.

The user has access to view 'monitors' 'system' 'events' and 'stream' with api enabled. With a simple password.

I entered all the addresses into the expert mode for zmNinja for portal, path to cgi-bin and api url.

Re: What ssl configuration for zmNinja?

Posted: Sun Feb 02, 2020 11:51 am
by asker
I don't know for sure. The FAQ entry (which looks like you have read) came from a user who faced a similar issue.
It seems it is either TLS version related or Cipher suite related.

Do the answers in https://stackoverflow.com/questions/391 ... roid-n-7-0 help?
Edited: I also found this suggestion (which may be closer to what you want to check)

Also maybe start with the most permissive TLS settings in nginx and tighten step by step? If you find out the key issue, please let me know so I can update the faq.

Re: What ssl configuration for zmNinja?

Posted: Tue Feb 04, 2020 1:44 pm
by SomeGuy
Looks like it only supports TLSv1.2.

I was supporting all three TLSv1.3 256 ciphers and no 1.2 ciphers because the syntax between apache and nginx is slightly different and I just copy pasted the config and killed TLS1.2.

I am not sure which cipher it prefers, but these are the three TLSv1.2 ciphers my site is using after I fixed the config:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (It seems like this one is the hot thing for mobile apps).
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (hopefully it's not this one as it is marked weak; I must have mistyped it in nginx, will cut it later and see if it still works).

I am only using secp521r1 and secp384r1.

TLSv1.3 would be the easiest thing to add in the future; I don't think anyone using IP security cameras and https is logging in with outdated browsers.

Now I can log in, but no stream or video is showing. The problem is different from this one; I will post it in another topic.
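An added configuration example (not the poster's own config, and not part of zmNinja or ZoneMinder) contrasting an nginx server block that only offers TLSv1.3, which a client limited to TLSv1.2 cannot handshake with, against one that offers TLSv1.2 alongside TLSv1.3 using the two AEAD suites named in the thread. The hostname, certificate paths and proxied backend address are placeholders; the "before" block is a reconstruction of how a pasted Apache-style config can end up, not the poster's actual file.

```nginx
# Added example, not the poster's configuration. Placeholders:
# zm.example.com, the LetsEncrypt paths and the 127.0.0.1:8080 backend.

# --- Before: only TLSv1.3 is offered. A TLSv1.2-only client (such as the
# Android 6.0 device in the thread) fails with "Handshake failed". ---
server {
    listen 443 ssl;
    server_name zm.example.com;

    ssl_certificate     /etc/letsencrypt/live/zm.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/zm.example.com/privkey.pem;

    # TLSv1.2 dropped from the list: the cause of the handshake failure.
    ssl_protocols TLSv1.3;

    # Apache's "SSLCipherSuite TLSv1.3 ..." line has no counterpart here:
    # nginx's ssl_ciphers takes an OpenSSL cipher-list string and governs
    # TLSv1.2 and earlier only; TLSv1.3 suites are not selected through it.

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder ZoneMinder backend
        proxy_set_header Host $host;
    }
}

# --- After: TLSv1.2 and TLSv1.3, ECDHE-only AEAD suites for TLSv1.2. ---
server {
    listen 443 ssl;
    server_name zm.example.com;

    ssl_certificate     /etc/letsencrypt/live/zm.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/zm.example.com/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;

    # OpenSSL names for TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and
    # TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256. The CBC suite from the
    # thread (ECDHE-RSA-AES256-SHA384) is deliberately left out.
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Curves as used in the thread; TLSv1.3 key exchange also picks from these.
    ssl_ecdh_curve secp521r1:secp384r1;

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder ZoneMinder backend
        proxy_set_header Host $host;
    }
}
```

After editing, `nginx -t` validates the file before a reload, and `openssl s_client -connect zm.example.com:443 -tls1_2 </dev/null` confirms from the client side that a TLSv1.2 handshake now completes and shows which of the two suites was negotiated; repeating it with `-tls1_3` checks that the newer protocol still works.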