rfc5766-turn-server - how to enable TLS and HTTP CONNECT method with it?

user285594 · Jul 16, 2014 · Viewed 7.2k times

I have the following setup for rfc5766-turn-server, but I am not sure yet how to enable TLS in turnserver.conf.

Any idea what is missing to make sure TLS is activated, and what other related settings are missing?

# cat turnserver.conf
user=root:root
realm=x.x.x.x
# no-tls / no-dtls would disable TLS and DTLS; commented out, both stay enabled (default TLS port is 5349)
#no-tls
#no-dtls
syslog
# auxiliary listening endpoints
aux-server=x.x.x.x:80
aux-server=x.x.x.x:443

Problem: When a TURN client connects to the above TURN server with the following primitives, the TURN session closes automatically.

config: '{"iceServers":[{"urls":"stun:stun.l.google.com:19302"},
                        {"credential":"root","urls":"turn:root@XXXXX:443?transport=tcp"}],
          "iceTransports":"relay"}';

NOTE: 443 TCP

or

config: '{"iceServers":[{"urls":"stun:stun.l.google.com:19302"},
                        {"credential":"root","urls":"turn:root@XXXXX:80?transport=tcp"}],
          "iceTransports":"relay"}';

NOTE: 80 TCP

Answer

mido · Aug 19, 2015

I guess I am answering the question a bit late, hoping it would help the people who stumble upon this question later on.

I do not think you can add users in the TURN config files directly; either a separate flat file / some DB, or as part of the command for starting turnserver (or through turnadmin).

Let's assume the listening IP is XXXXX and the port is PPP (from what I understand, this port can be whatever you want, irrespective of the transport being UDP or TCP, and if you are running on a port <1024 you are going to need elevated access).

Using a turnserver config file (turnconfig.conf):

listening-ip=XXXXX
tls-listening-port=PPP
cert=(certificate location)
pkey=(private key location)
# long-term credential mechanism: clients authenticate with a user:password pair for the realm
lt-cred-mech
realm=someRealm
log-file=/var/tmp/turn.log
# refuse the obsolete SSL protocol versions
no-sslv2
no-sslv3

The start command would be: turnserver -v -c turnconfig.conf -o -u user:root

Without a configuration file:

turnserver --tls-listening-port PPP -L XXXXX -r someRealm -a -o -v -n -u user:root -l '/var/tmp/turn.log' --no-sslv2 --no-sslv3

Note: if this is hosted behind NAT (usually the case with Amazon EC2), another field, external-ip, is required.

And the config (of RTCPeerConnection in the WebRTC app) is:

var config = {
    'iceServers': [
        {
            'url': 'stun:stun.l.google.com:19302'
        },
        {
            'url': 'turn:user@XXXXX:PPP?transport=udp',
            'credential': 'root'
        },
        {
            'url': 'turn:user@XXXXX:PPP?transport=tcp',
            'credential': 'root'
        }
    ]
};

As for generating the certificate and private key, you can use openssl:

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 3001 -nodes
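The answer turns on lt-cred-mech with a realm and a user:password pair, and opens a TLS listener. Two points a practitioner will want alongside it: the turn: URLs in the client config above select the plain TCP/UDP listeners, while the TLS listener is reached with the turns: scheme (RFC 7065); and under lt-cred-mech the password never travels on the wire, the client instead keys an HMAC-SHA1 MESSAGE-INTEGRITY with MD5(username:realm:password). The following is an added example, not code from the question, the answer or the turnserver project: it builds the authenticated Allocate request a TURN client sends after the server's 401 challenge, verifies MESSAGE-INTEGRITY and FINGERPRINT the way the server would, and shows how such a request would be sent to a turns: listener. The username "user", realm "someRealm" and password "root" are taken from the answer; the nonce and transaction ID are constructed values.

```python
import hashlib
import hmac
import os
import socket
import ssl
import struct
import zlib

# STUN/TURN constants (RFC 5389, RFC 5766)
MAGIC_COOKIE = 0x2112A442
ALLOCATE_REQUEST = 0x0003
ATTR_USERNAME = 0x0006
ATTR_MESSAGE_INTEGRITY = 0x0008
ATTR_REALM = 0x0014
ATTR_NONCE = 0x0015
ATTR_REQUESTED_TRANSPORT = 0x0019
ATTR_FINGERPRINT = 0x8028
FINGERPRINT_XOR = 0x5354554E
PROTO_UDP = 17


def long_term_key(username, realm, password):
    # Long-term credential key used by lt-cred-mech: MD5(username:realm:password)
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def _attr(atype, value):
    # TLV attribute; the value is padded to a 4-byte boundary
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def _header(mtype, length, txid):
    return struct.pack("!HHI", mtype, length, MAGIC_COOKIE) + txid


def build_allocate_request(username, realm, nonce, password, txid=None):
    """Authenticated Allocate request. In the real exchange the client first sends an
    Allocate without credentials, the server answers 401 with REALM and NONCE, and the
    client then sends this message carrying those values."""
    txid = txid or os.urandom(12)
    body = _attr(ATTR_REQUESTED_TRANSPORT, bytes([PROTO_UDP, 0, 0, 0]))
    body += _attr(ATTR_USERNAME, username.encode())
    body += _attr(ATTR_REALM, realm.encode())
    body += _attr(ATTR_NONCE, nonce.encode())
    # MESSAGE-INTEGRITY: HMAC-SHA1 over header+body, with the header length already
    # counting the 24-byte MI attribute but not the FINGERPRINT appended afterwards
    key = long_term_key(username, realm, password)
    covered = _header(ALLOCATE_REQUEST, len(body) + 24, txid) + body
    body += _attr(ATTR_MESSAGE_INTEGRITY, hmac.new(key, covered, hashlib.sha1).digest())
    # FINGERPRINT: CRC32 over everything before it (length counting the 8-byte attribute), XOR 0x5354554e
    covered = _header(ALLOCATE_REQUEST, len(body) + 8, txid) + body
    body += _attr(ATTR_FINGERPRINT, struct.pack("!I", zlib.crc32(covered) ^ FINGERPRINT_XOR))
    return _header(ALLOCATE_REQUEST, len(body), txid) + body


def parse_attributes(msg):
    # Yields (type, value, offset) for each attribute following the 20-byte header
    attrs, pos = [], 20
    while pos + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        attrs.append((atype, msg[pos + 4:pos + 4 + alen], pos))
        pos += 4 + alen + ((-alen) % 4)
    return attrs


def verify_message_integrity(msg, password):
    """Server-side check under lt-cred-mech: derive the key from USERNAME and REALM in the
    message plus the stored password, recompute the HMAC and compare in constant time."""
    attrs = parse_attributes(msg)
    by_type = {t: v for t, v, _ in attrs}
    mi_pos = next((p for t, _, p in attrs if t == ATTR_MESSAGE_INTEGRITY), None)
    if mi_pos is None or ATTR_USERNAME not in by_type or ATTR_REALM not in by_type:
        return False
    key = long_term_key(by_type[ATTR_USERNAME].decode(), by_type[ATTR_REALM].decode(), password)
    mtype = struct.unpack("!H", msg[:2])[0]
    covered = _header(mtype, mi_pos - 20 + 24, msg[8:20]) + msg[20:mi_pos]
    expected = hmac.new(key, covered, hashlib.sha1).digest()
    return hmac.compare_digest(expected, by_type[ATTR_MESSAGE_INTEGRITY])


def verify_fingerprint(msg):
    # Integrity of the framing only; it is not a security check (no key involved)
    found = next(((v, p) for t, v, p in parse_attributes(msg) if t == ATTR_FINGERPRINT), None)
    if found is None:
        return False
    fp_val, fp_pos = found
    mtype = struct.unpack("!H", msg[:2])[0]
    covered = _header(mtype, fp_pos - 20 + 8, msg[8:20]) + msg[20:fp_pos]
    return struct.pack("!I", zlib.crc32(covered) ^ FINGERPRINT_XOR) == fp_val


def send_over_tls(host, port, request, cafile=None):
    """Send one request to the turns: listener (TLS over TCP) and return the raw reply.
    The default context verifies the server certificate, as a browser does; cafile is
    the only way a test client will accept the self-signed certificate from the answer."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(request)
            return tls.recv(4096)


if __name__ == "__main__":
    # Constructed values: nonce and transaction ID are not from a real server exchange
    req = build_allocate_request("user", "someRealm", "abc123", "root", txid=b"\x01" * 12)
    print(len(req), verify_message_integrity(req, "root"), verify_fingerprint(req))
```

Because a browser validates the turns: certificate the same way the default ssl context above does, the self-signed certificate from the openssl command works for this kind of test client (passed as cafile) but not for a WebRTC client in a browser, which needs a certificate chaining to a trusted CA and matching the host name in the turns: URL.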