Merge branch 'master' into PR288

2025-10-26 12:31:00 +01:00 · 2021-01-07 12:00:22 +00:00 · 2021-01-07 12:00:22 +00:00 · 05ecf28a95
commit 05ecf28a95
parent 40b39e2392 5b13fdd37b
38 changed files with 1094 additions and 643 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -66,11 +66,46 @@ matrix:
        - libhiredis-dev
  - os: osx
    osx_image: xcode11.3
-  - os: osx
+ # - os: osx
-    osx_image: xcode11.6
+ #   osx_image: xcode11.6
  - os: osx
    osx_image: xcode12
-
+  - os: linux
    arch: ppc64le
    dist: xenial
    sudo: required
    addons:
      apt:
        packages:
        - mysql-client
        - debhelper
        - dpkg-dev
        - libssl-dev
        - libevent-dev
        - sqlite3
        - libsqlite3-dev
        - postgresql-client
        - libpq-dev
        - libmysqlclient-dev
        - libhiredis-dev
  - os: linux
    arch: ppc64le
    dist: bionic
    sudo: required
    addons:
      apt:
        packages:
        - mysql-client
        - debhelper
        - dpkg-dev
        - libssl-dev
        - libevent-dev
        - sqlite3
        - libsqlite3-dev
        - postgresql-client
        - libpq-dev
        - libmysqlclient-dev
        - libhiredis-dev
 notifications:
  slack:
--- a/29
+++ b/29
@ -3,6 +3,35 @@ Version 4.5.2 'dan Eider':
 	- fix null pointer dereference in case of out of memory. (thanks to Thomas Moeller for the report)
 	- merge PR #517 (by wolmi)
 		* add prometheus metrics
 	- merge PR #637 (by David Florness)
 	    * Delete trailing whitespace in example configuration files
 	- merge PR #631 (by Debabrata Deka)
 	    * Add architecture ppc64le to travis build
 	- merge PR #627 (by Samuel)
 		* Fix misleading option in doc (prometheus)
 	- merge PR #643 (by tupelo-schneck)
 		* Allow RFC6062 TCP relay data to look like TLS
 	- merge PR #655 (by plinss)
 		* Add support for proxy protocol V1 
 	- merge PR #618 (by Paul Wayper)
 		* Print full date and time in logs
 		* Add new options: "new-log-timestamp" and "new-log-timestamp-format"
 	- merge PR #599 (by Cédric Krier)
 		* Do not use FIPS and remove hardcode OPENSSL_VERSION_NUMBER with LibreSSL
 	- update Docker mongoDB and fix with workaround the missing systemctl
 	- merge PR #660 (by Camden Narzt)
 		* fix compilation on macOS Big Sur
 	- merge PR #546 (by jelmd)
 		* Add ACME redirect url
 	- merge PR #551 (by jelmd)
 		* support of --acme-redirect <URL>
 	- merge PR #672 further acme fixes (by jemld)
 		* fix acme security, redundancy, consistency
 	- Disable binding request logging to avoid DoS attacks. (Breaking change!)
 		* Add new --log-binding option to enable binding request logging
 	- Fix stale-nonce documentation. Resolves #604
 	- Version number is changed to semver 2.0
 24/06/2020 Oleg Moskalenko <mom040267@gmail.com> Mihály Mészáros <misi@majd.eu>
 Version 4.5.1.3 'dan Eider':
 	- merge PR #575: (by osterik)
--- a/Makefile.in
+++ b/Makefile.in
@ -21,7 +21,7 @@ COMMON_MODS = src/apps/common/apputils.c src/apps/common/ns_turn_utils.c src/app
 COMMON_DEPS = ${LIBCLIENTTURN_DEPS} ${COMMON_MODS} ${COMMON_HEADERS}
 IMPL_HEADERS = src/apps/relay/ns_ioalib_impl.h src/apps/relay/ns_sm.h src/apps/relay/turn_ports.h
-IMPL_MODS = src/apps/relay/ns_ioalib_engine_impl.c src/apps/relay/turn_ports.c src/apps/relay/http_server.c
+IMPL_MODS = src/apps/relay/ns_ioalib_engine_impl.c src/apps/relay/turn_ports.c src/apps/relay/http_server.c src/apps/relay/acme.c
 IMPL_DEPS = ${COMMON_DEPS} ${IMPL_HEADERS} ${IMPL_MODS}
 HIREDIS_HEADERS = src/apps/common/hiredis_libevent2.h
--- a/README.md
+++ b/README.md
@ -121,7 +121,8 @@ Contact information:
 https://groups.google.com/forum/#!forum/turn-server-project-rfc5766-turn-server
-email:mom040267@gmail.com
+email:misi@majd.eu
      mom040267@gmail.com
 ### Feedback is very welcome (bugs, issues, suggestions, stories, questions). ###
--- a/README.turnadmin
+++ b/README.turnadmin
@ -271,4 +271,8 @@ to see the man page.
 	Bradley T. Hughes <bradleythughes@fastmail.fm>
-        Mihaly Meszaros <misi@majd.eu>
+	Mihály Mészáros <misi@majd.eu>
  ACTIVE MAINTAINERS
 	Mihály Mészáros <misi@majd.eu>
--- a/README.turnserver
+++ b/README.turnserver
@ -225,6 +225,12 @@ Flags:
 			name will be constructed as-is, without PID and date appendage.
 			This option can be used, for example, together with the logrotate tool.
 --new-log-timestamp				Enable full ISO-8601 timestamp in all logs.
 --new-log-timestamp-format    	<format>	Set timestamp format (in strftime(1) format)
 --log-binding					Log STUN binding request. It is now disabled by default to avoid DoS attacks.
 --secure-stun		Require authentication of the STUN Binding request.
 			By default, the clients are allowed anonymous access to the STUN Binding functionality.
@ -265,8 +271,8 @@ Flags:
 			check: across the session, all requests must have the same
 			main ORIGIN attribute value (if the ORIGIN was
 			initially used by the session).
- --no-prometheus	Disable prometheus metrics. By default it is
+ --prometheus		Enable prometheus metrics. By default it is
-			enabled and listening on port 9641 unther the path /metrics
+			disabled. Would listen on port 9641 unther the path /metrics
 			also the path / on this port can be used as a health check
 -h			Help.
@ -275,6 +281,7 @@ Options with values:
 --stale-nonce[=<value>]		Use extra security with nonce value having
 							limited lifetime, in seconds (default 600 secs).
 							Set it to 0 for unlimited nonce lifetime.
 --max-allocate-lifetime		Set the maximum value for the allocation lifetime.
 							Default to 3600 secs.
@ -543,6 +550,12 @@ Options with values:
 			Default is /var/run/turnserver.pid (if superuser account is used) or
 			/var/tmp/turnserver.pid .
 --acme-redirect  <URL>	Redirect ACME/RFC8555 (like Let's Encrypt challenge) requests, i.e.
 			HTTP GET requests matching '^/.well-known/acme-challenge/(.*)'
 			to <URL>$1 with $1 == (.*). No validation of <URL> will be done,
 			so make sure you do not forget the trailing slash. If <URL> is an empty
 			string (the default value), no special handling of such requests will be done.
 --proc-user		User name to run the process. After the initialization, the turnserver process
 			will make an attempt to change the current user ID to that user.
@ -997,4 +1010,8 @@ https://groups.google.com/forum/?fromgroups=#!forum/turn-server-project-rfc5766-
 	Bradley T. Hughes <bradleythughes@fastmail.fm>
-        Mihaly Meszaros <misi@majd.eu>
+    Mihály Mészáros <misi@majd.eu>
  ACTIVE MAINTAINERS
 	Mihály Mészáros <misi@majd.eu>
--- a/README.turnutils
+++ b/README.turnutils
@ -474,4 +474,8 @@ SEE ALSO
 	Bradley T. Hughes <bradleythughes@fastmail.fm>
-        Mihaly Meszaros <misi@majd.eu>
+	Mihály Mészáros <misi@majd.eu>
  ACTIVE MAINTAINERS
 	Mihály Mészáros <misi@majd.eu>
--- a/11
+++ b/11
@ -423,6 +423,17 @@ if [ "${SYSTEM}" = "NetBSD" ] ; then
 	fi
 fi
 # If acme_redirect does not work, send_data_from_ioa_socket_nbh() probably
 # does not work. Set LIBEV_OK=1 to use a workaround for it.
 if [ -z "${LIBEV_OK}" ]; then
 	LIBEV_OK=1
 	if [ "${SYSTEM}" = "Linux" ]; then
 		OS=$( lsb_release -si 2>/dev/null )
 		[ "${OS}" = "Ubuntu" ] && LIBEV_OK=0
 	fi
 fi
 [ "${LIBEV_OK}" = "1" ] && OSCFLAGS="${OSCFLAGS} -DLIBEV_OK"
 ###########################
 # Install shell commands
 ###########################
--- a/docker/coturn/Dockerfile
+++ b/docker/coturn/Dockerfile
@ -13,7 +13,7 @@ WORKDIR ${BUILD_PREFIX}
 RUN git clone https://github.com/coturn/coturn.git
 # Build Coturn
-WORKDIR coturn
+WORKDIR ${BUILD_PREFIX}/coturn
 RUN ./configure
 RUN make
@ -34,14 +34,17 @@ COPY --from=coturn-build ${BUILD_PREFIX}/coturn/turndb ${INSTALL_PREFIX}/turndb
 # Install lib dependencies
 RUN export DEBIAN_FRONTEND=noninteractive && \
 	apt-get update && \
-	apt-get install -y libc6>=2.15 libevent-core-2.1-6>=libevent-core-2.1-6 libevent-extra-2.1-6>=2.1.8-stable-4 libevent-openssl-2.1-6>=2.1.8-stable-4 libevent-pthreads-2.1-6>=2.1.8-stable-4 libhiredis0.14>=0.14.0 libmariadbclient-dev>=10.3.17 libpq5>=8.4~ libsqlite3-0>=3.6.0 libssl1.1>=1.1.0 libmongoc-1.0 libbson-1.0
+	apt-get install -y libc6 libevent-core-2.1-6 libevent-extra-2.1-6 libevent-openssl-2.1-6 libevent-pthreads-2.1-6 libhiredis0.14 libmariadbclient-dev libpq5 libsqlite3-0 libssl1.1 libmongoc-1.0-0 libbson-1.0-0
 RUN apt-get install -y default-mysql-client postgresql-client redis-tools
 # Workaround for MongoDB
 RUN ln -s /bin/echo /bin/systemctl
 # Install MongoDB
 RUN apt-get update && \
  apt-get install -y wget gnupg && \
-  wget -qO - https://www.mongodb.org/static/pgp/server-4.0.asc | apt-key add - && \
+  wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | apt-key add - && \
-  echo "deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/4.0 main" | tee /etc/apt/sources.list.d/mongodb-org-4.0.list && \
+  echo "deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/4.4 main" | tee /etc/apt/sources.list.d/mongodb-org-4.4.list && \
  echo "deb http://deb.debian.org/debian/ stretch main" | tee /etc/apt/sources.list.d/debian-stretch.list && \
  apt-get update && \
  apt-get install -y libcurl3 mongodb-org mongodb-org-server mongodb-org
--- a/docker/coturn/turnserver.conf
+++ b/docker/coturn/turnserver.conf
@ -411,9 +411,9 @@ realm=example.org
 # Uncomment if extra security is desired,
 # with nonce value having a limited lifetime.
-# By default, the nonce value is unique for a session,
+# The nonce value is unique for a session.
 # and has an unlimited lifetime. 
 # Set this option to limit the nonce lifetime.
 # Set it to 0 for unlimited lifetime.
 # It defaults to 600 secs (10 min) if no value is provided. After that delay,
 # the client will get 438 error and will have to re-authenticate itself.
 #
--- a/examples/etc/turnserver.conf
+++ b/examples/etc/turnserver.conf
@ -423,9 +423,9 @@
 # Uncomment if extra security is desired,
 # with nonce value having a limited lifetime.
-# By default, the nonce value is unique for a session,
+# The nonce value is unique for a session.
 # and has an unlimited lifetime. 
 # Set this option to limit the nonce lifetime.
 # Set it to 0 for unlimited lifetime.
 # It defaults to 600 secs (10 min) if no value is provided. After that delay,
 # the client will get 438 error and will have to re-authenticate itself.
 #
@ -534,6 +534,16 @@
 #
 #simple-log
 # Enable full ISO-8601 timestamp in all logs.
 #new-log-timestamp
 # Set timestamp format (in strftime(1) format)
 #new-log-timestamp-format "%FT%T%z"
 # Disabled by default binding logging in verbose log mode to avoid DoS attacks.
 # Enable binding logging and UDP endpoint logs in verbose log mode.
 #log-binding
 # Option to set the "redirection" mode. The value of this option
 # will be the address of the alternate server for UDP & TCP service in the form of
 # <ip>[:<port>]. The server will send this value in the attribute
@ -713,6 +723,10 @@
 #
 #web-admin-listen-on-workers
 #acme-redirect=http://redirectserver/.well-known/acme-challenge/
 # Redirect ACME, i.e. HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' to '<URL>$1'.
 # Default is '', i.e. no special handling for such requests.
 # Server relay. NON-STANDARD AND DANGEROUS OPTION.
 # Only for those applications when you want to run
 # server applications on the relay endpoints.
--- a/examples/scripts/pack.sh
+++ b/examples/scripts/pack.sh
@ -2,7 +2,7 @@
 # Run it from the root of the coturn source tree
-V=4.5.1.3
+V=4.5.2
 PACKDIR=`pwd`/../coturn-releases/
 SRCDIR=`pwd`
--- a/man/man1/turnadmin.1
+++ b/man/man1/turnadmin.1
@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "03 August 2020" "" ""
+.TH TURN 1 "05 January 2021" "" ""
 .SH GENERAL INFORMATION
 \fIturnadmin\fP is a TURN administration tool. This tool can be used to manage
@ -48,8 +48,8 @@ is equivalent to:
 .fi
 You have always the use the \fB\-r\fP <realm> option with commands for long term credentials \-
 because data for multiple realms can be stored in the same database.
-.SH =====================================
+.PP
-
+=====================================
 .SS  NAME
 \fB
 \fBturnadmin \fP\- a TURN relay administration tool.
@ -288,8 +288,8 @@ $ \fIturnadmin\fP \fB\-\-file\-key\-path\fP <key\-file> \fB\-v\fP <encrypted>
 Help:
 .PP
 $ \fIturnadmin\fP \fB\-h\fP
-.SH =======================================
+.PP
-
+=======================================
 .SS  DOCS
 After installation, run the \fIcommand\fP:
@ -301,8 +301,8 @@ or in the project root directory:
 $ man \fB\-M\fP man \fIturnadmin\fP
 .PP
 to see the man page.
-.SH =====================================
+.PP
-
+=====================================
 .SS  FILES
 /etc/turnserver.conf
@ -314,8 +314,8 @@ to see the man page.
 /var/lib/turn/turndb
 .PP
 /usr/local/etc/turnserver.conf
-.SH =====================================
+.PP
-
+=====================================
 .SS  DIRECTORIES
 /usr/local/share/\fIturnserver\fP
@ -323,13 +323,14 @@ to see the man page.
 /usr/local/share/doc/\fIturnserver\fP
 .PP
 /usr/local/share/examples/\fIturnserver\fP
-.SH ======================================
+.PP
-
+======================================
 .SS  SEE ALSO
 \fIturnserver\fP, \fIturnutils\fP
-.SH ======================================
+.RE
-
+.PP
 ======================================
 .SS  WEB RESOURCES
 project page:
@ -343,8 +344,9 @@ https://github.com/coturn/coturn/wiki
 forum:
 .PP
 https://groups.google.com/forum/?fromgroups=#!forum/turn\-server\-project\-rfc5766\-turn\-server/
-.SH ======================================
+.RE
-
+.PP
 ======================================
 .SS  AUTHORS
 Oleg Moskalenko <mom040267@gmail.com>
@ -373,4 +375,7 @@ Federico Pinna <fpinna@vivocha.com>
 .PP
 Bradley T. Hughes <bradleythughes@fastmail.fm>
 .PP
-Mihaly Meszaros <misi@majd.eu>
+Mihály Mészáros <misi@majd.eu>
 .SS  ACTIVE MAINTAINERS
 Mihály Mészáros <misi@majd.eu>
--- a/man/man1/turnserver.1
+++ b/man/man1/turnserver.1
@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "03 August 2020" "" ""
+.TH TURN 1 "05 January 2021" "" ""
 .SH GENERAL INFORMATION
 The \fBTURN Server\fP project contains the source code of a TURN server and TURN client
@ -78,8 +78,7 @@ is equivalent to:
 .fam T
 .fi
-.SH =====================================
+=====================================
 .SS  NAME
 \fB
 \fBturnserver \fP\- a TURN relay server implementation.
@ -338,6 +337,18 @@ name will be constructed as\-is, without PID and date appendage.
 This option can be used, for example, together with the logrotate tool.
 .TP
 .B
 \fB\-\-new\-log\-timestamp\fP
 Enable full ISO\-8601 timestamp in all logs.
 .TP
 .B
 \fB\-\-new\-log\-timestamp\-format\fP
 <format>        Set timestamp format (in \fBstrftime\fP(1) format)
 .TP
 .B
 \fB\-\-log\-binding\fP
 Log STUN binding request. It is now disabled by default to avoid DoS attacks.
 .TP
 .B
 \fB\-\-secure\-stun\fP
 Require authentication of the STUN Binding request.
 By default, the clients are allowed anonymous access to the STUN Binding functionality.
@ -400,9 +411,9 @@ initially used by the session).
 .RS
 .TP
 .B
-\fB\-\-no\-prometheus\fP
+\fB\-\-prometheus\fP
-Disable prometheus metrics. By default it is
+Enable prometheus metrics. By default it is
-enabled and listening on port 9641 unther the path /metrics
+disabled. Would listen on port 9641 unther the path /metrics
 also the path / on this port can be used as a health check
 .RE
 .TP
@ -416,6 +427,7 @@ Options with values:
 \fB\-\-stale\-nonce\fP[=<value>]
 Use extra security with nonce value having
 limited lifetime, in seconds (default 600 secs).
 Set it to 0 for unlimited nonce lifetime.
 .TP
 .B
 \fB\-\-max\-allocate\-lifetime\fP
@ -780,6 +792,14 @@ Default is /var/run/turnserver.pid (if superuser account is used) or
 /var/tmp/turnserver.pid .
 .TP
 .B
 \fB\-\-acme\-redirect\fP
 <URL>  Redirect ACME/RFC8555 (like Let's Encrypt challenge) requests, i.e.
 HTTP GET requests matching '^/.well\-known/acme\-challenge/(.*)'
 to <URL>$1 with $1 == (.*). No validation of <URL> will be done,
 so make sure you do not forget the trailing slash. If <URL> is an empty
 string (the default value), no special handling of such requests will be done.
 .TP
 .B
 \fB\-\-proc\-user\fP
 User name to run the process. After the initialization, the \fIturnserver\fP process
 will make an attempt to change the current user ID to that user.
@ -840,15 +860,15 @@ By default it is disabled for security resons!
 .B
 \fB\-\-ne\fP=[1|2|3]
 Set network engine type for the process (for internal purposes).
-.SH ==================================
+.PP
-
+==================================
 .SH LOAD BALANCE AND PERFORMANCE TUNING
 This topic is covered in the wiki page:
 .PP
 https://github.com/coturn/coturn/wiki/turn_performance_and_load_balance
-.SH ===================================
+.PP
-
+===================================
 .SH WEBRTC USAGE
 This is a set of notes for the WebRTC users:
@ -885,8 +905,8 @@ Usually WebRTC uses fingerprinting (\fB\-f\fP).
 .IP 5) 4
 \fB\-\-min\-port\fP and \fB\-\-max\-port\fP may be needed if you want to limit the relay endpoints ports
 number range.
-.SH ===================================
+.PP
-
+===================================
 .SH TURN REST API
 In WebRTC, the browser obtains the TURN connection information from the web
@ -1024,8 +1044,8 @@ examples/scripts/restapi/shared_secret_maintainer.pl .
 .PP
 A very important thing is that the nonce must be totally random and it must be
 different for different clients and different sessions.
-.SH ===================================
+.PP
-
+===================================
 .SH DATABASES
 For the user database, the \fIturnserver\fP has the following \fIoptions\fP:
@ -1088,8 +1108,8 @@ it will set the users for you (see the \fIturnadmin\fP manuals). If you are usin
 \fIturnserver\fP or \fIturnadmin\fP will initialize the empty database, for you, when started. The
 TURN server installation process creates an empty initialized SQLite database in the default
 location (/var/db/turndb or /usr/local/var/db/turndb or /var/lib/turn/turndb, depending on the system).
-.SH =================================
+.PP
-
+=================================
 .SH ALPN
 The server supports ALPNs "stun.turn" and "stun.nat\-discovery", when
@ -1098,16 +1118,16 @@ ClientHello message that contains one or both of those ALPNs, then the
 server chooses the first stun.* label and sends it back (in the ServerHello)
 in the ALPN extension field. If no stun.* label is found, then the server
 does not include the ALPN information into the ServerHello.
-.SH =================================
+.PP
-
+=================================
 .SH LIBRARIES
 In the lib/ sub\-directory the build process will create TURN client messaging library.
 In the include/ sub\-directory, the necessary include files will be placed.
 The C++ wrapper for the messaging functionality is located in TurnMsgLib.h header.
 An example of C++ code can be found in stunclient.c file.
-.SH =================================
+.PP
-
+=================================
 .SH DOCS
 After installation, run the command:
@ -1122,8 +1142,8 @@ to see the man page.
 .PP
 In the docs/html subdirectory of the original archive tree, you will find the client library
 reference. After the installation, it will be placed in PREFIX/share/doc/\fIturnserver\fP/html.
-.SH =================================
+.PP
-
+=================================
 .SH LOGS
 When the \fBTURN Server\fP starts, it makes efforts to create a log file turn_<pid>.log
@ -1146,8 +1166,8 @@ log messages are sent only to the standard output of the process.
 .PP
 This behavior can be controlled by \fB\-\-log\-file\fP, \fB\-\-syslog\fP and \fB\-\-no\-stdout\-log\fP
 \fIoptions\fP.
-.SH =================================
+.PP
-
+=================================
 .SH HTTPS MANAGEMENT INTERFACE
 The \fIturnserver\fP process provides an HTTPS Web access as statistics and basic
@ -1160,8 +1180,8 @@ populated with the admin user \fBaccount\fP(s). An admin user can be a superuser
 (if not assigned to a particular realm) or a restricted user (if assigned to
 a realm). The restricted admin users can perform only limited actions, within
 their corresponding realms.
-.SH =================================
+.PP
-
+=================================
 .SH TELNET CLI
 The \fIturnserver\fP process provides a telnet CLI access as statistics and basic management
@ -1169,8 +1189,8 @@ interface. By default, the \fIturnserver\fP starts a telnet CLI listener on IP 1
 port 5766. That can be changed by the command\-cline \fIoptions\fP of the \fIturnserver\fP process
 (see \fB\-\-cli\-ip\fP and \fB\-\-cli\-port\fP \fIoptions\fP). The full list of telnet CLI commands is provided
 in "help" command output in the telnet CLI.
-.SH =================================
+.PP
-
+=================================
 .SH CLUSTERS
 \fBTURN Server\fP can be a part of the cluster installation. But, to support the "even port" functionality
@ -1179,8 +1199,8 @@ in "help" command output in the telnet CLI.
 the RTP and RTCP relaying endpoints must be allocated on the same relay IP. It would be possible
 to design a scheme with the application\-level requests forwarding (and we may do that later) but
 it would affect the performance.
-.SH =================================
+.PP
-
+=================================
 .SH FILES
 /etc/turnserver.conf
@ -1192,8 +1212,8 @@ it would affect the performance.
 /var/lib/turn/turndb
 .PP
 /usr/local/etc/turnserver.conf
-.SH =================================
+.PP
-
+=================================
 .SH DIRECTORIES
 /usr/local/share/\fIturnserver\fP
@ -1201,15 +1221,16 @@ it would affect the performance.
 /usr/local/share/doc/\fIturnserver\fP
 .PP
 /usr/local/share/examples/\fIturnserver\fP
-.SH =================================
+.PP
-
+=================================
 .SH STANDARDS
 obsolete STUN RFC 3489
 .PP
 new STUN RFC 5389
-.SH TURN RFC 5766
+.PP
-
+TURN RFC 5766
 .PP
 TURN\-TCP extension RFC 6062
 .PP
 TURN IPv6 extension RFC 6156
@ -1217,13 +1238,14 @@ TURN IPv6 extension RFC 6156
 STUN/TURN test vectors RFC 5769
 .PP
 STUN NAT behavior discovery RFC 5780
-.SH =================================
+.PP
-
+=================================
 .SH SEE ALSO
 \fIturnadmin\fP, \fIturnutils\fP
-.SH ======================================
+.RE
-
+.PP
 ======================================
 .SS  WEB RESOURCES
 project page:
@ -1237,8 +1259,8 @@ https://github.com/coturn/coturn/wiki
 forum:
 .PP
 https://groups.google.com/forum/?fromgroups=#!forum/turn\-server\-project\-rfc5766\-turn\-server
-.SH ======================================
+.PP
-
+======================================
 .SS  AUTHORS
 Oleg Moskalenko <mom040267@gmail.com>
@ -1266,5 +1288,9 @@ Mutsutoshi Yoshimoto <mutsutoshi.yoshimoto@mixi.co.jp>
 Federico Pinna <fpinna@vivocha.com>
 .PP
 Bradley T. Hughes <bradleythughes@fastmail.fm>
 .RE
 .PP
-Mihaly Meszaros <misi@majd.eu>
+Mihály Mészáros <misi@majd.eu>
 .SS  ACTIVE MAINTAINERS
 Mihály Mészáros <misi@majd.eu>
--- a/man/man1/turnutils.1
+++ b/man/man1/turnutils.1
@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "03 August 2020" "" ""
+.TH TURN 1 "05 January 2021" "" ""
 .SH GENERAL INFORMATION
 A set of turnutils_* programs provides some utility functionality to be used
@ -63,8 +63,8 @@ script in examples/scripts/oauth.sh.
 .RE
 .PP
-.SH =====================================
+.RS
-
+=====================================
 .SS  NAME
 \fB
 \fBturnutils_uclient \fP\- this client emulation application is supplied for the test purposes only.
@ -276,8 +276,8 @@ the ORIGIN STUN attribute value.
 Bandwidth for the bandwidth request in ALLOCATE. The default value is zero.
 .PP
 See the examples in the "examples/scripts" directory.
-.SH ======================================
+.PP
-
+======================================
 .SS  NAME
 \fB
 \fBturnutils_peer \fP\- a simple UDP\-only echo backend server.
@ -314,8 +314,8 @@ If no listener \fBaddress\fP(es) defined, then it listens on all IPv4 and IPv6 a
 .B
 \fB\-v\fP
 Verbose
-.SH ========================================
+.PP
-
+========================================
 .SS  NAME
 \fB
 \fBturnutils_stunclient \fP\- a basic STUN client.
@ -354,8 +354,8 @@ and if it finds that the STUN server supports RFC 5780
 requests with different parameters, to demonstrate the NAT discovery capabilities.
 .PP
 This utility does not support the "old" "classic" STUN protocol (RFC 3489).
-.SH =====================================
+.PP
-
+=====================================
 .SS  NAME
 \fB
 \fBturnutils_rfc5769check \fP\- a utility that tests the correctness of STUN protocol implementation.
@ -380,8 +380,8 @@ check procedure, it is not copied to the installation destination.
 Usage:
 .PP
 $ \fIturnutils_rfc5769check\fP
-.SH =====================================
+.PP
-
+=====================================
 .SS  NAME
 \fB
 \fBturnutils_natdiscovery \fP\- a utility that discovers NAT mapping and filtering
@ -462,8 +462,8 @@ Used by mapping lifetime behavior discovery
 Usage:
 .PP
 $ \fIturnutils_natdiscovery\fP \fB\-m\fP \fB\-f\fP stun.example.com
-.SH =====================================
+.PP
-
+=====================================
 .SS  NAME
 \fB
 \fBturnutils_oauth \fP\- a utility that helps OAuth access_token generation/encryption and validation/decyption
@ -568,8 +568,8 @@ stun client hmac algorithm
 Usage:
 .PP
 $ \fIturnutils_natdiscovery\fP
-.SH ===================================
+.PP
-
+===================================
 .SH DOCS
 After installation, run the command:
@ -581,8 +581,8 @@ or in the project root directory:
 $ man \fB\-M\fP man \fIturnutils\fP
 .PP
 to see the man page.
-.SH =====================================
+.PP
-
+=====================================
 .SH FILES
 /etc/turnserver.conf
@ -594,8 +594,8 @@ to see the man page.
 /var/lib/turn/turndb
 .PP
 /usr/local/etc/turnserver.conf
-.SH =================================
+.PP
-
+=================================
 .SH DIRECTORIES
 /usr/local/share/\fIturnserver\fP
@ -603,13 +603,14 @@ to see the man page.
 /usr/local/share/doc/\fIturnserver\fP
 .PP
 /usr/local/share/examples/\fIturnserver\fP
-.SH ===================================
+.PP
-
+===================================
 .SH STANDARDS
 new STUN RFC 5389
-.SH TURN RFC 5766
+.PP
-
+TURN RFC 5766
 .PP
 TURN\-TCP extension RFC 6062
 .PP
 TURN IPv6 extension RFC 6156
@ -617,13 +618,14 @@ TURN IPv6 extension RFC 6156
 STUN/TURN test vectors RFC 5769
 .PP
 STUN NAT behavior discovery RFC 5780
-.SH ====================================
+.PP
-
+====================================
 .SH SEE ALSO
 \fIturnserver\fP, \fIturnadmin\fP
-.SH ======================================
+.RE
-
+.PP
 ======================================
 .SS  WEB RESOURCES
 project page:
@ -637,8 +639,9 @@ https://github.com/coturn/coturn/wiki
 forum:
 .PP
 https://groups.google.com/forum/?fromgroups=#!forum/turn\-server\-project\-rfc5766\-turn\-server/
-.SH ======================================
+.RE
-
+.PP
 ======================================
 .SS  AUTHORS
 Oleg Moskalenko <mom040267@gmail.com>
@ -667,4 +670,7 @@ Federico Pinna <fpinna@vivocha.com>
 .PP
 Bradley T. Hughes <bradleythughes@fastmail.fm>
 .PP
-Mihaly Meszaros <misi@majd.eu>
+Mihály Mészáros <misi@majd.eu>
 .SS  ACTIVE MAINTAINERS
 Mihály Mészáros <misi@majd.eu>
--- a/rpm/build.settings.sh
+++ b/rpm/build.settings.sh
@ -2,7 +2,7 @@
 # Common settings script.
-TURNVERSION=4.5.1.3
+TURNVERSION=4.5.2
 BUILDDIR=~/rpmbuild
 ARCH=`uname -p`
--- a/rpm/turnserver.spec
+++ b/rpm/turnserver.spec
@ -1,5 +1,5 @@
 Name:		turnserver
-Version:	4.5.1.3
+Version:	4.5.2
 Release:	0%{dist}
 Summary:	Coturn TURN Server
--- a/src/apps/common/ns_turn_openssl.h
+++ b/src/apps/common/ns_turn_openssl.h
@ -42,9 +42,4 @@
 #include <openssl/dh.h>
 #include <openssl/bn.h>
 #if (defined LIBRESSL_VERSION_NUMBER && OPENSSL_VERSION_NUMBER == 0x20000000L)
 #undef OPENSSL_VERSION_NUMBER
 #define OPENSSL_VERSION_NUMBER 0x1000107FL
 #endif
 #endif //__NST_OPENSSL_LIB__
--- a/src/apps/common/ns_turn_utils.c
+++ b/src/apps/common/ns_turn_utils.c
@ -158,42 +158,16 @@ void set_no_stdout_log(int val)
 	no_stdout_log = val;
 }
-void turn_log_func_default(TURN_LOG_LEVEL level, const char* format, ...)
+#define MAX_LOG_TIMESTAMP_FORMAT_LEN 48
-{
+static char turn_log_timestamp_format[MAX_LOG_TIMESTAMP_FORMAT_LEN] = "%FT%T%z";
 #if !defined(TURN_LOG_FUNC_IMPL)
 	{
 		va_list args;
 		va_start(args,format);
 		vrtpprintf(level, format, args);
 		va_end(args);
 	}
 #endif
-	{
+void set_turn_log_timestamp_format(char* new_format)
-		va_list args;
+{
-		va_start(args,format);
+	strncpy(turn_log_timestamp_format, new_format, MAX_LOG_TIMESTAMP_FORMAT_LEN-1);
 #if defined(TURN_LOG_FUNC_IMPL)
 		TURN_LOG_FUNC_IMPL(level,format,args);
 #else
 #define MAX_RTPPRINTF_BUFFER_SIZE (1024)
 		char s[MAX_RTPPRINTF_BUFFER_SIZE+1];
 #undef MAX_RTPPRINTF_BUFFER_SIZE
 		if (level == TURN_LOG_LEVEL_ERROR) {
 			snprintf(s,sizeof(s)-100,"%lu: ERROR: ",(unsigned long)log_time());
 			size_t slen = strlen(s);
 			vsnprintf(s+slen,sizeof(s)-slen-1,format, args);
 			fwrite(s,strlen(s),1,stdout);
 		} else if(!no_stdout_log) {
 			snprintf(s,sizeof(s)-100,"%lu: ",(unsigned long)log_time());
 			size_t slen = strlen(s);
 			vsnprintf(s+slen,sizeof(s)-slen-1,format, args);
 			fwrite(s,strlen(s),1,stdout);
 		}
 #endif
 		va_end(args);
 	}
 }
 int use_new_log_timestamp_format = 0;
 void addr_debug_print(int verbose, const ioa_addr *addr, const char* s)
 {
 	if (verbose) {
@ -512,20 +486,29 @@ static int get_syslog_level(TURN_LOG_LEVEL level)
 	return LOG_INFO;
 }
-int vrtpprintf(TURN_LOG_LEVEL level, const char *format, va_list args)
+void turn_log_func_default(TURN_LOG_LEVEL level, const char* format, ...)
 {
 	va_list args;
 	va_start(args,format);
 #if defined(TURN_LOG_FUNC_IMPL)
 	TURN_LOG_FUNC_IMPL(level,format,args);
 #else
 	/* Fix for Issue 24, raised by John Selbie: */
 #define MAX_RTPPRINTF_BUFFER_SIZE (1024)
 	char s[MAX_RTPPRINTF_BUFFER_SIZE+1];
 #undef MAX_RTPPRINTF_BUFFER_SIZE
-
+	size_t so_far = 0;
-	size_t sz;
+	if (use_new_log_timestamp_format) {
-
+		time_t now = time(NULL);
-	snprintf(s, sizeof(s), "%lu: ",(unsigned long)log_time());
+		so_far += strftime(s, sizeof(s), turn_log_timestamp_format, localtime(&now));
-	sz=strlen(s);
+	} else {
-	vsnprintf(s+sz, sizeof(s)-1-sz, format, args);
+		so_far += snprintf(s, sizeof(s), "%lu: ", (unsigned long)log_time());
-	s[sizeof(s)-1]=0;
+	}
-
+	so_far += snprintf(s + so_far, sizeof(s)-100, (level == TURN_LOG_LEVEL_ERROR) ? ": ERROR: " : ": ");
 	so_far += vsnprintf(s + so_far,sizeof(s) - (so_far+1), format, args);
 	/* always write to stdout */
 	fwrite(s, so_far, 1, stdout);
 	/* write to syslog or to log file */
 	if(to_syslog) {
 		syslog(get_syslog_level(level),"%s",s);
 	} else {
@ -538,16 +521,9 @@ int vrtpprintf(TURN_LOG_LEVEL level, const char *format, va_list args)
 		}
 		log_unlock();
 	}
 #endif
 	va_end(args);
 	return 0;
 }
 void rtpprintf(const char *format, ...)
 {
 	va_list args;
 	va_start (args, format);
 	vrtpprintf(TURN_LOG_LEVEL_INFO, format, args);
 	va_end (args);
 }
 ///////////// ORIGIN ///////////////////
--- a/src/apps/common/ns_turn_utils.h
+++ b/src/apps/common/ns_turn_utils.h
@ -61,6 +61,8 @@ void set_no_stdout_log(int val);
 void set_log_to_syslog(int val);
 void set_simple_log(int val);
 void set_turn_log_timestamp_format(char* new_format);
 void turn_log_func_default(TURN_LOG_LEVEL level, const char* format, ...);
 void addr_debug_print(int verbose, const ioa_addr *addr, const char* s);
@ -69,6 +71,7 @@ void addr_debug_print(int verbose, const ioa_addr *addr, const char* s);
 extern volatile int _log_time_value_set;
 extern volatile turn_time_t _log_time_value;
 extern int use_new_log_timestamp_format;
 void rtpprintf(const char *format, ...);
 int vrtpprintf(TURN_LOG_LEVEL level, const char *format, va_list args);
--- a/src/apps/relay/acme.c
+++ b/src/apps/relay/acme.c
@ -0,0 +1,92 @@
 /*
 * Copyright (C) 2020 Jens Elkner.  All rights reserved.
 *
 * License: MIT - see https://opensource.org/licenses/MIT
 */
 #include "acme.h"
 #include "ns_ioalib_impl.h"
 #define GET_ACME_PREFIX "GET /.well-known/acme-challenge/"
 #define GET_ACME_PREFIX_LEN 32
 static int is_acme_req(char *req, size_t len) {
 	static const char *A = "                                             -  0123456789       ABCDEFGHIJKLMNOPQRSTUVWXYZ    _ abcdefghijklmnopqrstuvwxyz     ";
 	int c, i, k;
 	// Check first request line. Should be like: GET path HTTP/1.x
 	if (strncmp(req, GET_ACME_PREFIX, GET_ACME_PREFIX_LEN))
 		return -1;
 	// Usually (for LE) the "method path" is 32 + 43 = 55 chars. But other
 	// implementations may choose longer pathes. We define PATHMAX = 127 chars
 	// to be prepared for "DoS" attacks (STUN msg size max. is ~ 64K).
 	len =- 21;					// min size of trailing headers
 	if (len > 131)
 		len = 131;
 	for (i=GET_ACME_PREFIX_LEN; i < (int) len; i++) {
 		// find the end of the path
 		if (req[i] != ' ')
 			continue;
 		// consider path < 10 chars invalid. Also we wanna see a "trailer".
 		if (i < (GET_ACME_PREFIX_LEN + 10) || strncmp(req + i, " HTTP/1.", 8))
 			return -2;
 		// finally check for allowed chars
 		for (k=GET_ACME_PREFIX_LEN; k < i; k++) {
 			c = req[k];
 			if ((c > 127) || (A[c] == ' '))
 				return -3;
 		}
 		// all checks passed: sufficient for us to answer with a redirect
 		return i;
 	}
 	return -4;		// end of path not found
 }
 int try_acme_redirect(char *req, size_t len, const char *url,
 	ioa_socket_handle s)
 {
 	static const char *HTML = 
 		"<html><head><title>301 Moved Permanently</title></head>\
 		<body><h1>301 Moved Permanently</h1></body></html>";
 	char http_response[1024];
 	size_t plen, rlen;
 	if (url == NULL || url[0] == '\0' || req == NULL || s == 0 )
 		return 1;
 	if (len < (GET_ACME_PREFIX_LEN + 32) || len > (512 - GET_ACME_PREFIX_LEN)
 			|| (plen = is_acme_req(req, len)) < (GET_ACME_PREFIX_LEN + 1))
 		return 2;
 	req[plen] = '\0';
 	snprintf(http_response, sizeof(http_response) - 1,
 		"HTTP/1.1 301 Moved Permanently\r\n"
 		"Content-Type: text/html\r\n"
 		"Content-Length: %ld\r\n"
 		"Connection: close\r\n"
 		"Location: %s%s\r\n"
 		"\r\n%s", strlen(HTML), url, req + GET_ACME_PREFIX_LEN, HTML);
 	rlen = strlen(http_response);
 #ifdef LIBEV_OK
 	ioa_network_buffer_handle nbh_acme = ioa_network_buffer_allocate(s->e);
 	uint8_t *data = ioa_network_buffer_data(nbh_acme);
 	bcopy(http_response, data, rlen);
 	ioa_network_buffer_set_size(nbh_acme, rlen);
 	send_data_from_ioa_socket_nbh(s, NULL, nbh_acme, TTL_IGNORE, TOS_IGNORE, NULL);
 #else
 	if (write(s->fd, http_response, rlen) == -1) {
 		TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING,
 			"Sending redirect to '%s%s' failed",url, req + GET_ACME_PREFIX_LEN);
 	} else if (((turn_turnserver *)s->session->server)->verbose) {
 		TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "ACME redirected to %s%s\n",
 			url, req + GET_ACME_PREFIX_LEN);
 	}
 #endif
 	req[plen] = ' ';
 	return 0;
 }
--- a/src/apps/relay/acme.h
+++ b/src/apps/relay/acme.h
@ -0,0 +1,57 @@
 /*
 * Copyright (C) 2011, 2012, 2013, 2014 Citrix Systems
 *
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
 #ifndef __TURN_ACME__
 #define __TURN_ACME__
 #include "ns_turn_utils.h"
 #include "ns_turn_server.h"
 #include "apputils.h"
 #include <stdlib.h>
 #include <stdio.h>
 #ifdef __cplusplus
 extern "C" {
 #endif
 ///////////// ACME /////////////////////
 int try_acme_redirect(char *req, size_t len, const char *url, ioa_socket_handle s);
 ///////////////////////////////////////
 #ifdef __cplusplus
 }
 #endif
 #endif
 /// __TURN_ACME__ ///
--- a/src/apps/relay/dbdrivers/dbd_mongo.c
+++ b/src/apps/relay/dbdrivers/dbd_mongo.c
@ -1124,7 +1124,7 @@ static void mongo_reread_realms(secrets_list_t * realms_list) {
 								ur_string_map_value_type value =
 										(ur_string_map_value_type) (rval);
 								ur_string_map_put(o_to_realm_new,
-										(const ur_string_map_key_type) _origin,
+										(ur_string_map_key_type) _origin,
 										value);
 								free(_origin);
 							}
--- a/src/apps/relay/dbdrivers/dbd_mysql.c
+++ b/src/apps/relay/dbdrivers/dbd_mysql.c
@ -1048,7 +1048,7 @@ static void mysql_reread_realms(secrets_list_t * realms_list) {
 									char *rval=strdup(row[1]);
 									get_realm(rval);
 									ur_string_map_value_type value = (ur_string_map_value_type)rval;
-									ur_string_map_put(o_to_realm_new, (const ur_string_map_key_type) oval, value);
+									ur_string_map_put(o_to_realm_new, (ur_string_map_key_type) oval, value);
 								}
 							}
 						}
--- a/src/apps/relay/dbdrivers/dbd_pgsql.c
+++ b/src/apps/relay/dbdrivers/dbd_pgsql.c
@ -758,7 +758,7 @@ static void pgsql_reread_realms(secrets_list_t * realms_list) {
 						if(rval) {
 							get_realm(rval);
 							ur_string_map_value_type value = strdup(rval);
-							ur_string_map_put(o_to_realm_new, (const ur_string_map_key_type) oval, value);
+							ur_string_map_put(o_to_realm_new, (ur_string_map_key_type) oval, value);
 						}
 					}
 				}
--- a/src/apps/relay/dbdrivers/dbd_redis.c
+++ b/src/apps/relay/dbdrivers/dbd_redis.c
@ -1161,7 +1161,7 @@ static void redis_reread_realms(secrets_list_t * realms_list) {
 					} else {
 						get_realm(rget->str);
 						ur_string_map_value_type value = strdup(rget->str);
-						ur_string_map_put(o_to_realm_new, (const ur_string_map_key_type) origin, value);
+						ur_string_map_put(o_to_realm_new, (ur_string_map_key_type) origin, value);
 					}
 					turnFreeRedisReply(rget);
 				}
--- a/src/apps/relay/dbdrivers/dbd_sqlite.c
+++ b/src/apps/relay/dbdrivers/dbd_sqlite.c
@ -1038,7 +1038,7 @@ static void sqlite_reread_realms(secrets_list_t * realms_list)
 						get_realm(rval);
 						ur_string_map_value_type value = rval;
-						ur_string_map_put(o_to_realm_new, (const ur_string_map_key_type) oval, value);
+						ur_string_map_put(o_to_realm_new, (ur_string_map_key_type) oval, value);
 						free(oval);
--- a/src/apps/relay/dtls_listener.c
+++ b/src/apps/relay/dtls_listener.c
@ -456,7 +456,7 @@ static int handle_udp_packet(dtls_listener_relay_server_type *server,
 		sm->m.sm.s = s;
 		if (s) {
-			if(verbose) {
+			if(verbose && turn_params.log_binding) {
 				uint8_t saddr[129];
 				uint8_t rsaddr[129];
 				addr_to_string(get_local_addr_from_ioa_socket(s),saddr);
--- a/src/apps/relay/mainrelay.c
+++ b/src/apps/relay/mainrelay.c
@ -114,7 +114,7 @@ NULL, PTHREAD_MUTEX_INITIALIZER,
 //////////////// Common params ////////////////////
 TURN_VERBOSE_NONE,0,0,0,0,
-"/var/run/turnserver.pid",
+"/var/run/turnserver.pid","",
 DEFAULT_STUN_PORT,DEFAULT_STUN_TLS_PORT,0,0,0,1,
 0,0,0,0,0,
 "",
@ -168,7 +168,9 @@ DEFAULT_CPUS_NUMBER,
 0,  /* keep_address_family */
 0,  /* no_auth_pings */
 0,  /* no_dynamic_ip_list */
-0   /* no_dynamic_realms */
+0,  /* no_dynamic_realms */
 0   /* log_binding */
 };
 //////////////// OpenSSL Init //////////////////////
@ -603,6 +605,9 @@ static char Usage[] = "Usage: turnserver [options]\n"
 " --simple-log					This flag means that no log file rollover will be used, and the log file\n"
 "						name will be constructed as-is, without PID and date appendage.\n"
 "						This option can be used, for example, together with the logrotate tool.\n"
 " --new-log-timestamp				Enable full ISO-8601 timestamp in all logs.\n"
 " --new-log-timestamp-format    	<format>	Set timestamp format (in strftime(1) format)\n"
 " --log-binding					Log STUN binding request. It is now disabled by default to avoid DoS attacks.\n"
 " --stale-nonce[=<value>]			Use extra security with nonce value having limited lifetime (default 600 secs).\n"
 " --max-allocate-lifetime	<value>		Set the maximum value for the allocation lifetime. Default to 3600 secs.\n"
 " --channel-lifetime		<value>		Set the lifetime for channel binding, default to 600 secs.\n"
@ -627,6 +632,8 @@ static char Usage[] = "Usage: turnserver [options]\n"
 " --pidfile <\"pid-file-name\">			File name to store the pid of the process.\n"
 "						Default is /var/run/turnserver.pid (if superuser account is used) or\n"
 "						/var/tmp/turnserver.pid .\n"
 " --acme-redirect <URL>				Redirect ACME, i.e. HTTP GET requests matching '^/.well-known/acme-challenge/(.*)' to '<URL>$1'.\n"
 "						Default is '', i.e. no special handling for such requests.\n"
 " --secure-stun					Require authentication of the STUN Binding request.\n"
 "						By default, the clients are allowed anonymous access to the STUN Binding functionality.\n"
 " --proc-user <user-name>			User name to run the turnserver process.\n"
@ -662,10 +669,6 @@ static char Usage[] = "Usage: turnserver [options]\n"
 "						This value can be changed on-the-fly in CLI. The default value is 256.\n"
 " --ne=[1|2|3]					Set network engine type for the process (for internal purposes).\n"
 " -h						Help\n"
 "\n"
 " For more information, see the wiki pages:\n"
 "\n"
 "	https://github.com/coturn/coturn/wiki/\n"
 "\n";
 static char AdminUsage[] = "Usage: turnadmin [command] [options]\n"
@ -761,6 +764,8 @@ enum EXTRA_OPTS {
 	NO_STDOUT_LOG_OPT,
 	SYSLOG_OPT,
 	SIMPLE_LOG_OPT,
 	NEW_LOG_TIMESTAMP_OPT,
 	NEW_LOG_TIMESTAMP_FORMAT_OPT,
 	AUX_SERVER_OPT,
 	UDP_SELF_BALANCE_OPT,
 	ALTERNATE_SERVER_OPT,
@ -806,7 +811,9 @@ enum EXTRA_OPTS {
 	OAUTH_OPT,
 	NO_SOFTWARE_ATTRIBUTE_OPT,
 	NO_HTTP_OPT,
-	SECRET_KEY_OPT
+	SECRET_KEY_OPT,
 	ACME_REDIRECT_OPT,
 	LOG_BINDING_OPT
 };
 struct myoption {
@ -899,6 +906,8 @@ static const struct myoption long_options[] = {
 				{ "no-stdout-log", optional_argument, NULL, NO_STDOUT_LOG_OPT },
 				{ "syslog", optional_argument, NULL, SYSLOG_OPT },
 				{ "simple-log", optional_argument, NULL, SIMPLE_LOG_OPT },
 				{ "new-log-timestamp", optional_argument, NULL, NEW_LOG_TIMESTAMP_OPT },
 				{ "new-log-timestamp-format", required_argument, NULL, NEW_LOG_TIMESTAMP_FORMAT_OPT },
 				{ "aux-server", required_argument, NULL, AUX_SERVER_OPT },
 				{ "udp-self-balance", optional_argument, NULL, UDP_SELF_BALANCE_OPT },
 				{ "alternate-server", required_argument, NULL, ALTERNATE_SERVER_OPT },
@ -938,6 +947,9 @@ static const struct myoption long_options[] = {
 				{ "no-tlsv1_2", optional_argument, NULL, NO_TLSV1_2_OPT },
 				{ "secret-key-file", required_argument, NULL, SECRET_KEY_OPT },
 				{ "keep-address-family", optional_argument, NULL, 'K' },
 				{ "acme-redirect", required_argument, NULL, ACME_REDIRECT_OPT },
 				{ "log-binding", optional_argument, NULL, LOG_BINDING_OPT },
 				{ NULL, no_argument, NULL, 0 }
 };
@ -1161,7 +1173,7 @@ static void set_option(int c, char *value)
 	  STRCPY(turn_params.oauth_server_name,value);
 	  break;
  case OAUTH_OPT:
-	  if(!ENC_ALG_NUM) {
+	  if( ENC_ALG_NUM == 0) {
 		  TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: option --oauth is not supported; ignored.\n");
 	  } else {
 		  turn_params.oauth = get_bool_value(value);
@ -1362,6 +1374,8 @@ static void set_option(int c, char *value)
 						TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,"-X : Wrong address format: %s\n",div);
 					} else {
 						ioa_addr_add_mapping(&apub,&apriv);
 						if (add_ip_list_range((const char *)div, NULL, &turn_params.ip_whitelist) == 0)
 							TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "Whitelisting external-ip private part: %s\n", div);
 					}
 				}
 				free(nval);
@ -1581,16 +1595,25 @@ static void set_option(int c, char *value)
 	case PIDFILE_OPT:
 		STRCPY(turn_params.pidfile,value);
 		break;
 	case ACME_REDIRECT_OPT:
 		STRCPY(turn_params.acme_redirect,value);
 		break;
 	case 'C':
 		if(value && *value) {
 			turn_params.rest_api_separator=*value;
 		}
 		break;
 	case LOG_BINDING_OPT:
 		turn_params.log_binding = get_bool_value(value);
 		break;
 	/* these options have been already taken care of before: */
 	case 'l':
 	case NO_STDOUT_LOG_OPT:
 	case SYSLOG_OPT:
 	case SIMPLE_LOG_OPT:
 	case NEW_LOG_TIMESTAMP_OPT:
 	case NEW_LOG_TIMESTAMP_FORMAT_OPT:
 	case 'c':
 	case 'n':
 	case 'h':
@ -1717,9 +1740,13 @@ static void read_config_file(int argc, char **argv, int pass)
 						set_log_to_syslog(get_bool_value(value));
 					} else if((pass==0) && (c==SIMPLE_LOG_OPT)) {
 						set_simple_log(get_bool_value(value));
-					} else if((pass == 0) && (c != 'u')) {
+					} else if ((pass==0) && (c==NEW_LOG_TIMESTAMP_OPT)) {
 						use_new_log_timestamp_format=1;
 					} else if ((pass==0) && (c==NEW_LOG_TIMESTAMP_FORMAT_OPT)) {
 						set_turn_log_timestamp_format(value);
 					} else if((pass == 1) && (c != 'u')) {
 						set_option(c, value);
-					} else if((pass > 0) && (c == 'u')) {
+					} else if((pass == 2) && (c == 'u')) {
 						set_option(c, value);
 					}
 					if (s[slen - 1] == 59) {
@ -1997,7 +2024,7 @@ static void print_features(unsigned long mfn)
 	TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "\n\n==== Show him the instruments, Practical Frost: ====\n\n");
-/*
+	/*
 	   Frost stepped forward and opened the polished case with a theatrical
 	   flourish. It was a masterful piece of craftsmanship. As the lid was
 	   pulled back, the many trays inside lifted and fanned out, displaying
@ -2006,7 +2033,7 @@ static void print_features(unsigned long mfn)
 	   nails and screws, clamps and pliers, saws, hammers, chisels. Metal, wood
 	   and glass glittered in the bright lamplight, all polished to mirror
 	   brightness and honed to a murderous sharpness.
-*/
+	   */
 #if !TLS_SUPPORTED
 	TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "TLS is not supported\n");
@ -2031,7 +2058,7 @@ static void print_features(unsigned long mfn)
 	TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "TURN/STUN ALPN is not supported\n");
 #endif
-	if(!ENC_ALG_NUM) {
+	if(ENC_ALG_NUM == 0) {
 		TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "Third-party authorization (oAuth) is not supported\n");
 	} else {
 		TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "Third-party authorization (oAuth) supported\n");
@ -2197,6 +2224,12 @@ int main(int argc, char **argv)
 			case SIMPLE_LOG_OPT:
 				set_simple_log(get_bool_value(optarg));
 				break;
 			case NEW_LOG_TIMESTAMP_OPT:
 				use_new_log_timestamp_format=1;
 				break;
 			case NEW_LOG_TIMESTAMP_FORMAT_OPT:
 				set_turn_log_timestamp_format(optarg);
 				break;
 			default:
 				;
 			}
@ -2233,8 +2266,10 @@ int main(int argc, char **argv)
 	if(strstr(argv[0],"turnadmin"))
 		return adminmain(argc,argv);
-
+	// Zero pass apply the log options.
 	read_config_file(argc,argv,0);
 	// First pass read other config options
 	read_config_file(argc,argv,1);
 	struct uoptions uo;
 	uo.u.m = long_options;
@ -2244,7 +2279,8 @@ int main(int argc, char **argv)
 			set_option(c,optarg);
 	}
-	read_config_file(argc,argv,1);
+	// Second pass read -u options
 	read_config_file(argc,argv,2);
 	{
 		unsigned long mfn = set_system_parameters(1);
@ -2259,6 +2295,9 @@ int main(int argc, char **argv)
 	TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "Domain name: %s\n",turn_params.domain);
 	TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "Default realm: %s\n",get_realm(NULL)->options.name);
 	if(turn_params.acme_redirect[0]) {
 		TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "ACME redirect URL: %s\n",turn_params.acme_redirect);
 	}
 	if(turn_params.oauth && turn_params.oauth_server_name[0]) {
 		TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "oAuth server name: %s\n",turn_params.oauth_server_name);
 	}
@ -2554,7 +2593,7 @@ static int THREAD_setup(void) {
 	mutex_buf_initialized = 1;
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER <= OPENSSL_VERSION_1_1_1
 	CRYPTO_THREADID_set_callback(coturn_id_function);
 #else
 	CRYPTO_set_id_callback(coturn_id_function);
@ -2576,7 +2615,7 @@ int THREAD_cleanup(void) {
  if (!mutex_buf_initialized)
    return 0;
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER <= OPENSSL_VERSION_1_1_1
 	CRYPTO_THREADID_set_callback(NULL);
 #else
 	CRYPTO_set_id_callback(NULL);
--- a/src/apps/relay/mainrelay.h
+++ b/src/apps/relay/mainrelay.h
@ -219,6 +219,7 @@ typedef struct _turn_params_ {
  int do_not_use_config_file;
  char pidfile[1025];
  char acme_redirect[1025];
  ////////////////  Listener server /////////////////
@ -332,6 +333,8 @@ typedef struct _turn_params_ {
  int no_dynamic_ip_list;
  int no_dynamic_realms;
  vint log_binding;
 } turn_params_t;
 extern turn_params_t turn_params;
--- a/src/apps/relay/netengine.c
+++ b/src/apps/relay/netengine.c
@ -1667,7 +1667,9 @@ static void setup_relay_server(struct relay_server *rs, ioa_engine_handle e, int
 			 allocate_bps,
 			 turn_params.oauth,
 			 turn_params.oauth_server_name,
-			 turn_params.keep_address_family);
+			 turn_params.acme_redirect,
 			 turn_params.keep_address_family,
 			 &turn_params.log_binding);
 	if(to_set_rfc5780) {
 		set_rfc5780(&(rs->server), get_alt_addr, send_message_from_listener_to_client);
--- a/src/apps/relay/ns_ioalib_engine_impl.c
+++ b/src/apps/relay/ns_ioalib_engine_impl.c
@ -1833,7 +1833,7 @@ int ssl_read(evutil_socket_t fd, SSL* ssl, ioa_network_buffer_handle nbh, int ve
 	BIO* rbio = BIO_new_mem_buf(buffer, old_buffer_len);
 	BIO_set_mem_eof_return(rbio, -1);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined LIBRESSL_VERSION_NUMBER
 	ssl->rbio = rbio;
 #else
 	SSL_set0_rbio(ssl,rbio);
@ -1928,7 +1928,7 @@ int ssl_read(evutil_socket_t fd, SSL* ssl, ioa_network_buffer_handle nbh, int ve
 	if(ret>0) {
 		ioa_network_buffer_add_offset_size(nbh, (uint16_t)buf_size, 0, (size_t)ret);
 	}
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined LIBRESSL_VERSION_NUMBER
 	ssl->rbio = NULL;
 	BIO_free(rbio);
 #else
@ -2166,6 +2166,101 @@ static TURN_TLS_TYPE check_tentative_tls(ioa_socket_raw fd)
 }
 #endif
 static size_t proxy_string_field(char *field, size_t max, uint8_t *buf, size_t index, size_t len)
 {
 	size_t count = 0;
 	while((index < len) && (count < max)) {
 		if((0x20 == buf[index]) || (0x0D == buf[index])) {
 			field[count] = 0x00;
 			return ++index;
 		}
 		field[count++] = buf[index++];
 	}
 	return 0;
 }
 static ssize_t socket_parse_proxy_v1(ioa_socket_handle s, uint8_t *buf, size_t len)
 {
 	if(len < 11) {
 		return 0 ;
 	}
 	/* Check for proxy-v1 magic field */
 	char magic[] = {0x50, 0x52, 0x4F, 0x58, 0x59, 0x20};
 	if(memcmp(magic, buf, sizeof(magic))) {
 		return -1;
 	}
 	/* Read family */
 	char tcp4[] = {0x54, 0x43, 0x50, 0x34, 0x20};
 	char tcp6[] = {0x54, 0x43, 0x50, 0x36, 0x20};
 	int family;
 	if(0 == memcmp(tcp4, &buf[6], sizeof(tcp4))) { /* IPv4 */
 		family = AF_INET;
 	} else if(0 == memcmp(tcp6, &buf[6], sizeof(tcp6))) { /* IPv6 */
 		family = AF_INET6;
 	} else {
 		return -1;
 	}
 	char saddr[40];
 	char daddr[40];
 	char sport[6];
 	char dport[6];
 	size_t tlen = 11;
 	/* Read source address */
 	tlen = proxy_string_field(saddr, sizeof(saddr), buf, tlen, len);
 	if(0 == tlen) return -1;
 	/* Read dest address */
 	tlen = proxy_string_field(daddr, sizeof(daddr), buf, tlen, len);
 	if(0 == tlen) return -1;
 	/* Read source port */
 	tlen = proxy_string_field(sport, sizeof(sport), buf, tlen, len);
 	if(0 == tlen) return -1;
 	/* Read dest port */
 	tlen = proxy_string_field(dport, sizeof(dport), buf, tlen, len);
 	if(0 == tlen) return -1;
 	/* Final line feed */
 	if ((len <= tlen) || (0x0A != buf[tlen])) return -1;
 	tlen++;
 	int sport_int = atoi(sport);
 	int dport_int = atoi(dport);
 	if((sport_int < 0) || (0xFFFF < sport_int)) return -1;
 	if((dport_int < 0) || (0xFFFF < dport_int)) return -1;
 	if (AF_INET == family) {
 		struct sockaddr_in remote, local;
 		remote.sin_family = local.sin_family = AF_INET;
 		if(1 != inet_pton(AF_INET, saddr, &remote.sin_addr.s_addr)) return -1;
 		if(1 != inet_pton(AF_INET, daddr, &local.sin_addr.s_addr)) return -1;
 		remote.sin_port = htons((uint16_t)sport_int);
 		local.sin_port = htons((uint16_t)dport_int);
 		addr_cpy4(&(s->local_addr),  &local);
 		addr_cpy4(&(s->remote_addr), &remote);
 	} else {
 		struct sockaddr_in6 remote, local;
 		remote.sin6_family = local.sin6_family = AF_INET6;
 		if(1 != inet_pton(AF_INET6, saddr, &remote.sin6_addr.s6_addr)) return -1;
 		if(1 != inet_pton(AF_INET6, daddr, &local.sin6_addr.s6_addr)) return -1;
 		remote.sin6_port = htons((uint16_t)sport_int);
 		local.sin6_port = htons((uint16_t)dport_int);
 		addr_cpy6(&(s->local_addr),  &local);
 		addr_cpy6(&(s->remote_addr), &remote);
 	}
 	return tlen;
 }
 static ssize_t socket_parse_proxy_v2(ioa_socket_handle s, uint8_t *buf, size_t len)
 {
 	if(len < 16){
@ -2227,6 +2322,16 @@ static ssize_t socket_parse_proxy_v2(ioa_socket_handle s, uint8_t *buf, size_t l
 	return tlen;
 }
 static ssize_t socket_parse_proxy(ioa_socket_handle s, uint8_t *buf, size_t len)
 {
 	ssize_t tlen = socket_parse_proxy_v2(s, buf, len);
 	if(-1 == tlen) {
 		tlen = socket_parse_proxy_v1(s, buf, len);
 	}
 	return tlen;
 }
 static int socket_input_worker(ioa_socket_handle s)
 {
 	int len = 0;
@ -2450,7 +2555,7 @@ static int socket_input_worker(ioa_socket_handle s)
 				  blen=(ev_ssize_t)STUN_BUFFER_SIZE;
 				if(s->st == TCP_SOCKET_PROXY){
-					ssize_t tlen = socket_parse_proxy_v2(s, buf_elem->buf.buf, blen);
+					ssize_t tlen = socket_parse_proxy(s, buf_elem->buf.buf, blen);
 					blen = 0;
 					if (tlen < 0){
 						s->tobeclosed = 1;
@ -3374,7 +3479,7 @@ int register_callback_on_ioa_socket(ioa_engine_handle e, ioa_socket_handle s, in
 						}
 					} else {
 #if TLS_SUPPORTED
-						if(check_tentative_tls(s->fd)) {
+						if((s->sat != TCP_CLIENT_DATA_SOCKET) && (s->sat != TCP_RELAY_DATA_SOCKET) && check_tentative_tls(s->fd)) {
 							s->tobeclosed = 1;
 							return -1;
 						}
--- a/src/client++/TurnMsgLib.h
+++ b/src/client++/TurnMsgLib.h
@ -75,7 +75,7 @@ public:
 	/**
 	 * Iterator constructor: creates iterator on raw messagebuffer.
 	 */
-	StunAttrIterator(uint8_t *buf, size_t sz) throw (WrongStunBufferFormatException) :
+	StunAttrIterator(uint8_t *buf, size_t sz) :
 		_buf(buf), _sz(sz)  {
 		if(!stun_is_command_message_str(_buf, _sz)) {
 			throw WrongStunBufferFormatException();
@ -87,7 +87,7 @@ public:
 	 * Iterator constructor: create iterator over message.
 	 */
 	template<class T>
-	StunAttrIterator(T &msg) throw (WrongStunBufferFormatException) :
+	StunAttrIterator(T &msg) :
 		_buf(msg.getRawBuffer()), _sz(msg.getSize())  {
 		if(!stun_is_command_message_str(_buf, _sz)) {
 			throw WrongStunBufferFormatException();
@ -99,7 +99,7 @@ public:
 	 * Iterator constructor: creates iterator over raw buffer, starting from first
 	 * location of an attribute of particular type.
 	 */
-	StunAttrIterator(uint8_t *buf, size_t sz, uint16_t attr_type) throw (WrongStunBufferFormatException) :
+	StunAttrIterator(uint8_t *buf, size_t sz, uint16_t attr_type) :
 			_buf(buf), _sz(sz)  {
 		if(!stun_is_command_message_str(_buf, _sz)) {
 			throw WrongStunBufferFormatException();
@ -112,7 +112,7 @@ public:
 	 * location of an attribute of particular type.
 	 */
 	template<class T>
-	StunAttrIterator(T &msg, uint16_t attr_type) throw (WrongStunBufferFormatException) :
+	StunAttrIterator(T &msg, uint16_t attr_type) :
 			_buf(msg.getRawBuffer()), _sz(msg.getSize())  {
 		if(!stun_is_command_message_str(_buf, _sz)) {
 			throw WrongStunBufferFormatException();
@ -123,7 +123,7 @@ public:
 	/**
 	 * Moves iterator to next attribute location
 	 */
-	void next() throw(EndOfStunMsgException) {
+	void next() {
 		if(!_sar) {
 			throw EndOfStunMsgException();
 		}
@ -167,7 +167,7 @@ public:
 	 * Return raw memroy field of the attribute value.
 	 * If the attribute value length is zero (0), then return NULL.
 	 */
-	const uint8_t *getRawBuffer(size_t &sz) const throw(WrongStunAttrFormatException) {
+	const uint8_t *getRawBuffer(size_t &sz) const {
 		int len = stun_attr_get_len(_sar);
 		if(len<0)
 			throw WrongStunAttrFormatException();
@ -196,7 +196,7 @@ public:
 	/**
 	 * Constructs attribute from iterator
 	 */
-	StunAttr(const StunAttrIterator &iter) throw(WrongStunAttrFormatException, EndOfStunMsgException) {
+	StunAttr(const StunAttrIterator &iter) {
 		if(iter.eof()) {
 			throw EndOfStunMsgException();
 		}
@ -219,7 +219,7 @@ public:
 	 */
 	virtual ~StunAttr() {
 		if(_value)
-			free(_value,_sz);
+			free(_value);
 	}
 	/**
@ -233,11 +233,11 @@ public:
 	/**
 	 * Set raw data value
 	 */
-	void setRawValue(uint8_t *value, size_t sz) throw(WrongStunAttrFormatException) {
+	void setRawValue(uint8_t *value, size_t sz) {
 		if(sz>0xFFFF)
 			throw WrongStunAttrFormatException();
 		if(_value)
-			free(_value,_sz);
+			free(_value);
 		_sz = sz;
 		_value=(uint8_t*)malloc(_sz);
 		if(value)
@ -262,7 +262,7 @@ public:
 	 * Add attribute to a message
 	 */
 	template<class T>
-	int addToMsg(T &msg) throw(WrongStunAttrFormatException, WrongStunBufferFormatException) {
+	int addToMsg(T &msg) {
 		if(!_attr_type)
 			throw WrongStunAttrFormatException();
 		uint8_t *buffer = msg.getRawBuffer();
@ -281,7 +281,7 @@ protected:
 	/**
 	 * Virtual function member to add attribute to a raw buffer
 	 */
-	virtual int addToBuffer(uint8_t *buffer, size_t &sz) throw(WrongStunAttrFormatException, WrongStunBufferFormatException) {
+	virtual int addToBuffer(uint8_t *buffer, size_t &sz) {
 		if(buffer) {
 			if(!_value)
 				throw WrongStunAttrFormatException();
@ -313,8 +313,7 @@ public:
 	StunAttrChannelNumber() : _cn(0) {
 		setType(STUN_ATTRIBUTE_CHANNEL_NUMBER);
 	}
-	StunAttrChannelNumber(const StunAttrIterator &iter)
+	StunAttrChannelNumber(const StunAttrIterator &iter) :
 		throw(WrongStunAttrFormatException, EndOfStunMsgException) :
 		StunAttr(iter) {
 		if(iter.eof())
@ -331,7 +330,7 @@ public:
 		_cn = cn;
 	}
 protected:
-	virtual int addToBuffer(uint8_t *buffer, size_t &sz) throw(WrongStunAttrFormatException, WrongStunBufferFormatException) {
+	virtual int addToBuffer(uint8_t *buffer, size_t &sz) {
 		return stun_attr_add_channel_number_str(buffer,&sz,_cn);
 	}
 private:
@ -346,8 +345,7 @@ public:
 	StunAttrEvenPort() : _ep(0) {
 		setType(STUN_ATTRIBUTE_EVEN_PORT);
 	}
-	StunAttrEvenPort(const StunAttrIterator &iter)
+	StunAttrEvenPort(const StunAttrIterator &iter) :
 		throw(WrongStunAttrFormatException, EndOfStunMsgException) :
 		StunAttr(iter) {
 		if(iter.eof())
@ -362,7 +360,7 @@ public:
 		_ep = ep;
 	}
 protected:
-	virtual int addToBuffer(uint8_t *buffer, size_t &sz) throw(WrongStunAttrFormatException, WrongStunBufferFormatException) {
+	virtual int addToBuffer(uint8_t *buffer, size_t &sz) {
 		return stun_attr_add_str(buffer, &sz, STUN_ATTRIBUTE_EVEN_PORT, &_ep, 1);
 	}
 private:
@ -377,8 +375,7 @@ public:
 	StunAttrReservationToken() : _rt(0) {
 		setType(STUN_ATTRIBUTE_RESERVATION_TOKEN);
 	}
-	StunAttrReservationToken(const StunAttrIterator &iter)
+	StunAttrReservationToken(const StunAttrIterator &iter) :
 		throw(WrongStunAttrFormatException, EndOfStunMsgException) :
 		StunAttr(iter) {
 		if(iter.eof())
@ -393,7 +390,7 @@ public:
 		_rt = rt;
 	}
 protected:
-	virtual int addToBuffer(uint8_t *buffer, size_t &sz) throw(WrongStunAttrFormatException, WrongStunBufferFormatException) {
+	virtual int addToBuffer(uint8_t *buffer, size_t &sz) {
 		uint64_t reservation_token = ioa_ntoh64(_rt);
 		return stun_attr_add_str(buffer, &sz, STUN_ATTRIBUTE_RESERVATION_TOKEN, (uint8_t*) (&reservation_token), 8);
 	}
@ -410,8 +407,7 @@ public:
 		addr_set_any(&_addr);
 		setType(attr_type);
 	}
-	StunAttrAddr(const StunAttrIterator &iter)
+	StunAttrAddr(const StunAttrIterator &iter) :
 		throw(WrongStunAttrFormatException, EndOfStunMsgException) :
 		StunAttr(iter) {
 		if(iter.eof())
@ -430,7 +426,7 @@ public:
 		addr_cpy(&_addr,&addr);
 	}
 protected:
-	virtual int addToBuffer(uint8_t *buffer, size_t &sz) throw(WrongStunAttrFormatException, WrongStunBufferFormatException) {
+	virtual int addToBuffer(uint8_t *buffer, size_t &sz) {
 		return stun_attr_add_addr_str(buffer, &sz, getType(), &_addr);
 	}
 private:
@ -445,8 +441,7 @@ public:
 	StunAttrChangeRequest() : _changeIp(0), _changePort(0) {
 		setType(STUN_ATTRIBUTE_CHANGE_REQUEST);
 	}
-	StunAttrChangeRequest(const StunAttrIterator &iter)
+	StunAttrChangeRequest(const StunAttrIterator &iter) :
 		throw(WrongStunAttrFormatException, EndOfStunMsgException) :
 		StunAttr(iter) {
 		if(iter.eof())
@ -476,7 +471,7 @@ public:
 			_changePort = 0;
 	}
 protected:
-	virtual int addToBuffer(uint8_t *buffer, size_t &sz) throw(WrongStunAttrFormatException, WrongStunBufferFormatException) {
+	virtual int addToBuffer(uint8_t *buffer, size_t &sz) {
 		return stun_attr_add_change_request_str(buffer, &sz, _changeIp, _changePort);
 	}
 private:
@ -492,8 +487,7 @@ public:
 	StunAttrResponsePort() : _rp(0) {
 		setType(STUN_ATTRIBUTE_RESPONSE_PORT);
 	}
-	StunAttrResponsePort(const StunAttrIterator &iter)
+	StunAttrResponsePort(const StunAttrIterator &iter) :
 		throw(WrongStunAttrFormatException, EndOfStunMsgException) :
 		StunAttr(iter) {
 		if(iter.eof())
@ -513,7 +507,7 @@ public:
 		_rp = p;
 	}
 protected:
-	virtual int addToBuffer(uint8_t *buffer, size_t &sz) throw(WrongStunAttrFormatException, WrongStunBufferFormatException) {
+	virtual int addToBuffer(uint8_t *buffer, size_t &sz) {
 		return stun_attr_add_response_port_str(buffer, &sz, _rp);
 	}
 private:
@ -528,8 +522,7 @@ public:
 	StunAttrPadding() : _p(0) {
 		setType(STUN_ATTRIBUTE_PADDING);
 	}
-	StunAttrPadding(const StunAttrIterator &iter)
+	StunAttrPadding(const StunAttrIterator &iter) :
 		throw(WrongStunAttrFormatException, EndOfStunMsgException) :
 		StunAttr(iter) {
 		if(iter.eof())
@ -552,7 +545,7 @@ public:
 		_p = p;
 	}
 protected:
-	virtual int addToBuffer(uint8_t *buffer, size_t &sz) throw(WrongStunAttrFormatException, WrongStunBufferFormatException) {
+	virtual int addToBuffer(uint8_t *buffer, size_t &sz) {
 		return stun_attr_add_padding_str(buffer, &sz, _p);
 	}
 private:
@ -588,7 +581,7 @@ public:
 	 */
 	virtual ~StunMsg() {
 		if(_deallocate && _buffer) {
-			free(_buffer, _allocated_sz);
+			free(_buffer);
 		}
 	}
@ -623,7 +616,7 @@ public:
 	/**
 	 * Set message size
 	 */
-	void setSize(size_t sz) throw(WrongStunBufferFormatException) {
+	void setSize(size_t sz) {
 		if(sz>_allocated_sz)
 			throw WrongStunBufferFormatException();
 		_sz = sz;
@ -700,14 +693,14 @@ public:
 	/**
 	 * Add attribute to the message
 	 */
-	int addAttr(StunAttr &attr) throw(WrongStunAttrFormatException, WrongStunBufferFormatException) {
+	int addAttr(StunAttr &attr) {
 		return attr.addToMsg(*this);
 	}
 	/**
 	 * Get transaction ID
 	 */
-	virtual stun_tid getTid() const throw(WrongStunBufferFormatException) {
+	virtual stun_tid getTid() const {
 		if(!_constructed || !isCommand())
 			throw WrongStunBufferFormatException();
 		stun_tid tid;
@ -718,7 +711,7 @@ public:
 	/**
 	 * Set transaction ID
 	 */
-	virtual void setTid(stun_tid &tid) throw(WrongStunBufferFormatException) {
+	virtual void setTid(stun_tid &tid) {
 		if(!_constructed || !isCommand())
 			throw WrongStunBufferFormatException();
 		stun_tid_message_cpy(_buffer, &tid);
@ -727,7 +720,7 @@ public:
 	/**
 	 * Add fingerprint to the message
 	 */
-	void addFingerprint() throw(WrongStunBufferFormatException) {
+	void addFingerprint() {
 		if(!_constructed || !isCommand())
 			throw WrongStunBufferFormatException();
 		stun_attr_add_fingerprint_str(_buffer,&_sz);
@ -736,8 +729,7 @@ public:
 	/**
 	 * Check message integrity, in secure communications.
 	 */
-	bool checkMessageIntegrity(turn_credential_type ct, std::string &uname, std::string &realm, std::string &upwd) const
+	bool checkMessageIntegrity(turn_credential_type ct, std::string &uname, std::string &realm, std::string &upwd) const {
 		throw(WrongStunBufferFormatException) {
 		if(!_constructed || !isCommand())
 			throw WrongStunBufferFormatException();
 		uint8_t *suname=(uint8_t*)strdup(uname.c_str());
@ -754,8 +746,7 @@ public:
 	/**
 	 * Adds long-term message integrity data to the message.
 	 */
-	void addLTMessageIntegrity(std::string &uname, std::string &realm, std::string &upwd, std::string &nonce)
+	void addLTMessageIntegrity(std::string &uname, std::string &realm, std::string &upwd, std::string &nonce) {
 		throw(WrongStunBufferFormatException) {
 		if(!_constructed || !isCommand())
 			throw WrongStunBufferFormatException();
@ -776,8 +767,7 @@ public:
 	/**
 	 * Adds short-term message integrity data to the message.
 	 */
-	void addSTMessageIntegrity(std::string &uname, std::string &upwd)
+	void addSTMessageIntegrity(std::string &uname, std::string &upwd) {
 		throw(WrongStunBufferFormatException) {
 		if(!_constructed || !isCommand())
 			throw WrongStunBufferFormatException();
@ -808,8 +798,7 @@ protected:
 class StunMsgRequest : public StunMsg {
 public:
 	StunMsgRequest(uint16_t method) : _method(method) {};
-	StunMsgRequest(uint8_t *buffer, size_t total_sz, size_t sz, bool constructed)
+	StunMsgRequest(uint8_t *buffer, size_t total_sz, size_t sz, bool constructed) :
 		throw(WrongStunBufferFormatException) :
 			StunMsg(buffer,total_sz,sz,constructed),_method(0) {
 		if(constructed) {
@ -893,8 +882,7 @@ public:
 		_method(method), _err(error_code), _reason(reason), _tid(tid) {
 	};
-	StunMsgResponse(uint8_t *buffer, size_t total_sz, size_t sz, bool constructed)
+	StunMsgResponse(uint8_t *buffer, size_t total_sz, size_t sz, bool constructed) :
 		throw(WrongStunBufferFormatException) :
 			StunMsg(buffer,total_sz,sz,constructed),_method(0),_err(0),_reason("") {
 		if(constructed) {
@ -949,14 +937,14 @@ public:
 	/**
 	 * Set transaction ID
 	 */
-	void setTid(stun_tid &tid) throw(WrongStunBufferFormatException) {
+	void setTid(stun_tid &tid) {
 		_tid = tid;
 	}
 	/**
 	 * Get transaction ID
 	 */
-	virtual stun_tid getTid() const throw(WrongStunBufferFormatException) {
+	virtual stun_tid getTid() const {
 		return _tid;
 	}
@ -1074,8 +1062,7 @@ private:
 class StunMsgIndication : public StunMsg {
 public:
 	StunMsgIndication(uint16_t method) : _method(method) {};
-	StunMsgIndication(uint8_t *buffer, size_t total_sz, size_t sz, bool constructed)
+	StunMsgIndication(uint8_t *buffer, size_t total_sz, size_t sz, bool constructed) :
 		throw(WrongStunBufferFormatException) :
 			StunMsg(buffer,total_sz,sz,constructed),_method(0) {
 		if(constructed) {
@ -1123,8 +1110,7 @@ private:
 class StunMsgChannel : public StunMsg {
 public:
 	StunMsgChannel(uint16_t cn, int length) : _cn(cn), _len(length) {};
-	StunMsgChannel(uint8_t *buffer, size_t total_sz, size_t sz, bool constructed)
+	StunMsgChannel(uint8_t *buffer, size_t total_sz, size_t sz, bool constructed) :
 		throw(WrongStunBufferFormatException) :
 			StunMsg(buffer,total_sz,sz,constructed),_cn(0) {
 		if(constructed) {
--- a/src/client/ns_turn_msg.c
+++ b/src/client/ns_turn_msg.c
@ -244,7 +244,7 @@ int stun_produce_integrity_key_str(const uint8_t *uname, const uint8_t *realm, c
 		unsigned int keylen = 0;
 		EVP_MD_CTX ctx;
 		EVP_MD_CTX_init(&ctx);
-#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+#if defined EVP_MD_CTX_FLAG_NON_FIPS_ALLOW && !defined(LIBRESSL_VERSION_NUMBER)
 		if (FIPS_mode()) {
 			EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
 		}
@ -256,7 +256,7 @@ int stun_produce_integrity_key_str(const uint8_t *uname, const uint8_t *realm, c
 #else
 		unsigned int keylen = 0;
 		EVP_MD_CTX *ctx = EVP_MD_CTX_new();
-#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+#if defined EVP_MD_CTX_FLAG_NON_FIPS_ALLOW && ! defined(LIBRESSL_VERSION_NUMBER)
 		if (FIPS_mode()) {
 			EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
 		}
--- a/src/ns_turn_defs.h
+++ b/src/ns_turn_defs.h
@ -31,7 +31,7 @@
 #ifndef __IOADEFS__
 #define __IOADEFS__
-#define TURN_SERVER_VERSION "4.5.1.3"
+#define TURN_SERVER_VERSION "4.5.2"
 #define TURN_SERVER_VERSION_NAME "dan Eider"
 #define TURN_SOFTWARE "Coturn-" TURN_SERVER_VERSION " '" TURN_SERVER_VERSION_NAME "'"
@ -39,6 +39,10 @@
 #include <sys/param.h>
 #endif
 #if defined(__APPLE__) || defined(__DARWIN__) || defined(__MACH__)
 #define __APPLE_USE_RFC_3542
 #endif
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
--- a/src/server/ns_turn_ioalib.h
+++ b/src/server/ns_turn_ioalib.h
@ -286,6 +286,14 @@ int get_default_protocol_port(const char* scheme, size_t slen);
 void handle_http_echo(ioa_socket_handle s);
 ///////////// ACME /////////////////////
 int try_acme_redirect(char *req, size_t len, const char *url, ioa_socket_handle s);
 ///////////// ACME /////////////////////
 int try_acme_redirect(char *req, size_t len, const char *url, ioa_socket_handle s);
 ///////////////////////////////////////
 #ifdef __cplusplus
--- a/src/server/ns_turn_server.c
+++ b/src/server/ns_turn_server.c
@ -3832,13 +3832,13 @@ static int handle_turn_command(turn_turnserver *server, ts_ur_super_session *ss,
 							&dest_changed, &response_destination,
 							0, 0);
-				if(server->verbose) {
+				if(server->verbose && server->log_binding) {
 				  log_method(ss, "BINDING", err_code, reason);
 				}
 				if(*resp_constructed && !err_code && (origin_changed || dest_changed)) {
-					if (server->verbose) {
+					if (server->verbose && server->log_binding) {
 						TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "RFC 5780 request successfully processed\n");
 					}
@ -4014,7 +4014,7 @@ static int handle_old_stun_command(turn_turnserver *server, ts_ur_super_session
 						&dest_changed, &response_destination,
 						cookie,1);
-			if(server->verbose) {
+			if(server->verbose && *(server->log_binding)) {
 			  log_method(ss, "OLD BINDING", err_code, reason);
 			}
@ -4624,14 +4624,27 @@ static int read_client_connection(turn_turnserver *server,
 	} else {
 		SOCKET_TYPE st = get_ioa_socket_type(ss->client_socket);
 		if(is_stream_socket(st)) {
-			if(is_http((char*)ioa_network_buffer_data(in_buffer->nbh), ioa_network_buffer_get_size(in_buffer->nbh))) {
+			if(is_http((char*)ioa_network_buffer_data(in_buffer->nbh),
 			ioa_network_buffer_get_size(in_buffer->nbh))) {
 				const char *proto = "HTTP";
-				ioa_network_buffer_data(in_buffer->nbh)[ioa_network_buffer_get_size(in_buffer->nbh)] = 0;
+				if ((st == TCP_SOCKET) &&
-				if (*server->web_admin_listen_on_workers) {
+					(
 						try_acme_redirect(
 							(char*)ioa_network_buffer_data(in_buffer->nbh),
 							ioa_network_buffer_get_size(in_buffer->nbh),
 							server->acme_redirect,
 							ss->client_socket
 						) == 0
 					)
 				) {
 					ss->to_be_closed = 1;
 					return 0;
 				} else if (*server->web_admin_listen_on_workers) {
 					if(st==TLS_SOCKET) {
 						proto = "HTTPS";
 						set_ioa_socket_app_type(ss->client_socket,HTTPS_CLIENT_SOCKET);
-						TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: %s (%s %s) request: %s\n", __FUNCTION__, proto, get_ioa_socket_cipher(ss->client_socket), get_ioa_socket_ssl_method(ss->client_socket), (char*)ioa_network_buffer_data(in_buffer->nbh));
+						TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: %s (%s %s) request: %s\n", __FUNCTION__, proto, get_ioa_socket_cipher(ss->client_socket), get_ioa_socket_ssl_method(ss->client_socket), ioa_network_buffer_get_size(in_buffer->nbh));
 						if(server->send_https_socket) {
 							TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s socket to be detached: 0x%lx, st=%d, sat=%d\n", __FUNCTION__,(long)ss->client_socket, get_ioa_socket_type(ss->client_socket), get_ioa_socket_app_type(ss->client_socket));
 							ioa_socket_handle new_s = detach_ioa_socket(ss->client_socket);
@ -4644,7 +4657,7 @@ static int read_client_connection(turn_turnserver *server,
 					} else {
 						set_ioa_socket_app_type(ss->client_socket,HTTP_CLIENT_SOCKET);
 						if(server->verbose) {
-							TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: %s request: %s\n", __FUNCTION__, proto, (char*)ioa_network_buffer_data(in_buffer->nbh));
+							TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: %s request: %s\n", __FUNCTION__, proto, ioa_network_buffer_get_size(in_buffer->nbh));
 						}
 						handle_http_echo(ss->client_socket);
 					}
@ -4915,7 +4928,9 @@ void init_turn_server(turn_turnserver* server,
 		allocate_bps_cb allocate_bps_func,
 		int oauth,
 		const char* oauth_server_name,
-		int keep_address_family) {
+		const char* acme_redirect,
 		int keep_address_family,
 		vintp log_binding) {
 	if (!server)
 		return;
@ -4944,6 +4959,7 @@ void init_turn_server(turn_turnserver* server,
 		server->oauth_server_name = oauth_server_name;
 	if(mobility)
 		server->mobile_connections_map = ur_map_create();
 	server->acme_redirect = acme_redirect;
 	TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO,"turn server id=%d created\n",(int)id);
@ -4986,6 +5002,8 @@ void init_turn_server(turn_turnserver* server,
 	server->keep_address_family = keep_address_family;
 	set_ioa_timer(server->e, 1, 0, timer_timeout_handler, server, 1, "timer_timeout_handler");
 	server->log_binding = log_binding;
 }
 ioa_engine_handle turn_server_get_engine(turn_turnserver *s) {
--- a/src/server/ns_turn_server.h
+++ b/src/server/ns_turn_server.h
@ -171,8 +171,14 @@ struct _turn_turnserver {
 	int oauth;
 	const char* oauth_server_name;
 	/* ACME redirect URL */
 	const char* acme_redirect;
 	/* Keep Address Family */
 	int keep_address_family;
 	/* Log Binding Requrest */
 	vintp log_binding;
 };
 const char * get_version(turn_turnserver *server);
@ -218,7 +224,9 @@ void init_turn_server(turn_turnserver* server,
 				    allocate_bps_cb allocate_bps_func,
 				    int oauth,
 				    const char* oauth_server_name,
-					int keep_address_family);
+					const char* acme_redirect,
 					int keep_address_family,
 					vintp log_binding);
 ioa_engine_handle turn_server_get_engine(turn_turnserver *s);