
Merge remote master

This commit is contained in:
Greg Fodor 2020-04-28 17:18:30 +00:00
commit 38e7daf3d6
56 changed files with 1765 additions and 748 deletions

.gitignore vendored

@ -4,3 +4,4 @@ build
include
lib
sqlite
examples/ca/CA.pl


@ -51,6 +51,13 @@ Version 4.5.1.2 'dan Eider':
- merge PR #488 Fix typos about INSTALL filenames (by raccoonback)
- fix compiler warning comparison between signed and unsigned integer expressions
- fix compiler warning string truncation
- change Diffie Hellman default key length from 1066 to 2066
- merge PR #522 drop of supplementary group IDs (by weberhofer)
- merge PR #514 Unify spelling of Coturn (by paulmenzel)
- merge PR#506 Rename "prod" config option to "no-software-attribute" (by dbrgn)
- merge PR #519 fix config extension in README.docker (by ooookai)
- merge PR #516 change sql data dir in docker-compose-all.yml (by raghumuppa)
- mergr PR #513 remove trailing spaces from READMEs (by paulmenzel)
02/03/2019 Oleg Moskalenko <mom040267@gmail.com> Mihály Mészáros <misi@majd.eu>
Version 4.5.1.1 'dan Eider':


@ -1,51 +1,51 @@
GENERAL INFORMATION
turnadmin is a TURN administration tool. This tool can be used to manage
the user accounts (add/remove users, generate
TURN keys for the users). For security reasons, we do not recommend
storing passwords openly. The better option is to use pre-processed "keys"
which are then used for authentication. These keys are generated by turnadmin.
Turnadmin is a link to turnserver binary, but turnadmin performs different
turnadmin is a TURN administration tool. This tool can be used to manage
the user accounts (add/remove users, generate
TURN keys for the users). For security reasons, we do not recommend
storing passwords openly. The better option is to use pre-processed "keys"
which are then used for authentication. These keys are generated by turnadmin.
Turnadmin is a link to turnserver binary, but turnadmin performs different
functions.
Options note: turnadmin has long and short option names, for most options.
Some options have only long form, some options have only short form. Their syntax
Some options have only long form, some options have only short form. Their syntax
somewhat different, if an argument is required:
The short form must be used as this (for example):
$ turnadmin -u <username> ...
The long form equivalent must use the "=" character:
$ turnadmin --user=<username> ...
If this is a flag option (no argument required) then their usage are the same, for example:
$ turnadmin -k ...
is equivalent to:
$ turnadmin --key ...
You have always the use the -r <realm> option with commands for long term credentials -
You have always the use the -r <realm> option with commands for long term credentials -
because data for multiple realms can be stored in the same database.
=====================================
NAME
turnadmin - a TURN relay administration tool.
SYNOPSIS
turnadmin - a TURN relay administration tool.
SYNOPSIS
$ turnadmin [command] [options]
$ turnadmin [ -h | --help]
DESCRIPTION
Commands:
Commands:
-P, --generate-encrypted-password Generate and print to the standard
output an encrypted form of a password (for web admin user or CLI).
@ -76,7 +76,7 @@ Only sha256 is supported as the hash function.
-X, --delete-secret=<value> Delete a shared secret.
--delete-all_secrets Delete all shared secrets for REST API.
-O, --add-origin Add origin-to-realm relation.
-R, --del-origin Delete origin-to-realm relation.
@ -86,10 +86,10 @@ Only sha256 is supported as the hash function.
-g, --set-realm-option Set realm params: max-bps, total-quota, user-quota.
-G, --list-realm-options List realm params.
-E, --generate-encrypted-password-aes Generate and print to the standard output
-E, --generate-encrypted-password-aes Generate and print to the standard output
an encrypted form of password with AES-128
Options with required values:
Options with required values:
-b, --db, --userdb SQLite user database file name (default - /var/db/turndb or
/usr/local/var/db/turndb or /var/lib/turn/turndb).
@ -111,10 +111,10 @@ Options with required values:
-o, --origin Origin
--max-bps Set value of realm's max-bps parameter.
--total-quota Set value of realm's total-quota parameter.
--user-quota Set value of realm's user-quota parameter.
--user-quota Set value of realm's user-quota parameter.
-h, --help Help.
Command examples:
Command examples:
Generate an encrypted form of a password:
@ -123,11 +123,11 @@ $ turnadmin -P -p <password>
Generate a key:
$ turnadmin -k -u <username> -r <realm> -p <password>
Add/update a user in the in the database:
$ turnadmin -a [-b <userdb-file> | -e <db-connection-string> | -M <db-connection-string> | -N <db-connection-string> ] -u <username> -r <realm> -p <password>
Delete a user from the database:
$ turnadmin -d [-b <userdb-file> | -e <db-connection-string> | -M <db-connection-string> | -N <db-connection-string> ] -u <username> -r <realm>
@ -176,13 +176,13 @@ Verify/decrypt encrypted password:
$ turnadmin --file-key-path <key-file> -v <encrypted>
Help:
Help:
$ turnadmin -h
=======================================
DOCS
After installation, run the command:
@ -258,13 +258,13 @@ to see the man page.
Erik Johnston <erikj@openmarket.com>
Roman Lisagor <roman@demonware.net>
Vladimir Tsanev <tsachev@gmail.com>
Po-sheng Lin <personlin118@gmail.com>
Peter Dunkley <peter.dunkley@acision.com>
Mutsutoshi Yoshimoto <mutsutoshi.yoshimoto@mixi.co.jp>
Federico Pinna <fpinna@vivocha.com>



@ -37,12 +37,12 @@ according RFC5780. This utility discovers the actual NAT Mapping and Filtering
behavior, etc. Be aware that on TURN server side two different listening IP
addresses should be configured to be able to work properly!
6. turnutils_oauth: a utility that provides OAuth access_token
generation(AEAD encryption), validation and decryption. This utility inputs
all the keys and lifetimes and any related information that needed for
creation and validationi of an access_token. It outputs a JSON with all OAuth
PoP parameters that need to pass to the client. Output is generated accoriding
RFC7635 Appendix B, Figure 8.
6. turnutils_oauth: a utility that provides OAuth access_token
generation(AEAD encryption), validation and decryption. This utility inputs
all the keys and lifetimes and any related information that needed for
creation and validationi of an access_token. It outputs a JSON with all OAuth
PoP parameters that need to pass to the client. Output is generated accoriding
RFC7635 Appendix B, Figure 8.
For more details, and for the access_token structure, read rfc7635, and see
script in examples/scripts/oauth.sh.
@ -312,15 +312,15 @@ $ turnutils_oauth [options]
DESCRIPTION
turnutils_oauth utilitiy provides help in OAuth access_token encryption and/or
decryption with AEAD (Atuthenticated Encryption with Associated Data). It helps
for an Auth Server in access_token creation, and also for debugging purposes it
helps the access_token validation and decryption. This utility inputs all the
keys and lifetimes and any related information that are needed for encryption
or decryption of an access_token. It outputs a JSON with all OAuth PoP
parameters that need to pass to the client. Output is generated accoriding
RFC7635 Appendix B, Figure 8. This utility could help to build an Auth Server
service, but be awere that this utility does not generate "session key" /
turnutils_oauth utilitiy provides help in OAuth access_token encryption and/or
decryption with AEAD (Atuthenticated Encryption with Associated Data). It helps
for an Auth Server in access_token creation, and also for debugging purposes it
helps the access_token validation and decryption. This utility inputs all the
keys and lifetimes and any related information that are needed for encryption
or decryption of an access_token. It outputs a JSON with all OAuth PoP
parameters that need to pass to the client. Output is generated accoriding
RFC7635 Appendix B, Figure 8. This utility could help to build an Auth Server
service, but be awere that this utility does not generate "session key" /
"mac_key" and not verifies lifetime of "session key" / "mac_key" or "Auth key".
For more details, and for the access_token structure, read rfc7635, and see
the example in examples/scripts/oauth.sh.


@ -1,6 +1,6 @@
Before you begin
* copy db schema run ./cp-schema.sh
* edit turnserver/turnserver.cfg according your db selection (mysql or postgresql or redis or mongodb)
* edit turnserver/turnserver.conf according your db selection (mysql or postgresql or redis or mongodb)
# start


@ -8,11 +8,11 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
apt-get update && \
apt-get install -y build-essential git debhelper dpkg-dev libssl-dev libevent-dev sqlite3 libsqlite3-dev postgresql-client libpq-dev default-mysql-client default-libmysqlclient-dev libhiredis-dev libmongoc-dev libbson-dev
# Clone coTURN
# Clone Coturn
WORKDIR ${BUILD_PREFIX}
RUN git clone https://github.com/coturn/coturn.git
# Build coTURN
# Build Coturn
WORKDIR coturn
RUN ./configure
RUN make


@ -582,7 +582,7 @@ syslog
# Implementers SHOULD make usage of the SOFTWARE attribute a
# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
#
#prod
#no-software-attribute
# Option to suppress STUN functionality, only TURN requests will be processed.
# Run as TURN server only, all STUN requests will be ignored.
@ -640,7 +640,7 @@ no-loopback-peers
# Allocate Address Family according
# If enabled then TURN server allocates address family according the TURN
# Client <=> Server communication address family.
# (By default coTURN works according RFC 6156.)
# (By default Coturn works according RFC 6156.)
# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
#
#keep-address-family


@ -7,7 +7,7 @@ services:
context: ./mysql
restart: unless-stopped
volumes:
- mysql-data:/var/lib/mysql/data
- mysql-data:/var/lib/mysql
env_file:
- mysql/mysql.env
networks:
@ -19,7 +19,7 @@ services:
context: ./postgresql
restart: unless-stopped
volumes:
- postgresql-data:/var/lib/postgresql/data
- postgresql-data:/var/lib/postgresql
env_file:
- postgresql/postgresql.env
networks:
@ -49,7 +49,7 @@ services:
- backend
# coTURN
# Coturn
coturn:
build:
context: ./coturn
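Review bot: The postgresql mount on the new side is `- postgresql-data:/var/lib/postgresql`, while the official postgres image sets PGDATA to, and declares a VOLUME at, `/var/lib/postgresql/data`; if `./postgresql` builds on that image, the database directory lands on an image-declared anonymous volume nested under the named one, and `postgresql-data` no longer persists the data it is meant to. The mysql change is consistent with the official mysql image's datadir `/var/lib/mysql`, so the asymmetry looks unintended. Keep `- postgresql-data:/var/lib/postgresql/data`, or set PGDATA in postgresql/postgresql.env to a path under the mounted directory. The `./postgresql` Dockerfile is not in this diff, so this is inferred from the image defaults and should be confirmed against it.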


@ -13,7 +13,7 @@ services:
- backend
# coTURN
# Coturn
coturn:
build:
context: ./coturn


@ -14,7 +14,7 @@ services:
- backend
# coTURN
# Coturn
coturn:
build:
context: ./coturn


@ -14,7 +14,7 @@ services:
- backend
# coTURN
# Coturn
coturn:
build:
context: ./coturn


@ -14,7 +14,7 @@ services:
- backend
# coTURN
# Coturn
coturn:
build:
context: ./coturn

examples/ca/CA.pl.diff Normal file

@ -0,0 +1,22 @@
--- CA.pl 2019-10-12 19:56:43.000000000 +0000
+++ CA.pl 2020-03-05 07:58:41.112690266 +0000
@@ -25,8 +25,8 @@
my $verbose = 1;
my $OPENSSL_CONFIG = $ENV{"OPENSSL_CONFIG"} || "";
-my $DAYS = "-days 365";
-my $CADAYS = "-days 1095"; # 3 years
+my $DAYS = "-days 36500";
+my $CADAYS = "-days 365000"; # 1000 years
my $REQ = "$openssl req $OPENSSL_CONFIG";
my $CA = "$openssl ca $OPENSSL_CONFIG";
my $VERIFY = "$openssl verify";
@@ -34,7 +34,7 @@
my $PKCS12 = "$openssl pkcs12";
# default openssl.cnf file has setup as per the following
-my $CATOP = "./demoCA";
+my $CATOP = "./CA";
my $CAKEY = "cakey.pem";
my $CAREQ = "careq.pem";
my $CACERT = "cacert.pem";
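Review bot: The patch sets `$CADAYS` to 365000 days, which puts the CA's notAfter in the year 3019 (the cacert.pem added in this commit shows `Not After : Jul 7 09:05:10 3019 GMT`); that lies beyond what a 32-bit time_t can represent, so TLS stacks on such platforms may reject the chain, and a thousand-year CA lifetime removes expiry as a safety net should the committed key ever be misused. `$DAYS = "-days 36500"` is likewise a 100-year default for self-signed certs produced by `-newcert`. If these values exist only to produce durable test fixtures, say so in the patch, e.g. `# test-only lifetimes: never use these defaults for a real CA`, and consider a far shorter `$DAYS`.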

examples/ca/CA/cacert.pem Normal file

@ -0,0 +1,80 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4c:9b:ec:95:d1:21:49:1d:5d:65:a7:1a:61:46:67:dd:42:18:65:46
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=HU, ST=Hungary, O=coTURN, CN=CA/emailAddress=misi@majd.eu
Validity
Not Before: Mar 5 09:05:10 2020 GMT
Not After : Jul 7 09:05:10 3019 GMT
Subject: C=HU, ST=Hungary, O=coTURN, CN=CA/emailAddress=misi@majd.eu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:d8:76:2a:59:44:73:da:25:38:93:54:d8:c5:2b:
11:bd:30:80:21:5f:47:95:7d:eb:5e:3e:98:0d:a7:
a8:30:8c:07:6d:1a:ee:89:c1:4c:cc:64:81:90:b3:
ab:54:1f:9b:72:23:c5:2f:0a:32:52:be:27:ad:2f:
51:ee:62:9e:ed:44:d0:ba:aa:72:67:03:a2:ee:a0:
e3:5d:9e:37:ec:ee:0b:29:59:e8:d8:d5:84:a1:6d:
36:5d:85:6b:0d:73:a0:32:fe:b6:fa:99:ef:8c:78:
a9:02:f4:3a:bd:13:bc:1a:9b:72:55:0b:e7:0c:ed:
68:00:c2:e7:78:4a:df:ce:14:2a:99:f1:de:97:16:
60:44:f1:fc:f8:74:e5:33:31:cc:f9:ff:5d:9e:c1:
c7:c6:21:75:48:08:26:f5:7c:f1:56:ec:15:c5:7f:
24:0f:08:03:74:e0:da:10:bf:3d:90:67:09:1e:b2:
3f:b4:f4:15:df:53:e8:68:e8:d1:28:8e:2d:37:f9:
e0:3a:a3:29:00:3d:0a:66:7c:71:ab:54:e5:da:fe:
44:18:3c:b4:be:c5:ce:49:26:8c:cc:ab:88:8f:b7:
e3:ad:5b:df:b2:d4:a3:f8:a9:06:4f:38:6e:b7:05:
b3:3a:bd:63:cd:f7:26:15:e0:98:fd:30:7e:d3:33:
56:8d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
1C:27:5E:40:39:8C:EC:71:C7:ED:E9:2A:56:C9:9E:DF:48:EA:82:42
X509v3 Authority Key Identifier:
keyid:1C:27:5E:40:39:8C:EC:71:C7:ED:E9:2A:56:C9:9E:DF:48:EA:82:42
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
b4:d5:d9:7a:46:1e:1a:95:02:b5:7e:86:45:16:26:d5:8a:11:
b9:34:98:58:df:cd:0c:d5:a5:f2:cc:24:1a:22:f4:c7:3e:50:
39:40:f5:d6:e8:3b:9c:05:e9:f9:95:9b:c2:01:3b:69:d5:ba:
4f:cf:7c:a6:7c:6e:f4:24:a3:d1:88:e2:29:60:ca:6d:b0:ee:
a6:b8:d1:5f:49:d5:08:a6:c2:79:3a:3f:8a:63:ec:53:ef:48:
00:8c:61:d2:0f:38:e0:00:ac:6d:a6:bf:ed:6a:42:c3:cf:4e:
e3:0d:48:c5:a7:6d:5e:af:5a:e4:30:26:ba:19:2a:a5:57:da:
ce:b7:b6:45:24:fb:36:b6:a3:6c:55:ca:9f:91:19:29:db:a4:
22:d4:45:53:b9:79:6a:a7:5e:90:a3:4d:3b:c1:b6:2b:52:41:
97:7d:9e:0c:cf:0a:5f:ce:0e:fe:bf:a9:e5:b7:60:17:f5:93:
4b:b5:6d:2d:51:a6:c1:54:65:f9:e1:5c:21:8d:3d:19:0c:dc:
2c:c9:17:40:65:15:d0:ad:98:06:a0:11:aa:87:b3:2d:03:29:
37:24:f6:42:a8:d5:58:ae:55:20:c3:37:a3:62:33:36:34:73:
98:bc:70:30:aa:33:b0:e4:86:b6:d9:22:79:1f:3f:68:6f:f5:
66:75:e8:70
-----BEGIN CERTIFICATE-----
MIIDlzCCAn+gAwIBAgIUTJvsldEhSR1dZacaYUZn3UIYZUYwDQYJKoZIhvcNAQEL
BQAwWjELMAkGA1UEBhMCSFUxEDAOBgNVBAgMB0h1bmdhcnkxDzANBgNVBAoMBmNv
VFVSTjELMAkGA1UEAwwCQ0ExGzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5ldTAg
Fw0yMDAzMDUwOTA1MTBaGA8zMDE5MDcwNzA5MDUxMFowWjELMAkGA1UEBhMCSFUx
EDAOBgNVBAgMB0h1bmdhcnkxDzANBgNVBAoMBmNvVFVSTjELMAkGA1UEAwwCQ0Ex
GzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5ldTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBANh2KllEc9olOJNU2MUrEb0wgCFfR5V9614+mA2nqDCMB20a
7onBTMxkgZCzq1Qfm3IjxS8KMlK+J60vUe5inu1E0LqqcmcDou6g412eN+zuCylZ
6NjVhKFtNl2Faw1zoDL+tvqZ74x4qQL0Or0TvBqbclUL5wztaADC53hK384UKpnx
3pcWYETx/Ph05TMxzPn/XZ7Bx8YhdUgIJvV88VbsFcV/JA8IA3Tg2hC/PZBnCR6y
P7T0Fd9T6Gjo0SiOLTf54DqjKQA9CmZ8catU5dr+RBg8tL7FzkkmjMyriI+3461b
37LUo/ipBk84brcFszq9Y833JhXgmP0wftMzVo0CAwEAAaNTMFEwHQYDVR0OBBYE
FBwnXkA5jOxxx+3pKlbJnt9I6oJCMB8GA1UdIwQYMBaAFBwnXkA5jOxxx+3pKlbJ
nt9I6oJCMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBALTV2XpG
HhqVArV+hkUWJtWKEbk0mFjfzQzVpfLMJBoi9Mc+UDlA9dboO5wF6fmVm8IBO2nV
uk/PfKZ8bvQko9GI4ilgym2w7qa40V9J1Qimwnk6P4pj7FPvSACMYdIPOOAArG2m
v+1qQsPPTuMNSMWnbV6vWuQwJroZKqVX2s63tkUk+za2o2xVyp+RGSnbpCLURVO5
eWqnXpCjTTvBtitSQZd9ngzPCl/ODv6/qeW3YBf1k0u1bS1RpsFUZfnhXCGNPRkM
3CzJF0BlFdCtmAagEaqHsy0DKTck9kKo1ViuVSDDN6NiMzY0c5i8cDCqM7DkhrbZ
InkfP2hv9WZ16HA=
-----END CERTIFICATE-----

examples/ca/CA/careq.pem Normal file

@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

examples/ca/CA/crlnumber Normal file

@ -0,0 +1 @@
01

examples/ca/CA/index.txt Normal file

@ -0,0 +1,3 @@
V 30190707090510Z 4C9BEC95D121491D5D65A71A614667DD42186546 unknown /C=HU/ST=Hungary/O=coTURN/CN=CA/emailAddress=misi@majd.eu
V 300303090521Z 4C9BEC95D121491D5D65A71A614667DD42186547 unknown /C=HU/ST=Hungary/L=Debrecen/O=coTURN/CN=Server/emailAddress=misi@majd.eu
V 300303090542Z 4C9BEC95D121491D5D65A71A614667DD42186548 unknown /C=HU/ST=Hungary/L=Debrecen/O=coTURN/CN=Client/emailAddress=misi@majd.eu


@ -0,0 +1 @@
unique_subject = yes


@ -0,0 +1 @@
unique_subject = yes


@ -0,0 +1,2 @@
V 30190707090510Z 4C9BEC95D121491D5D65A71A614667DD42186546 unknown /C=HU/ST=Hungary/O=coTURN/CN=CA/emailAddress=misi@majd.eu
V 300303090521Z 4C9BEC95D121491D5D65A71A614667DD42186547 unknown /C=HU/ST=Hungary/L=Debrecen/O=coTURN/CN=Server/emailAddress=misi@majd.eu


@ -0,0 +1,80 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4c:9b:ec:95:d1:21:49:1d:5d:65:a7:1a:61:46:67:dd:42:18:65:46
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=HU, ST=Hungary, O=coTURN, CN=CA/emailAddress=misi@majd.eu
Validity
Not Before: Mar 5 09:05:10 2020 GMT
Not After : Jul 7 09:05:10 3019 GMT
Subject: C=HU, ST=Hungary, O=coTURN, CN=CA/emailAddress=misi@majd.eu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:d8:76:2a:59:44:73:da:25:38:93:54:d8:c5:2b:
11:bd:30:80:21:5f:47:95:7d:eb:5e:3e:98:0d:a7:
a8:30:8c:07:6d:1a:ee:89:c1:4c:cc:64:81:90:b3:
ab:54:1f:9b:72:23:c5:2f:0a:32:52:be:27:ad:2f:
51:ee:62:9e:ed:44:d0:ba:aa:72:67:03:a2:ee:a0:
e3:5d:9e:37:ec:ee:0b:29:59:e8:d8:d5:84:a1:6d:
36:5d:85:6b:0d:73:a0:32:fe:b6:fa:99:ef:8c:78:
a9:02:f4:3a:bd:13:bc:1a:9b:72:55:0b:e7:0c:ed:
68:00:c2:e7:78:4a:df:ce:14:2a:99:f1:de:97:16:
60:44:f1:fc:f8:74:e5:33:31:cc:f9:ff:5d:9e:c1:
c7:c6:21:75:48:08:26:f5:7c:f1:56:ec:15:c5:7f:
24:0f:08:03:74:e0:da:10:bf:3d:90:67:09:1e:b2:
3f:b4:f4:15:df:53:e8:68:e8:d1:28:8e:2d:37:f9:
e0:3a:a3:29:00:3d:0a:66:7c:71:ab:54:e5:da:fe:
44:18:3c:b4:be:c5:ce:49:26:8c:cc:ab:88:8f:b7:
e3:ad:5b:df:b2:d4:a3:f8:a9:06:4f:38:6e:b7:05:
b3:3a:bd:63:cd:f7:26:15:e0:98:fd:30:7e:d3:33:
56:8d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
1C:27:5E:40:39:8C:EC:71:C7:ED:E9:2A:56:C9:9E:DF:48:EA:82:42
X509v3 Authority Key Identifier:
keyid:1C:27:5E:40:39:8C:EC:71:C7:ED:E9:2A:56:C9:9E:DF:48:EA:82:42
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
b4:d5:d9:7a:46:1e:1a:95:02:b5:7e:86:45:16:26:d5:8a:11:
b9:34:98:58:df:cd:0c:d5:a5:f2:cc:24:1a:22:f4:c7:3e:50:
39:40:f5:d6:e8:3b:9c:05:e9:f9:95:9b:c2:01:3b:69:d5:ba:
4f:cf:7c:a6:7c:6e:f4:24:a3:d1:88:e2:29:60:ca:6d:b0:ee:
a6:b8:d1:5f:49:d5:08:a6:c2:79:3a:3f:8a:63:ec:53:ef:48:
00:8c:61:d2:0f:38:e0:00:ac:6d:a6:bf:ed:6a:42:c3:cf:4e:
e3:0d:48:c5:a7:6d:5e:af:5a:e4:30:26:ba:19:2a:a5:57:da:
ce:b7:b6:45:24:fb:36:b6:a3:6c:55:ca:9f:91:19:29:db:a4:
22:d4:45:53:b9:79:6a:a7:5e:90:a3:4d:3b:c1:b6:2b:52:41:
97:7d:9e:0c:cf:0a:5f:ce:0e:fe:bf:a9:e5:b7:60:17:f5:93:
4b:b5:6d:2d:51:a6:c1:54:65:f9:e1:5c:21:8d:3d:19:0c:dc:
2c:c9:17:40:65:15:d0:ad:98:06:a0:11:aa:87:b3:2d:03:29:
37:24:f6:42:a8:d5:58:ae:55:20:c3:37:a3:62:33:36:34:73:
98:bc:70:30:aa:33:b0:e4:86:b6:d9:22:79:1f:3f:68:6f:f5:
66:75:e8:70
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,80 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4c:9b:ec:95:d1:21:49:1d:5d:65:a7:1a:61:46:67:dd:42:18:65:47
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=HU, ST=Hungary, O=coTURN, CN=CA/emailAddress=misi@majd.eu
Validity
Not Before: Mar 5 09:05:21 2020 GMT
Not After : Mar 3 09:05:21 2030 GMT
Subject: C=HU, ST=Hungary, L=Debrecen, O=coTURN, CN=Server/emailAddress=misi@majd.eu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:bc:db:f7:17:35:17:7c:46:79:64:89:61:5f:ac:
cf:8f:6d:97:13:87:8a:d6:f1:ab:df:f6:69:4e:04:
57:c1:4d:6c:3d:77:c9:50:0d:3d:b6:89:cd:ac:00:
b5:02:45:e4:4c:78:ef:6f:18:7e:57:4e:bc:62:4d:
f6:de:6c:c8:77:ea:c5:b2:b4:65:2d:46:76:bf:5e:
5f:f8:45:78:55:f4:4d:20:ac:91:f0:4f:23:cb:5d:
40:29:44:de:9c:f7:0a:e6:48:a4:80:35:dd:cb:e8:
02:90:59:f7:31:f9:4c:50:fe:98:ef:dd:7f:60:51:
2d:44:0a:14:a2:57:96:51:36:3f:73:66:db:45:5f:
bd:9d:f4:82:3a:ce:ab:75:4f:d0:90:6d:43:d1:7b:
2f:77:31:88:db:2f:4a:a9:4e:62:39:c7:14:7f:39:
ef:e2:08:b7:18:a7:6c:f8:d9:35:d5:a3:f8:64:f5:
02:51:22:1b:8e:7a:c5:44:ae:df:b1:17:0b:71:df:
09:82:89:49:70:c5:9b:a0:f3:3c:02:48:75:e7:81:
f9:24:51:56:24:3b:ff:b8:68:d3:13:2e:a2:f4:d1:
70:33:a9:7a:d6:17:fd:ca:a5:6b:13:74:c9:ce:b6:
26:4f:01:ff:eb:ba:b5:f9:a1:70:80:da:11:df:a3:
7b:4f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
38:C1:E5:77:D3:01:6B:7A:A7:D8:18:6B:50:D6:FA:0E:D6:D9:B4:4F
X509v3 Authority Key Identifier:
keyid:1C:27:5E:40:39:8C:EC:71:C7:ED:E9:2A:56:C9:9E:DF:48:EA:82:42
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
a3:37:55:68:68:02:9f:af:d6:b1:38:b3:d8:bf:30:27:33:6f:
21:4c:09:ee:cf:24:d2:eb:cf:1c:7a:15:98:6d:10:94:e0:4a:
1f:88:5c:43:90:09:78:c1:a6:82:06:16:f2:8c:d1:3a:c5:3b:
99:67:35:3c:00:bf:9f:a2:6a:e7:33:85:83:88:72:88:e4:d2:
83:1c:6c:49:92:5f:51:80:0d:92:0f:99:4d:cb:2a:18:4d:68:
b7:b6:d1:de:54:22:71:88:8d:04:45:c5:13:34:8d:52:7a:f7:
2a:e7:cb:b2:41:20:7b:ef:aa:d0:58:93:b5:e6:b5:fa:8b:22:
a3:ed:a7:81:9b:ca:50:f7:d0:bd:5f:f2:52:6d:8b:af:af:64:
36:9d:6d:81:ce:50:29:b7:db:d0:ac:a3:1d:78:77:90:29:a3:
84:10:69:13:e9:47:fc:e1:1e:c2:74:55:61:11:65:2d:77:e1:
ca:9f:2d:6f:2f:76:f6:69:bc:09:50:9a:b0:48:05:a2:53:e6:
93:46:81:0d:04:8b:cd:fb:a4:a7:82:08:78:f9:87:dc:0a:07:
91:1f:de:09:fa:00:5a:16:1a:2b:5c:83:10:03:33:2f:ad:8c:
9a:eb:94:0f:77:b1:9b:ec:e6:0e:dc:84:dd:35:3f:b5:8a:d2:
06:0e:88:d7
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
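Review bot: The `CN=Server` certificate in this section carries `X509v3 Basic Constraints: critical CA:TRUE` (the `CN=Client` certificate in the next section does too), so whoever holds either key can issue further certificates that chain to this example CA, and neither leaf has a keyUsage or extendedKeyUsage that restricts it to server or client authentication. The `[ usr_cert ]` section of the openssl.conf added in this commit sets `basicConstraints=CA:FALSE`, so these were presumably signed with different extension settings than the config now in the tree. Regenerate the Server and Client certificates through `usr_cert` (adding `extendedKeyUsage = serverAuth` and `clientAuth` respectively) so that they are end-entity certificates.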


@ -0,0 +1,80 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4c:9b:ec:95:d1:21:49:1d:5d:65:a7:1a:61:46:67:dd:42:18:65:48
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=HU, ST=Hungary, O=coTURN, CN=CA/emailAddress=misi@majd.eu
Validity
Not Before: Mar 5 09:05:42 2020 GMT
Not After : Mar 3 09:05:42 2030 GMT
Subject: C=HU, ST=Hungary, L=Debrecen, O=coTURN, CN=Client/emailAddress=misi@majd.eu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:af:6d:38:31:23:12:12:e7:5a:8d:ed:1c:02:7e:
bf:c2:ef:7a:d1:c0:b2:4b:b4:38:9b:a7:5d:dd:01:
2c:a0:e7:7c:5b:7a:4d:71:4b:c9:5b:77:e8:b3:4c:
92:5b:8c:43:57:b6:c9:8c:44:66:6a:9e:8c:f2:76:
58:a2:f5:38:a3:4f:ef:af:5a:c7:bf:e5:72:98:c0:
b8:2e:a1:75:cc:16:8b:bf:a3:6a:e6:fd:c9:25:35:
92:31:b2:78:2a:42:7b:a1:ce:25:be:32:45:6e:0b:
36:22:f8:6c:9c:f3:8f:bf:c8:8c:79:d5:59:02:f5:
de:1f:67:fc:ef:c7:27:88:a7:35:b1:d7:ee:dc:1c:
74:11:fc:3c:56:33:b5:e7:88:ce:f3:ce:db:b9:3c:
e0:eb:15:bc:00:5f:29:f4:9c:8e:4d:61:df:da:aa:
f4:fc:fb:e7:4b:75:dc:dc:cf:f0:4b:3b:67:cf:bf:
35:b8:0f:5b:20:94:60:dd:3b:e5:7a:ec:0e:30:2c:
c1:fb:f6:21:5b:ed:80:34:9d:59:5c:95:39:a2:61:
a4:13:fa:57:b9:f5:85:d4:a1:bf:91:cf:d7:dc:ac:
fa:32:47:ee:d2:86:9b:14:d1:35:88:1e:2d:9f:39:
74:86:de:f1:04:de:e1:39:2f:a8:91:bf:8b:f7:4f:
7c:e5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
32:BA:14:26:42:B6:5B:9E:3C:F1:53:1A:FD:DB:CB:FE:B1:A2:74:6C
X509v3 Authority Key Identifier:
keyid:1C:27:5E:40:39:8C:EC:71:C7:ED:E9:2A:56:C9:9E:DF:48:EA:82:42
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
6b:93:56:56:81:fb:34:9e:15:2e:3e:b2:2c:73:72:60:f2:1a:
a8:bf:c3:f0:c7:57:00:48:37:2a:1c:63:71:1b:29:f4:2b:dc:
64:07:f8:72:80:65:18:c7:74:23:c1:02:00:d8:93:1d:4f:2b:
8c:46:34:1e:d2:6a:5c:ab:8d:ff:a7:fe:e5:c2:bf:33:55:ea:
2b:e2:70:e9:24:4c:4d:31:d4:dd:10:55:f5:bb:2c:a5:ec:f6:
8f:7a:05:1c:6c:7d:cf:85:6b:29:a7:bd:fe:a2:bc:00:45:b8:
ac:70:c7:c9:67:93:0a:5c:d7:52:a3:c9:fc:6c:ef:52:b2:6b:
bc:5b:f9:e1:9b:27:07:39:28:28:7f:a0:70:62:af:4f:42:82:
dd:ec:23:4d:fc:8e:19:51:87:cc:d0:29:d5:27:44:9c:fa:b5:
51:ea:31:eb:51:84:3f:07:5b:c0:57:5d:2a:c7:15:ed:9c:46:
ac:8e:14:8b:4d:82:0e:b4:6a:47:db:37:f3:03:08:86:b6:25:
0b:92:6d:99:a9:99:45:4e:38:45:e0:a2:4e:e7:34:50:51:ab:
f8:c8:ef:26:3d:7f:9f:8f:45:20:cf:f5:31:27:b6:00:3a:e0:
4a:d5:62:9a:29:27:9b:aa:3a:95:56:1c:d7:65:15:ce:35:10:
2a:7e:cc:b6
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,30 @@
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIeK2OY7PJbzYCAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECKP+q72oc4q7BIIEyHkaZfqjSX9W
HIHqbQtHOMlAtqSxmAyV6C3pXLwNuEpo4cYwyPUdJwMNxm8OjsxuH708daZu5QWl
7EVNV4WY9ff4/4geJAp9ZrqJN5TsgFIUyss5NzHjTMPUz/yunr0Hk5OOVLusTCqF
Ys0Qdo2Gy33NZCK53U22pa0S/szppN4DIDujSOuUAiyxJdz12cCUyw/OlAXvDLJb
I9oObKWpbYBtJSLk5aWblZDUTVmFWngkTIc76wchBXu7WntLjXdMG2lv4Gy/ozUb
vsYvEADNRJFOpYyfWvmEFNKvEcVxfzshnms9TdzhDCmYhmYR+NfamYq5Om+81Pv3
h+z1Zd7x3uYs8NM+DbRKhwHS6jkQCxelWdQbeSJj/Fz9VpWSrJlkmhXI+7qkBCsv
DVoz017Y2zK/iM5JRPTH65tnNMeH61Zj4EOHBEzMBE6EvugJcSqPXfBKtVMwVAzV
Mva8gtOlMN0Ce9dmG+HZKDek6S++5AbkxuOwRb+YOVXjUrNXXf0YqglM9Nb/RCr4
Z+gkuTCwARJZqjebZnUw1mSZp2R89X774wNDHAlw96tSW2OZlfPmbvXBnwT7QwPm
YBZT6CrLL7LEIs0G5zFh1L/PCQi7EyNaE9Ixw52nqc5Ej2M6Rj6XcdCRdw5IKmh/
BbTzD0LxfNh+XKpAIzkuNfGkwUVtfldmfpW3xRKzI1o+rbgDGMA/eEFYWmyE9326
/vsv7daE4zWAG4O5OdGKMKBABCqM92X2YU7bZoNQS25dy7uZsQ8zvkcI1Q1GKMW0
Lg2oDTSTSrPRVgLAcb0o06Frvler5F277OBfBm1+6+7aL3hct4TZjb+0pp5SuxrS
7PpRXMFYzbQ+Z7YrRv6uwrrxVl99Ok/jBGLYT+CllZ+PNvRbcgsy0xUIz6KTbQQZ
H4qqkObdKFHQLqfP9+YUwjE2akR/prOR2Dfoq648L/eEF4qpGCADaXFoHODWfiqz
VQHvLP4FN4ppYn3jB4lSTIl+7s92XznK5aN5AERRdUIfjPnZB8lQkDP/qwwCI0Ki
SRxUtsrMef1biTKL5HI3On2wPLFQCGVEmiQoD8uEqaB/vAdJy5ZdQ3HA547TxLmy
TJ6je8QMFUcO3n1pJWeUHuL+WyGrcstOEkZiFQyVpAFFeS7h6u2UI7HyNXGaP1mk
+vWulewlMjWHw05qG9wLqEiDkpZgmx4garfWbR2rggBu1Jlg4svS2jdmytuKQ735
E1e5g7TCSzv6sHzdHfQ2WaVvfM5YfxqWpgPhNH2t7rScoLTvI2txyhpIIEIMn+ip
tBM15Ai+L92gr4wLJlsBOcKOWSN46ucqQsGla3so0PZAtU4hVPEJ+PzaR2czStUk
MzrKfG1qox+JW8BBiW2zV2idKy2440Sn/NSqMyvZgEFn7GDaAcTsZi2FhRLT1Fg+
2c5viBTaCRdh20QDQQu3skEhbFU5GjeZEqCO25hX5L3BZPnQtwQujc2RU9aGWwPm
o/nrp8ilBRI18qFdxfqFEV6ftdVNXlrV+cMgtuwPNX6vnmKWjN67/cDIUML3ab+e
9cx0rBvCBvMn7Q0AvY/RcsVP0DaLmov7ciuvih0ptCgYThov7FJ2V+q+2LbNLwSc
qpi/6R+l6bIjP0UITKZlug==
-----END ENCRYPTED PRIVATE KEY-----
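Review bot: This section commits a private key; even though it is stored as an encrypted PKCS#8 blob, key material in a public repository must be treated as disclosed, and if this is the CA key paired with the cacert.pem above, it can sign certificates for any name that chains to that CA. That is acceptable for a disposable test fixture, but nothing in the diff says so. Add a README next to these files stating that the key and every certificate issued under it are examples for local testing only and must be regenerated with CA.pl before any other use, and consider listing the generated key and certificate files in .gitignore the way `examples/ca/CA.pl` already is.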

examples/ca/CA/serial Normal file

@ -0,0 +1 @@
4C9BEC95D121491D5D65A71A614667DD42186549


@ -0,0 +1 @@
4C9BEC95D121491D5D65A71A614667DD42186548

examples/ca/openssl.conf Normal file

@ -0,0 +1,364 @@
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# System default
openssl_conf = default_conf
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = HU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Hungary
localityName = Locality Name (eg, city)
localityName_default = Debrecen
0.organizationName = Organization Name (eg, company)
0.organizationName_default = coTURN
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
#organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = misi@majd.eu
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
#challengePassword = A challenge password
#challengePassword_min = 4
#challengePassword_max = 20
#unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
####################################################################
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = ./CA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
ess_cert_id_alg = sha1 # algorithm to compute certificate
# identifier (optional, default: sha1)
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

16
examples/ca/run.sh Executable file

@ -0,0 +1,16 @@
#!/bin/bash
#set -x
# key passwd: coTURN
cp /usr/lib/ssl/misc/CA.pl ./CA.pl
patch < CA.pl.diff
export OPENSSL_CONFIG="-config openssl.conf"
./CA.pl -newca
for i in "server" "client";
do
./CA.pl -newreq-nodes
./CA.pl -signCA
mv newcert.pem turn_${i}_cert.pem
mv newkey.pem turn_${i}_pkey.pem
rm newreq.pem
done;
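Review bot: `./CA.pl -signCA` signs each request with the CA extension profile, so the turn_server_cert.pem and turn_client_cert.pem added in this commit carry `X509v3 Basic Constraints: critical CA:TRUE` — leaf certificates that can themselves issue certificates chaining to cacert.pem. For end-entity certificates the loop should call `./CA.pl -sign`, which presumably picks up the `usr_cert` extensions (`basicConstraints=CA:FALSE`) from openssl.conf via the default_ca section; worth confirming by regenerating and checking the output. The script also runs without `set -e`, so a failed `cp` or `patch` still proceeds to CA and key generation with whatever CA.pl is present; `set -euo pipefail` after the shebang would stop it at the first failure. Finally, `$i` only names the output files and the subject appears to come from the interactive prompts, so a comment such as `# CN (Server/Client) is entered at the -newreq-nodes prompt` would help the next person running it.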


@ -0,0 +1,80 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4c:9b:ec:95:d1:21:49:1d:5d:65:a7:1a:61:46:67:dd:42:18:65:48
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=HU, ST=Hungary, O=coTURN, CN=CA/emailAddress=misi@majd.eu
Validity
Not Before: Mar 5 09:05:42 2020 GMT
Not After : Mar 3 09:05:42 2030 GMT
Subject: C=HU, ST=Hungary, L=Debrecen, O=coTURN, CN=Client/emailAddress=misi@majd.eu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:af:6d:38:31:23:12:12:e7:5a:8d:ed:1c:02:7e:
bf:c2:ef:7a:d1:c0:b2:4b:b4:38:9b:a7:5d:dd:01:
2c:a0:e7:7c:5b:7a:4d:71:4b:c9:5b:77:e8:b3:4c:
92:5b:8c:43:57:b6:c9:8c:44:66:6a:9e:8c:f2:76:
58:a2:f5:38:a3:4f:ef:af:5a:c7:bf:e5:72:98:c0:
b8:2e:a1:75:cc:16:8b:bf:a3:6a:e6:fd:c9:25:35:
92:31:b2:78:2a:42:7b:a1:ce:25:be:32:45:6e:0b:
36:22:f8:6c:9c:f3:8f:bf:c8:8c:79:d5:59:02:f5:
de:1f:67:fc:ef:c7:27:88:a7:35:b1:d7:ee:dc:1c:
74:11:fc:3c:56:33:b5:e7:88:ce:f3:ce:db:b9:3c:
e0:eb:15:bc:00:5f:29:f4:9c:8e:4d:61:df:da:aa:
f4:fc:fb:e7:4b:75:dc:dc:cf:f0:4b:3b:67:cf:bf:
35:b8:0f:5b:20:94:60:dd:3b:e5:7a:ec:0e:30:2c:
c1:fb:f6:21:5b:ed:80:34:9d:59:5c:95:39:a2:61:
a4:13:fa:57:b9:f5:85:d4:a1:bf:91:cf:d7:dc:ac:
fa:32:47:ee:d2:86:9b:14:d1:35:88:1e:2d:9f:39:
74:86:de:f1:04:de:e1:39:2f:a8:91:bf:8b:f7:4f:
7c:e5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
32:BA:14:26:42:B6:5B:9E:3C:F1:53:1A:FD:DB:CB:FE:B1:A2:74:6C
X509v3 Authority Key Identifier:
keyid:1C:27:5E:40:39:8C:EC:71:C7:ED:E9:2A:56:C9:9E:DF:48:EA:82:42
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
6b:93:56:56:81:fb:34:9e:15:2e:3e:b2:2c:73:72:60:f2:1a:
a8:bf:c3:f0:c7:57:00:48:37:2a:1c:63:71:1b:29:f4:2b:dc:
64:07:f8:72:80:65:18:c7:74:23:c1:02:00:d8:93:1d:4f:2b:
8c:46:34:1e:d2:6a:5c:ab:8d:ff:a7:fe:e5:c2:bf:33:55:ea:
2b:e2:70:e9:24:4c:4d:31:d4:dd:10:55:f5:bb:2c:a5:ec:f6:
8f:7a:05:1c:6c:7d:cf:85:6b:29:a7:bd:fe:a2:bc:00:45:b8:
ac:70:c7:c9:67:93:0a:5c:d7:52:a3:c9:fc:6c:ef:52:b2:6b:
bc:5b:f9:e1:9b:27:07:39:28:28:7f:a0:70:62:af:4f:42:82:
dd:ec:23:4d:fc:8e:19:51:87:cc:d0:29:d5:27:44:9c:fa:b5:
51:ea:31:eb:51:84:3f:07:5b:c0:57:5d:2a:c7:15:ed:9c:46:
ac:8e:14:8b:4d:82:0e:b4:6a:47:db:37:f3:03:08:86:b6:25:
0b:92:6d:99:a9:99:45:4e:38:45:e0:a2:4e:e7:34:50:51:ab:
f8:c8:ef:26:3d:7f:9f:8f:45:20:cf:f5:31:27:b6:00:3a:e0:
4a:d5:62:9a:29:27:9b:aa:3a:95:56:1c:d7:65:15:ce:35:10:
2a:7e:cc:b6
-----BEGIN CERTIFICATE-----
MIIDrDCCApSgAwIBAgIUTJvsldEhSR1dZacaYUZn3UIYZUgwDQYJKoZIhvcNAQEL
BQAwWjELMAkGA1UEBhMCSFUxEDAOBgNVBAgMB0h1bmdhcnkxDzANBgNVBAoMBmNv
VFVSTjELMAkGA1UEAwwCQ0ExGzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5ldTAe
Fw0yMDAzMDUwOTA1NDJaFw0zMDAzMDMwOTA1NDJaMHExCzAJBgNVBAYTAkhVMRAw
DgYDVQQIDAdIdW5nYXJ5MREwDwYDVQQHDAhEZWJyZWNlbjEPMA0GA1UECgwGY29U
VVJOMQ8wDQYDVQQDDAZDbGllbnQxGzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5l
dTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK9tODEjEhLnWo3tHAJ+
v8LvetHAsku0OJunXd0BLKDnfFt6TXFLyVt36LNMkluMQ1e2yYxEZmqejPJ2WKL1
OKNP769ax7/lcpjAuC6hdcwWi7+jaub9ySU1kjGyeCpCe6HOJb4yRW4LNiL4bJzz
j7/IjHnVWQL13h9n/O/HJ4inNbHX7twcdBH8PFYzteeIzvPO27k84OsVvABfKfSc
jk1h39qq9Pz750t13NzP8Es7Z8+/NbgPWyCUYN075XrsDjAswfv2IVvtgDSdWVyV
OaJhpBP6V7n1hdShv5HP19ys+jJH7tKGmxTRNYgeLZ85dIbe8QTe4TkvqJG/i/dP
fOUCAwEAAaNTMFEwHQYDVR0OBBYEFDK6FCZCtluePPFTGv3by/6xonRsMB8GA1Ud
IwQYMBaAFBwnXkA5jOxxx+3pKlbJnt9I6oJCMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
KoZIhvcNAQELBQADggEBAGuTVlaB+zSeFS4+sixzcmDyGqi/w/DHVwBINyocY3Eb
KfQr3GQH+HKAZRjHdCPBAgDYkx1PK4xGNB7Salyrjf+n/uXCvzNV6ivicOkkTE0x
1N0QVfW7LKXs9o96BRxsfc+Faymnvf6ivABFuKxwx8lnkwpc11Kjyfxs71Kya7xb
+eGbJwc5KCh/oHBir09Cgt3sI038jhlRh8zQKdUnRJz6tVHqMetRhD8HW8BXXSrH
Fe2cRqyOFItNgg60akfbN/MDCIa2JQuSbZmpmUVOOEXgok7nNFBRq/jI7yY9f5+P
RSDP9TEntgA64ErVYpopJ5uqOpVWHNdlFc41ECp+zLY=
-----END CERTIFICATE-----


@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCvbTgxIxIS51qN
7RwCfr/C73rRwLJLtDibp13dASyg53xbek1xS8lbd+izTJJbjENXtsmMRGZqnozy
dlii9TijT++vWse/5XKYwLguoXXMFou/o2rm/cklNZIxsngqQnuhziW+MkVuCzYi
+Gyc84+/yIx51VkC9d4fZ/zvxyeIpzWx1+7cHHQR/DxWM7XniM7zztu5PODrFbwA
Xyn0nI5NYd/aqvT8++dLddzcz/BLO2fPvzW4D1sglGDdO+V67A4wLMH79iFb7YA0
nVlclTmiYaQT+le59YXUob+Rz9fcrPoyR+7ShpsU0TWIHi2fOXSG3vEE3uE5L6iR
v4v3T3zlAgMBAAECggEBAINzP+vx75UirwQybA6ik2aqtEmALxnzDYf1PaxhOOPJ
EbIqTuVaeKOFkmToN7NJwxxy50un5WZ3L/5vF7PkNHCLcXrgd1UfxWMY5eprKi2n
p0gOWAiGmra7EbUTml9wOdvg8P84BDaVSBekNx7Ukx6OVFTmvTAutCascSfq/4Cx
K71zaW/I9hrU8oNDBDzolVW4gW8ObNLGhoDqmvkoXrlrGEBNqkuErbbYZA1k/001
lurEh7Zp7Kp6jjHcRm83a7bWiRYGtv1K9kR9MKKLW7au8zyjYcesTvS2QjY+k20W
vE2kmyAosbJShFzTmZn8kwgh6c0BPyFDEI5XleMeefECgYEA6ZhgG87wyU4RDU1N
PxLV9ufbSYpW91KP1iuZ5Z6QdLGWZeWKjvxtoLAa3z9ceIBVvFqCGDn4DfwIaNLe
tGsjeyXre1R3/B0S/oAJbmbRV4pWl/jSzgbzCTGW7x1mpqgpJdHFmTbqTxkNB6cM
fpzTPfM012KfRglD9D+2DTOCyEsCgYEAwECXQRIe7/657J68GHSBCaQ+rzDL3nRe
exe4duHyXok0yohk7OiPepKQ1hdYq2PHhGEj6b5OgFppWeA66M/ndjX4S10oCtN0
oEb7honFz4ZmHmqQ6UotAuBx7tq06v+KI/eTvefTVh9mujdwMW4sAowhx9Dw6PkR
ipFCdi458Y8CgYEAhJ//ySoYKaMKKWw/NFVkZ9fB+CH0OF2GzslYijcZuzdstZO6
tG37bCUwTJozzTLH+rXEcS7QeFglCibXTMYbkfq4lQAjU1/KffaB5E26A6LGgWhD
f7gQWqLuF/qwYmTNX+yW7ONx6tDFRhgBDw3JHb4svTEATwpJq65UlXAui7sCgYBD
krBXO8JKApNg+s4MHm74b5VkyFbv4qEOzOCWUIZ6+ejnQxeOOZOstnVX+q681v5a
pjYUQ0KeVKjw4SJzkBe/8epKuvyHCZnVd/2SZTx0271q9XPnu52khDUnihHLA3SP
fcadGi2q+LCHxVKW3S1028JH1EXI7TpgJPxiQ480OwKBgQDmi0BiSFaxNVcJm+pq
rbmK2pRPl49VOlc7px89ilZgoIeU8jwWQyqXRooarFhV1H0SA6oh52jYljiIIFVn
qwKfS3Sjo6iW3ytjGcRLeNS0Sk8D2XMky7Mw120ZxatTsKw3ztmYFAlSYdxRMnue
zkYzcxL3N2LvHeY8SOwyxayfxg==
-----END PRIVATE KEY-----


@ -0,0 +1,80 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4c:9b:ec:95:d1:21:49:1d:5d:65:a7:1a:61:46:67:dd:42:18:65:47
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=HU, ST=Hungary, O=coTURN, CN=CA/emailAddress=misi@majd.eu
Validity
Not Before: Mar 5 09:05:21 2020 GMT
Not After : Mar 3 09:05:21 2030 GMT
Subject: C=HU, ST=Hungary, L=Debrecen, O=coTURN, CN=Server/emailAddress=misi@majd.eu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:bc:db:f7:17:35:17:7c:46:79:64:89:61:5f:ac:
cf:8f:6d:97:13:87:8a:d6:f1:ab:df:f6:69:4e:04:
57:c1:4d:6c:3d:77:c9:50:0d:3d:b6:89:cd:ac:00:
b5:02:45:e4:4c:78:ef:6f:18:7e:57:4e:bc:62:4d:
f6:de:6c:c8:77:ea:c5:b2:b4:65:2d:46:76:bf:5e:
5f:f8:45:78:55:f4:4d:20:ac:91:f0:4f:23:cb:5d:
40:29:44:de:9c:f7:0a:e6:48:a4:80:35:dd:cb:e8:
02:90:59:f7:31:f9:4c:50:fe:98:ef:dd:7f:60:51:
2d:44:0a:14:a2:57:96:51:36:3f:73:66:db:45:5f:
bd:9d:f4:82:3a:ce:ab:75:4f:d0:90:6d:43:d1:7b:
2f:77:31:88:db:2f:4a:a9:4e:62:39:c7:14:7f:39:
ef:e2:08:b7:18:a7:6c:f8:d9:35:d5:a3:f8:64:f5:
02:51:22:1b:8e:7a:c5:44:ae:df:b1:17:0b:71:df:
09:82:89:49:70:c5:9b:a0:f3:3c:02:48:75:e7:81:
f9:24:51:56:24:3b:ff:b8:68:d3:13:2e:a2:f4:d1:
70:33:a9:7a:d6:17:fd:ca:a5:6b:13:74:c9:ce:b6:
26:4f:01:ff:eb:ba:b5:f9:a1:70:80:da:11:df:a3:
7b:4f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
38:C1:E5:77:D3:01:6B:7A:A7:D8:18:6B:50:D6:FA:0E:D6:D9:B4:4F
X509v3 Authority Key Identifier:
keyid:1C:27:5E:40:39:8C:EC:71:C7:ED:E9:2A:56:C9:9E:DF:48:EA:82:42
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
a3:37:55:68:68:02:9f:af:d6:b1:38:b3:d8:bf:30:27:33:6f:
21:4c:09:ee:cf:24:d2:eb:cf:1c:7a:15:98:6d:10:94:e0:4a:
1f:88:5c:43:90:09:78:c1:a6:82:06:16:f2:8c:d1:3a:c5:3b:
99:67:35:3c:00:bf:9f:a2:6a:e7:33:85:83:88:72:88:e4:d2:
83:1c:6c:49:92:5f:51:80:0d:92:0f:99:4d:cb:2a:18:4d:68:
b7:b6:d1:de:54:22:71:88:8d:04:45:c5:13:34:8d:52:7a:f7:
2a:e7:cb:b2:41:20:7b:ef:aa:d0:58:93:b5:e6:b5:fa:8b:22:
a3:ed:a7:81:9b:ca:50:f7:d0:bd:5f:f2:52:6d:8b:af:af:64:
36:9d:6d:81:ce:50:29:b7:db:d0:ac:a3:1d:78:77:90:29:a3:
84:10:69:13:e9:47:fc:e1:1e:c2:74:55:61:11:65:2d:77:e1:
ca:9f:2d:6f:2f:76:f6:69:bc:09:50:9a:b0:48:05:a2:53:e6:
93:46:81:0d:04:8b:cd:fb:a4:a7:82:08:78:f9:87:dc:0a:07:
91:1f:de:09:fa:00:5a:16:1a:2b:5c:83:10:03:33:2f:ad:8c:
9a:eb:94:0f:77:b1:9b:ec:e6:0e:dc:84:dd:35:3f:b5:8a:d2:
06:0e:88:d7
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----

1
examples/etc/cacert.pem Symbolic link

@ -0,0 +1 @@
../ca/CA/cacert.pem


@ -1,5 +1,5 @@
[Unit]
Description=coTURN STUN/TURN Server
Description=Coturn STUN/TURN Server
Documentation=man:coturn(1) man:turnadmin(1) man:turnserver(1)
After=network.target
After=network-online.target
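Review bot: If `After=network-online.target` is the new line at the end of this hunk (the rendering shows both variants without +/- markers), it needs a matching `Wants=network-online.target`; an `After=` ordering on its own does not pull the target in, so the service can still start before the network is up on systems where nothing else activates network-online.target. Adding `Wants=network-online.target` next to the `After=` line is the documented way to get the intended ordering.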


@ -1,23 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1 @@
../ca/turn_client_cert.pem


@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1 @@
../ca/turn_client_pkey.pem


@ -1,22 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1 @@
../ca/turn_server_cert.pem


@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1 @@
../ca/turn_server_pkey.pem


@ -44,6 +44,14 @@
# Default (or zero) value means "TLS listening port plus one".
#
#alt-tls-listening-port=0
# Some network setups will require using a TCP reverse proxy in front
# of the STUN server. If the proxy port option is set a single listener
# is started on the given port that accepts connections using the
# haproxy proxy protocol v2.
# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
#
#tcp-proxy-port=5555
# Listener IP address of relay server. Multiple listeners can be specified.
# If no IP(s) specified in the config file or in the command line options,
@ -566,7 +574,7 @@
# Implementers SHOULD make usage of the SOFTWARE attribute a
# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
#
#prod
#no-software-attribute
# Option to suppress STUN functionality, only TURN requests will be processed.
# Run as TURN server only, all STUN requests will be ignored.
@ -631,7 +639,7 @@
# Allocate Address Family according
# If enabled then TURN server allocates address family according the TURN
# Client <=> Server communication address family.
# (By default coTURN works according RFC 6156.)
# (By default Coturn works according RFC 6156.)
# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
#
#keep-address-family
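Review bot: The new tcp-proxy-port comment block (first hunk of this section) does not say that the PROXY protocol v2 header is not authenticated: any peer that can reach that port can present an arbitrary client address, which the server presumably then treats as the connection's source address. A line in that comment such as `# The proxy protocol header is not authenticated: expose this port only to the reverse proxy (firewall it or bind it to an internal address).` would make the deployment constraint explicit. Whether the spoofed address feeds logging, per-IP quotas or permission checks is inferred here and should be checked against the listener implementation.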


@ -32,5 +32,5 @@ fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/
PATH=examples/bin/:../bin:./bin/:${PATH} turnutils_uclient -S -i turn_server_cert.pem -k turn_server_pkey.pem -E turn_server_cert.pem -n 1000 -m 10 -l 170 -e 127.0.0.1 -g -u bolt -w kwyjibo -s -X $@ 127.0.0.1
PATH=examples/bin/:../bin:./bin/:${PATH} turnutils_uclient -S -i turn_server_cert.pem -k turn_server_pkey.pem -E cacert.pem -n 1000 -m 10 -l 170 -e 127.0.0.1 -g -u bolt -w kwyjibo -s -X $@ 127.0.0.1


@ -36,4 +36,4 @@ fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=bolt:kwyjibo -r bolt.co --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --CA-file=turn_server_cert.pem --log-file=stdout -v --cipher-list="ALL:!eNULL:!aNULL:!NULL" --cli-password=secret --db=var/db/turndb $@
PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=bolt:kwyjibo -r bolt.co --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --CA-file=cacert.pem --log-file=stdout -v --cipher-list="ALL:!eNULL:!aNULL:!NULL" --cli-password=secret --db=var/db/turndb $@


@ -32,5 +32,5 @@ fi
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/
PATH=examples/bin/:../bin:./bin/:${PATH} turnutils_uclient -t -S -i turn_server_cert.pem -k turn_server_pkey.pem -E turn_server_cert.pem -n 1000 -m 10 -l 170 -e 127.0.0.1 -X -g -u bolt -w kwyjibo -s $@ 127.0.0.1
PATH=examples/bin/:../bin:./bin/:${PATH} turnutils_uclient -t -S -i turn_server_cert.pem -k turn_server_pkey.pem -E cacert.pem -n 1000 -m 10 -l 170 -e 127.0.0.1 -X -g -u bolt -w kwyjibo -s $@ 127.0.0.1


@ -2,16 +2,16 @@
.TH TURN 1 "28 April 2020" "" ""
.SH GENERAL INFORMATION
\fIturnadmin\fP is a TURN administration tool. This tool can be used to manage
the user accounts (add/remove users, generate
TURN keys for the users). For security reasons, we do not recommend
storing passwords openly. The better option is to use pre\-processed "keys"
which are then used for authentication. These keys are generated by \fIturnadmin\fP.
Turnadmin is a link to \fIturnserver\fP binary, but \fIturnadmin\fP performs different
\fIturnadmin\fP is a TURN administration tool. This tool can be used to manage
the user accounts (add/remove users, generate
TURN keys for the users). For security reasons, we do not recommend
storing passwords openly. The better option is to use pre\-processed "keys"
which are then used for authentication. These keys are generated by \fIturnadmin\fP.
Turnadmin is a link to \fIturnserver\fP binary, but \fIturnadmin\fP performs different
functions.
.PP
Options note: \fIturnadmin\fP has long and short option names, for most options.
Some options have only long form, some options have only short form. Their syntax
Some options have only long form, some options have only short form. Their syntax
somewhat different, if an argument is required:
.PP
The short form must be used as this (for example):
@ -46,7 +46,7 @@ is equivalent to:
.fam T
.fi
You have always the use the \fB\-r\fP <realm> option with commands for long term credentials \-
You have always the use the \fB\-r\fP <realm> option with commands for long term credentials \-
because data for multiple realms can be stored in the same database.
.PP
=====================================
@ -54,15 +54,20 @@ because data for multiple realms can be stored in the same database.
\fB
\fBturnadmin \fP\- a TURN relay administration tool.
\fB
.SS SYNOPSIS
.SS SYNOPSIS
.nf
.fam C
$ \fIturnadmin\fP [\fIcommand\fP] [\fIoptions\fP]
$ \fIturnadmin\fP [command] [options]
.PP
$ \fIturnadmin\fP [ \fB\-h\fP | \fB\-\-help\fP]
.fam T
.fi
.fam T
.fi
.SS DESCRIPTION
.TP
.B
Commands:
.TP
.B
@ -135,15 +140,14 @@ List origin\-to\-realm relations.
Set realm params: max\-bps, total\-quota, user\-quota.
.TP
.B
\fB\-G\fP, \fB\-\-list\-realm\-options\fP
\fB\-G\fP, \fB\-\-list\-realm\fP\-\fIoptions\fP
List realm params.
.TP
.B
\fB\-E\fP, \fB\-\-generate\-encrypted\-password\-aes\fP
Generate and print to the standard output
Generate and print to the standard output
an encrypted form of password with AES\-128
.TP
.B
.PP
Options with required values:
.TP
.B
@ -210,13 +214,12 @@ Set value of realm's total\-quota parameter.
.TP
.B
\fB\-\-user\-quota\fP
Set value of realm's user\-quota parameter.
Set value of realm's user\-quota parameter.
.TP
.B
\fB\-h\fP, \fB\-\-help\fP
Help.
.TP
.B
.PP
Command examples:
.PP
Generate an encrypted form of a password:
@ -282,8 +285,6 @@ $ \fIturnadmin\fP \fB\-\-file\-key\-path\fP <key\-file> \fB\-v\fP <encrypted>
.PP
.RS
.TP
.B
Help:
.PP
$ \fIturnadmin\fP \fB\-h\fP
@ -291,7 +292,7 @@ $ \fIturnadmin\fP \fB\-h\fP
=======================================
.SS DOCS
After installation, run the command:
After installation, run the \fIcommand\fP:
.PP
$ man \fIturnadmin\fP
.PP


@ -2,9 +2,9 @@
.TH TURN 1 "28 April 2020" "" ""
.SH GENERAL INFORMATION
The \fBTURN Server\fP project contains the source code of a TURN server and TURN client
messaging library. Also, some extra programs provided, for testing\-only
purposes.
The \fBTURN Server\fP project contains the source code of a TURN server and TURN client
messaging library. Also, some extra programs provided, for testing\-only
purposes.
.PP
See the INSTALL file for the building instructions.
.PP
@ -12,7 +12,7 @@ After the build, you will have the following binary images:
.TP
.B
1.
\fIturnserver\fP: \fBTURN Server\fP relay.
\fIturnserver\fP: \fBTURN Server\fP relay.
The compiled binary image of the \fBTURN Server\fP program is located in bin/ sub\-directory.
.TP
.B
@ -35,7 +35,7 @@ turnutils_stunclient. See README.turnutils and \fIturnutils\fP man page.
6.
turnutils_rfc5769check. See README.turnutils and \fIturnutils\fP man page.
.PP
In the "examples/scripts" sub\-directory, you will find the examples of command lines to be used
In the "examples/scripts" sub\-directory, you will find the examples of command lines to be used
to run the programs. The scripts are meant to be run from examples/ sub\-directory, for example:
.PP
$ cd examples
@ -43,7 +43,7 @@ $ ./scripts/secure_relay.sh
.SH RUNNING THE TURN SERVER
Options note: \fIturnserver\fP has long and short option names, for most options.
Some options have only long form, some options have only short form. Their syntax
Some options have only long form, some options have only short form. Their syntax
somewhat different, if an argument is required:
.PP
The short form must be used as this (for example):
@ -94,10 +94,8 @@ $ \fIturnserver\fP \fB\-h\fP
.fi
.fam T
.fi
.SS DESCRIPTION
.SS DESCRIPTION
.TP
.B
Config file settings:
.TP
.B
@ -108,10 +106,10 @@ Do not use configuration file, use only command line parameters.
\fB\-c\fP
Configuration file name (default \- turnserver.conf).
The format of config file can be seen in
the supplied examples/etc/turnserver.conf example file. Long
names of the \fIoptions\fP are used as the configuration
items names in the file. If not an absolute path is supplied,
then the file is searched in the following directories:
the supplied examples/etc/turnserver.conf example file. Long
names of the \fIoptions\fP are used as the configuration
items names in the file. If not an absolute path is supplied,
then the file is searched in the following directories:
.RS
.IP \(bu 3
current directory
@ -126,8 +124,7 @@ upper directory level etc/
.IP \(bu 3
installation directory /etc
.RE
.TP
.B
.PP
User database settings:
.TP
.B
@ -139,18 +136,18 @@ SQLite user database file name (default \- /var/db/turndb or
\fB\-e\fP, \fB\-\-psql\-userdb\fP
User database connection string for PostgreSQL.
This database can be used for long\-term credentials mechanism,
and it can store the secret value
and it can store the secret value
for secret\-based timed authentication in TURN REST API.
The connection string format is like that:
.RS
.PP
"host=<host> dbname=<dbname> user=<db\-user> password=<db\-user\-password> connect_timeout=<seconds>"
"host=<host> dbname=<dbname> user=<db\-user> password=<db\-user\-password> connect_timeout=<seconds>"
(for 8.x or newer Postgres).
.PP
Or:
.PP
"postgresql://username:password@hostname:port/databasename"
(for 9.x or newer Postgres).
"postgresql://username:password@hostname:port/databasename"
(for 9.x or newer Postgres).
.PP
See the INSTALL file for more explanations and examples.
.PP
@ -159,9 +156,9 @@ Also, see http://www.PostgreSQL.org for full PostgreSQL documentation.
.TP
.B
\fB\-M\fP, \fB\-\-mysql\-userdb\fP
User database connection string for MySQL or MariaDB.
User database connection string for MySQL or MariaDB.
This database can be used for long\-term credentials mechanism,
and it can store the secret value for
and it can store the secret value for
secret\-based timed authentication in TURN REST API.
The connection string format is like that:
.RS
@ -170,12 +167,12 @@ The connection string format is like that:
.PP
See the INSTALL file for more explanations and examples.
.PP
Also, see http://www.mysql.org or http://mariadb.org
Also, see http://www.mysql.org or http://mariadb.org
for full MySQL documentation.
.PP
Optional connection string parameters for the secure communications (SSL):
ca, capath, cert, key, cipher
(see http://dev.mysql.com/doc/refman/5.1/en/ssl\-options.html for the
Optional connection string parameters for the secure communications (SSL):
ca, capath, cert, key, cipher
(see http://dev.mysql.com/doc/refman/5.1/en/ssl\-options.html for the
command \fIoptions\fP description).
.RE
.TP
@ -184,14 +181,14 @@ command \fIoptions\fP description).
This is the file path which contain secret key of aes encryption while using MySQL password encryption.
If you want to use in the MySQL connection string the password in encrypted format,
then set in this option the file path of the secret key. The key which is used to encrypt MySQL password.
Warning: If this option is set, then MySQL password must be set in "mysql\-userdb" option in encrypted format!
Warning: If this option is set, then MySQL password must be set in "mysql\-userdb" option in encrypted format!
If you want to use cleartext password then do not set this option!
.TP
.B
\fB\-J\fP, \fB\-\-mongo\-userdb\fP
User database connection string for MongoDB.
User database connection string for MongoDB.
This database can be used for long\-term credentials mechanism,
and it can store the secret value
and it can store the secret value
for secret\-based timed authentication in TURN REST API.
The connection string format is like that:
.RS
@ -206,9 +203,9 @@ for full MongoDB documentation.
.TP
.B
\fB\-N\fP, \fB\-\-redis\-userdb\fP
User database connection string for Redis.
User database connection string for Redis.
This database can be used for long\-term credentials mechanism,
and it can store the secret
and it can store the secret
value for secret\-based timed authentication in TURN REST API.
The connection string format is like that:
.RS
@ -219,8 +216,7 @@ See the INSTALL file for more explanations and examples.
.PP
Also, see http://redis.io for full Redis documentation.
.RE
.TP
.B
.PP
Flags:
.TP
.B
@ -234,15 +230,13 @@ Extra verbose mode, very annoying and not recommended.
.B
\fB\-o\fP, \fB\-\-daemon\fP
Run server as daemon.
.TP
.B
\fB\-\-prod\fP
Production mode: hide the software version.
.PP
\fB\-\-no\-software\-attribute\fP Production mode: hide the software version.
.TP
.B
\fB\-f\fP, \fB\-\-fingerprint\fP
Use fingerprints in the TURN messages. If an incoming request
contains a fingerprint, then TURN server will always add
contains a fingerprint, then TURN server will always add
fingerprints to the messages in this session, regardless of the
per\-server setting.
.TP
@ -252,8 +246,8 @@ Use long\-term credentials mechanism (this one you need for WebRTC usage).
.TP
.B
\fB\-z\fP, \fB\-\-no\-auth\fP
Do not use any credentials mechanism, allow anonymous access.
Opposite to \fB\-a\fP and \fB\-A\fP \fIoptions\fP. This is default option when no
Do not use any credentials mechanism, allow anonymous access.
Opposite to \fB\-a\fP and \fB\-A\fP \fIoptions\fP. This is default option when no
authentication\-related \fIoptions\fP are set.
By default, no credential mechanism is used \-
any user is allowed.
@ -261,8 +255,8 @@ any user is allowed.
.B
\fB\-\-use\-auth\-secret\fP
TURN REST API flag.
Flag that sets a special WebRTC authorization option
that is based upon authentication secret. The feature purpose
Flag that sets a special WebRTC authorization option
that is based upon authentication secret. The feature purpose
is to support "\fBTURN Server\fP REST API" as described in
the TURN REST API section below.
This option uses timestamp as part of combined username:
@ -281,11 +275,11 @@ Support oAuth authentication, as in the third\-party STUN/TURN RFC 7635.
.TP
.B
\fB\-\-dh566\fP
Use 566 bits predefined DH TLS key. Default size of the key is 1066.
Use 566 bits predefined DH TLS key. Default size of the key is 2066.
.TP
.B
\fB\-\-dh2066\fP
Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
\fB\-\-dh1066\fP
Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
.TP
.B
\fB\-\-no\-tlsv1\fP
@ -317,19 +311,19 @@ Do not start DTLS client listeners.
.TP
.B
\fB\-\-no\-udp\-relay\fP
Do not allow UDP relay endpoints defined in RFC 5766,
Do not allow UDP relay endpoints defined in RFC 5766,
use only TCP relay endpoints as defined in RFC 6062.
.TP
.B
\fB\-\-no\-tcp\-relay\fP
Do not allow TCP relay endpoints defined in RFC 6062,
use only UDP relay endpoints as defined in RFC 5766.
Do not allow TCP relay endpoints defined in RFC 6062,
use only UDP relay endpoints as defined in RFC 5766.
.TP
.B
\fB\-\-no\-stdout\-log\fP
Flag to prevent stdout log messages.
By default, all log messages are going to both stdout and to
the configured log file. With this option everything will be going to
the configured log file. With this option everything will be going to
the log file only (unless the log file itself is stdout).
.TP
.B
@ -349,25 +343,25 @@ By default, the clients are allowed anonymous access to the STUN Binding functio
.TP
.B
\fB\-S\fP, \fB\-\-stun\-only\fP
Run as STUN server only, all TURN requests will be ignored.
Run as STUN server only, all TURN requests will be ignored.
Option to suppress TURN functionality, only STUN requests will be processed.
.TP
.B
\fB\-\-no\-stun\fP
Run as TURN server only, all STUN requests will be ignored.
Run as TURN server only, all STUN requests will be ignored.
Option to suppress STUN functionality, only TURN requests will be processed.
.TP
.B
\fB\-\-allow\-loopback\-peers\fP
Allow peers on the loopback addresses (127.x.x.x and ::1).
Allow it only for testing in a development environment!
In production it adds a possible security vulnerability,
and so due to security reasons, it is not allowed
Allow it only for testing in a development environment!
In production it adds a possible security vulnerability,
and so due to security reasons, it is not allowed
using it together with empty cli\-password.
.TP
.B
\fB\-\-no\-multicast\-peers\fP
Disallow peers on well\-known broadcast addresses
Disallow peers on well\-known broadcast addresses
(224.0.0.0 and above, and FFXX:*).
.TP
.B
@ -381,10 +375,10 @@ See also \fIoptions\fP \fB\-\-cli\-ip\fP and \fB\-\-cli\-port\fP.
.TP
.B
\fB\-\-server\-relay\fP
Server relay. NON\-STANDARD AND DANGEROUS OPTION.
Only for those applications when we want to run
Server relay. NON\-STANDARD AND DANGEROUS OPTION.
Only for those applications when we want to run
server applications on the relay endpoints.
This option eliminates the IP permissions check
This option eliminates the IP permissions check
on the packets incoming to the relay endpoints.
See http://tools.ietf.org/search/rfc5766#section\-17.2.3 .
.TP
@ -392,13 +386,13 @@ See http://tools.ietf.org/search/rfc5766#section\-17.2.3 .
\fB\-\-udp\-self\-balance\fP
(recommended for older Linuxes only)
Automatically balance UDP traffic over auxiliary servers
(if configured). The load balancing is using the
ALTERNATE\-SERVER mechanism. The TURN client must support
(if configured). The load balancing is using the
ALTERNATE\-SERVER mechanism. The TURN client must support
300 ALTERNATE\-SERVER response for this functionality.
.TP
.B
\fB\-\-check\-origin\-consistency\fP
The flag that sets the origin consistency
The flag that sets the origin consistency
check: across the session, all requests must have the same
main ORIGIN attribute value (if the ORIGIN was
initially used by the session).
@ -406,8 +400,7 @@ initially used by the session).
.B
\fB\-h\fP
Help.
.TP
.B
.PP
Options with values:
.TP
.B
@ -434,17 +427,17 @@ This MUST not be changed for production purposes.
.B
\fB\-d\fP, \fB\-\-listening\-device\fP
Listener interface device.
(NOT RECOMMENDED. Optional functionality, Linux only).
The \fIturnserver\fP process must have root privileges to bind the
listening endpoint to a device. If \fIturnserver\fP must run as a
(NOT RECOMMENDED. Optional functionality, Linux only).
The \fIturnserver\fP process must have root privileges to bind the
listening endpoint to a device. If \fIturnserver\fP must run as a
process without root privileges, then just do not use this setting.
.TP
.B
\fB\-L\fP, \fB\-\-listening\-ip\fP
Listener IP address of relay server.
Listener IP address of relay server.
Multiple listeners can be specified, for example:
\fB\-L\fP ip1 \fB\-L\fP ip2 \fB\-L\fP ip3
If no \fBIP\fP(s) specified, then all IPv4 and
If no \fBIP\fP(s) specified, then all IPv4 and
IPv6 system IPs will be used for listening.
The same \fBip\fP(s) can be used as both listening and relay \fBip\fP(s).
.TP
@ -458,11 +451,11 @@ Note: actually, TLS & DTLS sessions can connect to the "plain" TCP & UDP
\fB\-\-tls\-listening\-port\fP
TURN listener port for TLS and DTLS listeners (Default: 5349).
Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
\fBport\fP(s), too \- if allowed by configuration. The TURN server
\fBport\fP(s), too \- if allowed by configuration. The TURN server
"automatically" recognizes the type of traffic. Actually, two listening
endpoints (the "plain" one and the "tls" one) are equivalent in terms of
functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
For secure TCP connections, we currently support SSL version 3 and
For secure TCP connections, we currently support SSL version 3 and
TLS versions 1.0, 1.1, 1.2.
For secure UDP connections, we support DTLS version 1.
.TP
@ -483,6 +476,12 @@ Alternative listening port for TLS and DTLS protocols.
Default (or zero) value means "TLS listening port plus one".
.TP
.B
\fB\-\-tcp\-proxy\-port\fP
Support connections from TCP loadbalancer on this port. The loadbalancer
should use the binary proxy protocol.
(https://www.haproxy.org/download/1.8/doc/proxy\-protocol.txt)
.TP
.B
\fB\-\-aux\-server\fP
Auxiliary STUN/TURN server listening endpoint.
Aux servers have almost full TURN and STUN functionality.
@ -501,20 +500,20 @@ to client requests.
.TP
.B
\fB\-i\fP, \fB\-\-relay\-device\fP
Relay interface device for relay sockets
Relay interface device for relay sockets
(NOT RECOMMENDED. Optional, Linux only).
.TP
.B
\fB\-E\fP, \fB\-\-relay\-ip\fP
Relay address (the local IP address that
will be used to relay the packets to the
Relay address (the local IP address that
will be used to relay the packets to the
peer). Multiple relay addresses may be used:
\fB\-E\fP ip1 \fB\-E\fP ip2 \fB\-E\fP ip3
The same \fBIP\fP(s) can be used as both listening \fBIP\fP(s) and relay \fBIP\fP(s).
If no relay \fBIP\fP(s) specified, then the \fIturnserver\fP will apply the
default policy: it will decide itself which relay addresses to be
used, and it will always be using the client socket IP address as
the relay IP address of the TURN session (if the requested relay
If no relay \fBIP\fP(s) specified, then the \fIturnserver\fP will apply the
default policy: it will decide itself which relay addresses to be
used, and it will always be using the client socket IP address as
the relay IP address of the TURN session (if the requested relay
address family is the same as the family of the client socket).
.TP
.B
@ -522,7 +521,7 @@ address family is the same as the family of the client socket).
\fBTURN Server\fP public/private address mapping, if the server is behind NAT.
In that situation, if a \fB\-X\fP is used in form "\fB\-X\fP <ip>" then that ip will be reported
as relay IP address of all allocations. This scenario works only in a simple case
when one single relay address is be used, and no CHANGE_REQUEST functionality is
when one single relay address is be used, and no CHANGE_REQUEST functionality is
required. That single relay address must be mapped by NAT to the 'external' IP.
The "external\-ip" value, if not empty, is returned in XOR\-RELAYED\-ADDRESS field.
For that 'external' IP, NAT must forward ports directly (relayed port 12345
@ -530,8 +529,8 @@ must be always mapped to the same 'external' port 12345).
In more complex case when more than one IP address is involved,
that option must be used several times, each entry must
have form "\fB\-X\fP <public\-ip/private\-ip>", to map all involved addresses.
CHANGE_REQUEST (RFC5780 or RFC3489) NAT discovery STUN functionality will work
correctly, if the addresses are mapped properly, even when the TURN server itself
CHANGE_REQUEST (RFC5780 or RFC3489) NAT discovery STUN functionality will work
correctly, if the addresses are mapped properly, even when the TURN server itself
is behind A NAT.
By default, this value is empty, and no address mapping is used.
.TP
@ -540,54 +539,54 @@ By default, this value is empty, and no address mapping is used.
Number of the relay threads to handle the established connections
(in addition to authentication thread and the listener thread).
If explicitly set to 0 then application runs relay process in a single thread,
in the same thread with the listener process (the authentication thread will
still be a separate thread). If not set, then a default optimal algorithm
in the same thread with the listener process (the authentication thread will
still be a separate thread). If not set, then a default optimal algorithm
will be employed (OS\-dependent). In the older Linux systems
(before Linux kernel 3.9), the number of UDP threads is always one threads
(before Linux kernel 3.9), the number of UDP threads is always one threads
per network listening endpoint \- unless "\fB\-m\fP 0" or "\fB\-m\fP 1" is set.
.TP
.B
\fB\-\-min\-port\fP
Lower bound of the UDP port range for relay
Lower bound of the UDP port range for relay
endpoints allocation.
Default value is 49152, according to RFC 5766.
.TP
.B
\fB\-\-max\-port\fP
Upper bound of the UDP port range for relay
Upper bound of the UDP port range for relay
endpoints allocation.
Default value is 65535, according to RFC 5766.
.TP
.B
\fB\-u\fP, \fB\-\-user\fP
Long\-term security mechanism credentials user account,
in the column\-separated form username:key.
Long\-term security mechanism credentials user account,
in the column\-separated form username:key.
Multiple user accounts may be used in the command line.
The key is either the user password, or
the key is generated
by \fIturnadmin\fP command. In the second case,
the key must be prepended with 0x symbols.
The key is calculated over the user name,
The key is calculated over the user name,
the user realm, and the user password.
This setting may not be used with TURN REST API.
.TP
.B
\fB\-r\fP, \fB\-\-realm\fP
The default realm to be used for the users when no explicit
The default realm to be used for the users when no explicit
origin/realm relationship was found in the database, or if the TURN
server is not using any database (just the commands\-line settings
and the userdb file). Must be used with long\-term credentials
and the userdb file). Must be used with long\-term credentials
mechanism or with TURN REST API.
.TP
.B
\fB\-C\fP, \fB\-\-rest\-api\-separator\fP
This is the timestamp/username separator symbol
This is the timestamp/username separator symbol
(character) in TURN REST API. The default value is :.
.TP
.B
\fB\-q\fP, \fB\-\-user\-quota\fP
Per\-user allocations quota: how many concurrent
allocations a user can create. This option can also be set
Per\-user allocations quota: how many concurrent
allocations a user can create. This option can also be set
through the database, for a particular realm.
.TP
.B
@ -598,9 +597,9 @@ This option can also be set through the database, for a particular realm.
.B
\fB\-s\fP, \fB\-\-max\-bps\fP
Max bytes\-per\-second bandwidth a TURN session is allowed to handle
(input and output network streams are treated separately). Anything above
(input and output network streams are treated separately). Anything above
that limit will be dropped or temporary suppressed (within the
available buffer limits). This option can also be set through the
available buffer limits). This option can also be set through the
database, for a particular realm.
.TP
.B
@ -613,7 +612,7 @@ separately).
.B
\fB\-\-static\-auth\-secret\fP
Static authentication secret value (a string) for TURN REST API only.
If not set, then the turn server will try to use the dynamic value
If not set, then the turn server will try to use the dynamic value
in turn_secret table in user database (if present). The database\-stored
value can be changed on\-the\-fly by a separate program, so this is why
that other mode is dynamic. Multiple shared secrets can be used
@ -641,17 +640,17 @@ The default value is the realm name.
.TP
.B
\fB\-\-cert\fP
Certificate file, PEM format. Same file
search rules applied as for the configuration
file. If both \fB\-\-no\-tls\fP and \fB\-\-no\-dtls\fP \fIoptions\fP
Certificate file, PEM format. Same file
search rules applied as for the configuration
file. If both \fB\-\-no\-tls\fP and \fB\-\-no\-dtls\fP \fIoptions\fP
are specified, then this parameter is not needed.
Default value is turn_server_cert.pem.
.TP
.B
\fB\-\-pkey\fP
Private key file, PEM format. Same file
search rules applied as for the configuration
file. If both \fB\-\-no\-tls\fP and \fB\-\-no\-dtls\fP \fIoptions\fP
Private key file, PEM format. Same file
search rules applied as for the configuration
file. If both \fB\-\-no\-tls\fP and \fB\-\-no\-dtls\fP \fIoptions\fP
are specified, then this parameter is not needed.
Default value is turn_server_pkey.pem.
.TP
@ -666,14 +665,14 @@ Default value is "DEFAULT".
.TP
.B
\fB\-\-CA\-file\fP
CA file in OpenSSL format.
CA file in OpenSSL format.
Forces TURN server to verify the client SSL certificates.
By default, no CA is set and no client certificate check is performed.
.TP
.B
\fB\-\-ec\-curve\-name\fP
Curve name for EC ciphers, if supported by OpenSSL
library (TLS and DTLS). The default value is prime256v1,
Curve name for EC ciphers, if supported by OpenSSL
library (TLS and DTLS). The default value is prime256v1,
if pre\-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
an optimal curve will be automatically calculated, if not defined
by this option.
@ -681,79 +680,79 @@ by this option.
.B
\fB\-\-dh\-file\fP
Use custom DH TLS key, stored in PEM format in the file.
Flags \fB\-\-dh566\fP and \fB\-\-dh2066\fP are ignored when the DH key is taken from a file.
Flags \fB\-\-dh566\fP and \fB\-\-dh1066\fP are ignored when the DH key is taken from a file.
.TP
.B
\fB\-l\fP, \fB\-\-log\-file\fP
Option to set the full path name of the log file.
By default, the \fIturnserver\fP tries to open a log file in
/var/log/\fIturnserver\fP, /var/log, /var/tmp, /tmp and . (current)
directories (which file open operation succeeds
first that file will be used). With this option you can set the
By default, the \fIturnserver\fP tries to open a log file in
/var/log/\fIturnserver\fP, /var/log, /var/tmp, /tmp and . (current)
directories (which file open operation succeeds
first that file will be used). With this option you can set the
definite log file name.
The special names are "stdout" and "\-" \- they will force everything
The special names are "stdout" and "\-" \- they will force everything
to the stdout. Also, "syslog" name will redirect everything into
the system log (syslog), as if the option "\fB\-\-syslog\fP" was set.
In the runtime, the logfile can be reset with the SIGHUP signal
the system log (syslog), as if the option "\fB\-\-syslog\fP" was set.
In the runtime, the logfile can be reset with the SIGHUP signal
to the \fIturnserver\fP process.
.TP
.B
\fB\-\-alternate\-server\fP
Option to set the "redirection" mode. The value of this option
will be the address of the alternate server for UDP & TCP service in form of
will be the address of the alternate server for UDP & TCP service in form of
<ip>[:<port>]. The server will send this value in the attribute
ALTERNATE\-SERVER, with error 300, on ALLOCATE request, to the client.
Client will receive only values with the same address family
as the client network endpoint address family.
See RFC 5389 and RFC 5766 for ALTERNATE\-SERVER functionality description.
as the client network endpoint address family.
See RFC 5389 and RFC 5766 for ALTERNATE\-SERVER functionality description.
The client must use the obtained value for subsequent TURN communications.
If more than one \fB\-\-alternate\-server\fP \fIoptions\fP are provided, then the functionality
can be more accurately described as "load\-balancing" than a mere "redirection".
If the port number is omitted, then the default port
can be more accurately described as "load\-balancing" than a mere "redirection".
If the port number is omitted, then the default port
number 3478 for the UDP/TCP protocols will be used.
Colon (:) characters in IPv6 addresses may conflict with the syntax of
the option. To alleviate this conflict, literal IPv6 addresses are enclosed
in square brackets in such resource identifiers, for example:
[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
Colon (:) characters in IPv6 addresses may conflict with the syntax of
the option. To alleviate this conflict, literal IPv6 addresses are enclosed
in square brackets in such resource identifiers, for example:
[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
Multiple alternate servers can be set. They will be used in the
round\-robin manner. All servers in the pool are considered of equal weight and
the load will be distributed equally. For example, if we have 4 alternate servers,
then each server will receive 25% of ALLOCATE requests. An alternate TURN server
address can be used more than one time with the alternate\-server option, so this
can emulate "weighting" of the servers.
round\-robin manner. All servers in the pool are considered of equal weight and
the load will be distributed equally. For example, if we have 4 alternate servers,
then each server will receive 25% of ALLOCATE requests. An alternate TURN server
address can be used more than one time with the alternate\-server option, so this
can emulate "weighting" of the servers.
.TP
.B
\fB\-\-tls\-alternate\-server\fP
Option to set alternative server for TLS & DTLS services in form of
<ip>:<port>. If the port number is omitted, then the default port
number 5349 for the TLS/DTLS protocols will be used. See the
Option to set alternative server for TLS & DTLS services in form of
<ip>:<port>. If the port number is omitted, then the default port
number 5349 for the TLS/DTLS protocols will be used. See the
previous option for the functionality description.
.TP
.B
\fB\-O\fP, \fB\-\-redis\-statsdb\fP
Redis status and statistics database connection string, if used (default \- empty,
no Redis stats DB used). This database keeps allocations status information, and it can
Redis status and statistics database connection string, if used (default \- empty,
no Redis stats DB used). This database keeps allocations status information, and it can
be also used for publishing and delivering traffic and allocation event notifications.
This database option can be used independently of \fB\-\-redis\-userdb\fP option,
and actually Redis can be used for status/statistics and SQLite or MySQL or MongoDB or
and actually Redis can be used for status/statistics and SQLite or MySQL or MongoDB or
PostgreSQL can be used for the user database.
The connection string has the same parameters as redis\-userdb connection string.
.TP
.B
\fB\-\-max\-allocate\-timeout\fP
Max time, in seconds, allowed for full allocation establishment.
Max time, in seconds, allowed for full allocation establishment.
Default is 60 seconds.
.PP
\fB\-\-denied\-peer\-ip\fP=<IPaddr[\fB\-IPaddr\fP]>
.PP
\fB\-\-allowed\-peer\-ip\fP=<IPaddr[\fB\-IPaddr\fP]> Options to ban or allow specific ip addresses or ranges
of ip addresses. If an ip address is specified as both allowed and denied, then
\fB\-\-allowed\-peer\-ip\fP=<IPaddr[\fB\-IPaddr\fP]> Options to ban or allow specific ip addresses or ranges
of ip addresses. If an ip address is specified as both allowed and denied, then
the ip address is considered to be allowed. This is useful when you wish to ban
a range of ip addresses, except for a few specific ips within that range.
This can be used when you do not want users of the turn server to be able to access
machines reachable by the turn server, but would otherwise be unreachable from the
internet (e.g. when the turn server is sitting behind a NAT). The 'white" and "black" peer
IP ranges can also be dynamically changed in the database.
machines reachable by the turn server, but would otherwise be unreachable from the
internet (e.g. when the turn server is sitting behind a NAT). The 'white" and "black" peer
IP ranges can also be dynamically changed in the database.
The allowed/denied addresses (white/black lists) rules are very simple:
.RS
.IP 1) 4
@ -791,9 +790,9 @@ Client <=> Server communication address family.
\fB\-\-cli\-ip\fP
Local system IP address to be used for CLI management interface.
The \fIturnserver\fP process can be accessed for management with telnet,
at this IP address and on the CLI port (see the next parameter).
at this IP address and on the CLI port (see the next parameter).
Default value is 127.0.0.1. You can use telnet or putty (in telnet mode)
to access the CLI management interface.
to access the CLI management interface.
.TP
.B
\fB\-\-cli\-port\fP
@ -847,24 +846,24 @@ This is a set of notes for the WebRTC users:
.IP 1) 4
WebRTC uses long\-term authentication mechanism, so you have to use \fB\-a\fP
option (or \fB\-\-lt\-cred\-mech\fP). WebRTC relaying will not work with anonymous
access. With \fB\-a\fP option, do not forget to set the
default realm (\fB\-r\fP option). You will also have to set up the user accounts,
access. With \fB\-a\fP option, do not forget to set the
default realm (\fB\-r\fP option). You will also have to set up the user accounts,
for that you have a number of \fIoptions\fP:
.PP
.nf
.fam C
a) command\-line options (\-u).
b) a database table (SQLite or PostgreSQL or MySQL or MongoDB). You will have to
set keys with turnadmin utility (see docs and wiki for turnadmin).
b) a database table (SQLite or PostgreSQL or MySQL or MongoDB). You will have to
set keys with turnadmin utility (see docs and wiki for turnadmin).
You cannot use open passwords in the database.
c) Redis key/value pair(s), if Redis is used. You key use either keys or
open passwords with Redis; see turndb/testredisdbsetup.sh file.
c) Redis key/value pair(s), if Redis is used. You key use either keys or
open passwords with Redis; see turndb/testredisdbsetup.sh file.
d) You also can use the TURN REST API. You will need shared secret(s) set
either through the command line option, or through the config file, or through
the database table or Redis key/value pairs.
the database table or Redis key/value pairs.
.fam T
.fi
@ -882,19 +881,19 @@ number range.
.SH TURN REST API
In WebRTC, the browser obtains the TURN connection information from the web
server. This information is a secure information \- because it contains the
necessary TURN credentials. As these credentials are transmitted over the
server. This information is a secure information \- because it contains the
necessary TURN credentials. As these credentials are transmitted over the
public networks, we have a potential security breach.
.PP
If we have to transmit a valuable information over the public network,
then this information has to have a limited lifetime. Then the guy who
obtains this information without permission will be able to perform
If we have to transmit a valuable information over the public network,
then this information has to have a limited lifetime. Then the guy who
obtains this information without permission will be able to perform
only limited damage.
.PP
This is how the idea of TURN REST API \- time\-limited TURN credentials \-
appeared. This security mechanism is based upon the long\-term credentials
mechanism. The main idea of the REST API is that the web server provides
the credentials to the client, but those credentials can be used only
This is how the idea of TURN REST API \- time\-limited TURN credentials \-
appeared. This security mechanism is based upon the long\-term credentials
mechanism. The main idea of the REST API is that the web server provides
the credentials to the client, but those credentials can be used only
limited time by an application that has to create a TURN server connection.
.PP
The "classic" long\-term credentials mechanism (LTCM) is described here:
@ -905,22 +904,22 @@ http://tools.ietf.org/html/rfc5389#section\-15.4
.PP
For authentication, each user must know two things: the username and the
password. Optionally, the user must supply the ORIGIN value, so that the
server can figure out the realm to be used for the user. The nonce and
the realm values are supplied by the TURN server. But LTCM is not saying
anything about the nature and about the persistence of the username and
server can figure out the realm to be used for the user. The nonce and
the realm values are supplied by the TURN server. But LTCM is not saying
anything about the nature and about the persistence of the username and
of the password; and this is used by the REST API.
.PP
In the TURN REST API, there is no persistent passwords for users. A user has
just the username. The password is always temporary, and it is generated by
the web server on\-demand, when the user accesses the WebRTC page. And,
actually, a temporary one\-time session only, username is provided to the user,
too.
In the TURN REST API, there is no persistent passwords for users. A user has
just the username. The password is always temporary, and it is generated by
the web server on\-demand, when the user accesses the WebRTC page. And,
actually, a temporary one\-time session only, username is provided to the user,
too.
.PP
The temporary user is generated as:
.PP
temporary\-username="timestamp" + ":" + "username"
.PP
where username is the persistent user name, and the timestamp format is just
where username is the persistent user name, and the timestamp format is just
seconds since 1970 \- the same value as \fBtime\fP(NULL) function returns.
.PP
The temporary password is obtained as HMAC\-SHA1 function over the temporary
@ -932,7 +931,7 @@ Both the TURN server and the web server know the same shared secret. How the
shared secret is distributed among the involved entities is left to the WebRTC
deployment details \- this is beyond the scope of the TURN REST API.
.PP
So, a timestamp is used for the temporary password calculation, and this
So, a timestamp is used for the temporary password calculation, and this
timestamp can be retrieved from the temporary username. This information
is valuable, but only temporary, while the timestamp is not expired. Without
knowledge of the shared secret, a new temporary password cannot be generated.
@ -947,7 +946,7 @@ For developers, we are going to describe it step\-by\-step below:
.RS
.IP \(bu 3
a new TURN client sends a request command to the TURN server. Optionally,
it adds the ORIGIN field to it.
it adds the ORIGIN field to it.
.IP \(bu 3
TURN server sees that this is a new client and the message is not
authenticated.
@ -970,13 +969,13 @@ the client uses username, realm and password to produce a key:
(SASLprep is described here: http://tools.ietf.org/html/rfc4013)
.IP \(bu 3
the client forms a new request, adds username, realm and nonce to the
request. Then, the client calculates and adds the integrity field to
request. Then, the client calculates and adds the integrity field to
the request. This is the trickiest part of the process, and it is
described in the end of section 15.4:
described in the end of section 15.4:
http://tools.ietf.org/html/rfc5389#section\-15.4
.IP \(bu 3
the client, optionally, adds the fingerprint field. This may be also
a tricky procedure, described in section 15.5 of the same document.
a tricky procedure, described in section 15.5 of the same document.
WebRTC usually uses fingerprinted TURN messages.
.IP \(bu 3
the TURN server receives the request, reads the username.
@ -989,33 +988,33 @@ then the TURN server calculates the key.
then the TURN server calculates the integrity field.
.IP \(bu 3
then the TURN server compares the calculated integrity field with the
received one \- they must be the same. If the integrity fields differ,
received one \- they must be the same. If the integrity fields differ,
then the request is rejected.
.RE
.PP
In subsequent communications, the client may go with exactly the same
sequence, but for optimization usually the client, having already
information about realm and nonce, pre\-calculates the integrity string
for each request, so that the 401 error response becomes unnecessary.
The TURN server may use "\fB\-\-stale\-nonce\fP" option for extra security: in
In subsequent communications, the client may go with exactly the same
sequence, but for optimization usually the client, having already
information about realm and nonce, pre\-calculates the integrity string
for each request, so that the 401 error response becomes unnecessary.
The TURN server may use "\fB\-\-stale\-nonce\fP" option for extra security: in
some time, the nonce expires and the client will obtain 438 error response
with the new nonce, and the client will have to start using the new nonce.
.PP
In subsequent communications, the server and the client will always assume
the same password \- the original password becomes the session parameter and
In subsequent communications, the server and the client will always assume
the same password \- the original password becomes the session parameter and
is never expiring. So the password is not changing while the session is valid
and unexpired. So, if the session is properly maintained, it may go forever,
even if the user password has been already changed (in the database). The
session simply is using the old password. Once the session got disconnected,
the client will have to use the new password to re\-connect (if the password
and unexpired. So, if the session is properly maintained, it may go forever,
even if the user password has been already changed (in the database). The
session simply is using the old password. Once the session got disconnected,
the client will have to use the new password to re\-connect (if the password
has been changed).
.PP
An example when a new shared secret is generated every hour by the TURN server
box and then supplied to the web server, remotely, is provided in the script
examples/scripts/restapi/shared_secret_maintainer.pl .
.PP
A very important thing is that the nonce must be totally random and it must be
different for different clients and different sessions.
A very important thing is that the nonce must be totally random and it must be
different for different clients and different sessions.
.PP
===================================
.SH DATABASES
@ -1023,7 +1022,7 @@ different for different clients and different sessions.
For the user database, the \fIturnserver\fP has the following \fIoptions\fP:
.IP 1) 4
Users can be set in the command line, with multiple \fB\-u\fP or \fB\-\-user\fP \fIoptions\fP.
Obviously, only a few users can be set that way, and their credentials are fixed
Obviously, only a few users can be set that way, and their credentials are fixed
for the \fIturnserver\fP process lifetime.
.IP 2) 4
Users can be stored in SQLite DB. The default SQLite database file is /var/db/turndb
@ -1031,23 +1030,23 @@ or /usr/local/var/db/turndb or /var/lib/turn/turndb.
.IP 3) 4
Users can be stored in PostgreSQL database, if the \fIturnserver\fP was compiled with PostgreSQL
support. Each time \fIturnserver\fP checks user credentials, it reads the database (asynchronously,
of course, so that the current flow of packets is not delayed in any way), so any change in the
database content is immediately visible by the \fIturnserver\fP. This is the way if you need the
of course, so that the current flow of packets is not delayed in any way), so any change in the
database content is immediately visible by the \fIturnserver\fP. This is the way if you need the
best scalability. The schema for the database can be found in schema.sql file.
For long\-term credentials, you have to set the "keys" for the users; the "keys" are generated
by the \fIturnadmin\fP utility. For the key generation, you need username, password and the realm.
All users in the database must use the same realm value; if down the road you will decide
to change the realm name, then you will have to re\-generate all user keys (that can be done
For long\-term credentials, you have to set the "keys" for the users; the "keys" are generated
by the \fIturnadmin\fP utility. For the key generation, you need username, password and the realm.
All users in the database must use the same realm value; if down the road you will decide
to change the realm name, then you will have to re\-generate all user keys (that can be done
in a batch script). See the file turndb/testsqldbsetup.sql as an example.
.IP 4) 4
The same is true for MySQL database. The same schema file is applicable.
The same considerations are applicable.
The same considerations are applicable.
.IP 5) 4
The same is true for the Redis database, but the Redis database has aa different schema \-
it can be found (in the form of explanation) in schema.userdb.redis.
Also, in Redis you can store both "keys" and open passwords (for long term credentials) \-
the "open password" option is less secure but more convenient for low\-security environments.
See the file turndb/testredisdbsetup.sh as an example.
it can be found (in the form of explanation) in schema.userdb.redis.
Also, in Redis you can store both "keys" and open passwords (for long term credentials) \-
the "open password" option is less secure but more convenient for low\-security environments.
See the file turndb/testredisdbsetup.sh as an example.
.IP 6) 4
If a database is used, then users can be divided into multiple independent realms. Each realm
can be administered separately, and each realm can have its own set of users and its own
@ -1064,21 +1063,21 @@ The simplest choice is not to use it. Do not set \fB\-\-redis\-statsdb\fP option
will be simply ignored.
.IP 2) 4
If you choose to use it, then set the \fB\-\-redis\-statsdb\fP option. This may be the same database
as in \fB\-\-redis\-userdb\fP option, or it may be a different database. You may want to use different
as in \fB\-\-redis\-userdb\fP option, or it may be a different database. You may want to use different
database for security or convenience reasons. Also, you can use different database management
systems for the user database and for the ststus and statistics database. For example, you can use
systems for the user database and for the ststus and statistics database. For example, you can use
MySQL as the user database, and you can use redis for the statistics. Or you can use Redis for both.
.PP
So, we have 6 choices for the user management, and 2 choices for the statistics management. These
two are totally independent. So, you have overall 6*2=12 ways to handle persistent information,
two are totally independent. So, you have overall 6*2=12 ways to handle persistent information,
choose any for your convenience.
.PP
You do not have to handle the database information "manually" \- the \fIturnadmin\fP program can handle
You do not have to handle the database information "manually" \- the \fIturnadmin\fP program can handle
everything for you. For PostgreSQL and MySQL you will just have to create an empty database
with schema.sql SQL script. With Redis, you do not have to do even that \- just run \fIturnadmin\fP and
it will set the users for you (see the \fIturnadmin\fP manuals). If you are using SQLite, then the
\fIturnserver\fP or \fIturnadmin\fP will initialize the empty database, for you, when started. The
TURN server installation process creates an empty initialized SQLite database in the default
with schema.sql SQL script. With Redis, you do not have to do even that \- just run \fIturnadmin\fP and
it will set the users for you (see the \fIturnadmin\fP manuals). If you are using SQLite, then the
\fIturnserver\fP or \fIturnadmin\fP will initialize the empty database, for you, when started. The
TURN server installation process creates an empty initialized SQLite database in the default
location (/var/db/turndb or /usr/local/var/db/turndb or /var/lib/turn/turndb, depending on the system).
.PP
=================================
@ -1097,7 +1096,7 @@ does not include the ALPN information into the ServerHello.
In the lib/ sub\-directory the build process will create TURN client messaging library.
In the include/ sub\-directory, the necessary include files will be placed.
The C++ wrapper for the messaging functionality is located in TurnMsgLib.h header.
An example of C++ code can be found in stunclient.c file.
An example of C++ code can be found in stunclient.c file.
.PP
=================================
.SH DOCS
@ -1112,13 +1111,13 @@ $ man \fB\-M\fP man \fIturnserver\fP
.PP
to see the man page.
.PP
In the docs/html subdirectory of the original archive tree, you will find the client library
In the docs/html subdirectory of the original archive tree, you will find the client library
reference. After the installation, it will be placed in PREFIX/share/doc/\fIturnserver\fP/html.
.PP
=================================
.SH LOGS
When the \fBTURN Server\fP starts, it makes efforts to create a log file turn_<pid>.log
When the \fBTURN Server\fP starts, it makes efforts to create a log file turn_<pid>.log
in the following directories:
.RS
.IP \(bu 3
@ -1133,7 +1132,7 @@ in the following directories:
current directory
.RE
.PP
If all efforts failed (due to the system permission settings) then all
If all efforts failed (due to the system permission settings) then all
log messages are sent only to the standard output of the process.
.PP
This behavior can be controlled by \fB\-\-log\-file\fP, \fB\-\-syslog\fP and \fB\-\-no\-stdout\-log\fP
@ -1143,7 +1142,7 @@ This behavior can be controlled by \fB\-\-log\-file\fP, \fB\-\-syslog\fP and \fB
.SH HTTPS MANAGEMENT INTERFACE
The \fIturnserver\fP process provides an HTTPS Web access as statistics and basic
management interface. The \fIturnserver\fP listens to incoming HTTPS admin
management interface. The \fIturnserver\fP listens to incoming HTTPS admin
connections on the same ports as the main TURN/STUN listener. The Web admin
pages are basic and self\-explanatory.
.PP
@ -1165,11 +1164,11 @@ in "help" command output in the telnet CLI.
=================================
.SH CLUSTERS
\fBTURN Server\fP can be a part of the cluster installation. But, to support the "even port" functionality
(RTP/RTCP streams pairs) the client requests from a particular IP must be delivered to the same
\fBTURN Server\fP instance, so it requires some networking setup massaging for the cluster. The reason is that
the RTP and RTCP relaying endpoints must be allocated on the same relay IP. It would be possible
to design a scheme with the application\-level requests forwarding (and we may do that later) but
\fBTURN Server\fP can be a part of the cluster installation. But, to support the "even port" functionality
(RTP/RTCP streams pairs) the client requests from a particular IP must be delivered to the same
\fBTURN Server\fP instance, so it requires some networking setup massaging for the cluster. The reason is that
the RTP and RTCP relaying endpoints must be allocated on the same relay IP. It would be possible
to design a scheme with the application\-level requests forwarding (and we may do that later) but
it would affect the performance.
.PP
=================================


@ -51,12 +51,12 @@ addresses should be configured to be able to work properly!
.TP
.B
6.
\fIturnutils_oauth\fP: a utility that provides OAuth access_token
\fBgeneration\fP(AEAD encryption), validation and decryption. This utility inputs
all the keys and lifetimes and any related information that needed for
creation and validationi of an access_token. It outputs a JSON with all OAuth
PoP parameters that need to pass to the client. Output is generated accoriding
RFC7635 Appendix B, Figure 8.
\fIturnutils_oauth\fP: a utility that provides OAuth access_token
\fBgeneration\fP(AEAD encryption), validation and decryption. This utility inputs
all the keys and lifetimes and any related information that needed for
creation and validationi of an access_token. It outputs a JSON with all OAuth
PoP parameters that need to pass to the client. Output is generated accoriding
RFC7635 Appendix B, Figure 8.
.PP
For more details, and for the access_token structure, read rfc7635, and see
script in examples/scripts/oauth.sh.
@ -480,15 +480,15 @@ $ \fIturnutils_oauth\fP [\fIoptions\fP]
.fi
.SS DESCRIPTION
\fIturnutils_oauth\fP utilitiy provides help in OAuth access_token encryption and/or
decryption with AEAD (Atuthenticated Encryption with Associated Data). It helps
for an Auth Server in access_token creation, and also for debugging purposes it
helps the access_token validation and decryption. This utility inputs all the
keys and lifetimes and any related information that are needed for encryption
or decryption of an access_token. It outputs a JSON with all OAuth PoP
parameters that need to pass to the client. Output is generated accoriding
RFC7635 Appendix B, Figure 8. This utility could help to build an Auth Server
service, but be awere that this utility does not generate "session key" /
\fIturnutils_oauth\fP utilitiy provides help in OAuth access_token encryption and/or
decryption with AEAD (Atuthenticated Encryption with Associated Data). It helps
for an Auth Server in access_token creation, and also for debugging purposes it
helps the access_token validation and decryption. This utility inputs all the
keys and lifetimes and any related information that are needed for encryption
or decryption of an access_token. It outputs a JSON with all OAuth PoP
parameters that need to pass to the client. Output is generated accoriding
RFC7635 Appendix B, Figure 8. This utility could help to build an Auth Server
service, but be awere that this utility does not generate "session key" /
"mac_key" and not verifies lifetime of "session key" / "mac_key" or "Auth key".
For more details, and for the access_token structure, read rfc7635, and see
the example in examples/scripts/oauth.sh.


@ -439,6 +439,7 @@ int set_raw_socket_tos(evutil_socket_t fd, int family, int tos)
int is_stream_socket(int st) {
switch(st) {
case TCP_SOCKET:
case TCP_SOCKET_PROXY:
case TLS_SOCKET:
case TENTATIVE_TCP_SOCKET:
case SCTP_SOCKET:


@ -90,7 +90,7 @@ NULL,
NULL,
#endif
DH_1066, "", "", "",
DH_2066, "", "", "",
"turn_server_cert.pem","turn_server_pkey.pem", "", "",
0,0,0,
#if !TLS_SUPPORTED
@ -110,8 +110,8 @@ NULL, PTHREAD_MUTEX_INITIALIZER,
//////////////// Common params ////////////////////
TURN_VERBOSE_NONE,0,0,0,0,
"/var/run/turnserver.pid",
DEFAULT_STUN_PORT,DEFAULT_STUN_TLS_PORT,0,0,1,
0,0,0,0,
DEFAULT_STUN_PORT,DEFAULT_STUN_TLS_PORT,0,0,0,1,
0,0,0,0,0,
"",
"",0,
{
@ -405,6 +405,8 @@ static char Usage[] = "Usage: turnserver [options]\n"
" or in old RFC 3489 sense, default is \"listening port plus one\").\n"
" --alt-tls-listening-port <port> Alternative listening port for TLS and DTLS,\n"
" the default is \"TLS/DTLS port plus one\".\n"
" --tcp-proxy-port <port> Support connections from TCP loadbalancer on this port. The loadbalancer should\n"
" use the binary proxy protocol (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)\n"
" -L, --listening-ip <ip> Listener IP address of relay server. Multiple listeners can be specified.\n"
" --aux-server <ip:port> Auxiliary STUN/TURN server listening endpoint.\n"
" Auxiliary servers do not have alternative ports and\n"
@ -451,7 +453,7 @@ static char Usage[] = "Usage: turnserver [options]\n"
" -v, --verbose 'Moderate' verbose mode.\n"
" -V, --Verbose Extra verbose mode, very annoying (for debug purposes only).\n"
" -o, --daemon Start process as daemon (detach from current shell).\n"
" --prod Production mode: hide the software version.\n"
" --no-software-attribute Production mode: hide the software version (formerly --prod).\n"
" -f, --fingerprint Use fingerprints in the TURN messages.\n"
" -a, --lt-cred-mech Use the long-term credential mechanism.\n"
" -z, --no-auth Do not use any credential mechanism, allow anonymous access.\n"
@ -561,10 +563,10 @@ static char Usage[] = "Usage: turnserver [options]\n"
" if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,\n"
" an optimal curve will be automatically calculated, if not defined\n"
" by this option.\n"
" --dh566 Use 566 bits predefined DH TLS key. Default size of the predefined key is 1066.\n"
" --dh2066 Use 2066 bits predefined DH TLS key. Default size of the predefined key is 1066.\n"
" --dh566 Use 566 bits predefined DH TLS key. Default size of the predefined key is 2066.\n"
" --dh1066 Use 1066 bits predefined DH TLS key. Default size of the predefined key is 2066.\n"
" --dh-file <dh-file-name> Use custom DH TLS key, stored in PEM format in the file.\n"
" Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.\n"
" Flags --dh566 and --dh1066 are ignored when the DH key is taken from a file.\n"
" --no-tlsv1 Do not allow TLSv1/DTLSv1 protocol.\n"
" --no-tlsv1_1 Do not allow TLSv1.1 protocol.\n"
" --no-tlsv1_2 Do not allow TLSv1.2/DTLSv1.2 protocol.\n"
@ -719,6 +721,7 @@ static char AdminUsage[] = "Usage: turnadmin [command] [options]\n"
enum EXTRA_OPTS {
NO_UDP_OPT=256,
NO_TCP_OPT,
TCP_PROXY_PORT_OPT,
NO_TLS_OPT,
NO_DTLS_OPT,
NO_UDP_RELAY_OPT,
@ -775,7 +778,7 @@ enum EXTRA_OPTS {
CLI_MAX_SESSIONS_OPT,
EC_CURVE_NAME_OPT,
DH566_OPT,
DH2066_OPT,
DH1066_OPT,
NE_TYPE_OPT,
NO_SSLV2_OPT, /*deprecated*/
NO_SSLV3_OPT, /*deprecated*/
@ -788,7 +791,7 @@ enum EXTRA_OPTS {
ADMIN_USER_QUOTA_OPT,
SERVER_NAME_OPT,
OAUTH_OPT,
PROD_OPT,
NO_SOFTWARE_ATTRIBUTE_OPT,
NO_HTTP_OPT,
SECRET_KEY_OPT
};
@ -814,6 +817,7 @@ static const struct myoption long_options[] = {
{ "tls-listening-port", required_argument, NULL, TLS_PORT_OPT },
{ "alt-listening-port", required_argument, NULL, ALT_PORT_OPT },
{ "alt-tls-listening-port", required_argument, NULL, ALT_TLS_PORT_OPT },
{ "tcp-proxy-port", required_argument, NULL, TCP_PROXY_PORT_OPT },
{ "listening-ip", required_argument, NULL, 'L' },
{ "relay-device", required_argument, NULL, 'i' },
{ "relay-ip", required_argument, NULL, 'E' },
@ -856,7 +860,8 @@ static const struct myoption long_options[] = {
{ "verbose", optional_argument, NULL, 'v' },
{ "Verbose", optional_argument, NULL, 'V' },
{ "daemon", optional_argument, NULL, 'o' },
{ "prod", optional_argument, NULL, PROD_OPT },
/* deprecated: */ { "prod", optional_argument, NULL, NO_SOFTWARE_ATTRIBUTE_OPT },
{ "no-software-attribute", optional_argument, NULL, NO_SOFTWARE_ATTRIBUTE_OPT },
{ "fingerprint", optional_argument, NULL, 'f' },
{ "check-origin-consistency", optional_argument, NULL, CHECK_ORIGIN_CONSISTENCY_OPT },
{ "no-udp", optional_argument, NULL, NO_UDP_OPT },
@ -908,7 +913,7 @@ static const struct myoption long_options[] = {
{ "cli-max-output-sessions", required_argument, NULL, CLI_MAX_SESSIONS_OPT },
{ "ec-curve-name", required_argument, NULL, EC_CURVE_NAME_OPT },
{ "dh566", optional_argument, NULL, DH566_OPT },
{ "dh2066", optional_argument, NULL, DH2066_OPT },
{ "dh1066", optional_argument, NULL, DH1066_OPT },
{ "ne", required_argument, NULL, NE_TYPE_OPT },
{ "no-sslv2", optional_argument, NULL, NO_SSLV2_OPT }, /* deprecated */
{ "no-sslv3", optional_argument, NULL, NO_SSLV3_OPT }, /* deprecated */
@ -1174,9 +1179,9 @@ static void set_option(int c, char *value)
if(get_bool_value(value))
turn_params.dh_key_size = DH_566;
break;
case DH2066_OPT:
case DH1066_OPT:
if(get_bool_value(value))
turn_params.dh_key_size = DH_2066;
turn_params.dh_key_size = DH_1066;
break;
case EC_CURVE_NAME_OPT:
STRCPY(turn_params.ec_curve_name,value);
@ -1278,6 +1283,10 @@ static void set_option(int c, char *value)
case ALT_TLS_PORT_OPT:
turn_params.alt_tls_listener_port = atoi(value);
break;
case TCP_PROXY_PORT_OPT:
turn_params.tcp_proxy_port = atoi(value);
turn_params.tcp_use_proxy = 1;
break;
case MIN_PORT_OPT:
turn_params.min_port = atoi(value);
break;
@ -1390,8 +1399,8 @@ static void set_option(int c, char *value)
anon_credentials = 1;
}
break;
case PROD_OPT:
turn_params.prod = get_bool_value(value);
case NO_SOFTWARE_ATTRIBUTE_OPT:
turn_params.no_software_attribute = get_bool_value(value);
break;
case 'f':
turn_params.fingerprint = get_bool_value(value);
@ -2082,6 +2091,7 @@ static void set_network_engine(void)
static void drop_privileges(void)
{
setgroups(0, NULL);
if(procgroupid_set) {
if(getgid() != procgroupid) {
if (setgid(procgroupid) != 0) {
@ -2287,13 +2297,13 @@ int main(int argc, char **argv)
if(turn_params.allow_loopback_peers) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "CONFIG WARNING: allow_loopback_peers opens a possible security vulnerability. Do not use in production!!\n");
if(cli_password[0]==0) {
if(cli_password[0]==0 && use_cli) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nCONFIG ERROR: allow_loopback_peers and empty cli password cannot be used together.\n");
exit(-1);
}
}
if(use_cli && cli_password[0]==0) {
if(use_cli && cli_password[0]==0 && use_cli) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nCONFIG ERROR: Empty cli-password, and so telnet cli interface is disabled! Please set a non empty cli-password!\n");
use_cli = 0;
}
@ -2920,10 +2930,10 @@ static void set_ctx(SSL_CTX** out, const char *protocol, const SSL_METHOD* metho
if(!dh) {
if(turn_params.dh_key_size == DH_566)
dh = get_dh566();
else if(turn_params.dh_key_size == DH_2066)
dh = get_dh2066();
else
else if(turn_params.dh_key_size == DH_1066)
dh = get_dh1066();
else
dh = get_dh2066();
}
/*
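Review bot: The return value of `setgroups(0, NULL)` in drop_privileges is discarded, so a failure (for example EPERM when the process lacks the privilege to change its group list) silently leaves the supplementary groups in place while the setgid failure on the next lines is checked (its handling is outside the hunk). Because an unprivileged start without a group change would also fail here, I would make the failure fatal only when a group change was requested: `if(setgroups(0, NULL) != 0 && procgroupid_set) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Cannot drop supplementary groups\n"); exit(-1); }`. Separately, the second cli check now reads `if(use_cli && cli_password[0]==0 && use_cli)`; the trailing `&& use_cli` is redundant and should be dropped. `--tcp-proxy-port` is parsed with atoi like the neighbouring port options, so a non-numeric or out-of-range value goes unnoticed until the listener is created.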


@ -213,7 +213,7 @@ typedef struct _turn_params_ {
int verbose;
int turn_daemon;
int prod;
int no_software_attribute;
int web_admin_listen_on_workers;
int do_not_use_config_file;
@ -226,10 +226,12 @@ typedef struct _turn_params_ {
int tls_listener_port;
int alt_listener_port;
int alt_tls_listener_port;
int tcp_proxy_port;
int rfc5780;
int no_udp;
int no_tcp;
int tcp_use_proxy;
vint no_tcp_relay;
vint no_udp_relay;
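Review bot: The new `tcp_proxy_port` and `tcp_use_proxy` fields carry no comment, and since turn_params is filled by a positional initializer in mainrelay.c, inserting fields in the middle of the struct shifts every later value — the matching initializer edit in this commit shows how easy that is to miss. Suggested comments: `int tcp_proxy_port; /* --tcp-proxy-port: listener port that expects the PROXY protocol v2 header from a TCP load balancer */` and `int tcp_use_proxy; /* set when --tcp-proxy-port is given; the TLS and alternate-port TCP listeners are then skipped */`. The struct definition continues outside the hunk.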


@ -1473,7 +1473,7 @@ static void setup_tcp_listener_servers(ioa_engine_handle e, struct relay_server
/* Create listeners */
/* Aux TCP servers */
if(!turn_params.no_tls || !turn_params.no_tcp) {
if(!turn_params.tcp_use_proxy && (!turn_params.no_tls || !turn_params.no_tcp)) {
for(i=0; i<turn_params.aux_servers_list.size; i++) {
@ -1494,15 +1494,15 @@ static void setup_tcp_listener_servers(ioa_engine_handle e, struct relay_server
/* TCP: */
if(!turn_params.no_tcp) {
tcp_services[index] = create_tls_listener_server(turn_params.listener_ifname, turn_params.listener.addrs[i], turn_params.listener_port, turn_params.verbose, e, send_socket_to_general_relay, relay_server);
tcp_services[index] = create_tls_listener_server(turn_params.listener_ifname, turn_params.listener.addrs[i], turn_params.tcp_use_proxy?turn_params.tcp_proxy_port:turn_params.listener_port, turn_params.verbose, e, send_socket_to_general_relay, relay_server);
if(turn_params.rfc5780)
tcp_services[index+1] = create_tls_listener_server(turn_params.listener_ifname, turn_params.listener.addrs[i], get_alt_listener_port(), turn_params.verbose, e, send_socket_to_general_relay, relay_server);
tcp_services[index+1] = turn_params.tcp_use_proxy?NULL:create_tls_listener_server(turn_params.listener_ifname, turn_params.listener.addrs[i], get_alt_listener_port(), turn_params.verbose, e, send_socket_to_general_relay, relay_server);
} else {
tcp_services[index] = NULL;
if(turn_params.rfc5780)
tcp_services[index+1] = NULL;
}
if(!turn_params.no_tls && (turn_params.no_tcp || (turn_params.listener_port != turn_params.tls_listener_port))) {
if(!turn_params.no_tls && !turn_params.tcp_use_proxy && (turn_params.no_tcp || (turn_params.listener_port != turn_params.tls_listener_port))) {
tls_services[index] = create_tls_listener_server(turn_params.listener_ifname, turn_params.listener.addrs[i], turn_params.tls_listener_port, turn_params.verbose, e, send_socket_to_general_relay, relay_server);
if(turn_params.rfc5780)
tls_services[index+1] = create_tls_listener_server(turn_params.listener_ifname, turn_params.listener.addrs[i], get_alt_tls_listener_port(), turn_params.verbose, e, send_socket_to_general_relay, relay_server);
@ -1651,7 +1651,7 @@ static void setup_relay_server(struct relay_server *rs, ioa_engine_handle e, int
&turn_params.permission_lifetime,
&turn_params.stun_only,
&turn_params.no_stun,
&turn_params.prod,
&turn_params.no_software_attribute,
&turn_params.web_admin_listen_on_workers,
&turn_params.alternate_servers_list,
&turn_params.tls_alternate_servers_list,
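Review bot: The TCP listener line now embeds a ternary inside a seven-argument call and is hard to review; hoist the port into a local before the loop body, `int tcp_port = turn_params.tcp_use_proxy ? turn_params.tcp_proxy_port : turn_params.listener_port;`, and pass `tcp_port` to create_tls_listener_server. A reader also cannot tell whether skipping the aux TCP servers, the alternate-port listener and the TLS listeners under tcp_use_proxy is deliberate; a comment above the first changed condition such as `/* With --tcp-proxy-port the load balancer is the only expected TCP peer: aux, alternate-port and TLS listeners are not created. */` would record the intent, if that is indeed the intent. setup_tcp_listener_servers starts and ends outside the hunk.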


@ -2157,6 +2157,67 @@ static TURN_TLS_TYPE check_tentative_tls(ioa_socket_raw fd)
}
#endif
static ssize_t socket_parse_proxy_v2(ioa_socket_handle s, uint8_t *buf, size_t len)
{
if(len < 16){
return 0 ;
}
/* Check for proxy-v2 magic field */
char magic[] = {0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A};
if(memcmp(magic, buf, sizeof(magic))){
return -1;
}
/* Check version */
uint8_t version = buf[12] >> 4;
if(version != 2) return -1;
/* Read data */
uint8_t command = buf[12] & 0xF;
uint8_t family = buf[13] >> 4;
uint8_t proto = buf[13] & 0xF;
size_t plen = ((size_t)buf[14] << 8) | buf[15];
size_t tlen = 16 + plen;
if(len < tlen) return 0;
/* A local connection is used by the proxy itself and does not carry a valid address */
if(command == 0) return tlen;
/* Accept only proxied TCP connections */
if(command != 1 || proto != 1) return -1;
/* Read the address */
if(family == 1 && plen >= 12){ /* IPv4 */
struct sockaddr_in remote, local;
remote.sin_family = local.sin_family = AF_INET;
memcpy(&remote.sin_addr.s_addr, &buf[16], 4);
memcpy(&local.sin_addr.s_addr, &buf[20], 4);
memcpy(&remote.sin_port, &buf[24], 2);
memcpy(&local.sin_port, &buf[26], 2);
addr_cpy4(&(s->local_addr), &local);
addr_cpy4(&(s->remote_addr), &remote);
}else if(family == 2 && plen >= 36){ /* IPv6 */
struct sockaddr_in6 remote, local;
remote.sin6_family = local.sin6_family = AF_INET6;
memcpy(&remote.sin6_addr.s6_addr, &buf[16], 16);
memcpy(&local.sin6_addr.s6_addr, &buf[32], 16);
memcpy(&remote.sin6_port, &buf[48], 2);
memcpy(&local.sin6_port, &buf[50], 2);
addr_cpy6(&(s->local_addr), &local);
addr_cpy6(&(s->remote_addr), &remote);
}else{
return -1;
}
return tlen;
}
static int socket_input_worker(ioa_socket_handle s)
{
int len = 0;
@ -2372,39 +2433,57 @@ static int socket_input_worker(ioa_socket_handle s)
struct evbuffer *inbuf = bufferevent_get_input(s->bev);
if(inbuf) {
ev_ssize_t blen = evbuffer_copyout(inbuf, buf_elem->buf.buf, STUN_BUFFER_SIZE);
if(blen>0) {
int mlen = 0;
if(blen>(ev_ssize_t)STUN_BUFFER_SIZE)
blen=(ev_ssize_t)STUN_BUFFER_SIZE;
if(is_stream_socket(s->st) && ((s->sat == TCP_CLIENT_DATA_SOCKET)||(s->sat==TCP_RELAY_DATA_SOCKET))) {
mlen = blen;
} else {
mlen = stun_get_message_len_str(buf_elem->buf.buf, blen, 1, &app_msg_len);
}
if(mlen>0 && mlen<=(int)blen) {
len = (int)bufferevent_read(s->bev, buf_elem->buf.buf, mlen);
if(len < 0) {
ret = -1;
if(s->st == TCP_SOCKET_PROXY){
ssize_t tlen = socket_parse_proxy_v2(s, buf_elem->buf.buf, blen);
blen = 0;
if (tlen < 0){
s->tobeclosed = 1;
s->broken = 1;
log_socket_event(s, "socket read failed, to be closed",1);
} else if((s->st == TLS_SOCKET)||(s->st == TLS_SCTP_SOCKET)) {
#if TLS_SUPPORTED
SSL *ctx = bufferevent_openssl_get_ssl(s->bev);
if(!ctx || SSL_get_shutdown(ctx)) {
ret = -1;
s->tobeclosed = 1;
}
#endif
}
if(ret != -1) {
ret = len;
ret = -1;
log_socket_event(s, "proxy protocol violated",1);
}else if(tlen > 0){
bufferevent_read(s->bev, buf_elem->buf.buf, tlen);
blen = evbuffer_copyout(inbuf, buf_elem->buf.buf, STUN_BUFFER_SIZE);
s->st = TCP_SOCKET;
}
}
if(blen){
if(is_stream_socket(s->st) && ((s->sat == TCP_CLIENT_DATA_SOCKET)||(s->sat==TCP_RELAY_DATA_SOCKET))) {
mlen = blen;
} else {
mlen = stun_get_message_len_str(buf_elem->buf.buf, blen, 1, &app_msg_len);
}
if(mlen>0 && mlen<=(int)blen) {
len = (int)bufferevent_read(s->bev, buf_elem->buf.buf, mlen);
if(len < 0) {
ret = -1;
s->tobeclosed = 1;
s->broken = 1;
log_socket_event(s, "socket read failed, to be closed",1);
} else if((s->st == TLS_SOCKET)||(s->st == TLS_SCTP_SOCKET)) {
#if TLS_SUPPORTED
SSL *ctx = bufferevent_openssl_get_ssl(s->bev);
if(!ctx || SSL_get_shutdown(ctx)) {
ret = -1;
s->tobeclosed = 1;
}
#endif
}
if(ret != -1) {
ret = len;
}
}
}
} else if(blen<0) {
s->tobeclosed = 1;
s->broken = 1;
@ -3277,6 +3356,7 @@ int register_callback_on_ioa_socket(ioa_engine_handle e, ioa_socket_handle s, in
break;
case SCTP_SOCKET:
case TCP_SOCKET:
case TCP_SOCKET_PROXY:
if(s->bev) {
if(!clean_preexisting) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
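Review bot: In socket_parse_proxy_v2 a header whose declared length (`tlen = 16 + plen`, with plen up to 65535) exceeds STUN_BUFFER_SIZE can never be satisfied, because the caller hands it at most STUN_BUFFER_SIZE bytes (the evbuffer_copyout in socket_input_worker is capped at that size), so the function keeps returning 0 and the connection is left neither read nor closed; add `if(tlen > STUN_BUFFER_SIZE) return -1;` before the `if(len < tlen) return 0;` check so an oversized header is handled like any other protocol violation. The function also replaces s->remote_addr and s->local_addr with whatever the header claims, which is what the PROXY protocol intends but only safe when the proxy port is reachable solely from the load balancer; a header comment stating that would help: `/* Trusts the addresses carried in the PROXY v2 header: the proxy port must be reachable only from the load balancer. */`. In socket_input_worker the `bufferevent_read(s->bev, buf_elem->buf.buf, tlen)` that drains the header has its result discarded, and the second evbuffer_copyout result feeds `if(blen)` without the `blen<0` handling the first copy has, so a negative value would flow into stun_get_message_len_str; the remainder of socket_input_worker is outside the hunk.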


@ -82,7 +82,9 @@ static void server_input_handler(struct evconnlistener *l, evutil_socket_t fd,
SOCKET_TYPE st = TENTATIVE_TCP_SOCKET;
if(turn_params.no_tls)
if(turn_params.tcp_use_proxy)
st = TCP_SOCKET_PROXY;
else if(turn_params.no_tls)
st = TCP_SOCKET;
else if(turn_params.no_tcp)
st = TLS_SOCKET;


@ -1659,7 +1659,7 @@ static void https_finish_page(struct str_buffer *sb, ioa_socket_handle s, int cc
str_buffer_append(sb,"</body>\r\n</html>\r\n");
send_str_from_ioa_socket_tcp(s,"HTTP/1.1 200 OK\r\nServer: ");
if(!turn_params.prod) {
if(!turn_params.no_software_attribute) {
send_str_from_ioa_socket_tcp(s,TURN_SOFTWARE);
}
send_str_from_ioa_socket_tcp(s,"\r\n");


@ -90,6 +90,7 @@ enum _SOCKET_TYPE {
SCTP_SOCKET=132,
TLS_SCTP_SOCKET=133,
DTLS_SOCKET=250,
TCP_SOCKET_PROXY=253,
TENTATIVE_SCTP_SOCKET=254,
TENTATIVE_TCP_SOCKET=255
};


@ -64,7 +64,7 @@ static inline int get_family(int stun_family, ioa_engine_handle e, ioa_socket_ha
////////////////////////////////////////////////
const char * get_version(turn_turnserver *server) {
if(server && !*server->prod) {
if(server && !*server->no_software_attribute) {
return (const char *) TURN_SOFTWARE;
} else {
return (const char *) "None";
@ -4900,7 +4900,7 @@ void init_turn_server(turn_turnserver* server,
vintp permission_lifetime,
vintp stun_only,
vintp no_stun,
vintp prod,
vintp no_software_attribute,
vintp web_admin_listen_on_workers,
turn_server_addrs_list_t *alternate_servers_list,
turn_server_addrs_list_t *tls_alternate_servers_list,
@ -4962,7 +4962,7 @@ void init_turn_server(turn_turnserver* server,
server->permission_lifetime = permission_lifetime;
server->stun_only = stun_only;
server->no_stun = no_stun;
server->prod = prod;
server->no_software_attribute = no_software_attribute;
server-> web_admin_listen_on_workers = web_admin_listen_on_workers;
server->dont_fragment = dont_fragment;


@ -120,7 +120,7 @@ struct _turn_turnserver {
vintp permission_lifetime;
vintp stun_only;
vintp no_stun;
vintp prod;
vintp no_software_attribute;
vintp web_admin_listen_on_workers;
vintp secure_stun;
turn_credential_type ct;
@ -199,7 +199,7 @@ void init_turn_server(turn_turnserver* server,
vintp permission_lifetime,
vintp stun_only,
vintp no_stun,
vintp prod,
vintp no_software_attribute,
vintp web_admin_listen_on_workers,
turn_server_addrs_list_t *alternate_servers_list,
turn_server_addrs_list_t *tls_alternate_servers_list,