From ace903fd070c32a8c84e370775f718dc8038b5e9 Mon Sep 17 00:00:00 2001 From: Bertold Van den Bergh Date: Wed, 18 Dec 2019 23:41:33 +0100 Subject: [PATCH 01/17] Add support for loadbalanced TCP connections (haproxy protocol v2) --- README.turnserver | 4 + examples/etc/turnserver.conf | 8 ++ man/man1/turnserver.1 | 8 +- src/apps/common/apputils.c | 1 + src/apps/relay/mainrelay.c | 12 ++- src/apps/relay/mainrelay.h | 2 + src/apps/relay/netengine.c | 8 +- src/apps/relay/ns_ioalib_engine_impl.c | 124 ++++++++++++++++++++----- src/apps/relay/tls_listener.c | 4 +- src/server/ns_turn_ioalib.h | 1 + 10 files changed, 142 insertions(+), 30 deletions(-) diff --git a/README.turnserver b/README.turnserver index 4f2b28d0..21ef455d 100644 --- a/README.turnserver +++ b/README.turnserver @@ -321,6 +321,10 @@ Options with values: --alt-tls-listening-port Alternative listening port for TLS and DTLS protocols. Default (or zero) value means "TLS listening port plus one". + +--tcp-proxy-port Support connections from TCP loadbalancer on this port. The loadbalancer + should use the binary proxy protocol. + (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) --aux-server Auxiliary STUN/TURN server listening endpoint. Aux servers have almost full TURN and STUN functionality. diff --git a/examples/etc/turnserver.conf b/examples/etc/turnserver.conf index d8189f53..0855be8b 100644 --- a/examples/etc/turnserver.conf +++ b/examples/etc/turnserver.conf 
@@ -44,6 +44,14 @@ # Default (or zero) value means "TLS listening port plus one". # #alt-tls-listening-port=0 + +# Some network setups will require using a TCP reverse proxy in front +# of the STUN server. If the proxy port option is set a single listener +# is started on the given port that accepts connections using the +# haproxy proxy protocol v2. +# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) +# +#tcp-proxy-port=5555 # Listener IP address of relay server. Multiple listeners can be specified. # If no IP(s) specified in the config file or in the command line options, diff --git a/man/man1/turnserver.1 b/man/man1/turnserver.1 index 4cbac6d3..8d59028c 100644 --- a/man/man1/turnserver.1 +++ b/man/man1/turnserver.1 @@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "29 January 2019" "" "" +.TH TURN 1 "12 February 2020" "" "" .SH GENERAL INFORMATION The \fBTURN Server\fP project contains the source code of a TURN server and TURN client @@ -483,6 +483,12 @@ Alternative listening port for TLS and DTLS protocols. Default (or zero) value means "TLS listening port plus one". .TP .B +\fB\-\-tcp\-proxy\-port\fP +Support connections from TCP loadbalancer on this port. The loadbalancer +should use the binary proxy protocol. +(https://www.haproxy.org/download/1.8/doc/proxy\-protocol.txt) +.TP +.B \fB\-\-aux\-server\fP Auxiliary STUN/TURN server listening endpoint. Aux servers have almost full TURN and STUN functionality. diff --git a/src/apps/common/apputils.c b/src/apps/common/apputils.c index 2dbb923e..13c1f9b2 100644 --- a/src/apps/common/apputils.c +++ b/src/apps/common/apputils.c @@ -439,6 +439,7 @@ int set_raw_socket_tos(evutil_socket_t fd, int family, int tos) int is_stream_socket(int st) { switch(st) { case TCP_SOCKET: + case TCP_SOCKET_PROXY: case TLS_SOCKET: case TENTATIVE_TCP_SOCKET: case SCTP_SOCKET: diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c index 6710da6d..c5941ef6 100644 
--- a/src/apps/relay/mainrelay.c +++ b/src/apps/relay/mainrelay.c @@ -110,8 +110,8 @@ NULL, PTHREAD_MUTEX_INITIALIZER, //////////////// Common params //////////////////// TURN_VERBOSE_NONE,0,0,0,0, "/var/run/turnserver.pid", -DEFAULT_STUN_PORT,DEFAULT_STUN_TLS_PORT,0,0,1, -0,0,0,0, +DEFAULT_STUN_PORT,DEFAULT_STUN_TLS_PORT,0,0,0,1, +0,0,0,0,0, "", "",0, { @@ -402,6 +402,8 @@ static char Usage[] = "Usage: turnserver [options]\n" " or in old RFC 3489 sense, default is \"listening port plus one\").\n" " --alt-tls-listening-port Alternative listening port for TLS and DTLS,\n" " the default is \"TLS/DTLS port plus one\".\n" +" --tcp-proxy-port Support connections from TCP loadbalancer on this port. The loadbalancer should\n" +" use the binary proxy protocol (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)\n" " -L, --listening-ip Listener IP address of relay server. Multiple listeners can be specified.\n" " --aux-server Auxiliary STUN/TURN server listening endpoint.\n" " Auxiliary servers do not have alternative ports and\n" @@ -713,6 +715,7 @@ static char AdminUsage[] = "Usage: turnadmin [command] [options]\n" enum EXTRA_OPTS { NO_UDP_OPT=256, NO_TCP_OPT, + TCP_PROXY_PORT_OPT, NO_TLS_OPT, NO_DTLS_OPT, NO_UDP_RELAY_OPT, @@ -805,6 +808,7 @@ static const struct myoption long_options[] = { { "tls-listening-port", required_argument, NULL, TLS_PORT_OPT }, { "alt-listening-port", required_argument, NULL, ALT_PORT_OPT }, { "alt-tls-listening-port", required_argument, NULL, ALT_TLS_PORT_OPT }, + { "tcp-proxy-port", required_argument, NULL, TCP_PROXY_PORT_OPT }, { "listening-ip", required_argument, NULL, 'L' }, { "relay-device", required_argument, NULL, 'i' }, { "relay-ip", required_argument, NULL, 'E' }, 
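Review bot: The two new `0` entries in the positional initializer of turn_params (the `DEFAULT_STUN_PORT,...,0,0,0,1,` and `0,0,0,0,0,` lines) can only be matched to `tcp_proxy_port` and `tcp_use_proxy` by counting members against mainrelay.h, which is exactly how a later field insertion silently shifts every following value. The file already uses C99 `//` comments, so designated initializers are available; writing the touched members as `.tcp_proxy_port = 0,` and `.tcp_use_proxy = 0,` (or converting the whole aggregate) would make the mapping explicit and position-independent. The initializer begins before this hunk, so the neighbouring members are not visible here.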
@@ -1266,6 +1270,10 @@ static void set_option(int c, char *value) case ALT_TLS_PORT_OPT: turn_params.alt_tls_listener_port = atoi(value); break; + case TCP_PROXY_PORT_OPT: + turn_params.tcp_proxy_port = atoi(value); + turn_params.tcp_use_proxy = 1; + break; case MIN_PORT_OPT: turn_params.min_port = atoi(value); break; diff --git a/src/apps/relay/mainrelay.h b/src/apps/relay/mainrelay.h index ea139846..779c09fd 100644 --- a/src/apps/relay/mainrelay.h +++ b/src/apps/relay/mainrelay.h @@ -226,10 +226,12 @@ typedef struct _turn_params_ { int tls_listener_port; int alt_listener_port; int alt_tls_listener_port; + int tcp_proxy_port; int rfc5780; int no_udp; int no_tcp; + int tcp_use_proxy; vint no_tcp_relay; vint no_udp_relay; diff --git a/src/apps/relay/netengine.c b/src/apps/relay/netengine.c index 1a69dcd8..82139c2c 100644 --- a/src/apps/relay/netengine.c +++ b/src/apps/relay/netengine.c 
@@ -1473,7 +1473,7 @@ static void setup_tcp_listener_servers(ioa_engine_handle e, struct relay_server /* Create listeners */ /* Aux TCP servers */ - if(!turn_params.no_tls || !turn_params.no_tcp) { + if(!turn_params.tcp_use_proxy && (!turn_params.no_tls || !turn_params.no_tcp)) { for(i=0; i> 4; + if(version != 2) return -1; + + /* Read data */ + uint8_t command = buf[12] & 0xF; + uint8_t family = buf[13] >> 4; + uint8_t proto = buf[13] & 0xF; + size_t plen = ((size_t)buf[14] << 8) | buf[15]; + + size_t tlen = 16 + plen; + if(len < tlen) return 0; + + /* A local connection is used by the proxy itself and does not carry a valid address */ + if(command == 0) return tlen; + + /* Accept only proxied TCP connections */ + if(command != 1 || proto != 1) return -1; + + /* Read the address */ + if(family == 1 && plen >= 12){ /* IPv4 */ + struct sockaddr_in remote, local; + remote.sin_family = local.sin_family = AF_INET; + memcpy(&remote.sin_addr.s_addr, &buf[16], 4); + memcpy(&local.sin_addr.s_addr, &buf[20], 4); + memcpy(&remote.sin_port, &buf[24], 2); + memcpy(&local.sin_port, &buf[26], 2); + + addr_cpy4(&(s->local_addr), &local); + addr_cpy4(&(s->remote_addr), &remote); + + }else if(family == 2 && plen >= 36){ /* IPv6 */ + struct sockaddr_in6 remote, local; + remote.sin6_family = local.sin6_family = AF_INET6; + memcpy(&remote.sin6_addr.s6_addr, &buf[16], 16); + memcpy(&local.sin6_addr.s6_addr, &buf[32], 16); + memcpy(&remote.sin6_port, &buf[48], 2); + memcpy(&local.sin6_port, &buf[50], 2); + + addr_cpy6(&(s->local_addr), &local); + addr_cpy6(&(s->remote_addr), &remote); + + }else{ + return -1; + } + + return tlen; +} + static int socket_input_worker(ioa_socket_handle s) { int len = 0; 
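Review bot: A PROXY v2 header whose declared length cannot fit the caller's buffer is never rejected in socket_parse_proxy_v2: `tlen = 16 + plen` can be as large as 16 + 65535, while the `len` the caller passes is capped at STUN_BUFFER_SIZE, so `if(len < tlen) return 0;` returns 0 on every subsequent read and the connection neither completes nor closes while input keeps accumulating in the evbuffer. Adding `if(tlen > STUN_BUFFER_SIZE) return -1;` immediately before that check routes the case into the existing "proxy protocol violated" close. The bytes `buf[12]`..`buf[15]` are also consumed before `tlen` is compared with `len`; the hunk header and the opening lines of the function are garbled in this copy, so if they do not already reject `len < 16` that guard belongs there as well. A short header comment stating that the return value is the number of header bytes to drain (0 = need more data, -1 = invalid) would make the tri-state contract explicit for the caller.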
@@ -2372,39 +2433,57 @@ static int socket_input_worker(ioa_socket_handle s) struct evbuffer *inbuf = bufferevent_get_input(s->bev); if(inbuf) { ev_ssize_t blen = evbuffer_copyout(inbuf, buf_elem->buf.buf, STUN_BUFFER_SIZE); + if(blen>0) { int mlen = 0; if(blen>(ev_ssize_t)STUN_BUFFER_SIZE) blen=(ev_ssize_t)STUN_BUFFER_SIZE; - if(is_stream_socket(s->st) && ((s->sat == TCP_CLIENT_DATA_SOCKET)||(s->sat==TCP_RELAY_DATA_SOCKET))) { - mlen = blen; - } else { - mlen = stun_get_message_len_str(buf_elem->buf.buf, blen, 1, &app_msg_len); - } - - if(mlen>0 && mlen<=(int)blen) { - len = (int)bufferevent_read(s->bev, buf_elem->buf.buf, mlen); - if(len < 0) { - ret = -1; + if(s->st == TCP_SOCKET_PROXY){ + ssize_t tlen = socket_parse_proxy_v2(s, buf_elem->buf.buf, blen); + blen = 0; + if (tlen < 0){ s->tobeclosed = 1; s->broken = 1; - log_socket_event(s, "socket read failed, to be closed",1); - } else if((s->st == TLS_SOCKET)||(s->st == TLS_SCTP_SOCKET)) { -#if TLS_SUPPORTED - SSL *ctx = bufferevent_openssl_get_ssl(s->bev); - if(!ctx || SSL_get_shutdown(ctx)) { - ret = -1; - s->tobeclosed = 1; - } -#endif - } - if(ret != -1) { - ret = len; + ret = -1; + log_socket_event(s, "proxy protocol violated",1); + }else if(tlen > 0){ + bufferevent_read(s->bev, buf_elem->buf.buf, tlen); + + blen = evbuffer_copyout(inbuf, buf_elem->buf.buf, STUN_BUFFER_SIZE); + s->st = TCP_SOCKET; } } + if(blen){ + if(is_stream_socket(s->st) && ((s->sat == TCP_CLIENT_DATA_SOCKET)||(s->sat==TCP_RELAY_DATA_SOCKET))) { + mlen = blen; + } else { + mlen = stun_get_message_len_str(buf_elem->buf.buf, blen, 1, &app_msg_len); + } + + if(mlen>0 && mlen<=(int)blen) { + len = (int)bufferevent_read(s->bev, buf_elem->buf.buf, mlen); + if(len < 0) { + ret = -1; + s->tobeclosed = 1; + s->broken = 1; + log_socket_event(s, "socket read failed, to be closed",1); + } else if((s->st == TLS_SOCKET)||(s->st == TLS_SCTP_SOCKET)) { +#if TLS_SUPPORTED + SSL *ctx = bufferevent_openssl_get_ssl(s->bev); + if(!ctx || 
SSL_get_shutdown(ctx)) { + ret = -1; + s->tobeclosed = 1; + } +#endif + } + if(ret != -1) { + ret = len; + } + } + } } else if(blen<0) { s->tobeclosed = 1; s->broken = 1; @@ -3277,6 +3356,7 @@ int register_callback_on_ioa_socket(ioa_engine_handle e, ioa_socket_handle s, in break; case SCTP_SOCKET: case TCP_SOCKET: + case TCP_SOCKET_PROXY: if(s->bev) { if(!clean_preexisting) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, diff --git a/src/apps/relay/tls_listener.c b/src/apps/relay/tls_listener.c index a75c1875..689c2f66 100644 --- a/src/apps/relay/tls_listener.c +++ b/src/apps/relay/tls_listener.c @@ -82,7 +82,9 @@ static void server_input_handler(struct evconnlistener *l, evutil_socket_t fd, SOCKET_TYPE st = TENTATIVE_TCP_SOCKET; - if(turn_params.no_tls) + if(turn_params.tcp_use_proxy) + st = TCP_SOCKET_PROXY; + else if(turn_params.no_tls) st = TCP_SOCKET; else if(turn_params.no_tcp) st = TLS_SOCKET; diff --git a/src/server/ns_turn_ioalib.h b/src/server/ns_turn_ioalib.h index 074e618e..6737711d 100644 --- a/src/server/ns_turn_ioalib.h +++ b/src/server/ns_turn_ioalib.h @@ -90,6 +90,7 @@ enum _SOCKET_TYPE { SCTP_SOCKET=132, TLS_SCTP_SOCKET=133, DTLS_SOCKET=250, + TCP_SOCKET_PROXY=253, TENTATIVE_SCTP_SOCKET=254, TENTATIVE_TCP_SOCKET=255 }; From 520e172b22c7b35fd8e90ed113f2464281b15ad6 Mon Sep 17 00:00:00 2001 
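Review bot: In the new `TCP_SOCKET_PROXY` branch of socket_input_worker, `bufferevent_read(s->bev, buf_elem->buf.buf, tlen);` discards its return value, and the following `blen = evbuffer_copyout(inbuf, ...)` is not checked for a negative result before `if(blen){`, so a failed copyout (-1) flows into `stun_get_message_len_str` as a negative length instead of taking the `else if(blen<0)` close path the surrounding code already has. Guarding the re-copyout with `if(blen < 0) { s->tobeclosed = 1; s->broken = 1; ret = -1; }` and treating a drained count different from `tlen` the same way keeps the error handling consistent with the rest of the function. Since the socket is turned into a plain `TCP_SOCKET` after the header, no TLS detection happens on proxied connections as far as this hunk shows; a comment at `s->st = TCP_SOCKET;` saying `/* proxied connections are plain TCP; no TLS probing after the header */` would save the next reader that question. The function continues outside the hunk on both sides.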
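Review bot: With `tcp_use_proxy` set, every connection accepted in server_input_handler becomes `TCP_SOCKET_PROXY`, and socket_parse_proxy_v2 then overwrites `s->remote_addr` and `s->local_addr` with whatever the peer's PROXY header claims, with no check on who sent it; anything downstream that keys on the client address (logging, per-address accounting) therefore trusts an unauthenticated value whenever the port is reachable by clients directly. The patch adds no restriction of the listener to the load balancer's address, so at minimum the `--tcp-proxy-port` help text and the turnserver.conf comment should state that the port must be reachable only from the proxy, and a comment such as `/* PROXY header is trusted: this port must only be reachable from the load balancer */` at the `st = TCP_SOCKET_PROXY;` line would record that assumption in the code. server_input_handler starts before this hunk.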
From: Danilo Bargen Date: Fri, 13 Mar 2020 11:01:15 +0100 Subject: [PATCH 02/17] Rename "prod" config option to "no-software-attribute" As discussed in https://github.com/coturn/coturn/pull/478, if the parameter only controls whether or not to send the software attribute and not other production-relevant configurations, it should be named accordingly. The old --prod configuration option still works, but is now deprecated and undocumented. --- README.turnserver | 2 +- docker/coturn/turnserver.conf | 2 +- examples/etc/turnserver.conf | 2 +- man/man1/turnserver.1 | 4 ++-- src/apps/relay/mainrelay.c | 11 ++++++----- src/apps/relay/mainrelay.h | 2 +- src/apps/relay/netengine.c | 2 +- src/apps/relay/turn_admin_server.c | 2 +- src/server/ns_turn_server.c | 6 +++--- src/server/ns_turn_server.h | 4 ++-- 10 files changed, 19 insertions(+), 18 deletions(-) diff --git a/README.turnserver b/README.turnserver index 4f2b28d0..bdb5ebe8 100644 --- a/README.turnserver +++ b/README.turnserver @@ -158,7 +158,7 @@ Flags: -o, --daemon Run server as daemon. ---prod Production mode: hide the software version. +--no-software-attribute Production mode: hide the software version. -f, --fingerprint Use fingerprints in the TURN messages. If an incoming request contains a fingerprint, then TURN server will always add diff --git a/docker/coturn/turnserver.conf b/docker/coturn/turnserver.conf index d455dd3f..0389f726 100644 --- a/docker/coturn/turnserver.conf +++ b/docker/coturn/turnserver.conf @@ -582,7 +582,7 @@ syslog # Implementers SHOULD make usage of the SOFTWARE attribute a # configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2) # -#prod +#no-software-attribute # Option to suppress STUN functionality, only TURN requests will be processed. # Run as TURN server only, all STUN requests will be ignored. diff --git a/examples/etc/turnserver.conf b/examples/etc/turnserver.conf index e9174077..0d0417ad 100644 --- a/examples/etc/turnserver.conf +++ b/examples/etc/turnserver.conf 
@@ -566,7 +566,7 @@ # Implementers SHOULD make usage of the SOFTWARE attribute a # configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2) # -#prod +#no-software-attribute # Option to suppress STUN functionality, only TURN requests will be processed. # Run as TURN server only, all STUN requests will be ignored. diff --git a/man/man1/turnserver.1 b/man/man1/turnserver.1 index 6c7e96a4..2bfbcf13 100644 --- a/man/man1/turnserver.1 +++ b/man/man1/turnserver.1 @@ -236,8 +236,8 @@ Extra verbose mode, very annoying and not recommended. Run server as daemon. .TP .B -\fB\-\-prod\fP -Production mode: hide the software version. +\fB\-\-no-software-attribute\fP +Do not send the software version. Should be used in production. .TP .B \fB\-f\fP, \fB\-\-fingerprint\fP diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c index 6710da6d..8ff7733f 100644 --- a/src/apps/relay/mainrelay.c +++ b/src/apps/relay/mainrelay.c @@ -448,7 +448,7 @@ static char Usage[] = "Usage: turnserver [options]\n" " -v, --verbose 'Moderate' verbose mode.\n" " -V, --Verbose Extra verbose mode, very annoying (for debug purposes only).\n" " -o, --daemon Start process as daemon (detach from current shell).\n" -" --prod Production mode: hide the software version.\n" +" --no-software-attribute Production mode: hide the software version (formerly --prod).\n" " -f, --fingerprint Use fingerprints in the TURN messages.\n" " -a, --lt-cred-mech Use the long-term credential mechanism.\n" " -z, --no-auth Do not use any credential mechanism, allow anonymous access.\n" @@ -779,7 +779,7 @@ enum EXTRA_OPTS { ADMIN_USER_QUOTA_OPT, SERVER_NAME_OPT, OAUTH_OPT, - PROD_OPT, + NO_SOFTWARE_ATTRIBUTE_OPT, NO_HTTP_OPT, SECRET_KEY_OPT }; 
@@ -844,7 +844,8 @@ static const struct myoption long_options[] = { { "verbose", optional_argument, NULL, 'v' }, { "Verbose", optional_argument, NULL, 'V' }, { "daemon", optional_argument, NULL, 'o' }, - { "prod", optional_argument, NULL, PROD_OPT }, +/* deprecated: */ { "prod", optional_argument, NULL, NO_SOFTWARE_ATTRIBUTE_OPT }, + { "no-software-attribute", optional_argument, NULL, NO_SOFTWARE_ATTRIBUTE_OPT }, { "fingerprint", optional_argument, NULL, 'f' }, { "check-origin-consistency", optional_argument, NULL, CHECK_ORIGIN_CONSISTENCY_OPT }, { "no-udp", optional_argument, NULL, NO_UDP_OPT }, @@ -1378,8 +1379,8 @@ static void set_option(int c, char *value) anon_credentials = 1; } break; - case PROD_OPT: - turn_params.prod = get_bool_value(value); + case NO_SOFTWARE_ATTRIBUTE_OPT: + turn_params.no_software_attribute = get_bool_value(value); break; case 'f': turn_params.fingerprint = get_bool_value(value); diff --git a/src/apps/relay/mainrelay.h b/src/apps/relay/mainrelay.h index ea139846..4394c33a 100644 --- a/src/apps/relay/mainrelay.h +++ b/src/apps/relay/mainrelay.h @@ -213,7 +213,7 @@ typedef struct _turn_params_ { int verbose; int turn_daemon; - int prod; + int no_software_attribute; int web_admin_listen_on_workers; int do_not_use_config_file; diff --git a/src/apps/relay/netengine.c b/src/apps/relay/netengine.c index 1a69dcd8..acf42082 100644 --- a/src/apps/relay/netengine.c +++ b/src/apps/relay/netengine.c @@ -1651,7 +1651,7 @@ static void setup_relay_server(struct relay_server *rs, ioa_engine_handle e, int &turn_params.permission_lifetime, &turn_params.stun_only, &turn_params.no_stun, - &turn_params.prod, + &turn_params.no_software_attribute, &turn_params.web_admin_listen_on_workers, &turn_params.alternate_servers_list, &turn_params.tls_alternate_servers_list, diff --git a/src/apps/relay/turn_admin_server.c b/src/apps/relay/turn_admin_server.c index dade1615..7ad2ab15 100644 --- a/src/apps/relay/turn_admin_server.c +++ b/src/apps/relay/turn_admin_server.c 
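Review bot: The deprecated `prod` alias and the new `no-software-attribute` option both map to `NO_SOFTWARE_ATTRIBUTE_OPT`, so set_option cannot tell them apart and the deprecation announced in the commit message is never surfaced at runtime; the only trace is the `/* deprecated: */` comment in the long_options hunk. Giving the alias its own enum value, e.g. `PROD_OPT_DEPRECATED`, whose case logs a deprecation warning via TURN_LOG_FUNC and then performs the same `turn_params.no_software_attribute = get_bool_value(value);` assignment would let operators find and fix old configurations. The Usage string hunk in this file says "(formerly --prod)" while the commit message calls the old option undocumented; the two should agree.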
@@ -1659,7 +1659,7 @@ static void https_finish_page(struct str_buffer *sb, ioa_socket_handle s, int cc str_buffer_append(sb,"\r\n\r\n"); send_str_from_ioa_socket_tcp(s,"HTTP/1.1 200 OK\r\nServer: "); - if(!turn_params.prod) { + if(!turn_params.no_software_attribute) { send_str_from_ioa_socket_tcp(s,TURN_SOFTWARE); } send_str_from_ioa_socket_tcp(s,"\r\n"); diff --git a/src/server/ns_turn_server.c b/src/server/ns_turn_server.c index 16a6511f..38a15134 100644 --- a/src/server/ns_turn_server.c +++ b/src/server/ns_turn_server.c @@ -64,7 +64,7 @@ static inline int get_family(int stun_family, ioa_engine_handle e, ioa_socket_ha //////////////////////////////////////////////// const char * get_version(turn_turnserver *server) { - if(server && !*server->prod) { + if(server && !*server->no_software_attribute) { return (const char *) TURN_SOFTWARE; } else { return (const char *) "None"; @@ -4900,7 +4900,7 @@ void init_turn_server(turn_turnserver* server, vintp permission_lifetime, vintp stun_only, vintp no_stun, - vintp prod, + vintp no_software_attribute, vintp web_admin_listen_on_workers, turn_server_addrs_list_t *alternate_servers_list, turn_server_addrs_list_t *tls_alternate_servers_list, @@ -4962,7 +4962,7 @@ void init_turn_server(turn_turnserver* server, server->permission_lifetime = permission_lifetime; server->stun_only = stun_only; server->no_stun = no_stun; - server->prod = prod; + server->no_software_attribute = no_software_attribute; server-> web_admin_listen_on_workers = web_admin_listen_on_workers; server->dont_fragment = dont_fragment; diff --git a/src/server/ns_turn_server.h b/src/server/ns_turn_server.h index 628457f3..924a507a 100644 --- a/src/server/ns_turn_server.h +++ b/src/server/ns_turn_server.h @@ -120,7 +120,7 @@ struct _turn_turnserver { vintp permission_lifetime; vintp stun_only; vintp no_stun; - vintp prod; + vintp no_software_attribute; vintp web_admin_listen_on_workers; vintp secure_stun; turn_credential_type ct; 
@@ -199,7 +199,7 @@ void init_turn_server(turn_turnserver* server, vintp permission_lifetime, vintp stun_only, vintp no_stun, - vintp prod, + vintp no_software_attribute, vintp web_admin_listen_on_workers, turn_server_addrs_list_t *alternate_servers_list, turn_server_addrs_list_t *tls_alternate_servers_list, From fa3f2797c2e71fe069c166cb358fbef6092a9d1e Mon Sep 17 00:00:00 2001 From: Paul Menzel Date: Mon, 30 Mar 2020 19:04:21 +0200 Subject: [PATCH 03/17] README.*: Strip trailing spaces --- README.turnadmin | 64 +++--- README.turnserver | 548 +++++++++++++++++++++++----------------------- README.turnutils | 30 +-- 3 files changed, 321 insertions(+), 321 deletions(-) diff --git a/README.turnadmin b/README.turnadmin index e022f002..4b64583d 100644 --- a/README.turnadmin +++ b/README.turnadmin 
@@ -1,51 +1,51 @@ GENERAL INFORMATION -turnadmin is a TURN administration tool. This tool can be used to manage -the user accounts (add/remove users, generate -TURN keys for the users). For security reasons, we do not recommend -storing passwords openly. The better option is to use pre-processed "keys" -which are then used for authentication. These keys are generated by turnadmin. -Turnadmin is a link to turnserver binary, but turnadmin performs different +turnadmin is a TURN administration tool. This tool can be used to manage +the user accounts (add/remove users, generate +TURN keys for the users). For security reasons, we do not recommend +storing passwords openly. The better option is to use pre-processed "keys" +which are then used for authentication. These keys are generated by turnadmin. +Turnadmin is a link to turnserver binary, but turnadmin performs different functions. Options note: turnadmin has long and short option names, for most options. -Some options have only long form, some options have only short form. Their syntax +Some options have only long form, some options have only short form. Their syntax somewhat different, if an argument is required: The short form must be used as this (for example): $ turnadmin -u ... - + The long form equivalent must use the "=" character: $ turnadmin --user= ... - + If this is a flag option (no argument required) then their usage are the same, for example: $ turnadmin -k ... - + is equivalent to: $ turnadmin --key ... -You have always the use the -r option with commands for long term credentials - +You have always the use the -r option with commands for long term credentials - because data for multiple realms can be stored in the same database. - + ===================================== NAME -turnadmin - a TURN relay administration tool. - - SYNOPSIS +turnadmin - a TURN relay administration tool. 
+ + SYNOPSIS $ turnadmin [command] [options] $ turnadmin [ -h | --help] DESCRIPTION - -Commands: + +Commands: -P, --generate-encrypted-password Generate and print to the standard output an encrypted form of a password (for web admin user or CLI). @@ -76,7 +76,7 @@ Only sha256 is supported as the hash function. -X, --delete-secret= Delete a shared secret. --delete-all_secrets Delete all shared secrets for REST API. - + -O, --add-origin Add origin-to-realm relation. -R, --del-origin Delete origin-to-realm relation. @@ -86,10 +86,10 @@ Only sha256 is supported as the hash function. -g, --set-realm-option Set realm params: max-bps, total-quota, user-quota. -G, --list-realm-options List realm params. --E, --generate-encrypted-password-aes Generate and print to the standard output +-E, --generate-encrypted-password-aes Generate and print to the standard output an encrypted form of password with AES-128 - -Options with required values: + +Options with required values: -b, --db, --userdb SQLite user database file name (default - /var/db/turndb or /usr/local/var/db/turndb or /var/lib/turn/turndb). @@ -111,10 +111,10 @@ Options with required values: -o, --origin Origin --max-bps Set value of realm's max-bps parameter. --total-quota Set value of realm's total-quota parameter. ---user-quota Set value of realm's user-quota parameter. +--user-quota Set value of realm's user-quota parameter. -h, --help Help. -Command examples: +Command examples: Generate an encrypted form of a password: @@ -123,11 +123,11 @@ $ turnadmin -P -p Generate a key: $ turnadmin -k -u -r -p - + Add/update a user in the in the database: $ turnadmin -a [-b | -e | -M | -N ] -u -r -p - + Delete a user from the database: $ turnadmin -d [-b | -e | -M | -N ] -u -r @@ -176,13 +176,13 @@ Verify/decrypt encrypted password: $ turnadmin --file-key-path -v - -Help: + +Help: $ turnadmin -h ======================================= - + DOCS After installation, run the command: 
@@ -258,13 +258,13 @@ to see the man page. Erik Johnston Roman Lisagor - + Vladimir Tsanev - + Po-sheng Lin - + Peter Dunkley - + Mutsutoshi Yoshimoto Federico Pinna diff --git a/README.turnserver b/README.turnserver index 4f2b28d0..77304ab0 100644 --- a/README.turnserver +++ b/README.turnserver 
@@ -1,156 +1,156 @@ GENERAL INFORMATION -The TURN Server project contains the source code of a TURN server and TURN client -messaging library. Also, some extra programs provided, for testing-only -purposes. +The TURN Server project contains the source code of a TURN server and TURN client +messaging library. Also, some extra programs provided, for testing-only +purposes. See the INSTALL file for the building instructions. After the build, you will have the following binary images: -1. turnserver: TURN Server relay. +1. turnserver: TURN Server relay. The compiled binary image of the TURN Server program is located in bin/ sub-directory. 2. turnadmin: TURN administration tool. See README.turnadmin and turnadmin man page. - + 3. turnutils_uclient. See README.turnutils and turnutils man page. 4. turnutils_peer. See README.turnutils and turnutils man page. - + 5. turnutils_stunclient. See README.turnutils and turnutils man page. - + 6. turnutils_rfc5769check. See README.turnutils and turnutils man page. -In the "examples/scripts" sub-directory, you will find the examples of command lines to be used +In the "examples/scripts" sub-directory, you will find the examples of command lines to be used to run the programs. The scripts are meant to be run from examples/ sub-directory, for example: $ cd examples $ ./scripts/secure_relay.sh - + RUNNING THE TURN SERVER Options note: turnserver has long and short option names, for most options. -Some options have only long form, some options have only short form. Their syntax +Some options have only long form, some options have only short form. 
Their syntax somewhat different, if an argument is required: The short form must be used as this (for example): $ turnserver -L 12.34.56.78 - + The long form equivalent must use the "=" character: $ turnserver --listening-ip=12.34.56.78 - + If this is a flag option (no argument required) then their usage are the same, for example: $ turnserver -a - + is equivalent to: $ turnserver --lt-cred-mech - + ===================================== NAME - + turnserver - a TURN relay server implementation. - + SYNOPSIS - + $ turnserver [-n | -c ] [flags] [ --userdb= | --psql-userdb= | --mysql-userdb= | --mongo-userdb= | --redis-userdb= ] [-z | --no-auth | -a | --lt-cred-mech ] [options] $ turnserver -h - - DESCRIPTION - -Config file settings: + + DESCRIPTION + +Config file settings: -n Do not use configuration file, use only command line parameters. -c Configuration file name (default - turnserver.conf). The format of config file can be seen in - the supplied examples/etc/turnserver.conf example file. Long - names of the options are used as the configuration - items names in the file. If not an absolute path is supplied, - then the file is searched in the following directories: + the supplied examples/etc/turnserver.conf example file. Long + names of the options are used as the configuration + items names in the file. If not an absolute path is supplied, + then the file is searched in the following directories: * current directory * current directory etc/ sub-directory * upper directory level etc/ - * /etc/ + * /etc/ * /usr/local/etc/ * installation directory /etc -User database settings: +User database settings: -b, --db, --userdb SQLite user database file name (default - /var/db/turndb or /usr/local/var/db/turndb or /var/lib/turn/turndb). - + -e, --psql-userdb User database connection string for PostgreSQL. 
This database can be used for long-term credentials mechanism, - and it can store the secret value + and it can store the secret value for secret-based timed authentication in TURN REST API. The connection string format is like that: - - "host= dbname= user= password= connect_timeout=" + + "host= dbname= user= password= connect_timeout=" (for 8.x or newer Postgres). - + Or: - - "postgresql://username:password@hostname:port/databasename" - (for 9.x or newer Postgres). + + "postgresql://username:password@hostname:port/databasename" + (for 9.x or newer Postgres). See the INSTALL file for more explanations and examples. - + Also, see http://www.PostgreSQL.org for full PostgreSQL documentation. - --M, --mysql-userdb User database connection string for MySQL or MariaDB. + +-M, --mysql-userdb User database connection string for MySQL or MariaDB. This database can be used for long-term credentials mechanism, - and it can store the secret value for + and it can store the secret value for secret-based timed authentication in TURN REST API. The connection string format is like that: - + "host= dbname= user= password= connect_timeout= read_timeout=" See the INSTALL file for more explanations and examples. - - Also, see http://www.mysql.org or http://mariadb.org + + Also, see http://www.mysql.org or http://mariadb.org for full MySQL documentation. - - Optional connection string parameters for the secure communications (SSL): - ca, capath, cert, key, cipher - (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the + + Optional connection string parameters for the secure communications (SSL): + ca, capath, cert, key, cipher + (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the command options description). - + --secret-key-file This is the file path which contain secret key of aes encryption while using MySQL password encryption. 
If you want to use in the MySQL connection string the password in encrypted format, then set in this option the file path of the secret key. The key which is used to encrypt MySQL password. - Warning: If this option is set, then MySQL password must be set in "mysql-userdb" option in encrypted format! + Warning: If this option is set, then MySQL password must be set in "mysql-userdb" option in encrypted format! If you want to use cleartext password then do not set this option! --J, --mongo-userdb User database connection string for MongoDB. +-J, --mongo-userdb User database connection string for MongoDB. This database can be used for long-term credentials mechanism, - and it can store the secret value + and it can store the secret value for secret-based timed authentication in TURN REST API. The connection string format is like that: - + "mongodb://username:password@host:port/database?options" See the INSTALL file for more explanations and examples. - + Also, see http://docs.mongodb.org/manual/ for full MongoDB documentation. - --N, --redis-userdb User database connection string for Redis. + +-N, --redis-userdb User database connection string for Redis. This database can be used for long-term credentials mechanism, - and it can store the secret + and it can store the secret value for secret-based timed authentication in TURN REST API. The connection string format is like that: - + "ip= dbname= password= connect_timeout=" See the INSTALL file for more explanations and examples. - + Also, see http://redis.io for full Redis documentation. -Flags: +Flags: -v, --verbose Moderate verbose mode. 
@@ -161,21 +161,21 @@ Flags: --prod Production mode: hide the software version. -f, --fingerprint Use fingerprints in the TURN messages. If an incoming request - contains a fingerprint, then TURN server will always add + contains a fingerprint, then TURN server will always add fingerprints to the messages in this session, regardless of the per-server setting. -a, --lt-cred-mech Use long-term credentials mechanism (this one you need for WebRTC usage). --z, --no-auth Do not use any credentials mechanism, allow anonymous access. - Opposite to -a and -A options. This is default option when no +-z, --no-auth Do not use any credentials mechanism, allow anonymous access. + Opposite to -a and -A options. This is default option when no authentication-related options are set. By default, no credential mechanism is used - any user is allowed. --use-auth-secret TURN REST API flag. - Flag that sets a special WebRTC authorization option - that is based upon authentication secret. The feature purpose + Flag that sets a special WebRTC authorization option + that is based upon authentication secret. The feature purpose is to support "TURN Server REST API" as described in the TURN REST API section below. This option uses timestamp as part of combined username: @@ -187,9 +187,9 @@ Flags: This option is just turns on secret-based authentication. The actual value of the secret is defined either by option static-auth-secret, or can be found in the turn_secret table in the database. - + --oauth Support oAuth authentication, as in the third-party STUN/TURN RFC 7635. - + --dh566 Use 566 bits predefined DH TLS key. Default size of the key is 1066. --dh2066 Use 2066 bits predefined DH TLS key. Default size of the key is 1066. 
@@ -208,67 +208,67 @@ Flags: --no-dtls Do not start DTLS client listeners. ---no-udp-relay Do not allow UDP relay endpoints defined in RFC 5766, +--no-udp-relay Do not allow UDP relay endpoints defined in RFC 5766, use only TCP relay endpoints as defined in RFC 6062. ---no-tcp-relay Do not allow TCP relay endpoints defined in RFC 6062, - use only UDP relay endpoints as defined in RFC 5766. +--no-tcp-relay Do not allow TCP relay endpoints defined in RFC 6062, + use only UDP relay endpoints as defined in RFC 5766. --no-stdout-log Flag to prevent stdout log messages. By default, all log messages are going to both stdout and to - the configured log file. With this option everything will be going to + the configured log file. With this option everything will be going to the log file only (unless the log file itself is stdout). - + --syslog With this flag, all log will be redirected to the system log (syslog). --simple-log This flag means that no log file rollover will be used, and the log file name will be constructed as-is, without PID and date appendage. This option can be used, for example, together with the logrotate tool. - + --secure-stun Require authentication of the STUN Binding request. By default, the clients are allowed anonymous access to the STUN Binding functionality. --S, --stun-only Run as STUN server only, all TURN requests will be ignored. +-S, --stun-only Run as STUN server only, all TURN requests will be ignored. Option to suppress TURN functionality, only STUN requests will be processed. ---no-stun Run as TURN server only, all STUN requests will be ignored. +--no-stun Run as TURN server only, all STUN requests will be ignored. Option to suppress STUN functionality, only TURN requests will be processed. --allow-loopback-peers Allow peers on the loopback addresses (127.x.x.x and ::1). - Allow it only for testing in a development environment! 
- In production it adds a possible security vulnerability, - and so due to security reasons, it is not allowed + Allow it only for testing in a development environment! + In production it adds a possible security vulnerability, + and so due to security reasons, it is not allowed using it together with empty cli-password. ---no-multicast-peers Disallow peers on well-known broadcast addresses +--no-multicast-peers Disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*). --mobility Mobility with ICE (MICE) specs support. --no-cli Turn OFF the CLI support. By default it is always ON. See also options --cli-ip and --cli-port. - ---server-relay Server relay. NON-STANDARD AND DANGEROUS OPTION. - Only for those applications when we want to run + +--server-relay Server relay. NON-STANDARD AND DANGEROUS OPTION. + Only for those applications when we want to run server applications on the relay endpoints. - This option eliminates the IP permissions check + This option eliminates the IP permissions check on the packets incoming to the relay endpoints. See http://tools.ietf.org/search/rfc5766#section-17.2.3 . - + --udp-self-balance (recommended for older Linuxes only) Automatically balance UDP traffic over auxiliary servers - (if configured). The load balancing is using the - ALTERNATE-SERVER mechanism. The TURN client must support + (if configured). The load balancing is using the + ALTERNATE-SERVER mechanism. The TURN client must support 300 ALTERNATE-SERVER response for this functionality. - ---check-origin-consistency The flag that sets the origin consistency + +--check-origin-consistency The flag that sets the origin consistency check: across the session, all requests must have the same main ORIGIN attribute value (if the ORIGIN was initially used by the session). -h Help. - -Options with values: + +Options with values: --stale-nonce[=] Use extra security with nonce value having limited lifetime, in seconds (default 600 secs). 
@@ -284,15 +284,15 @@ Options with values: This MUST not be changed for production purposes. -d, --listening-device Listener interface device. - (NOT RECOMMENDED. Optional functionality, Linux only). - The turnserver process must have root privileges to bind the - listening endpoint to a device. If turnserver must run as a + (NOT RECOMMENDED. Optional functionality, Linux only). + The turnserver process must have root privileges to bind the + listening endpoint to a device. If turnserver must run as a process without root privileges, then just do not use this setting. --L, --listening-ip Listener IP address of relay server. +-L, --listening-ip Listener IP address of relay server. Multiple listeners can be specified, for example: -L ip1 -L ip2 -L ip3 - If no IP(s) specified, then all IPv4 and + If no IP(s) specified, then all IPv4 and IPv6 system IPs will be used for listening. The same ip(s) can be used as both listening and relay ip(s). @@ -302,11 +302,11 @@ Options with values: --tls-listening-port TURN listener port for TLS and DTLS listeners (Default: 5349). Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS - port(s), too - if allowed by configuration. The TURN server + port(s), too - if allowed by configuration. The TURN server "automatically" recognizes the type of traffic. Actually, two listening endpoints (the "plain" one and the "tls" one) are equivalent in terms of functionality; but we keep both endpoints to satisfy the RFC 5766 specs. - For secure TCP connections, we currently support SSL version 3 and + For secure TCP connections, we currently support SSL version 3 and TLS versions 1.0, 1.1, 1.2. For secure UDP connections, we support DTLS version 1. 
@@ -321,36 +321,36 @@ Options with values: --alt-tls-listening-port Alternative listening port for TLS and DTLS protocols. Default (or zero) value means "TLS listening port plus one". - + --aux-server Auxiliary STUN/TURN server listening endpoint. Aux servers have almost full TURN and STUN functionality. The (minor) limitations are: 1) Auxiliary servers do not have alternative ports and they do not support STUN RFC 5780 functionality (CHANGE REQUEST). 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply. - + Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6. There may be multiple aux-server options, each will be used for listening to client requests. --i, --relay-device Relay interface device for relay sockets +-i, --relay-device Relay interface device for relay sockets (NOT RECOMMENDED. Optional, Linux only). --E, --relay-ip Relay address (the local IP address that - will be used to relay the packets to the +-E, --relay-ip Relay address (the local IP address that + will be used to relay the packets to the peer). Multiple relay addresses may be used: -E ip1 -E ip2 -E ip3 The same IP(s) can be used as both listening IP(s) and relay IP(s). - If no relay IP(s) specified, then the turnserver will apply the - default policy: it will decide itself which relay addresses to be - used, and it will always be using the client socket IP address as - the relay IP address of the TURN session (if the requested relay + If no relay IP(s) specified, then the turnserver will apply the + default policy: it will decide itself which relay addresses to be + used, and it will always be using the client socket IP address as + the relay IP address of the TURN session (if the requested relay address family is the same as the family of the client socket). -X, --external-ip TURN Server public/private address mapping, if the server is behind NAT. 
In that situation, if a -X is used in form "-X " then that ip will be reported as relay IP address of all allocations. This scenario works only in a simple case - when one single relay address is be used, and no CHANGE_REQUEST functionality is + when one single relay address is be used, and no CHANGE_REQUEST functionality is required. That single relay address must be mapped by NAT to the 'external' IP. The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field. For that 'external' IP, NAT must forward ports directly (relayed port 12345 
@@ -358,100 +358,100 @@ Options with values: In more complex case when more than one IP address is involved, that option must be used several times, each entry must have form "-X ", to map all involved addresses. - CHANGE_REQUEST (RFC5780 or RFC3489) NAT discovery STUN functionality will work - correctly, if the addresses are mapped properly, even when the TURN server itself + CHANGE_REQUEST (RFC5780 or RFC3489) NAT discovery STUN functionality will work + correctly, if the addresses are mapped properly, even when the TURN server itself is behind A NAT. By default, this value is empty, and no address mapping is used. - + -m, --relay-threads Number of the relay threads to handle the established connections (in addition to authentication thread and the listener thread). If explicitly set to 0 then application runs relay process in a single thread, - in the same thread with the listener process (the authentication thread will - still be a separate thread). If not set, then a default optimal algorithm + in the same thread with the listener process (the authentication thread will + still be a separate thread). If not set, then a default optimal algorithm will be employed (OS-dependent). In the older Linux systems - (before Linux kernel 3.9), the number of UDP threads is always one threads + (before Linux kernel 3.9), the number of UDP threads is always one threads per network listening endpoint - unless "-m 0" or "-m 1" is set. ---min-port Lower bound of the UDP port range for relay +--min-port Lower bound of the UDP port range for relay endpoints allocation. Default value is 49152, according to RFC 5766. ---max-port Upper bound of the UDP port range for relay +--max-port Upper bound of the UDP port range for relay endpoints allocation. Default value is 65535, according to RFC 5766. --u, --user Long-term security mechanism credentials user account, - in the column-separated form username:key. 
+-u, --user Long-term security mechanism credentials user account, + in the column-separated form username:key. Multiple user accounts may be used in the command line. The key is either the user password, or the key is generated by turnadmin command. In the second case, the key must be prepended with 0x symbols. - The key is calculated over the user name, + The key is calculated over the user name, the user realm, and the user password. This setting may not be used with TURN REST API. --r, --realm The default realm to be used for the users when no explicit +-r, --realm The default realm to be used for the users when no explicit origin/realm relationship was found in the database, or if the TURN server is not using any database (just the commands-line settings - and the userdb file). Must be used with long-term credentials + and the userdb file). Must be used with long-term credentials mechanism or with TURN REST API. --C, --rest-api-separator This is the timestamp/username separator symbol +-C, --rest-api-separator This is the timestamp/username separator symbol (character) in TURN REST API. The default value is :. --q, --user-quota Per-user allocations quota: how many concurrent - allocations a user can create. This option can also be set +-q, --user-quota Per-user allocations quota: how many concurrent + allocations a user can create. This option can also be set through the database, for a particular realm. -Q, --total-quota Total allocations quota: global limit on concurrent allocations. This option can also be set through the database, for a particular realm. -s, --max-bps Max bytes-per-second bandwidth a TURN session is allowed to handle - (input and output network streams are treated separately). Anything above + (input and output network streams are treated separately). Anything above that limit will be dropped or temporary suppressed (within the - available buffer limits). This option can also be set through the + available buffer limits). 
This option can also be set through the database, for a particular realm. - + -B, --bps-capacity Maximum server capacity. Total bytes-per-second bandwidth the TURN server is allowed to allocate for the sessions, combined (input and output network streams are treated separately). --static-auth-secret Static authentication secret value (a string) for TURN REST API only. - If not set, then the turn server will try to use the dynamic value + If not set, then the turn server will try to use the dynamic value in turn_secret table in user database (if present). The database-stored value can be changed on-the-fly by a separate program, so this is why that other mode is dynamic. Multiple shared secrets can be used (both in the database and in the "static" fashion). - + --server-name Server name used for the oAuth authentication purposes. The default value is the realm name. ---cert Certificate file, PEM format. Same file - search rules applied as for the configuration - file. If both --no-tls and --no-dtls options +--cert Certificate file, PEM format. Same file + search rules applied as for the configuration + file. If both --no-tls and --no-dtls options are specified, then this parameter is not needed. Default value is turn_server_cert.pem. ---pkey Private key file, PEM format. Same file - search rules applied as for the configuration - file. If both --no-tls and --no-dtls options +--pkey Private key file, PEM format. Same file + search rules applied as for the configuration + file. If both --no-tls and --no-dtls options are specified, then this parameter is not needed. Default value is turn_server_pkey.pem. - + --pkey-pwd If the private key file is encrypted, then this password to be used. --cipher-list Allowed OpenSSL cipher list for TLS/DTLS connections. Default value is "DEFAULT". - ---CA-file CA file in OpenSSL format. + +--CA-file CA file in OpenSSL format. Forces TURN server to verify the client SSL certificates. 
By default, no CA is set and no client certificate check is performed. ---ec-curve-name Curve name for EC ciphers, if supported by OpenSSL - library (TLS and DTLS). The default value is prime256v1, +--ec-curve-name Curve name for EC ciphers, if supported by OpenSSL + library (TLS and DTLS). The default value is prime256v1, if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+, an optimal curve will be automatically calculated, if not defined by this option. 
@@ -460,68 +460,68 @@ Options with values: Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file. -l, --log-file Option to set the full path name of the log file. - By default, the turnserver tries to open a log file in - /var/log/turnserver, /var/log, /var/tmp, /tmp and . (current) - directories (which file open operation succeeds - first that file will be used). With this option you can set the + By default, the turnserver tries to open a log file in + /var/log/turnserver, /var/log, /var/tmp, /tmp and . (current) + directories (which file open operation succeeds + first that file will be used). With this option you can set the definite log file name. - The special names are "stdout" and "-" - they will force everything + The special names are "stdout" and "-" - they will force everything to the stdout. Also, "syslog" name will redirect everything into - the system log (syslog), as if the option "--syslog" was set. - In the runtime, the logfile can be reset with the SIGHUP signal + the system log (syslog), as if the option "--syslog" was set. + In the runtime, the logfile can be reset with the SIGHUP signal to the turnserver process. - + --alternate-server Option to set the "redirection" mode. The value of this option - will be the address of the alternate server for UDP & TCP service in form of + will be the address of the alternate server for UDP & TCP service in form of [:]. The server will send this value in the attribute ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client. Client will receive only values with the same address family - as the client network endpoint address family. - See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description. + as the client network endpoint address family. + See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description. The client must use the obtained value for subsequent TURN communications. 
If more than one --alternate-server options are provided, then the functionality - can be more accurately described as "load-balancing" than a mere "redirection". - If the port number is omitted, then the default port + can be more accurately described as "load-balancing" than a mere "redirection". + If the port number is omitted, then the default port number 3478 for the UDP/TCP protocols will be used. - Colon (:) characters in IPv6 addresses may conflict with the syntax of - the option. To alleviate this conflict, literal IPv6 addresses are enclosed - in square brackets in such resource identifiers, for example: - [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 . + Colon (:) characters in IPv6 addresses may conflict with the syntax of + the option. To alleviate this conflict, literal IPv6 addresses are enclosed + in square brackets in such resource identifiers, for example: + [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 . Multiple alternate servers can be set. They will be used in the - round-robin manner. All servers in the pool are considered of equal weight and - the load will be distributed equally. For example, if we have 4 alternate servers, - then each server will receive 25% of ALLOCATE requests. An alternate TURN server - address can be used more than one time with the alternate-server option, so this - can emulate "weighting" of the servers. + round-robin manner. All servers in the pool are considered of equal weight and + the load will be distributed equally. For example, if we have 4 alternate servers, + then each server will receive 25% of ALLOCATE requests. An alternate TURN server + address can be used more than one time with the alternate-server option, so this + can emulate "weighting" of the servers. ---tls-alternate-server Option to set alternative server for TLS & DTLS services in form of - :. If the port number is omitted, then the default port - number 5349 for the TLS/DTLS protocols will be used. 
See the +--tls-alternate-server Option to set alternative server for TLS & DTLS services in form of + :. If the port number is omitted, then the default port + number 5349 for the TLS/DTLS protocols will be used. See the previous option for the functionality description. --O, --redis-statsdb Redis status and statistics database connection string, if used (default - empty, - no Redis stats DB used). This database keeps allocations status information, and it can +-O, --redis-statsdb Redis status and statistics database connection string, if used (default - empty, + no Redis stats DB used). This database keeps allocations status information, and it can be also used for publishing and delivering traffic and allocation event notifications. This database option can be used independently of --redis-userdb option, - and actually Redis can be used for status/statistics and SQLite or MySQL or MongoDB or + and actually Redis can be used for status/statistics and SQLite or MySQL or MongoDB or PostgreSQL can be used for the user database. The connection string has the same parameters as redis-userdb connection string. ---max-allocate-timeout Max time, in seconds, allowed for full allocation establishment. +--max-allocate-timeout Max time, in seconds, allowed for full allocation establishment. Default is 60 seconds. --denied-peer-ip= ---allowed-peer-ip= Options to ban or allow specific ip addresses or ranges - of ip addresses. If an ip address is specified as both allowed and denied, then +--allowed-peer-ip= Options to ban or allow specific ip addresses or ranges + of ip addresses. If an ip address is specified as both allowed and denied, then the ip address is considered to be allowed. This is useful when you wish to ban a range of ip addresses, except for a few specific ips within that range. This can be used when you do not want users of the turn server to be able to access - machines reachable by the turn server, but would otherwise be unreachable from the - internet (e.g. 
when the turn server is sitting behind a NAT). The 'white" and "black" peer - IP ranges can also be dynamically changed in the database. + machines reachable by the turn server, but would otherwise be unreachable from the + internet (e.g. when the turn server is sitting behind a NAT). The 'white" and "black" peer + IP ranges can also be dynamically changed in the database. The allowed/denied addresses (white/black lists) rules are very simple: - 1) If there is no rule for an address, then it is allowed; + 1) If there is no rule for an address, then it is allowed; 2) If there is an "allowed" rule that fits the address then it is allowed - no matter what; 3) If there is no "allowed" rule that fits the address, and if there is a "denied" rule that fits the address, then it is denied. @@ -529,10 +529,10 @@ Options with values: --pidfile File name to store the pid of the process. Default is /var/run/turnserver.pid (if superuser account is used) or /var/tmp/turnserver.pid . - + --proc-user User name to run the process. After the initialization, the turnserver process will make an attempt to change the current user ID to that user. - + --proc-group Group name to run the process. After the initialization, the turnserver process will make an attempt to change the current group ID to that group. @@ -542,10 +542,10 @@ Options with values: --cli-ip Local system IP address to be used for CLI management interface. The turnserver process can be accessed for management with telnet, - at this IP address and on the CLI port (see the next parameter). + at this IP address and on the CLI port (see the next parameter). Default value is 127.0.0.1. You can use telnet or putty (in telnet mode) - to access the CLI management interface. - + to access the CLI management interface. + --cli-port CLI management interface listening port. Default is 5766. --cli-password CLI access password. Default is empty (no password). 
@@ -574,31 +574,31 @@ LOAD BALANCE AND PERFORMANCE TUNING This topic is covered in the wiki page: https://github.com/coturn/coturn/wiki/turn_performance_and_load_balance - + =================================== WEBRTC USAGE This is a set of notes for the WebRTC users: -1) WebRTC uses long-term authentication mechanism, so you have to use -a +1) WebRTC uses long-term authentication mechanism, so you have to use -a option (or --lt-cred-mech). WebRTC relaying will not work with anonymous -access. With -a option, do not forget to set the -default realm (-r option). You will also have to set up the user accounts, +access. With -a option, do not forget to set the +default realm (-r option). You will also have to set up the user accounts, for that you have a number of options: a) command-line options (-u). - - b) a database table (SQLite or PostgreSQL or MySQL or MongoDB). You will have to - set keys with turnadmin utility (see docs and wiki for turnadmin). + + b) a database table (SQLite or PostgreSQL or MySQL or MongoDB). You will have to + set keys with turnadmin utility (see docs and wiki for turnadmin). You cannot use open passwords in the database. - c) Redis key/value pair(s), if Redis is used. You key use either keys or - open passwords with Redis; see turndb/testredisdbsetup.sh file. - + c) Redis key/value pair(s), if Redis is used. You key use either keys or + open passwords with Redis; see turndb/testredisdbsetup.sh file. + d) You also can use the TURN REST API. You will need shared secret(s) set either through the command line option, or through the config file, or through - the database table or Redis key/value pairs. + the database table or Redis key/value pairs. 2) Usually WebRTC uses fingerprinting (-f). 
@@ -606,7 +606,7 @@ for that you have a number of options: 4) -X is needed if you are running your TURN server behind a NAT. -5) --min-port and --max-port may be needed if you want to limit the relay endpoints ports +5) --min-port and --max-port may be needed if you want to limit the relay endpoints ports number range. =================================== 
@@ -614,19 +614,19 @@ number range. TURN REST API In WebRTC, the browser obtains the TURN connection information from the web -server. This information is a secure information - because it contains the -necessary TURN credentials. As these credentials are transmitted over the +server. This information is a secure information - because it contains the +necessary TURN credentials. As these credentials are transmitted over the public networks, we have a potential security breach. -If we have to transmit a valuable information over the public network, -then this information has to have a limited lifetime. Then the guy who -obtains this information without permission will be able to perform +If we have to transmit a valuable information over the public network, +then this information has to have a limited lifetime. Then the guy who +obtains this information without permission will be able to perform only limited damage. -This is how the idea of TURN REST API - time-limited TURN credentials - -appeared. This security mechanism is based upon the long-term credentials -mechanism. The main idea of the REST API is that the web server provides -the credentials to the client, but those credentials can be used only +This is how the idea of TURN REST API - time-limited TURN credentials - +appeared. This security mechanism is based upon the long-term credentials +mechanism. The main idea of the REST API is that the web server provides +the credentials to the client, but those credentials can be used only limited time by an application that has to create a TURN server connection. The "classic" long-term credentials mechanism (LTCM) is described here: 
@@ -637,22 +637,22 @@ http://tools.ietf.org/html/rfc5389#section-15.4 For authentication, each user must know two things: the username and the password. Optionally, the user must supply the ORIGIN value, so that the -server can figure out the realm to be used for the user. The nonce and -the realm values are supplied by the TURN server. But LTCM is not saying -anything about the nature and about the persistence of the username and +server can figure out the realm to be used for the user. The nonce and +the realm values are supplied by the TURN server. But LTCM is not saying +anything about the nature and about the persistence of the username and of the password; and this is used by the REST API. -In the TURN REST API, there is no persistent passwords for users. A user has -just the username. The password is always temporary, and it is generated by -the web server on-demand, when the user accesses the WebRTC page. And, -actually, a temporary one-time session only, username is provided to the user, -too. +In the TURN REST API, there is no persistent passwords for users. A user has +just the username. The password is always temporary, and it is generated by +the web server on-demand, when the user accesses the WebRTC page. And, +actually, a temporary one-time session only, username is provided to the user, +too. The temporary user is generated as: temporary-username="timestamp" + ":" + "username" -where username is the persistent user name, and the timestamp format is just +where username is the persistent user name, and the timestamp format is just seconds since 1970 - the same value as time(NULL) function returns. The temporary password is obtained as HMAC-SHA1 function over the temporary 
@@ -664,7 +664,7 @@ Both the TURN server and the web server know the same shared secret. How the shared secret is distributed among the involved entities is left to the WebRTC deployment details - this is beyond the scope of the TURN REST API. -So, a timestamp is used for the temporary password calculation, and this +So, a timestamp is used for the temporary password calculation, and this timestamp can be retrieved from the temporary username. This information is valuable, but only temporary, while the timestamp is not expired. Without knowledge of the shared secret, a new temporary password cannot be generated. 
@@ -677,70 +677,70 @@ Once the temporary username and password are obtained by the client (browser) application, then the rest is just 'classic" long-term credentials mechanism. For developers, we are going to describe it step-by-step below: - - a new TURN client sends a request command to the TURN server. Optionally, - it adds the ORIGIN field to it. - - TURN server sees that this is a new client and the message is not + - a new TURN client sends a request command to the TURN server. Optionally, + it adds the ORIGIN field to it. + - TURN server sees that this is a new client and the message is not authenticated. - - the TURN server generates a random nonce string, and return the + - the TURN server generates a random nonce string, and return the error 401 to the client, with nonce and realm included. If the ORIGIN field was present in the client request, it may affect the realm value that the server chooses for the client. - - the client sees the 401 error and it extracts two values from + - the client sees the 401 error and it extracts two values from the error response: the nonce and the realm. - the client uses username, realm and password to produce a key: key = MD5(username ":" realm ":" SASLprep(password)) (SASLprep is described here: http://tools.ietf.org/html/rfc4013) - - - the client forms a new request, adds username, realm and nonce to the - request. Then, the client calculates and adds the integrity field to + + - the client forms a new request, adds username, realm and nonce to the + request. Then, the client calculates and adds the integrity field to the request. This is the trickiest part of the process, and it is - described in the end of section 15.4: + described in the end of section 15.4: http://tools.ietf.org/html/rfc5389#section-15.4 - - the client, optionally, adds the fingerprint field. This may be also - a tricky procedure, described in section 15.5 of the same document. + - the client, optionally, adds the fingerprint field. 
This may be also + a tricky procedure, described in section 15.5 of the same document. WebRTC usually uses fingerprinted TURN messages. - the TURN server receives the request, reads the username. - - then the TURN server checks that the nonce and the realm in the request + - then the TURN server checks that the nonce and the realm in the request are the valid ones. - then the TURN server calculates the key. - then the TURN server calculates the integrity field. - - then the TURN server compares the calculated integrity field with the - received one - they must be the same. If the integrity fields differ, + - then the TURN server compares the calculated integrity field with the + received one - they must be the same. If the integrity fields differ, then the request is rejected. -In subsequent communications, the client may go with exactly the same -sequence, but for optimization usually the client, having already -information about realm and nonce, pre-calculates the integrity string -for each request, so that the 401 error response becomes unnecessary. -The TURN server may use "--stale-nonce" option for extra security: in +In subsequent communications, the client may go with exactly the same +sequence, but for optimization usually the client, having already +information about realm and nonce, pre-calculates the integrity string +for each request, so that the 401 error response becomes unnecessary. +The TURN server may use "--stale-nonce" option for extra security: in some time, the nonce expires and the client will obtain 438 error response with the new nonce, and the client will have to start using the new nonce. -In subsequent communications, the server and the client will always assume -the same password - the original password becomes the session parameter and +In subsequent communications, the server and the client will always assume +the same password - the original password becomes the session parameter and is never expiring. 
So the password is not changing while the session is valid -and unexpired. So, if the session is properly maintained, it may go forever, -even if the user password has been already changed (in the database). The -session simply is using the old password. Once the session got disconnected, -the client will have to use the new password to re-connect (if the password +and unexpired. So, if the session is properly maintained, it may go forever, +even if the user password has been already changed (in the database). The +session simply is using the old password. Once the session got disconnected, +the client will have to use the new password to re-connect (if the password has been changed). An example when a new shared secret is generated every hour by the TURN server box and then supplied to the web server, remotely, is provided in the script examples/scripts/restapi/shared_secret_maintainer.pl . -A very important thing is that the nonce must be totally random and it must be -different for different clients and different sessions. - +A very important thing is that the nonce must be totally random and it must be +different for different clients and different sessions. + =================================== DATABASES For the user database, the turnserver has the following options: -1) Users can be set in the command line, with multiple -u or --user options. -Obviously, only a few users can be set that way, and their credentials are fixed +1) Users can be set in the command line, with multiple -u or --user options. +Obviously, only a few users can be set that way, and their credentials are fixed for the turnserver process lifetime. 2) Users can be stored in SQLite DB. The default SQLite database file is /var/db/turndb 
@@ -748,23 +748,23 @@ or /usr/local/var/db/turndb or /var/lib/turn/turndb. 3) Users can be stored in PostgreSQL database, if the turnserver was compiled with PostgreSQL support. Each time turnserver checks user credentials, it reads the database (asynchronously, -of course, so that the current flow of packets is not delayed in any way), so any change in the -database content is immediately visible by the turnserver. This is the way if you need the +of course, so that the current flow of packets is not delayed in any way), so any change in the +database content is immediately visible by the turnserver. This is the way if you need the best scalability. The schema for the database can be found in schema.sql file. -For long-term credentials, you have to set the "keys" for the users; the "keys" are generated -by the turnadmin utility. For the key generation, you need username, password and the realm. -All users in the database must use the same realm value; if down the road you will decide -to change the realm name, then you will have to re-generate all user keys (that can be done +For long-term credentials, you have to set the "keys" for the users; the "keys" are generated +by the turnadmin utility. For the key generation, you need username, password and the realm. +All users in the database must use the same realm value; if down the road you will decide +to change the realm name, then you will have to re-generate all user keys (that can be done in a batch script). See the file turndb/testsqldbsetup.sql as an example. -4) The same is true for MySQL database. The same schema file is applicable. -The same considerations are applicable. +4) The same is true for MySQL database. The same schema file is applicable. +The same considerations are applicable. 5) The same is true for the Redis database, but the Redis database has aa different schema - -it can be found (in the form of explanation) in schema.userdb.redis. 
-Also, in Redis you can store both "keys" and open passwords (for long term credentials) - -the "open password" option is less secure but more convenient for low-security environments. -See the file turndb/testredisdbsetup.sh as an example. +it can be found (in the form of explanation) in schema.userdb.redis. +Also, in Redis you can store both "keys" and open passwords (for long term credentials) - +the "open password" option is less secure but more convenient for low-security environments. +See the file turndb/testredisdbsetup.sh as an example. 6) If a database is used, then users can be divided into multiple independent realms. Each realm can be administered separately, and each realm can have its own set of users and its own 
@@ -777,25 +777,25 @@ sessions anonymously. But in most cases (like WebRTC) that will not work. For the status and statistics database, there are two choices: -1) The simplest choice is not to use it. Do not set --redis-statsdb option, and this functionality +1) The simplest choice is not to use it. Do not set --redis-statsdb option, and this functionality will be simply ignored. 2) If you choose to use it, then set the --redis-statsdb option. This may be the same database -as in --redis-userdb option, or it may be a different database. You may want to use different +as in --redis-userdb option, or it may be a different database. You may want to use different database for security or convenience reasons. Also, you can use different database management -systems for the user database and for the ststus and statistics database. For example, you can use +systems for the user database and for the ststus and statistics database. For example, you can use MySQL as the user database, and you can use redis for the statistics. Or you can use Redis for both. So, we have 6 choices for the user management, and 2 choices for the statistics management. These -two are totally independent. So, you have overall 6*2=12 ways to handle persistent information, +two are totally independent. So, you have overall 6*2=12 ways to handle persistent information, choose any for your convenience. -You do not have to handle the database information "manually" - the turnadmin program can handle +You do not have to handle the database information "manually" - the turnadmin program can handle everything for you. For PostgreSQL and MySQL you will just have to create an empty database -with schema.sql SQL script. With Redis, you do not have to do even that - just run turnadmin and -it will set the users for you (see the turnadmin manuals). If you are using SQLite, then the -turnserver or turnadmin will initialize the empty database, for you, when started. 
The -TURN server installation process creates an empty initialized SQLite database in the default +with schema.sql SQL script. With Redis, you do not have to do even that - just run turnadmin and +it will set the users for you (see the turnadmin manuals). If you are using SQLite, then the +turnserver or turnadmin will initialize the empty database, for you, when started. The +TURN server installation process creates an empty initialized SQLite database in the default location (/var/db/turndb or /usr/local/var/db/turndb or /var/lib/turn/turndb, depending on the system). ================================= @@ -816,7 +816,7 @@ LIBRARIES In the lib/ sub-directory the build process will create TURN client messaging library. In the include/ sub-directory, the necessary include files will be placed. The C++ wrapper for the messaging functionality is located in TurnMsgLib.h header. -An example of C++ code can be found in stunclient.c file. +An example of C++ code can be found in stunclient.c file. ================================= @@ -832,14 +832,14 @@ $ man -M man turnserver to see the man page. -In the docs/html subdirectory of the original archive tree, you will find the client library +In the docs/html subdirectory of the original archive tree, you will find the client library reference. After the installation, it will be placed in PREFIX/share/doc/turnserver/html. ================================= LOGS -When the TURN Server starts, it makes efforts to create a log file turn_.log +When the TURN Server starts, it makes efforts to create a log file turn_.log in the following directories: * /var/log @@ -848,7 +848,7 @@ in the following directories: * /tmp * current directory -If all efforts failed (due to the system permission settings) then all +If all efforts failed (due to the system permission settings) then all log messages are sent only to the standard output of the process. This behavior can be controlled by --log-file, --syslog and --no-stdout-log 
@@ -859,7 +859,7 @@ options. HTTPS MANAGEMENT INTERFACE The turnserver process provides an HTTPS Web access as statistics and basic -management interface. The turnserver listens to incoming HTTPS admin +management interface. The turnserver listens to incoming HTTPS admin connections on the same ports as the main TURN/STUN listener. The Web admin pages are basic and self-explanatory. @@ -883,11 +883,11 @@ in "help" command output in the telnet CLI. CLUSTERS -TURN Server can be a part of the cluster installation. But, to support the "even port" functionality -(RTP/RTCP streams pairs) the client requests from a particular IP must be delivered to the same -TURN Server instance, so it requires some networking setup massaging for the cluster. The reason is that -the RTP and RTCP relaying endpoints must be allocated on the same relay IP. It would be possible -to design a scheme with the application-level requests forwarding (and we may do that later) but +TURN Server can be a part of the cluster installation. But, to support the "even port" functionality +(RTP/RTCP streams pairs) the client requests from a particular IP must be delivered to the same +TURN Server instance, so it requires some networking setup massaging for the cluster. The reason is that +the RTP and RTCP relaying endpoints must be allocated on the same relay IP. It would be possible +to design a scheme with the application-level requests forwarding (and we may do that later) but it would affect the performance. ================================= @@ -925,7 +925,7 @@ new STUN RFC 5389 TURN RFC 5766 TURN-TCP extension RFC 6062 - + TURN IPv6 extension RFC 6156 STUN/TURN test vectors RFC 5769 @@ -971,13 +971,13 @@ https://groups.google.com/forum/?fromgroups=#!forum/turn-server-project-rfc5766- Erik Johnston Roman Lisagor - + Vladimir Tsanev - + Po-sheng Lin - + Peter Dunkley - + Mutsutoshi Yoshimoto Federico Pinna diff --git a/README.turnutils b/README.turnutils index 39fda214..ab2dd832 100644 
--- a/README.turnutils +++ b/README.turnutils @@ -37,12 +37,12 @@ according RFC5780. This utility discovers the actual NAT Mapping and Filtering behavior, etc. Be aware that on TURN server side two different listening IP addresses should be configured to be able to work properly! -6. turnutils_oauth: a utility that provides OAuth access_token -generation(AEAD encryption), validation and decryption. This utility inputs -all the keys and lifetimes and any related information that needed for -creation and validationi of an access_token. It outputs a JSON with all OAuth -PoP parameters that need to pass to the client. Output is generated accoriding -RFC7635 Appendix B, Figure 8. +6. turnutils_oauth: a utility that provides OAuth access_token +generation(AEAD encryption), validation and decryption. This utility inputs +all the keys and lifetimes and any related information that needed for +creation and validationi of an access_token. It outputs a JSON with all OAuth +PoP parameters that need to pass to the client. Output is generated accoriding +RFC7635 Appendix B, Figure 8. For more details, and for the access_token structure, read rfc7635, and see script in examples/scripts/oauth.sh. 
@@ -312,15 +312,15 @@ $ turnutils_oauth [options] DESCRIPTION -turnutils_oauth utilitiy provides help in OAuth access_token encryption and/or -decryption with AEAD (Atuthenticated Encryption with Associated Data). It helps -for an Auth Server in access_token creation, and also for debugging purposes it -helps the access_token validation and decryption. This utility inputs all the -keys and lifetimes and any related information that are needed for encryption -or decryption of an access_token. It outputs a JSON with all OAuth PoP -parameters that need to pass to the client. Output is generated accoriding -RFC7635 Appendix B, Figure 8. This utility could help to build an Auth Server -service, but be awere that this utility does not generate "session key" / +turnutils_oauth utilitiy provides help in OAuth access_token encryption and/or +decryption with AEAD (Atuthenticated Encryption with Associated Data). It helps +for an Auth Server in access_token creation, and also for debugging purposes it +helps the access_token validation and decryption. This utility inputs all the +keys and lifetimes and any related information that are needed for encryption +or decryption of an access_token. It outputs a JSON with all OAuth PoP +parameters that need to pass to the client. Output is generated accoriding +RFC7635 Appendix B, Figure 8. This utility could help to build an Auth Server +service, but be awere that this utility does not generate "session key" / "mac_key" and not verifies lifetime of "session key" / "mac_key" or "Auth key". For more details, and for the access_token structure, read rfc7635, and see the example in examples/scripts/oauth.sh. From 801832e94ff5843653b297a8e6e09154372ca6c5 Mon Sep 17 00:00:00 2001 
From: Paul Menzel Date: Mon, 30 Mar 2020 19:24:14 +0200 Subject: [PATCH 04/17] Replace coTURN by Coturn The official spelling of *Coturn* seems to be just with a capital starting letter, replace all occurrences of *coTURN* with the command below. git grep -l coTURN | xargs sed -i 's/coTURN/Coturn/g' --- docker/coturn/Dockerfile | 4 ++-- docker/coturn/turnserver.conf | 2 +- docker/docker-compose-all.yml | 2 +- docker/docker-compose-mongodb.yml | 2 +- docker/docker-compose-mysql.yml | 2 +- docker/docker-compose-postgresql.yml | 2 +- docker/docker-compose-redis.yml | 2 +- examples/etc/coturn.service | 2 +- examples/etc/turnserver.conf | 2 +- 9 files changed, 10 insertions(+), 10 deletions(-) diff --git a/docker/coturn/Dockerfile b/docker/coturn/Dockerfile index 00722eeb..b8fd207f 100644 --- a/docker/coturn/Dockerfile +++ b/docker/coturn/Dockerfile @@ -8,11 +8,11 @@ RUN export DEBIAN_FRONTEND=noninteractive && \ apt-get update && \ apt-get install -y build-essential git debhelper dpkg-dev libssl-dev libevent-dev sqlite3 libsqlite3-dev postgresql-client libpq-dev default-mysql-client default-libmysqlclient-dev libhiredis-dev libmongoc-dev libbson-dev -# Clone coTURN +# Clone Coturn WORKDIR ${BUILD_PREFIX} RUN git clone https://github.com/coturn/coturn.git -# Build coTURN +# Build Coturn WORKDIR coturn RUN ./configure RUN make diff --git a/docker/coturn/turnserver.conf b/docker/coturn/turnserver.conf index d455dd3f..88583e0a 100644 --- a/docker/coturn/turnserver.conf +++ b/docker/coturn/turnserver.conf @@ -640,7 +640,7 @@ no-loopback-peers # Allocate Address Family according # If enabled then TURN server allocates address family according the TURN # Client <=> Server communication address family. -# (By default coTURN works according RFC 6156.) +# (By default Coturn works according RFC 6156.) # !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!! # #keep-address-family 
diff --git a/docker/docker-compose-all.yml b/docker/docker-compose-all.yml index d3e06be8..c1e4778a 100644 --- a/docker/docker-compose-all.yml +++ b/docker/docker-compose-all.yml @@ -49,7 +49,7 @@ services: - backend -# coTURN +# Coturn coturn: build: context: ./coturn diff --git a/docker/docker-compose-mongodb.yml b/docker/docker-compose-mongodb.yml index c4c675ff..a163d237 100644 --- a/docker/docker-compose-mongodb.yml +++ b/docker/docker-compose-mongodb.yml @@ -13,7 +13,7 @@ services: - backend -# coTURN +# Coturn coturn: build: context: ./coturn diff --git a/docker/docker-compose-mysql.yml b/docker/docker-compose-mysql.yml index 2a682668..06001551 100644 --- a/docker/docker-compose-mysql.yml +++ b/docker/docker-compose-mysql.yml @@ -14,7 +14,7 @@ services: - backend -# coTURN +# Coturn coturn: build: context: ./coturn diff --git a/docker/docker-compose-postgresql.yml b/docker/docker-compose-postgresql.yml index 514a00e3..b0376cea 100644 --- a/docker/docker-compose-postgresql.yml +++ b/docker/docker-compose-postgresql.yml @@ -14,7 +14,7 @@ services: - backend -# coTURN +# Coturn coturn: build: context: ./coturn diff --git a/docker/docker-compose-redis.yml b/docker/docker-compose-redis.yml index 4ae6f07a..32d41096 100644 --- a/docker/docker-compose-redis.yml +++ b/docker/docker-compose-redis.yml @@ -14,7 +14,7 @@ services: - backend -# coTURN +# Coturn coturn: build: context: ./coturn diff --git a/examples/etc/coturn.service b/examples/etc/coturn.service index 45fb9a2f..c3831f80 100644 --- a/examples/etc/coturn.service +++ b/examples/etc/coturn.service @@ -1,5 +1,5 @@ [Unit] -Description=coTURN STUN/TURN Server +Description=Coturn STUN/TURN Server Documentation=man:coturn(1) man:turnadmin(1) man:turnserver(1) After=network.target After=network-online.target diff --git a/examples/etc/turnserver.conf b/examples/etc/turnserver.conf index e9174077..8eeaace0 100644 --- a/examples/etc/turnserver.conf +++ b/examples/etc/turnserver.conf 
@@ -631,7 +631,7 @@ # Allocate Address Family according # If enabled then TURN server allocates address family according the TURN # Client <=> Server communication address family. -# (By default coTURN works according RFC 6156.) +# (By default Coturn works according RFC 6156.) # !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!! # #keep-address-family From abac263ca9f7271701c872346661acf4d7b1ebde Mon Sep 17 00:00:00 2001 From: raghumuppa Date: Thu, 2 Apr 2020 09:12:08 +0300 Subject: [PATCH 05/17] Update docker-compose-all.yml --- docker/docker-compose-all.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/docker-compose-all.yml b/docker/docker-compose-all.yml index d3e06be8..57c47b8c 100644 --- a/docker/docker-compose-all.yml +++ b/docker/docker-compose-all.yml @@ -7,7 +7,7 @@ services: context: ./mysql restart: unless-stopped volumes: - - mysql-data:/var/lib/mysql/data + - mysql-data:/var/lib/mysql env_file: - mysql/mysql.env networks: @@ -19,7 +19,7 @@ services: context: ./postgresql restart: unless-stopped volumes: - - postgresql-data:/var/lib/postgresql/data + - postgresql-data:/var/lib/postgresql env_file: - postgresql/postgresql.env networks: From aabfce8709e098d2f052318ac0f4839c407380b6 Mon Sep 17 00:00:00 2001 From: ooookai Date: Mon, 6 Apr 2020 01:48:53 +0800 Subject: [PATCH 06/17] Update README.docker --- docker/README.docker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/README.docker b/docker/README.docker index 0f88e580..3e7d6dca 100644 --- a/docker/README.docker +++ b/docker/README.docker @@ -1,6 +1,6 @@ Before you begin * copy db schema run ./cp-schema.sh - * edit turnserver/turnserver.cfg according your db selection (mysql or postgresql or redis or mongodb) + * edit turnserver/turnserver.conf according your db selection (mysql or postgresql or redis or mongodb) # start From acbf7e15c9290e0891a6b6b5ce6e81bbaa77ce5a Mon Sep 17 00:00:00 2001 
From: Johannes Weberhofer Date: Sat, 11 Apr 2020 10:33:55 +0200 Subject: [PATCH 07/17] Drop of supplementary group IDs Fix related to POS36-C and rpmlint error "missing-call-to-setgroups-before-setuid". --- src/apps/relay/mainrelay.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c index 6710da6d..5a21cfaa 100644 --- a/src/apps/relay/mainrelay.c +++ b/src/apps/relay/mainrelay.c @@ -2061,6 +2061,7 @@ static void set_network_engine(void) static void drop_privileges(void) { + setgroups(0, NULL); if(procgroupid_set) { if(getgid() != procgroupid) { if (setgid(procgroupid) != 0) { From fb8dc8a7362ad00334819e86ff374bfdde46c91b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Wed, 15 Apr 2020 22:07:26 +0200 Subject: [PATCH 08/17] Change DH key size default from 1066 to 2066 --- README.turnserver | 6 +++--- man/man1/turnadmin.1 | 2 +- man/man1/turnserver.1 | 10 +++++----- man/man1/turnutils.1 | 2 +- src/apps/relay/mainrelay.c | 22 +++++++++++----------- 5 files changed, 21 insertions(+), 21 deletions(-) diff --git a/README.turnserver b/README.turnserver index 4f2b28d0..0d14a8fa 100644 --- a/README.turnserver +++ b/README.turnserver @@ -190,9 +190,9 @@ Flags: --oauth Support oAuth authentication, as in the third-party STUN/TURN RFC 7635. ---dh566 Use 566 bits predefined DH TLS key. Default size of the key is 1066. +--dh566 Use 566 bits predefined DH TLS key. Default size of the key is 2066. ---dh2066 Use 2066 bits predefined DH TLS key. Default size of the key is 1066. +--dh1066 Use 1066 bits predefined DH TLS key. Default size of the key is 2066. --no-tlsv1 Do not allow TLSv1/DTLSv1 protocol. 
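Review bot: The return value of the added `setgroups(0, NULL);` is discarded, so a failure to clear the supplementary group list (EPERM is the documented result when the process lacks the privilege to change groups) goes unnoticed and drop_privileges continues as if it had succeeded, while the setgid/setuid calls just below are checked. The call should follow the same pattern, e.g. `if (setgroups(0, NULL) != 0) { perror("setgroups"); }` and, where a group or user switch was requested, fail the way the setgid branch does; if the call is meant to be best-effort when the server is started unprivileged, say so in a comment, `/* best effort: fails with EPERM when not started as root */`. The diffstat shows only this one insertion, so confirm that `<grp.h>` (where setgroups is declared on glibc) is already included by mainrelay.c. drop_privileges continues outside the hunk.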
@@ -457,7 +457,7 @@ Options with values: by this option. --dh-file Use custom DH TLS key, stored in PEM format in the file. - Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file. + Flags --dh566 and --dh1066 are ignored when the DH key is taken from a file. -l, --log-file Option to set the full path name of the log file. By default, the turnserver tries to open a log file in diff --git a/man/man1/turnadmin.1 b/man/man1/turnadmin.1 index 92b16624..328b53ce 100644 --- a/man/man1/turnadmin.1 +++ b/man/man1/turnadmin.1 @@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "12 February 2020" "" "" +.TH TURN 1 "15 April 2020" "" "" .SH GENERAL INFORMATION \fIturnadmin\fP is a TURN administration tool. This tool can be used to manage diff --git a/man/man1/turnserver.1 b/man/man1/turnserver.1 index 6c7e96a4..24f45b96 100644 --- a/man/man1/turnserver.1 +++ b/man/man1/turnserver.1 @@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "12 February 2020" "" "" +.TH TURN 1 "15 April 2020" "" "" .SH GENERAL INFORMATION The \fBTURN Server\fP project contains the source code of a TURN server and TURN client @@ -281,11 +281,11 @@ Support oAuth authentication, as in the third\-party STUN/TURN RFC 7635. .TP .B \fB\-\-dh566\fP -Use 566 bits predefined DH TLS key. Default size of the key is 1066. +Use 566 bits predefined DH TLS key. Default size of the key is 2066. .TP .B -\fB\-\-dh2066\fP -Use 2066 bits predefined DH TLS key. Default size of the key is 1066. +\fB\-\-dh1066\fP +Use 1066 bits predefined DH TLS key. Default size of the key is 2066. .TP .B \fB\-\-no\-tlsv1\fP @@ -667,7 +667,7 @@ by this option. .B \fB\-\-dh\-file\fP Use custom DH TLS key, stored in PEM format in the file. -Flags \fB\-\-dh566\fP and \fB\-\-dh2066\fP are ignored when the DH key is taken from a file. +Flags \fB\-\-dh566\fP and \fB\-\-dh1066\fP are ignored when the DH key is taken from a file. .TP .B \fB\-l\fP, \fB\-\-log\-file\fP 
diff --git a/man/man1/turnutils.1 b/man/man1/turnutils.1 index 7da65528..9a0778c8 100644 --- a/man/man1/turnutils.1 +++ b/man/man1/turnutils.1 @@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "12 February 2020" "" "" +.TH TURN 1 "15 April 2020" "" "" .SH GENERAL INFORMATION A set of turnutils_* programs provides some utility functionality to be used diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c index 6710da6d..82be5457 100644 --- a/src/apps/relay/mainrelay.c +++ b/src/apps/relay/mainrelay.c @@ -90,7 +90,7 @@ NULL, NULL, #endif -DH_1066, "", "", "", +DH_2066, "", "", "", "turn_server_cert.pem","turn_server_pkey.pem", "", "", 0,0,0, #if !TLS_SUPPORTED @@ -555,10 +555,10 @@ static char Usage[] = "Usage: turnserver [options]\n" " if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,\n" " an optimal curve will be automatically calculated, if not defined\n" " by this option.\n" -" --dh566 Use 566 bits predefined DH TLS key. Default size of the predefined key is 1066.\n" -" --dh2066 Use 2066 bits predefined DH TLS key. Default size of the predefined key is 1066.\n" +" --dh566 Use 566 bits predefined DH TLS key. Default size of the predefined key is 2066.\n" +" --dh1066 Use 1066 bits predefined DH TLS key. Default size of the predefined key is 2066.\n" " --dh-file Use custom DH TLS key, stored in PEM format in the file.\n" -" Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.\n" +" Flags --dh566 and --dh1066 are ignored when the DH key is taken from a file.\n" " --no-tlsv1 Do not allow TLSv1/DTLSv1 protocol.\n" " --no-tlsv1_1 Do not allow TLSv1.1 protocol.\n" " --no-tlsv1_2 Do not allow TLSv1.2/DTLSv1.2 protocol.\n" @@ -766,7 +766,7 @@ enum EXTRA_OPTS { CLI_MAX_SESSIONS_OPT, EC_CURVE_NAME_OPT, DH566_OPT, - DH2066_OPT, + DH1066_OPT, NE_TYPE_OPT, NO_SSLV2_OPT, /*deprecated*/ NO_SSLV3_OPT, /*deprecated*/ 
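Review bot: The `--dh2066` option disappears with this rename (the Usage line and the `DH2066_OPT` enum entry here, the long_options entry and the set_option case in the next mainrelay.c hunks), so an existing command line or turnserver.conf that still passes `dh2066` will fail at startup with an unknown-option error instead of simply getting the new 2066-bit default. Since 2066 is now the default, keeping `dh2066` as an accepted no-op alias is cheap: retain `{ "dh2066", optional_argument, NULL, DH2066_OPT },` next to the new `dh1066` entry and leave `DH2066_OPT` in the enum, annotated `/* kept for backward compatibility: 2066 is now the default */`, with its set_option case setting `DH_2066`. The set_ctx fallback to `get_dh2066()` for any other `dh_key_size` value is fine, but a one-line comment there stating that 2066 is the default would make the intent explicit.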
@@ -896,7 +896,7 @@ static const struct myoption long_options[] = { { "cli-max-output-sessions", required_argument, NULL, CLI_MAX_SESSIONS_OPT }, { "ec-curve-name", required_argument, NULL, EC_CURVE_NAME_OPT }, { "dh566", optional_argument, NULL, DH566_OPT }, - { "dh2066", optional_argument, NULL, DH2066_OPT }, + { "dh1066", optional_argument, NULL, DH1066_OPT }, { "ne", required_argument, NULL, NE_TYPE_OPT }, { "no-sslv2", optional_argument, NULL, NO_SSLV2_OPT }, /* deprecated */ { "no-sslv3", optional_argument, NULL, NO_SSLV3_OPT }, /* deprecated */ @@ -1162,9 +1162,9 @@ static void set_option(int c, char *value) if(get_bool_value(value)) turn_params.dh_key_size = DH_566; break; - case DH2066_OPT: + case DH1066_OPT: if(get_bool_value(value)) - turn_params.dh_key_size = DH_2066; + turn_params.dh_key_size = DH_1066; break; case EC_CURVE_NAME_OPT: STRCPY(turn_params.ec_curve_name,value); @@ -2899,10 +2899,10 @@ static void set_ctx(SSL_CTX** out, const char *protocol, const SSL_METHOD* metho if(!dh) { if(turn_params.dh_key_size == DH_566) dh = get_dh566(); - else if(turn_params.dh_key_size == DH_2066) - dh = get_dh2066(); - else + else if(turn_params.dh_key_size == DH_1066) dh = get_dh1066(); + else + dh = get_dh2066(); } /* From 86dcad0e0fec7a97a6dd1045a85deb7b0774f6f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Wed, 15 Apr 2020 22:15:48 +0200 Subject: [PATCH 09/17] Update --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index a5a43eb0..e3aba5bb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -51,6 +51,7 @@ Version 4.5.1.2 'dan Eider': - merge PR #488 Fix typos about INSTALL filenames (by raccoonback) - fix compiler warning comparison between signed and unsigned integer expressions - fix compiler warning string truncation + - change Diffie Hellman default key length from 1066 to 2066 02/03/2019 Oleg Moskalenko Mihály Mészáros Version 4.5.1.1 'dan Eider': 
From b8bf7c7c2ee08e3110cba4905996462624b97e62 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Tue, 28 Apr 2020 09:09:02 +0200 Subject: [PATCH 10/17] Update Changelog --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index e3aba5bb..33120a82 100644 --- a/ChangeLog +++ b/ChangeLog @@ -52,6 +52,7 @@ Version 4.5.1.2 'dan Eider': - fix compiler warning comparison between signed and unsigned integer expressions - fix compiler warning string truncation - change Diffie Hellman default key length from 1066 to 2066 + - merge PR #522 Drop of supplementary group IDs (by weberhofer) 02/03/2019 Oleg Moskalenko Mihály Mészáros Version 4.5.1.1 'dan Eider': From a0de5483577d6795065224b155829d021af889a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Tue, 28 Apr 2020 09:16:30 +0200 Subject: [PATCH 11/17] Update man and Changelog --- ChangeLog | 3 ++- man/man1/turnadmin.1 | 2 +- man/man1/turnserver.1 | 2 +- man/man1/turnutils.1 | 2 +- 4 files changed, 5 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 33120a82..bc8fd7fd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -52,7 +52,8 @@ Version 4.5.1.2 'dan Eider': - fix compiler warning comparison between signed and unsigned integer expressions - fix compiler warning string truncation - change Diffie Hellman default key length from 1066 to 2066 - - merge PR #522 Drop of supplementary group IDs (by weberhofer) + - merge PR #522 drop of supplementary group IDs (by weberhofer) + - merge PR #514 Unify spelling of Coturn (by paulmenzel) 02/03/2019 Oleg Moskalenko Mihály Mészáros Version 4.5.1.1 'dan Eider': diff --git a/man/man1/turnadmin.1 b/man/man1/turnadmin.1 index 328b53ce..6373ea00 100644 --- a/man/man1/turnadmin.1 +++ b/man/man1/turnadmin.1 
@@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "15 April 2020" "" "" +.TH TURN 1 "28 April 2020" "" "" .SH GENERAL INFORMATION \fIturnadmin\fP is a TURN administration tool. This tool can be used to manage diff --git a/man/man1/turnserver.1 b/man/man1/turnserver.1 index 24f45b96..184e4ff6 100644 --- a/man/man1/turnserver.1 +++ b/man/man1/turnserver.1 @@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "15 April 2020" "" "" +.TH TURN 1 "28 April 2020" "" "" .SH GENERAL INFORMATION The \fBTURN Server\fP project contains the source code of a TURN server and TURN client diff --git a/man/man1/turnutils.1 b/man/man1/turnutils.1 index 9a0778c8..fbe7cff3 100644 --- a/man/man1/turnutils.1 +++ b/man/man1/turnutils.1 @@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH TURN 1 "15 April 2020" "" "" +.TH TURN 1 "28 April 2020" "" "" .SH GENERAL INFORMATION A set of turnutils_* programs provides some utility functionality to be used From 70a93345e4a27edb8d388bb49ae91f692d580be2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Tue, 28 Apr 2020 09:21:33 +0200 Subject: [PATCH 12/17] Update changelog, update man --- ChangeLog | 1 + man/man1/turnserver.1 | 6 ++---- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index bc8fd7fd..4fac0b47 100644 --- a/ChangeLog +++ b/ChangeLog @@ -54,6 +54,7 @@ Version 4.5.1.2 'dan Eider': - change Diffie Hellman default key length from 1066 to 2066 - merge PR #522 drop of supplementary group IDs (by weberhofer) - merge PR #514 Unify spelling of Coturn (by paulmenzel) + - merge PR#506 Rename "prod" config option to "no-software-attribute" 02/03/2019 Oleg Moskalenko Mihály Mészáros Version 4.5.1.1 'dan Eider': diff --git a/man/man1/turnserver.1 b/man/man1/turnserver.1 index a10562e5..edbbcbd6 100644 --- a/man/man1/turnserver.1 +++ b/man/man1/turnserver.1 
@@ -234,10 +234,8 @@ Extra verbose mode, very annoying and not recommended. .B \fB\-o\fP, \fB\-\-daemon\fP Run server as daemon. -.TP -.B -\fB\-\-no-software-attribute\fP -Do not send the software version. Should be used in production. +.PP +\fB\-\-no\-software\-attribute\fP Production mode: hide the software version. .TP .B \fB\-f\fP, \fB\-\-fingerprint\fP From 656d38d04a9f219a688fde26694d0c5c644d70c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Tue, 28 Apr 2020 09:41:26 +0200 Subject: [PATCH 13/17] Update changelog --- ChangeLog | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 4fac0b47..906827ed 100644 --- a/ChangeLog +++ b/ChangeLog @@ -54,7 +54,8 @@ Version 4.5.1.2 'dan Eider': - change Diffie Hellman default key length from 1066 to 2066 - merge PR #522 drop of supplementary group IDs (by weberhofer) - merge PR #514 Unify spelling of Coturn (by paulmenzel) - - merge PR#506 Rename "prod" config option to "no-software-attribute" + - merge PR#506 Rename "prod" config option to "no-software-attribute" (by dbrgn) + - merge PR #519 fix config extension in README.docker (by ooookai) 02/03/2019 Oleg Moskalenko Mihály Mészáros Version 4.5.1.1 'dan Eider': From ea2c6b6f3091aed4bd4c193ca3462d9f2dc8a165 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Tue, 28 Apr 2020 10:07:51 +0200 Subject: [PATCH 14/17] Update Changelog --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 906827ed..6e6506d6 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -56,6 +56,7 @@ Version 4.5.1.2 'dan Eider': - merge PR #514 Unify spelling of Coturn (by paulmenzel) - merge PR#506 Rename "prod" config option to "no-software-attribute" (by dbrgn) - merge PR #519 fix config extension in README.docker (by ooookai) + - merge PR #516 change sql data dir in docker-compose-all.yml (by raghumuppa) 02/03/2019 Oleg Moskalenko Mihály Mészáros Version 4.5.1.1 'dan Eider': From 5b65099678b37a44bc8ef82811e7024646fe4a79 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Tue, 28 Apr 2020 10:15:43 +0200 Subject: [PATCH 15/17] update Changelog and update man --- ChangeLog | 3 +- man/man1/turnadmin.1 | 47 ++--- man/man1/turnserver.1 | 407 +++++++++++++++++++++--------------------- man/man1/turnutils.1 | 30 ++-- 4 files changed, 242 insertions(+), 245 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6e6506d6..b3629abb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -56,7 +56,8 @@ Version 4.5.1.2 'dan Eider': - merge PR #514 Unify spelling of Coturn (by paulmenzel) - merge PR#506 Rename "prod" config option to "no-software-attribute" (by dbrgn) - merge PR #519 fix config extension in README.docker (by ooookai) - - merge PR #516 change sql data dir in docker-compose-all.yml (by raghumuppa) + - merge PR #516 change sql data dir in docker-compose-all.yml (by raghumuppa) + - mergr PR #513 remove trailing spaces from READMEs (by paulmenzel) 02/03/2019 Oleg Moskalenko Mihály Mészáros Version 4.5.1.1 'dan Eider': diff --git a/man/man1/turnadmin.1 b/man/man1/turnadmin.1 index 6373ea00..25dbb6a5 100644 --- a/man/man1/turnadmin.1 +++ b/man/man1/turnadmin.1 
@@ -2,16 +2,16 @@ .TH TURN 1 "28 April 2020" "" "" .SH GENERAL INFORMATION -\fIturnadmin\fP is a TURN administration tool. This tool can be used to manage -the user accounts (add/remove users, generate -TURN keys for the users). For security reasons, we do not recommend -storing passwords openly. The better option is to use pre\-processed "keys" -which are then used for authentication. These keys are generated by \fIturnadmin\fP. -Turnadmin is a link to \fIturnserver\fP binary, but \fIturnadmin\fP performs different +\fIturnadmin\fP is a TURN administration tool. This tool can be used to manage +the user accounts (add/remove users, generate +TURN keys for the users). For security reasons, we do not recommend +storing passwords openly. The better option is to use pre\-processed "keys" +which are then used for authentication. These keys are generated by \fIturnadmin\fP. +Turnadmin is a link to \fIturnserver\fP binary, but \fIturnadmin\fP performs different functions. .PP Options note: \fIturnadmin\fP has long and short option names, for most options. -Some options have only long form, some options have only short form. Their syntax +Some options have only long form, some options have only short form. Their syntax somewhat different, if an argument is required: .PP The short form must be used as this (for example): @@ -46,7 +46,7 @@ is equivalent to: .fam T .fi -You have always the use the \fB\-r\fP option with commands for long term credentials \- +You have always the use the \fB\-r\fP option with commands for long term credentials \- because data for multiple realms can be stored in the same database. .PP ===================================== 
@@ -54,15 +54,20 @@ because data for multiple realms can be stored in the same database. \fB \fBturnadmin \fP\- a TURN relay administration tool. \fB -.SS SYNOPSIS +.SS SYNOPSIS +.nf +.fam C + +$ \fIturnadmin\fP [\fIcommand\fP] [\fIoptions\fP] -$ \fIturnadmin\fP [command] [options] -.PP $ \fIturnadmin\fP [ \fB\-h\fP | \fB\-\-help\fP] + +.fam T +.fi +.fam T +.fi .SS DESCRIPTION -.TP -.B Commands: .TP .B
@@ -135,15 +140,14 @@ List origin\-to\-realm relations. Set realm params: max\-bps, total\-quota, user\-quota. .TP .B -\fB\-G\fP, \fB\-\-list\-realm\-options\fP +\fB\-G\fP, \fB\-\-list\-realm\fP\-\fIoptions\fP List realm params. .TP .B \fB\-E\fP, \fB\-\-generate\-encrypted\-password\-aes\fP -Generate and print to the standard output +Generate and print to the standard output an encrypted form of password with AES\-128 -.TP -.B +.PP Options with required values: .TP .B
@@ -210,13 +214,12 @@ Set value of realm's total\-quota parameter. .TP .B \fB\-\-user\-quota\fP -Set value of realm's user\-quota parameter. +Set value of realm's user\-quota parameter. .TP .B \fB\-h\fP, \fB\-\-help\fP Help. -.TP -.B +.PP Command examples: .PP Generate an encrypted form of a password:
@@ -282,8 +285,6 @@ $ \fIturnadmin\fP \fB\-\-file\-key\-path\fP \fB\-v\fP .PP .RS -.TP -.B Help: .PP $ \fIturnadmin\fP \fB\-h\fP
@@ -291,7 +292,7 @@ $ \fIturnadmin\fP \fB\-h\fP ======================================= .SS DOCS -After installation, run the command: +After installation, run the \fIcommand\fP: .PP $ man \fIturnadmin\fP .PP
diff --git a/man/man1/turnserver.1 b/man/man1/turnserver.1
index 0ddd73be..001403ca 100644
--- a/man/man1/turnserver.1
+++ b/man/man1/turnserver.1
@@ -2,9 +2,9 @@ .TH TURN 1 "28 April 2020" "" "" .SH GENERAL INFORMATION -The \fBTURN Server\fP project contains the source code of a TURN server and TURN client -messaging library. Also, some extra programs provided, for testing\-only -purposes. +The \fBTURN Server\fP project contains the source code of a TURN server and TURN client +messaging library. Also, some extra programs provided, for testing\-only +purposes. .PP See the INSTALL file for the building instructions. .PP
@@ -12,7 +12,7 @@ After the build, you will have the following binary images: .TP .B 1. -\fIturnserver\fP: \fBTURN Server\fP relay. +\fIturnserver\fP: \fBTURN Server\fP relay. The compiled binary image of the \fBTURN Server\fP program is located in bin/ sub\-directory. .TP .B
@@ -35,7 +35,7 @@ turnutils_stunclient. See README.turnutils and \fIturnutils\fP man page. 6. turnutils_rfc5769check. See README.turnutils and \fIturnutils\fP man page. .PP -In the "examples/scripts" sub\-directory, you will find the examples of command lines to be used +In the "examples/scripts" sub\-directory, you will find the examples of command lines to be used to run the programs. The scripts are meant to be run from examples/ sub\-directory, for example: .PP $ cd examples
@@ -43,7 +43,7 @@ $ ./scripts/secure_relay.sh .SH RUNNING THE TURN SERVER Options note: \fIturnserver\fP has long and short option names, for most options. -Some options have only long form, some options have only short form. Their syntax +Some options have only long form, some options have only short form. Their syntax somewhat different, if an argument is required: .PP The short form must be used as this (for example):
@@ -94,10 +94,8 @@ $ \fIturnserver\fP \fB\-h\fP .fi .fam T .fi -.SS DESCRIPTION +.SS DESCRIPTION -.TP -.B Config file settings: .TP .B
@@ -108,10 +106,10 @@ Do not use configuration file, use only command line parameters. \fB\-c\fP Configuration file name (default \- turnserver.conf). The format of config file can be seen in -the supplied examples/etc/turnserver.conf example file. Long -names of the \fIoptions\fP are used as the configuration -items names in the file. If not an absolute path is supplied, -then the file is searched in the following directories: +the supplied examples/etc/turnserver.conf example file. Long +names of the \fIoptions\fP are used as the configuration +items names in the file. If not an absolute path is supplied, +then the file is searched in the following directories: .RS .IP \(bu 3 current directory
@@ -126,8 +124,7 @@ upper directory level etc/ .IP \(bu 3 installation directory /etc .RE -.TP -.B +.PP User database settings: .TP .B
@@ -139,18 +136,18 @@ SQLite user database file name (default \- /var/db/turndb or \fB\-e\fP, \fB\-\-psql\-userdb\fP User database connection string for PostgreSQL. This database can be used for long\-term credentials mechanism, -and it can store the secret value +and it can store the secret value for secret\-based timed authentication in TURN REST API. The connection string format is like that: .RS .PP -"host= dbname= user= password= connect_timeout=" +"host= dbname= user= password= connect_timeout=" (for 8.x or newer Postgres). .PP Or: .PP -"postgresql://username:password@hostname:port/databasename" -(for 9.x or newer Postgres). +"postgresql://username:password@hostname:port/databasename" +(for 9.x or newer Postgres). .PP See the INSTALL file for more explanations and examples. .PP
@@ -159,9 +156,9 @@ Also, see http://www.PostgreSQL.org for full PostgreSQL documentation. .TP .B \fB\-M\fP, \fB\-\-mysql\-userdb\fP -User database connection string for MySQL or MariaDB. +User database connection string for MySQL or MariaDB. This database can be used for long\-term credentials mechanism, -and it can store the secret value for +and it can store the secret value for secret\-based timed authentication in TURN REST API. The connection string format is like that: .RS @@ -170,12 +167,12 @@ The connection string format is like that: .PP See the INSTALL file for more explanations and examples. .PP -Also, see http://www.mysql.org or http://mariadb.org +Also, see http://www.mysql.org or http://mariadb.org for full MySQL documentation. .PP -Optional connection string parameters for the secure communications (SSL): -ca, capath, cert, key, cipher -(see http://dev.mysql.com/doc/refman/5.1/en/ssl\-options.html for the +Optional connection string parameters for the secure communications (SSL): +ca, capath, cert, key, cipher +(see http://dev.mysql.com/doc/refman/5.1/en/ssl\-options.html for the command \fIoptions\fP description). .RE .TP 
@@ -184,14 +181,14 @@ command \fIoptions\fP description). This is the file path which contain secret key of aes encryption while using MySQL password encryption. If you want to use in the MySQL connection string the password in encrypted format, then set in this option the file path of the secret key. The key which is used to encrypt MySQL password. -Warning: If this option is set, then MySQL password must be set in "mysql\-userdb" option in encrypted format! +Warning: If this option is set, then MySQL password must be set in "mysql\-userdb" option in encrypted format! If you want to use cleartext password then do not set this option! .TP .B \fB\-J\fP, \fB\-\-mongo\-userdb\fP -User database connection string for MongoDB. +User database connection string for MongoDB. This database can be used for long\-term credentials mechanism, -and it can store the secret value +and it can store the secret value for secret\-based timed authentication in TURN REST API. The connection string format is like that: .RS @@ -206,9 +203,9 @@ for full MongoDB documentation. .TP .B \fB\-N\fP, \fB\-\-redis\-userdb\fP -User database connection string for Redis. +User database connection string for Redis. This database can be used for long\-term credentials mechanism, -and it can store the secret +and it can store the secret value for secret\-based timed authentication in TURN REST API. The connection string format is like that: .RS @@ -219,8 +216,7 @@ See the INSTALL file for more explanations and examples. .PP Also, see http://redis.io for full Redis documentation. .RE -.TP -.B +.PP Flags: .TP .B @@ -240,7 +236,7 @@ Run server as daemon. .B \fB\-f\fP, \fB\-\-fingerprint\fP Use fingerprints in the TURN messages. If an incoming request -contains a fingerprint, then TURN server will always add +contains a fingerprint, then TURN server will always add fingerprints to the messages in this session, regardless of the per\-server setting. .TP 
@@ -250,8 +246,8 @@ Use long\-term credentials mechanism (this one you need for WebRTC usage). .TP .B \fB\-z\fP, \fB\-\-no\-auth\fP -Do not use any credentials mechanism, allow anonymous access. -Opposite to \fB\-a\fP and \fB\-A\fP \fIoptions\fP. This is default option when no +Do not use any credentials mechanism, allow anonymous access. +Opposite to \fB\-a\fP and \fB\-A\fP \fIoptions\fP. This is default option when no authentication\-related \fIoptions\fP are set. By default, no credential mechanism is used \- any user is allowed. @@ -259,8 +255,8 @@ any user is allowed. .B \fB\-\-use\-auth\-secret\fP TURN REST API flag. -Flag that sets a special WebRTC authorization option -that is based upon authentication secret. The feature purpose +Flag that sets a special WebRTC authorization option +that is based upon authentication secret. The feature purpose is to support "\fBTURN Server\fP REST API" as described in the TURN REST API section below. This option uses timestamp as part of combined username: @@ -315,19 +311,19 @@ Do not start DTLS client listeners. .TP .B \fB\-\-no\-udp\-relay\fP -Do not allow UDP relay endpoints defined in RFC 5766, +Do not allow UDP relay endpoints defined in RFC 5766, use only TCP relay endpoints as defined in RFC 6062. .TP .B \fB\-\-no\-tcp\-relay\fP -Do not allow TCP relay endpoints defined in RFC 6062, -use only UDP relay endpoints as defined in RFC 5766. +Do not allow TCP relay endpoints defined in RFC 6062, +use only UDP relay endpoints as defined in RFC 5766. .TP .B \fB\-\-no\-stdout\-log\fP Flag to prevent stdout log messages. By default, all log messages are going to both stdout and to -the configured log file. With this option everything will be going to +the configured log file. With this option everything will be going to the log file only (unless the log file itself is stdout). .TP .B 
@@ -347,25 +343,25 @@ By default, the clients are allowed anonymous access to the STUN Binding functio .TP .B \fB\-S\fP, \fB\-\-stun\-only\fP -Run as STUN server only, all TURN requests will be ignored. +Run as STUN server only, all TURN requests will be ignored. Option to suppress TURN functionality, only STUN requests will be processed. .TP .B \fB\-\-no\-stun\fP -Run as TURN server only, all STUN requests will be ignored. +Run as TURN server only, all STUN requests will be ignored. Option to suppress STUN functionality, only TURN requests will be processed. .TP .B \fB\-\-allow\-loopback\-peers\fP Allow peers on the loopback addresses (127.x.x.x and ::1). -Allow it only for testing in a development environment! -In production it adds a possible security vulnerability, -and so due to security reasons, it is not allowed +Allow it only for testing in a development environment! +In production it adds a possible security vulnerability, +and so due to security reasons, it is not allowed using it together with empty cli\-password. .TP .B \fB\-\-no\-multicast\-peers\fP -Disallow peers on well\-known broadcast addresses +Disallow peers on well\-known broadcast addresses (224.0.0.0 and above, and FFXX:*). .TP .B @@ -379,10 +375,10 @@ See also \fIoptions\fP \fB\-\-cli\-ip\fP and \fB\-\-cli\-port\fP. .TP .B \fB\-\-server\-relay\fP -Server relay. NON\-STANDARD AND DANGEROUS OPTION. -Only for those applications when we want to run +Server relay. NON\-STANDARD AND DANGEROUS OPTION. +Only for those applications when we want to run server applications on the relay endpoints. -This option eliminates the IP permissions check +This option eliminates the IP permissions check on the packets incoming to the relay endpoints. See http://tools.ietf.org/search/rfc5766#section\-17.2.3 . .TP 
@@ -390,13 +386,13 @@ See http://tools.ietf.org/search/rfc5766#section\-17.2.3 . \fB\-\-udp\-self\-balance\fP (recommended for older Linuxes only) Automatically balance UDP traffic over auxiliary servers -(if configured). The load balancing is using the -ALTERNATE\-SERVER mechanism. The TURN client must support +(if configured). The load balancing is using the +ALTERNATE\-SERVER mechanism. The TURN client must support 300 ALTERNATE\-SERVER response for this functionality. .TP .B \fB\-\-check\-origin\-consistency\fP -The flag that sets the origin consistency +The flag that sets the origin consistency check: across the session, all requests must have the same main ORIGIN attribute value (if the ORIGIN was initially used by the session). @@ -404,8 +400,7 @@ initially used by the session). .B \fB\-h\fP Help. -.TP -.B +.PP Options with values: .TP .B @@ -432,17 +427,17 @@ This MUST not be changed for production purposes. .B \fB\-d\fP, \fB\-\-listening\-device\fP Listener interface device. -(NOT RECOMMENDED. Optional functionality, Linux only). -The \fIturnserver\fP process must have root privileges to bind the -listening endpoint to a device. If \fIturnserver\fP must run as a +(NOT RECOMMENDED. Optional functionality, Linux only). +The \fIturnserver\fP process must have root privileges to bind the +listening endpoint to a device. If \fIturnserver\fP must run as a process without root privileges, then just do not use this setting. .TP .B \fB\-L\fP, \fB\-\-listening\-ip\fP -Listener IP address of relay server. +Listener IP address of relay server. Multiple listeners can be specified, for example: \fB\-L\fP ip1 \fB\-L\fP ip2 \fB\-L\fP ip3 -If no \fBIP\fP(s) specified, then all IPv4 and +If no \fBIP\fP(s) specified, then all IPv4 and IPv6 system IPs will be used for listening. The same \fBip\fP(s) can be used as both listening and relay \fBip\fP(s). .TP 
@@ -456,11 +451,11 @@ Note: actually, TLS & DTLS sessions can connect to the "plain" TCP & UDP \fB\-\-tls\-listening\-port\fP TURN listener port for TLS and DTLS listeners (Default: 5349). Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS -\fBport\fP(s), too \- if allowed by configuration. The TURN server +\fBport\fP(s), too \- if allowed by configuration. The TURN server "automatically" recognizes the type of traffic. Actually, two listening endpoints (the "plain" one and the "tls" one) are equivalent in terms of functionality; but we keep both endpoints to satisfy the RFC 5766 specs. -For secure TCP connections, we currently support SSL version 3 and +For secure TCP connections, we currently support SSL version 3 and TLS versions 1.0, 1.1, 1.2. For secure UDP connections, we support DTLS version 1. .TP 
@@ -505,20 +500,20 @@ to client requests. .TP .B \fB\-i\fP, \fB\-\-relay\-device\fP -Relay interface device for relay sockets +Relay interface device for relay sockets (NOT RECOMMENDED. Optional, Linux only). .TP .B \fB\-E\fP, \fB\-\-relay\-ip\fP -Relay address (the local IP address that -will be used to relay the packets to the +Relay address (the local IP address that +will be used to relay the packets to the peer). Multiple relay addresses may be used: \fB\-E\fP ip1 \fB\-E\fP ip2 \fB\-E\fP ip3 The same \fBIP\fP(s) can be used as both listening \fBIP\fP(s) and relay \fBIP\fP(s). -If no relay \fBIP\fP(s) specified, then the \fIturnserver\fP will apply the -default policy: it will decide itself which relay addresses to be -used, and it will always be using the client socket IP address as -the relay IP address of the TURN session (if the requested relay +If no relay \fBIP\fP(s) specified, then the \fIturnserver\fP will apply the +default policy: it will decide itself which relay addresses to be +used, and it will always be using the client socket IP address as +the relay IP address of the TURN session (if the requested relay address family is the same as the family of the client socket). .TP .B @@ -526,7 +521,7 @@ address family is the same as the family of the client socket). \fBTURN Server\fP public/private address mapping, if the server is behind NAT. In that situation, if a \fB\-X\fP is used in form "\fB\-X\fP " then that ip will be reported as relay IP address of all allocations. This scenario works only in a simple case -when one single relay address is be used, and no CHANGE_REQUEST functionality is +when one single relay address is be used, and no CHANGE_REQUEST functionality is required. That single relay address must be mapped by NAT to the 'external' IP. The "external\-ip" value, if not empty, is returned in XOR\-RELAYED\-ADDRESS field. For that 'external' IP, NAT must forward ports directly (relayed port 12345 
@@ -534,8 +529,8 @@ must be always mapped to the same 'external' port 12345). In more complex case when more than one IP address is involved, that option must be used several times, each entry must have form "\fB\-X\fP ", to map all involved addresses. -CHANGE_REQUEST (RFC5780 or RFC3489) NAT discovery STUN functionality will work -correctly, if the addresses are mapped properly, even when the TURN server itself +CHANGE_REQUEST (RFC5780 or RFC3489) NAT discovery STUN functionality will work +correctly, if the addresses are mapped properly, even when the TURN server itself is behind A NAT. By default, this value is empty, and no address mapping is used. .TP 
@@ -544,54 +539,54 @@ By default, this value is empty, and no address mapping is used. Number of the relay threads to handle the established connections (in addition to authentication thread and the listener thread). If explicitly set to 0 then application runs relay process in a single thread, -in the same thread with the listener process (the authentication thread will -still be a separate thread). If not set, then a default optimal algorithm +in the same thread with the listener process (the authentication thread will +still be a separate thread). If not set, then a default optimal algorithm will be employed (OS\-dependent). In the older Linux systems -(before Linux kernel 3.9), the number of UDP threads is always one threads +(before Linux kernel 3.9), the number of UDP threads is always one threads per network listening endpoint \- unless "\fB\-m\fP 0" or "\fB\-m\fP 1" is set. .TP .B \fB\-\-min\-port\fP -Lower bound of the UDP port range for relay +Lower bound of the UDP port range for relay endpoints allocation. Default value is 49152, according to RFC 5766. .TP .B \fB\-\-max\-port\fP -Upper bound of the UDP port range for relay +Upper bound of the UDP port range for relay endpoints allocation. Default value is 65535, according to RFC 5766. .TP .B \fB\-u\fP, \fB\-\-user\fP -Long\-term security mechanism credentials user account, -in the column\-separated form username:key. +Long\-term security mechanism credentials user account, +in the column\-separated form username:key. Multiple user accounts may be used in the command line. The key is either the user password, or the key is generated by \fIturnadmin\fP command. In the second case, the key must be prepended with 0x symbols. -The key is calculated over the user name, +The key is calculated over the user name, the user realm, and the user password. This setting may not be used with TURN REST API. 
.TP .B \fB\-r\fP, \fB\-\-realm\fP -The default realm to be used for the users when no explicit +The default realm to be used for the users when no explicit origin/realm relationship was found in the database, or if the TURN server is not using any database (just the commands\-line settings -and the userdb file). Must be used with long\-term credentials +and the userdb file). Must be used with long\-term credentials mechanism or with TURN REST API. .TP .B \fB\-C\fP, \fB\-\-rest\-api\-separator\fP -This is the timestamp/username separator symbol +This is the timestamp/username separator symbol (character) in TURN REST API. The default value is :. .TP .B \fB\-q\fP, \fB\-\-user\-quota\fP -Per\-user allocations quota: how many concurrent -allocations a user can create. This option can also be set +Per\-user allocations quota: how many concurrent +allocations a user can create. This option can also be set through the database, for a particular realm. .TP .B @@ -602,9 +597,9 @@ This option can also be set through the database, for a particular realm. .B \fB\-s\fP, \fB\-\-max\-bps\fP Max bytes\-per\-second bandwidth a TURN session is allowed to handle -(input and output network streams are treated separately). Anything above +(input and output network streams are treated separately). Anything above that limit will be dropped or temporary suppressed (within the -available buffer limits). This option can also be set through the +available buffer limits). This option can also be set through the database, for a particular realm. .TP .B 
@@ -617,7 +612,7 @@ separately). .B \fB\-\-static\-auth\-secret\fP Static authentication secret value (a string) for TURN REST API only. -If not set, then the turn server will try to use the dynamic value +If not set, then the turn server will try to use the dynamic value in turn_secret table in user database (if present). The database\-stored value can be changed on\-the\-fly by a separate program, so this is why that other mode is dynamic. Multiple shared secrets can be used @@ -631,17 +626,17 @@ The default value is the realm name. .TP .B \fB\-\-cert\fP -Certificate file, PEM format. Same file -search rules applied as for the configuration -file. If both \fB\-\-no\-tls\fP and \fB\-\-no\-dtls\fP \fIoptions\fP +Certificate file, PEM format. Same file +search rules applied as for the configuration +file. If both \fB\-\-no\-tls\fP and \fB\-\-no\-dtls\fP \fIoptions\fP are specified, then this parameter is not needed. Default value is turn_server_cert.pem. .TP .B \fB\-\-pkey\fP -Private key file, PEM format. Same file -search rules applied as for the configuration -file. If both \fB\-\-no\-tls\fP and \fB\-\-no\-dtls\fP \fIoptions\fP +Private key file, PEM format. Same file +search rules applied as for the configuration +file. If both \fB\-\-no\-tls\fP and \fB\-\-no\-dtls\fP \fIoptions\fP are specified, then this parameter is not needed. Default value is turn_server_pkey.pem. .TP 
@@ -656,14 +651,14 @@ Default value is "DEFAULT". .TP .B \fB\-\-CA\-file\fP -CA file in OpenSSL format. +CA file in OpenSSL format. Forces TURN server to verify the client SSL certificates. By default, no CA is set and no client certificate check is performed. .TP .B \fB\-\-ec\-curve\-name\fP -Curve name for EC ciphers, if supported by OpenSSL -library (TLS and DTLS). The default value is prime256v1, +Curve name for EC ciphers, if supported by OpenSSL +library (TLS and DTLS). The default value is prime256v1, if pre\-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+, an optimal curve will be automatically calculated, if not defined by this option. 
@@ -676,74 +671,74 @@ Flags \fB\-\-dh566\fP and \fB\-\-dh1066\fP are ignored when the DH key is taken .B \fB\-l\fP, \fB\-\-log\-file\fP Option to set the full path name of the log file. -By default, the \fIturnserver\fP tries to open a log file in -/var/log/\fIturnserver\fP, /var/log, /var/tmp, /tmp and . (current) -directories (which file open operation succeeds -first that file will be used). With this option you can set the +By default, the \fIturnserver\fP tries to open a log file in +/var/log/\fIturnserver\fP, /var/log, /var/tmp, /tmp and . (current) +directories (which file open operation succeeds +first that file will be used). With this option you can set the definite log file name. -The special names are "stdout" and "\-" \- they will force everything +The special names are "stdout" and "\-" \- they will force everything to the stdout. Also, "syslog" name will redirect everything into -the system log (syslog), as if the option "\fB\-\-syslog\fP" was set. -In the runtime, the logfile can be reset with the SIGHUP signal +the system log (syslog), as if the option "\fB\-\-syslog\fP" was set. +In the runtime, the logfile can be reset with the SIGHUP signal to the \fIturnserver\fP process. .TP .B \fB\-\-alternate\-server\fP Option to set the "redirection" mode. The value of this option -will be the address of the alternate server for UDP & TCP service in form of +will be the address of the alternate server for UDP & TCP service in form of [:]. The server will send this value in the attribute ALTERNATE\-SERVER, with error 300, on ALLOCATE request, to the client. Client will receive only values with the same address family -as the client network endpoint address family. -See RFC 5389 and RFC 5766 for ALTERNATE\-SERVER functionality description. +as the client network endpoint address family. +See RFC 5389 and RFC 5766 for ALTERNATE\-SERVER functionality description. The client must use the obtained value for subsequent TURN communications. 
If more than one \fB\-\-alternate\-server\fP \fIoptions\fP are provided, then the functionality -can be more accurately described as "load\-balancing" than a mere "redirection". -If the port number is omitted, then the default port +can be more accurately described as "load\-balancing" than a mere "redirection". +If the port number is omitted, then the default port number 3478 for the UDP/TCP protocols will be used. -Colon (:) characters in IPv6 addresses may conflict with the syntax of -the option. To alleviate this conflict, literal IPv6 addresses are enclosed -in square brackets in such resource identifiers, for example: -[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 . +Colon (:) characters in IPv6 addresses may conflict with the syntax of +the option. To alleviate this conflict, literal IPv6 addresses are enclosed +in square brackets in such resource identifiers, for example: +[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 . Multiple alternate servers can be set. They will be used in the -round\-robin manner. All servers in the pool are considered of equal weight and -the load will be distributed equally. For example, if we have 4 alternate servers, -then each server will receive 25% of ALLOCATE requests. An alternate TURN server -address can be used more than one time with the alternate\-server option, so this -can emulate "weighting" of the servers. +round\-robin manner. All servers in the pool are considered of equal weight and +the load will be distributed equally. For example, if we have 4 alternate servers, +then each server will receive 25% of ALLOCATE requests. An alternate TURN server +address can be used more than one time with the alternate\-server option, so this +can emulate "weighting" of the servers. .TP .B \fB\-\-tls\-alternate\-server\fP -Option to set alternative server for TLS & DTLS services in form of -:. If the port number is omitted, then the default port -number 5349 for the TLS/DTLS protocols will be used. 
See the +Option to set alternative server for TLS & DTLS services in form of +:. If the port number is omitted, then the default port +number 5349 for the TLS/DTLS protocols will be used. See the previous option for the functionality description. .TP .B \fB\-O\fP, \fB\-\-redis\-statsdb\fP -Redis status and statistics database connection string, if used (default \- empty, -no Redis stats DB used). This database keeps allocations status information, and it can +Redis status and statistics database connection string, if used (default \- empty, +no Redis stats DB used). This database keeps allocations status information, and it can be also used for publishing and delivering traffic and allocation event notifications. This database option can be used independently of \fB\-\-redis\-userdb\fP option, -and actually Redis can be used for status/statistics and SQLite or MySQL or MongoDB or +and actually Redis can be used for status/statistics and SQLite or MySQL or MongoDB or PostgreSQL can be used for the user database. The connection string has the same parameters as redis\-userdb connection string. .TP .B \fB\-\-max\-allocate\-timeout\fP -Max time, in seconds, allowed for full allocation establishment. +Max time, in seconds, allowed for full allocation establishment. Default is 60 seconds. .PP \fB\-\-denied\-peer\-ip\fP= .PP -\fB\-\-allowed\-peer\-ip\fP= Options to ban or allow specific ip addresses or ranges -of ip addresses. If an ip address is specified as both allowed and denied, then +\fB\-\-allowed\-peer\-ip\fP= Options to ban or allow specific ip addresses or ranges +of ip addresses. If an ip address is specified as both allowed and denied, then the ip address is considered to be allowed. This is useful when you wish to ban a range of ip addresses, except for a few specific ips within that range. 
This can be used when you do not want users of the turn server to be able to access -machines reachable by the turn server, but would otherwise be unreachable from the -internet (e.g. when the turn server is sitting behind a NAT). The 'white" and "black" peer -IP ranges can also be dynamically changed in the database. +machines reachable by the turn server, but would otherwise be unreachable from the +internet (e.g. when the turn server is sitting behind a NAT). The 'white" and "black" peer +IP ranges can also be dynamically changed in the database. The allowed/denied addresses (white/black lists) rules are very simple: .RS .IP 1) 4 @@ -781,9 +776,9 @@ Client <=> Server communication address family. \fB\-\-cli\-ip\fP Local system IP address to be used for CLI management interface. The \fIturnserver\fP process can be accessed for management with telnet, -at this IP address and on the CLI port (see the next parameter). +at this IP address and on the CLI port (see the next parameter). Default value is 127.0.0.1. You can use telnet or putty (in telnet mode) -to access the CLI management interface. +to access the CLI management interface. .TP .B \fB\-\-cli\-port\fP 
@@ -837,24 +832,24 @@ This is a set of notes for the WebRTC users: .IP 1) 4 WebRTC uses long\-term authentication mechanism, so you have to use \fB\-a\fP option (or \fB\-\-lt\-cred\-mech\fP). WebRTC relaying will not work with anonymous -access. With \fB\-a\fP option, do not forget to set the -default realm (\fB\-r\fP option). You will also have to set up the user accounts, +access. With \fB\-a\fP option, do not forget to set the +default realm (\fB\-r\fP option). You will also have to set up the user accounts, for that you have a number of \fIoptions\fP: .PP .nf .fam C a) command\-line options (\-u). - b) a database table (SQLite or PostgreSQL or MySQL or MongoDB). You will have to - set keys with turnadmin utility (see docs and wiki for turnadmin). + b) a database table (SQLite or PostgreSQL or MySQL or MongoDB). You will have to + set keys with turnadmin utility (see docs and wiki for turnadmin). You cannot use open passwords in the database. - c) Redis key/value pair(s), if Redis is used. You key use either keys or - open passwords with Redis; see turndb/testredisdbsetup.sh file. + c) Redis key/value pair(s), if Redis is used. You key use either keys or + open passwords with Redis; see turndb/testredisdbsetup.sh file. d) You also can use the TURN REST API. You will need shared secret(s) set either through the command line option, or through the config file, or through - the database table or Redis key/value pairs. + the database table or Redis key/value pairs. .fam T .fi 
@@ -872,19 +867,19 @@ number range. .SH TURN REST API In WebRTC, the browser obtains the TURN connection information from the web -server. This information is a secure information \- because it contains the -necessary TURN credentials. As these credentials are transmitted over the +server. This information is a secure information \- because it contains the +necessary TURN credentials. As these credentials are transmitted over the public networks, we have a potential security breach. .PP -If we have to transmit a valuable information over the public network, -then this information has to have a limited lifetime. Then the guy who -obtains this information without permission will be able to perform +If we have to transmit a valuable information over the public network, +then this information has to have a limited lifetime. Then the guy who +obtains this information without permission will be able to perform only limited damage. .PP -This is how the idea of TURN REST API \- time\-limited TURN credentials \- -appeared. This security mechanism is based upon the long\-term credentials -mechanism. The main idea of the REST API is that the web server provides -the credentials to the client, but those credentials can be used only +This is how the idea of TURN REST API \- time\-limited TURN credentials \- +appeared. This security mechanism is based upon the long\-term credentials +mechanism. The main idea of the REST API is that the web server provides +the credentials to the client, but those credentials can be used only limited time by an application that has to create a TURN server connection. .PP The "classic" long\-term credentials mechanism (LTCM) is described here: 
@@ -895,22 +890,22 @@ http://tools.ietf.org/html/rfc5389#section\-15.4 .PP For authentication, each user must know two things: the username and the password. Optionally, the user must supply the ORIGIN value, so that the -server can figure out the realm to be used for the user. The nonce and -the realm values are supplied by the TURN server. But LTCM is not saying -anything about the nature and about the persistence of the username and +server can figure out the realm to be used for the user. The nonce and +the realm values are supplied by the TURN server. But LTCM is not saying +anything about the nature and about the persistence of the username and of the password; and this is used by the REST API. .PP -In the TURN REST API, there is no persistent passwords for users. A user has -just the username. The password is always temporary, and it is generated by -the web server on\-demand, when the user accesses the WebRTC page. And, -actually, a temporary one\-time session only, username is provided to the user, -too. +In the TURN REST API, there is no persistent passwords for users. A user has +just the username. The password is always temporary, and it is generated by +the web server on\-demand, when the user accesses the WebRTC page. And, +actually, a temporary one\-time session only, username is provided to the user, +too. .PP The temporary user is generated as: .PP temporary\-username="timestamp" + ":" + "username" .PP -where username is the persistent user name, and the timestamp format is just +where username is the persistent user name, and the timestamp format is just seconds since 1970 \- the same value as \fBtime\fP(NULL) function returns. .PP The temporary password is obtained as HMAC\-SHA1 function over the temporary 
@@ -922,7 +917,7 @@ Both the TURN server and the web server know the same shared secret. How the shared secret is distributed among the involved entities is left to the WebRTC deployment details \- this is beyond the scope of the TURN REST API. .PP -So, a timestamp is used for the temporary password calculation, and this +So, a timestamp is used for the temporary password calculation, and this timestamp can be retrieved from the temporary username. This information is valuable, but only temporary, while the timestamp is not expired. Without knowledge of the shared secret, a new temporary password cannot be generated. @@ -937,7 +932,7 @@ For developers, we are going to describe it step\-by\-step below: .RS .IP \(bu 3 a new TURN client sends a request command to the TURN server. Optionally, -it adds the ORIGIN field to it. +it adds the ORIGIN field to it. .IP \(bu 3 TURN server sees that this is a new client and the message is not authenticated. @@ -960,13 +955,13 @@ the client uses username, realm and password to produce a key: (SASLprep is described here: http://tools.ietf.org/html/rfc4013) .IP \(bu 3 the client forms a new request, adds username, realm and nonce to the -request. Then, the client calculates and adds the integrity field to +request. Then, the client calculates and adds the integrity field to the request. This is the trickiest part of the process, and it is -described in the end of section 15.4: +described in the end of section 15.4: http://tools.ietf.org/html/rfc5389#section\-15.4 .IP \(bu 3 the client, optionally, adds the fingerprint field. This may be also -a tricky procedure, described in section 15.5 of the same document. +a tricky procedure, described in section 15.5 of the same document. WebRTC usually uses fingerprinted TURN messages. .IP \(bu 3 the TURN server receives the request, reads the username. 
@@ -979,33 +974,33 @@ then the TURN server calculates the key. then the TURN server calculates the integrity field. .IP \(bu 3 then the TURN server compares the calculated integrity field with the -received one \- they must be the same. If the integrity fields differ, +received one \- they must be the same. If the integrity fields differ, then the request is rejected. .RE .PP -In subsequent communications, the client may go with exactly the same -sequence, but for optimization usually the client, having already -information about realm and nonce, pre\-calculates the integrity string -for each request, so that the 401 error response becomes unnecessary. -The TURN server may use "\fB\-\-stale\-nonce\fP" option for extra security: in +In subsequent communications, the client may go with exactly the same +sequence, but for optimization usually the client, having already +information about realm and nonce, pre\-calculates the integrity string +for each request, so that the 401 error response becomes unnecessary. +The TURN server may use "\fB\-\-stale\-nonce\fP" option for extra security: in some time, the nonce expires and the client will obtain 438 error response with the new nonce, and the client will have to start using the new nonce. .PP -In subsequent communications, the server and the client will always assume -the same password \- the original password becomes the session parameter and +In subsequent communications, the server and the client will always assume +the same password \- the original password becomes the session parameter and is never expiring. So the password is not changing while the session is valid -and unexpired. So, if the session is properly maintained, it may go forever, -even if the user password has been already changed (in the database). The -session simply is using the old password. Once the session got disconnected, -the client will have to use the new password to re\-connect (if the password +and unexpired. 
So, if the session is properly maintained, it may go forever, +even if the user password has been already changed (in the database). The +session simply is using the old password. Once the session got disconnected, +the client will have to use the new password to re\-connect (if the password has been changed). .PP An example when a new shared secret is generated every hour by the TURN server box and then supplied to the web server, remotely, is provided in the script examples/scripts/restapi/shared_secret_maintainer.pl . .PP -A very important thing is that the nonce must be totally random and it must be -different for different clients and different sessions. +A very important thing is that the nonce must be totally random and it must be +different for different clients and different sessions. .PP =================================== .SH DATABASES @@ -1013,7 +1008,7 @@ different for different clients and different sessions. For the user database, the \fIturnserver\fP has the following \fIoptions\fP: .IP 1) 4 Users can be set in the command line, with multiple \fB\-u\fP or \fB\-\-user\fP \fIoptions\fP. -Obviously, only a few users can be set that way, and their credentials are fixed +Obviously, only a few users can be set that way, and their credentials are fixed for the \fIturnserver\fP process lifetime. .IP 2) 4 Users can be stored in SQLite DB. The default SQLite database file is /var/db/turndb 
@@ -1021,23 +1016,23 @@ or /usr/local/var/db/turndb or /var/lib/turn/turndb. .IP 3) 4 Users can be stored in PostgreSQL database, if the \fIturnserver\fP was compiled with PostgreSQL support. Each time \fIturnserver\fP checks user credentials, it reads the database (asynchronously, -of course, so that the current flow of packets is not delayed in any way), so any change in the -database content is immediately visible by the \fIturnserver\fP. This is the way if you need the +of course, so that the current flow of packets is not delayed in any way), so any change in the +database content is immediately visible by the \fIturnserver\fP. This is the way if you need the best scalability. The schema for the database can be found in schema.sql file. -For long\-term credentials, you have to set the "keys" for the users; the "keys" are generated -by the \fIturnadmin\fP utility. For the key generation, you need username, password and the realm. -All users in the database must use the same realm value; if down the road you will decide -to change the realm name, then you will have to re\-generate all user keys (that can be done +For long\-term credentials, you have to set the "keys" for the users; the "keys" are generated +by the \fIturnadmin\fP utility. For the key generation, you need username, password and the realm. +All users in the database must use the same realm value; if down the road you will decide +to change the realm name, then you will have to re\-generate all user keys (that can be done in a batch script). See the file turndb/testsqldbsetup.sql as an example. .IP 4) 4 The same is true for MySQL database. The same schema file is applicable. -The same considerations are applicable. +The same considerations are applicable. .IP 5) 4 The same is true for the Redis database, but the Redis database has aa different schema \- -it can be found (in the form of explanation) in schema.userdb.redis. 
-Also, in Redis you can store both "keys" and open passwords (for long term credentials) \- -the "open password" option is less secure but more convenient for low\-security environments. -See the file turndb/testredisdbsetup.sh as an example. +it can be found (in the form of explanation) in schema.userdb.redis. +Also, in Redis you can store both "keys" and open passwords (for long term credentials) \- +the "open password" option is less secure but more convenient for low\-security environments. +See the file turndb/testredisdbsetup.sh as an example. .IP 6) 4 If a database is used, then users can be divided into multiple independent realms. Each realm can be administered separately, and each realm can have its own set of users and its own 
@@ -1054,21 +1049,21 @@ The simplest choice is not to use it. Do not set \fB\-\-redis\-statsdb\fP option will be simply ignored. .IP 2) 4 If you choose to use it, then set the \fB\-\-redis\-statsdb\fP option. This may be the same database -as in \fB\-\-redis\-userdb\fP option, or it may be a different database. You may want to use different +as in \fB\-\-redis\-userdb\fP option, or it may be a different database. You may want to use different database for security or convenience reasons. Also, you can use different database management -systems for the user database and for the ststus and statistics database. For example, you can use +systems for the user database and for the ststus and statistics database. For example, you can use MySQL as the user database, and you can use redis for the statistics. Or you can use Redis for both. .PP So, we have 6 choices for the user management, and 2 choices for the statistics management. These -two are totally independent. So, you have overall 6*2=12 ways to handle persistent information, +two are totally independent. So, you have overall 6*2=12 ways to handle persistent information, choose any for your convenience. .PP -You do not have to handle the database information "manually" \- the \fIturnadmin\fP program can handle +You do not have to handle the database information "manually" \- the \fIturnadmin\fP program can handle everything for you. For PostgreSQL and MySQL you will just have to create an empty database -with schema.sql SQL script. With Redis, you do not have to do even that \- just run \fIturnadmin\fP and -it will set the users for you (see the \fIturnadmin\fP manuals). If you are using SQLite, then the -\fIturnserver\fP or \fIturnadmin\fP will initialize the empty database, for you, when started. The -TURN server installation process creates an empty initialized SQLite database in the default +with schema.sql SQL script. 
With Redis, you do not have to do even that \- just run \fIturnadmin\fP and +it will set the users for you (see the \fIturnadmin\fP manuals). If you are using SQLite, then the +\fIturnserver\fP or \fIturnadmin\fP will initialize the empty database, for you, when started. The +TURN server installation process creates an empty initialized SQLite database in the default location (/var/db/turndb or /usr/local/var/db/turndb or /var/lib/turn/turndb, depending on the system). .PP ================================= @@ -1087,7 +1082,7 @@ does not include the ALPN information into the ServerHello. In the lib/ sub\-directory the build process will create TURN client messaging library. In the include/ sub\-directory, the necessary include files will be placed. The C++ wrapper for the messaging functionality is located in TurnMsgLib.h header. -An example of C++ code can be found in stunclient.c file. +An example of C++ code can be found in stunclient.c file. .PP ================================= .SH DOCS @@ -1102,13 +1097,13 @@ $ man \fB\-M\fP man \fIturnserver\fP .PP to see the man page. .PP -In the docs/html subdirectory of the original archive tree, you will find the client library +In the docs/html subdirectory of the original archive tree, you will find the client library reference. After the installation, it will be placed in PREFIX/share/doc/\fIturnserver\fP/html. .PP ================================= .SH LOGS -When the \fBTURN Server\fP starts, it makes efforts to create a log file turn_.log +When the \fBTURN Server\fP starts, it makes efforts to create a log file turn_.log in the following directories: .RS .IP \(bu 3 
@@ -1123,7 +1118,7 @@ in the following directories: current directory .RE .PP -If all efforts failed (due to the system permission settings) then all +If all efforts failed (due to the system permission settings) then all log messages are sent only to the standard output of the process. .PP This behavior can be controlled by \fB\-\-log\-file\fP, \fB\-\-syslog\fP and \fB\-\-no\-stdout\-log\fP @@ -1133,7 +1128,7 @@ This behavior can be controlled by \fB\-\-log\-file\fP, \fB\-\-syslog\fP and \fB .SH HTTPS MANAGEMENT INTERFACE The \fIturnserver\fP process provides an HTTPS Web access as statistics and basic -management interface. The \fIturnserver\fP listens to incoming HTTPS admin +management interface. The \fIturnserver\fP listens to incoming HTTPS admin connections on the same ports as the main TURN/STUN listener. The Web admin pages are basic and self\-explanatory. .PP 
@@ -1155,11 +1150,11 @@ in "help" command output in the telnet CLI. ================================= .SH CLUSTERS -\fBTURN Server\fP can be a part of the cluster installation. But, to support the "even port" functionality -(RTP/RTCP streams pairs) the client requests from a particular IP must be delivered to the same -\fBTURN Server\fP instance, so it requires some networking setup massaging for the cluster. The reason is that -the RTP and RTCP relaying endpoints must be allocated on the same relay IP. It would be possible -to design a scheme with the application\-level requests forwarding (and we may do that later) but +\fBTURN Server\fP can be a part of the cluster installation. But, to support the "even port" functionality +(RTP/RTCP streams pairs) the client requests from a particular IP must be delivered to the same +\fBTURN Server\fP instance, so it requires some networking setup massaging for the cluster. The reason is that +the RTP and RTCP relaying endpoints must be allocated on the same relay IP. It would be possible +to design a scheme with the application\-level requests forwarding (and we may do that later) but it would affect the performance. .PP ================================= diff --git a/man/man1/turnutils.1 b/man/man1/turnutils.1 index fbe7cff3..67103adc 100644 --- a/man/man1/turnutils.1 +++ b/man/man1/turnutils.1 
@@ -51,12 +51,12 @@ addresses should be configured to be able to work properly! .TP .B 6. -\fIturnutils_oauth\fP: a utility that provides OAuth access_token -\fBgeneration\fP(AEAD encryption), validation and decryption. This utility inputs -all the keys and lifetimes and any related information that needed for -creation and validationi of an access_token. It outputs a JSON with all OAuth -PoP parameters that need to pass to the client. Output is generated accoriding -RFC7635 Appendix B, Figure 8. +\fIturnutils_oauth\fP: a utility that provides OAuth access_token +\fBgeneration\fP(AEAD encryption), validation and decryption. This utility inputs +all the keys and lifetimes and any related information that needed for +creation and validationi of an access_token. It outputs a JSON with all OAuth +PoP parameters that need to pass to the client. Output is generated accoriding +RFC7635 Appendix B, Figure 8. .PP For more details, and for the access_token structure, read rfc7635, and see script in examples/scripts/oauth.sh. 
@@ -480,15 +480,15 @@ $ \fIturnutils_oauth\fP [\fIoptions\fP] .fi .SS DESCRIPTION -\fIturnutils_oauth\fP utilitiy provides help in OAuth access_token encryption and/or -decryption with AEAD (Atuthenticated Encryption with Associated Data). It helps -for an Auth Server in access_token creation, and also for debugging purposes it -helps the access_token validation and decryption. This utility inputs all the -keys and lifetimes and any related information that are needed for encryption -or decryption of an access_token. It outputs a JSON with all OAuth PoP -parameters that need to pass to the client. Output is generated accoriding -RFC7635 Appendix B, Figure 8. This utility could help to build an Auth Server -service, but be awere that this utility does not generate "session key" / +\fIturnutils_oauth\fP utilitiy provides help in OAuth access_token encryption and/or +decryption with AEAD (Atuthenticated Encryption with Associated Data). It helps +for an Auth Server in access_token creation, and also for debugging purposes it +helps the access_token validation and decryption. This utility inputs all the +keys and lifetimes and any related information that are needed for encryption +or decryption of an access_token. It outputs a JSON with all OAuth PoP +parameters that need to pass to the client. Output is generated accoriding +RFC7635 Appendix B, Figure 8. This utility could help to build an Auth Server +service, but be awere that this utility does not generate "session key" / "mac_key" and not verifies lifetime of "session key" / "mac_key" or "Auth key". For more details, and for the access_token structure, read rfc7635, and see the example in examples/scripts/oauth.sh. From ded19f58c8631c74ade4861c9a82c1e1c82e5345 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Tue, 28 Apr 2020 11:12:09 +0200 Subject: [PATCH 16/17] do not require to set cli password if no-cli --- src/apps/relay/mainrelay.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c index 5fc77a46..83fe7ae8 100644 --- a/src/apps/relay/mainrelay.c +++ b/src/apps/relay/mainrelay.c @@ -2276,13 +2276,13 @@ int main(int argc, char **argv) if(turn_params.allow_loopback_peers) { TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "CONFIG WARNING: allow_loopback_peers opens a possible security vulnerability. Do not use in production!!\n"); - if(cli_password[0]==0) { + if(cli_password[0]==0 && use_cli) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nCONFIG ERROR: allow_loopback_peers and empty cli password cannot be used together.\n"); exit(-1); } } - if(use_cli && cli_password[0]==0) { + if(use_cli && cli_password[0]==0 && use_cli) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "\nCONFIG ERROR: Empty cli-password, and so telnet cli interface is disabled! Please set a non empty cli-password!\n"); use_cli = 0; } From 7d1c1e0f89f6a4687995a84da4a708188d113f67 Mon Sep 17 00:00:00 2001 
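Review bot: The second changed line, `if(use_cli && cli_password[0]==0 && use_cli) {`, repeats `use_cli`, which is already the first operand of the same `&&` chain, so the added term is dead code and looks like a copy of the first hunk line's fix; the pre-existing `if(use_cli && cli_password[0]==0) {` already expressed the intended condition and should stay as it was. The first change is the one that carries the commit's intent: the allow_loopback_peers / empty-cli-password combination is now fatal only when the CLI is actually enabled, and with the CLI off the configuration proceeds with just the existing warning. Because that check runs before the second one, an enabled CLI with an empty password still exits rather than silently disabling the CLI, which keeps the fail-closed behaviour; a one-line comment above the first `if`, `/* with --no-cli there is no telnet interface to protect, so an empty cli-password is harmless here */`, would record why the two checks differ. main() begins and ends outside the hunk.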
From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Wed, 15 Apr 2020 20:35:53 +0000 Subject: [PATCH 17/17] Add new test certs --- .gitignore | 1 + examples/ca/CA.pl.diff | 22 ++ examples/ca/CA/cacert.pem | 80 ++++ examples/ca/CA/careq.pem | 17 + examples/ca/CA/crlnumber | 1 + examples/ca/CA/index.txt | 3 + examples/ca/CA/index.txt.attr | 1 + examples/ca/CA/index.txt.attr.old | 1 + examples/ca/CA/index.txt.old | 2 + ...9BEC95D121491D5D65A71A614667DD42186546.pem | 80 ++++ ...9BEC95D121491D5D65A71A614667DD42186547.pem | 80 ++++ ...9BEC95D121491D5D65A71A614667DD42186548.pem | 80 ++++ examples/ca/CA/private/cakey.pem | 30 ++ examples/ca/CA/serial | 1 + examples/ca/CA/serial.old | 1 + examples/ca/openssl.conf | 364 ++++++++++++++++++ examples/ca/run.sh | 16 + examples/ca/turn_client_cert.pem | 80 ++++ examples/ca/turn_client_pkey.pem | 28 ++ examples/ca/turn_server_cert.pem | 80 ++++ examples/ca/turn_server_pkey.pem | 28 ++ examples/etc/cacert.pem | 1 + examples/etc/turn_client_cert.pem | 24 +- examples/etc/turn_client_pkey.pem | 28 +- examples/etc/turn_server_cert.pem | 23 +- examples/etc/turn_server_pkey.pem | 28 +- .../longtermsecure/secure_dtls_client_cert.sh | 2 +- .../longtermsecure/secure_relay_cert.sh | 2 +- .../longtermsecure/secure_tls_client_cert.sh | 2 +- 29 files changed, 1004 insertions(+), 102 deletions(-) create mode 100644 examples/ca/CA.pl.diff create mode 100644 examples/ca/CA/cacert.pem create mode 100644 examples/ca/CA/careq.pem create mode 100644 examples/ca/CA/crlnumber create mode 100644 examples/ca/CA/index.txt create mode 100644 examples/ca/CA/index.txt.attr create mode 100644 examples/ca/CA/index.txt.attr.old create mode 100644 examples/ca/CA/index.txt.old create mode 100644 examples/ca/CA/newcerts/4C9BEC95D121491D5D65A71A614667DD42186546.pem create mode 100644 examples/ca/CA/newcerts/4C9BEC95D121491D5D65A71A614667DD42186547.pem create mode 100644 examples/ca/CA/newcerts/4C9BEC95D121491D5D65A71A614667DD42186548.pem create mode 100644 
examples/ca/CA/private/cakey.pem create mode 100644 examples/ca/CA/serial create mode 100644 examples/ca/CA/serial.old create mode 100644 examples/ca/openssl.conf create mode 100755 examples/ca/run.sh create mode 100644 examples/ca/turn_client_cert.pem create mode 100644 examples/ca/turn_client_pkey.pem create mode 100644 examples/ca/turn_server_cert.pem create mode 100644 examples/ca/turn_server_pkey.pem create mode 120000 examples/etc/cacert.pem mode change 100644 => 120000 examples/etc/turn_client_cert.pem mode change 100644 => 120000 examples/etc/turn_client_pkey.pem mode change 100644 => 120000 examples/etc/turn_server_cert.pem mode change 100644 => 120000 examples/etc/turn_server_pkey.pem diff --git a/.gitignore b/.gitignore index fcc5638e..9a74f5b0 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ build include lib sqlite +examples/ca/CA.pl diff --git a/examples/ca/CA.pl.diff b/examples/ca/CA.pl.diff new file mode 100644 index 00000000..366b67ff --- /dev/null +++ b/examples/ca/CA.pl.diff @@ -0,0 +1,22 @@ +--- CA.pl 2019-10-12 19:56:43.000000000 +0000 ++++ CA.pl 2020-03-05 07:58:41.112690266 +0000 +@@ -25,8 +25,8 @@ + my $verbose = 1; + + my $OPENSSL_CONFIG = $ENV{"OPENSSL_CONFIG"} || ""; +-my $DAYS = "-days 365"; +-my $CADAYS = "-days 1095"; # 3 years ++my $DAYS = "-days 36500"; ++my $CADAYS = "-days 365000"; # 1000 years + my $REQ = "$openssl req $OPENSSL_CONFIG"; + my $CA = "$openssl ca $OPENSSL_CONFIG"; + my $VERIFY = "$openssl verify"; +@@ -34,7 +34,7 @@ + my $PKCS12 = "$openssl pkcs12"; + + # default openssl.cnf file has setup as per the following +-my $CATOP = "./demoCA"; ++my $CATOP = "./CA"; + my $CAKEY = "cakey.pem"; + my $CAREQ = "careq.pem"; + my $CACERT = "cacert.pem"; diff --git a/examples/ca/CA/cacert.pem b/examples/ca/CA/cacert.pem new file mode 100644 index 00000000..a537cac7 --- /dev/null +++ b/examples/ca/CA/cacert.pem 
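Review bot: The CA.pl patch raises leaf validity to `-days 36500` and CA validity to `-days 365000`, and the same commit checks in the issuing key at examples/ca/CA/private/cakey.pem, so every certificate minted from this example CA is effectively permanent and its issuer key is public; nothing in the patch or the surrounding example tree says these artefacts are for local testing only. A short comment at the top of examples/ca/run.sh (added by this commit) along the lines of `# Test-only CA: its private key is committed to the repository; never add examples/ca to a trust store outside a throwaway test setup` would make that explicit for anyone copying the directory. The OpenSSL CA.pl the patch applies to is also not in the tree (it is ignored via the .gitignore hunk), so the comment should name the OpenSSL version the diff was taken against, which the header's `2019-10-12` timestamp only hints at.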
@@ -0,0 +1,80 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 4c:9b:ec:95:d1:21:49:1d:5d:65:a7:1a:61:46:67:dd:42:18:65:46 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=HU, ST=Hungary, O=coTURN, CN=CA/emailAddress=misi@majd.eu + Validity + Not Before: Mar 5 09:05:10 2020 GMT + Not After : Jul 7 09:05:10 3019 GMT + Subject: C=HU, ST=Hungary, O=coTURN, CN=CA/emailAddress=misi@majd.eu + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:d8:76:2a:59:44:73:da:25:38:93:54:d8:c5:2b: + 11:bd:30:80:21:5f:47:95:7d:eb:5e:3e:98:0d:a7: + a8:30:8c:07:6d:1a:ee:89:c1:4c:cc:64:81:90:b3: + ab:54:1f:9b:72:23:c5:2f:0a:32:52:be:27:ad:2f: + 51:ee:62:9e:ed:44:d0:ba:aa:72:67:03:a2:ee:a0: + e3:5d:9e:37:ec:ee:0b:29:59:e8:d8:d5:84:a1:6d: + 36:5d:85:6b:0d:73:a0:32:fe:b6:fa:99:ef:8c:78: + a9:02:f4:3a:bd:13:bc:1a:9b:72:55:0b:e7:0c:ed: + 68:00:c2:e7:78:4a:df:ce:14:2a:99:f1:de:97:16: + 60:44:f1:fc:f8:74:e5:33:31:cc:f9:ff:5d:9e:c1: + c7:c6:21:75:48:08:26:f5:7c:f1:56:ec:15:c5:7f: + 24:0f:08:03:74:e0:da:10:bf:3d:90:67:09:1e:b2: + 3f:b4:f4:15:df:53:e8:68:e8:d1:28:8e:2d:37:f9: + e0:3a:a3:29:00:3d:0a:66:7c:71:ab:54:e5:da:fe: + 44:18:3c:b4:be:c5:ce:49:26:8c:cc:ab:88:8f:b7: + e3:ad:5b:df:b2:d4:a3:f8:a9:06:4f:38:6e:b7:05: + b3:3a:bd:63:cd:f7:26:15:e0:98:fd:30:7e:d3:33: + 56:8d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 1C:27:5E:40:39:8C:EC:71:C7:ED:E9:2A:56:C9:9E:DF:48:EA:82:42 + X509v3 Authority Key Identifier: + keyid:1C:27:5E:40:39:8C:EC:71:C7:ED:E9:2A:56:C9:9E:DF:48:EA:82:42 + + X509v3 Basic Constraints: critical + CA:TRUE + Signature Algorithm: sha256WithRSAEncryption + b4:d5:d9:7a:46:1e:1a:95:02:b5:7e:86:45:16:26:d5:8a:11: + b9:34:98:58:df:cd:0c:d5:a5:f2:cc:24:1a:22:f4:c7:3e:50: + 39:40:f5:d6:e8:3b:9c:05:e9:f9:95:9b:c2:01:3b:69:d5:ba: + 4f:cf:7c:a6:7c:6e:f4:24:a3:d1:88:e2:29:60:ca:6d:b0:ee: + a6:b8:d1:5f:49:d5:08:a6:c2:79:3a:3f:8a:63:ec:53:ef:48: + 
00:8c:61:d2:0f:38:e0:00:ac:6d:a6:bf:ed:6a:42:c3:cf:4e: + e3:0d:48:c5:a7:6d:5e:af:5a:e4:30:26:ba:19:2a:a5:57:da: + ce:b7:b6:45:24:fb:36:b6:a3:6c:55:ca:9f:91:19:29:db:a4: + 22:d4:45:53:b9:79:6a:a7:5e:90:a3:4d:3b:c1:b6:2b:52:41: + 97:7d:9e:0c:cf:0a:5f:ce:0e:fe:bf:a9:e5:b7:60:17:f5:93: + 4b:b5:6d:2d:51:a6:c1:54:65:f9:e1:5c:21:8d:3d:19:0c:dc: + 2c:c9:17:40:65:15:d0:ad:98:06:a0:11:aa:87:b3:2d:03:29: + 37:24:f6:42:a8:d5:58:ae:55:20:c3:37:a3:62:33:36:34:73: + 98:bc:70:30:aa:33:b0:e4:86:b6:d9:22:79:1f:3f:68:6f:f5: + 66:75:e8:70 +-----BEGIN CERTIFICATE----- +MIIDlzCCAn+gAwIBAgIUTJvsldEhSR1dZacaYUZn3UIYZUYwDQYJKoZIhvcNAQEL +BQAwWjELMAkGA1UEBhMCSFUxEDAOBgNVBAgMB0h1bmdhcnkxDzANBgNVBAoMBmNv +VFVSTjELMAkGA1UEAwwCQ0ExGzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5ldTAg +Fw0yMDAzMDUwOTA1MTBaGA8zMDE5MDcwNzA5MDUxMFowWjELMAkGA1UEBhMCSFUx +EDAOBgNVBAgMB0h1bmdhcnkxDzANBgNVBAoMBmNvVFVSTjELMAkGA1UEAwwCQ0Ex +GzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5ldTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBANh2KllEc9olOJNU2MUrEb0wgCFfR5V9614+mA2nqDCMB20a +7onBTMxkgZCzq1Qfm3IjxS8KMlK+J60vUe5inu1E0LqqcmcDou6g412eN+zuCylZ +6NjVhKFtNl2Faw1zoDL+tvqZ74x4qQL0Or0TvBqbclUL5wztaADC53hK384UKpnx +3pcWYETx/Ph05TMxzPn/XZ7Bx8YhdUgIJvV88VbsFcV/JA8IA3Tg2hC/PZBnCR6y +P7T0Fd9T6Gjo0SiOLTf54DqjKQA9CmZ8catU5dr+RBg8tL7FzkkmjMyriI+3461b +37LUo/ipBk84brcFszq9Y833JhXgmP0wftMzVo0CAwEAAaNTMFEwHQYDVR0OBBYE +FBwnXkA5jOxxx+3pKlbJnt9I6oJCMB8GA1UdIwQYMBaAFBwnXkA5jOxxx+3pKlbJ +nt9I6oJCMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBALTV2XpG +HhqVArV+hkUWJtWKEbk0mFjfzQzVpfLMJBoi9Mc+UDlA9dboO5wF6fmVm8IBO2nV +uk/PfKZ8bvQko9GI4ilgym2w7qa40V9J1Qimwnk6P4pj7FPvSACMYdIPOOAArG2m +v+1qQsPPTuMNSMWnbV6vWuQwJroZKqVX2s63tkUk+za2o2xVyp+RGSnbpCLURVO5 +eWqnXpCjTTvBtitSQZd9ngzPCl/ODv6/qeW3YBf1k0u1bS1RpsFUZfnhXCGNPRkM +3CzJF0BlFdCtmAagEaqHsy0DKTck9kKo1ViuVSDDN6NiMzY0c5i8cDCqM7DkhrbZ +InkfP2hv9WZ16HA= +-----END CERTIFICATE----- diff --git a/examples/ca/CA/careq.pem b/examples/ca/CA/careq.pem new file mode 100644 index 00000000..af1cf15c --- /dev/null 
+++ b/examples/ca/CA/careq.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICsjCCAZoCAQAwbTELMAkGA1UEBhMCSFUxEDAOBgNVBAgMB0h1bmdhcnkxETAP +BgNVBAcMCERlYnJlY2VuMQ8wDQYDVQQKDAZjb1RVUk4xCzAJBgNVBAMMAkNBMRsw +GQYJKoZIhvcNAQkBFgxtaXNpQG1hamQuZXUwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDYdipZRHPaJTiTVNjFKxG9MIAhX0eVfetePpgNp6gwjAdtGu6J +wUzMZIGQs6tUH5tyI8UvCjJSvietL1HuYp7tRNC6qnJnA6LuoONdnjfs7gspWejY +1YShbTZdhWsNc6Ay/rb6me+MeKkC9Dq9E7wam3JVC+cM7WgAwud4St/OFCqZ8d6X +FmBE8fz4dOUzMcz5/12ewcfGIXVICCb1fPFW7BXFfyQPCAN04NoQvz2QZwkesj+0 +9BXfU+ho6NEoji03+eA6oykAPQpmfHGrVOXa/kQYPLS+xc5JJozMq4iPt+OtW9+y +1KP4qQZPOG63BbM6vWPN9yYV4Jj9MH7TM1aNAgMBAAGgADANBgkqhkiG9w0BAQsF +AAOCAQEAmvXWsoJQneJFFHb+qTNjkA3sHduyB+kQ5qUVlFoT6U6IKyWnVUqAKc9a +eFKw94yq/01cqOBd4MWKTg9k/wjjmkJA9WtXMrVq8HW1rKVRCCJxtzUKTR3pet/z +gs3YwbTlqpljtpn3qEzspMaeyvh391A4IVykDZHGR12+4LqZhoUyGl1QJ7KgQwGM ++Vi2TL3fY8PDxvGFmGvWnUIWYkB31vAuDz1xOqm2JlP0kTHMUPiVBlwJVuHdATy2 +sWZEzsNnXBt2vAVwhTdFEajF4ut8guPQWW8XcTiaEOGJUIY8J4Yb2wqHk+4HsIFV +i2vua41jc90Ki3EA0+QDB7BJAvC4yw== +-----END CERTIFICATE REQUEST----- diff --git a/examples/ca/CA/crlnumber b/examples/ca/CA/crlnumber new file mode 100644 index 00000000..8a0f05e1 --- /dev/null +++ b/examples/ca/CA/crlnumber @@ -0,0 +1 @@ +01 diff --git a/examples/ca/CA/index.txt b/examples/ca/CA/index.txt new file mode 100644 index 00000000..bc5700a1 --- /dev/null +++ b/examples/ca/CA/index.txt @@ -0,0 +1,3 @@ +V 30190707090510Z 4C9BEC95D121491D5D65A71A614667DD42186546 unknown /C=HU/ST=Hungary/O=coTURN/CN=CA/emailAddress=misi@majd.eu +V 300303090521Z 4C9BEC95D121491D5D65A71A614667DD42186547 unknown /C=HU/ST=Hungary/L=Debrecen/O=coTURN/CN=Server/emailAddress=misi@majd.eu +V 300303090542Z 4C9BEC95D121491D5D65A71A614667DD42186548 unknown /C=HU/ST=Hungary/L=Debrecen/O=coTURN/CN=Client/emailAddress=misi@majd.eu diff --git a/examples/ca/CA/index.txt.attr b/examples/ca/CA/index.txt.attr new file mode 100644 index 00000000..8f7e63a3 --- /dev/null +++ b/examples/ca/CA/index.txt.attr 
@@ -0,0 +1 @@ +unique_subject = yes diff --git a/examples/ca/CA/index.txt.attr.old b/examples/ca/CA/index.txt.attr.old new file mode 100644 index 00000000..8f7e63a3 --- /dev/null +++ b/examples/ca/CA/index.txt.attr.old @@ -0,0 +1 @@ +unique_subject = yes diff --git a/examples/ca/CA/index.txt.old b/examples/ca/CA/index.txt.old new file mode 100644 index 00000000..46b0a92b --- /dev/null +++ b/examples/ca/CA/index.txt.old @@ -0,0 +1,2 @@ +V 30190707090510Z 4C9BEC95D121491D5D65A71A614667DD42186546 unknown /C=HU/ST=Hungary/O=coTURN/CN=CA/emailAddress=misi@majd.eu +V 300303090521Z 4C9BEC95D121491D5D65A71A614667DD42186547 unknown /C=HU/ST=Hungary/L=Debrecen/O=coTURN/CN=Server/emailAddress=misi@majd.eu diff --git a/examples/ca/CA/newcerts/4C9BEC95D121491D5D65A71A614667DD42186546.pem b/examples/ca/CA/newcerts/4C9BEC95D121491D5D65A71A614667DD42186546.pem new file mode 100644 index 00000000..a537cac7 --- /dev/null +++ b/examples/ca/CA/newcerts/4C9BEC95D121491D5D65A71A614667DD42186546.pem 
@@ -0,0 +1,80 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 4c:9b:ec:95:d1:21:49:1d:5d:65:a7:1a:61:46:67:dd:42:18:65:46 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=HU, ST=Hungary, O=coTURN, CN=CA/emailAddress=misi@majd.eu + Validity + Not Before: Mar 5 09:05:10 2020 GMT + Not After : Jul 7 09:05:10 3019 GMT + Subject: C=HU, ST=Hungary, O=coTURN, CN=CA/emailAddress=misi@majd.eu + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:d8:76:2a:59:44:73:da:25:38:93:54:d8:c5:2b: + 11:bd:30:80:21:5f:47:95:7d:eb:5e:3e:98:0d:a7: + a8:30:8c:07:6d:1a:ee:89:c1:4c:cc:64:81:90:b3: + ab:54:1f:9b:72:23:c5:2f:0a:32:52:be:27:ad:2f: + 51:ee:62:9e:ed:44:d0:ba:aa:72:67:03:a2:ee:a0: + e3:5d:9e:37:ec:ee:0b:29:59:e8:d8:d5:84:a1:6d: + 36:5d:85:6b:0d:73:a0:32:fe:b6:fa:99:ef:8c:78: + a9:02:f4:3a:bd:13:bc:1a:9b:72:55:0b:e7:0c:ed: + 68:00:c2:e7:78:4a:df:ce:14:2a:99:f1:de:97:16: + 60:44:f1:fc:f8:74:e5:33:31:cc:f9:ff:5d:9e:c1: + c7:c6:21:75:48:08:26:f5:7c:f1:56:ec:15:c5:7f: + 24:0f:08:03:74:e0:da:10:bf:3d:90:67:09:1e:b2: + 3f:b4:f4:15:df:53:e8:68:e8:d1:28:8e:2d:37:f9: + e0:3a:a3:29:00:3d:0a:66:7c:71:ab:54:e5:da:fe: + 44:18:3c:b4:be:c5:ce:49:26:8c:cc:ab:88:8f:b7: + e3:ad:5b:df:b2:d4:a3:f8:a9:06:4f:38:6e:b7:05: + b3:3a:bd:63:cd:f7:26:15:e0:98:fd:30:7e:d3:33: + 56:8d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 1C:27:5E:40:39:8C:EC:71:C7:ED:E9:2A:56:C9:9E:DF:48:EA:82:42 + X509v3 Authority Key Identifier: + keyid:1C:27:5E:40:39:8C:EC:71:C7:ED:E9:2A:56:C9:9E:DF:48:EA:82:42 + + X509v3 Basic Constraints: critical + CA:TRUE + Signature Algorithm: sha256WithRSAEncryption + b4:d5:d9:7a:46:1e:1a:95:02:b5:7e:86:45:16:26:d5:8a:11: + b9:34:98:58:df:cd:0c:d5:a5:f2:cc:24:1a:22:f4:c7:3e:50: + 39:40:f5:d6:e8:3b:9c:05:e9:f9:95:9b:c2:01:3b:69:d5:ba: + 4f:cf:7c:a6:7c:6e:f4:24:a3:d1:88:e2:29:60:ca:6d:b0:ee: + a6:b8:d1:5f:49:d5:08:a6:c2:79:3a:3f:8a:63:ec:53:ef:48: + 
00:8c:61:d2:0f:38:e0:00:ac:6d:a6:bf:ed:6a:42:c3:cf:4e: + e3:0d:48:c5:a7:6d:5e:af:5a:e4:30:26:ba:19:2a:a5:57:da: + ce:b7:b6:45:24:fb:36:b6:a3:6c:55:ca:9f:91:19:29:db:a4: + 22:d4:45:53:b9:79:6a:a7:5e:90:a3:4d:3b:c1:b6:2b:52:41: + 97:7d:9e:0c:cf:0a:5f:ce:0e:fe:bf:a9:e5:b7:60:17:f5:93: + 4b:b5:6d:2d:51:a6:c1:54:65:f9:e1:5c:21:8d:3d:19:0c:dc: + 2c:c9:17:40:65:15:d0:ad:98:06:a0:11:aa:87:b3:2d:03:29: + 37:24:f6:42:a8:d5:58:ae:55:20:c3:37:a3:62:33:36:34:73: + 98:bc:70:30:aa:33:b0:e4:86:b6:d9:22:79:1f:3f:68:6f:f5: + 66:75:e8:70 +-----BEGIN CERTIFICATE----- +MIIDlzCCAn+gAwIBAgIUTJvsldEhSR1dZacaYUZn3UIYZUYwDQYJKoZIhvcNAQEL +BQAwWjELMAkGA1UEBhMCSFUxEDAOBgNVBAgMB0h1bmdhcnkxDzANBgNVBAoMBmNv +VFVSTjELMAkGA1UEAwwCQ0ExGzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5ldTAg +Fw0yMDAzMDUwOTA1MTBaGA8zMDE5MDcwNzA5MDUxMFowWjELMAkGA1UEBhMCSFUx +EDAOBgNVBAgMB0h1bmdhcnkxDzANBgNVBAoMBmNvVFVSTjELMAkGA1UEAwwCQ0Ex +GzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5ldTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBANh2KllEc9olOJNU2MUrEb0wgCFfR5V9614+mA2nqDCMB20a +7onBTMxkgZCzq1Qfm3IjxS8KMlK+J60vUe5inu1E0LqqcmcDou6g412eN+zuCylZ +6NjVhKFtNl2Faw1zoDL+tvqZ74x4qQL0Or0TvBqbclUL5wztaADC53hK384UKpnx +3pcWYETx/Ph05TMxzPn/XZ7Bx8YhdUgIJvV88VbsFcV/JA8IA3Tg2hC/PZBnCR6y +P7T0Fd9T6Gjo0SiOLTf54DqjKQA9CmZ8catU5dr+RBg8tL7FzkkmjMyriI+3461b +37LUo/ipBk84brcFszq9Y833JhXgmP0wftMzVo0CAwEAAaNTMFEwHQYDVR0OBBYE +FBwnXkA5jOxxx+3pKlbJnt9I6oJCMB8GA1UdIwQYMBaAFBwnXkA5jOxxx+3pKlbJ +nt9I6oJCMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBALTV2XpG +HhqVArV+hkUWJtWKEbk0mFjfzQzVpfLMJBoi9Mc+UDlA9dboO5wF6fmVm8IBO2nV +uk/PfKZ8bvQko9GI4ilgym2w7qa40V9J1Qimwnk6P4pj7FPvSACMYdIPOOAArG2m +v+1qQsPPTuMNSMWnbV6vWuQwJroZKqVX2s63tkUk+za2o2xVyp+RGSnbpCLURVO5 +eWqnXpCjTTvBtitSQZd9ngzPCl/ODv6/qeW3YBf1k0u1bS1RpsFUZfnhXCGNPRkM +3CzJF0BlFdCtmAagEaqHsy0DKTck9kKo1ViuVSDDN6NiMzY0c5i8cDCqM7DkhrbZ +InkfP2hv9WZ16HA= +-----END CERTIFICATE----- 
diff --git a/examples/ca/CA/newcerts/4C9BEC95D121491D5D65A71A614667DD42186547.pem b/examples/ca/CA/newcerts/4C9BEC95D121491D5D65A71A614667DD42186547.pem
new file mode 100644
index 00000000..2a1fea87
--- /dev/null
+++ b/examples/ca/CA/newcerts/4C9BEC95D121491D5D65A71A614667DD42186547.pem
@@ -0,0 +1,80 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 4c:9b:ec:95:d1:21:49:1d:5d:65:a7:1a:61:46:67:dd:42:18:65:47 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=HU, ST=Hungary, O=coTURN, CN=CA/emailAddress=misi@majd.eu + Validity + Not Before: Mar 5 09:05:21 2020 GMT + Not After : Mar 3 09:05:21 2030 GMT + Subject: C=HU, ST=Hungary, L=Debrecen, O=coTURN, CN=Server/emailAddress=misi@majd.eu + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:bc:db:f7:17:35:17:7c:46:79:64:89:61:5f:ac: + cf:8f:6d:97:13:87:8a:d6:f1:ab:df:f6:69:4e:04: + 57:c1:4d:6c:3d:77:c9:50:0d:3d:b6:89:cd:ac:00: + b5:02:45:e4:4c:78:ef:6f:18:7e:57:4e:bc:62:4d: + f6:de:6c:c8:77:ea:c5:b2:b4:65:2d:46:76:bf:5e: + 5f:f8:45:78:55:f4:4d:20:ac:91:f0:4f:23:cb:5d: + 40:29:44:de:9c:f7:0a:e6:48:a4:80:35:dd:cb:e8: + 02:90:59:f7:31:f9:4c:50:fe:98:ef:dd:7f:60:51: + 2d:44:0a:14:a2:57:96:51:36:3f:73:66:db:45:5f: + bd:9d:f4:82:3a:ce:ab:75:4f:d0:90:6d:43:d1:7b: + 2f:77:31:88:db:2f:4a:a9:4e:62:39:c7:14:7f:39: + ef:e2:08:b7:18:a7:6c:f8:d9:35:d5:a3:f8:64:f5: + 02:51:22:1b:8e:7a:c5:44:ae:df:b1:17:0b:71:df: + 09:82:89:49:70:c5:9b:a0:f3:3c:02:48:75:e7:81: + f9:24:51:56:24:3b:ff:b8:68:d3:13:2e:a2:f4:d1: + 70:33:a9:7a:d6:17:fd:ca:a5:6b:13:74:c9:ce:b6: + 26:4f:01:ff:eb:ba:b5:f9:a1:70:80:da:11:df:a3: + 7b:4f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 38:C1:E5:77:D3:01:6B:7A:A7:D8:18:6B:50:D6:FA:0E:D6:D9:B4:4F + X509v3 Authority Key Identifier: + keyid:1C:27:5E:40:39:8C:EC:71:C7:ED:E9:2A:56:C9:9E:DF:48:EA:82:42 + + X509v3 Basic Constraints: critical + CA:TRUE + Signature Algorithm: sha256WithRSAEncryption + a3:37:55:68:68:02:9f:af:d6:b1:38:b3:d8:bf:30:27:33:6f: + 21:4c:09:ee:cf:24:d2:eb:cf:1c:7a:15:98:6d:10:94:e0:4a: + 1f:88:5c:43:90:09:78:c1:a6:82:06:16:f2:8c:d1:3a:c5:3b: + 99:67:35:3c:00:bf:9f:a2:6a:e7:33:85:83:88:72:88:e4:d2: + 83:1c:6c:49:92:5f:51:80:0d:92:0f:99:4d:cb:2a:18:4d:68: + 
b7:b6:d1:de:54:22:71:88:8d:04:45:c5:13:34:8d:52:7a:f7: + 2a:e7:cb:b2:41:20:7b:ef:aa:d0:58:93:b5:e6:b5:fa:8b:22: + a3:ed:a7:81:9b:ca:50:f7:d0:bd:5f:f2:52:6d:8b:af:af:64: + 36:9d:6d:81:ce:50:29:b7:db:d0:ac:a3:1d:78:77:90:29:a3: + 84:10:69:13:e9:47:fc:e1:1e:c2:74:55:61:11:65:2d:77:e1: + ca:9f:2d:6f:2f:76:f6:69:bc:09:50:9a:b0:48:05:a2:53:e6: + 93:46:81:0d:04:8b:cd:fb:a4:a7:82:08:78:f9:87:dc:0a:07: + 91:1f:de:09:fa:00:5a:16:1a:2b:5c:83:10:03:33:2f:ad:8c: + 9a:eb:94:0f:77:b1:9b:ec:e6:0e:dc:84:dd:35:3f:b5:8a:d2: + 06:0e:88:d7 +-----BEGIN CERTIFICATE----- +MIIDrDCCApSgAwIBAgIUTJvsldEhSR1dZacaYUZn3UIYZUcwDQYJKoZIhvcNAQEL +BQAwWjELMAkGA1UEBhMCSFUxEDAOBgNVBAgMB0h1bmdhcnkxDzANBgNVBAoMBmNv +VFVSTjELMAkGA1UEAwwCQ0ExGzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5ldTAe +Fw0yMDAzMDUwOTA1MjFaFw0zMDAzMDMwOTA1MjFaMHExCzAJBgNVBAYTAkhVMRAw +DgYDVQQIDAdIdW5nYXJ5MREwDwYDVQQHDAhEZWJyZWNlbjEPMA0GA1UECgwGY29U +VVJOMQ8wDQYDVQQDDAZTZXJ2ZXIxGzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5l +dTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALzb9xc1F3xGeWSJYV+s +z49tlxOHitbxq9/2aU4EV8FNbD13yVANPbaJzawAtQJF5Ex4728YfldOvGJN9t5s +yHfqxbK0ZS1Gdr9eX/hFeFX0TSCskfBPI8tdQClE3pz3CuZIpIA13cvoApBZ9zH5 +TFD+mO/df2BRLUQKFKJXllE2P3Nm20VfvZ30gjrOq3VP0JBtQ9F7L3cxiNsvSqlO +YjnHFH857+IItxinbPjZNdWj+GT1AlEiG456xUSu37EXC3HfCYKJSXDFm6DzPAJI +deeB+SRRViQ7/7ho0xMuovTRcDOpetYX/cqlaxN0yc62Jk8B/+u6tfmhcIDaEd+j +e08CAwEAAaNTMFEwHQYDVR0OBBYEFDjB5XfTAWt6p9gYa1DW+g7W2bRPMB8GA1Ud +IwQYMBaAFBwnXkA5jOxxx+3pKlbJnt9I6oJCMA8GA1UdEwEB/wQFMAMBAf8wDQYJ +KoZIhvcNAQELBQADggEBAKM3VWhoAp+v1rE4s9i/MCczbyFMCe7PJNLrzxx6FZht +EJTgSh+IXEOQCXjBpoIGFvKM0TrFO5lnNTwAv5+iauczhYOIcojk0oMcbEmSX1GA +DZIPmU3LKhhNaLe20d5UInGIjQRFxRM0jVJ69yrny7JBIHvvqtBYk7XmtfqLIqPt +p4GbylD30L1f8lJti6+vZDadbYHOUCm329Csox14d5Apo4QQaRPpR/zhHsJ0VWER +ZS134cqfLW8vdvZpvAlQmrBIBaJT5pNGgQ0Ei837pKeCCHj5h9wKB5Ef3gn6AFoW +GitcgxADMy+tjJrrlA93sZvs5g7chN01P7WK0gYOiNc= +-----END CERTIFICATE----- 
diff --git a/examples/ca/CA/newcerts/4C9BEC95D121491D5D65A71A614667DD42186548.pem b/examples/ca/CA/newcerts/4C9BEC95D121491D5D65A71A614667DD42186548.pem
new file mode 100644
index 00000000..22cb0b19
--- /dev/null
+++ b/examples/ca/CA/newcerts/4C9BEC95D121491D5D65A71A614667DD42186548.pem
@@ -0,0 +1,80 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 4c:9b:ec:95:d1:21:49:1d:5d:65:a7:1a:61:46:67:dd:42:18:65:48 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=HU, ST=Hungary, O=coTURN, CN=CA/emailAddress=misi@majd.eu + Validity + Not Before: Mar 5 09:05:42 2020 GMT + Not After : Mar 3 09:05:42 2030 GMT + Subject: C=HU, ST=Hungary, L=Debrecen, O=coTURN, CN=Client/emailAddress=misi@majd.eu + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:af:6d:38:31:23:12:12:e7:5a:8d:ed:1c:02:7e: + bf:c2:ef:7a:d1:c0:b2:4b:b4:38:9b:a7:5d:dd:01: + 2c:a0:e7:7c:5b:7a:4d:71:4b:c9:5b:77:e8:b3:4c: + 92:5b:8c:43:57:b6:c9:8c:44:66:6a:9e:8c:f2:76: + 58:a2:f5:38:a3:4f:ef:af:5a:c7:bf:e5:72:98:c0: + b8:2e:a1:75:cc:16:8b:bf:a3:6a:e6:fd:c9:25:35: + 92:31:b2:78:2a:42:7b:a1:ce:25:be:32:45:6e:0b: + 36:22:f8:6c:9c:f3:8f:bf:c8:8c:79:d5:59:02:f5: + de:1f:67:fc:ef:c7:27:88:a7:35:b1:d7:ee:dc:1c: + 74:11:fc:3c:56:33:b5:e7:88:ce:f3:ce:db:b9:3c: + e0:eb:15:bc:00:5f:29:f4:9c:8e:4d:61:df:da:aa: + f4:fc:fb:e7:4b:75:dc:dc:cf:f0:4b:3b:67:cf:bf: + 35:b8:0f:5b:20:94:60:dd:3b:e5:7a:ec:0e:30:2c: + c1:fb:f6:21:5b:ed:80:34:9d:59:5c:95:39:a2:61: + a4:13:fa:57:b9:f5:85:d4:a1:bf:91:cf:d7:dc:ac: + fa:32:47:ee:d2:86:9b:14:d1:35:88:1e:2d:9f:39: + 74:86:de:f1:04:de:e1:39:2f:a8:91:bf:8b:f7:4f: + 7c:e5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 32:BA:14:26:42:B6:5B:9E:3C:F1:53:1A:FD:DB:CB:FE:B1:A2:74:6C + X509v3 Authority Key Identifier: + keyid:1C:27:5E:40:39:8C:EC:71:C7:ED:E9:2A:56:C9:9E:DF:48:EA:82:42 + + X509v3 Basic Constraints: critical + CA:TRUE + Signature Algorithm: sha256WithRSAEncryption + 6b:93:56:56:81:fb:34:9e:15:2e:3e:b2:2c:73:72:60:f2:1a: + a8:bf:c3:f0:c7:57:00:48:37:2a:1c:63:71:1b:29:f4:2b:dc: + 64:07:f8:72:80:65:18:c7:74:23:c1:02:00:d8:93:1d:4f:2b: + 8c:46:34:1e:d2:6a:5c:ab:8d:ff:a7:fe:e5:c2:bf:33:55:ea: + 2b:e2:70:e9:24:4c:4d:31:d4:dd:10:55:f5:bb:2c:a5:ec:f6: + 
8f:7a:05:1c:6c:7d:cf:85:6b:29:a7:bd:fe:a2:bc:00:45:b8: + ac:70:c7:c9:67:93:0a:5c:d7:52:a3:c9:fc:6c:ef:52:b2:6b: + bc:5b:f9:e1:9b:27:07:39:28:28:7f:a0:70:62:af:4f:42:82: + dd:ec:23:4d:fc:8e:19:51:87:cc:d0:29:d5:27:44:9c:fa:b5: + 51:ea:31:eb:51:84:3f:07:5b:c0:57:5d:2a:c7:15:ed:9c:46: + ac:8e:14:8b:4d:82:0e:b4:6a:47:db:37:f3:03:08:86:b6:25: + 0b:92:6d:99:a9:99:45:4e:38:45:e0:a2:4e:e7:34:50:51:ab: + f8:c8:ef:26:3d:7f:9f:8f:45:20:cf:f5:31:27:b6:00:3a:e0: + 4a:d5:62:9a:29:27:9b:aa:3a:95:56:1c:d7:65:15:ce:35:10: + 2a:7e:cc:b6 +-----BEGIN CERTIFICATE----- +MIIDrDCCApSgAwIBAgIUTJvsldEhSR1dZacaYUZn3UIYZUgwDQYJKoZIhvcNAQEL +BQAwWjELMAkGA1UEBhMCSFUxEDAOBgNVBAgMB0h1bmdhcnkxDzANBgNVBAoMBmNv +VFVSTjELMAkGA1UEAwwCQ0ExGzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5ldTAe +Fw0yMDAzMDUwOTA1NDJaFw0zMDAzMDMwOTA1NDJaMHExCzAJBgNVBAYTAkhVMRAw +DgYDVQQIDAdIdW5nYXJ5MREwDwYDVQQHDAhEZWJyZWNlbjEPMA0GA1UECgwGY29U +VVJOMQ8wDQYDVQQDDAZDbGllbnQxGzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5l +dTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK9tODEjEhLnWo3tHAJ+ +v8LvetHAsku0OJunXd0BLKDnfFt6TXFLyVt36LNMkluMQ1e2yYxEZmqejPJ2WKL1 +OKNP769ax7/lcpjAuC6hdcwWi7+jaub9ySU1kjGyeCpCe6HOJb4yRW4LNiL4bJzz +j7/IjHnVWQL13h9n/O/HJ4inNbHX7twcdBH8PFYzteeIzvPO27k84OsVvABfKfSc +jk1h39qq9Pz750t13NzP8Es7Z8+/NbgPWyCUYN075XrsDjAswfv2IVvtgDSdWVyV +OaJhpBP6V7n1hdShv5HP19ys+jJH7tKGmxTRNYgeLZ85dIbe8QTe4TkvqJG/i/dP +fOUCAwEAAaNTMFEwHQYDVR0OBBYEFDK6FCZCtluePPFTGv3by/6xonRsMB8GA1Ud +IwQYMBaAFBwnXkA5jOxxx+3pKlbJnt9I6oJCMA8GA1UdEwEB/wQFMAMBAf8wDQYJ +KoZIhvcNAQELBQADggEBAGuTVlaB+zSeFS4+sixzcmDyGqi/w/DHVwBINyocY3Eb +KfQr3GQH+HKAZRjHdCPBAgDYkx1PK4xGNB7Salyrjf+n/uXCvzNV6ivicOkkTE0x +1N0QVfW7LKXs9o96BRxsfc+Faymnvf6ivABFuKxwx8lnkwpc11Kjyfxs71Kya7xb ++eGbJwc5KCh/oHBir09Cgt3sI038jhlRh8zQKdUnRJz6tVHqMetRhD8HW8BXXSrH +Fe2cRqyOFItNgg60akfbN/MDCIa2JQuSbZmpmUVOOEXgok7nNFBRq/jI7yY9f5+P +RSDP9TEntgA64ErVYpopJ5uqOpVWHNdlFc41ECp+zLY= +-----END CERTIFICATE----- 
diff --git a/examples/ca/CA/private/cakey.pem b/examples/ca/CA/private/cakey.pem
new file mode 100644
index 00000000..8b102d39
--- /dev/null
+++ b/examples/ca/CA/private/cakey.pem
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIeK2OY7PJbzYCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECKP+q72oc4q7BIIEyHkaZfqjSX9W
+HIHqbQtHOMlAtqSxmAyV6C3pXLwNuEpo4cYwyPUdJwMNxm8OjsxuH708daZu5QWl
+7EVNV4WY9ff4/4geJAp9ZrqJN5TsgFIUyss5NzHjTMPUz/yunr0Hk5OOVLusTCqF
+Ys0Qdo2Gy33NZCK53U22pa0S/szppN4DIDujSOuUAiyxJdz12cCUyw/OlAXvDLJb
+I9oObKWpbYBtJSLk5aWblZDUTVmFWngkTIc76wchBXu7WntLjXdMG2lv4Gy/ozUb
+vsYvEADNRJFOpYyfWvmEFNKvEcVxfzshnms9TdzhDCmYhmYR+NfamYq5Om+81Pv3
+h+z1Zd7x3uYs8NM+DbRKhwHS6jkQCxelWdQbeSJj/Fz9VpWSrJlkmhXI+7qkBCsv
+DVoz017Y2zK/iM5JRPTH65tnNMeH61Zj4EOHBEzMBE6EvugJcSqPXfBKtVMwVAzV
+Mva8gtOlMN0Ce9dmG+HZKDek6S++5AbkxuOwRb+YOVXjUrNXXf0YqglM9Nb/RCr4
+Z+gkuTCwARJZqjebZnUw1mSZp2R89X774wNDHAlw96tSW2OZlfPmbvXBnwT7QwPm
+YBZT6CrLL7LEIs0G5zFh1L/PCQi7EyNaE9Ixw52nqc5Ej2M6Rj6XcdCRdw5IKmh/
+BbTzD0LxfNh+XKpAIzkuNfGkwUVtfldmfpW3xRKzI1o+rbgDGMA/eEFYWmyE9326
+/vsv7daE4zWAG4O5OdGKMKBABCqM92X2YU7bZoNQS25dy7uZsQ8zvkcI1Q1GKMW0
+Lg2oDTSTSrPRVgLAcb0o06Frvler5F277OBfBm1+6+7aL3hct4TZjb+0pp5SuxrS
+7PpRXMFYzbQ+Z7YrRv6uwrrxVl99Ok/jBGLYT+CllZ+PNvRbcgsy0xUIz6KTbQQZ
+H4qqkObdKFHQLqfP9+YUwjE2akR/prOR2Dfoq648L/eEF4qpGCADaXFoHODWfiqz
+VQHvLP4FN4ppYn3jB4lSTIl+7s92XznK5aN5AERRdUIfjPnZB8lQkDP/qwwCI0Ki
+SRxUtsrMef1biTKL5HI3On2wPLFQCGVEmiQoD8uEqaB/vAdJy5ZdQ3HA547TxLmy
+TJ6je8QMFUcO3n1pJWeUHuL+WyGrcstOEkZiFQyVpAFFeS7h6u2UI7HyNXGaP1mk
++vWulewlMjWHw05qG9wLqEiDkpZgmx4garfWbR2rggBu1Jlg4svS2jdmytuKQ735
+E1e5g7TCSzv6sHzdHfQ2WaVvfM5YfxqWpgPhNH2t7rScoLTvI2txyhpIIEIMn+ip
+tBM15Ai+L92gr4wLJlsBOcKOWSN46ucqQsGla3so0PZAtU4hVPEJ+PzaR2czStUk
+MzrKfG1qox+JW8BBiW2zV2idKy2440Sn/NSqMyvZgEFn7GDaAcTsZi2FhRLT1Fg+
+2c5viBTaCRdh20QDQQu3skEhbFU5GjeZEqCO25hX5L3BZPnQtwQujc2RU9aGWwPm
+o/nrp8ilBRI18qFdxfqFEV6ftdVNXlrV+cMgtuwPNX6vnmKWjN67/cDIUML3ab+e
+9cx0rBvCBvMn7Q0AvY/RcsVP0DaLmov7ciuvih0ptCgYThov7FJ2V+q+2LbNLwSc
+qpi/6R+l6bIjP0UITKZlug==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/examples/ca/CA/serial b/examples/ca/CA/serial
new file mode 100644
index 00000000..a0942577
--- /dev/null
+++ b/examples/ca/CA/serial
@@ -0,0 +1 @@
+4C9BEC95D121491D5D65A71A614667DD42186549
diff --git a/examples/ca/CA/serial.old b/examples/ca/CA/serial.old
new file mode 100644
index 00000000..bfc6fa16
--- /dev/null
+++ b/examples/ca/CA/serial.old
@@ -0,0 +1 @@
+4C9BEC95D121491D5D65A71A614667DD42186548
diff --git a/examples/ca/openssl.conf b/examples/ca/openssl.conf
new file mode 100644
index 00000000..e18aa4e5
--- /dev/null
+++ b/examples/ca/openssl.conf
@@ -0,0 +1,364 @@ +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# Note that you can include other files from the main configuration +# file using the .include directive. +#.include filename + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . + +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# System default +openssl_conf = default_conf + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +# Policies used by the TSA examples. +tsa_policy1 = 1.2.3.4.1 +tsa_policy2 = 1.2.3.4.5.6 +tsa_policy3 = 1.2.3.4.5.7 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = ./CA # Where everything is kept +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several certs with same subject. +new_certs_dir = $dir/newcerts # default place for new certs. 
+ +certificate = $dir/cacert.pem # The CA certificate +serial = $dir/serial # The current serial number +crlnumber = $dir/crlnumber # the current crl number + # must be commented out to leave a V1 CRL +crl = $dir/crl.pem # The current CRL +private_key = $dir/private/cakey.pem# The private key + +x509_extensions = usr_cert # The extensions to add to the cert + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. +# crl_extensions = crl_ext + +default_days = 3650 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = default # use public key default MD +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. 
+[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = 2048 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extensions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString (PKIX recommendation before 2004) +# utf8only: only UTF8Strings (PKIX recommendation after 2004). +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. +string_mask = utf8only + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = HU +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = Hungary + +localityName = Locality Name (eg, city) +localityName_default = Debrecen + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = coTURN + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +#organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (e.g. 
server FQDN or YOUR name) +commonName_max = 64 + +emailAddress = Email Address +emailAddress_default = misi@majd.eu +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +#challengePassword = A challenge password +#challengePassword_min = 4 +#challengePassword_max = 20 + +#unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This is required for TSA certificates. 
+# extendedKeyUsage = critical,timeStamping + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer + +basicConstraints = critical,CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always + +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. 
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This really needs to be in place for it to be a proxy certificate. +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo + +#################################################################### +[ tsa ] + +default_tsa = tsa_config1 # the default TSA section + +[ tsa_config1 ] + +# These are used by the TSA reply generation only. +dir = ./CA # TSA root directory +serial = $dir/tsaserial # The current serial number (mandatory) +crypto_device = builtin # OpenSSL engine to use for signing +signer_cert = $dir/tsacert.pem # The TSA signing certificate + # (optional) +certs = $dir/cacert.pem # Certificate chain to include in reply + # (optional) +signer_key = $dir/private/tsakey.pem # The TSA private key (optional) +signer_digest = sha256 # Signing digest to use. (Optional) +default_policy = tsa_policy1 # Policy if request did not specify it + # (optional) +other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) +digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) +accuracy = secs:1, millisecs:500, microsecs:100 # (optional) +clock_precision_digits = 0 # number of digits after dot. (optional) +ordering = yes # Is ordering defined for timestamps? 
+ # (optional, default: no) +tsa_name = yes # Must the TSA name be included in the reply? + # (optional, default: no) +ess_cert_id_chain = no # Must the ESS cert id chain be included? + # (optional, default: no) +ess_cert_id_alg = sha1 # algorithm to compute certificate + # identifier (optional, default: sha1) +[default_conf] +ssl_conf = ssl_sect + +[ssl_sect] +system_default = system_default_sect + +[system_default_sect] +MinProtocol = TLSv1.2 +CipherString = DEFAULT@SECLEVEL=2 diff --git a/examples/ca/run.sh b/examples/ca/run.sh new file mode 100755 index 00000000..77d6f86c --- /dev/null +++ b/examples/ca/run.sh @@ -0,0 +1,16 @@ +#!/bin/bash +#set -x +# key passwd: coTURN +cp /usr/lib/ssl/misc/CA.pl ./CA.pl +patch < CA.pl.diff +export OPENSSL_CONFIG="-config openssl.conf" +./CA.pl -newca + +for i in "server" "client"; +do + ./CA.pl -newreq-nodes + ./CA.pl -signCA + mv newcert.pem turn_${i}_cert.pem + mv newkey.pem turn_${i}_pkey.pem + rm newreq.pem +done; diff --git a/examples/ca/turn_client_cert.pem b/examples/ca/turn_client_cert.pem new file mode 100644 index 00000000..22cb0b19 --- /dev/null +++ b/examples/ca/turn_client_cert.pem 
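Review bot: `[ usr_cert ]` (selected by `x509_extensions = usr_cert` in `[ CA_default ]`) sets only `basicConstraints=CA:FALSE`, and `[ v3_ca ]` leaves `keyUsage` commented out, so no certificate produced from this config carries a keyUsage, extendedKeyUsage or subjectAltName; the turn_server_cert.pem added in this patch indeed has CN=Server and no SAN, which hostname-verifying TLS clients reject. For the server certificate add to `usr_cert` something like `keyUsage = digitalSignature, keyEncipherment`, `extendedKeyUsage = serverAuth` and `subjectAltName = DNS:<server-hostname>` (placeholder), and for the client `extendedKeyUsage = clientAuth`; these only take effect if run.sh signs with `-sign` (usr_cert) rather than `-signCA`. The `[ proxy_cert_ext ]` and TSA sections are unused by this example and could be dropped so the file shows only what the generated CA actually relies on.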
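Review bot: The loop signs both requests with `./CA.pl -signCA`, which issues them with the CA extension set — the resulting turn_server_cert.pem and turn_client_cert.pem in this patch (and the copies under CA/newcerts/) carry `X509v3 Basic Constraints: critical CA:TRUE`, so either leaf key can mint further certificates that chain to this CA. `./CA.pl -sign` uses the `usr_cert` section with `basicConstraints=CA:FALSE` and is the right call for end-entity certificates. The script also has no error handling: if `cp` or `patch` fails it still runs `./CA.pl -newca` and the loop, so put `set -euo pipefail` after the shebang; the hard-coded `/usr/lib/ssl/misc/CA.pl` path is Debian-specific and is worth a comment or an existence check.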
@@ -0,0 +1,80 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 4c:9b:ec:95:d1:21:49:1d:5d:65:a7:1a:61:46:67:dd:42:18:65:48 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=HU, ST=Hungary, O=coTURN, CN=CA/emailAddress=misi@majd.eu + Validity + Not Before: Mar 5 09:05:42 2020 GMT + Not After : Mar 3 09:05:42 2030 GMT + Subject: C=HU, ST=Hungary, L=Debrecen, O=coTURN, CN=Client/emailAddress=misi@majd.eu + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:af:6d:38:31:23:12:12:e7:5a:8d:ed:1c:02:7e: + bf:c2:ef:7a:d1:c0:b2:4b:b4:38:9b:a7:5d:dd:01: + 2c:a0:e7:7c:5b:7a:4d:71:4b:c9:5b:77:e8:b3:4c: + 92:5b:8c:43:57:b6:c9:8c:44:66:6a:9e:8c:f2:76: + 58:a2:f5:38:a3:4f:ef:af:5a:c7:bf:e5:72:98:c0: + b8:2e:a1:75:cc:16:8b:bf:a3:6a:e6:fd:c9:25:35: + 92:31:b2:78:2a:42:7b:a1:ce:25:be:32:45:6e:0b: + 36:22:f8:6c:9c:f3:8f:bf:c8:8c:79:d5:59:02:f5: + de:1f:67:fc:ef:c7:27:88:a7:35:b1:d7:ee:dc:1c: + 74:11:fc:3c:56:33:b5:e7:88:ce:f3:ce:db:b9:3c: + e0:eb:15:bc:00:5f:29:f4:9c:8e:4d:61:df:da:aa: + f4:fc:fb:e7:4b:75:dc:dc:cf:f0:4b:3b:67:cf:bf: + 35:b8:0f:5b:20:94:60:dd:3b:e5:7a:ec:0e:30:2c: + c1:fb:f6:21:5b:ed:80:34:9d:59:5c:95:39:a2:61: + a4:13:fa:57:b9:f5:85:d4:a1:bf:91:cf:d7:dc:ac: + fa:32:47:ee:d2:86:9b:14:d1:35:88:1e:2d:9f:39: + 74:86:de:f1:04:de:e1:39:2f:a8:91:bf:8b:f7:4f: + 7c:e5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 32:BA:14:26:42:B6:5B:9E:3C:F1:53:1A:FD:DB:CB:FE:B1:A2:74:6C + X509v3 Authority Key Identifier: + keyid:1C:27:5E:40:39:8C:EC:71:C7:ED:E9:2A:56:C9:9E:DF:48:EA:82:42 + + X509v3 Basic Constraints: critical + CA:TRUE + Signature Algorithm: sha256WithRSAEncryption + 6b:93:56:56:81:fb:34:9e:15:2e:3e:b2:2c:73:72:60:f2:1a: + a8:bf:c3:f0:c7:57:00:48:37:2a:1c:63:71:1b:29:f4:2b:dc: + 64:07:f8:72:80:65:18:c7:74:23:c1:02:00:d8:93:1d:4f:2b: + 8c:46:34:1e:d2:6a:5c:ab:8d:ff:a7:fe:e5:c2:bf:33:55:ea: + 2b:e2:70:e9:24:4c:4d:31:d4:dd:10:55:f5:bb:2c:a5:ec:f6: + 
8f:7a:05:1c:6c:7d:cf:85:6b:29:a7:bd:fe:a2:bc:00:45:b8: + ac:70:c7:c9:67:93:0a:5c:d7:52:a3:c9:fc:6c:ef:52:b2:6b: + bc:5b:f9:e1:9b:27:07:39:28:28:7f:a0:70:62:af:4f:42:82: + dd:ec:23:4d:fc:8e:19:51:87:cc:d0:29:d5:27:44:9c:fa:b5: + 51:ea:31:eb:51:84:3f:07:5b:c0:57:5d:2a:c7:15:ed:9c:46: + ac:8e:14:8b:4d:82:0e:b4:6a:47:db:37:f3:03:08:86:b6:25: + 0b:92:6d:99:a9:99:45:4e:38:45:e0:a2:4e:e7:34:50:51:ab: + f8:c8:ef:26:3d:7f:9f:8f:45:20:cf:f5:31:27:b6:00:3a:e0: + 4a:d5:62:9a:29:27:9b:aa:3a:95:56:1c:d7:65:15:ce:35:10: + 2a:7e:cc:b6 +-----BEGIN CERTIFICATE----- +MIIDrDCCApSgAwIBAgIUTJvsldEhSR1dZacaYUZn3UIYZUgwDQYJKoZIhvcNAQEL +BQAwWjELMAkGA1UEBhMCSFUxEDAOBgNVBAgMB0h1bmdhcnkxDzANBgNVBAoMBmNv +VFVSTjELMAkGA1UEAwwCQ0ExGzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5ldTAe +Fw0yMDAzMDUwOTA1NDJaFw0zMDAzMDMwOTA1NDJaMHExCzAJBgNVBAYTAkhVMRAw +DgYDVQQIDAdIdW5nYXJ5MREwDwYDVQQHDAhEZWJyZWNlbjEPMA0GA1UECgwGY29U +VVJOMQ8wDQYDVQQDDAZDbGllbnQxGzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5l +dTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK9tODEjEhLnWo3tHAJ+ +v8LvetHAsku0OJunXd0BLKDnfFt6TXFLyVt36LNMkluMQ1e2yYxEZmqejPJ2WKL1 +OKNP769ax7/lcpjAuC6hdcwWi7+jaub9ySU1kjGyeCpCe6HOJb4yRW4LNiL4bJzz +j7/IjHnVWQL13h9n/O/HJ4inNbHX7twcdBH8PFYzteeIzvPO27k84OsVvABfKfSc +jk1h39qq9Pz750t13NzP8Es7Z8+/NbgPWyCUYN075XrsDjAswfv2IVvtgDSdWVyV +OaJhpBP6V7n1hdShv5HP19ys+jJH7tKGmxTRNYgeLZ85dIbe8QTe4TkvqJG/i/dP +fOUCAwEAAaNTMFEwHQYDVR0OBBYEFDK6FCZCtluePPFTGv3by/6xonRsMB8GA1Ud +IwQYMBaAFBwnXkA5jOxxx+3pKlbJnt9I6oJCMA8GA1UdEwEB/wQFMAMBAf8wDQYJ +KoZIhvcNAQELBQADggEBAGuTVlaB+zSeFS4+sixzcmDyGqi/w/DHVwBINyocY3Eb +KfQr3GQH+HKAZRjHdCPBAgDYkx1PK4xGNB7Salyrjf+n/uXCvzNV6ivicOkkTE0x +1N0QVfW7LKXs9o96BRxsfc+Faymnvf6ivABFuKxwx8lnkwpc11Kjyfxs71Kya7xb ++eGbJwc5KCh/oHBir09Cgt3sI038jhlRh8zQKdUnRJz6tVHqMetRhD8HW8BXXSrH +Fe2cRqyOFItNgg60akfbN/MDCIa2JQuSbZmpmUVOOEXgok7nNFBRq/jI7yY9f5+P +RSDP9TEntgA64ErVYpopJ5uqOpVWHNdlFc41ECp+zLY= +-----END CERTIFICATE----- 
diff --git a/examples/ca/turn_client_pkey.pem b/examples/ca/turn_client_pkey.pem
new file mode 100644
index 00000000..f48c3221
--- /dev/null
+++ b/examples/ca/turn_client_pkey.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCvbTgxIxIS51qN
+7RwCfr/C73rRwLJLtDibp13dASyg53xbek1xS8lbd+izTJJbjENXtsmMRGZqnozy
+dlii9TijT++vWse/5XKYwLguoXXMFou/o2rm/cklNZIxsngqQnuhziW+MkVuCzYi
++Gyc84+/yIx51VkC9d4fZ/zvxyeIpzWx1+7cHHQR/DxWM7XniM7zztu5PODrFbwA
+Xyn0nI5NYd/aqvT8++dLddzcz/BLO2fPvzW4D1sglGDdO+V67A4wLMH79iFb7YA0
+nVlclTmiYaQT+le59YXUob+Rz9fcrPoyR+7ShpsU0TWIHi2fOXSG3vEE3uE5L6iR
+v4v3T3zlAgMBAAECggEBAINzP+vx75UirwQybA6ik2aqtEmALxnzDYf1PaxhOOPJ
+EbIqTuVaeKOFkmToN7NJwxxy50un5WZ3L/5vF7PkNHCLcXrgd1UfxWMY5eprKi2n
+p0gOWAiGmra7EbUTml9wOdvg8P84BDaVSBekNx7Ukx6OVFTmvTAutCascSfq/4Cx
+K71zaW/I9hrU8oNDBDzolVW4gW8ObNLGhoDqmvkoXrlrGEBNqkuErbbYZA1k/001
+lurEh7Zp7Kp6jjHcRm83a7bWiRYGtv1K9kR9MKKLW7au8zyjYcesTvS2QjY+k20W
+vE2kmyAosbJShFzTmZn8kwgh6c0BPyFDEI5XleMeefECgYEA6ZhgG87wyU4RDU1N
+PxLV9ufbSYpW91KP1iuZ5Z6QdLGWZeWKjvxtoLAa3z9ceIBVvFqCGDn4DfwIaNLe
+tGsjeyXre1R3/B0S/oAJbmbRV4pWl/jSzgbzCTGW7x1mpqgpJdHFmTbqTxkNB6cM
+fpzTPfM012KfRglD9D+2DTOCyEsCgYEAwECXQRIe7/657J68GHSBCaQ+rzDL3nRe
+exe4duHyXok0yohk7OiPepKQ1hdYq2PHhGEj6b5OgFppWeA66M/ndjX4S10oCtN0
+oEb7honFz4ZmHmqQ6UotAuBx7tq06v+KI/eTvefTVh9mujdwMW4sAowhx9Dw6PkR
+ipFCdi458Y8CgYEAhJ//ySoYKaMKKWw/NFVkZ9fB+CH0OF2GzslYijcZuzdstZO6
+tG37bCUwTJozzTLH+rXEcS7QeFglCibXTMYbkfq4lQAjU1/KffaB5E26A6LGgWhD
+f7gQWqLuF/qwYmTNX+yW7ONx6tDFRhgBDw3JHb4svTEATwpJq65UlXAui7sCgYBD
+krBXO8JKApNg+s4MHm74b5VkyFbv4qEOzOCWUIZ6+ejnQxeOOZOstnVX+q681v5a
+pjYUQ0KeVKjw4SJzkBe/8epKuvyHCZnVd/2SZTx0271q9XPnu52khDUnihHLA3SP
+fcadGi2q+LCHxVKW3S1028JH1EXI7TpgJPxiQ480OwKBgQDmi0BiSFaxNVcJm+pq
+rbmK2pRPl49VOlc7px89ilZgoIeU8jwWQyqXRooarFhV1H0SA6oh52jYljiIIFVn
+qwKfS3Sjo6iW3ytjGcRLeNS0Sk8D2XMky7Mw120ZxatTsKw3ztmYFAlSYdxRMnue
+zkYzcxL3N2LvHeY8SOwyxayfxg==
+-----END PRIVATE KEY-----
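Review bot: turn_client_pkey.pem is an unencrypted private key committed to the repository, and with `# key passwd: coTURN` disclosed in examples/ca/run.sh the encrypted CA key in examples/ca/CA/private/cakey.pem is effectively public as well, so anyone can issue certificates that validate against this CA. That is only acceptable for throwaway test material, and it should be stated where users will see it (a README next to the files or a comment in turnserver.conf) that nothing under examples/ca/ may be used outside a test setup and that this CA must never be added to a real trust store. Since run.sh regenerates the whole tree, consider committing only run.sh, openssl.conf and the CA.pl patch and leaving the generated keys and certificates out of the repository.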
diff --git a/examples/ca/turn_server_cert.pem b/examples/ca/turn_server_cert.pem
new file mode 100644
index 00000000..2a1fea87
--- /dev/null
+++ b/examples/ca/turn_server_cert.pem
@@ -0,0 +1,80 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 4c:9b:ec:95:d1:21:49:1d:5d:65:a7:1a:61:46:67:dd:42:18:65:47 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=HU, ST=Hungary, O=coTURN, CN=CA/emailAddress=misi@majd.eu + Validity + Not Before: Mar 5 09:05:21 2020 GMT + Not After : Mar 3 09:05:21 2030 GMT + Subject: C=HU, ST=Hungary, L=Debrecen, O=coTURN, CN=Server/emailAddress=misi@majd.eu + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:bc:db:f7:17:35:17:7c:46:79:64:89:61:5f:ac: + cf:8f:6d:97:13:87:8a:d6:f1:ab:df:f6:69:4e:04: + 57:c1:4d:6c:3d:77:c9:50:0d:3d:b6:89:cd:ac:00: + b5:02:45:e4:4c:78:ef:6f:18:7e:57:4e:bc:62:4d: + f6:de:6c:c8:77:ea:c5:b2:b4:65:2d:46:76:bf:5e: + 5f:f8:45:78:55:f4:4d:20:ac:91:f0:4f:23:cb:5d: + 40:29:44:de:9c:f7:0a:e6:48:a4:80:35:dd:cb:e8: + 02:90:59:f7:31:f9:4c:50:fe:98:ef:dd:7f:60:51: + 2d:44:0a:14:a2:57:96:51:36:3f:73:66:db:45:5f: + bd:9d:f4:82:3a:ce:ab:75:4f:d0:90:6d:43:d1:7b: + 2f:77:31:88:db:2f:4a:a9:4e:62:39:c7:14:7f:39: + ef:e2:08:b7:18:a7:6c:f8:d9:35:d5:a3:f8:64:f5: + 02:51:22:1b:8e:7a:c5:44:ae:df:b1:17:0b:71:df: + 09:82:89:49:70:c5:9b:a0:f3:3c:02:48:75:e7:81: + f9:24:51:56:24:3b:ff:b8:68:d3:13:2e:a2:f4:d1: + 70:33:a9:7a:d6:17:fd:ca:a5:6b:13:74:c9:ce:b6: + 26:4f:01:ff:eb:ba:b5:f9:a1:70:80:da:11:df:a3: + 7b:4f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 38:C1:E5:77:D3:01:6B:7A:A7:D8:18:6B:50:D6:FA:0E:D6:D9:B4:4F + X509v3 Authority Key Identifier: + keyid:1C:27:5E:40:39:8C:EC:71:C7:ED:E9:2A:56:C9:9E:DF:48:EA:82:42 + + X509v3 Basic Constraints: critical + CA:TRUE + Signature Algorithm: sha256WithRSAEncryption + a3:37:55:68:68:02:9f:af:d6:b1:38:b3:d8:bf:30:27:33:6f: + 21:4c:09:ee:cf:24:d2:eb:cf:1c:7a:15:98:6d:10:94:e0:4a: + 1f:88:5c:43:90:09:78:c1:a6:82:06:16:f2:8c:d1:3a:c5:3b: + 99:67:35:3c:00:bf:9f:a2:6a:e7:33:85:83:88:72:88:e4:d2: + 83:1c:6c:49:92:5f:51:80:0d:92:0f:99:4d:cb:2a:18:4d:68: + 
b7:b6:d1:de:54:22:71:88:8d:04:45:c5:13:34:8d:52:7a:f7: + 2a:e7:cb:b2:41:20:7b:ef:aa:d0:58:93:b5:e6:b5:fa:8b:22: + a3:ed:a7:81:9b:ca:50:f7:d0:bd:5f:f2:52:6d:8b:af:af:64: + 36:9d:6d:81:ce:50:29:b7:db:d0:ac:a3:1d:78:77:90:29:a3: + 84:10:69:13:e9:47:fc:e1:1e:c2:74:55:61:11:65:2d:77:e1: + ca:9f:2d:6f:2f:76:f6:69:bc:09:50:9a:b0:48:05:a2:53:e6: + 93:46:81:0d:04:8b:cd:fb:a4:a7:82:08:78:f9:87:dc:0a:07: + 91:1f:de:09:fa:00:5a:16:1a:2b:5c:83:10:03:33:2f:ad:8c: + 9a:eb:94:0f:77:b1:9b:ec:e6:0e:dc:84:dd:35:3f:b5:8a:d2: + 06:0e:88:d7 +-----BEGIN CERTIFICATE----- +MIIDrDCCApSgAwIBAgIUTJvsldEhSR1dZacaYUZn3UIYZUcwDQYJKoZIhvcNAQEL +BQAwWjELMAkGA1UEBhMCSFUxEDAOBgNVBAgMB0h1bmdhcnkxDzANBgNVBAoMBmNv +VFVSTjELMAkGA1UEAwwCQ0ExGzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5ldTAe +Fw0yMDAzMDUwOTA1MjFaFw0zMDAzMDMwOTA1MjFaMHExCzAJBgNVBAYTAkhVMRAw +DgYDVQQIDAdIdW5nYXJ5MREwDwYDVQQHDAhEZWJyZWNlbjEPMA0GA1UECgwGY29U +VVJOMQ8wDQYDVQQDDAZTZXJ2ZXIxGzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5l +dTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALzb9xc1F3xGeWSJYV+s +z49tlxOHitbxq9/2aU4EV8FNbD13yVANPbaJzawAtQJF5Ex4728YfldOvGJN9t5s +yHfqxbK0ZS1Gdr9eX/hFeFX0TSCskfBPI8tdQClE3pz3CuZIpIA13cvoApBZ9zH5 +TFD+mO/df2BRLUQKFKJXllE2P3Nm20VfvZ30gjrOq3VP0JBtQ9F7L3cxiNsvSqlO +YjnHFH857+IItxinbPjZNdWj+GT1AlEiG456xUSu37EXC3HfCYKJSXDFm6DzPAJI +deeB+SRRViQ7/7ho0xMuovTRcDOpetYX/cqlaxN0yc62Jk8B/+u6tfmhcIDaEd+j +e08CAwEAAaNTMFEwHQYDVR0OBBYEFDjB5XfTAWt6p9gYa1DW+g7W2bRPMB8GA1Ud +IwQYMBaAFBwnXkA5jOxxx+3pKlbJnt9I6oJCMA8GA1UdEwEB/wQFMAMBAf8wDQYJ +KoZIhvcNAQELBQADggEBAKM3VWhoAp+v1rE4s9i/MCczbyFMCe7PJNLrzxx6FZht +EJTgSh+IXEOQCXjBpoIGFvKM0TrFO5lnNTwAv5+iauczhYOIcojk0oMcbEmSX1GA +DZIPmU3LKhhNaLe20d5UInGIjQRFxRM0jVJ69yrny7JBIHvvqtBYk7XmtfqLIqPt +p4GbylD30L1f8lJti6+vZDadbYHOUCm329Csox14d5Apo4QQaRPpR/zhHsJ0VWER +ZS134cqfLW8vdvZpvAlQmrBIBaJT5pNGgQ0Ei837pKeCCHj5h9wKB5Ef3gn6AFoW +GitcgxADMy+tjJrrlA93sZvs5g7chN01P7WK0gYOiNc= +-----END CERTIFICATE----- 
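Review bot: The new server certificate (Subject CN=Server, issued by the example CA) carries `X509v3 Basic Constraints: critical CA:TRUE`, which turns an end-entity certificate into one that can itself sign certificates chaining to the example CA; a leaf should be issued with `basicConstraints = critical, CA:FALSE`. It also has no Subject Alternative Name and no Extended Key Usage, so a client that checks the peer name against 127.0.0.1 or localhost (the addresses the example scripts use) has nothing to match; whether turnutils_uclient performs that check is not visible here. When regenerating, I would sign with an extensions section such as `basicConstraints = critical, CA:FALSE`, `extendedKeyUsage = serverAuth`, `subjectAltName = IP:127.0.0.1, DNS:localhost`, adding ::1 if the relay script's `-L ::1` listener is meant to be exercised over TLS. The client certificate added alongside this one is not in view in this chunk; it is worth confirming it does not carry the same CA:TRUE flag.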
diff --git a/examples/ca/turn_server_pkey.pem b/examples/ca/turn_server_pkey.pem new file mode 100644 index 00000000..980bbe07 --- /dev/null +++ b/examples/ca/turn_server_pkey.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC82/cXNRd8Rnlk +iWFfrM+PbZcTh4rW8avf9mlOBFfBTWw9d8lQDT22ic2sALUCReRMeO9vGH5XTrxi +TfbebMh36sWytGUtRna/Xl/4RXhV9E0grJHwTyPLXUApRN6c9wrmSKSANd3L6AKQ +Wfcx+UxQ/pjv3X9gUS1EChSiV5ZRNj9zZttFX72d9II6zqt1T9CQbUPRey93MYjb +L0qpTmI5xxR/Oe/iCLcYp2z42TXVo/hk9QJRIhuOesVErt+xFwtx3wmCiUlwxZug +8zwCSHXngfkkUVYkO/+4aNMTLqL00XAzqXrWF/3KpWsTdMnOtiZPAf/rurX5oXCA +2hHfo3tPAgMBAAECggEALGPXVBEakA9QgRz5Ui+gKaoslF6Ld7IeH+ofHkNPDRRR +mLELFFHIa5tASGlyIjKjUoYqYQZ0y7ip9sE0gVs4U1dPWI2mKlohlyFrlUNe4XUm +m8N0GfPAChDE/+48FNDMMwxn/eqrUz4ZPCypOYnLMk5lTBvX0J/D7/Yem3nSzwt1 +qkZoijxZH5IvJAJkBWvucRuJ8XxHzOAo2V2Y+wTdilcJhfCvqGC0rkydjaN6TtRW +HWKvAOa7hEegNBbZhHhKfw5ovQwj9Cnr2+8gaTSw5gVaZNnhCO+TlUfQHIBH9rmt +82SHu1QoYSGMvkjlrrKhRYHrx+4P4TXoZ6eB1hl3QQKBgQDmwUOkh6qwL2dtcrF1 +bVdRZjb1bw6L8qZAgUkcA1IaLVUlhjEJZGXAoPbLn6Vq+jfOvaYLmzEaLcpn3pfx +Hwcb1vnNW7dlXC1vpIWXPZP4IPJV4XsL1AgoEj6mgETHxvC+4cLc2gaMY5o5TzUv +VdV/A7SIqxAyPccXt1u/eITfNwKBgQDRhVTTJiBsGGjOetfgNqNGxpkKB6W4cET9 +EyC1c7Lh40lioA2G8lzhFCdK9VZ+cAT51Bmkr5jq29EyMafSy3e4+PG8ZLHVL0ll +qBY4vSzHQNcGvUgh+15g6ISgCbM0eSsAea3LY+fmchz6mBS6DhyMkYPSbV+7YvHJ +PSnfTkTgqQKBgQCO+SQOJzjs3RI6UBv/4/V8K9bVjy/2Kiw0P2arAqu2KGxfSZvM +c/ZPuevwEkSN2ecGI59kBY4Q6FpGrTZ7YXwoFbTFNpSVKt3EFK3pHXA3B0LfT0vL +8l3zZgqHY2Y6WdsEiiEQcc4o4fXGmHsdjxMvFX6gR01Ls9dNrIAeTHAXVQKBgGoL +Q72C5JIRYKpw/mYbAVTHG5o5+KR7Hk/AqKNuJbGyqefi/jW44U2CN8j2l4pzA/G2 +aiwyPAFStHTlMP29waC7Tw59IIy33Dw5cNXS2aEXrj1Y+/NHGKOPy+B8SFlcomkh +LNduf2bhhs1Gv+bTUZvL4p5UgUmEcL/b1x+Qq8fRAoGBAIpNCp4W+TsPUJcQKoWm +L61RVr5GaHv7/qxQvYaXIVCq8/gZAbJi3/A9ieTrF72uuOZ+ajzFHDUiiDs19y67 +mCvCchPgqzLy9iSs6mm8fmS6kJnWn04I+7DOfe7kScUnD5WkyNaTYAeOqvdWzl/i +B1hQJJ9GzZG5Rztlotm5m/JY +-----END PRIVATE KEY----- 
diff --git a/examples/etc/cacert.pem b/examples/etc/cacert.pem new file mode 120000 index 00000000..126f30fe --- /dev/null +++ b/examples/etc/cacert.pem @@ -0,0 +1 @@ +../ca/CA/cacert.pem \ No newline at end of file diff --git a/examples/etc/turn_client_cert.pem b/examples/etc/turn_client_cert.pem deleted file mode 100644 index 2e00e7e8..00000000 --- a/examples/etc/turn_client_cert.pem +++ /dev/null @@ -1,23 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDzjCCArYCCQD3YHhln4EqhDANBgkqhkiG9w0BAQUFADCBpzELMAkGA1UEBhMC -VVMxCzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxXYWxudXQgQ3JlZWsxKzApBgNVBAoT -IlJGQzU3NjYgVFVSTiBTZXJ2ZXIgcHVibGljIHByb2plY3QxFDASBgNVBAsTC2Rl -dmVsb3BtZW50MQ0wCwYDVQQDEwRPbGVnMSIwIAYJKoZIhvcNAQkBFhNtb20wNDAy -NjdAZ21haWwuY29tMCAXDTEyMTEyNzAwNDEwNVoYDzIxMTIxMTAzMDA0MTA1WjCB -pzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxXYWxudXQgQ3Jl -ZWsxKzApBgNVBAoTIlJGQzU3NjYgVFVSTiBTZXJ2ZXIgcHVibGljIHByb2plY3Qx -FDASBgNVBAsTC2RldmVsb3BtZW50MQ0wCwYDVQQDEwRPbGVnMSIwIAYJKoZIhvcN -AQkBFhNtb20wNDAyNjdAZ21haWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A -MIIBCgKCAQEA3huHvPYyvNZBK91bP3O1dBdOj93YQ3812BTcRMjEYnvSyyEosxFd -dEnILgDiFK//pFnDtwm7FxOCtVwRQ0+8qGTH4vH0EIpKTBsaafKH3L9CYe40pwcm -BJHvclOa4vl2Ghi09+M0UEHdokkM77K9rpXx7aZILoICkqnoAuBe0TY8D5PBXinM -gtk7HlrvANxSmPHAAaGQ5t/+jfTWVH1UYCpogTgCKYPbNi+joKu6oEz+qRKAqDYd -FY6/Qpiv7reYiNiVhM7HGNY27FkKDJDBhsmZRmtTIEdYFfcWPZvv69L7Rf1skOXF -Vm5/to3HArJJF+lz6YGj0C3pE6dZt6sUmQIDAQABMA0GCSqGSIb3DQEBBQUAA4IB -AQAhXgGdXXf0dMPdkfl4jv4dqFNSmax6wmeNc+oJC9qIFVDLsdAaAWXZ+pZHYIMR -UN8mQobsIZdfPQ0gs8CgUwrKziAjA92y2Q/I7vsg83qRLhysGC5etYMD/wlySDDS -AJKraevDPTEdmfNstCblubNG2PIeqV1isWtPMqB2dMsCeyzJXVyfD0QcABzFv4Fs -MMy7JI7MsctNh1tjV/0TsddDMeMLs22rix5fS8MZ6uunFzIuJ0MshFNehXFuvz0B -uNmn0k7djUm3h+2Avs3YGCo/8GtqHapc/lva/9gT+iEW0e7i0Ru5Jhar66VMzJqv -+wEhQafC77d3vWHtXQU8dYmM ------END CERTIFICATE----- diff --git a/examples/etc/turn_client_cert.pem b/examples/etc/turn_client_cert.pem new file mode 120000 index 00000000..d6e90b6c --- /dev/null 
+++ b/examples/etc/turn_client_cert.pem @@ -0,0 +1 @@ +../ca/turn_client_cert.pem \ No newline at end of file diff --git a/examples/etc/turn_client_pkey.pem b/examples/etc/turn_client_pkey.pem deleted file mode 100644 index 11f9d2aa..00000000 --- a/examples/etc/turn_client_pkey.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEA3huHvPYyvNZBK91bP3O1dBdOj93YQ3812BTcRMjEYnvSyyEo -sxFddEnILgDiFK//pFnDtwm7FxOCtVwRQ0+8qGTH4vH0EIpKTBsaafKH3L9CYe40 -pwcmBJHvclOa4vl2Ghi09+M0UEHdokkM77K9rpXx7aZILoICkqnoAuBe0TY8D5PB -XinMgtk7HlrvANxSmPHAAaGQ5t/+jfTWVH1UYCpogTgCKYPbNi+joKu6oEz+qRKA -qDYdFY6/Qpiv7reYiNiVhM7HGNY27FkKDJDBhsmZRmtTIEdYFfcWPZvv69L7Rf1s -kOXFVm5/to3HArJJF+lz6YGj0C3pE6dZt6sUmQIDAQABAoIBAH5ITN8FZEe10gws -qUrkcRD2h3aI/gMyetzGz45UUERmfq17xvY5M1eA884kNmbowoMhfoO9hqBSOYkA -Ndh9p5he5L+GLeyRlDi9WEFQ4iqCnC2uEEW/bMBAcVIhcvkGOT4ROiOPDRlsuaUh -v7cxe2OeYZVra7L1vJzC+eVYyNBN5CgK8w08MPEkupQS9+Jvr0QWCikRz187cG45 -EiDMrBKyJNE9lY6u4P8gJ+/NgaASWP/D3kbsjiQ2OwSGLrwDAvWC7Bx2GK3/0goA -btp7YGaWvp+mE5V91cOW+PfweC5Do4MjOr4ToNkczW0AxKE5o94yo56h+II5bX6N -z65VvtkCgYEA/Sq/3S2yup/Oodzj003KG4skWYFrj7KXeXgm7RZcpNwkd8JaFXJ/ -Cwl7/3bkRv6RHLmXX/2hcNWlxq3u6Efs1EjtycdArU68kO01vLdExJYIzHKmHikV -n+T4hukxGDzObxn3lH1KcOodh/x572Uufn79dewoZCPzH8t/jiMOWGcCgYEA4JfN -66Kq/oDookqenM9Ij5l6zeeNwzMjIlkU2eG0DAH0KdsBN/hTGGGRQVBk03YREQmK -crEhGAZxzfrX5fK11UVG3C2pqAtrVe6FuD32vFUpP1MO0ftSA889NoEwGdNZV4pV -Mk0+6xVCNOatj2inMXlQq5s68WfCzkiWD7uLCv8CgYBcwuYsF4tuYBGpMzNzAAS2 -1OPLu+T6cPiZdFHm+xOVAGiITPkO9LXiCGabsydvb+UhvkrdzCP0IQQt6RsplvkK -y3H9RfnHxprHC3NuI0SaN1Mf/j4pvOoEfTQm0pi/hcAp6zzQ9ptpBg8t/W98LPm9 -NbCPHamrD5UMqFajcOrXrwKBgD8D2M8IcRm/aYY/kYlFz4Ia+g3Trj7alj0I6YTI -gw/rbGph/FGL5ySsG2lL+T4rnlY9aw8LC9IF3OCCRRlLpCEWsu8MENIJgjA2IGa1 -XAkzi8MstrfL4BMZjn9AeBKG7kZVldnrOoATEuRs5L2cC20iMLQ1dbBOAKaITzJS -2IxZAoGBAKqwr/uennxJrnMtpjLBgcphoU3aXJZvzzDqlOaqzJp6Xmbese4sDEe0 -hvVHreigDzOnGnqL/vSjTDWaLqS/O1iE7p+UrGIkZj/Zl6Jk54OX6AHmWE2LhdlU -FYgIQKX7fuocpF1Dpe7xEeVwvdp+UqbDzHQg1CWGe1cBPYDYIkSH ------END RSA PRIVATE KEY----- diff --git a/examples/etc/turn_client_pkey.pem b/examples/etc/turn_client_pkey.pem new file mode 120000 index 00000000..f89f87bc --- /dev/null +++ b/examples/etc/turn_client_pkey.pem @@ -0,0 +1 @@ +../ca/turn_client_pkey.pem \ No newline at end of file 
diff --git a/examples/etc/turn_server_cert.pem b/examples/etc/turn_server_cert.pem deleted file mode 100644 index 99b3f018..00000000 --- a/examples/etc/turn_server_cert.pem +++ /dev/null @@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDsDCCApgCCQCmgrJCiQlGOTANBgkqhkiG9w0BAQUFADCBmDELMAkGA1UEBhMC -VVMxCzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxXYWxudXQgQ3JlZWsxHDAaBgNVBAoT -E1RVUk4gU2VydmVyIHByb2plY3QxFDASBgNVBAsTC0RldmVsb3BtZW50MQ0wCwYD -VQQDEwRPbGVnMSIwIAYJKoZIhvcNAQkBFhNtb20wNDAyNjdAZ21haWwuY29tMCAX -DTEyMTEyNTA4MjAxNloYDzIxMTIxMTAxMDgyMDE2WjCBmDELMAkGA1UEBhMCVVMx -CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxXYWxudXQgQ3JlZWsxHDAaBgNVBAoTE1RV -Uk4gU2VydmVyIHByb2plY3QxFDASBgNVBAsTC0RldmVsb3BtZW50MQ0wCwYDVQQD -EwRPbGVnMSIwIAYJKoZIhvcNAQkBFhNtb20wNDAyNjdAZ21haWwuY29tMIIBIjAN -BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv6bYkERhZ43RjW4EuqCaTq5g+D+l -JI/GwlVzdzQ3+F4clMQDR1kp1nX+9AvwjCXz3AYwY1H9CqjmjGM4R9uNJJseK/aJ -d2DUFADkF+7I674XwX8U2Fy5on9jqWq3jdbb8eg/awcTBdrNLWNPquwfS2KVdooj -9yPkqnO0c3ko1/OzIQCcs09O3l/MPt+aOsHk3B9l79ZRs3zWkylI+we0Fnc+7tZE -psCztA+KCCoiJf7NenOvVhdKg7D1AXuzJ/P/Euvc3+CIiS9HI4pWLopY1k+HydLe -IcopqSbg9CRIKe1HOL8YTvCm2ZoTqgijwWUlGtwEDf2xxUQX/TLYiW8JFQIDAQAB -MA0GCSqGSIb3DQEBBQUAA4IBAQATbrBOLV4e8Qmsby9+srxXsdbNc60PmDZ4WiZ1 -IElfWmzM7wGXm9sJg1PX/7T24R1tbwZGLIhZnkhecG372GChULZJ9Pdjh0Ab2nK5 -LRKHXTpjp/xOJvx0JMCIIyRnGZT1nABPOk8uEjNW8PaU6yhQ4f5nKaSOgYGRCln6 -dcy5vylCsyD9Q7GXs0KOC38XD+Ycv6VLX4zKJ2Yum50Wt643nLjG9RlGT3FXWJ1K -HUbPC5TO6bcYLdiTjaYr+X8xC/x6h/Ngdo/16w7fRmQQ4uS+TVXrg8ITmI71KX/I -m7C9jbsubwzrhW84oZXYf+o/0ATtEAhiVLnHifKCCYikqfVj ------END CERTIFICATE----- diff --git a/examples/etc/turn_server_cert.pem b/examples/etc/turn_server_cert.pem new file mode 120000 index 00000000..bb93b79a --- /dev/null +++ b/examples/etc/turn_server_cert.pem @@ -0,0 +1 @@ +../ca/turn_server_cert.pem \ No newline at end of file diff --git a/examples/etc/turn_server_pkey.pem b/examples/etc/turn_server_pkey.pem deleted file mode 100644 index ada07d6c..00000000 
--- a/examples/etc/turn_server_pkey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAv6bYkERhZ43RjW4EuqCaTq5g+D+lJI/GwlVzdzQ3+F4clMQD -R1kp1nX+9AvwjCXz3AYwY1H9CqjmjGM4R9uNJJseK/aJd2DUFADkF+7I674XwX8U -2Fy5on9jqWq3jdbb8eg/awcTBdrNLWNPquwfS2KVdooj9yPkqnO0c3ko1/OzIQCc -s09O3l/MPt+aOsHk3B9l79ZRs3zWkylI+we0Fnc+7tZEpsCztA+KCCoiJf7NenOv -VhdKg7D1AXuzJ/P/Euvc3+CIiS9HI4pWLopY1k+HydLeIcopqSbg9CRIKe1HOL8Y -TvCm2ZoTqgijwWUlGtwEDf2xxUQX/TLYiW8JFQIDAQABAoIBADUPHCXUyKLCwKFH -NEf27sGZxX71H+NfaseioLT/3/8DDyagncfDB7I4OL2YEKC8YScpD3xv1n59BFcZ -oRtDzW+1AkVpm+VRCWYAWSXHFhkuJ6WKaVr9UOeMHStqQCcktP/kLKqU6s9UJDnM -pOHNPVzBjl+jHxHs/gGyxuKxSH2Anwkrzpiv5j0obKFnw3QtAqeZRs1NlvPtYt2S -eihZWr8r8LqylPk9ga9MYmO79Yr+EPVaqd6bmz4MpZJ4/7LEjx03Q6azdMCPhFNY -cYzPIDZFEj81Zj/tqA2MU/uTTUUrcXint4dHRJs34m5N68PV1Y1XhhH6FG0+X711 -ZymudoECgYEA/ChS5zmmOoLoaq2441+PzQbDP45qR6+G4slHwC8RDZhsYw0hQnp9 -n44Qagpt74J4FjxT20BdE714DZP32IqagUwatWRQ+z3UoGafkJSNc5JSEogwZ65C -nC8RI1pPHLEvE8IzBJiqUA1kbMOMfTYW694wdN9JVZang05/AXaJzm8CgYEAwpJ8 -nJRR9JFweHRrRgnrVk0Qi+ABbN9T/nhPXYab2vjBfeBOTA1Mob0M3zMJDCnL2i+D -K1GzE6WaYHElr45j2Wfphd/rRTk74WR4BaPpTCGaAhBQNn0ufqUkKsCPEAlTU+nG -iyXP4OvdMPjEBckjbKm/mlX7m0njSHAY6SWNorsCgYEAi8Yubk3efwChpMC3hBIs -vBHLmSdwclwyAPRh+X4djdO4AQ/+J8OObytond86IVHJD0pRkW+UKKUWLzCeakIq -cxGknHgHC72yZ1d7i8FMx4uMQwmLC23lLn5ImbgtslHlLqavcRTPE6DY0hFzhtS8 -z/JSGfbLx83C/V49uKnkqbECgYA6h1oYt70XdpCAi3ShcuZp5XCuwslq+JsJlyM4 -nP9RFTcPKGQlGHMOzBGNKor0L7Z0gYpRg5f8tvoDPMX7UzfR9CIY9UyOXDMZD+HS -wIWzMwBi0olueqV7zy1b9uSSDFwWh+IDhXJM1GaLDqnYm7KeQ0mxoV+4TLej2KSF -rZg3dQKBgQCVrVxFV8jHBsRsH5PzMx6pUSAollmuyte9mGU1MIE7EZf+LEQIAjGZ -9jvtAILYVJXwVZv1/zNxldUfBNuWc95ft+Gg7FEN0p0uLpdYNXQUcXuJaJ9tJ1td -ZfvRcrUXdFNKYt9/yaGeHVaIQfp4W1faZD7OnII7EOVkUKyv/qNGAA== ------END RSA PRIVATE KEY----- diff --git a/examples/etc/turn_server_pkey.pem b/examples/etc/turn_server_pkey.pem new file mode 120000 index 00000000..e84cd674 --- /dev/null +++ b/examples/etc/turn_server_pkey.pem 
@@ -0,0 +1 @@ +../ca/turn_server_pkey.pem \ No newline at end of file diff --git a/examples/scripts/longtermsecure/secure_dtls_client_cert.sh b/examples/scripts/longtermsecure/secure_dtls_client_cert.sh index a779ac68..49ea96dc 100755 --- a/examples/scripts/longtermsecure/secure_dtls_client_cert.sh +++ b/examples/scripts/longtermsecure/secure_dtls_client_cert.sh @@ -32,5 +32,5 @@ fi export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/ -PATH=examples/bin/:../bin:./bin/:${PATH} turnutils_uclient -S -i turn_server_cert.pem -k turn_server_pkey.pem -E turn_server_cert.pem -n 1000 -m 10 -l 170 -e 127.0.0.1 -g -u bolt -w kwyjibo -s -X $@ 127.0.0.1 +PATH=examples/bin/:../bin:./bin/:${PATH} turnutils_uclient -S -i turn_server_cert.pem -k turn_server_pkey.pem -E cacert.pem -n 1000 -m 10 -l 170 -e 127.0.0.1 -g -u bolt -w kwyjibo -s -X $@ 127.0.0.1 diff --git a/examples/scripts/longtermsecure/secure_relay_cert.sh b/examples/scripts/longtermsecure/secure_relay_cert.sh index aa6a90ba..cf10eece 100755 --- a/examples/scripts/longtermsecure/secure_relay_cert.sh +++ b/examples/scripts/longtermsecure/secure_relay_cert.sh 
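Review bot: secure_dtls_client_cert.sh still presents the server's identity as the client certificate (`-i turn_server_cert.pem -k turn_server_pkey.pem`) even though this commit adds dedicated turn_client_cert.pem / turn_client_pkey.pem and symlinks them into examples/etc; only the trust anchor was changed to `-E cacert.pem`. If the script is meant to demonstrate client-certificate authentication the way a deployment would use it, the client should use its own pair, `-i turn_client_cert.pem -k turn_client_pkey.pem`, which the relay's `--CA-file=cacert.pem` then verifies against the example CA. If reusing the server pair on the client side is deliberate as a smoke test, a one-line comment in the script saying so, e.g. `# test only: the client reuses the server key pair; use turn_client_*.pem for a realistic mTLS setup`, would keep the next reader from either copying or "fixing" it.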
@@ -36,4 +36,4 @@ fi export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/ export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/ -PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=bolt:kwyjibo -r bolt.co --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --CA-file=turn_server_cert.pem --log-file=stdout -v --cipher-list="ALL:!eNULL:!aNULL:!NULL" --cli-password=secret --db=var/db/turndb $@ +PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=bolt:kwyjibo -r bolt.co --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --CA-file=cacert.pem --log-file=stdout -v --cipher-list="ALL:!eNULL:!aNULL:!NULL" --cli-password=secret --db=var/db/turndb $@ diff --git a/examples/scripts/longtermsecure/secure_tls_client_cert.sh b/examples/scripts/longtermsecure/secure_tls_client_cert.sh index 80d7db5e..da8926ed 100755 --- a/examples/scripts/longtermsecure/secure_tls_client_cert.sh +++ b/examples/scripts/longtermsecure/secure_tls_client_cert.sh @@ -32,5 +32,5 @@ fi export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/ -PATH=examples/bin/:../bin:./bin/:${PATH} turnutils_uclient -t -S -i turn_server_cert.pem -k turn_server_pkey.pem -E turn_server_cert.pem -n 1000 -m 10 -l 170 -e 127.0.0.1 -X -g -u bolt -w kwyjibo -s $@ 127.0.0.1 +PATH=examples/bin/:../bin:./bin/:${PATH} turnutils_uclient -t -S -i turn_server_cert.pem -k turn_server_pkey.pem -E cacert.pem -n 1000 -m 10 -l 170 -e 127.0.0.1 -X -g -u bolt -w kwyjibo -s $@ 127.0.0.1
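Review bot: The relay example now verifies client certificates against the real example CA (`--CA-file=cacert.pem`), which is the right anchor, but the same rewritten line still carries `--cipher-list="ALL:!eNULL:!aNULL:!NULL"` and `--cli-password=secret`, and since this is the script people copy from, both deserve a marker that they are test-only. A cipher list starting with `ALL:` admits every non-NULL suite the linked OpenSSL supports, including legacy ones, so I would either tighten it to a modern set or add a comment above the line such as `# test only: permissive cipher list and fixed CLI password; do not copy into production`. Whether the relay performs hostname or SAN checks on the presented client certificate is not visible here; with the example CA being the only trust anchor, anyone holding the published example keys can authenticate, which is another reason to keep this script bound to 127.0.0.1 as it is.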
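Review bot: secure_tls_client_cert.sh has the same mismatch as its DTLS sibling: the client identity is still `-i turn_server_cert.pem -k turn_server_pkey.pem` while this commit introduces turn_client_cert.pem / turn_client_pkey.pem, and only the `-E cacert.pem` trust anchor changed. I would switch it to `-i turn_client_cert.pem -k turn_client_pkey.pem` so the relay's CA-file verification actually exercises a distinct client identity, or comment in the script that reusing the server pair is intentional. The hunk appears to end at this line, but if more of the file follows in the next chunk that is not visible here.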