Merge tag 'upstream/4.5.0.3'

Upstream version 4.5.0.3

ChangeLog

@@ -1,3 +1,15 @@
+11/15/2015 Oleg Moskalenko <mom040267@gmail.com>
+Version 4.5.0.3 'dan Eider':
+	- SSLv3 support removed. That provides extra security and
+	compatibility with OpenSSL distributions or clones
+	that does not support SSLv3 (like LibreSSL 2.3.0).
+	This fix is required for fresh FreeBSD and for Debian unstable.
+	- Compilation and configuration cleaning.
+	- Fix for non-interactive shells.
+	- RPM: Fixed mongo-c-driver include path (by Sergey Safarov).
+	- RPM: Fixed startup daemon as non root user (by Sergey Safarov).
+	- RPM: Systemd optimized for high-volume network traffic (by Sergey Safarov).
+
 9/29/2015 Oleg Moskalenko <mom040267@gmail.com>
 Version 4.5.0.2 'dan Eider':
 	- DTLS segmentation fault fixed;

README.md

@@ -24,7 +24,7 @@ TURN specs:
   * DTLS support (http://tools.ietf.org/html/draft-petithuguenin-tram-turn-dtls-00).
   * Mobile ICE (MICE) support (http://tools.ietf.org/html/draft-wing-tram-turn-mobility-02).
   * TURN REST API (http://tools.ietf.org/html/draft-uberti-behave-turn-rest-00)
-  * Origin field in TURN (Multi-tenant TURN Server) (https://tools.ietf.org/html/draft-ietf-tram-stun-origin-05)
+  * Origin field in TURN (Multi-tenant TURN Server) (https://tools.ietf.org/html/draft-ietf-tram-stun-origin-06)
   * TURN Bandwidth draft specs (http://tools.ietf.org/html/draft-thomson-tram-turn-bandwidth-01)
   * TURN-bis (with dual allocation) draft specs (http://tools.ietf.org/html/draft-ietf-tram-turnbis-04).
 
@@ -49,7 +49,7 @@ The implementation fully supports the following client-to-TURN-server protocols:
 
   * UDP (per RFC 5766)
   * TCP (per RFC 5766 and RFC 6062)
-  * TLS (per RFC 5766 and RFC 6062): SSL3/TLS1.0/TLS1.1/TLS1.2; ECDHE is supported.
+  * TLS (per RFC 5766 and RFC 6062): TLS1.0/TLS1.1/TLS1.2; ECDHE is supported.
   * DTLS  (http://tools.ietf.org/html/draft-petithuguenin-tram-turn-dtls-00): DTLS versions 1.0 and 1.2.
   * SCTP (experimental implementation).
 

README.turnserver

@@ -187,8 +187,6 @@ Flags:
 
 --dh2066		Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
 
---no-sslv3		Do not allow SSLv3 protocol.
-
 --no-tlsv1		Do not allow TLSv1/DTLSv1 protocol.
 
 --no-tlsv1_1		Do not allow TLSv1.1 protocol.

configure

@@ -142,7 +142,7 @@ testlibmysql() {
 }
 
 testlibmongoc() {
-    for inc in ${PREFIX}/libmongoc-1.0 ${PREFIX}/libbson-1.0 /usr/local/include/libmongoc-1.0 /usr/local/include/libbson-1.0 /usr/libmongoc-1.0 -I/usr/libbson-1.0
+    for inc in ${PREFIX}/libmongoc-1.0 ${PREFIX}/libbson-1.0 /usr/local/include/libmongoc-1.0 /usr/local/include/libbson-1.0 /usr/libmongoc-1.0 /usr/libbson-1.0 /usr/include/libbson-1.0/ /usr/include/libmongoc-1.0/
     do
       if [ -d ${inc} ] ; then
         MONGO_CFLAGS="${MONGO_CFLAGS} -I${inc}"
@@ -521,19 +521,7 @@ if [ -z "${ARCHIVERCMD}" ] ; then
 fi
 
 if [ -z "${MORECMD}" ]; then
-	type more 2>>/dev/null
-	ER=$?
-	if [ ${ER} -eq 0 ] ; then
-		MORECMD="more"
-	else
-		type less 2>>/dev/null
-		ER=$?
-		if [ ${ER} -eq 0 ] ; then
-			MORECMD="less"
-		else
-			MORECMD="cat"
-		fi
-	fi
+	MORECMD="cat"
 fi
 
 OSCFLAGS="-I${INCLUDEDIR} -I${PREFIX}/include/ -I/usr/local/include ${CFLAGS}"

examples/etc/turnserver.conf

@@ -615,9 +615,8 @@
 #
 #ne=[1|2|3]
 
-# Do not allow an SSL/TLS/DTLS version of protocol
+# Do not allow an TLS/DTLS version of protocol
 #
-#no-sslv3
 #no-tlsv1
 #no-tlsv1_1
 #no-tlsv1_2

man/man1/turnadmin.1

@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "13 September 2015" "" ""
+.TH TURN 1 "15 November 2015" "" ""
 .SH GENERAL INFORMATION
 
 \fIturnadmin\fP is a TURN administration tool. This tool can be used to manage 

man/man1/turnserver.1

@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "13 September 2015" "" ""
+.TH TURN 1 "15 November 2015" "" ""
 .SH GENERAL INFORMATION
 
 The \fBTURN Server\fP project contains the source code of a TURN server and TURN client 
@@ -276,10 +276,6 @@ Use 566 bits predefined DH TLS key. Default size of the key is 1066.
 Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
 .TP
 .B
-\fB\-\-no\-sslv3\fP
-Do not allow SSLv3 protocol.
-.TP
-.B
 \fB\-\-no\-tlsv1\fP
 Do not allow TLSv1/DTLSv1 protocol.
 .TP

man/man1/turnutils.1

@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "13 September 2015" "" ""
+.TH TURN 1 "15 November 2015" "" ""
 .SH GENERAL INFORMATION
 
 A set of turnutils_* programs provides some utility functionality to be used

rpm/build.settings.sh

@@ -2,7 +2,7 @@
 
 # Common settings script.
 
-TURNVERSION=4.5.0.2
+TURNVERSION=4.5.0.3
 BUILDDIR=~/rpmbuild
 ARCH=`uname -p`
 TURNSERVER_GIT_URL=https://github.com/coturn/coturn.git

rpm/turnserver-tmpfiles.conf

@@ -0,0 +1 @@
+d /run/turnserver 0750 turnserver turnserver -

rpm/turnserver.init.el

@@ -6,7 +6,7 @@
 # description: RFC 5766 TURN Server
 #
 # processname: turnserver
-# pidfile: /var/run/turnserver.pid
+# pidfile: /var/run/turnserver/turnserver.pid
 # config: /etc/turnserver/turnserver.conf
 #
 ### BEGIN INIT INFO
@@ -22,7 +22,7 @@
 TURN=/usr/bin/turnserver
 PROG=turnserver
 TURNCFG=/etc/turnserver/$PROG.conf
-PID_FILE=/var/run/$PROG.pid
+PID_FILE=/var/run/turnserver/$PROG.pid
 LOCK_FILE=/var/lock/subsys/$PROG
 DEFAULTS=/etc/sysconfig/$PROG
 RETVAL=0

rpm/turnserver.service.fc

@@ -4,12 +4,25 @@ Documentation=man:coturn(1) man:turnadmin(1) man:turnserver(1)
 After=syslog.target network.target
 
 [Service]
+User=turnserver
+Group=turnserver
 Type=forking
 EnvironmentFile=/etc/sysconfig/turnserver
-PIDFile=/var/run/turnserver.pid
+PIDFile=/var/run/turnserver/turnserver.pid
 ExecStart=/usr/bin/turnserver -o -c /etc/turnserver/turnserver.conf $EXTRA_OPTIONS
-ExecStopPost=/usr/bin/rm -f /var/run/turnserver.pid
+ExecStopPost=/usr/bin/rm -f /var/run/turnserver/turnserver.pid
 Restart=on-abort
 
+LimitCORE=infinity
+LimitNOFILE=999999
+LimitNPROC=60000
+LimitRTPRIO=infinity
+LimitRTTIME=7000000
+IOSchedulingClass=realtime
+IOSchedulingPriority=2
+CPUSchedulingPolicy=fifo
+CPUSchedulingPriority=1
+UMask=0007
+
 [Install]
 WantedBy=multi-user.target

rpm/turnserver.spec

@@ -1,5 +1,5 @@
 Name:		turnserver
-Version:	4.5.0.2
+Version:	4.5.0.3
 Release:	0%{dist}
 Summary:	Coturn TURN Server
 
@@ -44,7 +44,7 @@ STUN specs:
 The implementation fully supports the following client-to-TURN-server protocols:
 - UDP (per RFC 5766)
 - TCP (per RFC 5766 and RFC 6062)
-- TLS (per RFC 5766 and RFC 6062); SSL3/TLS1.0/TLS1.1/TLS1.2
+- TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2
 - DTLS (experimental non-standard feature)
 
 Supported relay protocols:
@@ -101,7 +101,7 @@ This package contains the TURN client development headers.
 
 %build
 PREFIX=%{_prefix} CONFDIR=%{_sysconfdir}/%{name} EXAMPLESDIR=%{_datadir}/%{name} \
-	MANPREFIX=%{_datadir} LIBDIR=%{_libdir} MORECMD=cat ./configure
+	MANPREFIX=%{_datadir} LIBDIR=%{_libdir} ./configure
 make
 
 %install
@@ -110,25 +110,24 @@ DESTDIR=$RPM_BUILD_ROOT make install
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig
 install -m644 rpm/turnserver.sysconfig \
 		$RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/turnserver
+sed -i -e "s/#syslog/syslog/g" \
+    -e "s/#no-stdout-log/no-stdout-log/g" \
+    $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/turnserver.conf.default
 %if 0%{?el6}
-cat $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/turnserver.conf.default | \
-    sed s/#syslog/syslog/g | \
-    sed s/#no-stdout-log/no-stdout-log/g > \
-    $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/turnserver.conf
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/rc.d/init.d
 install -m755 rpm/turnserver.init.el \
 		$RPM_BUILD_ROOT/%{_sysconfdir}/rc.d/init.d/turnserver
 %else
-cat $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/turnserver.conf.default | \
-    sed s/#syslog/syslog/g | \
-    sed s/#no-stdout-log/no-stdout-log/g | \
-    sed s/#pidfile/pidfile/g > \
-    $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/turnserver.conf
+sed -i -e "s/#pidfile/pidfile/g" \
+    -e "s:/var/run/turnserver.pid:/var/run/turnserver/turnserver.pid:g" \
+    $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/turnserver.conf.default
 mkdir -p $RPM_BUILD_ROOT/%{_unitdir}
 install -m755 rpm/turnserver.service.fc \
 		$RPM_BUILD_ROOT/%{_unitdir}/turnserver.service
 %endif
-rm -rf $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/turnserver.conf.default
+mv $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/turnserver.conf.default $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/turnserver.conf
+%{__install} -Dpm 0644 rpm/turnserver-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/turnserver.conf
+mkdir -p %{buildroot}%{_localstatedir}/run/turnserver
 
 %clean
 rm -rf "$RPM_BUILD_ROOT"
@@ -165,17 +164,19 @@ fi
 %defattr(-,root,root)
 %{_bindir}/turnserver
 %{_bindir}/turnadmin
-%{_localstatedir}/db/turndb
+%attr(0640,turnserver,turnserver) %{_localstatedir}/db/turndb
 %{_mandir}/man1/coturn.1.gz
 %{_mandir}/man1/turnserver.1.gz
 %{_mandir}/man1/turnadmin.1.gz
 %dir %attr(-,turnserver,turnserver) %{_sysconfdir}/%{name}
 %config(noreplace) %attr(0644,turnserver,turnserver) %{_sysconfdir}/%{name}/turnserver.conf
+%dir %attr(0750,turnserver,turnserver) %{_localstatedir}/run/turnserver
 %config(noreplace) %{_sysconfdir}/sysconfig/turnserver
 %if 0%{?el6}
 %config %{_sysconfdir}/rc.d/init.d/turnserver
 %else
 %config %{_unitdir}/turnserver.service
+%{_tmpfilesdir}/turnserver.conf
 %endif
 %dir %{_docdir}/%{name}
 %{_docdir}/%{name}/LICENSE
@@ -289,6 +290,8 @@ fi
 %{_includedir}/turn/client/TurnMsgLib.h
 
 %changelog
+* Sun Oct 11 2015 Oleg Moskalenko <mom040267@gmail.com>
+  - Sync to 4.5.0.3
 * Tue Sep 29 2015 Oleg Moskalenko <mom040267@gmail.com>
   - Sync to 4.5.0.2
 * Sun Sep 13 2015 Oleg Moskalenko <mom040267@gmail.com>

src/apps/common/apputils.c

@@ -1037,12 +1037,7 @@ static const char* turn_get_method(const SSL_METHOD *method, const char* mdefaul
 		if(!method)
 			return mdefault;
 		else {
-
-			if(method == SSLv3_server_method()) {
-				return "SSLv3";
-			} else if(method == SSLv3_client_method()) {
-				return "SSLv3";
-			} else if(method == SSLv23_server_method()) {
+			if(method == SSLv23_server_method()) {
 					return "SSLv23";
 			} else if(method == SSLv23_client_method()) {
 					return "SSLv23";

src/apps/relay/mainrelay.c

@@ -47,8 +47,6 @@ char HTTP_ALPN[128] = "http/1.1";
 
 ////// TURNDB //////////////
 
-#if defined(TURNDB)
-
 #if defined(Q)
 #undef Q
 #endif
@@ -63,12 +61,6 @@ char HTTP_ALPN[128] = "http/1.1";
 
 #define DEFAULT_USERDB_FILE QUOTE(TURNDB)
 
-#else
-
-#define DEFAULT_USERDB_FILE "/usr/local/var/db/turndb"
-
-#endif
-
 //////TURN PARAMS STRUCTURE DEFINITION //////
 
 #define DEFAULT_GENERAL_RELAY_SERVERS_NUMBER (1)
@@ -90,7 +82,7 @@ NULL,
 
 DH_1066, "", "", "",
 "turn_server_cert.pem","turn_server_pkey.pem", "", "",
-0,0,0,0,
+0,0,0,
 #if !TLS_SUPPORTED
 1,
 #else
@@ -526,7 +518,6 @@ static char Usage[] = "Usage: turnserver [options]\n"
 " --dh2066					Use 2066 bits predefined DH TLS key. Default size of the predefined key is 1066.\n"
 " --dh-file	<dh-file-name>			Use custom DH TLS key, stored in PEM format in the file.\n"
 "						Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.\n"
-" --no-sslv3					Do not allow SSLv3 protocol.\n"
 " --no-tlsv1					Do not allow TLSv1/DTLSv1 protocol.\n"
 " --no-tlsv1_1					Do not allow TLSv1.1 protocol.\n"
 " --no-tlsv1_2					Do not allow TLSv1.2/DTLSv1.2 protocol.\n"
@@ -710,7 +701,7 @@ enum EXTRA_OPTS {
 	DH2066_OPT,
 	NE_TYPE_OPT,
 	NO_SSLV2_OPT, /*deprecated*/
-	NO_SSLV3_OPT,
+	NO_SSLV3_OPT, /*deprecated*/
 	NO_TLSV1_OPT,
 	NO_TLSV1_1_OPT,
 	NO_TLSV1_2_OPT,
@@ -829,7 +820,7 @@ static const struct myoption long_options[] = {
 				{ "dh2066", optional_argument, NULL, DH2066_OPT },
 				{ "ne", required_argument, NULL, NE_TYPE_OPT },
 				{ "no-sslv2", optional_argument, NULL, NO_SSLV2_OPT }, /* deprecated */
-				{ "no-sslv3", optional_argument, NULL, NO_SSLV3_OPT },
+				{ "no-sslv3", optional_argument, NULL, NO_SSLV3_OPT }, /* deprecated */
 				{ "no-tlsv1", optional_argument, NULL, NO_TLSV1_OPT },
 				{ "no-tlsv1_1", optional_argument, NULL, NO_TLSV1_1_OPT },
 				{ "no-tlsv1_2", optional_argument, NULL, NO_TLSV1_2_OPT },
@@ -915,7 +906,7 @@ static void set_option(int c, char *value)
     //deprecated
 	  break;
   case NO_SSLV3_OPT:
-	  turn_params.no_sslv3 = get_bool_value(value);
+	  //deprecated
 	  break;
   case NO_TLSV1_OPT:
 	  turn_params.no_tlsv1 = get_bool_value(value);
@@ -2556,8 +2547,9 @@ static void set_ctx(SSL_CTX* ctx, const char *protocol)
 		op |= SSL_OP_NO_SSLv2;
 #endif
 
-		if(turn_params.no_sslv3)
+#if defined(SSL_OP_NO_SSLv2)
 			op |= SSL_OP_NO_SSLv3;
+#endif
 
 		if(turn_params.no_tlsv1)
 			op |= SSL_OP_NO_TLSv1;

src/apps/relay/mainrelay.h

@@ -198,8 +198,7 @@ typedef struct _turn_params_ {
   char pkey_file[1025];
   char tls_password[513];
   char dh_file[1025];
-  
-  int no_sslv3;
+
   int no_tlsv1;
   int no_tlsv1_1;
   int no_tlsv1_2;

src/apps/relay/ns_ioalib_engine_impl.c

@@ -1416,7 +1416,10 @@ ioa_socket_handle create_ioa_socket_from_fd(ioa_engine_handle e,
 static void ssl_info_callback(SSL *ssl, int where, int ret) {
 
     UNUSED_ARG(ret);
+    UNUSED_ARG(ssl);
+    UNUSED_ARG(where);
 
+#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
     if (0 != (where & SSL_CB_HANDSHAKE_START)) {
     	ioa_socket_handle s = (ioa_socket_handle)SSL_get_app_data(ssl);
     	if(s) {
@@ -1432,6 +1435,7 @@ static void ssl_info_callback(SSL *ssl, int where, int ret) {
     		}
     	}
     }
+#endif
 }
 
 typedef void (*ssl_info_callback_t)(const SSL *ssl,int type,int val);

src/apps/relay/turn_admin_server.c

@@ -701,7 +701,6 @@ static void cli_print_configuration(struct cli_session* cs)
 		cli_print_flag(cs,turn_params.no_dtls,"no-dtls",0);
 		cli_print_flag(cs,turn_params.no_tls,"no-tls",0);
 
-		cli_print_flag(cs,(!turn_params.no_sslv3 && !turn_params.no_tls),"SSLv3",0);
 		cli_print_flag(cs,(!turn_params.no_tlsv1 && !turn_params.no_tls),"TLSv1.0",0);
 		cli_print_flag(cs,(!turn_params.no_tlsv1_1 && !turn_params.no_tls),"TLSv1.1",0);
 		cli_print_flag(cs,(!turn_params.no_tlsv1_2 && !turn_params.no_tls),"TLSv1.2",0);
@@ -1963,7 +1962,6 @@ static void write_pc_page(ioa_socket_handle s)
 				https_print_flag(sb,turn_params.no_dtls,"no-dtls",0);
 				https_print_flag(sb,turn_params.no_tls,"no-tls",0);
 
-				https_print_flag(sb,(!turn_params.no_sslv3 && !turn_params.no_tls),"SSLv3",0);
 				https_print_flag(sb,(!turn_params.no_tlsv1 && !turn_params.no_tls),"TLSv1.0",0);
 				https_print_flag(sb,(!turn_params.no_tlsv1_1 && !turn_params.no_tls),"TLSv1.1",0);
 				https_print_flag(sb,(!turn_params.no_tlsv1_2 && !turn_params.no_tls),"TLSv1.2",0);

src/apps/uclient/mainuclient.c

@@ -483,12 +483,11 @@ int main(int argc, char **argv)
 		  root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(SSLv23_client_method());
 		  SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
 		  root_tls_ctx_num++;
-		  root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(SSLv3_client_method());
-		  SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
-		  root_tls_ctx_num++;
+
 		  root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(TLSv1_client_method());
 		  SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
 		  root_tls_ctx_num++;
+
 #if TLSv1_1_SUPPORTED
 		  root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(TLSv1_1_client_method());
 		  SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);

src/ns_turn_defs.h

@@ -31,7 +31,7 @@
 #ifndef __IOADEFS__
 #define __IOADEFS__
 
-#define TURN_SERVER_VERSION "4.5.0.2"
+#define TURN_SERVER_VERSION "4.5.0.3"
 #define TURN_SERVER_VERSION_NAME "dan Eider"
 #define TURN_SOFTWARE "Coturn-" TURN_SERVER_VERSION " '" TURN_SERVER_VERSION_NAME "'"