how to force only SSL/TLS listening sockets?


Julio Carlos Barrera Juez

Jan 7, 2016, 11:17:58 AM
to TURN Server (Open-Source project)

I have a successful deployment with coturn as a STUN/TURN server. I want to force all client connections to use SSL/TLS sockets. I tried disabling the plain sockets with the no-tcp and no-udp flags, but that only stops it listening on port 3478. It continues accepting plain connections on port 5349, and I want to accept only SSL/TLS connections.

How can I force coturn to listen/accept only SSL/TLS connections?

Oleg Moskalenko

Jan 7, 2016, 4:47:26 PM
to Julio Carlos Barrera Juez, TURN Server (Open-Source project)
I do not think that there is a way to achieve that. Create an issue in
the project page. I believe that --no_tcp and --no_udp options must do
just that. If they do not work that way, then this is a bug and it
has to be fixed.

Julio Carlos Barrera Juez

Jan 8, 2016, 5:57:23 AM
to TURN Server (Open-Source project), juliocarl...@i2cat.net
The current documentation in the configuration file and the flag help says:

-p, --listening-port <port> TURN listener port for UDP and TCP listeners (Default: 3478). Note: actually, TLS & DTLS sessions can connect to the "plain" TCP & UDP port(s), too - if allowed by configuration.

and

# TURN listener port for TLS (Default: 5349).
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
# port(s), too - if allowed by configuration. The TURN server
# "automatically" recognizes the type of traffic. Actually, two listening
# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
# functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
# For secure TCP connections, we currently support SSL version 3 and
# TLS version 1.0, 1.1 and 1.2.
# For secure UDP connections, we support DTLS version 1.
#
#tls-listening-port=5349

It says "if allowed by configuration". I supposed that the no-udp and no-tcp flags disable the plain sockets, but the behaviour is different: if I activate both flags, coturn stops listening on port 3478 and only listens on port 5349. On this port I can connect using TLS (TCP) and DTLS (UDP), but sniffing the network and checking with Google Chrome and Mozilla Firefox, both connect using plain sockets (moreover, neither of them supports stuns yet).

As you mentioned, I created the issue here: https://github.com/coturn/coturn/issues/33

Thank you for your help, Oleg.

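The observation above (the TLS/DTLS port answering unencrypted STUN) is easy to verify from the outside. The following probe is an added example, not code from the coturn project or from anyone in this thread: it opens a plain TCP or UDP socket to the port you name, sends an RFC 5389 Binding Request with no attributes, and reports whether a STUN Binding Response comes back. It can also wrap the TCP connection in TLS so you can compare the two. The host, port, timeout and server-name arguments are assumed parameters, and the bytes in the comments are constructed for illustration.

```python
"""Probe whether a STUN/TURN port answers unencrypted STUN.

Added example for checking a coturn deployment; not coturn's own code.
Usage: python stun_probe.py turn.example.org 5349   (host/port assumed)
"""
import os
import socket
import ssl
import struct

STUN_MAGIC_COOKIE = 0x2112A442   # RFC 5389 magic cookie
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
BINDING_ERROR = 0x0111
HEADER_LEN = 20


def build_binding_request(transaction_id=None):
    """Return a 20-byte Binding Request (type, length=0, cookie, 12-byte TID)."""
    if transaction_id is None:
        transaction_id = os.urandom(12)
    if len(transaction_id) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + transaction_id


def parse_stun_header(data):
    """Return (msg_type, body_length, transaction_id), or None if the bytes
    are not a complete STUN message (top two type bits set, wrong cookie,
    or fewer bytes than the header's length field announces)."""
    if len(data) < HEADER_LEN:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if msg_type & 0xC000 or cookie != STUN_MAGIC_COOKIE:
        return None
    if len(data) < HEADER_LEN + length:
        return None
    return msg_type, length, data[8:20]


def is_binding_response(data, transaction_id):
    """True if data is a Binding Success/Error Response to our transaction."""
    hdr = parse_stun_header(data)
    if hdr is None:
        return False
    msg_type, _, tid = hdr
    return msg_type in (BINDING_SUCCESS, BINDING_ERROR) and tid == transaction_id


def _recv_exact(sock, n):
    """Read exactly n bytes from a stream socket, fewer only on EOF."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def recv_stun_message(sock):
    """Read one STUN message from a stream: header, then the announced body.
    If the header is not STUN (e.g. a TLS alert, bytes 16 03 ..), return it
    as-is rather than waiting for a body that will never arrive."""
    buf = _recv_exact(sock, HEADER_LEN)
    if len(buf) < HEADER_LEN:
        return buf
    _, length, cookie = struct.unpack("!HHI", buf[:8])
    if cookie != STUN_MAGIC_COOKIE:
        return buf
    return buf + _recv_exact(sock, length)


def probe_stun_tcp(host, port, use_tls=False, timeout=3.0, server_name=None):
    """Send a Binding Request over TCP (plain, or TLS if use_tls) and report
    whether a Binding Response came back.  True with use_tls=False on the
    TLS port means the server accepts unencrypted STUN/TURN there."""
    tid = os.urandom(12)
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        sock = ctx.wrap_socket(sock, server_hostname=server_name or host)
    with sock:
        sock.sendall(build_binding_request(tid))
        try:
            data = recv_stun_message(sock)
        except socket.timeout:
            return False
    return is_binding_response(data, tid)


def probe_stun_udp(host, port, timeout=3.0):
    """Same check over plain UDP (the DTLS port should ideally not answer)."""
    tid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(tid), (host, port))
        try:
            data, _ = sock.recvfrom(2048)
        except socket.timeout:
            return False
    return is_binding_response(data, tid)


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    print("plain TCP :", probe_stun_tcp(host, port))
    print("TLS  TCP  :", probe_stun_tcp(host, port, use_tls=True))
    print("plain UDP :", probe_stun_udp(host, port))
```

Run it against both 3478 and 5349: if the plain TCP and plain UDP probes return True on 5349, the TLS port is accepting cleartext exactly as described in the thread, and the only server-side control available at this point is which ports are open, not which transports they accept. A False from the plain probe together with a True from the TLS probe is what a TLS-only listener would look like.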

Xavi Noguera

Nov 4, 2016, 7:43:46 AM
to TURN Server (Open-Source project), juliocarl...@i2cat.net
Hello Julio Carlos,

Could you solve the problem? We are looking into securing CoTurn, but we have the same problem as you.

Thank you.

On Friday, 8 January 2016 11:57:23 UTC+1, Julio Carlos Barrera Juez wrote:

Julio Carlos Barrera Juez

Nov 7, 2016, 3:39:59 AM
to Xavi Noguera, TURN Server (Open-Source project)
Hi.

I didn't take any further action, because I'm only a user of coturn and don't know how to develop changes to it.

Kind regards.

Julio C. Barrera Juez
Head of Engineering at Software Engineering Group (SEG)
i2CAT Foundation
