REST API credentials


DotanS

Jul 1, 2014, 10:34:45 AM
to turn-server-project...@googlegroups.com
Hi,

I am trying to use the REST API with the following settings:

- turnserver.conf:

lt-cred-mech
use-auth-secret

- redis DB:

turn/secret/dummy -> mysecret

- WebRTC client

username: 2404206032:myuser ( = timestamp:username)
credential: ZWVmMjllZTg3MjFiMzk3ZGUxMmZlZTZjMDljNTM4NDhmMzA5MDZiNA== ( = BASE64-ENCODE(HMAC-SHA1(mysecret,username)))

TURN Server reports: ERROR: check_stun_auth: Cannot find credentials of user <2404206032:myuser>

Please advise

Oleg Moskalenko

Jul 1, 2014, 11:45:06 AM
to DotanS, turn-server-project...@googlegroups.com
The realm setting has to be used, too.

Sent from my iPhone
--
You received this message because you are subscribed to the Google Groups "TURN Server (Open-Source project)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to turn-server-project-rfc57...@googlegroups.com.
To post to this group, send email to turn-server-project...@googlegroups.com.
Visit this group at http://groups.google.com/group/turn-server-project-rfc5766-turn-server.
For more options, visit https://groups.google.com/d/optout.

DotanS

Jul 1, 2014, 11:50:09 AM
to turn-server-project...@googlegroups.com, dota...@gmail.com
Yes, realm is also set. It was omitted accidentally.

- turnserver.conf:

lt-cred-mech
use-auth-secret
realm=mycompany



Oleg Moskalenko

Jul 1, 2014, 12:43:56 PM
Try to compare your settings to the script in examples/scripts/restapi/secure_relay_secret_with_db_redis.sh and to the redis settings in turndb/testredisdbsetup.sh. I cannot verify that you calculated the key correctly.

DotanS

Jul 1, 2014, 1:06:47 PM
to turn-server-project...@googlegroups.com
Hi Oleg,

Does the generated credential need to be stored in the user DB too?
Currently, only the secret is stored.



Oleg Moskalenko

Jul 1, 2014, 1:33:06 PM
to turn-server-project...@googlegroups.com
No, the generated credentials are ephemeral and they are not stored anywhere.

DotanS

Jul 1, 2014, 1:38:22 PM
to turn-server-project...@googlegroups.com
OK, but once the user obtains the generated credential, does it perform the LTC mechanism? In that case, the TURN server is looking for the user password by the username?

Oleg Moskalenko

Jul 1, 2014, 3:31:17 PM
to DotanS, turn-server-project...@googlegroups.com


Sent from my iPhone

On Jul 1, 2014, at 10:38 AM, DotanS <dota...@gmail.com> wrote:

OK, but once the user obtains the generated credential, does it perform the LTC mechanism?

Yes

In that case, the TURN server is looking for the user password by the username?

No


DotanS

Jul 2, 2014, 4:25:26 AM
to turn-server-project...@googlegroups.com, dota...@gmail.com
Hi Oleg,

Thanks for your reply. I found the issue, which was a wrong calculation of the HMAC value.

For future assistance to others, I am posting the shell command for generating the encoded HMAC used as the credential for a TURN session:

echo -n "USERCOMBO" | openssl dgst -TURN-DIGEST-ALGORITHM -hmac "SECRET" -binary | base64

where:

USERCOMBO = timestamp:username
TURN-DIGEST-ALGORITHM = sha1 | sha256 (matching turnserver configuration. default is sha1)
SECRET = REST API secret value

Oleg Moskalenko

Jul 2, 2014, 11:15:49 AM
to DotanS, turn-server-project...@googlegroups.com
Thanks for sharing the information.

Oleg

Sent from my iPhone

Padma Prasad Dharmaraja

Feb 16, 2015, 7:30:44 AM
to turn-server-project...@googlegroups.com, dota...@gmail.com
Hi Oleg,
I was also facing the same issue as DotanS: turnserver.conf points to the wrong way of generating the hash, which is hmac(secret key, usercombo).
Instead, the way the hash is generated is hmac(usercombo, secret key); it's reversed.

The shell script helped me to figure that out and I was able to fix it.
I am using hmac-sha1.js on the client side to create the hash, and it works fine after reversing the hash (hmac) parameters.

Example to run hash and password using bash:
to verify hash:
echo -n "timestamp:username" | openssl dgst -sha1 -hmac "secret"

to verify password:
echo -n "timestamp:username" | openssl dgst -sha1 -hmac "secret" -binary | base64

Hope this helps others as well.

-Padma Prasad
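
Added example (not part of the original posts and not the project's code): a Python version of the credential calculation from the two posts above, using the REST API secret as the HMAC key and timestamp:username as the message, exactly as the openssl commands do. swapped_roles() and diagnose() are hypothetical helper names; the sample values are the ones quoted in the first post, whose credential decodes to 40 hex characters rather than a 20-byte SHA-1 digest.

```python
import base64
import binascii
import hmac
import string

# Values quoted in the first post of this thread.
SECRET = "mysecret"
USERCOMBO = "2404206032:myuser"
POSTED = "ZWVmMjllZTg3MjFiMzk3ZGUxMmZlZTZjMDljNTM4NDhmMzA5MDZiNA=="
DIGEST_SIZE = {"sha1": 20, "sha256": 32}  # raw HMAC output length in bytes

def turn_credential(secret, usercombo, algo="sha1"):
    """base64 of the raw digest; key = REST API secret, message = usercombo."""
    mac = hmac.new(secret.encode(), usercombo.encode(), algo)
    return base64.b64encode(mac.digest()).decode()

def swapped_roles(secret, usercombo, algo="sha1"):
    """Same call with key and message exchanged (hypothetical helper that
    reproduces an argument-order mix-up so it can be told apart)."""
    return turn_credential(usercombo, secret, algo)

def diagnose(credential, algo="sha1"):
    """Classify a credential string by the shape of its decoded bytes
    (hypothetical helper, not a turnserver function)."""
    try:
        raw = base64.b64decode(credential, validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    size = DIGEST_SIZE[algo]
    if len(raw) == size:
        return "ok-shape"
    if len(raw) == 2 * size and all(chr(b) in string.hexdigits for b in raw):
        return "hex-digest-was-base64-encoded"  # hex text, not raw bytes
    return "wrong-length"

def verify(secret, usercombo, credential, algo="sha1"):
    """Recompute the credential and compare it in constant time."""
    expected = turn_credential(secret, usercombo, algo).encode()
    return hmac.compare_digest(expected, credential.encode())

if __name__ == "__main__":
    good = turn_credential(SECRET, USERCOMBO)
    for label, cred in [("recomputed", good), ("posted", POSTED),
                        ("swapped", swapped_roles(SECRET, USERCOMBO))]:
        print(label, diagnose(cred), verify(SECRET, USERCOMBO, cred))
```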


Oleg Moskalenko

Feb 16, 2015, 12:16:05 PM
to turn-server-project...@googlegroups.com, dota...@gmail.com
I'll clarify that in the next build.

Regards,
Oleg