REST API credentials

[DotanS]

Hi,

I am trying using the REST API with the following settings:

- turnserver.conf:

lt-cred-mech

use-auth-secret

- redis DB:

turn/secret/dummy -> mysecret

- WebRTC client

username: 2404206032:myuser ( = timestamp:username)

credential: ZWVmMjllZTg3MjFiMzk3ZGUxMmZlZTZjMDljNTM4NDhmMzA5MDZiNA== ( = BASE64-ENCODE(HMAC-SHA1(mysecret,username)))

TURN Server reports: ERROR: check_stun_auth: Cannot find credentials of user <2404206032:myuser>

Please advise

[Oleg Moskalenko]

The realm setting has to be used, too.

Sent from my iPhone

--
You received this message because you are subscribed to the Google Groups "TURN Server (Open-Source project)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to turn-server-project-rfc57...@googlegroups.com.
To post to this group, send email to turn-server-project...@googlegroups.com.
Visit this group at http://groups.google.com/group/turn-server-project-rfc5766-turn-server.
For more options, visit https://groups.google.com/d/optout.

[DotanS]

Yes, realm is also set. It was omitted accidentally.

- turnserver.conf:

lt-cred-mech

use-auth-secret

realm=mycompany

On Tuesday, July 1, 2014 6:45:06 PM UTC+3, Oleg Moskalenko wrote:

The realm setting has to be used, too.

Sent from my iPhone

On Jul 1, 2014, at 7:34 AM, DotanS <dota...@gmail.com> wrote:

Hi,

I am trying using the REST API with the following settings:

- turnserver.conf:

lt-cred-mech

use-auth-secret

- redis DB:

turn/secret/dummy -> mysecret

- WebRTC client

username: 2404206032:myuser ( = timestamp:username)

credential: ZWVmMjllZTg3MjFiMzk3ZGUxMmZlZTZjMDljNTM4NDhmMzA5MDZiNA== ( = BASE64-ENCODE(HMAC-SHA1(mysecret,username)))

TURN Server reports: ERROR: check_stun_auth: Cannot find credentials of user <2404206032:myuser>

Please advise

--
You received this message because you are subscribed to the Google Groups "TURN Server (Open-Source project)" group.

To unsubscribe from this group and stop receiving emails from it, send an email to turn-server-project-rfc5766-turn-server+unsubscribe@googlegroups.com.
To post to this group, send email to turn-server-project-rfc5766-turn-...@googlegroups.com.

[Oleg Moskalenko]

try to compare your settings to the script in examples/scripts/restapi/secure_relay_secret_with_db_redis.sh and to the redis settings in turndb/testredisdbsetup.sh. I cannot verify that you calculated the key correctly.

[DotanS]

Hi Oleg,

Does the generated credential needed to be stored at the user DB too?

Currently, only the secret is stored.

On Tuesday, July 1, 2014 7:43:56 PM UTC+3, Oleg Moskalenko wrote:

try to compare your settings to the script in examples/scripts/restapi/secure_relay_secret_with_db_redis.sh and to the redis settings in turndb/testredisdbsetup.sh. I cannot verify that you calculated the key correctly.

On Tuesday, July 1, 2014 8:50:09 AM UTC-7, DotanS wrote:

[Oleg Moskalenko]

No, the generated credentials are ephemeral and they are not stored anywhere.

[DotanS]

OK, but once the user obtains the generated credential, does it perform the LTC mechanism? In that case, the TURN server is looking for the user password by the username?

[Oleg Moskalenko]

Sent from my iPhone

On Jul 1, 2014, at 10:38 AM, DotanS <dota...@gmail.com> wrote:

OK, but once the user obtains the generated credential, does it perform the LTC mechanism?

Yes

In that case, the TURN server is looking for the user password by the username?

No

To unsubscribe from this group and stop receiving emails from it, send an email to turn-server-project-rfc57...@googlegroups.com.
To post to this group, send email to turn-server-project...@googlegroups.com.

[DotanS]

Hi Oleg,

Thanks for you reply. I find out the issue, which was wrong calculation of the HMAC value.

For future assistance to others, I posting the shell command for generating the encoded HMAC used as credential for TURN session:

echo -n "USERCOMBO" | openssl dgst -TURN-DIGEST-ALGORITHM -hmac "SECRET" -binary | base64

where:

USERCOMBO = timestamp:username

TURN-DIGEST-ALGORITHM = sha1 | sha256 (matching turnserver configuration. default is sha1)

SECRET = REST API secret value

[Oleg Moskalenko]

Thanks for sharing the information.

Oleg

Sent from my iPhone

To unsubscribe from this group and stop receiving emails from it, send an email to turn-server-project-rfc57...@googlegroups.com.
To post to this group, send email to turn-server-project...@googlegroups.com.

[Padma Prasad Dharmaraja]

Hi Oleg,

Even I was facing the same issue as DotanS,  turnserver.conf points wrong way of generating hash which is hmac(secret key, usercombo).

Instead the way hash is generated is hmac( usercombo,secret key), its reversed.

The shell script helped me to figure that out and was able to fix it.

I am using hmac-sha1.js on client side to create hash and works fine after reversing the hash ( hmac) parameters.

Example to run hash and password using bash:

to verify hash:

echo -n "timestamp:username" | openssl dgst -sha1 -hmac "secret"

to verify password:

echo -n "timestamp:username" | openssl dgst -sha1 -hmac "secret" -binary | base64

Hope this helps others as well.

-Padma Prasad

On Wednesday, 2 July 2014 20:45:49 UTC+5:30, Oleg Moskalenko wrote:

Thanks for sharing the information.

[Oleg Moskalenko]

I'll clarify that in the next build.

Regards,
Oleg