How to set CA-file in turnserver.conf AND suppress the client Certificate Verify.


iwasaki_at_silklab

Aug 17, 2021, 11:36:20 PM
to TURN Server (Open-Source project)
Hi all,

Is there a way to set the 'CA-file' option in turnserver.conf AND suppress the verification of the client certificates?

I'm trying to establish DTLSv1.2 communication from turnutils_uclient to turnserver, which is deployed on a public server with a certificate chain signed by a well-known agency.
That is, the CA-file option is filled with the root CA file path.
Unfortunately, the TLS handshake fails at the verification of the client certificates.
I'd like to know how to suppress the verification of the client certificates.

Thanks for your help
iwasaki

Warren McDonald

Aug 19, 2021, 8:38:17 PM
to TURN Server (Open-Source project)
Hi,

The use of the CA file is what enables the checking of client certificates. You don't need this for TLS or DTLS connections.

Instead you need to create a private key and request a certificate from a well-known CA, so that the browser will accept it, and configure these in the cert= and pkey= parameters.
Also set pkey-pwd= if the private key is protected.

Note: The certificate has to be within its valid date range, but CN checking against the DNS address is not used, to allow for fan-out to alternate servers with different names and certs.
i.e. I could install a cert with cn=turn.example.com on a server with DNS turn.example.com, but also use the same cert on other servers addressed as turn1.example.com, turn2.example.com etc.

Warren

iwasaki_at_silklab

Aug 20, 2021, 5:04:02 AM
to TURN Server (Open-Source project)
Warren, thanks for your help.

Our turnserver is already configured with its own private key and its cert file issued by a not-so-well-known CA.
According to your advice, we need to eliminate the CA-file setting from turnserver.conf and move the root CA file to the client side - is that right?
If turnutils_uclient is used, its -E option has to be set with the root CA file moved from the server - is this right?

 iwasaki

On Friday, August 20, 2021 at 9:38:17 UTC+9, Warren McDonald wrote:

iwasaki_at_silklab

Aug 22, 2021, 11:36:27 PM
to TURN Server (Open-Source project)
Warren,
In my last message, "to move the root CA file to the client" seems misleading.
The root CA should be acquired from the CA by clients independently.

One question remains, about the intermediate certificates.
What is the appropriate configuration of the intermediate certificates chained to the server certificate?

  iwasaki

On Friday, August 20, 2021 at 18:04:02 UTC+9, iwasaki_at_silklab wrote:
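An added example, not code from the thread or from the coturn project, that walks through the setup Warren describes and the intermediate-certificate question left open above. It builds a throwaway root -> intermediate -> server chain with openssl, writes the cert=/pkey= configuration without CA-file beside the CA-file variant that makes turnserver demand client certificates, and checks that the chain file verifies up to the root. The CA names, turn.example.com, the file names and the small lint function are all constructed for the demo. The chain ordering (server leaf first, then intermediates, root omitted) assumes coturn hands cert= to OpenSSL's certificate-chain-file loader; that is my understanding of coturn, so check it against the version in use. Only the -E option of turnutils_uclient is taken from the thread; no TURN client or server is run here.

```shell
#!/bin/sh
# Added example (not from the thread or from coturn): build a demo
# root -> intermediate -> server chain with openssl, lay the files out the way
# turnserver.conf consumes them, and check the two points the thread turns on:
#   1. cert= holds the server's chain (leaf first, then intermediates), pkey= its key;
#   2. CA-file= stays unset, because setting it turns on client-certificate checks.
# Every name below (Demo Root CA, turn.example.com, file names) is constructed.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to do" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"

# X.509v3 extensions for the CA certificates and for the server leaf.
write_ext_files() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:turn.example.com\n' \
        > "$WORK/server.ext"
}

# Issue one certificate: $1 = file base name, $2 = subject, $3 = ext file,
# $4 = issuer base name ("" means self-signed).
issue() {
    name=$1; subj=$2; ext=$3; issuer=$4
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 365 -sha256 -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
            -CAcreateserial -days 365 -sha256 -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
    fi
}

make_chain() {
    write_ext_files
    issue root         "/CN=Demo Root CA"         "$WORK/ca.ext"     ""
    issue intermediate "/CN=Demo Intermediate CA" "$WORK/ca.ext"     root
    issue server       "/CN=turn.example.com"     "$WORK/server.ext" intermediate
    # Contents of cert=: the leaf first, then each intermediate up to (not including) the root.
    # Assumption: coturn passes cert= to OpenSSL's chain-file loader, which expects this order.
    cat "$WORK/server.pem" "$WORK/intermediate.pem" > "$WORK/turn_server_chain.pem"
}

# The configuration the thread arrives at: server identity via cert=/pkey=, no CA-file.
write_good_conf() {
    cat > "$WORK/turnserver.conf" <<EOF
listening-port=3478
tls-listening-port=5349
cert=$WORK/turn_server_chain.pem
pkey=$WORK/server.key
# pkey-pwd=...     only if the private key file is encrypted
# CA-file is intentionally absent: it would make turnserver verify client certificates
EOF
}

# The configuration that caused the original failure: CA-file set, so clients must present certs.
write_bad_conf() {
    cat > "$WORK/turnserver.bad.conf" <<EOF
cert=$WORK/turn_server_chain.pem
pkey=$WORK/server.key
CA-file=$WORK/root.pem
EOF
}

# Returns 0 when the given turnserver.conf will demand client certificates (CA-file set).
conf_demands_client_certs() {
    grep -Eiq '^[[:space:]]*ca-file[[:space:]]*=' "$1"
}

# Subject of the first certificate in the cert= file; it must be the server leaf.
first_cert_subject() {
    openssl x509 -in "$WORK/turn_server_chain.pem" -noout -subject
}

# Returns 0 when the leaf verifies up to the root using only the intermediates bundled in cert=.
chain_verifies() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/turn_server_chain.pem" \
        "$WORK/server.pem" >/dev/null 2>&1
}

make_chain
write_good_conf
write_bad_conf
echo "demo files written to $WORK"
echo "a client verifies the server with the root CA it trusts, e.g. turnutils_uclient -E $WORK/root.pem ... (not run here)"
```

The root certificate is deliberately absent from the cert= file: the client supplies it from its own trust store (or via -E for turnutils_uclient), while the server only needs to send the leaf and the intermediates that lead to it. Re-adding CA-file, as in turnserver.bad.conf, reintroduces the client-certificate requirement the original poster ran into.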