Will a self-signed cert provided to the turnserver work with chrome for a simple WebRTC experiment?


auro tripathy

Jan 16, 2015, 10:55:20 AM
to turn-server-project...@googlegroups.com

Hi,
Need help.
Will a self-signed cert provided to the turnserver work with Chrome for a simple WebRTC experiment?
The Chrome version is 40.0.2214.85 beta (64-bit).
Please see the line highlighted in yellow.
Also, after a minute or so the connection is closed by the turnserver (as far as I can tell, by a TCP reset).


Client-side

auro-mbp:~ tripathy_a$ openssl s_client -connect xx.xx.xx.xx:443
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Mountain View/O=company/OU=NCS/CN=deveng1.remotewd2.com/emailAddress=first...@company.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=company/OU=NCS/CN=deveng1.remotewd2.com/emailAddress=first...@company.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=company/OU=NCS/CN=deveng1.remotewd2.com/emailAddress=first...@company.com
   i:/C=US/ST=California/L=Mountain View/O=company/OU=NCS/CN=deveng1.remotewd2.com/emailAddress=first...@company.com
---

Turnserver-side

1045: IPv4. tcp or tls connected to: xx.xx.xx.xx:50471
1105: session 000000000000000005: closed (2nd stage), user <>, local yy.yy.yy.yy:443, remote xx.xx.xx.xx:50471, reason: allocation watchdog determined stale session state
1105: session 000000000000000005: SSL shutdown received, socket to be closed (local yy.yy.yy.yy:443, remote xx.xx.xx.xx:50471)


Oleg Moskalenko

Jan 16, 2015, 12:12:58 PM
to auro tripathy, turn-server-project...@googlegroups.com
The connection is closed because there is a timeout on the allocation completion. The ssl client installs the ssl connection but it cannot complete the TURN allocation process.

Chrome probably will need a setting to accept a self-signed certificate.

Sent from my iPhone
--
You received this message because you are subscribed to the Google Groups "TURN Server (Open-Source project)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to turn-server-project-rfc57...@googlegroups.com.
To post to this group, send email to turn-server-project...@googlegroups.com.
Visit this group at http://groups.google.com/group/turn-server-project-rfc5766-turn-server.
For more options, visit https://groups.google.com/d/optout.

auro tripathy

Jan 16, 2015, 5:58:22 PM
to turn-server-project...@googlegroups.com, auro.t...@gmail.com
Thanks. Once Chrome was allowed to accept my self-signed cert, I get "ALLOCATE success". 

But still *no* video-chat session over TCP :-(

With your permission, I'll resurrect the old thread about TURN-TCP relay and WebRTC (which was not conclusive at all).

23: session 000000000000000003: user <>: incoming packet message processed, error 401: Unauthorised
23: IPv4. Local relay addr: xx.xx.xx.xx:65192
23: session 000000000000000003: new, username=<user1>, lifetime=600, cipher=DHE-RSA-AES256-SHA, method=TLSv1.0 (TLSv1.0)
23: session 000000000000000003: user <user1>: incoming packet ALLOCATE processed, success
41: IPv4. tcp or tls connected to: 12.0.66.43:57975
41: session 000000000000000004: user <>: incoming packet message processed, error 401: Unauthorised
41: IPv4. Local relay addr: xx.xx.xx.xx:50333
41: session 000000000000000004: new, username=<user1>, lifetime=600, cipher=DHE-RSA-AES256-SHA, method=TLSv1.0 (TLSv1.0)
41: session 000000000000000004: user <user1>: incoming packet ALLOCATE processed, success


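A way to read turnserver logs like the ones quoted in this thread, as an added example that is not part of the original posts or the project's code: it groups lines by session and separates sessions that completed ALLOCATE from those the allocation watchdog closed without one. The `triage` function, its state names and the sample addresses are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted in this thread
# (addresses are placeholders from the documentation ranges).
SAMPLE_LOG = """\
1045: IPv4. tcp or tls connected to: 192.0.2.10:50471
1105: session 000000000000000005: closed (2nd stage), user <>, local 198.51.100.5:443, remote 192.0.2.10:50471, reason: allocation watchdog determined stale session state
23: session 000000000000000003: user <>: incoming packet message processed, error 401: Unauthorised
23: session 000000000000000003: new, username=<user1>, lifetime=600, cipher=DHE-RSA-AES256-SHA, method=TLSv1.0 (TLSv1.0)
23: session 000000000000000003: user <user1>: incoming packet ALLOCATE processed, success
"""

SESSION = re.compile(r"^\d+: session (\d+): (.*)$")
TLS = re.compile(r"cipher=([^,\s]+), method=(\S+)")

def triage(log_text):
    """Return {session_id: {"state": str, "tls": (cipher, method) or None}}."""
    sessions = defaultdict(lambda: {"state": "no-turn-traffic", "tls": None})
    for line in log_text.splitlines():
        m = SESSION.match(line.strip())
        if not m:
            continue  # connection notices carry no session id
        sid, event = m.groups()
        s = sessions[sid]
        tls = TLS.search(event)
        if tls:
            s["tls"] = (tls.group(1), tls.group(2))
        if "ALLOCATE processed, success" in event:
            s["state"] = "allocated"
        elif s["state"] == "allocated":
            continue  # later events do not undo a completed allocation
        elif "error 401" in event:
            # An unauthenticated first request is answered with 401 under
            # the TURN long-term credential mechanism (RFC 5766).
            s["state"] = "challenged"
        elif "allocation watchdog determined stale session state" in event:
            # Transport came up, but no allocation was ever completed.
            s["state"] = "stale-no-allocation"
    return dict(sessions)

if __name__ == "__main__":
    for sid, info in sorted(triage(SAMPLE_LOG).items()):
        print(sid, info["state"], info["tls"])
```

A session that ends as `stale-no-allocation` with no `tls` fields matches the first post's symptom: the transport connected but the client never got as far as a TURN request.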

Oleg Moskalenko

Jan 16, 2015, 6:55:40 PM
to auro tripathy, turn-server-project...@googlegroups.com
I am afraid that TURN-TCP relay is not going to be supported by WebRTC, anyway.



auro tripathy

Jan 20, 2015, 4:36:21 PM
to turn-server-project...@googlegroups.com, auro.t...@gmail.com
OK, thank you. 

I'm guessing it's because the data channel uses the SCTP transport and there isn't a use case for TCP transport for browser-to-browser communication.

Oleg Moskalenko

Jan 20, 2015, 4:41:18 PM
to auro tripathy, turn-server-project...@googlegroups.com
TURN-TCP (RFC 6062) is about relay-to-relay or relay-to-browser communications.

Browser-to-TURN-server TCP communications are perfectly covered by the original  RFC 5766 TURN specs.

