My coTurn Server fails in Chrome but it works fine in Firefox.

1,819 views
Skip to first unread message

Héctor Juan Martínez Guzmán

unread,
Nov 19, 2014, 10:07:20 AM11/19/14
to turn-server-project...@googlegroups.com

What steps will reproduce the problem?
1. Setup coturn in AWS Amazon instances, lt-cred-mech, use-auth-secret, static-auth-secret=Veureka123, without database, just generic username (timestamp:userx), credential base64(hmac(Veureka123, username)).
2. Use SimpleWebRTC in client side.
3. Create crdentials like:

self.webrtc.config.peerConnectionConfig.iceServers = [{"url" : "stun:myStunIP:3478"},
            { 
            "url" : "turn:myTurnIP:3478?transport=udp",
            "username": username,
            "credential":hashEncoded
            }];

What is the expected output? What do you see instead?

In Firefox it works fine, but in Chrome it isn't.


What version of the product are you using? On what operating system?
I test coTurn 4.2.3.1, 4.0.0.0 and 4.1.1.1, all they fail. All in Ubuntu 13.10


Is there any reason of structure in ice servers config?? I tried use adapterjs but simplewebrtc don't supports it.

Thanks for your time.

Regards, Hector

Oleg Moskalenko

unread,
Nov 19, 2014, 12:43:12 PM11/19/14
to turn-server-project...@googlegroups.com
As far as I know, there are problems in some Chrome builds in regard to the TURN operations.

There are no known bugs in the TURN server.

Regards,
Oleg

Héctor Juan Martínez Guzmán

unread,
Nov 19, 2014, 1:10:07 PM11/19/14
to turn-server-project...@googlegroups.com
Thanks for your time and response, I have doubts about that because I have used restund and xirsys servers and I have not had any problems with that, so I though the only reason for the error in the server (error 401, unauthorized) can be for the credentials format.

What do you think?

Regards, Hector

Oleg Moskalenko

unread,
Nov 19, 2014, 1:57:49 PM11/19/14
to turn-server-project...@googlegroups.com
then... why Firefox works ?

Coturn uses exactly the same credentials format as rfc5766-turn-server. Except that it has extra capabilities (like origin).

Try to compare Firefox and Chrome TURN traffic in wireshark, and try to find the difference.

Oleg Moskalenko

unread,
Nov 19, 2014, 4:21:37 PM11/19/14
to turn-server-project...@googlegroups.com
if you cannot find out what is the problem, then send the wireshark captures to me - with Firefox, with Chrome and Chrome/restund combination.

I guess that the most probable reason is that you misconfigured the coturn server (its database structure is slightly different from rfc5766-turn-server).

Oleg Moskalenko

unread,
Nov 26, 2014, 2:07:13 AM11/26/14
to turn-server-project...@googlegroups.com
Did you solve the problem ?

Héctor Juan Martínez Guzmán

unread,
Nov 26, 2014, 1:15:54 PM11/26/14
to turn-server-project...@googlegroups.com
Sorry sir, I have not solved my problem yet. I want to explain better the situation:

FIRST:

  • I download and install coturn server in an Amazon instance, I use the .deb package and gdebi.
  • I configured the server just changing the follow lines in the .conf file:
  • listening-port=3478
  • external-ip=[MyExternalIP]
  • lt-cred-mech
  • use-auth-secret
  • static-auth-secret=[MySecret]
  • All else as default
  • My client app generate the credential with base64(hmac(MySecret, username)), where username = timestamp:useridX. I know that generation must be secure but now it is just for test.
  • Using all that in two different networks, one behind a proxy, I have the follow results:
    • With Firefox-Firefox peers it works perfectly! The Firefox webrtc log shows some like this:
    • so it is working fine, but when a use a Chrome-Firefox or Chrome-Chrome peers it just show the two first candidates and in the server shows the error "error 401, unauthorized".

For all that I think the error is that coturn is not receiving the credentials in the right format, because it looks like the auth fails and thats the reason the turn service is not working. So I think the error is the iceServers struct in Chrome. I tried to use adapter.js but the framework SimpleWebRTC is not compatible with that.

About wireshark I can do the test and send to you if you want, but I wuld like to know if you have another idea now that I have explained a little more my problem.

Best Regards, Hector

Oleg Moskalenko

unread,
Nov 26, 2014, 2:17:35 PM11/26/14
to turn-server-project...@googlegroups.com
I do not have new ideas, that is probably a question for the Chrome team.




On Wednesday, November 26, 2014 10:15:54 AM UTC-8, Héctor Juan Martínez Guzmán wrote:
Sorry sir, I have not solved my problem yet. I want to explain better the situation:

FIRST:

  • I download and install coturn server in an Amazon instance, I use the .deb package and gdebi.
  • I configured the server just changing the follow lines in the .conf file:
  • listening-port=3478
  • external-ip=[MyExternalIP]
  • lt-cred-mech
  • use-auth-secret
  • static-auth-secret=[MySecret]
  • All else as default
  • My client app generate the credential with base64(hmac(MySecret, username)), where username = timestamp:useridX. I know that generation must be secure but now it is just for test.
  • Using all that in two different networks, one behind a proxy, I have the follow results:
    • With Firefox-Firefox peers it works perfectly! The Firefox webrtc log shows some like this:
...

Oleg Moskalenko

unread,
Nov 26, 2014, 2:40:12 PM11/26/14
to turn-server-project...@googlegroups.com

溫啟清

unread,
Apr 9, 2015, 9:06:39 AM4/9/15
to turn-server-project...@googlegroups.com
I also encounter "error 401, unauthorized" on my coturn at EC2, I setup the coturn via coturn-4.4.2.3 (ami-dd4d6eed)

share my finding as below

PC Firefox + Android Firefox = Success
PC Firefox + Android Chrome = Fail
PC Chrome + Android Firefox = Success
PC Chrome + Android Chrome = Success


can refer my turnserver.conf here

Oleg Moskalenko

unread,
Apr 9, 2015, 3:41:08 PM4/9/15
to 溫啟清, turn-server-project...@googlegroups.com
This is not a TURN server failure.

401 error is a part of normal session negotiation. Eventually you must
see the success message. If that is not happening, then something is
wrong in the messages that the client is sending.

Each client negotiates the session independently with the TURN server.
So pairing them together does not make sense - unless the failure is
in the protocol between the clients.
> --
> You received this message because you are subscribed to the Google Groups
> "TURN Server (Open-Source project)" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to
> turn-server-project-rfc57...@googlegroups.com.
> To post to this group, send email to
> turn-server-project...@googlegroups.com.
> Visit this group at
> http://groups.google.com/group/turn-server-project-rfc5766-turn-server.
> For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages