Turn Rest api and stun configuration


Guy

Oct 27, 2014, 10:03:35 AM
to turn-server-project...@googlegroups.com
Hello all,

I have just finished setting up the rfc5766-turn-server and the TURN REST API for use in a WebRTC application, and I have a few questions.

I read:
also a few posts in this group,
and I'm still unclear about a few things.

After installing the TURN server I started it like this:
turnserver -n --verbose --fingerprint --lt-cred-mech --use-auth-secret --external-ip=xxx.xx.x.xx --realm=xxx.xx.x.xx:3478 --static-auth-secret=some_secret_key

I have a web server running to generate the temporary username and password:

<?php
// Shared secret; must be identical to --static-auth-secret on the TURN server
$secret_key = 'some_secret_key';
$password_ttl = 60 * 60;                  // credential lifetime in seconds
$expiry = time() + $password_ttl;         // Unix time after which the server rejects the credential
$turn_user = $expiry . ':' . 'testuser';  // TURN REST API username: <expiry timestamp>:<user id>
// HMAC-SHA1 over the username with the shared secret. The fourth argument (true) asks for the
// raw binary digest: the server base64-encodes the raw HMAC, so base64 of the hex string would
// never match what the server computes.
$turn_password = base64_encode(hash_hmac('sha1', $turn_user, $secret_key, true));
$json_array = array(
    'username' => $turn_user,
    'password' => $turn_password,
    'uris'     => ["turn:xxx.xx.x.xx:3478"],
);
header('Content-Type: application/json');
echo json_encode($json_array);

JSON output:
{"username":"1414416539:testuser","password":"MDYyNGMwZmRjMzc3MDIzZjMzYDM0NTkzY2UyYmMxNw==","uris":["turn:xxx.xx.x.xx:3478"]} 

When I try to connect between 2 devices, they connect and I get the following from the TURN server:

9275: handle_udp_packet: New UDP endpoint: local addr 163.9.18.1:3478, remote addr 61.29.28.71:53221
9275: user <>: incoming packet BINDING processed, success
9275: handle_udp_packet: New UDP endpoint: local addr 163.9.18.1:3478, remote addr 61.29.28.71:53612
9275: user <>: incoming packet message processed, error 401
9275: ERROR: check_stun_auth: Cannot find credentials of user <1414412897:testuser>
9275: user <>: incoming packet message processed, error 401
9276: ERROR: check_stun_auth: Cannot find credentials of user <1414412897:testuser>
9276: user <>: incoming packet message processed, error 401
9285: user <>: incoming packet BINDING processed, success
9285: user <>: incoming packet BINDING processed, success
9290: handle_udp_packet: New UDP endpoint: local addr 163.9.18.1:3478, remote addr 61.29.28.71:40194
9290: user <>: incoming packet BINDING processed, success
9290: handle_udp_packet: New UDP endpoint: local addr 163.9.18.1:3478, remote addr 61.29.28.71:45113
9290: user <>: incoming packet message processed, error 401
9291: user <>: incoming packet BINDING processed, success
9291: user <>: incoming packet message processed, error 401
9291: ERROR: check_stun_auth: Cannot find credentials of user <1414412896:testuser>
9291: user <>: incoming packet message processed, error 401
9291: ERROR: check_stun_auth: Cannot find credentials of user <1414412896:testuser>
9291: user <>: incoming packet message processed, error 401
9295: user <>: incoming packet BINDING processed, success
9301: user <>: incoming packet BINDING processed, success
9306: user <>: incoming packet BINDING processed, success
9311: user <>: incoming packet BINDING processed, success
9316: user <>: incoming packet BINDING processed, success
9321: user <>: incoming packet BINDING processed, success
9326: user <>: incoming packet BINDING processed, success
9331: user <>: incoming packet BINDING processed, success
9335: TURN connection closed (non-mobile pattern), user <>
9335: TURN connection closed (non-mobile pattern), user <>
9336: handle_udp_packet: New UDP endpoint: local addr 163.9.18.1:3478, remote addr 61.29.28.71:53221
9336: user <>: incoming packet BINDING processed, success
9341: user <>: incoming packet BINDING processed, success
9346: user <>: incoming packet BINDING processed, success
9350: TURN connection closed (non-mobile pattern), user <>
9351: TURN connection closed (non-mobile pattern), user <>
9351: handle_udp_packet: New UDP endpoint: local addr 163.9.18.1:3478, remote addr 61.29.28.71:40194
9351: user <>: incoming packet BINDING processed, success
9356: user <>: incoming packet BINDING processed, success
9361: user <>: incoming packet BINDING processed, success
9366: user <>: incoming packet BINDING processed, success
9371: user <>: incoming packet BINDING processed, success
9376: user <>: incoming packet BINDING processed, success
9381: user <>: incoming packet BINDING processed, success
9386: user <>: incoming packet BINDING processed, success
9391: user <>: incoming packet BINDING processed, success
9396: TURN connection closed (non-mobile pattern), user <>
9396: handle_udp_packet: New UDP endpoint: local addr 163.9.18.1:3478, remote addr 61.29.28.71:53221
9396: user <>: incoming packet BINDING processed, success
9402: user <>: incoming packet BINDING processed, success
9406: user <>: incoming packet BINDING processed, success
9408: TURN connection closed (non-mobile pattern), user <>
9409: TURN connection closed (non-mobile pattern), user <>

So my questions are:

1. From what I read, a 401 message is part of the authentication process, so from the log output added above, does it seem that everything is running correctly?

2. The last 2 "TURN connection closed" messages are OK because I hung up the call; how come I keep getting the same messages while the devices are connected and everything is supposedly working?

3. If not, how can I run more tests besides trying to connect between 2 clients running the app?

4. The TURN server is also a STUN server, so does it automatically function as a STUN server when it can and as TURN when a relay is needed, or do I need to make any alteration (set any flags) to the TURN server?

Any help with those questions would be great.

Thanks


Oleg Moskalenko

Oct 27, 2014, 2:09:35 PM
to turn-server-project...@googlegroups.com


On Monday, October 27, 2014 7:03:35 AM UTC-7, Guy wrote:

1. From what I read, a 401 message is part of the authentication process, so from the log output added above, does it seem that everything is running correctly?

Yes.


2. The last 2 "TURN connection closed" messages are OK because I hung up the call; how come I keep getting the same messages while the devices are connected and everything is supposedly working?

The TURN server reports that error when the client session has expired or has not completed the allocation (UDP case).


3. If not, how can I run more tests besides trying to connect between 2 clients running the app?

There are test scripts in the examples/scripts/ directory. Read the script comments, change the IP addresses and try them.


4. The TURN server is also a STUN server, so does it automatically function as a STUN server when it can and as TURN when a relay is needed, or do I need to make any alteration (set any flags) to the TURN server?

By default, it runs as both a TURN and a STUN server.

Maybe the WebRTC folks can tell you more about your app configuration.

Oleg


Guy

Nov 9, 2014, 3:40:14 AM
to turn-server-project...@googlegroups.com
Hi Oleg,

Thank you for taking the time to answer my questions; I'm new to this whole TURN area.

I have a few more questions:

1. If, let's say, I use the static lt-cred-mech with the same username/password for all users, will the server accept all the requests, all using the same static credentials?
2. In the TURN REST API the temporary password is generated from the user, timestamp and secret, but I noticed that the same password is generated if 2 requests are within the same second, thus making one of them not unique, so won't one of those users receive an unauthorised message and get rejected?

Thank you
-Guy

Oleg Moskalenko

Nov 9, 2014, 4:11:17 AM
to Guy, turn-server-project...@googlegroups.com
On Sun, Nov 9, 2014 at 12:40 AM, Guy <bpath.d...@gmail.com> wrote:


I have a few more questions:

1. If, let's say, I use the static lt-cred-mech with the same username/password for all users, will the server accept all the requests, all using the same static credentials?

I did not get the question. The server will use whatever username/password it was given in the configuration. If the connection's username and password match, then of course it will be accepted. If a thousand users use the same username/password, they will be accepted, all of them, up to the limit set by --user-quota.

2. In the TURN REST API the temporary password is generated from the user, timestamp and secret, but I noticed that the same password is generated if 2 requests are within the same second, thus making one of them not unique, so won't one of those users receive an unauthorised message and get rejected?

Why would one of them be unauthorized, and why would it have to be rejected? The same legitimate user may need several TURN sessions allocated. The server has no means to distinguish the case of two connections from the same user from the case of two connections from two different users if they use the same username.


Thank you
-Guy

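The TURN REST API credential scheme behind the PHP script in the first post and the same-second question above, written out as an added Python example (not code from this thread or from the turnserver project): the client half builds the username as <expiry timestamp>:<user> and the password as base64 of the raw HMAC-SHA1 over that username; the server half recomputes the password from the presented username and rejects expired timestamps, which the server reports to the client as a 401. The secret, TTL and function names are assumptions.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample values; the real secret must match --static-auth-secret
SECRET = b"some_secret_key"
DEFAULT_TTL = 60 * 60  # one hour, as in the PHP script


def turn_password(username: str, secret: bytes = SECRET) -> str:
    """password = base64(HMAC-SHA1(secret, username)), over the raw digest."""
    mac = hmac.new(secret, username.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def make_credentials(user: str, now: Optional[int] = None,
                     ttl: int = DEFAULT_TTL, secret: bytes = SECRET) -> dict:
    """Web-server half: ephemeral username/password for one client."""
    expiry = int(time.time() if now is None else now) + ttl
    username = f"{expiry}:{user}"
    return {"username": username, "password": turn_password(username, secret)}


def check_credentials(username: str, password: str, now: Optional[int] = None,
                      secret: bytes = SECRET) -> str:
    """TURN-server half: returns 'ok', 'expired', 'malformed' or 'bad-password'.

    Nothing is stored per request: the server recomputes the HMAC from the
    presented username, so two requests in the same second that produce the
    same credentials are both accepted (there is nothing for them to collide
    with; the server only sees "the same user twice").
    """
    ts, sep, _user = username.partition(":")
    if not sep or not ts.isdigit():
        return "malformed"
    if int(ts) < int(time.time() if now is None else now):
        return "expired"  # the client sees this as a 401
    if not hmac.compare_digest(password, turn_password(username, secret)):
        return "bad-password"
    return "ok"
```

Run with a fixed `now` to reproduce a given expiry; the server will only accept the credential while its own clock is at or before the embedded timestamp, so the two machines' clocks matter as much as the secret.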

Guy

Nov 20, 2014, 4:17:04 AM
to turn-server-project...@googlegroups.com, bpath.d...@gmail.com
Hi Oleg,

1. Just wanted to confirm: if no quota is set when using a static user:password, then it will work as mentioned in the turnserver.conf example: the default value is 0 (no quota, unlimited number of sessions per user). Correct?

2. After a while using the TURN REST API it stopped working, and I keep getting unauthorised messages.
I'm using the same script (the one from the first message) for generating the ephemeral credentials, and I run the server with the "turnserver" command in Cygwin.
In the turnserver.conf file I uncommented:
verbose
lt-cred-mech
fingerprint
use-auth-secret
static-auth-secret= some_secret_key

output:

58: handle_udp_packet: New UDP endpoint: local addr 162.15.2.35:3478, remote addr 94.84.16.148:54284
58: session 136000000000000001: user <>: incoming packet message processed, error 401: Unauthorised
58: session 136000000000000001: user <>: incoming packet message processed, error 401: Unauthorised
58: ERROR: check_stun_auth: Cannot find credentials of user <1416492798:testuser>
58: session 136000000000000001: user <1416492798:testuser>: incoming packet message processed, error 401: Unauthorised
58: ERROR: check_stun_auth: Cannot find credentials of user <1416492798:testuser>
58: session 136000000000000001: user <1416492798:testuser>: incoming packet message processed, error 401: Unauthorised
59: handle_udp_packet: New UDP endpoint: local addr 162.15.2.35:3478, remote addr 32.24.17.180:28680
59: session 136000000000000002: user <>: incoming packet message processed, error 401: Unauthorised
59: session 136000000000000002: user <>: incoming packet message processed, error 401: Unauthorised
59: ERROR: check_stun_auth: Cannot find credentials of user <1416492795:testuser>
59: session 136000000000000002: user <1416492795:testuser>: incoming packet message processed, error 401: Unauthorised
59: ERROR: check_stun_auth: Cannot find credentials of user <1416492795:testuser>
59: session 136000000000000002: user <1416492795:testuser>: incoming packet message processed, error 401: Unauthorised
60: ERROR: check_stun_auth: Cannot find credentials of user <1416492795:testuser>
60: session 136000000000000002: user <1416492795:testuser>: incoming packet message processed, error 401: Unauthorised

Any ideas as to why it worked before and suddenly the user is Unauthorised?
Is there anything wrong with the steps I've taken for implementing the TURN REST API with rfc5766-turn-server?

No changes have been made except using the turnserver.conf file instead of the command line flags/options.

When I use the static testuser:password

in the turnserver.conf file I uncommented:
verbose
lt-cred-mech
fingerprint
user=testuser:password
realm= companyname.com

it works fine.

3. One more question regarding Cygwin.

I came across this thread: https://groups.google.com/d/msg/turn-server-project-rfc5766-turn-server/NaJVSWnD7CI/5QXYZzGXJZ4J
where you mentioned

"Cygwin platform is not a reliable platform for a network server. We would recommend using it only for R&D, not for a real production environment."

Is that still the case regarding Cygwin, and do you not recommend using it for production use?


Thank you,
-Guy

Oleg Moskalenko

Nov 20, 2014, 4:35:00 AM
to Guy, turn-server-project...@googlegroups.com
On Thu, Nov 20, 2014 at 1:17 AM, Guy <bpath.d...@gmail.com> wrote:
Hi Oleg,

1. Just wanted to confirm: if no quota is set when using a static user:password, then it will work as mentioned in the turnserver.conf example: the default value is 0 (no quota, unlimited number of sessions per user). Correct?

Yes.

Are you sure that the timestamp parameters are correct?

Are you saying that it fails after some time, or that it does not work only when it is used with the options in the turnserver.conf file?
 
Is there anything wrong with the steps I've taken for implementing the TURN REST API with rfc5766-turn-server?

No changes have been made except using the turnserver.conf file instead of the command line flags/options.

When I use the static testuser:password

in the turnserver.conf file I uncommented:
verbose
lt-cred-mech
fingerprint
user=testuser:password
realm= companyname.com

it works fine.

3. One more question regarding Cygwin.

I came across this thread: https://groups.google.com/d/msg/turn-server-project-rfc5766-turn-server/NaJVSWnD7CI/5QXYZzGXJZ4J
where you mentioned

"Cygwin platform is not a reliable platform for a network server. We would recommend using it only for R&D, not for a real production environment."

Is that still the case regarding Cygwin, and do you not recommend using it for production use?

Yes, it is not recommended for production. This is only for evaluation by people who have no immediate access to Linux/BSD/Mac OS X systems.

Regards,
Oleg


Oleg Moskalenko

Nov 20, 2014, 4:42:55 AM
to Guy, turn-server-project...@googlegroups.com
I just tested your setup... it works fine.

Make sure that you are not using spaces after the '=' sign in the turnserver.conf.

Oleg

Guy

Nov 20, 2014, 5:28:08 AM
to turn-server-project...@googlegroups.com, bpath.d...@gmail.com

Are you sure that the timestamp parameters are correct?

Are you saying that it fails after some time, or that it does not work only when it is used with the options in the turnserver.conf file?


The script generating the ephemeral credentials and the TURN server are running on the same machine, so there shouldn't be a problem with the timestamp.

I think there is no problem with the turnserver.conf file, because it works fine when I use a static user:pass.

It worked fine for some time; then one time, when I restarted the server and ran the TURN server again, I started getting the unauthorised messages and couldn't get it working since. It only works with a static user:pass.




Guy

Nov 20, 2014, 5:29:53 AM
to turn-server-project...@googlegroups.com, bpath.d...@gmail.com
I checked and there are no spaces. I also tried again and got the same result...

Thank you for testing it yourself.

I don't know what went wrong.

On Thursday, 20 November 2014 11:42:55 UTC+2, Oleg Moskalenko wrote: