ATS support issue of coTurn 4.5.0.5

Ersan Alfan

Dec 1, 2016, 5:02:43 PM
to TURN Server (Open-Source project)
Hi,


We executed an ATS diagnostic tool called nscurl on macOS Sierra and got connection errors with 4.5.0.5, but if we use the older versions 4.5.0.3 or 4.5.0.4, the diagnostic passes successfully.
Tool outputs are listed below.

We use the following cipher list:

cipher-list="TLSv1.2+HIGH:TLSv1+HIGH:!aNULL:!eNULL:!MD5:!DSS:!RC4:!PSK:!3DES:!DH:!EXPORT:!LOW:!SSLv2:@STRENGTH"

Are there any suggestions for successful ATS support with version 4.5.0.5?

Thanks in advance,
Ersan

nscurl diagnostic tool output for 4.5.0.5 (errors observed)

mac-mini:~ root# nscurl --ats-diagnostics --verbose https://turn.xxx:443
Starting ATS Diagnostics

Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://turn.xxx:443.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
================================================================================

Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
2016-12-02 00:35:35.351 nscurl[15457:2006767] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7f9990e29ee0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://turn.xxx:443/, NSErrorFailingURLStringKey=https://turn.xxx:443/, _kCFStreamErrorDomainKey=3}
---

================================================================================

Allowing Arbitrary Loads

---
Allow All Loads
ATS Dictionary:
{
    NSAllowsArbitraryLoads = true;
}
Result : PASS
---

================================================================================

Configuring TLS exceptions for turn.xxx

---
TLSv1.2
ATS Dictionary:
{
    NSExceptionDomains =     {
        "turn.xxx" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.2";
        };
    };
}
2016-12-02 00:35:35.393 nscurl[15457:2006767] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7f9990e28a70 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://turn.xxx:443/, NSErrorFailingURLStringKey=https://turn.xxx:443/, _kCFStreamErrorDomainKey=3}
---

---
TLSv1.1
ATS Dictionary:
{
    NSExceptionDomains =     {
        "turn.xxx" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.1";
        };
    };
}
2016-12-02 00:35:35.406 nscurl[15457:2006767] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7f9990d0ecf0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://turn.xxx:443/, NSErrorFailingURLStringKey=https://turn.xxx:443/, _kCFStreamErrorDomainKey=3}
---

---
TLSv1.0
ATS Dictionary:
{
    NSExceptionDomains =     {
        "turn.xxx" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.0";
        };
    };
}
2016-12-02 00:35:35.421 nscurl[15457:2006767] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7f9990d12720 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://turn.xxx:443/, NSErrorFailingURLStringKey=https://turn.xxx:443/, _kCFStreamErrorDomainKey=3}
---

================================================================================

Configuring PFS exceptions for turn.xxx

---
Disabling Perfect Forward Secrecy
ATS Dictionary:
{
    NSExceptionDomains =     {
        "turn.xxx" =         {
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

================================================================================

Configuring PFS exceptions and allowing insecure HTTP for turn.xxx

---
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
ATS Dictionary:
{
    NSExceptionDomains =     {
        "turn.xxx" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

================================================================================

Configuring TLS exceptions with PFS disabled for turn.xxx

---
TLSv1.2 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "turn.xxx" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.2";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

---
TLSv1.1 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "turn.xxx" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.1";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

---
TLSv1.0 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "turn.xxx" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.0";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

================================================================================

Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for turn.xxx

---
TLSv1.2 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains =     {
        "turn.xxx" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.2";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

---
TLSv1.1 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains =     {
        "turn.xxx" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.1";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

---
TLSv1.0 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains =     {
        "turn.xxx" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.0";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

================================================================================

mac-mini:~ root# 

nscurl diagnostic tool output for 4.5.0.4 (passed)

mac-mini:~ root# nscurl --ats-diagnostics --verbose https://turn.xxx:443
Starting ATS Diagnostics

Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://turn.xxx:443.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
================================================================================

Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
Result : PASS
---

================================================================================

Allowing Arbitrary Loads

---
Allow All Loads
ATS Dictionary:
{
    NSAllowsArbitraryLoads = true;
}
Result : PASS
---

================================================================================

Configuring TLS exceptions for turn.xxx

---
TLSv1.2
ATS Dictionary:
{
    NSExceptionDomains =     {
        "turn.xxx" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.2";
        };
    };
}
Result : PASS
---

---
TLSv1.1
ATS Dictionary:
{
    NSExceptionDomains =     {
        "turn.xxx" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.1";
        };
    };
}
Result : PASS
---

---
TLSv1.0
ATS Dictionary:
{
    NSExceptionDomains =     {
        "turn.xxx" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.0";
        };
    };
}
Result : PASS
---

================================================================================

Configuring PFS exceptions for turn.xxx

---
Disabling Perfect Forward Secrecy
ATS Dictionary:
{
    NSExceptionDomains =     {
        "turn.xxx" =         {
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

================================================================================

Configuring PFS exceptions and allowing insecure HTTP for turn.xxx

---
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
ATS Dictionary:
{
    NSExceptionDomains =     {
        "turn.xxx" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

================================================================================

Configuring TLS exceptions with PFS disabled for turn.xxx

---
TLSv1.2 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "turn.xxx" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.2";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

---
TLSv1.1 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "turn.xxx" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.1";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

---
TLSv1.0 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "turn.xxx" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.0";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

================================================================================

Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for turn.xxx

---
TLSv1.2 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains =     {
        "turn.xxx" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.2";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

---
TLSv1.1 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains =     {
        "turn.xxx" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.1";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

---
TLSv1.0 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains =     {
        "turn.xxx" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.0";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

================================================================================

mac-mini:~ root# 

  

Oleg Moskalenko

Dec 1, 2016, 11:27:58 PM
to Ersan Alfan, TURN Server (Open-Source project)
Is it possible that the older and the newer servers were set up
slightly differently?

Or were those versions compiled with different SSL libraries?

The SSL code is the same, some minor tweaks were made just for
compilation compatibility. I do not think that it could affect the SSL
connections.

Could you please double-check your setup? What exactly do those errors mean?

Thanks
Oleg
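
An added example, not part of either post and not coturn or Apple code: a small Python parser for the nscurl `--ats-diagnostics` output format shown above that checks whether the failures line up exactly with the forward-secrecy requirement. The sample text is constructed and abbreviated, and `parse_ats` and `forward_secrecy_is_blocker` are hypothetical names.

```python
import re
# Constructed, abbreviated excerpt in the layout nscurl --ats-diagnostics prints.
SAMPLE = """\
---
ATS Default Connection
ATS Dictionary:
{
}
nscurl[1:1] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
---
---
TLSv1.0
ATS Dictionary:
{
    NSExceptionMinimumTLSVersion = "TLSv1.0";
}
Result : FAIL
---
---
TLSv1.0 with PFS disabled
ATS Dictionary:
{
    NSExceptionMinimumTLSVersion = "TLSv1.0";
    NSExceptionRequiresForwardSecrecy = false;
}
Result : PASS
---
"""
TEST_RE = re.compile(r"^---\n(?P<title>[^\n]+)\nATS Dictionary:\n(?P<body>.*?)"
                     r"^Result : (?P<result>PASS|FAIL)$", re.S | re.M)
# Settings under which ATS no longer demands a forward-secret key exchange.
PFS_OFF = {("NSExceptionRequiresForwardSecrecy", "false"),
           ("NSAllowsArbitraryLoads", "true")}

def parse_ats(text):
    """One dict per test: title, ATS keys, pass flag, PFS waived, SSL error code."""
    tests = []
    for m in TEST_RE.finditer(text):
        keys = dict(re.findall(r'(NS\w+) = "?([\w.]+)"?;', m["body"]))
        err = re.search(r"kCFStreamErrorDomainSSL, (-\d+)", m["body"])
        tests.append({"title": m["title"], "keys": keys, "ok": m["result"] == "PASS",
                      "pfs_off": bool(PFS_OFF & set(keys.items())),
                      "ssl_error": int(err.group(1)) if err else None})
    return tests

def forward_secrecy_is_blocker(tests):
    """True when tests fail exactly where forward secrecy is still required."""
    return any(not t["ok"] for t in tests) and all(t["ok"] == t["pfs_off"] for t in tests)
```

Run over the 4.5.0.5 output in this thread it returns True (every test that still requires forward secrecy fails with SSL error -9824, Secure Transport's errSSLPeerHandshakeFail), and over the 4.5.0.4 output it returns False. ATS accepts only ECDHE key exchange as forward-secret, so the thing to compare between the two builds is whether the server still negotiates ECDHE suites.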