Unable to use TURNS
Hi,
I have been using the TCP TURN server for a while, and it works pretty well. However, today I was trying to enable TURNS with my Let's Encrypt certificate, and I always get the following error when connecting to the TURNS server from a TURNS client:
[info] Connection failure: SSL_do_handshake failed: error:0A000412:SSL routines::sslv3 alert bad certificate [TLS, session 0nli2su5mttw, anonymous, client <MYIP>:<MYPORT>]
I've been looking around and couldn't find anything about this error in eturnal or coturn; can someone shed some light on this?
I use the certificate for my nginx too, and it works fine. Also, if I connect to the TURNS server using openssl s_client, the connection is successfully established. Weird.
Thanks!
Eturnal config:
```yaml
eturnal:
  secret: <secret>
  listen:
    -
      ip: "0.0.0.0"
      port: 45139
      transport: tcp
    -
      ip: "0.0.0.0"
      port: 45140
      transport: tls
  tls_crt_file: /etc/eturnal/certs/cert.cert
  tls_key_file: /etc/eturnal/certs/key.key
  relay_min_port: 60455
  relay_max_port: 60555
  strict_expiry: false
  log_level: info
  log_rotate_size: 10485760
  log_rotate_count: 10
  modules:
    mod_log_stun: {}
```
At least libwebrtc shipped a short, hard-coded list of trusted CAs that didn't include Let's Encrypt for quite a while. I think that has been fixed by now, but I'm not sure, and I think I've seen other client libraries with the same issue. If the client code you're using allows for disabling certificate validation (libwebrtc does), that might be the easiest workaround. (Assuming you're using TLS just as a fallback for circumventing restrictive firewalls, as opposed to being interested in its security properties for TURN.)
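The two observations in this thread, openssl s_client accepting the listener while the WebRTC client sends a "bad certificate" alert, are both client-side trust decisions about the same server certificate. The script below is an added example (not eturnal's code and not part of the original discussion) that reproduces that situation offline with the openssl CLI: it builds a throwaway root, intermediate and leaf, then shows the same leaf passing or failing depending on what the client trusts and on whether the intermediate is sent with it. All names (Test Root, Test Intermediate, turn.example.test, Other Root) are made up, and the `served_chain` helper, which needs a real host:port, is included only as the check to run against a live TURNS listener.

```shell
#!/bin/sh
# Added example, not part of the eturnal project or this issue. All certificates
# are generated on the fly as throwaway test material; the subject names are invented.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Create a CA-capable certificate. $1 = file prefix, $2 = CN,
# $3 = "self" for a self-signed root, or the prefix of the issuing CA.
mk_ca() {
  name=$1; cn=$2; issuer=$3
  openssl req -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.csr" \
    -subj "/CN=$cn" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$name.ext"
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -out "$name.crt" \
      -days 2 -extfile "$name.ext" >/dev/null 2>&1
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
      -CAcreateserial -out "$name.crt" -days 2 -extfile "$name.ext" >/dev/null 2>&1
  fi
}

# Create an end-entity (server) certificate. $1 = prefix, $2 = hostname, $3 = issuer prefix.
mk_leaf() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -out "$1.crt" -days 2 -extfile "$1.ext" >/dev/null 2>&1
}

# Three-tier chain like a public CA's (root -> intermediate -> leaf), plus an
# unrelated root standing in for a client whose hard-coded trust list lacks ours.
mk_ca root "Test Root" self
mk_ca int "Test Intermediate" root
mk_leaf turn turn.example.test int
mk_ca other "Other Root" self

# Emulate a client's verdict on the server certificate.
# $1 = CA bundle the client trusts, $2 = leaf, $3 (optional) = intermediate(s)
# the server sends alongside the leaf. Prints "ok" or the first verify error;
# returns 0 on success, 1 on failure.
client_verdict() {
  trusted=$1; leaf=$2; sent=$3
  if [ -n "$sent" ]; then
    out=$(openssl verify -CAfile "$trusted" -untrusted "$sent" "$leaf" 2>&1) \
      && { echo ok; return 0; }
  else
    out=$(openssl verify -CAfile "$trusted" "$leaf" 2>&1) \
      && { echo ok; return 0; }
  fi
  echo "$out" | grep error | head -n 1
  return 1
}

# Count the certificates a live TLS listener actually sends (needs network, so it
# is not exercised here). A leaf served on its own gives 1; a file containing the
# leaf plus its intermediate(s) gives more. For a public CA the server should
# send the intermediate, because many clients do not go and fetch it themselves.
served_chain() {
  openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

echo "full chain, client trusts our root:     $(client_verdict root.crt turn.crt int.crt)"
echo "leaf only, client trusts our root:      $(client_verdict root.crt turn.crt)"
echo "full chain, client trusts other root:   $(client_verdict other.crt turn.crt int.crt)"
```

The first line is the openssl s_client situation: the trust store contains the issuing root and the chain is complete, so the handshake succeeds. The third line is the situation the comment above describes: a client whose built-in CA list does not contain the issuing root fails on the very same certificate, and the server only ever sees the resulting alert. The second line is the other thing worth ruling out before touching the client: if the file given to `tls_crt_file` holds only the leaf and not the intermediate, clients that do not fetch missing issuers fail in the same way, which `served_chain host:port` against the real listener will show as a count of 1.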