processone/eturnal

Unable to use TURNS

0-wHiTeHand-0 opened this issue · 1 comments

Hi,

I have been using the TCP TURN server for a while, and it works pretty well. However, today I was trying to enable TURNS with my Lets Encrypt certificate, and I always get the following error when connecting to the TURNS server from a TURNS client:

[info] Connection failure: SSL_do_handshake failed: error:0A000412:SSL routines::sslv3 alert bad certificate [TLS, session 0nli2su5mttw, anonymous, client <MYIP>:<MYPORT>]

I've been looking around, and couldn't find anything about this error in eturnal or coturn; can someone throw some light into this?
I use the certificate for my nginx too, and it works good. Also, if I connect to the TURNS server using openssl s_client, the connection is successfully established. Weird.

Thanks!

Eturnal config:

eturnal:
secret: <secret>

listen:
-
    ip: "0.0.0.0"
    port: 45139
     transport: tcp
 -
      ip: "0.0.0.0"
      port: 45140
      transport: tls

  tls_crt_file: /etc/eturnal/certs/cert.cert
  tls_key_file: /etc/eturnal/certs/key.key

  relay_min_port: 60455
  relay_max_port: 60555

  strict_expiry: false

  log_level: info
  log_rotate_size: 10485760
  log_rotate_count: 10

  modules:
    mod_log_stun: {} 

At least libwebrtc shipped a short, hard-coded list of trusted CAs that didn't include Let's Encrypt for quite a while. I think that has been fixed by now, but I'm not sure, and I think I've seen other client libraries with the same issue. If the client code you're using allows for disabling certificate validation (libwebrtc does), that might be the easiest workaround. (Assuming you're using TLS just as a fallback for circumventing restrictive firewalls, as opposed to being interested in its security properties for TURN.)