Galène videoconferencing server discussion list archives
From: "Toke Høiland-Jørgensen" <toke@toke.dk>
To: Juliusz Chroboczek <jch@irif.fr>
Cc: Cell <galene.org@kn1ght.org>, galene@lists.galene.org
Subject: [Galene] Re: coturn config
Date: Mon, 28 Dec 2020 20:59:53 +0100
Message-ID: <8735zpya4m.fsf@toke.dk>
In-Reply-To: <87a6tx7olm.wl-jch@irif.fr>

Juliusz Chroboczek <jch@irif.fr> writes:

>>> In Galène, authentication only happens when you join a group, so that
>>> would mean communicating the ICE configuration together with the "joined"
>>> message that carries the client's permissions.
>
>> Yup, that makes sense!
>
> I've made the protocol change in the master branch, and made it so the
> TURN configuration can change at any time and Galène will notice within
> 5 minutes at most.  We're not changing the configuration of previously
> joined clients yet, but the protocol could support it quite easily.
>
> (We'd simply need to send a "type=joined, kind=change" message to all the
> clients when we detect a change, and the clients will switch to the new
> TURN credentials at the next ICE restart.)
>
>> I look forward to your implementation :)
>
> I've put an implementation into the branch "tokes-folly".  It's completely
> untested, please let me know if it works.
>
> I'm a little hesitant to merge it, since it is just as easily done by
> writing a five-line Python or Lua script that fetches the new
> configuration and dumps it into Galènes data directory.

Heh, I see what you mean. And indeed when looking at this I failed to
actually get coturn to return anything via any REST interface, so I went
and looked at what Nextcloud Talk is actually doing...

...And it turns out that I completely misunderstood how this is supposed
to work: there's not supposed to be any communication between the WebRTC
server and Coturn. Rather, there's a configured shared secret that the
WebRTC server can use to generate as many ephemeral credentials as it
wants. In Nextcloud Talk, the relevant code is just this:

               $timestamp = $this->timeFactory->getTime() + 86400;
               $rnd = $this->secureRandom->generate(16);
               $username = $timestamp . ':' . $rnd;
               $password = base64_encode(hash_hmac('sha1', $username, $server['secret'], true));

where $server['secret'] is the value configured as 'static-auth-secret'
in coturn. The resulting username and password are then communicated to
the client.

I didn't dig any further, so not sure if a separate set of credentials
is generated for every user in a call; but I suppose they could be? The
actual username could also be used in place of (or together with) the
random value above? Not sure what makes the most sense for Galene. TBH
I'm less concerned about the security aspects of this, and more about
compatibility with other software (i.e., being able to use
static-auth-secret at all).

My apologies for the misunderstanding! Hope the above makes (more) sense :)

-Toke
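The credential scheme described in the message above, written out as an added example in Go (Galène's own language); it is not code from the thread, from Galène or from Nextcloud Talk, and the secret, user name and lifetime it uses are made-up inputs. It builds a username of the form "timestamp:tag" and a password of base64(HMAC-SHA1(secret, username)), exactly as the PHP snippet does, and it also shows the other half that the thread does not spell out: the check a TURN server configured with the same static-auth-secret performs (parse the leading timestamp, reject it once expired, recompute the HMAC and compare in constant time). Placing the user name between the timestamp and the random value is a design choice of this example, not something the thread settles.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Credentials is one ephemeral TURN username/password pair derived from the
// shared secret. Nothing is stored on either side; the timestamp in the
// username is the only thing that limits how long the pair is valid.
type Credentials struct {
	Username string
	Password string
	Expires  time.Time
}

// turnMAC is the raw HMAC-SHA1 of the full username under the shared secret.
func turnMAC(secret []byte, username string) []byte {
	m := hmac.New(sha1.New, secret)
	m.Write([]byte(username))
	return m.Sum(nil)
}

// MakeCredentials builds a pair that expires at now+ttl. The username is
// "<expiry unix time>:<tag>"; the server only parses the leading timestamp,
// so the tag may be a random nonce, a user identifier, or both.
func MakeCredentials(secret []byte, tag string, ttl time.Duration, now time.Time) Credentials {
	expires := now.Add(ttl).Truncate(time.Second)
	username := strconv.FormatInt(expires.Unix(), 10) + ":" + tag
	password := base64.StdEncoding.EncodeToString(turnMAC(secret, username))
	return Credentials{Username: username, Password: password, Expires: expires}
}

// NewCredentials is what a server would call per client: a fresh 16-byte
// random tag, optionally prefixed with the (hypothetical) user name.
func NewCredentials(secret []byte, user string, ttl time.Duration) (Credentials, error) {
	var rnd [16]byte
	if _, err := rand.Read(rnd[:]); err != nil {
		return Credentials{}, err
	}
	tag := hex.EncodeToString(rnd[:])
	if user != "" {
		tag = user + ":" + tag
	}
	return MakeCredentials(secret, tag, ttl, time.Now()), nil
}

// Verify mirrors the server-side check: the username must carry a parseable,
// unexpired timestamp and the password must be the HMAC over the username.
// The comparison is constant time; a stale or tampered username fails.
func Verify(secret []byte, username, password string, now time.Time) error {
	ts, _, ok := strings.Cut(username, ":")
	if !ok {
		return errors.New("username is not <timestamp>:<tag>")
	}
	expires, err := strconv.ParseInt(ts, 10, 64)
	if err != nil {
		return fmt.Errorf("bad timestamp %q: %w", ts, err)
	}
	if now.Unix() >= expires {
		return errors.New("credentials expired")
	}
	got, err := base64.StdEncoding.DecodeString(password)
	if err != nil || !hmac.Equal(got, turnMAC(secret, username)) {
		return errors.New("password does not match shared secret")
	}
	return nil
}

func main() {
	secret := []byte("example-static-auth-secret") // made-up; match coturn's static-auth-secret
	c, err := NewCredentials(secret, "alice", 24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Printf("username=%s\npassword=%s\nexpires=%s\n", c.Username, c.Password, c.Expires.UTC())
	fmt.Println("verify:", Verify(secret, c.Username, c.Password, time.Now()))
}
```

Two things worth keeping in mind when adopting this: anyone holding the secret can mint valid credentials for any client and any lifetime, so the secret deserves the same handling as a long-term password and the TTL (24 hours in the Nextcloud snippet) should be no longer than a session needs; and because the timestamp is the only freshness check, the WebRTC server and the TURN server must agree on the clock.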


Thread overview: 22+ messages
2020-12-27 16:57 [Galene] " Cell
2020-12-27 17:55 ` [Galene] " Toke Høiland-Jørgensen
2020-12-27 18:02 ` Cell
2020-12-27 18:06 ` Cell
2020-12-27 18:16   ` Toke Høiland-Jørgensen
2020-12-27 19:04 ` Juliusz Chroboczek
2020-12-27 19:27   ` Juliusz Chroboczek
2020-12-27 20:32     ` Toke Høiland-Jørgensen
2020-12-27 23:28       ` Juliusz Chroboczek
2020-12-28  1:38         ` Toke Høiland-Jørgensen
2020-12-28 18:49           ` Juliusz Chroboczek
2020-12-28 19:59             ` Toke Høiland-Jørgensen [this message]
2020-12-29  1:56               ` Juliusz Chroboczek
2020-12-29  2:09                 ` Toke Høiland-Jørgensen
2020-12-29  8:35                   ` Michael Ströder
2021-01-01 22:55               ` Juliusz Chroboczek
2021-01-01 23:43                 ` Gabriel Kerneis
2021-01-02  0:02                   ` Juliusz Chroboczek
2021-01-07 12:07                 ` Michael Ströder
2021-01-07 12:14                   ` Toke Høiland-Jørgensen
2021-01-07 12:31                     ` [Galene] logging (was: coturn config) Michael Ströder
2021-01-07 13:27                   ` [Galene] Re: coturn config Juliusz Chroboczek
