Galène videoconferencing server discussion list archives
 help / color / mirror / Atom feed
* [Galene] coturn config
@ 2020-12-27 16:57 Cell
  2020-12-27 17:55 ` [Galene] " Toke Høiland-Jørgensen
                   ` (3 more replies)
  0 siblings, 4 replies; 22+ messages in thread
From: Cell @ 2020-12-27 16:57 UTC (permalink / raw)
  To: galene

Hi,

Would there be anyone with an example of a coturn config? I don't know how to setup the user and password.

More about my context: I just put a coturn in place for my synapse server and it's working. I would like to use the same one in place for a future galene but I don't know if the secret for the API is in conflict with the user/password needed for galene.

All examples and input welcomed.

C.

^ permalink raw reply	[flat|nested] 22+ messages in thread

* [Galene] Re: coturn config
  2020-12-27 16:57 [Galene] coturn config Cell
@ 2020-12-27 17:55 ` Toke Høiland-Jørgensen
  2020-12-27 18:02 ` Cell
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 22+ messages in thread
From: Toke Høiland-Jørgensen @ 2020-12-27 17:55 UTC (permalink / raw)
  To: Cell, galene

"Cell" <galene.org@kn1ght.org> writes:

> Hi,
>
> Would there be anyone with an example of a coturn config? I don't know
> how to setup the user and password.
>
> More about my context: I just put a coturn in place for my synapse
> server and it's working. I would like to use the same one in place for
> a future galene but I don't know if the secret for the API is in
> conflict with the user/password needed for galene.

It is; you can't use both in the same coturn config.

> All examples and input welcomed.

What I do is just run two coturn instances on different ports, one for
Galene with username/password, and one for other applications that use
the REST API secret-based auth (the latter being Nextcloud Talk in my
instance).

-Toke

^ permalink raw reply	[flat|nested] 22+ messages in thread

* [Galene] Re: coturn config
  2020-12-27 16:57 [Galene] coturn config Cell
  2020-12-27 17:55 ` [Galene] " Toke Høiland-Jørgensen
@ 2020-12-27 18:02 ` Cell
  2020-12-27 18:06 ` Cell
  2020-12-27 19:04 ` Juliusz Chroboczek
  3 siblings, 0 replies; 22+ messages in thread
From: Cell @ 2020-12-27 18:02 UTC (permalink / raw)
  To: Toke Høiland-Jørgensen, galene

This would be my plan B then.

December 27, 2020 6:55 PM, "Toke Høiland-Jørgensen" <toke@toke.dk> wrote:

> "Cell" <galene.org@kn1ght.org> writes:
> 
>> Hi,
>> 
>> Would there be anyone with an example of a coturn config? I don't know
>> how to setup the user and password.
>> 
>> More about my context: I just put a coturn in place for my synapse
>> server and it's working. I would like to use the same one in place for
>> a future galene but I don't know if the secret for the API is in
>> conflict with the user/password needed for galene.
> 
> It is; you can't use both in the same coturn config.
> 
>> All examples and input welcomed.
> 
> What I do is just run two coturn instances on different ports, one for
> Galene with username/password, and one for other applications that use
> the REST API secret-based auth (the latter being Nextcloud Talk in my
> instance).
> 
> -Toke
> _______________________________________________
> Galene mailing list -- galene@lists.galene.org
> To unsubscribe send an email to galene-leave@lists.galene.org

^ permalink raw reply	[flat|nested] 22+ messages in thread

* [Galene] Re: coturn config
  2020-12-27 16:57 [Galene] coturn config Cell
  2020-12-27 17:55 ` [Galene] " Toke Høiland-Jørgensen
  2020-12-27 18:02 ` Cell
@ 2020-12-27 18:06 ` Cell
  2020-12-27 18:16   ` Toke Høiland-Jørgensen
  2020-12-27 19:04 ` Juliusz Chroboczek
  3 siblings, 1 reply; 22+ messages in thread
From: Cell @ 2020-12-27 18:06 UTC (permalink / raw)
  To: Toke Høiland-Jørgensen, galene

Damned. I read too fast.

Ok then, two instances is the way.

How do you declare the user/password in coturn?


December 27, 2020 6:55 PM, "Toke Høiland-Jørgensen" <toke@toke.dk> wrote:

> "Cell" <galene.org@kn1ght.org> writes:
> 
>> Hi,
>> 
>> Would there be anyone with an example of a coturn config? I don't know
>> how to setup the user and password.
>> 
>> More about my context: I just put a coturn in place for my synapse
>> server and it's working. I would like to use the same one in place for
>> a future galene but I don't know if the secret for the API is in
>> conflict with the user/password needed for galene.
> 
> It is; you can't use both in the same coturn config.
> 
>> All examples and input welcomed.
> 
> What I do is just run two coturn instances on different ports, one for
> Galene with username/password, and one for other applications that use
> the REST API secret-based auth (the latter being Nextcloud Talk in my
> instance).
> 
> -Toke

^ permalink raw reply	[flat|nested] 22+ messages in thread

* [Galene] Re: coturn config
  2020-12-27 18:06 ` Cell
@ 2020-12-27 18:16   ` Toke Høiland-Jørgensen
  0 siblings, 0 replies; 22+ messages in thread
From: Toke Høiland-Jørgensen @ 2020-12-27 18:16 UTC (permalink / raw)
  To: Cell, galene

"Cell" <galene.org@kn1ght.org> writes:

> Damned. I read too fast.
>
> Ok then, two instances is the way.
>
> How do you declare the user/password in coturn?

It's in the man page:

      -u, --user
              Long-term security mechanism credentials user account, in
              the column-separated form username:key. Multiple user
              accounts may be used in the command line. The key is
              either the user password, or the key is generated by
              turnadmin command. In the second case, the key must be
              prepended with 0x symbols. The key is calculated over the
              user name, the user realm, and the user password. This
              setting may not be used with TURN REST API.


-Toke

^ permalink raw reply	[flat|nested] 22+ messages in thread

* [Galene] Re: coturn config
  2020-12-27 16:57 [Galene] coturn config Cell
                   ` (2 preceding siblings ...)
  2020-12-27 18:06 ` Cell
@ 2020-12-27 19:04 ` Juliusz Chroboczek
  2020-12-27 19:27   ` Juliusz Chroboczek
  3 siblings, 1 reply; 22+ messages in thread
From: Juliusz Chroboczek @ 2020-12-27 19:04 UTC (permalink / raw)
  To: Cell; +Cc: galene

> More about my context: I just put a coturn in place for my synapse
> server and it's working. I would like to use the same one in place for
> a future galene but I don't know if the secret for the API is in
> conflict with the user/password needed for galene.

According to what Toke explained to me, Cell is referring to this protocol:

  https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00

which is apparently designed to allow the WebRTC server to learn the TURN
credentials on behalf of the WebRTC client.  I'm not particularly keen on
that particular protocol — I'd much rather we fixed ICE-TCP in Pion¹ —
but I haven't made up my mind yet.

¹ https://github.com/pion/webrtc/issues/1356

-- Juliusz


^ permalink raw reply	[flat|nested] 22+ messages in thread

* [Galene] Re: coturn config
  2020-12-27 19:04 ` Juliusz Chroboczek
@ 2020-12-27 19:27   ` Juliusz Chroboczek
  2020-12-27 20:32     ` Toke Høiland-Jørgensen
  0 siblings, 1 reply; 22+ messages in thread
From: Juliusz Chroboczek @ 2020-12-27 19:27 UTC (permalink / raw)
  To: Cell; +Cc: galene

>> More about my context: I just put a coturn in place for my synapse
>> server and it's working. I would like to use the same one in place for
>> a future galene but I don't know if the secret for the API is in
>> conflict with the user/password needed for galene.

> According to what Toke explained to me, Cell is referring to this protocol:

>   https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00

I've now read this document a second time, and I still don't get it.
Could somebody please explain the purpose of this protocol?

In normal TURN, there is a username/password key that must be known by the
WebRTC peers.  That's well known to be insecure, but it only protects
access to the TURN server, so the only bad thing that could happen is that
the TURN server will be used by other services.

With the REST API, we introduce an extra web server.  The web server and
the TURN server somehow coordinate to generate ephemeral passwords (for
a very lax notion of ephemeral -- the draft recommends 86400 seconds)
which are communicated over HTTP to the WebRTC peers.

The TURN credentials are now being rotated periodically, granted, but an
attacker can simply contact the web server to find out what they are.
We're adding an extra point of failure, but I don't see what we are gaining.

What am I missing?

-- Juliusz



^ permalink raw reply	[flat|nested] 22+ messages in thread

* [Galene] Re: coturn config
  2020-12-27 19:27   ` Juliusz Chroboczek
@ 2020-12-27 20:32     ` Toke Høiland-Jørgensen
  2020-12-27 23:28       ` Juliusz Chroboczek
  0 siblings, 1 reply; 22+ messages in thread
From: Toke Høiland-Jørgensen @ 2020-12-27 20:32 UTC (permalink / raw)
  To: Juliusz Chroboczek, Cell; +Cc: galene

Juliusz Chroboczek <jch@irif.fr> writes:

>>> More about my context: I just put a coturn in place for my synapse
>>> server and it's working. I would like to use the same one in place for
>>> a future galene but I don't know if the secret for the API is in
>>> conflict with the user/password needed for galene.
>
>> According to what Toke explained to me, Cell is referring to this protocol:
>
>>   https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
>
> I've now read this document a second time, and I still don't get it.
> Could somebody please explain the purpose of this protocol?
>
> In normal TURN, there is a username/password key that must be known by the
> WebRTC peers.  That's well known to be insecure, but it only protects
> access to the TURN server, so the only bad thing that could happen is that
> the TURN server will be used by other services.
>
> With the REST API, we introduce an extra web server.  The web server and
> the TURN server somehow coordinate to generate ephemeral passwords (for
> a very lax notion of ephemeral -- the draft recommends 86400 seconds)
> which are communicated over HTTP to the WebRTC peers.
>
> The TURN credentials are now being rotated periodically, granted, but an
> attacker can simply contact the web server to find out what they are.
> We're adding an extra point of failure, but I don't see what we are gaining.
>
> What am I missing?

Well presumably the REST web server will only respond to the WebRTC
server (in coturn you specify an API key)? And the WebRTC server can
limit which clients it will give the actual TURN credentials to? I
suppose this is most useful in cases where users have to authenticate to
use the WebRTC service; with this you can revoke access (after the key
expires), whereas if you are using fixed TURN credentials any user that
has used the WebRTC service at any point in the past can continue to
access the TURN server indefinitely...

So yeah, I agree, it's not exactly Fort Knox, but it does provide some
additional access control as long as the WebRTC service itself is not
available without authentication (which may or may not be the case for
Galene deployments I suppose).

-Toke

^ permalink raw reply	[flat|nested] 22+ messages in thread

* [Galene] Re: coturn config
  2020-12-27 20:32     ` Toke Høiland-Jørgensen
@ 2020-12-27 23:28       ` Juliusz Chroboczek
  2020-12-28  1:38         ` Toke Høiland-Jørgensen
  0 siblings, 1 reply; 22+ messages in thread
From: Juliusz Chroboczek @ 2020-12-27 23:28 UTC (permalink / raw)
  To: Toke Høiland-Jørgensen; +Cc: Cell, galene

> Well presumably the REST web server will only respond to the WebRTC server

Ah... so the WebRTC signalling server only communicates the ICE
configuration once a client has authentified.  That was the bit I was
missing.

In Galène, authentication only happens when you join a group, so that
would mean communicating the ICE configuration together with the "joined"
message that carries the client's permissions.

> (in coturn you specify an API key)?

Ah, I see.  Section 2.1 of the draft.

Thanks, Toke, it makes a lot more sense now.

-- Juliusz

^ permalink raw reply	[flat|nested] 22+ messages in thread

* [Galene] Re: coturn config
  2020-12-27 23:28       ` Juliusz Chroboczek
@ 2020-12-28  1:38         ` Toke Høiland-Jørgensen
  2020-12-28 18:49           ` Juliusz Chroboczek
  0 siblings, 1 reply; 22+ messages in thread
From: Toke Høiland-Jørgensen @ 2020-12-28  1:38 UTC (permalink / raw)
  To: Juliusz Chroboczek; +Cc: Cell, galene

Juliusz Chroboczek <jch@irif.fr> writes:

>> Well presumably the REST web server will only respond to the WebRTC server
>
> Ah... so the WebRTC signalling server only communicates the ICE
> configuration once a client has authentified.  That was the bit I was
> missing.
>
> In Galène, authentication only happens when you join a group, so that
> would mean communicating the ICE configuration together with the "joined"
> message that carries the client's permissions.

Yup, that makes sense!

>> (in coturn you specify an API key)?
>
> Ah, I see.  Section 2.1 of the draft.
>
> Thanks, Toke, it makes a lot more sense now.

You're welcome - I look forward to your implementation :)

-Toke

^ permalink raw reply	[flat|nested] 22+ messages in thread

* [Galene] Re: coturn config
  2020-12-28  1:38         ` Toke Høiland-Jørgensen
@ 2020-12-28 18:49           ` Juliusz Chroboczek
  2020-12-28 19:59             ` Toke Høiland-Jørgensen
  0 siblings, 1 reply; 22+ messages in thread
From: Juliusz Chroboczek @ 2020-12-28 18:49 UTC (permalink / raw)
  To: Toke Høiland-Jørgensen; +Cc: Cell, galene

>> In Galène, authentication only happens when you join a group, so that
>> would mean communicating the ICE configuration together with the "joined"
>> message that carries the client's permissions.

> Yup, that makes sense!

I've made the protocol change in the master branch, and made it so the
TURN configuration can change at any time and Galène will notice within
5 minutes at most.  We're not changing the configuration of previously
joined clients yet, but the protocol could support it quite easily.

(We'd simply need to send a "type=joined, kind=change" message to all the
clients when we detect a change, and the clients will switch to the new
TURN credentials at the next ICE restart.)

> I look forward to your implementation :)

I've put an implementation into the branch "tokes-folly".  It's completely
untested, please let me know if it works.

I'm a little hesitant to merge it, since it is just as easily done by
writing a five-line Python or Lua script that fetches the new
configuration and dumps it into Galènes data directory.

-- Juliuszp

^ permalink raw reply	[flat|nested] 22+ messages in thread

* [Galene] Re: coturn config
  2020-12-28 18:49           ` Juliusz Chroboczek
@ 2020-12-28 19:59             ` Toke Høiland-Jørgensen
  2020-12-29  1:56               ` Juliusz Chroboczek
  2021-01-01 22:55               ` Juliusz Chroboczek
  0 siblings, 2 replies; 22+ messages in thread
From: Toke Høiland-Jørgensen @ 2020-12-28 19:59 UTC (permalink / raw)
  To: Juliusz Chroboczek; +Cc: Cell, galene

Juliusz Chroboczek <jch@irif.fr> writes:

>>> In Galène, authentication only happens when you join a group, so that
>>> would mean communicating the ICE configuration together with the "joined"
>>> message that carries the client's permissions.
>
>> Yup, that makes sense!
>
> I've made the protocol change in the master branch, and made it so the
> TURN configuration can change at any time and Galène will notice within
> 5 minutes at most.  We're not changing the configuration of previously
> joined clients yet, but the protocol could support it quite easily.
>
> (We'd simply need to send a "type=joined, kind=change" message to all the
> clients when we detect a change, and the clients will switch to the new
> TURN credentials at the next ICE restart.)
>
>> I look forward to your implementation :)
>
> I've put an implementation into the branch "tokes-folly".  It's completely
> untested, please let me know if it works.
>
> I'm a little hesitant to merge it, since it is just as easily done by
> writing a five-line Python or Lua script that fetches the new
> configuration and dumps it into Galènes data directory.

Heh, I see what you mean. And indeed when looking at this I failed to
actually get coturn to return anything via any REST interface, so I went
and looked at what Nextcloud Talk is actually doing...

...And it turns out that I completely misunderstood how this is supposed
to work: there's not supposed to be any communication between the WebRTC
server and Coturn. Rather, there's a configured shared secret that the
WebRTC server can use to generate as many ephemeral credentials as it
wants. In Nextcloud Talk, the relevant code is just this:

               $timestamp = $this->timeFactory->getTime() + 86400;
               $rnd = $this->secureRandom->generate(16);
               $username = $timestamp . ':' . $rnd;
               $password = base64_encode(hash_hmac('sha1', $username, $server['secret'], true));

where $server['secret'] is the value configured as 'static-auth-secret'
in coturn. The resulting username and password is then communicated to
the client.

I didn't dig any further, so not sure if a separate set of credentials
is generated for every user in a call; but I suppose they could be? The
actual username could also be used in place of (or together with) the
random value above? Not sure what makes the most sense for Galene. TBH
I'm less concerned about the security aspects of this, and more about
compatibility with other software (i.e., being able to use
static-auth-secret at all).

My apologies for the misunderstanding! Hope the above makes (more) sense :)

-Toke

^ permalink raw reply	[flat|nested] 22+ messages in thread

* [Galene] Re: coturn config
  2020-12-28 19:59             ` Toke Høiland-Jørgensen
@ 2020-12-29  1:56               ` Juliusz Chroboczek
  2020-12-29  2:09                 ` Toke Høiland-Jørgensen
  2021-01-01 22:55               ` Juliusz Chroboczek
  1 sibling, 1 reply; 22+ messages in thread
From: Juliusz Chroboczek @ 2020-12-29  1:56 UTC (permalink / raw)
  To: Toke Høiland-Jørgensen; +Cc: Cell, galene

> ...And it turns out that I completely misunderstood how this is supposed
> to work:

Yeah, so did I.  What coturn apparently implements makes a lot more sense
than what the draft describes.

Apparently, the credentials are computed deterministically from the
username and a shared secret.  In order to avoid replay, a timestamp is
encoded within the username (phooey).  Since both servers perform the same
computation, there is no need for the brittle HTTP-based protocol.  See 

  https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf#L209

Supposing I decide to implement this -- any ideas how this should be
configured?

-- Juliusz

^ permalink raw reply	[flat|nested] 22+ messages in thread

* [Galene] Re: coturn config
  2020-12-29  1:56               ` Juliusz Chroboczek
@ 2020-12-29  2:09                 ` Toke Høiland-Jørgensen
  2020-12-29  8:35                   ` Michael Ströder
  0 siblings, 1 reply; 22+ messages in thread
From: Toke Høiland-Jørgensen @ 2020-12-29  2:09 UTC (permalink / raw)
  To: Juliusz Chroboczek; +Cc: Cell, galene

Juliusz Chroboczek <jch@irif.fr> writes:

>> ...And it turns out that I completely misunderstood how this is supposed
>> to work:
>
> Yeah, so did I.  What coturn apparently implements makes a lot more sense
> than what the draft describes.
>
> Apparently, the credentials are computed deterministically from the
> username and a shared secret.  In order to avoid replay, a timestamp is
> encoded within the username (phooey).  Since both servers perform the same
> computation, there is no need for the brittle HTTP-based protocol.  See 
>
>   https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf#L209
>
> Supposing I decide to implement this -- any ideas how this should be
> configured?

Well, Nextcloud Talk just takes server name/port, shared secret, and
whether to use UDP, TCP or both. The interval is hard-coded, and the
userid random as in the code I pasted before. So replicating that would
be fine with me. I seem to recall BBB had a similar config option...

-Toke

^ permalink raw reply	[flat|nested] 22+ messages in thread

* [Galene] Re: coturn config
  2020-12-29  2:09                 ` Toke Høiland-Jørgensen
@ 2020-12-29  8:35                   ` Michael Ströder
  0 siblings, 0 replies; 22+ messages in thread
From: Michael Ströder @ 2020-12-29  8:35 UTC (permalink / raw)
  To: galene

On 12/29/20 3:09 AM, Toke Høiland-Jørgensen wrote:
> Juliusz Chroboczek <jch@irif.fr> writes:
>> Supposing I decide to implement this -- any ideas how this should be
>> configured?
> 
> Well, Nextcloud Talk just takes server name/port, shared secret, and
> whether to use UDP, TCP or both. The interval is hard-coded, and the
> userid random as in the code I pasted before. So replicating that would
> be fine with me.

+1

Ciao, Michael.

^ permalink raw reply	[flat|nested] 22+ messages in thread

* [Galene] Re: coturn config
  2020-12-28 19:59             ` Toke Høiland-Jørgensen
  2020-12-29  1:56               ` Juliusz Chroboczek
@ 2021-01-01 22:55               ` Juliusz Chroboczek
  2021-01-01 23:43                 ` Gabriel Kerneis
  2021-01-07 12:07                 ` Michael Ströder
  1 sibling, 2 replies; 22+ messages in thread
From: Juliusz Chroboczek @ 2021-01-01 22:55 UTC (permalink / raw)
  To: Toke Høiland-Jørgensen; +Cc: Cell, galene

> ...And it turns out that I completely misunderstood how this is supposed
> to work: there's not supposed to be any communication between the WebRTC
> server and Coturn. Rather, there's a configured shared secret that the
> WebRTC server can use to generate as many ephemeral credentials as it
> wants.

I just pushed an implementation.  Your ice-servers.json should look like
this:

    [
        {
            "urls": [
                "turn:turn.example.org:3479",
                "turn:turn.example.org:3479?transport=tcp"
            ],
            "username": "galene",
            "credential": "secret",
            "credentialType": "hmac-sha1"
        }
    ]

In other words, I've kept the standard configuration syntax, just added
a non-standard value for "credentialType".

Your turnserver.conf should look like this:

    use-auth-secret
    static-auth-secret=secret
    realm=trun.example.org

I've done some testing, but I didn't test that it will properly rotate the
key — please let me know if it survives 24h.

-- Juliusz

^ permalink raw reply	[flat|nested] 22+ messages in thread

* [Galene] Re: coturn config
  2021-01-01 22:55               ` Juliusz Chroboczek
@ 2021-01-01 23:43                 ` Gabriel Kerneis
  2021-01-02  0:02                   ` Juliusz Chroboczek
  2021-01-07 12:07                 ` Michael Ströder
  1 sibling, 1 reply; 22+ messages in thread
From: Gabriel Kerneis @ 2021-01-01 23:43 UTC (permalink / raw)
  To: Juliusz Chroboczek, Toke Høiland-Jørgensen; +Cc: Cell, galene

On Fri, 1 Jan 2021, at 23:55, Juliusz Chroboczek wrote:
> I just pushed an implementation.  Your ice-servers.json should look like
> this:
> 
>     [
>         {
>             "urls": [
>                 "turn:turn.example.org:3479",
>                 "turn:turn.example.org:3479?transport=tcp"
>             ],
>             "username": "galene",
>             "credential": "secret",
>             "credentialType": "hmac-sha1"
>         }
>     ]

There is no username in the coturn configuration when using TURN REST API, so is the "username" key still necessary here?

-- 
Gabriel

^ permalink raw reply	[flat|nested] 22+ messages in thread

* [Galene] Re: coturn config
  2021-01-01 23:43                 ` Gabriel Kerneis
@ 2021-01-02  0:02                   ` Juliusz Chroboczek
  0 siblings, 0 replies; 22+ messages in thread
From: Juliusz Chroboczek @ 2021-01-02  0:02 UTC (permalink / raw)
  To: Gabriel Kerneis; +Cc: Cell, galene

>>             "username": "galene",
>>             "credential": "secret",
>>             "credentialType": "hmac-sha1"

> There is no username in the coturn configuration when using TURN REST API,
> so is the "username" key still necessary here?

It is optional.  If present, it will be communicated to the TURN server in
a secure manner (it cannot be spoofed by the client), so it may be used
for logging or accounting.

The protocol is fairly simple.  The WebRTC server picks an expiration date
for the credentials and encodes it as Unix time in base 10.  It then sets

   if original_username == ""
      username = expires
   else
      username = expires:original_username

   password = BASE64(HMAC_SHA1(username, secret))

This is equivalent to the code that Toke posted earlier, except that that
code picks the username at random.

-- Juliusz

^ permalink raw reply	[flat|nested] 22+ messages in thread

* [Galene] Re: coturn config
  2021-01-01 22:55               ` Juliusz Chroboczek
  2021-01-01 23:43                 ` Gabriel Kerneis
@ 2021-01-07 12:07                 ` Michael Ströder
  2021-01-07 12:14                   ` Toke Høiland-Jørgensen
  2021-01-07 13:27                   ` [Galene] Re: coturn config Juliusz Chroboczek
  1 sibling, 2 replies; 22+ messages in thread
From: Michael Ströder @ 2021-01-07 12:07 UTC (permalink / raw)
  To: galene

On 1/1/21 11:55 PM, Juliusz Chroboczek wrote:
>> ...And it turns out that I completely misunderstood how this is supposed
>> to work: there's not supposed to be any communication between the WebRTC
>> server and Coturn. Rather, there's a configured shared secret that the
>> WebRTC server can use to generate as many ephemeral credentials as it
>> wants.
> 
> I just pushed an implementation.
> [..]
> In other words, I've kept the standard configuration syntax, just added
> a non-standard value for "credentialType".
> 
> Your turnserver.conf should look like this:
> 
>     use-auth-secret
>     static-auth-secret=secret
>     realm=trun.example.org
> 
> I've done some testing, but I didn't test that it will properly rotate the
> key — please let me know if it survives 24h.

I'm already using this (with git revision d2f7010) since 2+ days. No
issues so far.

How to ensure that it survived key rotation?
Does key rotation affect existing TURN sessions?

Maybe some logging would be good.

Ciao, Michael.

^ permalink raw reply	[flat|nested] 22+ messages in thread

* [Galene] Re: coturn config
  2021-01-07 12:07                 ` Michael Ströder
@ 2021-01-07 12:14                   ` Toke Høiland-Jørgensen
  2021-01-07 12:31                     ` [Galene] logging (was: coturn config) Michael Ströder
  2021-01-07 13:27                   ` [Galene] Re: coturn config Juliusz Chroboczek
  1 sibling, 1 reply; 22+ messages in thread
From: Toke Høiland-Jørgensen @ 2021-01-07 12:14 UTC (permalink / raw)
  To: Michael Ströder, galene

Michael Ströder <michael@stroeder.com> writes:

> On 1/1/21 11:55 PM, Juliusz Chroboczek wrote:
>>> ...And it turns out that I completely misunderstood how this is supposed
>>> to work: there's not supposed to be any communication between the WebRTC
>>> server and Coturn. Rather, there's a configured shared secret that the
>>> WebRTC server can use to generate as many ephemeral credentials as it
>>> wants.
>> 
>> I just pushed an implementation.
>> [..]
>> In other words, I've kept the standard configuration syntax, just added
>> a non-standard value for "credentialType".
>> 
>> Your turnserver.conf should look like this:
>> 
>>     use-auth-secret
>>     static-auth-secret=secret
>>     realm=trun.example.org
>> 
>> I've done some testing, but I didn't test that it will properly rotate the
>> key — please let me know if it survives 24h.
>
> I'm already using this (with git revision d2f7010) since 2+ days. No
> issues so far.
>
> How to ensure that it survived key rotation?
> Does key rotation affect existing TURN sessions?
>
> Maybe some logging would be good.

+1 on the logging - in particular at startup. I messed up the JSON
syntax and didn't notice until the video started failing for some
people...

-Toke

^ permalink raw reply	[flat|nested] 22+ messages in thread

* [Galene] logging (was: coturn config)
  2021-01-07 12:14                   ` Toke Høiland-Jørgensen
@ 2021-01-07 12:31                     ` Michael Ströder
  0 siblings, 0 replies; 22+ messages in thread
From: Michael Ströder @ 2021-01-07 12:31 UTC (permalink / raw)
  To: galene

On 1/7/21 1:14 PM, Toke Høiland-Jørgensen wrote:
> Michael Ströder <michael@stroeder.com> writes:
>> Maybe some logging would be good.
> 
> +1 on the logging - in particular at startup. I messed up the JSON
> syntax and didn't notice until the video started failing for some
> people...

Same here...we're all humans...

Ciao, Michael.


^ permalink raw reply	[flat|nested] 22+ messages in thread

* [Galene] Re: coturn config
  2021-01-07 12:07                 ` Michael Ströder
  2021-01-07 12:14                   ` Toke Høiland-Jørgensen
@ 2021-01-07 13:27                   ` Juliusz Chroboczek
  1 sibling, 0 replies; 22+ messages in thread
From: Juliusz Chroboczek @ 2021-01-07 13:27 UTC (permalink / raw)
  To: Michael Ströder; +Cc: galene

> I'm already using this (with git revision d2f7010) since 2+ days. No
> issues so far.

Excellent.

> How to ensure that it survived key rotation?

Keep Galène running for more than 24h after the initial key is generated
(which happens the first time a client joins).  If the group is still
accessible, then key rotation was successful.

I've got unit tests for key rotation, but not for key rotation.  See
ice/ice_test.go.

> Does key rotation affect existing TURN sessions?

No.  It doesn't even affect existing client sessions, you need to leave
the group and re-join in order to get a new key.  The protocol supports
rotating a joined client's keys, but doing that properly would require
maintaining key age for each client, so I didn't bother for now.

A new key is generated every 2 to 5 minutes, and it has a validity of 24h,
so you'll only run into the issue if you remain connected for (24h - 5min).

In case anyone wants to hack on it, here's what's needed:

  - maintain credential age somewhere in the client structure;
  - at the right time, launch a goroutine to send
    { type: "join", kind: "changed"} to all clients nearing expiration;
  - for extra credit, trigger an ICE restart for all streams to and from
    affected clients so that existing streams pick up the new TURN
    credentials; not sure if that's better done in the client or in the
    server (either side can trigger a restart).

> Maybe some logging would be good.

Yeah.

-- Juliusz

^ permalink raw reply	[flat|nested] 22+ messages in thread

end of thread, other threads:[~2021-01-07 13:27 UTC | newest]

Thread overview: 22+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-27 16:57 [Galene] coturn config Cell
2020-12-27 17:55 ` [Galene] " Toke Høiland-Jørgensen
2020-12-27 18:02 ` Cell
2020-12-27 18:06 ` Cell
2020-12-27 18:16   ` Toke Høiland-Jørgensen
2020-12-27 19:04 ` Juliusz Chroboczek
2020-12-27 19:27   ` Juliusz Chroboczek
2020-12-27 20:32     ` Toke Høiland-Jørgensen
2020-12-27 23:28       ` Juliusz Chroboczek
2020-12-28  1:38         ` Toke Høiland-Jørgensen
2020-12-28 18:49           ` Juliusz Chroboczek
2020-12-28 19:59             ` Toke Høiland-Jørgensen
2020-12-29  1:56               ` Juliusz Chroboczek
2020-12-29  2:09                 ` Toke Høiland-Jørgensen
2020-12-29  8:35                   ` Michael Ströder
2021-01-01 22:55               ` Juliusz Chroboczek
2021-01-01 23:43                 ` Gabriel Kerneis
2021-01-02  0:02                   ` Juliusz Chroboczek
2021-01-07 12:07                 ` Michael Ströder
2021-01-07 12:14                   ` Toke Høiland-Jørgensen
2021-01-07 12:31                     ` [Galene] logging (was: coturn config) Michael Ströder
2021-01-07 13:27                   ` [Galene] Re: coturn config Juliusz Chroboczek

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox