Wednesday, July 5, 2023

How to configure Eturnal TURN server with TLSv1.3 support on Debian 12

eturnal is a TURN server and an alternative to coturn. It can be installed on Debian using the instructions provided here.

To use a static username and password, a script must be used to generate a pair that matches the secret defined in the configuration file: eturnal derives the password from the username and that secret rather than storing it.

The following Python code performs that derivation:

import hmac
import hashlib
import base64

username = "1735686000"          # For credentials valid until 2025-01-01 (Unix expiry timestamp).
secret = "1pIFIj70BPsgBI92j5ux"  # As specified in your configuration file.

# The password is the base64-encoded HMAC-SHA1 of the username, keyed with the secret.
sha = hmac.new(secret.encode('utf-8'), username.encode('utf-8'), hashlib.sha1)
password = base64.b64encode(sha.digest()).decode('utf-8')

print(username)
print(password)


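The same derivation, as an added example that is not part of the original post, wrapped in a function together with the check a TURN server performs on a presented credential: recompute the HMAC and refuse usernames whose timestamp has passed. The ":<user_id>" suffix follows the TURN REST API convention and is an assumption here, as is the constructed placeholder secret.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed placeholder; use the secret from your eturnal configuration file.
SECRET = "replace-with-your-eturnal-secret"


def turn_password(secret: str, username: str) -> str:
    """base64(HMAC-SHA1(secret, username)), the scheme used by the script above."""
    mac = hmac.new(secret.encode("utf-8"), username.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def make_credentials(secret: str, expires_at: int, user_id: str = "") -> Tuple[str, str]:
    """Build a username/password pair valid until the Unix time expires_at.

    The username is the expiry timestamp; the optional ':<user_id>' suffix is the
    TURN REST API convention and is assumed here, not taken from the post.
    """
    username = f"{expires_at}:{user_id}" if user_id else str(expires_at)
    return username, turn_password(secret, username)


def verify_credentials(secret: str, username: str, password: str,
                       now: Optional[int] = None) -> bool:
    """Server-side check: the credential must be unexpired and the HMAC must match.

    hmac.compare_digest avoids leaking how many leading bytes matched through timing.
    """
    now = int(time.time()) if now is None else now
    try:
        expires_at = int(username.split(":", 1)[0])
    except ValueError:
        return False          # Username does not start with a timestamp.
    if expires_at <= now:
        return False          # Credential has expired.
    return hmac.compare_digest(turn_password(secret, username), password)


if __name__ == "__main__":
    user, pw = make_credentials(SECRET, 1735686000)   # Same expiry as the script above.
    print(user)
    print(pw)
    print(verify_credentials(SECRET, user, pw, now=1735600000))   # True
    print(verify_credentials(SECRET, user, pw, now=1735686000))   # False
```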
The following options disable the older TLS versions so that only TLSv1.3 is accepted:

  ## TLS certificate/key files (must be readable by 'eturnal' user!):
  tls_crt_file: /opt/fullchain.pem
  tls_key_file: /opt/privkey.pem
  tls_options:
    - no_tlsv1
    - no_tlsv1_1
    - no_tlsv1_2

It is also recommended to uncomment the "- recommended" item in the blacklist section, which stops TURN from relaying to local network IP addresses and speeds up connection establishment.

Monday, July 3, 2023

How to Install coturn 4.6.2 with TLSv1.3 support on Debian 12

TLSv1.3 support was added in coturn 4.6.2. Debian 12 bookworm ships coturn 4.6.1, which does not support TLSv1.3, so either the Docker image of coturn can be used to get the latest version, or a build from source is needed.

When compiling from source, OpenSSL 1.1.1 is needed to support TLSv1.3.

To compile the latest version of coturn on Debian, follow these instructions:

# Build dependencies (libssl-dev provides the OpenSSL headers needed for TLSv1.3)
apt-get install pkg-config build-essential libssl-dev libevent-dev libsystemd-dev -y
cd /usr/src
wget https://github.com/coturn/coturn/archive/refs/tags/4.6.2.tar.gz
tar -zxvf 4.6.2.tar.gz
cd coturn-4.6.2
./configure --prefix=/usr --confdir=/etc
make
make install
# Install the systemd unit shipped with the sources and the default configuration
cp ./examples/etc/coturn.service /etc/systemd/system/
mv /etc/turnserver.conf.default /etc/turnserver.conf
systemctl daemon-reload
# Create the unprivileged service account first, otherwise the chown below fails
useradd turnserver -s /bin/false
# Make sure the pid file exists and is writable by the service account
touch /var/run/turnserver.pid
chown turnserver:turnserver /var/run/turnserver.pid
systemctl enable coturn --now
service coturn status

Now, in the log file you should see:

INFO: TLS 1.3 supported

Jitsi provides a sample turnserver.conf file for media streaming and TURNS. The sample file can be found here.

The following configuration can be added to the /etc/turnserver.conf file to disable older versions of SSL/TLS, including TLSv1.2, and enforce TLSv1.3 connections:

no-sslv3
no-tlsv1
no-tlsv1_1
no-tlsv1_2

A static username and password for TURN can be defined with the long-term credential mechanism, using the following config:

lt-cred-mech
user=TURNUSER:TURNPASSWORD


How to disable Debian 12 sleep on production servers

 Debian 12 has power saver enabled by default which causes your server to go to sleep if there is no mouse / keyboard interaction. To resolv...