diff --git a/examples/run_tests.sh b/examples/run_tests.sh
index 8468279..69965e9 100755
--- a/examples/run_tests.sh
+++ b/examples/run_tests.sh
@@ -33,3 +33,12 @@ else
 echo FAIL
 exit $?
 fi
+
+echo 'Running turn client DTLS'
+../bin/turnutils_uclient -S -e 127.0.0.1 -X -g -u user -W secret 127.0.0.1 | grep "start_mclient: tot_send_bytes ~ 1000, tot_recv_bytes ~ 1000" > /dev/null
+if [ $? -eq 0 ]; then
+ echo OK
+else
+ echo FAIL
+ exit $?
+fi
diff --git a/src/apps/relay/dtls_listener.c b/src/apps/relay/dtls_listener.c
index c53f8b5..949458e 100644
--- a/src/apps/relay/dtls_listener.c
+++ b/src/apps/relay/dtls_listener.c
@@ -279,18 +279,7 @@ static ioa_socket_handle dtls_server_input_handler(dtls_listener_relay_server_ty
 timeout.tv_usec = 0;
 BIO_ctrl(wbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
-#if DTLSv1_2_SUPPORTED
- if(get_dtls_version(ioa_network_buffer_data(nbh),
- (int)ioa_network_buffer_get_size(nbh)) == 1) {
- connecting_ssl = SSL_new(server->e->dtls_ctx_v1_2);
- } else {
- connecting_ssl = SSL_new(server->e->dtls_ctx);
- }
-#else
- {
- connecting_ssl = SSL_new(server->e->dtls_ctx);
- }
-#endif
+ connecting_ssl = SSL_new(server->e->dtls_ctx);
 SSL_set_accept_state(connecting_ssl);
@@ -573,18 +562,7 @@ static int create_new_connected_udp_socket(
 timeout.tv_usec = 0;
 BIO_ctrl(wbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
-#if DTLSv1_2_SUPPORTED
- if(get_dtls_version(ioa_network_buffer_data(server->sm.m.sm.nd.nbh),
- (int)ioa_network_buffer_get_size(server->sm.m.sm.nd.nbh)) == 1) {
- connecting_ssl = SSL_new(server->e->dtls_ctx_v1_2);
- } else {
- connecting_ssl = SSL_new(server->e->dtls_ctx);
- }
-#else
- {
- connecting_ssl = SSL_new(server->e->dtls_ctx);
- }
-#endif
+ connecting_ssl = SSL_new(server->e->dtls_ctx);
 SSL_set_accept_state(connecting_ssl);
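Review bot: In the new FAIL branch, `exit $?` runs after `echo FAIL`, so `$?` is echo's status (0) and a failed DTLS check still exits the script successfully; use `exit 1` instead. The pre-existing FAIL branch shown as context at the top of the hunk has the same flaw, so it is worth fixing both while here. The `if [ $? -eq 0 ]` test itself is fine: it sees grep's status, which is what decides pass/fail.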
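Review bot: The new `connecting_ssl = SSL_new(server->e->dtls_ctx);` feeds straight into `SSL_set_accept_state(connecting_ssl);` with no NULL check, so an SSL_new failure (allocation failure, or a NULL `dtls_ctx`) dereferences NULL. The removed `#if` block had the same gap, but since the line is being rewritten, add a guard such as `if(!connecting_ssl) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: SSL_new failed\n", __FUNCTION__); /* release wbio as the function's other failure paths do, then bail out */ }` — dtls_server_input_handler's failure path is outside the hunk, so mirror whatever cleanup it already performs. The hunk at -573 in create_new_connected_udp_socket has the identical shape and needs the same check.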
@@ -966,8 +944,6 @@ void setup_dtls_callbacks(SSL_CTX *ctx) {
 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, dtls_verify_callback);
 #endif
- SSL_CTX_set_read_ahead(ctx, 1);
-
 SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie);
 SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie);
 }
diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c
index 6c7a841..f95f900 100644
--- a/src/apps/relay/mainrelay.c
+++ b/src/apps/relay/mainrelay.c
@@ -83,37 +83,31 @@ char HTTP_ALPN[128] = "http/1.1";
 #define DEFAULT_GENERAL_RELAY_SERVERS_NUMBER (1)
 turn_params_t turn_params = {
- NULL,
-#if DTLS_SUPPORTED
-NULL,
-#endif
-#if DTLSv1_2_SUPPORTED
-NULL,
-#endif
-
+NULL, /* tls_ctx */
+NULL, /* dtls_ctx */
 DH_2066, "", "", "", "turn_server_cert.pem","turn_server_pkey.pem", "", "", 0,0,0,
 #if !TLS_SUPPORTED
-1,
+ 1,
 #else
-0,
+ 0,
 #endif
 #if !DTLS_SUPPORTED
-1,
+ 1,
 #else
-0,
+ 0,
 #endif
 NULL, PTHREAD_MUTEX_INITIALIZER,
 //////////////// Common params ////////////////////
-TURN_VERBOSE_NONE, /* verbose */
-0, /* turn_daemon */
-0, /* no_software_attribute */
-0, /* web_admin_listen_on_workers */
-0, /* do_not_use_config_file */
+ TURN_VERBOSE_NONE, /* verbose */
+ 0, /* turn_daemon */
+ 0, /* no_software_attribute */
+ 0, /* web_admin_listen_on_workers */
+ 0, /* do_not_use_config_file */
 "/var/run/turnserver.pid", /* pidfile */
 "", /* acme_redirect */
 DEFAULT_STUN_PORT, /* listener_port*/
@@ -3100,14 +3094,6 @@ static void set_ctx(SSL_CTX** out, const char *protocol, const SSL_METHOD* metho
 dh = get_dh2066();
 }
- /*
- if(!dh) {
- dh = DH_new();
- DH_generate_parameters_ex(dh, 32, DH_GENERATOR_2, 0);
- DH_generate_key(dh);
- }
- */
-
 if(!dh) {
 TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: ERROR: cannot allocate DH suite\n",__FUNCTION__);
 err = 1;
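Review bot: After this hunk no visible code enables read-ahead on the DTLS context — the `SSL_CTX_set_read_ahead(turn_params.dtls_ctx, 1)` in openssl_load_certificates is removed by the same commit — so the reason it is safe to drop deserves a comment in setup_dtls_callbacks. If the reason is that OpenSSL consumes whole datagrams for DTLS regardless of the flag, something like `/* no SSL_CTX_set_read_ahead(): DTLS record reads take whole datagrams regardless of the flag */` next to the cookie callbacks would stop the next reader from re-adding it; if the reason is different, say that instead. setup_dtls_callbacks starts outside the hunk.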
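Review bot: The rewritten leading entries `NULL, /* tls_ctx */` and `NULL, /* dtls_ctx */` still rely on positional order, which is exactly what forced the `#if DTLS_SUPPORTED`/`#if DTLSv1_2_SUPPORTED` bracketing this hunk removes; with both fields now unconditional, designated initializers (`.tls_ctx = NULL,` and `.dtls_ctx = NULL,`) would make the trailing comments redundant and survive future reorders of `_turn_params_`. The re-indentation of the `1,`/`0,` entries and of the `TURN_VERBOSE_NONE` … `do_not_use_config_file` run is whitespace-only and would be easier to review as a separate change. The initializer continues past the hunk.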
@@ -3260,24 +3246,32 @@ static void openssl_load_certificates(void)
 if(!turn_params.no_dtls) {
 #if !DTLS_SUPPORTED
 TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "ERROR: DTLS is not supported.\n");
-#else
- if(OPENSSL_VERSION_NUMBER < 0x10000000L) {
+#elif OPENSSL_VERSION_NUMBER < 0x10000000L
 TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: TURN Server was compiled with rather old OpenSSL version, DTLS may not be working correctly.\n");
- }
-
-#if DTLSv1_2_SUPPORTED
- set_ctx(&turn_params.dtls_ctx,"DTLS",DTLS_server_method());
- set_ctx(&turn_params.dtls_ctx_v1_2,"DTLS1.2",DTLSv1_2_server_method());
- SSL_CTX_set_read_ahead(turn_params.dtls_ctx_v1_2, 1);
- setup_dtls_callbacks(turn_params.dtls_ctx_v1_2);
 #else
- set_ctx(&turn_params.dtls_ctx,"DTLS",DTLSv1_server_method());
+#if OPENSSL_VERSION_NUMBER < 0x10100000L // before openssl-1.1.0 no version independent API
+#if DTLSv1_2_SUPPORTED
+ set_ctx(&turn_params.dtls_ctx,"DTLS",DTLSv1_2_server_method()); // openssl-1.0.2
+ if(!turn_params.no_tlsv1_2) {
+ SSL_CTX_set_options(turn_params.dtls_ctx, SSL_OP_NO_DTLSv1_2);
+ }
+#else
+ set_ctx(&turn_params.dtls_ctx,"DTLS",DTLSv1_server_method()); // < openssl-1.0.2
 #endif
- SSL_CTX_set_read_ahead(turn_params.dtls_ctx, 1);
+ if(!turn_params.no_tlsv1 || !turn_params.no_tlsv1_1) {
+ SSL_CTX_set_options(turn_params.dtls_ctx, SSL_OP_NO_DTLSv1);
+ }
+#else // OPENSSL_VERSION_NUMBER < 0x10100000L
+ set_ctx(&turn_params.dtls_ctx,"DTLS",DTLS_server_method());
+ if(!turn_params.no_tlsv1 || !turn_params.no_tlsv1_1) {
+ SSL_CTX_set_min_proto_version(turn_params.tls_ctx, DTLS1_2_VERSION);
+ }
+ if(!turn_params.no_tlsv1_2) {
+ SSL_CTX_set_max_proto_version(turn_params.tls_ctx, DTLS1_VERSION);
+ }
+#endif //OPENSSL_VERSION_NUMBER < 0x10100000L
 setup_dtls_callbacks(turn_params.dtls_ctx);
- TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "DTLS cipher suite: %s\n",turn_params.cipher_list);
-
 #endif
 }
 pthread_mutex_unlock(&turn_params.tls_mutex);
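Review bot: In the OpenSSL >= 1.1.0 branch, `SSL_CTX_set_min_proto_version(turn_params.tls_ctx, DTLS1_2_VERSION)` and `SSL_CTX_set_max_proto_version(turn_params.tls_ctx, DTLS1_VERSION)` are applied to the TLS context instead of the `dtls_ctx` that `set_ctx()` created two lines above, so the DTLS context gets no version bound at all while the TLS context is handed DTLS version numbers, and the unchecked return values hide whether OpenSSL even accepted them. The guards also look inverted: if `no_tlsv1_2`, `no_tlsv1` and `no_tlsv1_1` are the "disable this version" switches their names suggest, `if(!turn_params.no_tlsv1_2)` sets `SSL_OP_NO_DTLSv1_2` (or caps at `DTLS1_VERSION`) exactly when DTLS 1.2 should stay enabled, and `if(!turn_params.no_tlsv1 || !turn_params.no_tlsv1_1)` disables DTLS 1.0 whenever either older TLS version is still allowed. The rewrite below drops the negations and targets `dtls_ctx`; whether DTLS 1.0 goes away when either or only when both of the TLS 1.0/1.1 switches are set is a policy choice that deserves the comment shown. openssl_load_certificates begins and ends outside the hunk.
```c
#if OPENSSL_VERSION_NUMBER < 0x10100000L // before openssl-1.1.0 no version independent API
#if DTLSv1_2_SUPPORTED
	// … unchanged: set_ctx(&turn_params.dtls_ctx,"DTLS",DTLSv1_2_server_method()); …
	if(turn_params.no_tlsv1_2) {
		SSL_CTX_set_options(turn_params.dtls_ctx, SSL_OP_NO_DTLSv1_2);
	}
#else
	// … unchanged: set_ctx(&turn_params.dtls_ctx,"DTLS",DTLSv1_server_method()); …
#endif
	/* DTLS 1.0 is derived from TLS 1.1; treat the TLS 1.0/1.1 switches as covering it */
	if(turn_params.no_tlsv1 || turn_params.no_tlsv1_1) {
		SSL_CTX_set_options(turn_params.dtls_ctx, SSL_OP_NO_DTLSv1);
	}
#else // OPENSSL_VERSION_NUMBER < 0x10100000L
	// … unchanged: set_ctx(&turn_params.dtls_ctx,"DTLS",DTLS_server_method()); …
	if(turn_params.no_tlsv1 || turn_params.no_tlsv1_1) {
		SSL_CTX_set_min_proto_version(turn_params.dtls_ctx, DTLS1_2_VERSION);
	}
	if(turn_params.no_tlsv1_2) {
		SSL_CTX_set_max_proto_version(turn_params.dtls_ctx, DTLS1_VERSION);
	}
#endif //OPENSSL_VERSION_NUMBER < 0x10100000L
```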
diff --git a/src/apps/relay/mainrelay.h b/src/apps/relay/mainrelay.h
index 2368f53..273a1f4 100644
--- a/src/apps/relay/mainrelay.h
+++ b/src/apps/relay/mainrelay.h
@@ -177,13 +177,7 @@ typedef struct _turn_params_ {
 //////////////// OpenSSL group //////////////////////
 SSL_CTX *tls_ctx;
-
-#if DTLS_SUPPORTED
 SSL_CTX *dtls_ctx;
-#if DTLSv1_2_SUPPORTED
- SSL_CTX *dtls_ctx_v1_2;
-#endif
-#endif
 DH_KEY_SIZE dh_key_size;
diff --git a/src/apps/relay/netengine.c b/src/apps/relay/netengine.c
index c464d5c..7f96d70 100644
--- a/src/apps/relay/netengine.c
+++ b/src/apps/relay/netengine.c
@@ -336,9 +336,6 @@ static void update_ssl_ctx(evutil_socket_t sock, short events, update_ssl_ctx_cb
 replace_one_ssl_ctx(&e->tls_ctx, params->tls_ctx);
 #if DTLS_SUPPORTED
 replace_one_ssl_ctx(&e->dtls_ctx, params->dtls_ctx);
-#endif
-#if DTLSv1_2_SUPPORTED
- replace_one_ssl_ctx(&e->dtls_ctx_v1_2, params->dtls_ctx_v1_2);
 #endif
 struct event *next = args->next;
 pthread_mutex_unlock(&turn_params.tls_mutex);
diff --git a/src/apps/relay/ns_ioalib_impl.h b/src/apps/relay/ns_ioalib_impl.h
index f239397..61f758f 100644
--- a/src/apps/relay/ns_ioalib_impl.h
+++ b/src/apps/relay/ns_ioalib_impl.h
@@ -142,12 +142,7 @@ struct _ioa_engine
 rtcp_map *map_rtcp;
 stun_buffer_list bufs;
 SSL_CTX *tls_ctx;
-#if DTLS_SUPPORTED
 SSL_CTX *dtls_ctx;
-#endif
-#if DTLSv1_2_SUPPORTED
- SSL_CTX *dtls_ctx_v1_2;
-#endif
 turn_time_t jiffie; /* bandwidth check interval */
 ioa_timer_handle timer_ev;
 char cmsg[TURN_CMSG_SZ+1];
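Review bot: `replace_one_ssl_ctx(&e->dtls_ctx, params->dtls_ctx);` keeps its `#if DTLS_SUPPORTED` guard while the same commit makes `dtls_ctx` an unconditional member of both `_turn_params_` (mainrelay.h) and `_ioa_engine` (ns_ioalib_impl.h), so this guard is now the only place the field is still treated as conditional. Either drop the guard here (a NULL-for-NULL replacement on a non-DTLS build is harmless) or keep the header guards — one convention for the field. update_ssl_ctx begins and ends outside the hunk.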