Skip to content
Snippets Groups Projects
Unverified Commit cefd4b87 authored by AndrewFerr's avatar AndrewFerr Committed by GitHub
Browse files

Warn against using Let's Encrypt certs for encrypted TURN (#11686) 

* Warn against using Let's Encrypt certs for encrypted TURN

This helps to avoid client-side issues:
* https://github.com/vector-im/element-android/issues/1533
* https://github.com/vector-im/element-ios/issues/2712



Signed-off-by: default avatarAndrew Ferrazzutti <fair@miscworks.net>
parent 86615aa9
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
changelog.d/11686.doc 0 → 100644
+ 1
0
View file @ cefd4b87
Warn against using a Let's Encrypt certificate for TLS/DTLS TURN server client connections, and suggest using ZeroSSL certificate instead. This bypasses client-side connectivity errors caused by WebRTC libraries that reject Let's Encrypt certificates. Contibuted by @AndrewFerr.
docs/turn-howto.md
+ 16
0
View file @ cefd4b87
...@@ -137,6 +137,10 @@ This will install and start a systemd service called `coturn`. ...@@ -137,6 +137,10 @@ This will install and start a systemd service called `coturn`.
# TLS private key file # TLS private key file
pkey=/path/to/privkey.pem pkey=/path/to/privkey.pem
# Ensure the configuration lines that disable TLS/DTLS are commented-out or removed
#no-tls
#no-dtls
``` ```
In this case, replace the `turn:` schemes in the `turn_uris` settings below In this case, replace the `turn:` schemes in the `turn_uris` settings below
...@@ -145,6 +149,14 @@ This will install and start a systemd service called `coturn`. ...@@ -145,6 +149,14 @@ This will install and start a systemd service called `coturn`.
We recommend that you only try to set up TLS/DTLS once you have set up a We recommend that you only try to set up TLS/DTLS once you have set up a
basic installation and got it working. basic installation and got it working.
NB: If your TLS certificate was provided by Let's Encrypt, TLS/DTLS will
not work with any Matrix client that uses Chromium's WebRTC library. This
currently includes Element Android & iOS; for more details, see their
[respective](https://github.com/vector-im/element-android/issues/1533)
[issues](https://github.com/vector-im/element-ios/issues/2712) as well as the underlying
[WebRTC issue](https://bugs.chromium.org/p/webrtc/issues/detail?id=11710).
Consider using a ZeroSSL certificate for your TURN server as a working alternative.
1. Ensure your firewall allows traffic into the TURN server on the ports 1. Ensure your firewall allows traffic into the TURN server on the ports
you've configured it to listen on (By default: 3478 and 5349 for TURN you've configured it to listen on (By default: 3478 and 5349 for TURN
traffic (remember to allow both TCP and UDP traffic), and ports 49152-65535 traffic (remember to allow both TCP and UDP traffic), and ports 49152-65535
...@@ -250,6 +262,10 @@ Here are a few things to try: ...@@ -250,6 +262,10 @@ Here are a few things to try:
* Check that you have opened your firewall to allow UDP traffic to the UDP * Check that you have opened your firewall to allow UDP traffic to the UDP
relay ports (49152-65535 by default). relay ports (49152-65535 by default).
* Try disabling `coturn`'s TLS/DTLS listeners and enable only its (unencrypted)
TCP/UDP listeners. (This will only leave signaling traffic unencrypted;
voice & video WebRTC traffic is always encrypted.)
* Some WebRTC implementations (notably, that of Google Chrome) appear to get * Some WebRTC implementations (notably, that of Google Chrome) appear to get
confused by TURN servers which are reachable over IPv6 (this appears to be confused by TURN servers which are reachable over IPv6 (this appears to be
an unexpected side-effect of its handling of multiple IP addresses as an unexpected side-effect of its handling of multiple IP addresses as
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment