Hash algorithm that will be used in REST API setup #1293
Comments
Sorry, re-opening this issue.

Hello,

I'm also curious about this. We are striving to be compliant with NIST, and SHA1 is no longer recommended by them (see HERE). We will also probably need to use another algorithm for FIPS compliance.

I'm gauging the work required to add support for SHA-256 for the "REST API". Currently, the hash algorithm to use is controlled by the same logic as the message integrity (which is controlled by a specification). I haven't found anything about the auth secret logic being controlled by a specification, so are we free to change how the algorithm is used?

coturn/src/apps/relay/userdb.c Lines 532 to 571 in 412788b

If that's the case it should be quite easy to make it configurable and not rely on the STUN attribute (which will always be SHA-1 anyway). So it's a nice backward-compatible change to just default to SHA-1.

I've opened a really quick and dirty PoC here (#1447). I'm pretty sure I'm missing something. But it does work in practice with the peers I tested with. So the question is more or less: will this break compatibility when changed, or is the token/HMAC just used by coturn and whatever produced the token in the first place?

Ohh, let me know when it's available or if there's any progress...

Hello,
What will be the HMAC algorithm used by coturn? Is there a way to specify/set this in the config?
For example: if the client sends the password with HMAC sha-256, will coturn be able to understand or know to use the same algo to generate its own HMAC to compare and validate?
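
The algorithm mismatch asked about in this thread, as an added example (not coturn's code and not from the linked PoC): a minimal model of the TURN REST API shared-secret scheme, assuming the username is `<expiry-timestamp>:<user>` and the password is base64 of HMAC(secret, username). The `algo` parameter, the function names and the sample secret are hypothetical.

```python
import base64
import hashlib
import hmac

# Hypothetical verifier setting; SHA-1 is the default discussed in the thread.
ALGOS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def derive_password(secret: bytes, username: str, algo: str) -> str:
    """password = base64(HMAC(secret, username)) with the chosen hash."""
    mac = hmac.new(secret, username.encode(), ALGOS[algo]).digest()
    return base64.b64encode(mac).decode()


def issue(secret: bytes, user: str, expires_at: int, algo: str = "sha1"):
    """Issuer side: the service that hands out time-limited TURN credentials."""
    username = f"{expires_at}:{user}"
    return username, derive_password(secret, username, algo)


def verify(secret: bytes, username: str, password: str, now: int,
           algo: str = "sha1") -> bool:
    """Verifier side: recompute with its own configured algorithm.

    Simplification: a real TURN server does not receive the password; it uses
    the derived value as the key for message integrity. Comparing the derived
    passwords models the same agree-or-fail outcome.
    """
    ts, sep, _user = username.partition(":")
    if not sep or not (ts.isascii() and ts.isdigit()):
        return False            # malformed username
    if int(ts) < now:
        return False            # credential expired
    expected = derive_password(secret, username, algo)
    return hmac.compare_digest(expected.encode(), password.encode())


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed sample value
    now = 1_700_000_000                      # constructed clock value
    u1, p1 = issue(secret, "alice", now + 3600, "sha1")
    u2, p2 = issue(secret, "alice", now + 3600, "sha256")
    print("sha1 issuer, sha1 verifier:", verify(secret, u1, p1, now, "sha1"))
    print("sha256 issuer, sha1 verifier:", verify(secret, u2, p2, now, "sha1"))
    print("sha256 issuer, sha256 verifier:", verify(secret, u2, p2, now, "sha256"))
```

Nothing in the username or password tells the verifier which hash produced it, so the issuer and the verifier have to be configured with the same algorithm out of band.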