crash coturn 4.5.0.6 when accessing https

[marcelrouw]

When I access my coturn server using https using a browser it crash.
If I access it with a browser on http it works fine.

I'm using debian jessie on AWS and installed only coturn form the sid repository (and to be sure I also installed openssl from the sid repository)

/var/log/syslog

May 31 12:06:25 ip-10-0-1-242 kernel: [  380.530268] turnserver[488]: segfault at ffffffff00000000 ip 00007fa181796d31 sp 00007fa17d374c80 error 5
May 31 12:06:25 ip-10-0-1-242 kernel: [  380.535280] turnserver[487]: segfault at ffffffff00000000 ip 00007fa181796d31 sp 00007fa17dd76c80 error 5 in libcrypto.so.1.0.0[7fa181694000+1cd000]
May 31 12:06:25 ip-10-0-1-242 kernel: [  380.542600]  in libcrypto.so.1.0.0[7fa181694000+1cd000]

coturn log

0: log file opened: /var/log/turn_486_2017-05-31.log
0:
RFC 3489/5389/5766/5780/6062/6156 STUN/TURN Server
Version Coturn-4.5.0.6 'dan Eider'
0:
Max number of open files/sockets allowed for this process: 65536
0:
Due to the open files/sockets limitation,
max supported number of TURN Sessions possible is: 32500 (approximately)
0:

==== Show him the instruments, Practical Frost: ====

0: TLS supported
0: DTLS supported
0: DTLS 1.2 supported
0: TURN/STUN ALPN supported
0: Third-party authorization (oAuth) supported
0: GCM (AEAD) supported
0: OpenSSL compile-time version: OpenSSL 1.1.0e  16 Feb 2017 (0x1010005f)
0:
0: SQLite supported, default database location is /var/lib/turn/turndb
0: Redis supported
0: PostgreSQL supported
0: MySQL supported
0: MongoDB is not supported
0:
0: Default Net Engine version: 3 (UDP thread per CPU core)

=====================================================

0: Domain name:
0: Default realm: cammio.me
0: SSL23: Certificate file found: /etc/turn-ssl/cammio.me.2017.crt
0: SSL23: Private key file found: /etc/turn-ssl/cammio.me.2017.key
0: TLS1.0: Certificate file found: /etc/turn-ssl/cammio.me.2017.crt
0: TLS1.0: Private key file found: /etc/turn-ssl/cammio.me.2017.key
0: TLS1.1: Certificate file found: /etc/turn-ssl/cammio.me.2017.crt
0: TLS1.1: Private key file found: /etc/turn-ssl/cammio.me.2017.key
0: TLS1.2: Certificate file found: /etc/turn-ssl/cammio.me.2017.crt
0: TLS1.2: Private key file found: /etc/turn-ssl/cammio.me.2017.key
0: TLS cipher suite: DEFAULT
0: DTLS1.2: Certificate file found: /etc/turn-ssl/cammio.me.2017.crt
0: DTLS1.2: Private key file found: /etc/turn-ssl/cammio.me.2017.key
0: DTLS: Certificate file found: /etc/turn-ssl/cammio.me.2017.crt
0: DTLS: Private key file found: /etc/turn-ssl/cammio.me.2017.key
0: DTLS cipher suite: DEFAULT
0: NO EXPLICIT LISTENER ADDRESS(ES) ARE CONFIGURED
0: ===========Discovering listener addresses: =========
0: Listener address to use: 127.0.0.1
0: Listener address to use: 10.0.1.242
0: Listener address to use: ::1
0: =====================================================
0: Total: 1 'real' addresses discovered
0: =====================================================
0: NO EXPLICIT RELAY ADDRESS(ES) ARE CONFIGURED
0: ===========Discovering relay addresses: =============
0: Relay address to use: 10.0.1.242
0: Relay address to use: ::1
0: =====================================================
0: Total: 2 relay addresses discovered
0: =====================================================
0: pid file created: /tmp/turnserver.pid
0: IO method (main listener thread): epoll (with changelist)
0: Wait for relay ports initialization...
0:   relay 10.0.1.242 initialization...
0:   relay 10.0.1.242 initialization done
0:   relay ::1 initialization...
0:   relay ::1 initialization done
0: Relay ports initialization done
0: IO method (general relay thread): epoll (with changelist)
0: turn server id=1 created
0: IPv4. TLS/SCTP listener opened on : 127.0.0.1:3478
0: IPv4. TLS/TCP listener opened on : 127.0.0.1:3478
0: IPv4. TLS/SCTP listener opened on : 127.0.0.1:443
0: IPv4. TLS/TCP listener opened on : 127.0.0.1:443
0: IPv4. TLS/SCTP listener opened on : 127.0.0.1:5349
0: IPv4. TLS/TCP listener opened on : 127.0.0.1:5349
0: IPv4. TLS/SCTP listener opened on : 127.0.0.1:5350
0: IPv4. TLS/TCP listener opened on : 127.0.0.1:5350
0: IPv4. TLS/SCTP listener opened on : 10.0.1.242:3478
0: IPv4. TLS/TCP listener opened on : 10.0.1.242:3478
0: IPv4. TLS/SCTP listener opened on : 10.0.1.242:443
0: IPv4. TLS/TCP listener opened on : 10.0.1.242:443
0: IPv4. TLS/SCTP listener opened on : 10.0.1.242:5349
0: IPv4. TLS/TCP listener opened on : 10.0.1.242:5349
0: IPv4. TLS/SCTP listener opened on : 10.0.1.242:5350
0: IPv4. TLS/TCP listener opened on : 10.0.1.242:5350
0: IPv6. TLS/SCTP listener opened on : ::1:3478
0: IPv6. TLS/TCP listener opened on : ::1:3478
0: IPv6. TLS/SCTP listener opened on : ::1:443
0: IPv6. TLS/TCP listener opened on : ::1:443
0: IPv6. TLS/SCTP listener opened on : ::1:5349
0: IPv6. TLS/TCP listener opened on : ::1:5349
0: IPv6. TLS/SCTP listener opened on : ::1:5350
0: IPv6. TLS/TCP listener opened on : ::1:5350
0: IO method (general relay thread): epoll (with changelist)
0: turn server id=0 created
0: IPv4. DTLS/UDP listener opened on: 127.0.0.1:3478
0: IPv4. DTLS/UDP listener opened on: 127.0.0.1:443
0: IPv4. DTLS/UDP listener opened on: 127.0.0.1:5349
0: IPv4. DTLS/UDP listener opened on: 127.0.0.1:5350
0: IPv4. DTLS/UDP listener opened on: 10.0.1.242:3478
0: IPv4. DTLS/UDP listener opened on: 10.0.1.242:443
0: IPv4. DTLS/UDP listener opened on: 10.0.1.242:5349
0: IPv4. DTLS/UDP listener opened on: 10.0.1.242:5350
0: IPv6. DTLS/UDP listener opened on: ::1:3478
0: IPv6. DTLS/UDP listener opened on: ::1:443
0: IPv6. DTLS/UDP listener opened on: ::1:5349
0: IPv6. DTLS/UDP listener opened on: ::1:5350
0: Total General servers: 2
0: IPv4. TLS/TCP listener opened on : 127.0.0.1:3478
0: IPv4. TLS/TCP listener opened on : 127.0.0.1:443
0: IPv4. TLS/TCP listener opened on : 127.0.0.1:5349
0: IPv4. TLS/TCP listener opened on : 127.0.0.1:5350
0: IPv4. TLS/TCP listener opened on : 10.0.1.242:3478
0: IPv4. TLS/TCP listener opened on : 10.0.1.242:443
0: IPv4. TLS/TCP listener opened on : 10.0.1.242:5349
0: IPv4. TLS/TCP listener opened on : 10.0.1.242:5350
0: IPv6. TLS/TCP listener opened on : ::1:3478
0: IPv6. TLS/TCP listener opened on : ::1:443
0: IPv6. TLS/TCP listener opened on : ::1:5349
0: IPv6. TLS/TCP listener opened on : ::1:5350
0: IO method (admin thread): epoll (with changelist)
0: IPv4. CLI listener opened on : 127.0.0.1:5766
0: IO method (auth thread): epoll (with changelist)
0: IO method (auth thread): epoll (with changelist)
0: SQLite DB connection success: /var/lib/turn/turndb
0: New GID: turnserver(111)
0: New UID: turnserver(106)

[misi]

Can you please check it with the latest git master?

[misi]

@marcelrouw
I have just checked and I don't see this problem with it...

[hthetiot]

I can reproduce on debian jessie with rfc5766-turn-server accessing stun on port 5349 via http crash the server.

[misi]

@hthetiot Which version you are using?
Are you using the latest git master version?
(It will be released soon..)

There is bug that I have fixed..
So try the latest..

[misi]

@marcelrouw Can you attach a core file or a backtrace?

[marcelrouw]

@misi sorry I have terminated this instances (on AWS) and chosen to use jessie-backports repo instead of the sid repo. This worked for me

[hthetiot]

@misi the rfc5766-turn-server version from debian jessie I get is 3.2.4.5-1

Via docker jessie:

# Install turn-server pkg
RUN echo "deb http://ftp.no.debian.org/debian/ stable main contrib non-free" >> /etc/apt/sources.list.d/jessie.list && apt-get update
RUN apt-get install -y -q --no-install-recommends \
    rfc5766-turn-server

I know that not coturn fork, but does that mean the legacy will have this deny of service issue forever ? or is there a way to fix legacy turn-server on debian. I will try coturn later today I have no issue migrating, I just think debian dlike to know that one of the pkg have a deny of service bug and fixing legacy pkg would be great.

Let me know your thoughts @misi

[hthetiot]

I wonder why debian pkg is not version 3.2.5+ yet.
I might try last version of turn-server to see if it has been fixed there first.

• https://github.com/coturn/rfc5766-turn-server/blob/v3.2/ChangeLog

[hthetiot]

Fixed using coturn 4.5.0.7-1 for me.

Here is my Dockerfile for ref:

#name of container: coturn-relay
#versison of container: 0.0.1
FROM debian:jessie
MAINTAINER Harold Thetiot <hthetiot@sylaps.com>

# Set debconf to run non-interactively
RUN echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections

# Install base dependencies
RUN apt-get update && apt-get upgrade -y
RUN apt-get install -y -q --no-install-recommends \
        apt-transport-https \
        software-properties-common \
        ca-certificates \
        libssl-dev \
        ssl-cert \
        curl \
        dnsutils \
    && apt-get clean \
    && rm -rf /tmp/* /var/tmp/*  \
    && rm -rf /var/lib/apt/lists/*

RUN ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/coturn-server.key \
    && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/coturn-server.crt

# Install turn-server pkg
ARG COTURN_VERSION=4.5.0.7-1

RUN echo "deb http://ftp.no.debian.org/debian/ testing main contrib non-free" >> /etc/apt/sources.list.d/jessie.list && apt-get update
RUN apt-get install -t testing -y -q --no-install-recommends \
    coturn

# deps fail using debt directly on stable
#RUN curl http://ftp.us.debian.org/debian/pool/main/c/coturn/coturn_4.5.0.7-1_amd64.deb --output coturn_4.5.0.7-1_amd64.deb
#RUN dpkg -i coturn_4.5.0.7-1_amd64.deb

# Check turnserver version
RUN echo $(dpkg -l | grep coturn)

# Get Current IP and test it
RUN echo $(dig +short myip.opendns.com @resolver1.opendns.com)

ADD etc/turnserver.conf etc/turnserver.conf
ADD etc/turnuserdb etc/turnuserdb

EXPOSE 5766
EXPOSE 5349
EXPOSE 3478:3479
#EXPOSE 32855:32865/tcp
#EXPOSE 32855:32865/udp

COPY entrypoint.sh /entrypoint.sh
RUN chmod u+x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]

[misi]

@hthetiot @marcelrouw
I think there are no more remaining open question.
If you agree, then please close this issue..

[billzhuang]

i meet the exactly same issue under ubuntu 16.04 with self compiled Coturn-4.5.0.8

[Mortagne]

@hthetiot, about your Dockerfile,
do you have some example of your setup for this files :
etc/turnserver.conf
etc/turnuserdb

Regards

[hthetiot]

Crash again with exited with code 139 on 4.5.2 but works on 4.5.1.3 when visiting admin page.
I will try to reproduce with and provide configs.