Description
Describe the bug
flutter-webrtc cannot connect to a TURN server using TLS, with a letsencrypt certificate.
To Reproduce
A turns: URL fails to connect, but if you change the following to use turn: it connects and works correctly. I can see the traffic in the TURN server logs.
Map<String, dynamic> _iceServers = {
  'iceServers': [
    // turns: is TURN over TLS on 5349; swapping this to turn: makes it work
    {'url': 'turns:$hostName:5349', 'username': username, 'credential': credential},
  ],
  // force relay candidates only, so the TURN connection must succeed
  'iceTransportPolicy': 'relay',
};
This was tested using pion/turn and a cell phone. On a LAN, it also fails when configured with 'iceTransportPolicy': 'relay', but works without this setting.
Note that Chromium WebRTC had a bug filed with regard to letsencrypt certificates, as noted here. Discussion here.
Expected behavior
letsencrypt certificates should be trusted. As a secondary goal, self-signed certificates should have a way to be trusted.
Platform information
- Flutter version:
• Flutter version 2.1.0-12.1.pre at /Users/travis/Dev/flutter
• Framework revision 8264cb3e8a (7 weeks ago), 2021-03-10 12:37:57 -0800
• Engine revision 711ab3fda0
• Dart version 2.13.0 (build 2.13.0-116.0.dev)
- Plugin version: 0.6.3
- OS: iOS (Android not yet tested)
- OS version: 14.4.2 - iPhone or XCode simulator
pion/turn logs:
turn DEBUG: 23:57:35.291212 server.go:143: exit read loop on error: remote error: tls: unknown certificate authority
I believe that the pion/turn server is working correctly, because the content streaming application (Golang), is connecting to it with turns: without any problems.
flutter-webrtc logs related to TLS:
(turn_port.cc:798): Port[151a9800:1:1:0:relay:Net[en2:169.200.0.x/16:Wifi:id=1]]: Starting TURN host lookup for abc.example.com:5349
(turn_port.cc:365): Port[151a1000:0:1:0:relay:Net[en2:169.200.0.x/16:Wifi:id=1]]: Trying to connect to TURN server via tls @ abc.example.com:5349
(basic_packet_socket_factory.cc:171): TCP connect failed with error 65
(openssl_adapter.cc:443): OpenSSLAdapter::Cleanup
(turn_port.cc:369): Failed to create TURN client socket
...
(openssl_adapter.cc:675): OpenSSLAdapter::OnConnectEvent
(openssl_adapter.cc:270): OpenSSLAdapter::BeginSSL: abc.example.com
(openssl_adapter.cc:410): -- error want read
(openssl_adapter.cc:425): ContinueSSL -- error -1
(openssl_adapter.cc:433): OpenSSLAdapter::Error(ContinueSSL, -1)
(turn_port.cc:508): Port[1519e000:0:1:0:relay:Net[pdp_ip0:192.0.0.x/32:Cellular:id=6]]: Connection with server failed with error: -1
(basic_port_allocator.cc:1086): Port[1519e000:0:1:0:relay:Net[pdp_ip0:192.0.0.x/32:Cellular:id=6]]: Port encountered error while gathering candidates....
...
From some web searches, error 65 appears to mean "host not reachable".
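A small triage helper for the two failure shapes visible in the log excerpt above, added here as an example that is not from the report or the flutter-webrtc project: it separates a TCP-level failure (TLS never started) from a handshake that aborted after BeginSSL, which is the client-side counterpart of the server's "unknown certificate authority" error. The sample log lines are constructed from the excerpt; the hostname and addresses are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the libwebrtc log lines quoted in the
# report; abc.example.com and the x'd addresses are placeholders.
SAMPLE_LOG = """\
(turn_port.cc:365): Port[151a1000:0:1:0:relay:Net[en2:169.200.0.x/16:Wifi:id=1]]: Trying to connect to TURN server via tls @ abc.example.com:5349
(basic_packet_socket_factory.cc:171): TCP connect failed with error 65
(turn_port.cc:369): Failed to create TURN client socket
(openssl_adapter.cc:270): OpenSSLAdapter::BeginSSL: abc.example.com
(openssl_adapter.cc:425): ContinueSSL -- error -1
(turn_port.cc:508): Port[1519e000:0:1:0:relay:Net[pdp_ip0:192.0.0.x/32:Cellular:id=6]]: Connection with server failed with error: -1
"""

TCP_FAIL = re.compile(r"TCP connect failed with error (\d+)")
CONN_FAIL = re.compile(r"Connection with server failed with error: (-?\d+)")
PORT_NET = re.compile(r"Net\[(?P<iface>[^:]+):[^:]+:(?P<kind>Wifi|Cellular|Ethernet)")


def classify_turn_failures(log_text: str) -> List[Dict[str, str]]:
    """Label each TURN failure as 'transport' (TCP connect failed, so no TLS
    handshake ever ran; a reachability or firewall problem) or 'tls_handshake'
    (TCP connected, BeginSSL ran, then the handshake aborted; this is where an
    untrusted or incomplete certificate chain shows up). The network kind is
    taken from the nearest Port[...Net[...]...] text seen so far."""
    findings: List[Dict[str, str]] = []
    net_kind = "unknown"
    ssl_started = False
    for line in log_text.splitlines():
        m = PORT_NET.search(line)
        if m:
            net_kind = m.group("kind")
        if "OpenSSLAdapter::BeginSSL" in line:
            ssl_started = True  # TCP is up; the TLS handshake begins here
        m = TCP_FAIL.search(line)
        if m:
            findings.append({"stage": "transport", "network": net_kind, "code": m.group(1)})
            ssl_started = False
            continue
        m = CONN_FAIL.search(line)
        if m:
            stage = "tls_handshake" if ssl_started else "unknown"
            findings.append({"stage": stage, "network": net_kind, "code": m.group(1)})
            ssl_started = False
    return findings
```

Run over the sample, the helper reports one transport failure (code 65) on the Wifi port and one handshake failure (code -1) on the Cellular port, which is the split the server-side "unknown certificate authority" line should be matched against.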