
[reSIProcate-users] TLS Handshake failure on debian 8


Hey,


I am trying to set up the reTurn server for a project requiring SSL/TLS encryption,
on a Debian 8 server (installed with the official packages, apt-get install resiprocate-turn-server).
The server seems to work fine on the unencrypted port, but I have trouble with TLS.

I am using letsencrypt to generate certificates, not with the certbot utility but another client.

I have the following valid certificates for my subdomain (turn.my-domain.com);
(regenerated automatically every 3 months)

cert.pem (certificate part only)
chain.pem (chain part only)
combined.pem (combines the full-chain and the certificate private key)
fullchain.pem (it includes all the issuers chain)

Plus I of course have the keys

public.pem
private.pem

All those files are set in a specific location on my server, and are 0600, owned by a specific user (let's say "acme").

A few pieces of information about my /etc/reTurn/reTurnServer.config:

TurnPort = 3478
TlsTurnPort = 5349

I am running the server as the user who owns the certificates (so they can be read):
RunAsUser = acme
RunAsGroup = acme

And setting the absolute paths of the certificates:

TlsServerCertificateFilename = /[...]/fullchain.pem
TlsServerPrivateKeyFilename = /[...]/private.pem


Authentication is working fine on port 3478, with the test user I've set;
however, it doesn't work on port 5349 (I get some kind of timeout).

In the log file, I can see a "TlsConnection handshake failure" error:

WARNING | 20170130-105917.582 | reTurnServer | RETURN | 140414884460288 | TlsConnection.cxx:80 | TlsConnection handshake failure, error=335544539-short read


But I don't understand what's going on exactly;
do you know if there is something specific to check about the TLS configuration, the certificates or whatever?
Am I supposed to provide the "fullchain.pem" certificate, or another one?
(I've already tested with the four different certificates, without success.)

I'm also interested to know if there would be a better practice than running the server as my "acme" user,
but then how would it access the certificates?


Best regards,

Florent Schildknecht
UX designer and freelance web developer
+33 6 78 41 74 79 (France)
+46 7 64 15 32 64 (Sweden)

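The checks below are an added example, not code from the original post or from the reSIProcate project. They cover the three things the post asks about: what the logged error number means, whether the certificate and key files handed to reTurn actually belong together and cover the TURN hostname, and how to hand renewed files to the daemon without running it as the ACME user. The error number is decoded with OpenSSL's ERR_PACK layout (library number in the top 8 bits, reason in the low 12 bits); 335544539 is library 20 (ERR_LIB_SSL) with reason 219 (SSL_R_SHORT_READ), which Boost.Asio reports as stream_truncated, i.e. the peer closed the TCP connection before the handshake finished. The "turn" group, the destination directory and the hostname in the comments are placeholders chosen for illustration, and openssl(1) is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post or the reSIProcate project).
# Assumptions: openssl(1) is installed; the "turn" group, the destination
# directory and the hostname used in comments are placeholders.
set -u

# Split an OpenSSL packed error code (as printed by reTurn, e.g. 335544539)
# into library and reason numbers. ERR_PACK puts the library in the top 8
# bits and the reason in the low 12 bits. Library 20 = ERR_LIB_SSL,
# reason 219 = SSL_R_SHORT_READ (Boost.Asio's stream_truncated): the client
# closed the TCP connection mid-handshake rather than the server rejecting
# anything, so look at what the client sends, not only at the server files.
decode_ssl_error() {
    code=$1
    lib=$(( (code >> 24) & 255 ))
    reason=$(( code & 4095 ))
    printf 'lib=%d reason=%d\n' "$lib" "$reason"
}

# Return 0 if the certificate and private key belong together (identical
# SubjectPublicKeyInfo), 1 otherwise. Works for RSA and EC keys alike.
cert_matches_key() {
    cert=$1; key=$2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the leaf certificate (first in the file) is valid for the
# given hostname (SAN or CN), 1 otherwise. This is what a TURN client
# checks when it connects to turn.my-domain.com:5349.
cert_covers_host() {
    cert=$1; host=$2
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null \
        | grep -q 'does match'
}

# Run a real handshake against a live TLS-TURN port and print the
# verification line (e.g. "Verify return code: 0 (ok)"). Needs network
# access, so it is not exercised by the offline checks below.
tls_probe() {
    host=$1; port=$2
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
        | grep 'Verify return code'
}

# Copy the files an ACME client renewed into a directory readable by the
# TURN service group, so the daemon can keep its own unprivileged user
# (RunAsUser/RunAsGroup) instead of running as the ACME user. The private
# key stays 0640 root-owned, group-readable only; the chain is public.
# Meant to be called from the ACME client's post-renewal hook as root.
# Args: fullchain key destdir group
install_for_turn() {
    fullchain=$1; key=$2; dest=$3; group=$4
    mkdir -p "$dest" || return 1
    cp "$fullchain" "$dest/fullchain.pem" || return 1
    cp "$key" "$dest/private.pem" || return 1
    chgrp "$group" "$dest/fullchain.pem" "$dest/private.pem" || return 1
    chmod 0644 "$dest/fullchain.pem" || return 1
    chmod 0640 "$dest/private.pem" || return 1
}
```

Typical use: `decode_ssl_error 335544539`, then `cert_matches_key fullchain.pem private.pem && cert_covers_host fullchain.pem turn.my-domain.com`, and `tls_probe turn.my-domain.com 5349` from another host once the daemon is up; point TlsServerCertificateFilename at the copied fullchain.pem and TlsServerPrivateKeyFilename at the copied private.pem, and restart reTurn from the same hook after each renewal.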