0

我使用这个 Flutter 数据通道示例将我的 Android 应用程序连接到我本地网络上的CoTURN 服务器。CoTURN 日志显示 Android 应用程序成功连接到 CoTURN 服务器,但未显示任何用户名。我想确保在不使用长期凭据的情况下无法访问我的 CoTURN 服务器。

我的 CoTURN 服务器版本在 Debian Linux Stable (10 Buster) 上是 4.5.1.1-1.1。已lt-cred-mech在 CoTURN 服务器配置中设置,no-auth但未设置(已注释)。我verbose用来检查日志。我在我的 MySQL 数据库中创建了一个用于长期凭据的用户。在安全端口上使用此命令进行验证:

turnutils_uclient -p 5349 -u myuser -w mypassword 192.168.188.28

它在 coturn 日志中导致以下内容:

1992: handle_udp_packet: New UDP endpoint: local addr 192.168.188.28:5349, remote addr 192.168.188.28:58256
1992: session 002000000000000002: realm <myrealm> user <>: incoming packet message processed, error 401: Unauthorized
1992: IPv4. Local relay addr: 192.168.188.28:64632
1992: IPv4. Local reserved relay addr: 192.168.188.28:64633
1992: session 002000000000000002: new, realm=<myrealm>, username=<myuser>, lifetime=777
1992: session 002000000000000002: realm <myrealm> user <myuser>: incoming packet ALLOCATE processed, success
1992: session 002000000000000002: refreshed, realm=<myrealm>, username=<myuser>, lifetime=777
1992: session 002000000000000002: realm <myrealm> user <myuser>: incoming packet REFRESH processed, success
...
2007: session 003000000000000003: delete: realm=<myrealm>, username=<myuser>
2007: session 003000000000000003: peer 0.0.0.0:3481 deleted
2008: session 001000000000000008: usage: realm=<myrealm>, username=<myuser>, rp=13, rb=1360, sp=8, sb=768
2008: session 001000000000000008: closed (2nd stage), user <myuser> realm <myrealm> origin <>, local 192.168.188.28:5349, remote 192.168.188.28:48266, reason: allocation timeout
2008: session 001000000000000008: delete: realm=<myrealm>, username=<myuser>
2008: session 001000000000000008: peer 0.0.0.0:3481 deleted

如果我对故意无效的用户尝试相同的命令,我会在服务器日志中得到预期的以下结果:

2227: handle_udp_packet: New UDP endpoint: local addr 192.168.188.28:5349, remote addr 192.168.188.28:40431
2227: session 002000000000000003: realm <myrealm> user <>: incoming packet message processed, error 401: Unauthorized
2227: check_stun_auth: Cannot find credentials of user <myuserfaulty>
2227: session 002000000000000003: realm <myrealm> user <myuserfaulty>: incoming packet message processed, error 401: Unauthorized
2227: check_stun_auth: Cannot find credentials of user <myuserfaulty>
...

因此,这意味着 CoTURN 服务器确实检查了凭据。

但是,当我如下向 Flutter 应用程序添加凭据时,我得到的服务器日志似乎没有显示任何用户。最糟糕的是,如果用户故意犯错,它什么也不会改变。这是改编的代码部分:

...
    Map<String, dynamic> configuration = {
      "iceServers": [
        {"url": "stun:192.168.188.28:5349"},
        {"username": "myuserfaulty"},
        {"credential": "mypassword"},
      ]
    };
...

请注意,我从以下文件中猜测了配置中的username和条目:credential

https://github.com/cloudwebrtc/flutter-webrtc/blob/master/ios/Classes/FlutterWebRTCPlugin.m

https://github.com/cloudwebrtc/flutter-webrtc/blob/master/android/src/main/java/com/cloudwebrtc/webrtc/FlutterWebRTCPlugin.java

以下是使用 Flutter 故意错误凭据时的 CoTURN 日志:

2945: handle_udp_packet: New UDP endpoint: local addr 192.168.188.28:5349, remote addr 192.168.188.31:58350
2945: session 002000000000000004: realm <myrealm> user <>: incoming packet BINDING processed, success
2955: session 002000000000000004: realm <myrealm> user <>: incoming packet BINDING processed, success
2965: session 002000000000000004: realm <myrealm> user <>: incoming packet BINDING processed, success
2975: session 002000000000000004: realm <myrealm> user <>: incoming packet BINDING processed, success
2985: session 002000000000000004: realm <myrealm> user <>: incoming packet BINDING processed, success
2995: session 002000000000000004: realm <myrealm> user <>: incoming packet BINDING processed, success
3005: session 002000000000000004: usage: realm=<myrealm>, username=<>, rp=6, rb=120, sp=6, sb=528
3005: session 002000000000000004: closed (2nd stage), user <> realm <myrealm> origin <>, local 192.168.188.28:5349, remote 192.168.188.31:58350, reason: allocation watchdog determined stale session state
3005: handle_udp_packet: New UDP endpoint: local addr 192.168.188.28:5349, remote addr 192.168.188.31:58350
3005: session 002000000000000005: realm <myrealm> user <>: incoming packet BINDING processed, success
3015: session 002000000000000005: realm <myrealm> user <>: incoming packet BINDING processed, success
...

所以,我有以下问题:

  1. 如何确保我的 CoTURN 服务器在没有授权的长期凭据的情况下无法使用?

  2. 为什么 Flutter 应用程序不受相同的凭据验证的约束turnutils_uclient

  3. 我是否猜对了在 Flutter 应用程序中通过在配置中添加usernamecredential条目来指定凭据的方式?

4

1 回答 1

0

  1. 使用此配置 ( lt-cred-mech),如果没有授权的长期凭据,则无法使用 TURN 服务器。但是,STUN 服务器从不需要身份验证。

  2. turnutils_uclient命令需要身份验证,因为它调用 TURN 服务器。要进行 STUN 服务器测试调用,turnutils_stunclient可以使用该命令,但不能为其提供凭据。

  3. Flutter 中 TURN 服务器上的长期身份验证格式在此文件的注释中进行了描述: https ://github.com/cloudwebrtc/flutter-webrtc-demo/blob/master/lib/src/call_sample/signaling.dart

...
      {
        'url': 'turn:123.45.67.89:3478',
        'username': 'change_to_real_user',
        'credential': 'change_to_real_secret'
      },
...

这表明我的尝试是错误的,原因有两个:

  • 协议必须设置为 turn 而不是 stun。
  • 配置项必须在同一个数组中。

在这些更正之后,我确实在 coturn 服务器日志中获得了用户名,如下所示:

87055: session 000000000000000540: new, realm=<myrealm>, username=<myuser>, lifetime=600
87055: session 000000000000000540: realm <myrealm> user <myuser>: incoming packet ALLOCATE processed, success
87065: session 000000000000000540: realm <myrealm> user <myuser>: incoming packet BINDING processed, success

请注意,coturn 服务器配置也可能需要对 STUN 绑定请求进行身份验证:

...
# Require authentication of the STUN Binding request.
# By default, the clients are allowed anonymous access to the STUN Binding functionality.
#
#secure-stun
...
于 2019-09-01T02:49:31.453 回答