
TLS1.3 support

Open jpds opened this issue 5 years ago • 3 comments

Any plans for adding TLS1.3 support?

jpds avatar Oct 06 '20 16:10 jpds

@jpds Unfortunately I don't have time to implement it in the foreseeable future, but I would be very happy to merge a Pull Request with it. It is a needed feature, but unfortunately I don't have the capacity and enough knowledge to implement it. Any help would be great!

misi avatar Dec 08 '20 13:12 misi

I was debugging a coturn server I run today, when I noticed that the openssl client I was using was talking TLS1.3 to it?

$ openssl s_client -connect turn.test:5349
...
---
SSL handshake has read 1384 bytes and written 391 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
...

coturn version is 4.5.1.1-1.1+deb10u1.

jpds avatar Jan 06 '21 18:01 jpds

Coturn itself might not support TLSv1.3 right now, but the OpenSSL libraries of most OS do. That's when you get this strange mismatch where the application does not officially support 1.3, but you can connect anyway.

The downside is that you can't disable TLSv1.3 or modify the cipher list from within the coturn configuration file. All those values will only affect TLSv1.2 and below. If you want to modify those things for 1.3 you need to do so in the global openssl configuration, usually at "/etc/ssl/openssl.cnf".

I'm running Debian with latest coturn and a few TLSv1.3 clients and so far I didn't encounter any errors.

SirCypher avatar Jan 09 '21 19:01 SirCypher
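The point made above, that a cipher list set by the application only governs TLSv1.2 and below while the TLSv1.3 suites come from the OpenSSL library, can be checked without a TURN server at all. The script below is an added example (not coturn's code): it uses Python's `ssl` module, which wraps the same `SSL_CTX_set_cipher_list` call, to apply a restrictive cipher list and show which suites remain enabled per protocol version.

```python
import ssl

# TLS 1.3 ciphersuites as OpenSSL names them (RFC 8446); the s_client
# output earlier in the thread negotiated the first one.
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
}


def ciphers_by_protocol(cipher_list: str) -> dict:
    """Apply an OpenSSL cipher-list string (the kind of value an application
    such as coturn hands to SSL_CTX_set_cipher_list) and group the ciphers
    that remain enabled by the protocol version they belong to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)
    groups = {}
    for cipher in ctx.get_ciphers():
        groups.setdefault(cipher["protocol"], set()).add(cipher["name"])
    return groups


def cipher_list_accepted(cipher_list: str) -> bool:
    """True if OpenSSL accepts the string as a pre-1.3 cipher list.
    Naming a TLS 1.3 suite here is rejected: those live in a separate
    setting (SSL_CTX_set_ciphersuites / 'Ciphersuites' in openssl.cnf)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        return False
    return True


def main():
    # Restrict the pre-1.3 list to a single suite, as a config file might.
    groups = ciphers_by_protocol("ECDHE-RSA-AES256-GCM-SHA384")
    for proto, names in sorted(groups.items()):
        print(proto, sorted(names))
    still_on = TLS13_SUITES & groups.get("TLSv1.3", set())
    print("TLS 1.3 suites untouched by the cipher list:", sorted(still_on))
    print("TLS 1.3 suite name accepted in a cipher list?",
          cipher_list_accepted("TLS_AES_256_GCM_SHA384"))


if __name__ == "__main__":
    main()
```

With a TLS 1.3-capable OpenSSL the TLSv1.2 group shrinks to the one suite named, while the TLSv1.3 group is unchanged, which is exactly the mismatch described in the thread.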

Addressed in #989. When building with an OpenSSL version that supports TLS1.3, you automatically get support.

eakraly avatar Sep 29 '22 01:09 eakraly