1.17.90: TURN credentials containing a colon in the username are still not properly handled by webrtcbin
There was a lengthy discussion regarding this problem already in the past: If the TURN username contained a ":" the credentials have not been properly taken over by webrtcbin, because the ":", which intentionally belonged to the username, was erroneously taken as the separator between username and password in gst-plugins-bad, gstwebrtcice.c.
See here:
I was contributing a PR which fixed the problem for me. I think it was ignored. Instead something else has been implemented in 1.17.90, which in turn again leads to the situation, that webrtcbin is not issuing RELAY candidates. Right now I'm unable to detect where the problem is, but a return to 1.17.2 and application of my patch immediately made webrtcbin spit RELAY candidates again.
Here are some traces. For privacy reasons the IP of my TURN server is obfuscated. You can be assured, that the plain credentials are always completely OK. It has been verified several times with the trickle ICE website (see image)
I tested both versions, each time cloned from scratch. In both gstwebrtcice.c files I added a trace at the end of _parse_user_info():
*user = g_strndup (userinfo, colon - userinfo);
*pass = g_strdup (&colon[1]);
GST_WARNING("---- TURN user '%s', pass '%s'", *user, *pass);
1.17.90:
The trace shows you the plain credentials as created by my Python script, the URL encoded credentials, the embedding of the credentials in the pipeline and what is finally seen by _parse_user_info(). Please note: The "speciality" of my username is the trailing ":", which is created following the COTURN specification. I think a trailing ":" is maybe uncommon, but allowed and nobody should stumble over this in 2020 anymore :)
2020-08-23 16:24:51,267 df.py-INFO : plain TURN credentials: username: 1598203491:, password: 3vEIIrTx6BUCnlvnSRTdwkpyPYs=
2020-08-23 16:24:51,269 df.py-INFO : URL encoded TURN credentials: username: 1598203491%3A, password: 3vEIIrTx6BUCnlvnSRTdwkpyPYs%3D
2020-08-23 16:24:51,270 df.py-INFO : provided STUN/TURN config: ['stun://xx.xx.xx.xx:3478', 'turn://1598203491%3A:3vEIIrTx6BUCnlvnSRTdwkpyPYs%3D@xx.xx.xx.xx:3478']
2020-08-23 16:24:51,271 df.py-DEBUG : selected pipeline:
webrtcbin name=webrtcbin bundle-policy=max-bundle stun-server=stun://xx.xx.xx.xx:3478 turn-server=turn://1598203491%3A:3vEIIrTx6BUCnlvnSRTdwkpyPYs%3D@xx.xx.xx.xx:3478
rpicamsrc bitrate=5000000 awb-mode=tungsten preview=false ! video/x-h264,profile=constrained-baseline, width=640, height=480, framerate=30/1 ! h264parse ! rtph264pay config-interval=-1 name=payloader !
application/x-rtp,media=video,encoding-name=H264,payload=96 ! webrtcbin.
0:00:06.648152758 21417 0x71522e20 WARN webrtcice gstwebrtcice.c:302:_parse_userinfo: ---- TURN user '1598203491%3A', pass '3vEIIrTx6BUCnlvnSRTdwkpyPYs%3D'
Note: In contrary to 1.17.2 the credentials as splitted up by _parse_user_info() are still URLEncoded.
In fact webrtcbin does NOT send any relay candidates with this setup. Made several attempts to prove. The GST debug level is WARNING, there is also no indication of any problem after the split.
It can't work, since - as anticipated and confirmed by my COTURN log - the stack uses the URLEncoded credentials (at least the username) for authentication:
1126784: session 003000000000000810: realm <kurento.org> user <1598203491%3A>: incoming packet message processed, error 401: Unauthorized
1.17.2, w/o my patch:
2020-08-23 17:26:10,551 df.py-INFO : plain TURN credentials: username: 1598207170:, password: ckIJqZlS34kFnefC2O1zifteA+M=
2020-08-23 17:26:10,552 df.py-INFO : URL encoded TURN credentials: username: 1598207170%3A, password: ckIJqZlS34kFnefC2O1zifteA%2BM%3D
2020-08-23 17:26:10,552 df.py-INFO : provided STUN/TURN config: ['stun://xx.xx.xx.xx:3478', 'turn://1598207170%3A:ckIJqZlS34kFnefC2O1zifteA%2BM%3D@xx.xx.xx.xx:3478']
2020-08-23 17:26:10,553 df.py-DEBUG : selected pipeline:
webrtcbin name=webrtcbin bundle-policy=max-bundle stun-server=stun://xx.xx.xx.xx:3478 turn-server=turn://1598207170%3A:ckIJqZlS34kFnefC2O1zifteA%2BM%3D@xx.xx.xx.xx:3478
rpicamsrc bitrate=5000000 awb-mode=tungsten preview=false ! video/x-h264,profile=constrained-baseline, width=640, height=480, framerate=30/1 ! h264parse ! rtph264pay config-interval=-1 name=payloader !
application/x-rtp,media=video,encoding-name=H264,payload=96 ! webrtcbin.
0:00:06.208803854 6128 0x71521ae0 WARN webrtcice gstwebrtcice.c:299:_parse_userinfo: ---- TURN user '1598207170', pass ':ckIJqZlS34kFnefC2O1zifteA+M='
As you can see, the function provides URLDecoded credentials, but the split is happening at the wrong place.
As the result the stack does NOT provide RELAY candidates, because of 401 at COTURN.
1130462: session 003000000000000815: realm <kurento.org> user <1598207170>: incoming packet message processed, error 401: Unauthorized
1.17.2 with patching _parse_user_info():
My patch just changes this line:
colon = g_strstr_len (userinfo, -1, ":");
to this
colon = g_strrstr_len (userinfo, -1, ":");
2020-08-23 17:31:18,903 df.py-INFO : plain TURN credentials: username: 1598207478:, password: EGwfkNeR1ASduBBO2qnfysIdzAE=
2020-08-23 17:31:18,904 df.py-INFO : URL encoded TURN credentials: username: 1598207478%3A, password: EGwfkNeR1ASduBBO2qnfysIdzAE%3D
2020-08-23 17:31:18,904 df.py-INFO : provided STUN/TURN config: ['stun://xx.xx.xx.xx:3478', 'turn://1598207478%3A:EGwfkNeR1ASduBBO2qnfysIdzAE%3D@xx.xx.xx.xx:3478']
2020-08-23 17:31:18,905 df.py-DEBUG : selected pipeline:
webrtcbin name=webrtcbin bundle-policy=max-bundle stun-server=stun://xx.xx.xx.xx:3478 turn-server=turn://1598207478%3A:EGwfkNeR1ASduBBO2qnfysIdzAE%3D@xx.xx.xx.xx:3478
rpicamsrc bitrate=5000000 awb-mode=tungsten preview=false ! video/x-h264,profile=constrained-baseline, width=640, height=480, framerate=30/1 ! h264parse ! rtph264pay config-interval=-1 name=payloader !
application/x-rtp,media=video,encoding-name=H264,payload=96 ! webrtcbin.
0:00:12.568729534 6283 0x71521ae0 WARN webrtcice gstwebrtcice.c:299:_parse_userinfo: ---- TURN user '1598207478:', pass 'EGwfkNeR1ASduBBO2qnfysIdzAE='
Since COTURN is happy now, finally I have RELAY candidates from webrtcbin.
1130772: session 002000000000000962: realm <kurento.org> user <1598207478:>: incoming packet ALLOCATE processed, success
Please check.
And sorry for the long post.
Regards