SSL connections ending prematurely

Hello,

Our uptime monitoring has started receiving a empty response from Jitsi on port 443

The response ended prematurely.

I can see NGINX passing this response through to coturn at port 5349, coturn then sends out the following message:

HTTPS connection has been disabled due Vulnerability in the Web interface !!!

Apparently this is a issue with this version of coturn.

I’m running the stock Ubuntu 18.04 version 4.5.0.7-1ubuntu2.18.04.2, has anyone else found this issue? and or any fixes?

Does Jitsi use the web interface for coturn? it’s been broken for so long I imagine not. Are these SSL settings used for anything else?

I think one potential fix would be to move SSL termination into NGINX and proxy to the unencrypted coturn port.

If the web admin interface is giving you grief, why not disable it ? As far as I remember it’s disabled by default in Jitsi. If you want admin you can also enable the telnet interface (protect it with firewall) or use another ip address as advised in the issue.

in the default setup, I think yes since nginx is working in passthrough.

Thanks for your reply. When you say web admin interface, do you mean to coturn? or Jitsi?
I don’t think I’m personally using any coturn web interface - except for this log saying that HTTPS connections are being rejected by it. I assumed Jitsi needed it.

My coturn config is already matching stock, same for NGINX which is proxying to it - matching this config.

yes, that’s the subject of the coturn issue you linked to. To enable it the instruction
web-admin
should be included in the config file. If it’s here, remove it. By default it’s listening on port 8080 so if your coturn instance listens on this port (or on the port defined by web-admin-port=) it’s definitely enabled.

OK, it sounds like that github issue I found was a red herring because web-admin isn’t enabled.
The turn server is only listening on listening-port=3478 and tls-listening-port=5349.

These errors…

HTTPS connection has been disabled due Vulnerability in the Web interface !!!

…are showing up when web traffic is proxied to the TLS port.

Well, that’s strange because it seems to concern the web admin interface, not the TLS traffic to 5379 port. As I don’t use coturn with TLS myself, I have no quick way to test it. Try to upgrade coturn then.

Interesting, how are you using coturn? do you not need it for the nginx proxy config?

Upgrading coturn will probably fix it, but I’d like to stick with the version provided by the ubuntu repos, I figure this is the version most people are using. Surprised no one else is seeing this issue.