cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1467
Views
0
Helpful
5
Replies

CMS TURN process certificate chain issues

Stephen Carr
Level 1
Level 1

So, it looks like the CMS TURN server process doesn't hand out the CA bundle the same way as the web process. We are running into issue with our security auditor as they are saying we don't have a "legal" cert bundle for our TURN process on port 3478. Thing is, we are using the same cert bundle for our web process on 443 and that process is passing the auditing tests.When I run a SSL Shopper scan to try and see what is going on it shows a weird chain being handed out where it shows CMS Cert-> CA cert -> Inter Cert->Inter Cert again ->CA cert again (whereas the web process shows the correct chain of CMS cert->Inter Cert ->CA cert). Looks like a bug to me. Now, the TURN functionality seems to work as the clients probably just ignore this stuff but I need this fixed to pass our security audit. Any ideas (I've tried messing with the bundle all sorts of ways to no avail)?

Steve

5 Replies 5

Stephen Carr
Level 1
Level 1

just to add some detail. If I remove the cert bundle from the TURN install and just use the key and file then I get only CMS cert->CA cert-> Inter cert

so clearly there is something built into the TURN process that does this backwards (based on what is present for the web process?). So, the bundle adds the right order chain but only after it tries the wrong order chain.

Steve

Hi Stephen,

 

what do you have in your cert file? (pki inspect <filename> )
It looks like you may have several certificates in one file.

 

Cheers,
  Zoltan

thanks for the response. The bundle cert file just has the two certs needed (the Intermediate and the CA). Again, it works fine on the webbridge process (port 443) with the exact same bundle file so it seems like the TURN process just does it incorrectly

Steve

hmm, anyone willing to check their own cert chain results on port 3478 through a resource like SSL Shopper (if you have a publicly accessible TURN server) to see if you get the same or different results from checking port 443? I'm just trying to identify if it is an issue with Comodo certs or if it is an issue with CMS.

Steve

So, after digging through this issue on and off for a while and waiting through an update to 2.2.8 I believe there is a bug in the CMS code for providing the certificate chain correctly from the TURN service on port 3478. With the exact same cert and CA bundle installed on port 443 and 3478, port 443 (webbridge) hands out the cert chain correctly for certs that have AIA chaining (that have multiple paths through intermediate certs to old CAs and newer ones like Comodo) but the TURN process does not (it hands the CA root first and then loops backwards through the chain and then forwards which runs afoul of security scanning services for audits).

Does this need to be entered as a TAC case? I'm looking for guidance on how best to get this fixed.

thanks

Steve