forked from coturn/coturn
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ChangeLog
1618 lines (1341 loc) · 56.5 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
TBD Version 4.7.0 '':
Contributors:
- Arjun (36335769+0x34d@users.noreply.github.com)
- Emil Ljungdahl (111423223+pando-emil@users.noreply.github.com)
- Gregor Jasny (gjasny@googlemail.com)
- Gustavo Garcia (gustavogb@gmail.com)
- Hyorin Choi (17173216+hyorin@users.noreply.github.com)
- Joachim Bauch (bauch@struktur.de)
- Kang Lin (kl222@126.com)
- Paul Kramer (47924093+paulkram@users.noreply.github.com)
- Pavel Punsky (eakraly@users.noreply.github.com)
- Robert Scheck (robert-scheck@users.noreply.github.com)
- Samuel Marks (807580+SamuelMarks@users.noreply.github.com)
- Scott Godin (sgodin@sipspectrum.com)
- Thibaut ACKERMANN (thib-ack@users.noreply.github.com)
- Tom Bevan (thehorrorthehorror@gmail.com)
- Yoshiki Kadoshita (sublimer.me@gmail.com)
- tyranron (tyranron@gmail.com)
Changelist:
- Do not build debug version during PR preflight (Pavel Punsky)
- Fix duplicate prometheus metric report (#1079) (Pavel Punsky)
- feature(1026): add sessioncount to prometheus metrics (#1075) (Paul Kramer)
- Update openssl API use to non-deprecated version (#1072) (Pavel Punsky)
- Log threadId to logs to aid in multi-threaded debugging. (#1030) (Scott Godin)
- Use khash 0.2.8 (#1047) (Gregor Jasny)
- Reflect new native Windows build support in documentation (#1060) (Samuel Marks)
- Check and fix format string for turn_log_func_default (#1064) (Gregor Jasny)
- Properly calculate size for sm_allocated (#1063) (Gregor Jasny)
- Do not discard qualifiers in free() (#1065) (Gregor Jasny)
- Simplify defines for macOS platform (#1058) (Pavel Punsky)
- Fix warnings (unused arguments, undeclared function) (#1057) (Pavel Punsky)
- WINDOWS: unsigned long should not be used to store pointers (#1055) (Emil Ljungdahl)
- Reduce usage of TURN_NO_HIREDIS macros (#1022) (Pavel Punsky)
- Update to fix duplicate stdout log output (#1054) (Yoshiki Kadoshita)
- Use c11 standard See: #1055 (#1056) (Kang Lin)
- Reduce usage of TURN_NO_PROMETHEUS (#1023) (Pavel Punsky)
- Remove unnecessary declaration from header file (#1052) (Yoshiki Kadoshita)
- Fix compilation warnings for functions with no arguments (#1053) (Pavel Punsky)
- Support Windows MSVC (#855) (Kang Lin)
- Fix resource leaks (#1048) (Gregor Jasny)
- Update turnserver.conf (#1009) (Hyorin Choi)
- Fix warnings (#1046) (Gregor Jasny)
- Backlog fifo (#1029) (Scott Godin)
- Change rpm systemd service type from notify to exec (#1043) (Gustavo Garcia)
- Add missing comma (#1041) (Gregor Jasny)
- Fix off-by-one when terminating gcm_nonce (#1039) (Gregor Jasny)
- Use %zu format specifier for size_t (#1040) (Gregor Jasny)
- Fix variable argument handling (#1042) (Gregor Jasny)
- Cleanup openssl initialization (#1012) (Pavel Punsky)
- fuzzing support (#982) (Arjun)
- created netengine.c get_relay_server utility method to reduce code duplication (#1032) (Scott Godin)
- fix bug in calls to ssl_read and ssl_send where extra verbose flag goes missing (#1033) (Scott Godin)
- ignore raw UDP if no_udp is enabled (#1031) (Scott Godin)
- Fix 2 warnings in code (#1027) (Pavel Punsky)
- Sanitize DB connection string before printing to log (#1020) (Pavel Punsky)
- Better detect SCTP protocol (#1016) (Pavel Punsky)
- Redis memleaks and socketleaks (#1015) (Thibaut ACKERMANN)
- Fix : Issue 51563 in oss-fuzz (#1010) (Arjun)
- Fix multiple warnings in libtelnet.c file (#1011) (Pavel Punsky)
- Update libtelnet to 0.23 (portability issues) (#1005) (Pavel Punsky)
- Remove debug publish to redis (#1008) (Pavel Punsky)
- Cleanup unused include of header files (#1004) (Pavel Punsky)
- Use single SSL_CTX for DTLS support (#996) (Pavel Punsky)
- Malformed response to mobility refresh request (#1006) (Tom Bevan)
- Silence warnings by converting STRCPY to strncpy calls (#995) (Pavel Punsky)
- Build CI with prometheus support (#999) (Pavel Punsky)
- Replace references to non-existent pdf file with links (#1002) (Pavel Punsky)
- Fix TLS1.3 support (Pavel Punsky)
- Use a single SSL context object (#989) (Pavel Punsky)
- Use epoll for promhttp server if supported. (#997) (Joachim Bauch)
- Fix issues reported by cppcheck (#987) (Pavel Punsky)
- Replace bcopy with memcpy (#991) (Pavel Punsky)
- Add CI tests in older ubuntu version (#981) (Gustavo Garcia)
- Replace bzero with memset (#986) (Pavel Punsky)
- Fix a warning (#988) (Pavel Punsky)
- Improve openssl3 and FIPS support (#955) (Pavel Punsky)
- Preserve file timestamps when using install(1) (#983) (Robert Scheck)
- Fix renegotiation flag for older version of openssl (#978) (Pavel Punsky)
03/12/2022 Gustavo Garcia <gustavogb@gmail.com> Paul Kramer <paul.kramer@logmein.com>
Version 4.6.1 'Gorst':
- merge PR #1113 (paulkram)
* fix memory corruption on socket close
13/09/2022 Oleg Moskalenko <mom040267@gmail.com> Mihály Mészáros <misi@majd.eu> Gustavo Garcia <gustavogb@gmail.com> Pavel Punsky <pavel.punsky@epicgames.com>
Version 4.6.0 'Gorst':
- merge PR #967 (eakraly)
* fix small issues reported by cppcheck
- merge PR #974 (eakraly)
* fix long log line printing
- merge PR #973 (eakraly)
* Print turnserver version with --version
- merge PR #972 (eakraly)
* do not write outside of a buffer in admin interface
- merge PR #970 (eakraly)
* fix uclient certificate loading bug
- merge PR #971 (eakraly)
* fix duplicate TCP flag in run_tests.sh script
- merge PR #962 (huhaipeng)
* fix turn session leak
- merge PR #963 (eakraly)
* Document dependency of new-log-timestamp-format on new-log-timestamp
- merge PR #951 (steffen-moser)
* Enable compilation of coturn on Solaris 11.4
- merge PR #949 (eakraly)
* First step to re-enable compilation with OpenSSL 1.0.x
- merge PR #949 (eakraly)
* Fix cmake build on macOS
- merge PR #942 (eakraly)
* Disable SSL renegotiation
- merge PR #792 (yfaker)
* Fix user quota release #786
- merge PR #829 (fancycode)
* add more info to redis allocation status
- merge PR #938 (eakraly)
* update turnserver.conf comment
- merge PR #773 (haseebq)
* fix performance regression
- merge PR #773 (korayvt)
* add syslog facility config
- merge PR #897 (unicode-it)
* add support for dual-stack prom listener
- merge PR #984 (rozhuk-im)
* fix build with libressl 3.4.0+
- merge PR #926 (ggarber)
* add ci tests workflow
- merge PR #934 (neocat)
* show error on invalid config
- merge PR #787 (dsmeytis)
* add new prom allocations metric
- merge PR #869 (micmac1)
* don't link in libintl
- merge PR #895 (alexnedo)
* fix access to freed memory
- merge PR #919 (sysvinit)
* configurable prom username labels
- merge PR #840 (sysvinit)
* configurable prometheus listener port
- merge PR #870 (micmac1)
* fix build mariadb connector
- merge PR #851 (freedomben)
* fix README typo
- merge PR #877 (davel)
* correct doc typo
- merge PR #755(moznuy) and #825(by argggh)
* fix sqlite3_shutdown and sqlite3_config race
- merge PR #826 (by giavac)
* prom server better
- merge PR #684 (by brevilo)
* Define OPENSSL_VERSION_1_1_1 on systems where it doesn't (yet) exist
* Regression in 4.5.2 that cause issues in openssl version < 1.1.1.
- typo fix in prometheus (by fcecagno)
- merge PR #687 (by Wuelber Castillo)
* Add hash algorithm for hmackey value to redis userdb schema docs
- replace keep-address-family with allocation-default-address-family (keep-address-family deprecated and will be removed!!)
- merge PR #703 (by j4zzc4t)
* Restore no_stdout_log behavior
- merge PR #727 (by JoKoT3)
* Support older mysql client version in configure
- merge PR #721 (by KangLin)
* Add to support cmake
- merge PR #717 (by marcoschum)
* Fix typo in turnserver.conf
- merge PR #704 (by hills)
* Packaging scripts can miss out on these errors (exit code)
- merge PR #679 (by rubo77)
* Readme.turnserver: how to run server as a daemon
- merge PR #739 (by hills)
* SSL reload has hidden bugs which cause crashes
- Fix regression in PR #739
- Try to mitigate STUN amplification attatck
* Add new option --no-rfc5780
to force disable RFC8750
* Add new option --no-stun-backward-compatibility
Disable handling old STUN Binding requests and disable
MAPPED-ADDRESS attribute in binding response (use only the
XOR-MAPPED-ADDRESS)
* Add new option --response-origin-only-with-rfc5780
Add RESPONSE_ORIGIN attribute only if rfc5780 is enabled
* Don't send SOFTWARE attribute if --no-software-attribute
set on (BREAKING CHANGE)
- merge PR #767 (by ggalperi)
* fix for log_binding (regression)
10/01/2021 Oleg Moskalenko <mom040267@gmail.com> Mihály Mészáros <misi@majd.eu>
Version 4.5.2 'dan Eider':
- fix null pointer dereference in case of out of memory. (thanks to Thomas Moeller for the report)
- merge PR #517 (by wolmi)
* add prometheus metrics
- merge PR #637 (by David Florness)
* Delete trailing whitespace in example configuration files
- merge PR #631 (by Debabrata Deka)
* Add architecture ppc64le to travis build
- merge PR #627 (by Samuel)
* Fix misleading option in doc (prometheus)
- merge PR #643 (by tupelo-schneck)
* Allow RFC6062 TCP relay data to look like TLS
- merge PR #655 (by plinss)
* Add support for proxy protocol V1
- merge PR #618 (by Paul Wayper)
* Print full date and time in logs
* Add new options: "new-log-timestamp" and "new-log-timestamp-format"
- merge PR #599 (by Cédric Krier)
* Do not use FIPS and remove hardcode OPENSSL_VERSION_NUMBER with LibreSSL
- update Docker mongoDB and fix with workaround the missing systemctl
- merge PR #660 (by Camden Narzt)
* fix compilation on macOS Big Sur
- merge PR #546 (by jelmd)
* Add ACME redirect url
- merge PR #551 (by jelmd)
* support of --acme-redirect <URL>
- merge PR #672 further acme fixes (by jemld)
* fix acme security, redundancy, consistency
- Disable binding request logging to avoid DoS attacks. (Breaking change!)
* Add new --log-binding option to enable binding request logging
- Fix stale-nonce documentation. Resolves #604
- Version number is changed to semver 2.0
- Merge PR #288 (by Hristo Venev)
* pkg-config, and various cleanups in configure file
- Add systemd notification for better systemd integration
- Fix Issue #621 (by ycaibb)
* Fix: Null pointer dereference on tcp_client_input_handler_rfc6062data function
- Fix Issue #600 (by ycaibb)
* Fix: use-after-free vulnerability on write_to_peerchannel function
- Fix Issue #601 (by ycaibb)
* Fix: use-after-free vulnerability on write_client_connection function
- Little refactoring prometheus
* Fix c++ support
* Simplify (as agreed in Issue #666)
* Remove session id/allocation labels
* Remove per session metrics. We should later add more counters.
- Fix CVE-2020-26262 (credits: Enable-Security)
* Fix ipv6 ::1 loopback check
* Not allow allocate peer address 0.0.0.0/8 and ::/128
* For more details see the github security advisory:
https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p
24/06/2020 Oleg Moskalenko <mom040267@gmail.com> Mihály Mészáros <misi@majd.eu>
Version 4.5.1.3 'dan Eider':
- merge PR #575: (by osterik)
* fix rpm packaging
- merge PR #576: (by osterik)
* tell tar to not include the metadata into release
- merge PR #574: (by DevRockstarZ)
* change Docker turnserver.conf to latest turnserver.conf
- merge PR #566: (by bpcurse)
* Remove reference to SSLv3
- merge PR #579: (by islamoglus)
*Ignore MD5 for BoringSSL
- merge PR #577: (by osterik)
*build RPM from local folder instead of git repo
- Fix for CVE-2020-4067
* STUN response buffer not initialized properly
* The issue found and reported #583 by Felix Dörre all credits belongs to him.
30/04/2020 Oleg Moskalenko <mom040267@gmail.com> Mihály Mészáros <misi@majd.eu>
Version 4.5.1.2 'dan Eider':
- merge regression fix: (by Mathieu Brunot)
* Do not display empty CLI passwd alert if CLI is not enabled
- merge PR #359: (by bradleythughes)
* Remove turn_free_simple
* Remove turn_malloc()
* Remote turn_realloc()
* Remote turn_free()
* Remove turn_calloc()
* Remove turn_strdup()
* Remove SSL_NEW() and SSL_FREE()
* Remove pointer debugging machinery
* Remove ns_bzero(), ns_bcopy(), and ns_bcmp()
* Remove [su]{08,16,32,64}bits type defines
- merge PR #327 (by Alexander Terczka)
* Strip white-spaces from config file lines end
- merge PR #386 (by Thibaut ACKERMANN)
* fix the webadmin ip permission add/delete sql injection
- merge PR #390 (by Thibaut ACKERMANN)
* fix mongo driver crash when invalid connection string is used
- merge PR #392 enhanced fread return length check (by islamoglus)
- merge PR #367 disconnect database gracefully (by Shu Muto)
- merge PR #382 (by islamoglus)
* Using SSL_get_version method for BoringSSL compatibility
* Now we put in turn_session_info->tls_method the real TLS version.
Earlier we put UNKNOWN in this field if it was a TLS protocol
that was not defined supportel TLS protocol during compile time.
- merge PR #276 Add systemd service example (by Liberasys)
- merge PR #284 Add bandwidth usage reporting packet/bandwidth usage by peers
- merge PR #381 Modifying configure to enable compile with private libraries
- merge PR #455 Typo corrected (by chanduthedev)
- merge PR #417 Append only to log files rather to override them (by robert-scheck)
- merge PR #442 Updated incorrect string length check for 'ssh' (by chanduthedev)
- merge PR #449 Fix Dockerfile for latest Debian (by rao-donut)
- http server NULL dereference
* Reported (by quarkslab.com, cisco/talos)
* CVE-2020-6061 / TALOS-2020-0984
- http server out of bound read
* Reported (by quarkslab.com, cisco/talos)
* CVE-2020-6061 / TALOS-2020-0984
- merge PR #472 STUN input validation (by bobsayshilol)
- merge PR #398 FIPS (by byronclark)
- merge PR #478 prod (by alepolidori)
- merge PR #463 fix typos and grammar (by xthursdayx)
- update travis config ubuntu/mac images
- merge PR #466 added null check for second char (by chanduthedev)
- merge PR #470 compiler warning fixes (by bobsayshilol)
- merge PR #475 Update README.docker (by raksonibs)
- merge PR #471 Fix a memory leak when an SHATYPE isn't supported (by bobsayshilol)
- merge PR #488 Fix typos about INSTALL filenames (by raccoonback)
- fix compiler warning comparison between signed and unsigned integer expressions
- fix compiler warning string truncation
- change Diffie Hellman default key length from 1066 to 2066
- merge PR #522 drop of supplementary group IDs (by weberhofer)
- merge PR #514 Unify spelling of Coturn (by paulmenzel)
- merge PR#506 Rename "prod" config option to "no-software-attribute" (by dbrgn)
- merge PR #519 fix config extension in README.docker (by ooookai)
- merge PR #516 change sql data dir in docker-compose-all.yml (by raghumuppa)
- merge PR #513 remove trailing spaces from READMEs (by paulmenzel)
- merge PR #525 add flags to disable periodic use of dynamic tables (by gfodor)
02/03/2019 Oleg Moskalenko <mom040267@gmail.com> Mihály Mészáros <misi@majd.eu>
Version 4.5.1.1 'dan Eider':
- merge PR #330 missing \r\n after http Connection:close (by gribunin)
- merge PR #303 fix typo enpoint (by Majid Motallebikashani)
- merge PR #129 seperate http web-admin listener (by Thibaut ACKERMANN)
- regression from 4.5.1.0
* readd pwd check
* add to config missing web-admin-listen-on-workers option
- merge docker branch
* Add Docker file for all database backend.
- merge sparc64 branch
* Fix mem alingment issue on 64 bit architecture
That issue caused earlier "bus error" on sparc64 and armhf
- merge PR #336 Clarify Debian install (by David-dp-)
- merge PR #339 RPM build fix (by Peter Hudec )
24/11/2018 Oleg Moskalenko <mom040267@gmail.com> Mihály Mészáros <misi@majd.eu>
Version 4.5.1.0 'dan Eider':
Consider to change config file after upgrade, because it contains some
not backward compatible breaking changes !!
- Security fixes
Many thanks to Nicolas Edet (Cisco) !!
who reported all of the following issues:
* DB/SQL injection in stun realm. Fix: add extra string validation.
* DB/SQL injection in web-admin interface lack of admin user validation.
Fix: add extra string validation.
* Fix for earlier unsafe default settings:
o HTTPS administrator interface should be disabled by default
It could be enbled with "web-admin" option.
o Default configuration allowed earlier forwarding traffic
from an external interface to loopback interface. Now it
has been changed and option name is also changed!
!!BREAKING change!! Don't forget to change config!!
"no-loopback-peers" replaced by "allow-loopback-peers"
o Unauthenticated telnet admin interface runs on the
loopback interface, which can be accessed by exploiting the
loopback relay that was enabled by default.
* Add username string sanity check on web admin interface to
avoid any sql-injection attacks.
- Admin portal does not list TCP session ( reported and fixed by Nicolas Edet )
- Fix memory leak in read_config_file (by Thibaut Ackermann)
- Add a release helper script.
- Web Admin interface use own listener (it is disableb by default) (by Thibaut ACKERMANN)
!!BREAKING change!! Don't forget to change/review config!!
* Add new option "web-admin-ip" to set listener ip. By default (127.0.0.1)
* Add new option "web-admin-port" to set webadmin listen port
* Add new option "web-admin-listen-on-workers" to change back to earlier
behaviour and listen web admin on all worker processes and ports.
- Not allow to start server if "allow-loopback-peers" set without "cli-password"
!!BREAKING change!! Don't forget to change config!!
Added a warning if cli-password is empty or missing, but allow-loopback-peers
set, and so loopback allocation is enalbed.
27/09/2018 Oleg Moskalenko <mom040267@gmail.com> Mihály Mészáros <misi@majd.eu>
Version 4.5.0.8 'dan Eider':
- Travis CI integration
- to avoid warnings add compiler comment hint to fallthrough
- reload-tls-certs PR#236 (by Arne Georg Gisnås Gleditsch)
- minor fixes PR#223 (by Pavel Kretov)
move rm Makefile to distclean
list all phony targets
- Fix typo PR#253 (by Orsiris de Jong)
- Fix stuck IPv6 connections. (issue #217)
THX to damencho, vol4iniche
- Spelling fixes.
- Add a warning if --lt-cred-mech and --use-auth-secret both presents.
- Revert "Add the realm parameter in the example config file (by Domenico)"
- Fix for Verbose config file option -v cli option override
- Add a Notice to config about realm default value is the domain name.
- Update total allocation usage on client shutdown
- Fix total and user quota mix-up
- Fixed typos in postinstall.txt (by Prashanth Rajaram)
- MySQL password encryption (by Mustafa Bingül & Erdem Duman)
- Do not write to log before logging configuration is read from a config file (by eiver)
- Add more explanation on use-auth-secret / REST in example config (by Krithin Sitaram)
- Add a Warning if lines in config file ends with semicolon (by heyheyjc)
- Fix --prod pointer bug
- Fix auth server thread detach race (by weishuyin)
- New Feature: Add -K --keep-address-family
Be aware if you enable it, then it breaks rfc6156 section 4.2 (default IPv4 family fallback)
- Fix dtls double free crash
- Fix compilation errors and warnings (by Oleg)
12/10/2017 Oleg Moskalenko <mom040267@gmail.com>
Version 4.5.0.7 'dan Eider':
- Misc security improvements.
10/17/2016 Oleg Moskalenko <mom040267@gmail.com>
Version 4.5.0.6 'dan Eider':
- Typos in the text fixed.
- TLS1.2 support fixed.
- uclient minor performance tweak.
- Issue #113 fixed (by David Benjamin)
- Report total traffic used per allocation via Redis (by Bradley T. Hughes)
- Add the realm parameter in the example config file (by Domenico)
08/27/2016 Oleg Moskalenko <mom040267@gmail.com>
Version 4.5.0.5 'dan Eider':
- Typos in the text fixed.
- LibreSSL compatibility fixed.
- "read_timeout" option support for MySQL.
- new NAT behavior discovery utilty.
- new OAuth access_token encrypt/decrypt utilty.
- improved configurability: added parameters for
allocate, channel and permission lifetimes (by Richard Garnier).
08/20/2016 Oleg Moskalenko <mom040267@gmail.com>
Version 4.5.0.4 'dan Eider':
- OpenSSL 1.1.0 support added.
- CentOS 7 installation updated.
- hiredis and mongo compilation configuration fixed
(fix provided by Harsha Bellur).
- RPM: Systemd optimization.
- REST API option fixed.
- Thread creation error handling fixed.
- Issue #36 fixed.
11/15/2015 Oleg Moskalenko <mom040267@gmail.com>
Version 4.5.0.3 'dan Eider':
- SSLv3 support removed. That provides extra security and
compatibility with OpenSSL distributions or clones
that do not support SSLv3 (like LibreSSL 2.3.0).
This fix is required for fresh FreeBSD and for Debian unstable.
- Compilation and configuration cleaning.
- Fix for non-interactive shells.
- RPM: Fixed mongo-c-driver include path (by Sergey Safarov).
- RPM: Fixed startup daemon as non root user (by Sergey Safarov).
- RPM: Systemd optimized for high-volume network traffic (by Sergey Safarov).
9/29/2015 Oleg Moskalenko <mom040267@gmail.com>
Version 4.5.0.2 'dan Eider':
- DTLS segmentation fault fixed;
9/13/2015 Oleg Moskalenko <mom040267@gmail.com>
Version 4.5.0.1 'dan Eider':
- multiple realms based on oAuth (third-party authorization);
- STUN attributes conflict resolution;
- SIGHUP handler fixed;
- error message logging improved;
- mongo test db files fixed.
7/18/2015 Oleg Moskalenko <mom040267@gmail.com>
Version 4.4.5.4 'Ardee West':
- moved to github.
6/20/2015 Oleg Moskalenko <mom040267@gmail.com>
Version 4.4.5.3 'Ardee West':
- third-party authorization STUN attributes adjusted according
to the values assigned by IANA.
- SQL injection security hole fixed.
5/29/2015 Oleg Moskalenko <mom040267@gmail.com>
Version 4.4.5.2 'Ardee West':
- dual allocation adjusted according to the new TURN-bis draft;
- options sha256, sha384, sha512 retired as non-standard;
- third-party authorization (oAuth) updated according to the
version 16 of the draft;
- C++ compilation fixes;
- cosmetic fixes;
- fixed binary package for CentOS 7.1;
- support for older SQLite versions added;
- compilation support for older CentOS release 5.x added;
- Issue 11 fixed;
- Issue 12 fixed.
3/31/2015 Oleg Moskalenko <mom040267@gmail.com>
Version 4.4.4.2 'Ardee West':
- SCTP fixes;
3/15/2015 Oleg Moskalenko <mom040267@gmail.com>
Version 4.4.4.1 'Ardee West':
- 'native' SCTP support (experimental);
- option of encrypted stored passwords for web admin users;
- option of encrypted stored password for CLI user;
2/28/2015 Oleg Moskalenko <mom040267@gmail.com>
Version 4.4.2.3 'Ardee West':
- bandwidth control fixed;
- STUN/TURN control traffic counted separately from data traffic,
for the sake of the bandwidth control;
- higher bandwidth limit capacity on 64 bits systems;
- redis operations with the realm options fixed;
2/18/2015 Oleg Moskalenko <mom040267@gmail.com>
Version 4.4.2.2 'Ardee West':
- admin_user table schema fixed;
- REST API docs fixed;
- Amazon AWS uses syslog;
2/3/2015 Oleg Moskalenko <mom040267@gmail.com>
Version 4.4.2.1 'Ardee West':
- (HMAC-)SHA-512 and -384 algorithms added;
- TOS (DiffServer) and TTL IP header field handling fixed;
- updates according to the new third-party-auth draft (oauth);
- peer logging added;
2/1/2015 Oleg Moskalenko <mom040267@gmail.com>
Version 4.4.1.2 'Ardee West':
- SSODA updates according to turnbis specs;
- TRANSPORT attribute handling fixed;
- hostname-to-IP-address resolution fix;
- updates for Solaris (name resolution libraries);
1/24/2015 Oleg Moskalenko <mom040267@gmail.com>
Version 4.4.1.1 'Ardee West':
- https admin server;
- SSLv2 support cancelled (security concern fixed);
- The server-side short-term credentials mechanism support cancelled;
- OpenSSL 1.1.0 supported;
- shared secrets fixed in MongoDB: multiple secrets per realm allowed;
- shared secrets admin fixed in Redis;
12/24/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 4.3.3.1 'Tolomei':
- multiple authentication threads;
- database code cleaned;
12/14/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 4.3.2.2 'Tolomei':
- Redis read message queue bug fixed;
- STUN/TURN ALPN supported (when compiled with OpenSSL 1.0.2+ );
- DTLS v1.2 supported (when compiled with OpenSSL 1.0.2+ );
- Auto optimal ECDH parameters (when compiled with OpenSSL 1.0.2+ );
- TLS/DTLS code cleaning.
11/29/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 4.3.1.3 'Tolomei':
- Reliability fixes (Issue 141 from rfc5766-turn-server).
- HTTP/HTTPS echo fixed.
- External address mapping fixes for Amazon EC2.
- Minor docs improvements.
11/23/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 4.3.1.2 'Tolomei':
- Debian package fixes.
11/22/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 4.3.1.1 'Tolomei':
- SQLite supported as the default user database.
- Support of the flat-file user database removed.
- TLS connection procedure improved in uclient test program.
11/07/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 4.2.3.1 'Monza':
- Request re-transmission implemented in uclient test program.
- TLS connection procedure improved in uclient test program.
10/26/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 4.2.2.2 'Monza':
- Black- and white- IP lists are divided per realm
(the DB schema for those two tables changed);
- Updated Redis database schema.
- Debian UFW file added (Issue 1 fixed).
- TCP/TLS tests extended.
- Relay RTCP sockets ports allocation fixed.
- List of libraries cleaned.
- SSL renegotiation callback fixed.
10/05/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 4.2.1.2 'Monza':
- oAuth security experimental implementation;
- The "TLS renegotiation" DoS attack prevention implemented;
- FQDN as relay-ip and listener-ip parameters (issue 6)
(patch provided by Iñaki Baz Castillo);
- redis user key operation fixed.
- redis, mysql and psql db operations fixed.
- SHA-256 memory leak fixed.
- Mobility ticket retransmission fixed.
- Move debian package from SVN to GIT.
- Move secondary download area to coturn.net.
- Quota allocation fixed.
- Core dump fixed.
- Bandwidth allocation fixed.
- Memory code cleaning.
- Logging fixed.
08/14/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 4.1.2.1 'Vitari':
- The origin attribute is verified in the subsequent
session messages (server flag --check-origin-consistency).
- MySQL SSL connection support.
- Crash fixed when the DB connection string is incorrect.
- Minor docs fixes.
07/29/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 4.1.1.1 'Vitari':
- Forceful server-side session cancellation implemented
(in telnet console).
07/22/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 4.1.0.2 'Vitari':
- SSODA (double allocation) draft support added.
- DB "driver" abstraction and MongoDB support (by Federico Pinna).
- multiple origins supported per request.
- "allocation mismatch" condition fixed (merged from rfc5766-turn-server).
- STUN BINDING response fixed in the case of -X (external address) option.
- "pu" CLI command fixed.
- session cleaning fixed in TCP relay functionality (RFC 6062).
- some crash conditions fixed.
- working on compilation warnings.
06/21/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 4.0.1.3 'Severard':
- Redis DB connection status fixed (Issue 129).
- Logfile reset on SIGHUP
(Gustavo Garcia suggestion).
- Log reset CLI command.
- Some error code corrections:
* "Mobility forbidden" error changed, to value 405.
* "Wrong credentials" situation is now treated as error 441.
06/06/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 4.0.1.2 'Severard':
- Bandwidth draft implemented.
- Issues 126, 127 and 128 fixes merged from rfc5766-turn-server.
05/18/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 4.0.0.2 'Threetrees':
- Code cleaning.
05/07/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 4.0.0.1 'Threetrees':
- Kernel channel placeholder definitions.
05/02/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 4.0.0.0 'Threetrees':
- Multi-tenant server.
04/13/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 3.2.3.6 'Marshal West':
- Addresses logging fixed.
- Redis admin options fixed.
- Redis compilation cleaned.
04/07/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 3.2.3.5 'Marshal West':
- Mobile allocation quota fixed (issue 121);
- --simple-log option added (Issue 122);
- documentation fixes (REST API, Redis).
04/06/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 3.2.3.4 'Marshal West':
- Mobile TCP sessions fixed (issue 120);
- log information improvements.
04/04/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 3.2.3.3 'Marshal West':
- Pkey and cert file descriptors to be closed
on initialization (issue 118);
- Address bind indefinite cycle on start-up fixed
(Issue 119);
- Allocation counters time lag improved.
03/30/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 3.2.3.2 'Marshal West':
- Allocation counters fixed (issue 117);
- a possible core dump in the server code fixed;
- a possible memory leak in server fixed.
03/29/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 3.2.3.1 'Marshal West':
- TCP congestion avoidance completed.
- Read and write streams are treated separately in
bandwidth control.
- Test client fixed.
- Experimental SHA256 key storage supported.
03/17/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 3.2.2.912 'Marshal West':
- TCP-in-TCP congestion avoidance implemented.
- UDP-in-TCP congestion avoidance improved.
- Alternate-server code cleaned.
03/10/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 3.2.2.911 'Marshal West':
- "Congestion control" for UDP-inside-TCP tunneling;
- memory management improvements;
- socket logging improvements;
- debug info added to CentOS and Fedora RPMs;
- TCP traffic buffering improved;
- Thread barriers cleaned;
- TCP memory leak fixed;
- minor TCP test client improvement.
03/09/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 3.2.2.910 'Marshal West':
- Log messages extended and cleaned.
- Some memory cleaning.
03/02/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 3.2.2.9 'Marshal West':
- Issue 113 fixed (TCP rate limit fixed);
- Issue 114 fixed (TCP stability).
02/18/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 3.2.2.8 'Marshal West':
- Issue 102: SO_BSDCOMPAT socket option removed;
- Issue 104: check for the REALM attribute value;
- Issue 105: no-cli segfault fixed;
- Issue 106: MESSAGE-INTEGRITY removed from DATA indication;
- Issue 108: Server should return 438 on unknown nonce;
- Issue 109: make the random functions stronger (mostly for
transaction ID and for nonce);
- Issue 111: fix valgrind warning on memory initialization.
- Issue 112: RTCP sockets logging.
02/12/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 3.2.2.7 'Marshal West':
- Possible indefinite cycle fixed in TCP/TCP routing (Issue 99);
- Address 0.0.0.0 can be used as a listener address (Issue 100);
- DHCP-configured servers supported (Issue 101);
02/04/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 3.2.2.6 'Marshal West':
- Channel traffic memory copy elimination.
- Send indication memory copy elimination.
- DTLS traffic processing memory copy eliminated.
- Mobility forbidden error code number fixed - according to the new draft document.
- getsockname() usage minimized.
- port allocation improved.
- default relay behavior fixed (when no relay addresses defined).
- atomic create permission request handling (Issue 97).
01/25/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 3.2.2.5 'Marshal West':
- code optimization.
01/24/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 3.2.2.4 'Marshal West':
- HMAC key handling fixed (Issue 96).
01/23/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 3.2.2.3 'Marshal West':
- Security fix (issue 95).
- Default "implicit" relay IP allocation policy is more usable
(issue 94 fixed).
- SSLv2 fixed (for those who are still using it)
(issue 93 fixed).
- Cosmetic changes.
01/19/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 3.2.2.1 'Marshal West':
- CPU/memory cache optimization (memory locality).
- torture tests enhanced.
- stability fixes.
- minor possible memory leak fix.
- new TLS options: --no-sslv2, --no-sslv3, --no-tlsv1,
--no-tlsv1_1, --no-tlsv1_2
01/06/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 3.2.1.4 'Marshal West':
- Linux epoll performance improvements.
- DTLS minor fix.
01/06/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 3.2.1.3 'Marshal West':
- Telnet client added to installation when necessary.
01/05/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 3.2.1.2 'Marshal West':
- Config file adjusted for DragonFly.
01/03/2014 Oleg Moskalenko <mom040267@gmail.com>
Version 3.2.1.1 'Marshal West':
- Minor TLS fix.
- Default cipher list is DEFAULT now.
12/26/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 3.2.1.0 'Marshal West':
- Optimized TCP network engine for Linux 3.9+.
- Security fix: DH and ECDH temporary keys are now
regenerated for each TLS or DTLS session.
- Fix for systems with multiple CPU cores (more than 128).
- DH TLS key now can be configured as 566, 1066 (default) or 2066 bits.
- DH TLS key can be taken from a PEM file.
- Issue 91 (test client crash) fixed.
- Configurable net engine type.
12/25/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 3.1.6.0 'Arch Lector':
- Timers optimization: linked list timers structure
for often-used intervals.
12/23/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 3.1.5.3 'Arch Lector':
- HTTP "keep-alive" support improved.
- TCP channel "fortification".
12/19/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 3.1.5.1 'Arch Lector':
- Private key password allowed for encrypted keys.
- HTTP "keep-alive" supported.
- "psd" CLI command added (ps dump to file).
12/18/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 3.1.4.2 'Arch Lector':
- Time functions optimization.
- Online changes to the alternate servers list thru telnet CLI.
- Certificate chain files allowed.
12/13/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 3.1.3.1 'Arch Lector':
- "Start time" ps command info added.
- Protocol option added to "pu" command.
- "Delete allocation" debug message fixed.
- "Allocation id" debug info message fixed.
- RFC6062 usage statistics fixed.
- Info/Debug messages cleaned.
12/11/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 3.1.2.3 'Arch Lector':
- CentOS 6 package fixed.
12/10/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 3.1.2.2 'Arch Lector':
- ps output typo fixed (TLS params).
- configurable EC curve name.
- CLI TLS-related information extended.
- "print users" (pu) CLI command added.
12/09/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 3.1.2.1 'Arch Lector':
- DH cipher suites basic implementation.
- Elliptic Curve cipher suites basic implementation.
- RFC 6062 crash fixed.
- More CLI parameters added.
- Redis allocation statistics fixed.
- Number of cli max session lines configurable.
- uclient cipher suite configurable.
12/08/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 3.1.1.0 'Arch Lector':
- Telnet CLI.
- RFC 6062 internal messaging fixed.
- Server relay endpoints (a non-standard feature).
- "atomic line" stdout log print.
- printed help minor fix.
- client program does not necessary
require certificate for TLS.
- docs fixes.
- allocation quota bug fixed.
11/29/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 3.0.2.1 'Practical Frost':
- TCP stability fixes.
- RFC 6062 "first packet(s)" bug fixed.
- RFC 6062 stability fixes.
- Multithreaded Mobile ICE.
11/28/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 3.0.1.4 'Practical Frost':
- CentOS/Fedora packaging fixed.
- PID file fixed.
11/26/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 3.0.1.3 'Practical Frost':
- Misc cosmetic changes.
- CentOS/Fedora packaging fixed.
11/25/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 3.0.1.2 'Practical Frost':
- Mobility draft implemented.
- DTLS communications fixes.
- UDP Linux optimization.
- Log output time starts with 0.
- A new "drop root privileges" options:
--proc-user and --proc-group added.
- SHA256 agility updated: 426 error code on too weak SHA function.
- "-m 0" and "-m 1" options improved.
- non-threading environment support dropped.
- stability fixes.
- OpenSUSE support added.
11/10/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 3.0.0.0 'Practical Frost':
- New network engine for Linux kernel 3.9+.
11/08/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 2.6.7.2 'Harding Grim':
- SHA256 agility updated: 441 error code on too weak SHA function.
11/07/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 2.6.7.1 'Harding Grim':
- CentOS / Fedora uninstall script.
- Debian compilation error fixed.
- OpenSSL 0.9.7 and earlier build fixed.
- NetBSD build fixed.
11/03/2013 Oleg Moskalenko <mom040267@gmail.com>,
Peter Dunkley <peter.dunkley@crocodilertc.net>
Version 2.6.7.0 'Harding Grim':
- CentOS 6 pre-compiled distribution.
- Fedora pre-compiled distribution.
- TURN_NO_TLS case compilation cleaning.
- Text files cleaning.
- Issue 68 fixed (no-stun option added).
10/27/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 2.6.6.1 'Harding Grim':
- SHA256 added as a non-standard message integrity option.
- CentOS rpm specs added.
- Peter Dunkley added to the authors list.
10/20/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 2.6.6.0 'Harding Grim':
- Cygwin loopback relay interfaces fixed (Issue 62).
- rpath added to the Makefile (Issue 63).
- CONFLICTS added to FreeBSD port Makefile (Issue 64).
- Certificate check options, for server and for the test client (Issue 65).
- Some compilation cleaning.
10/09/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 2.6.5.2 'Harding Grim':
- Documentation changes.
- Redis-related memory leak fixed (Issue 61).
09/25/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 2.6.4.1 'Harding Grim':
- Crash on uninitialized redis db name is fixed (Issue 59).
- Optional authentication of STUN Binding request is implemented (Issue 60).
09/16/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 2.6.3.1 'Harding Grim':
- Issue 58: support changing white/black IP lists while server is running.
database tables (keys for redis) added for that new functionality.
09/03/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 2.6.2.2 'Harding Grim':
- Issue 52: RFC 6062 relay endpoints connection process
fixed for Linux pre-3.9 kernel.
09/03/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 2.6.2.1 'Harding Grim':
- UDP performance improvements.
- Issue 56: DTLS scaleability improvements.
- Issue 55: DTLS support in Cygwin.
- Issue 57: --pidfile option
- Issue 52: RFC 6062 relay endpoints connection process fixed.
- Issue 53: Fingerprints added to the indications.
- Issue 54: Long-term credentials mechanism integrity and software attributes
added to the indications.
08/11/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 2.6.1.4 'Harding Grim':
- UDP memory leak fixed.
08/11/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 2.6.1.3 'Harding Grim':
- DTLS crash fix.
08/10/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 2.6.1.2 'Harding Grim':
- TLS buffer decreased to avoid memory problems.
- TLS BIO object fix.
- UDP socket open/reopen process fixed.
08/08/2013 Oleg Moskalenko <mom040267@gmail.com>
Version 2.6.1.1 'Harding Grim':
- Network optimization:
* "pure" UDP setup optimized (when no DTLS configured);
* Auxiliary listening endpoints (configured by
--aux-server=<ip:port>).
* --udp-self-balance option to balance the UDP traffic
among the aux endpoints (for clients supporting
300 ALTERNATE-SERVER response).
- Security improvements:
* no authentication required on the load balancer server (Issue 50).
* REST API improvement:
= --secret-ts-exp-time option deprecated;
= In REST API timestamp, we are now using
the expiration time (Issue 31).
* Configurable cipher suite in the TURN server.
* SSLv3 support.
* TLS 1.1 and 1.2 support.
* SSLv2 "encapsulation" mode support.
* NULL OpenSSL cipher is allowed to be negotiated between