Improper Initialization in coturn

@@ -1,3 +1,83 @@
+24/06/2020 Oleg Moskalenko <mom040267@gmail.com> Mihály Mészáros <misi@majd.eu>
+Version 4.5.1.3 'dan Eider':
+	- merge PR #575: (by osterik)
+		* fix rpm packaging
+	- merge PR #576: (by osterik)
+		* tell tar to not include the metadata into release
+	- merge PR #574: (by DevRockstarZ)
+		* change Docker turnserver.conf to latest turnserver.conf
+	- merge PR #566: (by bpcurse)
+		* Remove reference to SSLv3
+	- merge PR #579: (by islamoglus)
+		*Ignore MD5 for BoringSSL
+	- merge PR #577: (by osterik)
+		*build RPM from local folder instead of git repo
+	- Fix for CVE-2020-4067
+		* STUN response buffer not initialized properly
+		* The issue found and reported #583 by Felix Dörre all credits belongs to him.
+
+30/04/2020 Oleg Moskalenko <mom040267@gmail.com> Mihály Mészáros <misi@majd.eu>
+Version 4.5.1.2 'dan Eider':
+	- merge regression fix: (by Mathieu Brunot)
+		* Do not display empty CLI passwd alert if CLI is not enabled
+	- merge PR #359: (by bradleythughes)
+		* Remove turn_free_simple
+		* Remove turn_malloc()
+		* Remote turn_realloc()
+		* Remote turn_free()
+		* Remove turn_calloc()
+		* Remove turn_strdup()
+		* Remove SSL_NEW() and SSL_FREE()
+		* Remove pointer debugging machinery
+		* Remove ns_bzero(), ns_bcopy(), and ns_bcmp()
+		* Remove [su]{08,16,32,64}bits type defines
+	- merge PR #327 (by Alexander Terczka)
+		* Strip white-spaces from config file lines end
+	- merge PR #386 (by Thibaut ACKERMANN)
+		* fix the webadmin ip permission add/delete sql injection
+	- merge PR #390 (by Thibaut ACKERMANN)
+		* fix mongo driver crash when invalid connection string is used
+	- merge PR #392 enhanced fread return length check (by islamoglus)
+	- merge PR #367 disconnect database gracefully (by Shu Muto)
+	- merge PR #382 (by islamoglus)
+		* Using SSL_get_version method for BoringSSL compatibility
+		* Now we put in turn_session_info->tls_method the real TLS version.
+		  Earlier we put UNKNOWN in this field if it was a TLS protocol
+		  that was not defined supportel TLS protocol during compile time.
+	- merge PR #276 Add systemd service example (by Liberasys)
+	- merge PR #284 Add bandwidth usage reporting packet/bandwidth usage by peers
+	- merge PR #381 Modifying configure to enable compile with private libraries
+	- merge PR #455 Typo corrected (by chanduthedev)
+	- merge PR #417 Append only to log files rather to override them (by robert-scheck)
+	- merge PR #442 Updated incorrect string length check for 'ssh' (by chanduthedev)
+	- merge PR #449 Fix Dockerfile for latest Debian (by rao-donut)
+	- http server NULL dereference
+		* Reported (by quarkslab.com, cisco/talos)
+		* CVE-2020-6061 / TALOS-2020-0984
+	- http server out of bound read
+		* Reported (by quarkslab.com, cisco/talos)
+		* CVE-2020-6061 / TALOS-2020-0984
+	- merge PR #472 STUN input validation (by bobsayshilol)
+	- merge PR #398 FIPS (by  byronclark)
+	- merge PR #478 prod (by alepolidori)
+	- merge PR #463 fix typos and grammar (by xthursdayx)
+	- update travis config ubuntu/mac images
+	- merge PR #466 added null check for second char (by chanduthedev)
+	- merge PR #470 compiler warning fixes (by bobsayshilol)
+	- merge PR #475 Update README.docker (by raksonibs)
+	- merge PR #471 Fix a memory leak when an SHATYPE isn't supported (by bobsayshilol)
+	- merge PR #488 Fix typos about INSTALL filenames (by raccoonback)
+	- fix compiler warning comparison between signed and unsigned integer expressions
+	- fix compiler warning string truncation
+	- change Diffie Hellman default key length from 1066 to 2066
+	- merge PR #522 drop of supplementary group IDs (by weberhofer)
+	- merge PR #514 Unify spelling of Coturn (by paulmenzel)
+	- merge PR#506 Rename "prod" config option to "no-software-attribute" (by dbrgn)
+	- merge PR #519 fix config extension in README.docker (by ooookai)
+	- merge PR #516 change sql data dir in docker-compose-all.yml (by raghumuppa)
+	- merge PR #513 remove trailing spaces from READMEs (by paulmenzel)
+	- merge PR #525 add flags to disable periodic use of dynamic tables (by gfodor)
+
 02/03/2019 Oleg Moskalenko <mom040267@gmail.com> Mihály Mészáros <misi@majd.eu>
 Version 4.5.1.1 'dan Eider':
 	- merge PR #330 missing \r\n after http Connection:close (by gribunin)

@@ -63,14 +63,16 @@ testlibevent2_comp() {
 }
 
 testhiredis() {
-    for inc in ${INCLUDEDIR}/hiredis /usr/local/include/hiredis /usr/hiredis /usr/include/hiredis
-    do
-        if [ -d ${inc} ] ; then
-            HIREDISCFLAGS="${HIREDISCFLAGS} -I${inc}"
-        fi
-    done
-    HIREDISLIBS=-lhiredis
-    ${CC} ${HR_TMPCPROGC} -o ${HR_TMPCPROGB} ${OSCFLAGS} ${DBLIBS} ${HIREDISCFLAGS} ${HIREDISLIBS} ${OSLIBS} 2>>/dev/null
+    if [ -z "${HIREDIS_CFLAGS}" ] || [ -z "${HIREDIS_LIBS}" ]; then
+        for inc in ${INCLUDEDIR}/hiredis /usr/local/include/hiredis /usr/hiredis /usr/include/hiredis
+        do
+            if [ -d ${inc} ] ; then
+                HIREDIS_CFLAGS="${HIREDIS_CFLAGS} -I${inc}"
+            fi
+        done
+        HIREDIS_LIBS=-lhiredis
+    fi
+    ${CC} ${HR_TMPCPROGC} -o ${HR_TMPCPROGB} ${OSCFLAGS} ${DBLIBS} ${HIREDIS_CFLAGS} ${HIREDIS_LIBS} ${OSLIBS} 2>>/dev/null
     ER=$?
     if ! [ ${ER} -eq 0 ] ; then
 		${ECHO_CMD}
@@ -80,27 +82,29 @@ testhiredis() {
 		${ECHO_CMD}
 		return 0
     else
-		DBCFLAGS="${DBCFLAGS} ${HIREDISCFLAGS}"
-		DBLIBS="${DBLIBS} ${HIREDISLIBS}"
+		DBCFLAGS="${DBCFLAGS} ${HIREDIS_CFLAGS}"
+		DBLIBS="${DBLIBS} ${HIREDIS_LIBS}"
 		return 1
     fi
 }
 
 testlibpq() {
-    POSTCFLAGS="-I${PREFIX}/pgsql/include -I${PREFIX}/include/pgsql/ -I${PREFIX}/include/postgres/ -I${PREFIX}/postgres/include/ -I${PREFIX}/include/postgresql/ -I${PREFIX}/postgresql/include/"
-    POSTCFLAGS="${POSTCFLAGS} -I/usr/local/pgsql/include -I/usr/local/include/pgsql/ -I/usr/local/include/postgres/ -I/usr/local/postgres/include/ -I/usr/local/include/postgresql/ -I/usr/local/postgresql/include/"
-    POSTCFLAGS="${POSTCFLAGS} -I/usr/pgsql/include -I/usr/include/pgsql/ -I/usr/include/postgres/ -I/usr/postgres/include/ -I/usr/include/postgresql/ -I/usr/postgresql/include/"
-    for ilib in ${PREFIX}/pgsql/lib ${PREFIX}/lib/pgsql ${PREFIX}/lib64/pgsql /usr/local/pgsql/lib /usr/local/lib/pgsql /usr/local/lib64/pgsql /usr/pgsql/lib /usr/lib/pgsql /usr/lib64/pgsql ${PREFIX}/postgres/lib ${PREFIX}/lib/postgres ${PREFIX}/lib64/postgres /usr/local/postgres/lib /usr/local/lib/postgres /usr/local/lib64/postgres /usr/postgres/lib /usr/lib/postgres /usr/lib64/postgres ${PREFIX}/postgresql/lib ${PREFIX}/lib/postgresql ${PREFIX}/lib64/postgresql /usr/local/postgresql/lib /usr/local/lib/postgresql /usr/local/lib64/postgresql /usr/postgresql/lib /usr/lib/postgresql /usr/lib64/postgresql
-    do
-	if [ -d ${ilib} ] ; then
-    	    POSTLIBS="${POSTLIBS} -L${ilib}"
-	    if ! [ -z "${TURN_ACCEPT_RPATH}" ] ; then
-		TURN_RPATH="${TURN_RPATH} -Wl,-rpath,${ilib}"
+    if [ -z "${PSQL_CFLAGS}" ] || [ -z "${PSQL_LIBS}" ]; then
+        PSQL_CFLAGS="-I${PREFIX}/pgsql/include -I${PREFIX}/include/pgsql/ -I${PREFIX}/include/postgres/ -I${PREFIX}/postgres/include/ -I${PREFIX}/include/postgresql/ -I${PREFIX}/postgresql/include/"
+        PSQL_CFLAGS="${PSQL_CFLAGS} -I/usr/local/pgsql/include -I/usr/local/include/pgsql/ -I/usr/local/include/postgres/ -I/usr/local/postgres/include/ -I/usr/local/include/postgresql/ -I/usr/local/postgresql/include/"
+        PSQL_CFLAGS="${PSQL_CFLAGS} -I/usr/pgsql/include -I/usr/include/pgsql/ -I/usr/include/postgres/ -I/usr/postgres/include/ -I/usr/include/postgresql/ -I/usr/postgresql/include/"
+        for ilib in ${PREFIX}/pgsql/lib ${PREFIX}/lib/pgsql ${PREFIX}/lib64/pgsql /usr/local/pgsql/lib /usr/local/lib/pgsql /usr/local/lib64/pgsql /usr/pgsql/lib /usr/lib/pgsql /usr/lib64/pgsql ${PREFIX}/postgres/lib ${PREFIX}/lib/postgres ${PREFIX}/lib64/postgres /usr/local/postgres/lib /usr/local/lib/postgres /usr/local/lib64/postgres /usr/postgres/lib /usr/lib/postgres /usr/lib64/postgres ${PREFIX}/postgresql/lib ${PREFIX}/lib/postgresql ${PREFIX}/lib64/postgresql /usr/local/postgresql/lib /usr/local/lib/postgresql /usr/local/lib64/postgresql /usr/postgresql/lib /usr/lib/postgresql /usr/lib64/postgresql
+        do
+	    if [ -d ${ilib} ] ; then
+    	        PSQL_LIBS="${PSQL_LIBS} -L${ilib}"
+	        if ! [ -z "${TURN_ACCEPT_RPATH}" ] ; then
+		    TURN_RPATH="${TURN_RPATH} -Wl,-rpath,${ilib}"
+	        fi
 	    fi
-	fi
-    done
-    POSTLIBS="${OSLIBS} ${POSTLIBS} -lpq"
-    ${CC} ${PQ_TMPCPROGC} -o ${PQ_TMPCPROGB} ${OSCFLAGS} ${DBCFLAGS} ${POSTCFLAGS} ${DBLIBS} ${POSTLIBS} ${OSLIBS} 2>>/dev/null 
+        done
+        PSQL_LIBS="${OSLIBS} ${PSQL_LIBS} -lpq"
+    fi
+    ${CC} ${PQ_TMPCPROGC} -o ${PQ_TMPCPROGB} ${OSCFLAGS} ${DBCFLAGS} ${PSQL_CFLAGS} ${DBLIBS} ${PSQL_LIBS} ${OSLIBS} 2>>/dev/null 
     ER=$?
     if ! [ ${ER} -eq 0 ] ; then
     	${ECHO_CMD}
@@ -110,26 +114,28 @@ testlibpq() {
 		${ECHO_CMD}
 		return 0
     else
-		DBCFLAGS="${DBCFLAGS} ${POSTCFLAGS}"
-		DBLIBS="${DBLIBS} ${POSTLIBS}"
+		DBCFLAGS="${DBCFLAGS} ${PSQL_CFLAGS}"
+		DBLIBS="${DBLIBS} ${PSQL_LIBS}"
 		return 1
     fi
 }
 
 testlibmysql() {
-    MYSQL_CFLAGS="-I${PREFIX}/mysql/include -I${PREFIX}/include/mysql/"
-    MYSQL_CFLAGS="${MYSQL_CFLAGS} -I/usr/local/mysql/include -I/usr/local/include/mysql/"
-    MYSQL_CFLAGS="${MYSQL_CFLAGS} -I/usr/mysql/include -I/usr/include/mysql/"
-    for ilib in ${PREFIX}/mysql/lib ${PREFIX}/lib/mysql ${PREFIX}/lib64/mysql /usr/local/mysql/lib /usr/local/lib/mysql /usr/local/lib64/mysql /usr/mysql/lib /usr/lib/mysql /usr/lib64/mysql
-    do
-      if [ -d ${ilib} ] ; then
-        MYSQL_LIBS="${MYSQL_LIBS} -L${ilib}"
-	if ! [ -z "${TURN_ACCEPT_RPATH}" ] ; then
-	    TURN_RPATH="${TURN_RPATH} -Wl,-rpath,${ilib}"
-	fi
-      fi
-    done
-    MYSQL_LIBS="${OSLIBS} ${MYSQL_LIBS} -lmysqlclient"
+    if [ -z "${MYSQL_CFLAGS}" ] || [ -z "${MYSQL_LIBS}" ]; then
+        MYSQL_CFLAGS="-I${PREFIX}/mysql/include -I${PREFIX}/include/mysql/"
+        MYSQL_CFLAGS="${MYSQL_CFLAGS} -I/usr/local/mysql/include -I/usr/local/include/mysql/"
+        MYSQL_CFLAGS="${MYSQL_CFLAGS} -I/usr/mysql/include -I/usr/include/mysql/"
+        for ilib in ${PREFIX}/mysql/lib ${PREFIX}/lib/mysql ${PREFIX}/lib64/mysql /usr/local/mysql/lib /usr/local/lib/mysql /usr/local/lib64/mysql /usr/mysql/lib /usr/lib/mysql /usr/lib64/mysql
+        do
+            if [ -d ${ilib} ] ; then
+                MYSQL_LIBS="${MYSQL_LIBS} -L${ilib}"
+                if ! [ -z "${TURN_ACCEPT_RPATH}" ] ; then
+                    TURN_RPATH="${TURN_RPATH} -Wl,-rpath,${ilib}"
+                fi
+            fi
+        done
+        MYSQL_LIBS="${OSLIBS} ${MYSQL_LIBS} -lmysqlclient"
+    fi
     ${CC} ${MYSQL_TMPCPROGC} -o ${MYSQL_TMPCPROGB} ${OSCFLAGS} ${DBCFLAGS} ${DBLIBS} ${MYSQL_CFLAGS} ${MYSQL_LIBS} ${OSLIBS} 2>>/dev/null
     ER=$?
     if ! [ ${ER} -eq 0 ] ; then
@@ -147,13 +153,15 @@ testlibmysql() {
 }
 
 testlibmongoc() {
-    for inc in ${INCLUDEDIR}/libmongoc-1.0 ${INCLUDEDIR}/libbson-1.0 /usr/local/include/libmongoc-1.0 /usr/local/include/libbson-1.0 /usr/libmongoc-1.0 /usr/libbson-1.0 /usr/include/libbson-1.0/ /usr/include/libmongoc-1.0/
-    do
-      if [ -d ${inc} ] ; then
-        MONGO_CFLAGS="${MONGO_CFLAGS} -I${inc}"
-      fi
-    done
-    MONGO_LIBS="-lmongoc-1.0 -lbson-1.0"
+    if [ -z "${MONGO_CFLAGS}" ] || [ -z "${MONGO_LIBS}" ]; then
+        for inc in ${INCLUDEDIR}/libmongoc-1.0 ${INCLUDEDIR}/libbson-1.0 /usr/local/include/libmongoc-1.0 /usr/local/include/libbson-1.0 /usr/libmongoc-1.0 /usr/libbson-1.0 /usr/include/libbson-1.0/ /usr/include/libmongoc-1.0/
+        do
+            if [ -d ${inc} ] ; then
+                MONGO_CFLAGS="${MONGO_CFLAGS} -I${inc}"
+            fi
+        done
+        MONGO_LIBS="-lmongoc-1.0 -lbson-1.0"
+    fi
     ${CC} ${MONGO_TMPCPROGC} -o ${MONGO_TMPCPROGB} ${OSCFLAGS} ${DBCFLAGS} ${DBLIBS} ${MONGO_CFLAGS} ${MONGO_LIBS} ${OSLIBS} 2>>/dev/null
     ER=$?
     if ! [ ${ER} -eq 0 ] ; then
@@ -910,28 +918,39 @@ testdaemon
 # Test OpenSSL installation
 ###########################
 
-testlib crypto
-ER=$?
-if ! [ ${ER} -eq 0 ] ; then
-    ${ECHO_CMD} "Crypto SSL lib found."
+if [ -n "${SSL_CFLAGS}" ] && [ -n "${SSL_LIBS}" ]; then
+    ${CC} ${TMPCPROGC} ${SSL_CFLAGS} -o ${TMPCPROGB} ${OSCFLAGS} ${OSLIBS} ${SSL_LIBS} 2>>/dev/null
+    ER=$?
+    if ! [ ${ER} -eq 0 ] ; then
+        ${ECHO_CMD} "Private SSL Library option cannot be used"
+        exit
+    else
+        OSCFLAGS="${OSCFLAGS} ${SSL_CFLAGS}"
+        OSLIBS="${OSLIBS} ${SSL_LIBS}"
+    fi
 else
-    ${ECHO_CMD} "ERROR: OpenSSL Crypto development libraries are not installed properly in required location."
-    ${ECHO_CMD} "Abort."
-    cleanup
-    exit
-fi
+    testlib crypto
+    ER=$?
+    if ! [ ${ER} -eq 0 ] ; then
+        ${ECHO_CMD} "Crypto SSL lib found."
+    else
+        ${ECHO_CMD} "ERROR: OpenSSL Crypto development libraries are not installed properly in required location."
+        ${ECHO_CMD} "Abort."
+        cleanup
+        exit
+    fi
 
-testlib ssl
-ER=$?
-if ! [ ${ER} -eq 0 ] ; then
-    ${ECHO_CMD} "SSL lib found."
-else
-    ${ECHO_CMD} "ERROR: OpenSSL development libraries are not installed properly in required location."
-    ${ECHO_CMD} "Abort."
-    cleanup
-    exit
+    testlib ssl
+    ER=$?
+    if ! [ ${ER} -eq 0 ] ; then
+        ${ECHO_CMD} "SSL lib found."
+    else
+        ${ECHO_CMD} "ERROR: OpenSSL development libraries are not installed properly in required location."
+        ${ECHO_CMD} "Abort."
+        cleanup
+        exit
+    fi
 fi
-
 ###########################
 # Can we use GCM cipher ?
 ###########################
@@ -953,71 +972,83 @@ fi
 ###########################
 # Test Libevent2 setup
 ###########################
-testlibevent2_comp
-ER=$?
-if ! [ ${ER} -eq 0 ] ; then
-    ${ECHO_CMD} "Libevent2 development found."
-else
-    ${ECHO_CMD} "ERROR: Libevent2 development libraries are not installed properly in required location."
-    ${ECHO_CMD} "ERROR: may be you have just too old libevent tool - then you have to upgrade it."
-    ${ECHO_CMD} "See the INSTALL file."
-    ${ECHO_CMD} "Abort."
-    cleanup
-    exit
-fi
-
-testlib event_core
-ER=$?
-if ! [ ${ER} -eq 0 ] ; then
-    ${ECHO_CMD} "Libevent2 runtime found."
-    testlib event_extra
+if [ -n "${EVENT_CFLAGS}" ] && [ -n "${EVENT_LIBS}" ]; then
+    ${CC} ${TMPCPROGC} ${EVENT_CFLAGS} -o ${TMPCPROGB} ${OSCFLAGS} ${OSLIBS} ${EVENT_LIBS} 2>>/dev/null
     ER=$?
     if ! [ ${ER} -eq 0 ] ; then
-	${ECHO_CMD} "Libevent2 runtime 'extra' found."
+        ${ECHO_CMD} "Private Event Library option cannot be used"
+        exit
     else
-	${ECHO_CMD} "ERROR: Libevent2 'extra' runtime library is not installed properly in required location."
-	${ECHO_CMD} "See the INSTALL file."
-	${ECHO_CMD} "Abort."
-	cleanup
-	exit
+        OSCFLAGS="${OSCFLAGS} ${EVENT_CFLAGS}"
+        OSLIBS="${OSLIBS} ${EVENT_LIBS}"
     fi
 else
-    testlib event
+    testlibevent2_comp
     ER=$?
     if ! [ ${ER} -eq 0 ] ; then
-		${ECHO_CMD} "Libevent2 runtime found (old style)."
+        ${ECHO_CMD} "Libevent2 development found."
     else
-		${ECHO_CMD} "ERROR: Libevent2 runtime libraries are not installed properly in required location."
-		${ECHO_CMD} "See the INSTALL file."
-		${ECHO_CMD} "Abort."
-		cleanup
-		exit
+        ${ECHO_CMD} "ERROR: Libevent2 development libraries are not installed properly in required location."
+        ${ECHO_CMD} "ERROR: may be you have just too old libevent tool - then you have to upgrade it."
+        ${ECHO_CMD} "See the INSTALL file."
+        ${ECHO_CMD} "Abort."
+        cleanup
+        exit
     fi
-fi
 
-if [ -z "${TURN_NO_TLS}" ] ; then
+    testlib event_core
+    ER=$?
+    if ! [ ${ER} -eq 0 ] ; then
+        ${ECHO_CMD} "Libevent2 runtime found."
+        testlib event_extra
+        ER=$?
+        if ! [ ${ER} -eq 0 ] ; then
+	    ${ECHO_CMD} "Libevent2 runtime 'extra' found."
+        else
+	    ${ECHO_CMD} "ERROR: Libevent2 'extra' runtime library is not installed properly in required location."
+	    ${ECHO_CMD} "See the INSTALL file."
+	    ${ECHO_CMD} "Abort."
+	    cleanup
+	    exit
+        fi
+    else
+        testlib event
+        ER=$?
+        if ! [ ${ER} -eq 0 ] ; then
+            ${ECHO_CMD} "Libevent2 runtime found (old style)."
+        else
+            ${ECHO_CMD} "ERROR: Libevent2 runtime libraries are not installed properly in required location."
+            ${ECHO_CMD} "See the INSTALL file."
+            ${ECHO_CMD} "Abort."
+            cleanup
+            exit
+        fi
+    fi
+
+    if [ -z "${TURN_NO_TLS}" ] ; then
 
 	testlib event_openssl
 	ER=$?
 	if ! [ ${ER} -eq 0 ] ; then
-    	${ECHO_CMD} "Libevent2 openssl found."
+    	    ${ECHO_CMD} "Libevent2 openssl found."
 	else
-    	${ECHO_CMD} "ERROR: Libevent2 development libraries are not compiled with OpenSSL support."
-    	${ECHO_CMD} "TLS will be disabled."
-    	TURN_NO_TLS="-DTURN_NO_TLS"
+    	    ${ECHO_CMD} "ERROR: Libevent2 development libraries are not compiled with OpenSSL support."
+    	    ${ECHO_CMD} "TLS will be disabled."
+    	    TURN_NO_TLS="-DTURN_NO_TLS"
 	fi
 
-else
+    else
 	TURN_NO_TLS="-DTURN_NO_TLS"
-fi
+    fi
 
-testlib event_pthreads
-ER=$?
-if ! [ ${ER} -eq 0 ] ; then
-	${ECHO_CMD} "Libevent2 pthreads found."
-else
-   	${ECHO_CMD} "ERROR: Libevent2 development libraries are not compiled with threads support."
-	exit
+    testlib event_pthreads
+    ER=$?
+    if ! [ ${ER} -eq 0 ] ; then
+        ${ECHO_CMD} "Libevent2 pthreads found."
+    else
+        ${ECHO_CMD} "ERROR: Libevent2 development libraries are not compiled with threads support."
+        exit
+    fi
 fi
 
 ###########################

@@ -8,11 +8,11 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
 	apt-get update && \
 	apt-get install -y build-essential git debhelper dpkg-dev libssl-dev libevent-dev sqlite3 libsqlite3-dev postgresql-client libpq-dev default-mysql-client default-libmysqlclient-dev libhiredis-dev libmongoc-dev libbson-dev
 
-# Clone coTURN
+# Clone Coturn
 WORKDIR ${BUILD_PREFIX}
 RUN git clone https://github.com/coturn/coturn.git
 
-# Build coTURN
+# Build Coturn
 WORKDIR coturn
 RUN ./configure
 RUN make
@@ -34,8 +34,17 @@ COPY --from=coturn-build ${BUILD_PREFIX}/coturn/turndb ${INSTALL_PREFIX}/turndb
 # Install lib dependencies
 RUN export DEBIAN_FRONTEND=noninteractive && \
 	apt-get update && \
-	apt-get install -y libc6>=2.15 libevent-core-2.0-5>=2.0.10-stable libevent-extra-2.0-5>=2.0.10-stable libevent-openssl-2.0-5>=2.0.10-stable libevent-pthreads-2.0-5>=2.0.10-stable libhiredis0.13>=0.13.1 libmariadbclient18>=5.5.36 libpq5>=8.4~ libsqlite3-0>=3.6.0 libssl1.1>=1.1.0 libmongoc-1.0 libbson-1.0
-RUN	apt-get install -y mysql-client postgresql-client redis-tools mongodb-clients
+	apt-get install -y libc6>=2.15 libevent-core-2.1-6>=libevent-core-2.1-6 libevent-extra-2.1-6>=2.1.8-stable-4 libevent-openssl-2.1-6>=2.1.8-stable-4 libevent-pthreads-2.1-6>=2.1.8-stable-4 libhiredis0.14>=0.14.0 libmariadbclient-dev>=10.3.17 libpq5>=8.4~ libsqlite3-0>=3.6.0 libssl1.1>=1.1.0 libmongoc-1.0 libbson-1.0
+RUN apt-get install -y default-mysql-client postgresql-client redis-tools
+
+# Install MongoDB
+RUN apt-get update && \
+  apt-get install -y wget gnupg && \
+  wget -qO - https://www.mongodb.org/static/pgp/server-4.0.asc | apt-key add - && \
+  echo "deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/4.0 main" | tee /etc/apt/sources.list.d/mongodb-org-4.0.list && \
+  echo "deb http://deb.debian.org/debian/ stretch main" | tee /etc/apt/sources.list.d/debian-stretch.list && \
+  apt-get update && \
+  apt-get install -y libcurl3 mongodb-org mongodb-org-server mongodb-org
 
 RUN if ! getent group "$TURNSERVER_GROUP" >/dev/null; then \
         addgroup --system "$TURNSERVER_GROUP" || exit 1 ;\

@@ -1,52 +1,60 @@
 # Coturn TURN SERVER configuration file
 #
-# Boolean values note: where boolean value is supposed to be used,
-# you can use '0', 'off', 'no', 'false', 'f' as 'false,
-# and you can use '1', 'on', 'yes', 'true', 't' as 'true'
-# If the value is missed, then it means 'true'.
+# Boolean values note: where a boolean value is supposed to be used,
+# you can use '0', 'off', 'no', 'false', or 'f' as 'false, 
+# and you can use '1', 'on', 'yes', 'true', or 't' as 'true' 
+# If the value is missing, then it means 'true' by default.
 #
 
 # Listener interface device (optional, Linux only).
-# NOT RECOMMENDED.
+# NOT RECOMMENDED. 
 #
 #listening-device=eth0
 
 # TURN listener port for UDP and TCP (Default: 3478).
-# Note: actually, TLS & DTLS sessions can connect to the
+# Note: actually, TLS & DTLS sessions can connect to the 
 # "plain" TCP & UDP port(s), too - if allowed by configuration.
 #
 listening-port=3478
 
 # TURN listener port for TLS (Default: 5349).
 # Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
-# port(s), too - if allowed by configuration. The TURN server
+# port(s), too - if allowed by configuration. The TURN server 
 # "automatically" recognizes the type of traffic. Actually, two listening
 # endpoints (the "plain" one and the "tls" one) are equivalent in terms of
-# functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
-# For secure TCP connections, we currently support SSL version 3 and
+# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
+# For secure TCP connections, Coturn currently supports SSL version 3 and 
 # TLS version 1.0, 1.1 and 1.2.
-# For secure UDP connections, we support DTLS version 1.
+# For secure UDP connections, Coturn supports DTLS version 1.
 #
 tls-listening-port=5349
 
 # Alternative listening port for UDP and TCP listeners;
-# default (or zero) value means "listening port plus one".
+# default (or zero) value means "listening port plus one". 
 # This is needed for RFC 5780 support
-# (STUN extension specs, NAT behavior discovery). The TURN Server
-# supports RFC 5780 only if it is started with more than one
+# (STUN extension specs, NAT behavior discovery). The TURN Server 
+# supports RFC 5780 only if it is started with more than one 
 # listening IP address of the same family (IPv4 or IPv6).
 # RFC 5780 is supported only by UDP protocol, other protocols
 # are listening to that endpoint only for "symmetry".
 #
 #alt-listening-port=0
-
+							 
 # Alternative listening port for TLS and DTLS protocols.
 # Default (or zero) value means "TLS listening port plus one".
 #
 #alt-tls-listening-port=0
 
+# Some network setups will require using a TCP reverse proxy in front
+# of the STUN server. If the proxy port option is set a single listener
+# is started on the given port that accepts connections using the
+# haproxy proxy protocol v2.
+# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
+#
+#tcp-proxy-port=5555
+	
 # Listener IP address of relay server. Multiple listeners can be specified.
-# If no IP(s) specified in the config file or in the command line options,
+# If no IP(s) specified in the config file or in the command line options, 
 # then all IPv4 and IPv6 system IPs will be used for listening.
 #
 #listening-ip=172.17.19.101
@@ -61,7 +69,7 @@ tls-listening-port=5349
 # they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
 #
 # 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
-#
+# 
 # Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
 #
 # There may be multiple aux-server options, each will be used for listening
@@ -73,7 +81,7 @@ tls-listening-port=5349
 # (recommended for older Linuxes only)
 # Automatically balance UDP traffic over auxiliary servers (if configured).
 # The load balancing is using the ALTERNATE-SERVER mechanism.
-# The TURN client must support 300 ALTERNATE-SERVER response for this
+# The TURN client must support 300 ALTERNATE-SERVER response for this 
 # functionality.
 #
 #udp-self-balance
@@ -83,13 +91,13 @@ tls-listening-port=5349
 #
 #relay-device=eth1
 
-# Relay address (the local IP address that will be used to relay the
+# Relay address (the local IP address that will be used to relay the 
 # packets to the peer).
 # Multiple relay addresses may be used.
 # The same IP(s) can be used as both listening IP(s) and relay IP(s).
 #
 # If no relay IP(s) specified, then the turnserver will apply the default
-# policy: it will decide itself which relay addresses to be used, and it
+# policy: it will decide itself which relay addresses to be used, and it 
 # will always be using the client socket IP address as the relay IP address
 # of the TURN session (if the requested relay address family is the same
 # as the family of the client socket).
@@ -112,35 +120,33 @@ tls-listening-port=5349
 # that option must be used several times, each entry must
 # have form "-X <public-ip/private-ip>", to map all involved addresses.
 # RFC5780 NAT discovery STUN functionality will work correctly,
-# if the addresses are mapped properly, even when the TURN server itself
+# if the addresses are mapped properly, even when the TURN server itself 
 # is behind A NAT.
 #
 # By default, this value is empty, and no address mapping is used.
 #
-#external-ip=60.70.80.91
+external-ip=193.224.22.37
 #
 #OR:
 #
 #external-ip=60.70.80.91/172.17.19.101
 #external-ip=60.70.80.92/172.17.19.102
-#external-ip=60.70.80.92/172.17.19.102
-external-ip=193.224.22.37
 
 
 # Number of the relay threads to handle the established connections
 # (in addition to authentication thread and the listener thread).
-# If explicitly set to 0 then application runs relay process in a
-# single thread, in the same thread with the listener process
+# If explicitly set to 0 then application runs relay process in a 
+# single thread, in the same thread with the listener process 
 # (the authentication thread will still be a separate thread).
 #
-# If this parameter is not set, then the default OS-dependent
+# If this parameter is not set, then the default OS-dependent 
 # thread pattern algorithm will be employed. Usually the default
-# algorithm is the most optimal, so you have to change this option
-# only if you want to make some fine tweaks.
+# algorithm is optimal, so you have to change this option
+# if you want to make some fine tweaks. 
 #
 # In the older systems (Linux kernel before 3.9),
 # the number of UDP threads is always one thread per network listening
-# endpoint - including the auxiliary endpoints - unless 0 (zero) or
+# endpoint - including the auxiliary endpoints - unless 0 (zero) or 
 # 1 (one) value is set.
 #
 #relay-threads=0
@@ -150,15 +156,15 @@ external-ip=193.224.22.37
 #
 min-port=49152
 max-port=65535
-
+	
 # Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
 # By default the verbose mode is off.
 verbose
-
+	
 # Uncomment to run TURN server in 'extra' verbose mode.
 # This mode is very annoying and produces lots of output.
-# Not recommended under any normal circumstances.
-#
+# Not recommended under normal circumstances.
+#	
 #Verbose
 
 # Uncomment to use fingerprints in the TURN messages.
@@ -171,11 +177,11 @@ fingerprint
 #
 lt-cred-mech
 
-# This option is opposite to lt-cred-mech.
+# This option is the opposite of lt-cred-mech. 
 # (TURN Server with no-auth option allows anonymous access).
 # If neither option is defined, and no users are defined,
-# then no-auth is default. If at least one user is defined,
-# in this file or in command line or in usersdb file, then
+# then no-auth is default. If at least one user is defined, 
+# in this file, in command line or in usersdb file, then
 # lt-cred-mech is default.
 #
 #no-auth
@@ -185,44 +191,43 @@ lt-cred-mech
 # Flag that sets a special authorization option that is based upon authentication secret.
 #
 # This feature's purpose is to support "TURN Server REST API", see
-# "TURN REST API" link in the project's page
+# "TURN REST API" link in the project's page 
 # https://github.com/coturn/coturn/
 #
 # This option is used with timestamp:
-#
+# 
 # usercombo -> "timestamp:userid"
 # turn user -> usercombo
 # turn password -> base64(hmac(secret key, usercombo))
 #
 # This allows TURN credentials to be accounted for a specific user id.
-# If you don't have a suitable id, the timestamp alone can be used.
-# This option is just turning on secret-based authentication.
-# The actual value of the secret is defined either by option static-auth-secret,
+# If you don't have a suitable id, then the timestamp alone can be used.
+# This option is enabled by turning on secret-based authentication.
+# The actual value of the secret is defined either by the option static-auth-secret,
 # or can be found in the turn_secret table in the database (see below).
-#
+# 
 # Read more about it:
 #  - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
 #  - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
 #
-# Be aware that use-auth-secret overrides some part of lt-cred-mech.
-# Notice that this feature depends internally on lt-cred-mech, so if you set
-# use-auth-secret then it enables internally automatically lt-cred-mech option
-# like if you enable both.
-#
-# You can use only one of the to auth mechanisms in the same time because,
-# both mechanism use the username and password validation in different way.
+# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
+# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
+# this option then it automatically enables lt-cred-mech internally
+# as if you had enabled both.
 #
-# This way be aware that you can't use both auth mechnaism in the same time!
-# Use in config either the lt-cred-mech or the use-auth-secret
+# Note that you can use only one auth mechanism at the same time! This is because,
+# both mechanisms conduct username and password validation in different ways.
+# 
+# Use either lt-cred-mech or use-auth-secret in the conf
 # to avoid any confusion.
 #
 #use-auth-secret
 
-# 'Static' authentication secret value (a string) for TURN REST API only.
+# 'Static' authentication secret value (a string) for TURN REST API only. 
 # If not set, then the turn server
-# will try to use the 'dynamic' value in turn_secret table
-# in user database (if present). The database-stored  value can be changed on-the-fly
-# by a separate program, so this is why that other mode is 'dynamic'.
+# will try to use the 'dynamic' value in the turn_secret table
+# in the user database (if present). The database-stored  value can be changed on-the-fly
+# by a separate program, so this is why that mode is considered 'dynamic'.
 #
 #static-auth-secret=north
 
@@ -236,10 +241,10 @@ lt-cred-mech
 #
 #oauth
 
-# 'Static' user accounts for long term credentials mechanism, only.
+# 'Static' user accounts for the long term credentials mechanism, only.
 # This option cannot be used with TURN REST API.
-# 'Static' user accounts are NOT dynamically checked by the turnserver process,
-# so that they can NOT be changed while the turnserver is running.
+# 'Static' user accounts are NOT dynamically checked by the turnserver process, 
+# so they can NOT be changed while the turnserver is running.
 #
 #user=username1:key1
 #user=username2:key2
@@ -257,103 +262,91 @@ lt-cred-mech
 # password. If it has 0x then it is a key, otherwise it is a password).
 #
 # The corresponding user account entry in the config file will be:
-#
+# 
 #user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
 # Or, equivalently, with open clear password (less secure):
 #user=ninefingers:youhavetoberealistic
 #
 
 # SQLite database file name.
 #
-# Default file name is /var/db/turndb or /usr/local/var/db/turndb or
+# The default file name is /var/db/turndb or /usr/local/var/db/turndb or
 # /var/lib/turn/turndb.
-#
+# 
 #userdb=/var/db/turndb
 
-# PostgreSQL database connection string in the case that we are using PostgreSQL
+# PostgreSQL database connection string in the case that you are using PostgreSQL
 # as the user database.
-# This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN RESP API.
+# This database can be used for the long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN REST API. 
 # See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
-# versions connection string format, see
+# versions connection string format, see 
 # http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
 # for 9.x and newer connection string formats.
 #
 #psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
 
-#psql-userdb="host=postgresql dbname=coturn user=coturn password=CHANGE_ME connect_timeout=30"
-
-# MySQL database connection string in the case that we are using MySQL
+# MySQL database connection string in the case that you are using MySQL
 # as the user database.
-# This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN RESP API.
+# This database can be used for the long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
 #
-# Optional connection string parameters for the secure communications (SSL):
-# ca, capath, cert, key, cipher
-# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
+# Optional connection string parameters for the secure communications (SSL): 
+# ca, capath, cert, key, cipher 
+# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the 
 # command options description).
 #
-# Use string format as below (space separated parameters, all optional):
+# Use the string format below (space separated parameters, all optional):
 #
-#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
-
 mysql-userdb="host=mysql dbname=coturn user=coturn password=CHANGE_ME port=3306 connect_timeout=10 read_timeout=10"
 
-# If you want to use in the MySQL connection string the password in encrypted format,
-# then set in this option the MySQL password encryption secret key file.
+# If you want to use an encrypted password in the MySQL connection string,
+# then set the MySQL password encryption secret key file with this option.
 #
-# Warning: If this option is set, then mysql password must be set in "mysql-userdb" in encrypted format!
-# If you want to use cleartext password then do not set this option!
+# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format! 
+# If you want to use a cleartext password then do not set this option!
 #
-# This is the file path which contain secret key of aes encryption while using password encryption.
+# This is the file path for the aes encrypted secret key used for password encryption.
 #
 #secret-key-file=/path/
 
-# MongoDB database connection string in the case that we are using MongoDB
+# MongoDB database connection string in the case that you are using MongoDB
 # as the user database.
 # This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN RESP API.
-# Use string format is described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
+# and it can store the secret value for secret-based timed authentication in TURN REST API. 
+# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
 #
 #mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
 
-#mongo-userdb="mongodb://coturn:CHANGE_ME@mongodb/coturn"
-#mongo-userdb="mongodb://mongodb/coturn"
-
-# Redis database connection string in the case that we are using Redis
+# Redis database connection string in the case that you are using Redis
 # as the user database.
 # This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN RESP API.
-# Use string format as below (space separated parameters, all optional):
+# and it can store the secret value for secret-based timed authentication in TURN REST API. 
+# Use the string format below (space separated parameters, all optional):
 #
 #redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
 
-#redis-userdb="ip=redis dbname=2 password=CHANGE_ME connect_timeout=30"
-
 # Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
 # This database keeps allocations status information, and it can be also used for publishing
 # and delivering traffic and allocation event notifications.
-# The connection string has the same parameters as redis-userdb connection string.
-# Use string format as below (space separated parameters, all optional):
+# The connection string has the same parameters as redis-userdb connection string. 
+# Use the string format below (space separated parameters, all optional):
 #
 #redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
 
-#redis-statsdb="ip=redis dbname=2 password=CHANGE_ME connect_timeout=30"
-
-# The default realm to be used for the users when no explicit
-# origin/realm relationship was found in the database, or if the TURN
+# The default realm to be used for the users when no explicit 
+# origin/realm relationship is found in the database, or if the TURN
 # server is not using any database (just the commands-line settings
-# and the userdb file). Must be used with long-term credentials
+# and the userdb file). Must be used with long-term credentials 
 # mechanism or with TURN REST API.
 #
-# Note: If default realm is not specified at all, then realm falls back to the host domain name.
-#       If domain name is empty string, or '(None)', then it is initialized to am empty string.
+# Note: If the default realm is not specified, then realm falls back to the host domain name.
+#       If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
 #
-#realm=mycompany.org
 realm=example.org
 
-# The flag that sets the origin consistency
-# check: across the session, all requests must have the same
+# This flag sets the origin consistency 
+# check. Across the session, all requests must have the same
 # main ORIGIN attribute value (if the ORIGIN was
 # initially used by the session).
 #
@@ -373,7 +366,7 @@ realm=example.org
 
 # Max bytes-per-second bandwidth a TURN session is allowed to handle
 # (input and output network streams are treated separately). Anything above
-# that limit will be dropped or temporary suppressed (within
+# that limit will be dropped or temporarily suppressed (within
 # the available buffer limits).
 # This option can also be set through the database, for a particular realm.
 #
@@ -417,11 +410,11 @@ realm=example.org
 #no-tcp-relay
 
 # Uncomment if extra security is desired,
-# with nonce value having limited lifetime.
+# with nonce value having a limited lifetime.
 # By default, the nonce value is unique for a session,
-# and has unlimited lifetime.
-# Set this option to limit the nonce lifetime.
-# It defaults to 600 secs (10 min) if no value is provided. After that delay,
+# and has an unlimited lifetime. 
+# Set this option to limit the nonce lifetime. 
+# It defaults to 600 secs (10 min) if no value is provided. After that delay, 
 # the client will get 438 error and will have to re-authenticate itself.
 #
 #stale-nonce=600
@@ -447,18 +440,17 @@ realm=example.org
 #permission-lifetime=300
 
 # Certificate file.
-# Use an absolute path or path relative to the
+# Use an absolute path or path relative to the 
 # configuration file.
+# Use PEM file format.
 #
-#cert=/usr/local/etc/turn_server_cert.pem
 cert=/etc/ssl/certs/cert.pem
 
 # Private key file.
-# Use an absolute path or path relative to the
+# Use an absolute path or path relative to the 
 # configuration file.
 # Use PEM file format.
 #
-#pkey=/usr/local/etc/turn_server_pkey.pem
 pkey=/etc/ssl/private/privkey.pem
 
 # Private key file password, if it is in encoded format.
@@ -471,51 +463,51 @@ pkey=/etc/ssl/private/privkey.pem
 #
 #cipher-list="DEFAULT"
 
-# CA file in OpenSSL format.
+# CA file in OpenSSL format. 
 # Forces TURN server to verify the client SSL certificates.
-# By default it is not set: there is no default value and the client
+# By default this is not set: there is no default value and the client
 # certificate is not checked.
 #
 # Example:
 #CA-file=/etc/ssh/id_rsa.cert
 
-# Curve name for EC ciphers, if supported by OpenSSL
-# library (TLS and DTLS). The default value is prime256v1,
+# Curve name for EC ciphers, if supported by OpenSSL 
+# library (TLS and DTLS). The default value is prime256v1, 
 # if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
 # an optimal curve will be automatically calculated, if not defined
 # by this option.
 #
 #ec-curve-name=prime256v1
 
-# Use 566 bits predefined DH TLS key. Default size of the key is 1066.
+# Use 566 bits predefined DH TLS key. Default size of the key is 2066.
 #
 #dh566
 
-# Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
+# Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
 #
-#dh2066
+#dh1066
 
 # Use custom DH TLS key, stored in PEM format in the file.
 # Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
 #
 #dh-file=<DH-PEM-file-name>
 
 # Flag to prevent stdout log messages.
-# By default, all log messages are going to both stdout and to
-# the configured log file. With this option everything will be
-# going to the configured log only (unless the log file itself is stdout).
+# By default, all log messages go to both stdout and to 
+# the configured log file. With this option everything will 
+# go to the configured log only (unless the log file itself is stdout).
 #
 #no-stdout-log
 
 # Option to set the log file name.
-# By default, the turnserver tries to open a log file in
-# /var/log, /var/tmp, /tmp and current directories directories
-# (which open operation succeeds first that file will be used).
+# By default, the turnserver tries to open a log file in 
+# /var/log, /var/tmp, /tmp and the current directory
+# (Whichever file open operation succeeds first will be used).
 # With this option you can set the definite log file name.
-# The special names are "stdout" and "-" - they will force everything
+# The special names are "stdout" and "-" - they will force everything 
 # to the stdout. Also, the "syslog" name will force everything to
-# the system log (syslog).
-# In the runtime, the logfile can be reset with the SIGHUP signal
+# the system log (syslog). 
+# In the runtime, the logfile can be reset with the SIGHUP signal 
 # to the turnserver process.
 #
 #log-file=/var/tmp/turn.log
@@ -531,40 +523,40 @@ syslog
 #simple-log
 
 # Option to set the "redirection" mode. The value of this option
-# will be the address of the alternate server for UDP & TCP service in form of
+# will be the address of the alternate server for UDP & TCP service in the form of 
 # <ip>[:<port>]. The server will send this value in the attribute
 # ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
 # Client will receive only values with the same address family
-# as the client network endpoint address family.
-# See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description.
+# as the client network endpoint address family. 
+# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality. 
 # The client must use the obtained value for subsequent TURN communications.
-# If more than one --alternate-server options are provided, then the functionality
-# can be more accurately described as "load-balancing" than a mere "redirection".
-# If the port number is omitted, then the default port
+# If more than one --alternate-server option is provided, then the functionality
+# can be more accurately described as "load-balancing" than a mere "redirection". 
+# If the port number is omitted, then the default port 
 # number 3478 for the UDP/TCP protocols will be used.
-# Colon (:) characters in IPv6 addresses may conflict with the syntax of
-# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
-# in square brackets in such resource identifiers, for example:
-# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
+# Colon (:) characters in IPv6 addresses may conflict with the syntax of 
+# the option. To alleviate this conflict, literal IPv6 addresses are enclosed 
+# in square brackets in such resource identifiers, for example: 
+# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 . 
 # Multiple alternate servers can be set. They will be used in the
-# round-robin manner. All servers in the pool are considered of equal weight and
-# the load will be distributed equally. For example, if we have 4 alternate servers,
-# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
-# address can be used more than one time with the alternate-server option, so this
+# round-robin manner. All servers in the pool are considered of equal weight and 
+# the load will be distributed equally. For example, if you have 4 alternate servers, 
+# then each server will receive 25% of ALLOCATE requests. A alternate TURN server 
+# address can be used more than one time with the alternate-server option, so this 
 # can emulate "weighting" of the servers.
 #
-# Examples:
+# Examples: 
 #alternate-server=1.2.3.4:5678
 #alternate-server=11.22.33.44:56789
 #alternate-server=5.6.7.8
 #alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
-
-# Option to set alternative server for TLS & DTLS services in form of
-# <ip>:<port>. If the port number is omitted, then the default port
-# number 5349 for the TLS/DTLS protocols will be used. See the previous
+			
+# Option to set alternative server for TLS & DTLS services in form of 
+# <ip>:<port>. If the port number is omitted, then the default port 
+# number 5349 for the TLS/DTLS protocols will be used. See the previous 
 # option for the functionality description.
 #
-# Examples:
+# Examples: 
 #tls-alternate-server=1.2.3.4:5678
 #tls-alternate-server=11.22.33.44:56789
 #tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
@@ -575,6 +567,15 @@ syslog
 #
 #stun-only
 
+# Option to hide software version. Enhance security when used in production.
+# Revealing the specific software version of the agent through the
+# SOFTWARE attribute might allow them to become more vulnerable to
+# attacks against software that is known to contain security holes.
+# Implementers SHOULD make usage of the SOFTWARE attribute a
+# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
+#
+#no-software-attribute
+
 # Option to suppress STUN functionality, only TURN requests will be processed.
 # Run as TURN server only, all STUN requests will be ignored.
 # By default, this option is NOT set.
@@ -583,30 +584,37 @@ syslog
 
 # This is the timestamp/username separator symbol (character) in TURN REST API.
 # The default value is ':'.
-# rest-api-separator=:
+# rest-api-separator=:	
 
-# Flag that can be used to disallow peers on the loopback addresses (127.x.x.x and ::1).
+# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
 # This is an extra security measure.
 #
-no-loopback-peers
+# (To avoid any security issue that allowing loopback access may raise,
+# the no-loopback-peers option is replaced by allow-loopback-peers.)
+#
+# Allow it only for testing in a development environment! 
+# In production it adds a possible security vulnerability, so for security reasons 
+# it is not allowed using it together with empty cli-password. 
+#
+#allow-loopback-peers
 
 # Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
 # This is an extra security measure.
 #
 #no-multicast-peers
 
-# Option to set the max time, in seconds, allowed for full allocation establishment.
+# Option to set the max time, in seconds, allowed for full allocation establishment. 
 # Default is 60 seconds.
 #
 #max-allocate-timeout=60
 
-# Option to allow or ban specific ip addresses or ranges of ip addresses.
-# If an ip address is specified as both allowed and denied, then the ip address is
-# considered to be allowed. This is useful when you wish to ban a range of ip
+# Option to allow or ban specific ip addresses or ranges of ip addresses. 
+# If an ip address is specified as both allowed and denied, then the ip address is 
+# considered to be allowed. This is useful when you wish to ban a range of ip 
 # addresses, except for a few specific ips within that range.
 #
 # This can be used when you do not want users of the turn server to be able to access
-# machines reachable by the turn server, but would otherwise be unreachable from the
+# machines reachable by the turn server, but would otherwise be unreachable from the 
 # internet (e.g. when the turn server is sitting behind a NAT)
 #
 # Examples:
@@ -628,22 +636,22 @@ no-loopback-peers
 #
 #mobility
 
-# Allocate Address Family according
-# If enabled then TURN server allocates address family according  the TURN
+# Allocate Address Family according 
+# If enabled then TURN server allocates address family according  the TURN 
 # Client <=> Server communication address family.
-# (By default coTURN works according RFC 6156.)
+# (By default Coturn works according RFC 6156.)
 # !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
 #
 #keep-address-family
 
 
 # User name to run the process. After the initialization, the turnserver process
-# will make an attempt to change the current user ID to that user.
+# will attempt to change the current user ID to that user.
 #
 #proc-user=<user-name>
 
 # Group name to run the process. After the initialization, the turnserver process
-# will make an attempt to change the current group ID to that group.
+# will attempt to change the current group ID to that group.
 #
 #proc-group=<group-name>
 
@@ -663,22 +671,40 @@ cli-ip=127.0.0.1
 cli-port=5766
 
 # CLI access password. Default is empty (no password).
-# For the security reasons, it is recommended to use the encrypted
-# for of the password (see the -P command in the turnadmin utility).
+# For the security reasons, it is recommended that you use the encrypted
+# form of the password (see the -P command in the turnadmin utility).
 #
 # Secure form for password 'qwerty':
 #
 #cli-password=$5$79a316b350311570$81df9cfb9af7f5e5a76eada31e7097b663a0670f99a3c07ded3f1c8e59c5658a
 #
 # Or unsecure form for the same password:
 #
-#cli-password=qwerty
 cli-password=CHANGE_ME
 
-# Server relay. NON-STANDARD AND DANGEROUS OPTION.
-# Only for those applications when we want to run
+# Enable Web-admin support on https. By default it is Disabled.
+# If it is enabled it also enables a http a simple static banner page
+# with a small reminder that the admin page is available only on https.
+#
+#web-admin
+
+# Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
+#
+#web-admin-ip=127.0.0.1
+
+# Web-admin server port. Default is 8080.
+#
+#web-admin-port=8080
+
+# Web-admin server listen on STUN/TURN worker threads
+# By default it is disabled for security resons! (Not recommended in any production environment!)
+#
+#web-admin-listen-on-workers
+
+# Server relay. NON-STANDARD AND DANGEROUS OPTION. 
+# Only for those applications when you want to run 
 # server applications on the relay endpoints.
-# This option eliminates the IP permissions check on
+# This option eliminates the IP permissions check on 
 # the packets incoming to the relay endpoints.
 #
 #server-relay

@@ -7,7 +7,7 @@ services:
       context: ./mysql
     restart: unless-stopped
     volumes:
-      - mysql-data:/var/lib/mysql/data
+      - mysql-data:/var/lib/mysql
     env_file: 
       - mysql/mysql.env
     networks:
@@ -19,7 +19,7 @@ services:
       context: ./postgresql
     restart: unless-stopped
     volumes:
-      - postgresql-data:/var/lib/postgresql/data
+      - postgresql-data:/var/lib/postgresql
     env_file: 
       - postgresql/postgresql.env
     networks:
@@ -49,7 +49,7 @@ services:
       - backend
 
 
-# coTURN
+# Coturn
   coturn:
     build:
       context: ./coturn

@@ -13,7 +13,7 @@ services:
       - backend
 
 
-# coTURN
+# Coturn
   coturn:
     build:
       context: ./coturn

@@ -14,7 +14,7 @@ services:
       - backend
 
 
-# coTURN
+# Coturn
   coturn:
     build:
       context: ./coturn

@@ -14,7 +14,7 @@ services:
       - backend
 
 
-# coTURN
+# Coturn
   coturn:
     build:
       context: ./coturn

@@ -14,7 +14,7 @@ services:
       - backend
 
 
-# coTURN
+# Coturn
   coturn:
     build:
       context: ./coturn

@@ -1,6 +1,6 @@
 Before you begin
- * copy db schema run ./cp_schema.sh
- * edit turnserver/turnserver.cfg according your db selection (mysql or postgresql or redis or mongodb)
+ * copy db schema run ./cp-schema.sh
+ * edit coturn/turnserver.conf according your db selection (mysql or postgresql or redis or mongodb)
 
 # start
 

@@ -0,0 +1,80 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            4c:9b:ec:95:d1:21:49:1d:5d:65:a7:1a:61:46:67:dd:42:18:65:46
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=HU, ST=Hungary, O=coTURN, CN=CA/emailAddress=misi@majd.eu
+        Validity
+            Not Before: Mar  5 09:05:10 2020 GMT
+            Not After : Jul  7 09:05:10 3019 GMT
+        Subject: C=HU, ST=Hungary, O=coTURN, CN=CA/emailAddress=misi@majd.eu
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:d8:76:2a:59:44:73:da:25:38:93:54:d8:c5:2b:
+                    11:bd:30:80:21:5f:47:95:7d:eb:5e:3e:98:0d:a7:
+                    a8:30:8c:07:6d:1a:ee:89:c1:4c:cc:64:81:90:b3:
+                    ab:54:1f:9b:72:23:c5:2f:0a:32:52:be:27:ad:2f:
+                    51:ee:62:9e:ed:44:d0:ba:aa:72:67:03:a2:ee:a0:
+                    e3:5d:9e:37:ec:ee:0b:29:59:e8:d8:d5:84:a1:6d:
+                    36:5d:85:6b:0d:73:a0:32:fe:b6:fa:99:ef:8c:78:
+                    a9:02:f4:3a:bd:13:bc:1a:9b:72:55:0b:e7:0c:ed:
+                    68:00:c2:e7:78:4a:df:ce:14:2a:99:f1:de:97:16:
+                    60:44:f1:fc:f8:74:e5:33:31:cc:f9:ff:5d:9e:c1:
+                    c7:c6:21:75:48:08:26:f5:7c:f1:56:ec:15:c5:7f:
+                    24:0f:08:03:74:e0:da:10:bf:3d:90:67:09:1e:b2:
+                    3f:b4:f4:15:df:53:e8:68:e8:d1:28:8e:2d:37:f9:
+                    e0:3a:a3:29:00:3d:0a:66:7c:71:ab:54:e5:da:fe:
+                    44:18:3c:b4:be:c5:ce:49:26:8c:cc:ab:88:8f:b7:
+                    e3:ad:5b:df:b2:d4:a3:f8:a9:06:4f:38:6e:b7:05:
+                    b3:3a:bd:63:cd:f7:26:15:e0:98:fd:30:7e:d3:33:
+                    56:8d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                1C:27:5E:40:39:8C:EC:71:C7:ED:E9:2A:56:C9:9E:DF:48:EA:82:42
+            X509v3 Authority Key Identifier: 
+                keyid:1C:27:5E:40:39:8C:EC:71:C7:ED:E9:2A:56:C9:9E:DF:48:EA:82:42
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         b4:d5:d9:7a:46:1e:1a:95:02:b5:7e:86:45:16:26:d5:8a:11:
+         b9:34:98:58:df:cd:0c:d5:a5:f2:cc:24:1a:22:f4:c7:3e:50:
+         39:40:f5:d6:e8:3b:9c:05:e9:f9:95:9b:c2:01:3b:69:d5:ba:
+         4f:cf:7c:a6:7c:6e:f4:24:a3:d1:88:e2:29:60:ca:6d:b0:ee:
+         a6:b8:d1:5f:49:d5:08:a6:c2:79:3a:3f:8a:63:ec:53:ef:48:
+         00:8c:61:d2:0f:38:e0:00:ac:6d:a6:bf:ed:6a:42:c3:cf:4e:
+         e3:0d:48:c5:a7:6d:5e:af:5a:e4:30:26:ba:19:2a:a5:57:da:
+         ce:b7:b6:45:24:fb:36:b6:a3:6c:55:ca:9f:91:19:29:db:a4:
+         22:d4:45:53:b9:79:6a:a7:5e:90:a3:4d:3b:c1:b6:2b:52:41:
+         97:7d:9e:0c:cf:0a:5f:ce:0e:fe:bf:a9:e5:b7:60:17:f5:93:
+         4b:b5:6d:2d:51:a6:c1:54:65:f9:e1:5c:21:8d:3d:19:0c:dc:
+         2c:c9:17:40:65:15:d0:ad:98:06:a0:11:aa:87:b3:2d:03:29:
+         37:24:f6:42:a8:d5:58:ae:55:20:c3:37:a3:62:33:36:34:73:
+         98:bc:70:30:aa:33:b0:e4:86:b6:d9:22:79:1f:3f:68:6f:f5:
+         66:75:e8:70
+-----BEGIN CERTIFICATE-----
+MIIDlzCCAn+gAwIBAgIUTJvsldEhSR1dZacaYUZn3UIYZUYwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCSFUxEDAOBgNVBAgMB0h1bmdhcnkxDzANBgNVBAoMBmNv
+VFVSTjELMAkGA1UEAwwCQ0ExGzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5ldTAg
+Fw0yMDAzMDUwOTA1MTBaGA8zMDE5MDcwNzA5MDUxMFowWjELMAkGA1UEBhMCSFUx
+EDAOBgNVBAgMB0h1bmdhcnkxDzANBgNVBAoMBmNvVFVSTjELMAkGA1UEAwwCQ0Ex
+GzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5ldTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBANh2KllEc9olOJNU2MUrEb0wgCFfR5V9614+mA2nqDCMB20a
+7onBTMxkgZCzq1Qfm3IjxS8KMlK+J60vUe5inu1E0LqqcmcDou6g412eN+zuCylZ
+6NjVhKFtNl2Faw1zoDL+tvqZ74x4qQL0Or0TvBqbclUL5wztaADC53hK384UKpnx
+3pcWYETx/Ph05TMxzPn/XZ7Bx8YhdUgIJvV88VbsFcV/JA8IA3Tg2hC/PZBnCR6y
+P7T0Fd9T6Gjo0SiOLTf54DqjKQA9CmZ8catU5dr+RBg8tL7FzkkmjMyriI+3461b
+37LUo/ipBk84brcFszq9Y833JhXgmP0wftMzVo0CAwEAAaNTMFEwHQYDVR0OBBYE
+FBwnXkA5jOxxx+3pKlbJnt9I6oJCMB8GA1UdIwQYMBaAFBwnXkA5jOxxx+3pKlbJ
+nt9I6oJCMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBALTV2XpG
+HhqVArV+hkUWJtWKEbk0mFjfzQzVpfLMJBoi9Mc+UDlA9dboO5wF6fmVm8IBO2nV
+uk/PfKZ8bvQko9GI4ilgym2w7qa40V9J1Qimwnk6P4pj7FPvSACMYdIPOOAArG2m
+v+1qQsPPTuMNSMWnbV6vWuQwJroZKqVX2s63tkUk+za2o2xVyp+RGSnbpCLURVO5
+eWqnXpCjTTvBtitSQZd9ngzPCl/ODv6/qeW3YBf1k0u1bS1RpsFUZfnhXCGNPRkM
+3CzJF0BlFdCtmAagEaqHsy0DKTck9kKo1ViuVSDDN6NiMzY0c5i8cDCqM7DkhrbZ
+InkfP2hv9WZ16HA=
+-----END CERTIFICATE-----

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICsjCCAZoCAQAwbTELMAkGA1UEBhMCSFUxEDAOBgNVBAgMB0h1bmdhcnkxETAP
+BgNVBAcMCERlYnJlY2VuMQ8wDQYDVQQKDAZjb1RVUk4xCzAJBgNVBAMMAkNBMRsw
+GQYJKoZIhvcNAQkBFgxtaXNpQG1hamQuZXUwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDYdipZRHPaJTiTVNjFKxG9MIAhX0eVfetePpgNp6gwjAdtGu6J
+wUzMZIGQs6tUH5tyI8UvCjJSvietL1HuYp7tRNC6qnJnA6LuoONdnjfs7gspWejY
+1YShbTZdhWsNc6Ay/rb6me+MeKkC9Dq9E7wam3JVC+cM7WgAwud4St/OFCqZ8d6X
+FmBE8fz4dOUzMcz5/12ewcfGIXVICCb1fPFW7BXFfyQPCAN04NoQvz2QZwkesj+0
+9BXfU+ho6NEoji03+eA6oykAPQpmfHGrVOXa/kQYPLS+xc5JJozMq4iPt+OtW9+y
+1KP4qQZPOG63BbM6vWPN9yYV4Jj9MH7TM1aNAgMBAAGgADANBgkqhkiG9w0BAQsF
+AAOCAQEAmvXWsoJQneJFFHb+qTNjkA3sHduyB+kQ5qUVlFoT6U6IKyWnVUqAKc9a
+eFKw94yq/01cqOBd4MWKTg9k/wjjmkJA9WtXMrVq8HW1rKVRCCJxtzUKTR3pet/z
+gs3YwbTlqpljtpn3qEzspMaeyvh391A4IVykDZHGR12+4LqZhoUyGl1QJ7KgQwGM
++Vi2TL3fY8PDxvGFmGvWnUIWYkB31vAuDz1xOqm2JlP0kTHMUPiVBlwJVuHdATy2
+sWZEzsNnXBt2vAVwhTdFEajF4ut8guPQWW8XcTiaEOGJUIY8J4Yb2wqHk+4HsIFV
+i2vua41jc90Ki3EA0+QDB7BJAvC4yw==
+-----END CERTIFICATE REQUEST-----

@@ -0,0 +1 @@
+01

@@ -0,0 +1,3 @@
+V	30190707090510Z		4C9BEC95D121491D5D65A71A614667DD42186546	unknown	/C=HU/ST=Hungary/O=coTURN/CN=CA/emailAddress=misi@majd.eu
+V	300303090521Z		4C9BEC95D121491D5D65A71A614667DD42186547	unknown	/C=HU/ST=Hungary/L=Debrecen/O=coTURN/CN=Server/emailAddress=misi@majd.eu
+V	300303090542Z		4C9BEC95D121491D5D65A71A614667DD42186548	unknown	/C=HU/ST=Hungary/L=Debrecen/O=coTURN/CN=Client/emailAddress=misi@majd.eu

@@ -0,0 +1 @@
+unique_subject = yes

@@ -0,0 +1 @@
+unique_subject = yes

@@ -0,0 +1,2 @@
+V	30190707090510Z		4C9BEC95D121491D5D65A71A614667DD42186546	unknown	/C=HU/ST=Hungary/O=coTURN/CN=CA/emailAddress=misi@majd.eu
+V	300303090521Z		4C9BEC95D121491D5D65A71A614667DD42186547	unknown	/C=HU/ST=Hungary/L=Debrecen/O=coTURN/CN=Server/emailAddress=misi@majd.eu

@@ -0,0 +1,80 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            4c:9b:ec:95:d1:21:49:1d:5d:65:a7:1a:61:46:67:dd:42:18:65:46
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=HU, ST=Hungary, O=coTURN, CN=CA/emailAddress=misi@majd.eu
+        Validity
+            Not Before: Mar  5 09:05:10 2020 GMT
+            Not After : Jul  7 09:05:10 3019 GMT
+        Subject: C=HU, ST=Hungary, O=coTURN, CN=CA/emailAddress=misi@majd.eu
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:d8:76:2a:59:44:73:da:25:38:93:54:d8:c5:2b:
+                    11:bd:30:80:21:5f:47:95:7d:eb:5e:3e:98:0d:a7:
+                    a8:30:8c:07:6d:1a:ee:89:c1:4c:cc:64:81:90:b3:
+                    ab:54:1f:9b:72:23:c5:2f:0a:32:52:be:27:ad:2f:
+                    51:ee:62:9e:ed:44:d0:ba:aa:72:67:03:a2:ee:a0:
+                    e3:5d:9e:37:ec:ee:0b:29:59:e8:d8:d5:84:a1:6d:
+                    36:5d:85:6b:0d:73:a0:32:fe:b6:fa:99:ef:8c:78:
+                    a9:02:f4:3a:bd:13:bc:1a:9b:72:55:0b:e7:0c:ed:
+                    68:00:c2:e7:78:4a:df:ce:14:2a:99:f1:de:97:16:
+                    60:44:f1:fc:f8:74:e5:33:31:cc:f9:ff:5d:9e:c1:
+                    c7:c6:21:75:48:08:26:f5:7c:f1:56:ec:15:c5:7f:
+                    24:0f:08:03:74:e0:da:10:bf:3d:90:67:09:1e:b2:
+                    3f:b4:f4:15:df:53:e8:68:e8:d1:28:8e:2d:37:f9:
+                    e0:3a:a3:29:00:3d:0a:66:7c:71:ab:54:e5:da:fe:
+                    44:18:3c:b4:be:c5:ce:49:26:8c:cc:ab:88:8f:b7:
+                    e3:ad:5b:df:b2:d4:a3:f8:a9:06:4f:38:6e:b7:05:
+                    b3:3a:bd:63:cd:f7:26:15:e0:98:fd:30:7e:d3:33:
+                    56:8d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                1C:27:5E:40:39:8C:EC:71:C7:ED:E9:2A:56:C9:9E:DF:48:EA:82:42
+            X509v3 Authority Key Identifier: 
+                keyid:1C:27:5E:40:39:8C:EC:71:C7:ED:E9:2A:56:C9:9E:DF:48:EA:82:42
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         b4:d5:d9:7a:46:1e:1a:95:02:b5:7e:86:45:16:26:d5:8a:11:
+         b9:34:98:58:df:cd:0c:d5:a5:f2:cc:24:1a:22:f4:c7:3e:50:
+         39:40:f5:d6:e8:3b:9c:05:e9:f9:95:9b:c2:01:3b:69:d5:ba:
+         4f:cf:7c:a6:7c:6e:f4:24:a3:d1:88:e2:29:60:ca:6d:b0:ee:
+         a6:b8:d1:5f:49:d5:08:a6:c2:79:3a:3f:8a:63:ec:53:ef:48:
+         00:8c:61:d2:0f:38:e0:00:ac:6d:a6:bf:ed:6a:42:c3:cf:4e:
+         e3:0d:48:c5:a7:6d:5e:af:5a:e4:30:26:ba:19:2a:a5:57:da:
+         ce:b7:b6:45:24:fb:36:b6:a3:6c:55:ca:9f:91:19:29:db:a4:
+         22:d4:45:53:b9:79:6a:a7:5e:90:a3:4d:3b:c1:b6:2b:52:41:
+         97:7d:9e:0c:cf:0a:5f:ce:0e:fe:bf:a9:e5:b7:60:17:f5:93:
+         4b:b5:6d:2d:51:a6:c1:54:65:f9:e1:5c:21:8d:3d:19:0c:dc:
+         2c:c9:17:40:65:15:d0:ad:98:06:a0:11:aa:87:b3:2d:03:29:
+         37:24:f6:42:a8:d5:58:ae:55:20:c3:37:a3:62:33:36:34:73:
+         98:bc:70:30:aa:33:b0:e4:86:b6:d9:22:79:1f:3f:68:6f:f5:
+         66:75:e8:70
+-----BEGIN CERTIFICATE-----
+MIIDlzCCAn+gAwIBAgIUTJvsldEhSR1dZacaYUZn3UIYZUYwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCSFUxEDAOBgNVBAgMB0h1bmdhcnkxDzANBgNVBAoMBmNv
+VFVSTjELMAkGA1UEAwwCQ0ExGzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5ldTAg
+Fw0yMDAzMDUwOTA1MTBaGA8zMDE5MDcwNzA5MDUxMFowWjELMAkGA1UEBhMCSFUx
+EDAOBgNVBAgMB0h1bmdhcnkxDzANBgNVBAoMBmNvVFVSTjELMAkGA1UEAwwCQ0Ex
+GzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5ldTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBANh2KllEc9olOJNU2MUrEb0wgCFfR5V9614+mA2nqDCMB20a
+7onBTMxkgZCzq1Qfm3IjxS8KMlK+J60vUe5inu1E0LqqcmcDou6g412eN+zuCylZ
+6NjVhKFtNl2Faw1zoDL+tvqZ74x4qQL0Or0TvBqbclUL5wztaADC53hK384UKpnx
+3pcWYETx/Ph05TMxzPn/XZ7Bx8YhdUgIJvV88VbsFcV/JA8IA3Tg2hC/PZBnCR6y
+P7T0Fd9T6Gjo0SiOLTf54DqjKQA9CmZ8catU5dr+RBg8tL7FzkkmjMyriI+3461b
+37LUo/ipBk84brcFszq9Y833JhXgmP0wftMzVo0CAwEAAaNTMFEwHQYDVR0OBBYE
+FBwnXkA5jOxxx+3pKlbJnt9I6oJCMB8GA1UdIwQYMBaAFBwnXkA5jOxxx+3pKlbJ
+nt9I6oJCMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBALTV2XpG
+HhqVArV+hkUWJtWKEbk0mFjfzQzVpfLMJBoi9Mc+UDlA9dboO5wF6fmVm8IBO2nV
+uk/PfKZ8bvQko9GI4ilgym2w7qa40V9J1Qimwnk6P4pj7FPvSACMYdIPOOAArG2m
+v+1qQsPPTuMNSMWnbV6vWuQwJroZKqVX2s63tkUk+za2o2xVyp+RGSnbpCLURVO5
+eWqnXpCjTTvBtitSQZd9ngzPCl/ODv6/qeW3YBf1k0u1bS1RpsFUZfnhXCGNPRkM
+3CzJF0BlFdCtmAagEaqHsy0DKTck9kKo1ViuVSDDN6NiMzY0c5i8cDCqM7DkhrbZ
+InkfP2hv9WZ16HA=
+-----END CERTIFICATE-----

@@ -0,0 +1,80 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            4c:9b:ec:95:d1:21:49:1d:5d:65:a7:1a:61:46:67:dd:42:18:65:47
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=HU, ST=Hungary, O=coTURN, CN=CA/emailAddress=misi@majd.eu
+        Validity
+            Not Before: Mar  5 09:05:21 2020 GMT
+            Not After : Mar  3 09:05:21 2030 GMT
+        Subject: C=HU, ST=Hungary, L=Debrecen, O=coTURN, CN=Server/emailAddress=misi@majd.eu
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:bc:db:f7:17:35:17:7c:46:79:64:89:61:5f:ac:
+                    cf:8f:6d:97:13:87:8a:d6:f1:ab:df:f6:69:4e:04:
+                    57:c1:4d:6c:3d:77:c9:50:0d:3d:b6:89:cd:ac:00:
+                    b5:02:45:e4:4c:78:ef:6f:18:7e:57:4e:bc:62:4d:
+                    f6:de:6c:c8:77:ea:c5:b2:b4:65:2d:46:76:bf:5e:
+                    5f:f8:45:78:55:f4:4d:20:ac:91:f0:4f:23:cb:5d:
+                    40:29:44:de:9c:f7:0a:e6:48:a4:80:35:dd:cb:e8:
+                    02:90:59:f7:31:f9:4c:50:fe:98:ef:dd:7f:60:51:
+                    2d:44:0a:14:a2:57:96:51:36:3f:73:66:db:45:5f:
+                    bd:9d:f4:82:3a:ce:ab:75:4f:d0:90:6d:43:d1:7b:
+                    2f:77:31:88:db:2f:4a:a9:4e:62:39:c7:14:7f:39:
+                    ef:e2:08:b7:18:a7:6c:f8:d9:35:d5:a3:f8:64:f5:
+                    02:51:22:1b:8e:7a:c5:44:ae:df:b1:17:0b:71:df:
+                    09:82:89:49:70:c5:9b:a0:f3:3c:02:48:75:e7:81:
+                    f9:24:51:56:24:3b:ff:b8:68:d3:13:2e:a2:f4:d1:
+                    70:33:a9:7a:d6:17:fd:ca:a5:6b:13:74:c9:ce:b6:
+                    26:4f:01:ff:eb:ba:b5:f9:a1:70:80:da:11:df:a3:
+                    7b:4f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                38:C1:E5:77:D3:01:6B:7A:A7:D8:18:6B:50:D6:FA:0E:D6:D9:B4:4F
+            X509v3 Authority Key Identifier: 
+                keyid:1C:27:5E:40:39:8C:EC:71:C7:ED:E9:2A:56:C9:9E:DF:48:EA:82:42
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         a3:37:55:68:68:02:9f:af:d6:b1:38:b3:d8:bf:30:27:33:6f:
+         21:4c:09:ee:cf:24:d2:eb:cf:1c:7a:15:98:6d:10:94:e0:4a:
+         1f:88:5c:43:90:09:78:c1:a6:82:06:16:f2:8c:d1:3a:c5:3b:
+         99:67:35:3c:00:bf:9f:a2:6a:e7:33:85:83:88:72:88:e4:d2:
+         83:1c:6c:49:92:5f:51:80:0d:92:0f:99:4d:cb:2a:18:4d:68:
+         b7:b6:d1:de:54:22:71:88:8d:04:45:c5:13:34:8d:52:7a:f7:
+         2a:e7:cb:b2:41:20:7b:ef:aa:d0:58:93:b5:e6:b5:fa:8b:22:
+         a3:ed:a7:81:9b:ca:50:f7:d0:bd:5f:f2:52:6d:8b:af:af:64:
+         36:9d:6d:81:ce:50:29:b7:db:d0:ac:a3:1d:78:77:90:29:a3:
+         84:10:69:13:e9:47:fc:e1:1e:c2:74:55:61:11:65:2d:77:e1:
+         ca:9f:2d:6f:2f:76:f6:69:bc:09:50:9a:b0:48:05:a2:53:e6:
+         93:46:81:0d:04:8b:cd:fb:a4:a7:82:08:78:f9:87:dc:0a:07:
+         91:1f:de:09:fa:00:5a:16:1a:2b:5c:83:10:03:33:2f:ad:8c:
+         9a:eb:94:0f:77:b1:9b:ec:e6:0e:dc:84:dd:35:3f:b5:8a:d2:
+         06:0e:88:d7
+-----BEGIN CERTIFICATE-----
+MIIDrDCCApSgAwIBAgIUTJvsldEhSR1dZacaYUZn3UIYZUcwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCSFUxEDAOBgNVBAgMB0h1bmdhcnkxDzANBgNVBAoMBmNv
+VFVSTjELMAkGA1UEAwwCQ0ExGzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5ldTAe
+Fw0yMDAzMDUwOTA1MjFaFw0zMDAzMDMwOTA1MjFaMHExCzAJBgNVBAYTAkhVMRAw
+DgYDVQQIDAdIdW5nYXJ5MREwDwYDVQQHDAhEZWJyZWNlbjEPMA0GA1UECgwGY29U
+VVJOMQ8wDQYDVQQDDAZTZXJ2ZXIxGzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5l
+dTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALzb9xc1F3xGeWSJYV+s
+z49tlxOHitbxq9/2aU4EV8FNbD13yVANPbaJzawAtQJF5Ex4728YfldOvGJN9t5s
+yHfqxbK0ZS1Gdr9eX/hFeFX0TSCskfBPI8tdQClE3pz3CuZIpIA13cvoApBZ9zH5
+TFD+mO/df2BRLUQKFKJXllE2P3Nm20VfvZ30gjrOq3VP0JBtQ9F7L3cxiNsvSqlO
+YjnHFH857+IItxinbPjZNdWj+GT1AlEiG456xUSu37EXC3HfCYKJSXDFm6DzPAJI
+deeB+SRRViQ7/7ho0xMuovTRcDOpetYX/cqlaxN0yc62Jk8B/+u6tfmhcIDaEd+j
+e08CAwEAAaNTMFEwHQYDVR0OBBYEFDjB5XfTAWt6p9gYa1DW+g7W2bRPMB8GA1Ud
+IwQYMBaAFBwnXkA5jOxxx+3pKlbJnt9I6oJCMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
+KoZIhvcNAQELBQADggEBAKM3VWhoAp+v1rE4s9i/MCczbyFMCe7PJNLrzxx6FZht
+EJTgSh+IXEOQCXjBpoIGFvKM0TrFO5lnNTwAv5+iauczhYOIcojk0oMcbEmSX1GA
+DZIPmU3LKhhNaLe20d5UInGIjQRFxRM0jVJ69yrny7JBIHvvqtBYk7XmtfqLIqPt
+p4GbylD30L1f8lJti6+vZDadbYHOUCm329Csox14d5Apo4QQaRPpR/zhHsJ0VWER
+ZS134cqfLW8vdvZpvAlQmrBIBaJT5pNGgQ0Ei837pKeCCHj5h9wKB5Ef3gn6AFoW
+GitcgxADMy+tjJrrlA93sZvs5g7chN01P7WK0gYOiNc=
+-----END CERTIFICATE-----

@@ -0,0 +1,80 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            4c:9b:ec:95:d1:21:49:1d:5d:65:a7:1a:61:46:67:dd:42:18:65:48
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=HU, ST=Hungary, O=coTURN, CN=CA/emailAddress=misi@majd.eu
+        Validity
+            Not Before: Mar  5 09:05:42 2020 GMT
+            Not After : Mar  3 09:05:42 2030 GMT
+        Subject: C=HU, ST=Hungary, L=Debrecen, O=coTURN, CN=Client/emailAddress=misi@majd.eu
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:af:6d:38:31:23:12:12:e7:5a:8d:ed:1c:02:7e:
+                    bf:c2:ef:7a:d1:c0:b2:4b:b4:38:9b:a7:5d:dd:01:
+                    2c:a0:e7:7c:5b:7a:4d:71:4b:c9:5b:77:e8:b3:4c:
+                    92:5b:8c:43:57:b6:c9:8c:44:66:6a:9e:8c:f2:76:
+                    58:a2:f5:38:a3:4f:ef:af:5a:c7:bf:e5:72:98:c0:
+                    b8:2e:a1:75:cc:16:8b:bf:a3:6a:e6:fd:c9:25:35:
+                    92:31:b2:78:2a:42:7b:a1:ce:25:be:32:45:6e:0b:
+                    36:22:f8:6c:9c:f3:8f:bf:c8:8c:79:d5:59:02:f5:
+                    de:1f:67:fc:ef:c7:27:88:a7:35:b1:d7:ee:dc:1c:
+                    74:11:fc:3c:56:33:b5:e7:88:ce:f3:ce:db:b9:3c:
+                    e0:eb:15:bc:00:5f:29:f4:9c:8e:4d:61:df:da:aa:
+                    f4:fc:fb:e7:4b:75:dc:dc:cf:f0:4b:3b:67:cf:bf:
+                    35:b8:0f:5b:20:94:60:dd:3b:e5:7a:ec:0e:30:2c:
+                    c1:fb:f6:21:5b:ed:80:34:9d:59:5c:95:39:a2:61:
+                    a4:13:fa:57:b9:f5:85:d4:a1:bf:91:cf:d7:dc:ac:
+                    fa:32:47:ee:d2:86:9b:14:d1:35:88:1e:2d:9f:39:
+                    74:86:de:f1:04:de:e1:39:2f:a8:91:bf:8b:f7:4f:
+                    7c:e5
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                32:BA:14:26:42:B6:5B:9E:3C:F1:53:1A:FD:DB:CB:FE:B1:A2:74:6C
+            X509v3 Authority Key Identifier: 
+                keyid:1C:27:5E:40:39:8C:EC:71:C7:ED:E9:2A:56:C9:9E:DF:48:EA:82:42
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         6b:93:56:56:81:fb:34:9e:15:2e:3e:b2:2c:73:72:60:f2:1a:
+         a8:bf:c3:f0:c7:57:00:48:37:2a:1c:63:71:1b:29:f4:2b:dc:
+         64:07:f8:72:80:65:18:c7:74:23:c1:02:00:d8:93:1d:4f:2b:
+         8c:46:34:1e:d2:6a:5c:ab:8d:ff:a7:fe:e5:c2:bf:33:55:ea:
+         2b:e2:70:e9:24:4c:4d:31:d4:dd:10:55:f5:bb:2c:a5:ec:f6:
+         8f:7a:05:1c:6c:7d:cf:85:6b:29:a7:bd:fe:a2:bc:00:45:b8:
+         ac:70:c7:c9:67:93:0a:5c:d7:52:a3:c9:fc:6c:ef:52:b2:6b:
+         bc:5b:f9:e1:9b:27:07:39:28:28:7f:a0:70:62:af:4f:42:82:
+         dd:ec:23:4d:fc:8e:19:51:87:cc:d0:29:d5:27:44:9c:fa:b5:
+         51:ea:31:eb:51:84:3f:07:5b:c0:57:5d:2a:c7:15:ed:9c:46:
+         ac:8e:14:8b:4d:82:0e:b4:6a:47:db:37:f3:03:08:86:b6:25:
+         0b:92:6d:99:a9:99:45:4e:38:45:e0:a2:4e:e7:34:50:51:ab:
+         f8:c8:ef:26:3d:7f:9f:8f:45:20:cf:f5:31:27:b6:00:3a:e0:
+         4a:d5:62:9a:29:27:9b:aa:3a:95:56:1c:d7:65:15:ce:35:10:
+         2a:7e:cc:b6
+-----BEGIN CERTIFICATE-----
+MIIDrDCCApSgAwIBAgIUTJvsldEhSR1dZacaYUZn3UIYZUgwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCSFUxEDAOBgNVBAgMB0h1bmdhcnkxDzANBgNVBAoMBmNv
+VFVSTjELMAkGA1UEAwwCQ0ExGzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5ldTAe
+Fw0yMDAzMDUwOTA1NDJaFw0zMDAzMDMwOTA1NDJaMHExCzAJBgNVBAYTAkhVMRAw
+DgYDVQQIDAdIdW5nYXJ5MREwDwYDVQQHDAhEZWJyZWNlbjEPMA0GA1UECgwGY29U
+VVJOMQ8wDQYDVQQDDAZDbGllbnQxGzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5l
+dTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK9tODEjEhLnWo3tHAJ+
+v8LvetHAsku0OJunXd0BLKDnfFt6TXFLyVt36LNMkluMQ1e2yYxEZmqejPJ2WKL1
+OKNP769ax7/lcpjAuC6hdcwWi7+jaub9ySU1kjGyeCpCe6HOJb4yRW4LNiL4bJzz
+j7/IjHnVWQL13h9n/O/HJ4inNbHX7twcdBH8PFYzteeIzvPO27k84OsVvABfKfSc
+jk1h39qq9Pz750t13NzP8Es7Z8+/NbgPWyCUYN075XrsDjAswfv2IVvtgDSdWVyV
+OaJhpBP6V7n1hdShv5HP19ys+jJH7tKGmxTRNYgeLZ85dIbe8QTe4TkvqJG/i/dP
+fOUCAwEAAaNTMFEwHQYDVR0OBBYEFDK6FCZCtluePPFTGv3by/6xonRsMB8GA1Ud
+IwQYMBaAFBwnXkA5jOxxx+3pKlbJnt9I6oJCMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
+KoZIhvcNAQELBQADggEBAGuTVlaB+zSeFS4+sixzcmDyGqi/w/DHVwBINyocY3Eb
+KfQr3GQH+HKAZRjHdCPBAgDYkx1PK4xGNB7Salyrjf+n/uXCvzNV6ivicOkkTE0x
+1N0QVfW7LKXs9o96BRxsfc+Faymnvf6ivABFuKxwx8lnkwpc11Kjyfxs71Kya7xb
++eGbJwc5KCh/oHBir09Cgt3sI038jhlRh8zQKdUnRJz6tVHqMetRhD8HW8BXXSrH
+Fe2cRqyOFItNgg60akfbN/MDCIa2JQuSbZmpmUVOOEXgok7nNFBRq/jI7yY9f5+P
+RSDP9TEntgA64ErVYpopJ5uqOpVWHNdlFc41ECp+zLY=
+-----END CERTIFICATE-----

@@ -0,0 +1,22 @@
+--- CA.pl	2019-10-12 19:56:43.000000000 +0000
++++ CA.pl	2020-03-05 07:58:41.112690266 +0000
+@@ -25,8 +25,8 @@
+ my $verbose = 1;
+ 
+ my $OPENSSL_CONFIG = $ENV{"OPENSSL_CONFIG"} || "";
+-my $DAYS = "-days 365";
+-my $CADAYS = "-days 1095";	# 3 years
++my $DAYS = "-days 36500";
++my $CADAYS = "-days 365000";	# 1000 years
+ my $REQ = "$openssl req $OPENSSL_CONFIG";
+ my $CA = "$openssl ca $OPENSSL_CONFIG";
+ my $VERIFY = "$openssl verify";
+@@ -34,7 +34,7 @@
+ my $PKCS12 = "$openssl pkcs12";
+ 
+ # default openssl.cnf file has setup as per the following
+-my $CATOP = "./demoCA";
++my $CATOP = "./CA";
+ my $CAKEY = "cakey.pem";
+ my $CAREQ = "careq.pem";
+ my $CACERT = "cacert.pem";

@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIeK2OY7PJbzYCAggA
+MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECKP+q72oc4q7BIIEyHkaZfqjSX9W
+HIHqbQtHOMlAtqSxmAyV6C3pXLwNuEpo4cYwyPUdJwMNxm8OjsxuH708daZu5QWl
+7EVNV4WY9ff4/4geJAp9ZrqJN5TsgFIUyss5NzHjTMPUz/yunr0Hk5OOVLusTCqF
+Ys0Qdo2Gy33NZCK53U22pa0S/szppN4DIDujSOuUAiyxJdz12cCUyw/OlAXvDLJb
+I9oObKWpbYBtJSLk5aWblZDUTVmFWngkTIc76wchBXu7WntLjXdMG2lv4Gy/ozUb
+vsYvEADNRJFOpYyfWvmEFNKvEcVxfzshnms9TdzhDCmYhmYR+NfamYq5Om+81Pv3
+h+z1Zd7x3uYs8NM+DbRKhwHS6jkQCxelWdQbeSJj/Fz9VpWSrJlkmhXI+7qkBCsv
+DVoz017Y2zK/iM5JRPTH65tnNMeH61Zj4EOHBEzMBE6EvugJcSqPXfBKtVMwVAzV
+Mva8gtOlMN0Ce9dmG+HZKDek6S++5AbkxuOwRb+YOVXjUrNXXf0YqglM9Nb/RCr4
+Z+gkuTCwARJZqjebZnUw1mSZp2R89X774wNDHAlw96tSW2OZlfPmbvXBnwT7QwPm
+YBZT6CrLL7LEIs0G5zFh1L/PCQi7EyNaE9Ixw52nqc5Ej2M6Rj6XcdCRdw5IKmh/
+BbTzD0LxfNh+XKpAIzkuNfGkwUVtfldmfpW3xRKzI1o+rbgDGMA/eEFYWmyE9326
+/vsv7daE4zWAG4O5OdGKMKBABCqM92X2YU7bZoNQS25dy7uZsQ8zvkcI1Q1GKMW0
+Lg2oDTSTSrPRVgLAcb0o06Frvler5F277OBfBm1+6+7aL3hct4TZjb+0pp5SuxrS
+7PpRXMFYzbQ+Z7YrRv6uwrrxVl99Ok/jBGLYT+CllZ+PNvRbcgsy0xUIz6KTbQQZ
+H4qqkObdKFHQLqfP9+YUwjE2akR/prOR2Dfoq648L/eEF4qpGCADaXFoHODWfiqz
+VQHvLP4FN4ppYn3jB4lSTIl+7s92XznK5aN5AERRdUIfjPnZB8lQkDP/qwwCI0Ki
+SRxUtsrMef1biTKL5HI3On2wPLFQCGVEmiQoD8uEqaB/vAdJy5ZdQ3HA547TxLmy
+TJ6je8QMFUcO3n1pJWeUHuL+WyGrcstOEkZiFQyVpAFFeS7h6u2UI7HyNXGaP1mk
++vWulewlMjWHw05qG9wLqEiDkpZgmx4garfWbR2rggBu1Jlg4svS2jdmytuKQ735
+E1e5g7TCSzv6sHzdHfQ2WaVvfM5YfxqWpgPhNH2t7rScoLTvI2txyhpIIEIMn+ip
+tBM15Ai+L92gr4wLJlsBOcKOWSN46ucqQsGla3so0PZAtU4hVPEJ+PzaR2czStUk
+MzrKfG1qox+JW8BBiW2zV2idKy2440Sn/NSqMyvZgEFn7GDaAcTsZi2FhRLT1Fg+
+2c5viBTaCRdh20QDQQu3skEhbFU5GjeZEqCO25hX5L3BZPnQtwQujc2RU9aGWwPm
+o/nrp8ilBRI18qFdxfqFEV6ftdVNXlrV+cMgtuwPNX6vnmKWjN67/cDIUML3ab+e
+9cx0rBvCBvMn7Q0AvY/RcsVP0DaLmov7ciuvih0ptCgYThov7FJ2V+q+2LbNLwSc
+qpi/6R+l6bIjP0UITKZlug==
+-----END ENCRYPTED PRIVATE KEY-----

@@ -0,0 +1 @@
+4C9BEC95D121491D5D65A71A614667DD42186549

@@ -0,0 +1 @@
+4C9BEC95D121491D5D65A71A614667DD42186548

@@ -0,0 +1,364 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# System default
+openssl_conf = default_conf
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= ./CA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several certs with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem# The private key
+
+x509_extensions	= usr_cert		# The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= default		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 2048
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= HU
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Hungary
+
+localityName			= Locality Name (eg, city)
+localityName_default		= Debrecen
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= coTURN
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+#organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (e.g. server FQDN or YOUR name)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_default		= misi@majd.eu
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+#challengePassword		= A challenge password
+#challengePassword_min		= 4
+#challengePassword_max		= 20
+
+#unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1	# the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir		= ./CA		# TSA root directory
+serial		= $dir/tsaserial	# The current serial number (mandatory)
+crypto_device	= builtin		# OpenSSL engine to use for signing
+signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
+					# (optional)
+certs		= $dir/cacert.pem	# Certificate chain to include in reply
+					# (optional)
+signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest  = sha256			# Signing digest to use. (Optional)
+default_policy	= tsa_policy1		# Policy if request did not specify it
+					# (optional)
+other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
+accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
+clock_precision_digits  = 0	# number of digits after dot. (optional)
+ordering		= yes	# Is ordering defined for timestamps?
+				# (optional, default: no)
+tsa_name		= yes	# Must the TSA name be included in the reply?
+				# (optional, default: no)
+ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
+				# (optional, default: no)
+ess_cert_id_alg		= sha1	# algorithm to compute certificate
+				# identifier (optional, default: sha1)
+[default_conf]
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+MinProtocol = TLSv1.2
+CipherString = DEFAULT@SECLEVEL=2

@@ -0,0 +1,16 @@
+#!/bin/bash
+#set -x
+# key passwd: coTURN
+cp /usr/lib/ssl/misc/CA.pl ./CA.pl
+patch < CA.pl.diff
+export OPENSSL_CONFIG="-config openssl.conf"
+./CA.pl -newca
+
+for i in "server" "client"; 
+do
+	./CA.pl -newreq-nodes
+	./CA.pl -signCA
+	mv newcert.pem turn_${i}_cert.pem
+	mv newkey.pem turn_${i}_pkey.pem
+	rm newreq.pem
+done;

@@ -0,0 +1,80 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            4c:9b:ec:95:d1:21:49:1d:5d:65:a7:1a:61:46:67:dd:42:18:65:48
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=HU, ST=Hungary, O=coTURN, CN=CA/emailAddress=misi@majd.eu
+        Validity
+            Not Before: Mar  5 09:05:42 2020 GMT
+            Not After : Mar  3 09:05:42 2030 GMT
+        Subject: C=HU, ST=Hungary, L=Debrecen, O=coTURN, CN=Client/emailAddress=misi@majd.eu
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:af:6d:38:31:23:12:12:e7:5a:8d:ed:1c:02:7e:
+                    bf:c2:ef:7a:d1:c0:b2:4b:b4:38:9b:a7:5d:dd:01:
+                    2c:a0:e7:7c:5b:7a:4d:71:4b:c9:5b:77:e8:b3:4c:
+                    92:5b:8c:43:57:b6:c9:8c:44:66:6a:9e:8c:f2:76:
+                    58:a2:f5:38:a3:4f:ef:af:5a:c7:bf:e5:72:98:c0:
+                    b8:2e:a1:75:cc:16:8b:bf:a3:6a:e6:fd:c9:25:35:
+                    92:31:b2:78:2a:42:7b:a1:ce:25:be:32:45:6e:0b:
+                    36:22:f8:6c:9c:f3:8f:bf:c8:8c:79:d5:59:02:f5:
+                    de:1f:67:fc:ef:c7:27:88:a7:35:b1:d7:ee:dc:1c:
+                    74:11:fc:3c:56:33:b5:e7:88:ce:f3:ce:db:b9:3c:
+                    e0:eb:15:bc:00:5f:29:f4:9c:8e:4d:61:df:da:aa:
+                    f4:fc:fb:e7:4b:75:dc:dc:cf:f0:4b:3b:67:cf:bf:
+                    35:b8:0f:5b:20:94:60:dd:3b:e5:7a:ec:0e:30:2c:
+                    c1:fb:f6:21:5b:ed:80:34:9d:59:5c:95:39:a2:61:
+                    a4:13:fa:57:b9:f5:85:d4:a1:bf:91:cf:d7:dc:ac:
+                    fa:32:47:ee:d2:86:9b:14:d1:35:88:1e:2d:9f:39:
+                    74:86:de:f1:04:de:e1:39:2f:a8:91:bf:8b:f7:4f:
+                    7c:e5
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                32:BA:14:26:42:B6:5B:9E:3C:F1:53:1A:FD:DB:CB:FE:B1:A2:74:6C
+            X509v3 Authority Key Identifier: 
+                keyid:1C:27:5E:40:39:8C:EC:71:C7:ED:E9:2A:56:C9:9E:DF:48:EA:82:42
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         6b:93:56:56:81:fb:34:9e:15:2e:3e:b2:2c:73:72:60:f2:1a:
+         a8:bf:c3:f0:c7:57:00:48:37:2a:1c:63:71:1b:29:f4:2b:dc:
+         64:07:f8:72:80:65:18:c7:74:23:c1:02:00:d8:93:1d:4f:2b:
+         8c:46:34:1e:d2:6a:5c:ab:8d:ff:a7:fe:e5:c2:bf:33:55:ea:
+         2b:e2:70:e9:24:4c:4d:31:d4:dd:10:55:f5:bb:2c:a5:ec:f6:
+         8f:7a:05:1c:6c:7d:cf:85:6b:29:a7:bd:fe:a2:bc:00:45:b8:
+         ac:70:c7:c9:67:93:0a:5c:d7:52:a3:c9:fc:6c:ef:52:b2:6b:
+         bc:5b:f9:e1:9b:27:07:39:28:28:7f:a0:70:62:af:4f:42:82:
+         dd:ec:23:4d:fc:8e:19:51:87:cc:d0:29:d5:27:44:9c:fa:b5:
+         51:ea:31:eb:51:84:3f:07:5b:c0:57:5d:2a:c7:15:ed:9c:46:
+         ac:8e:14:8b:4d:82:0e:b4:6a:47:db:37:f3:03:08:86:b6:25:
+         0b:92:6d:99:a9:99:45:4e:38:45:e0:a2:4e:e7:34:50:51:ab:
+         f8:c8:ef:26:3d:7f:9f:8f:45:20:cf:f5:31:27:b6:00:3a:e0:
+         4a:d5:62:9a:29:27:9b:aa:3a:95:56:1c:d7:65:15:ce:35:10:
+         2a:7e:cc:b6
+-----BEGIN CERTIFICATE-----
+MIIDrDCCApSgAwIBAgIUTJvsldEhSR1dZacaYUZn3UIYZUgwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCSFUxEDAOBgNVBAgMB0h1bmdhcnkxDzANBgNVBAoMBmNv
+VFVSTjELMAkGA1UEAwwCQ0ExGzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5ldTAe
+Fw0yMDAzMDUwOTA1NDJaFw0zMDAzMDMwOTA1NDJaMHExCzAJBgNVBAYTAkhVMRAw
+DgYDVQQIDAdIdW5nYXJ5MREwDwYDVQQHDAhEZWJyZWNlbjEPMA0GA1UECgwGY29U
+VVJOMQ8wDQYDVQQDDAZDbGllbnQxGzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5l
+dTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK9tODEjEhLnWo3tHAJ+
+v8LvetHAsku0OJunXd0BLKDnfFt6TXFLyVt36LNMkluMQ1e2yYxEZmqejPJ2WKL1
+OKNP769ax7/lcpjAuC6hdcwWi7+jaub9ySU1kjGyeCpCe6HOJb4yRW4LNiL4bJzz
+j7/IjHnVWQL13h9n/O/HJ4inNbHX7twcdBH8PFYzteeIzvPO27k84OsVvABfKfSc
+jk1h39qq9Pz750t13NzP8Es7Z8+/NbgPWyCUYN075XrsDjAswfv2IVvtgDSdWVyV
+OaJhpBP6V7n1hdShv5HP19ys+jJH7tKGmxTRNYgeLZ85dIbe8QTe4TkvqJG/i/dP
+fOUCAwEAAaNTMFEwHQYDVR0OBBYEFDK6FCZCtluePPFTGv3by/6xonRsMB8GA1Ud
+IwQYMBaAFBwnXkA5jOxxx+3pKlbJnt9I6oJCMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
+KoZIhvcNAQELBQADggEBAGuTVlaB+zSeFS4+sixzcmDyGqi/w/DHVwBINyocY3Eb
+KfQr3GQH+HKAZRjHdCPBAgDYkx1PK4xGNB7Salyrjf+n/uXCvzNV6ivicOkkTE0x
+1N0QVfW7LKXs9o96BRxsfc+Faymnvf6ivABFuKxwx8lnkwpc11Kjyfxs71Kya7xb
++eGbJwc5KCh/oHBir09Cgt3sI038jhlRh8zQKdUnRJz6tVHqMetRhD8HW8BXXSrH
+Fe2cRqyOFItNgg60akfbN/MDCIa2JQuSbZmpmUVOOEXgok7nNFBRq/jI7yY9f5+P
+RSDP9TEntgA64ErVYpopJ5uqOpVWHNdlFc41ECp+zLY=
+-----END CERTIFICATE-----

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCvbTgxIxIS51qN
+7RwCfr/C73rRwLJLtDibp13dASyg53xbek1xS8lbd+izTJJbjENXtsmMRGZqnozy
+dlii9TijT++vWse/5XKYwLguoXXMFou/o2rm/cklNZIxsngqQnuhziW+MkVuCzYi
++Gyc84+/yIx51VkC9d4fZ/zvxyeIpzWx1+7cHHQR/DxWM7XniM7zztu5PODrFbwA
+Xyn0nI5NYd/aqvT8++dLddzcz/BLO2fPvzW4D1sglGDdO+V67A4wLMH79iFb7YA0
+nVlclTmiYaQT+le59YXUob+Rz9fcrPoyR+7ShpsU0TWIHi2fOXSG3vEE3uE5L6iR
+v4v3T3zlAgMBAAECggEBAINzP+vx75UirwQybA6ik2aqtEmALxnzDYf1PaxhOOPJ
+EbIqTuVaeKOFkmToN7NJwxxy50un5WZ3L/5vF7PkNHCLcXrgd1UfxWMY5eprKi2n
+p0gOWAiGmra7EbUTml9wOdvg8P84BDaVSBekNx7Ukx6OVFTmvTAutCascSfq/4Cx
+K71zaW/I9hrU8oNDBDzolVW4gW8ObNLGhoDqmvkoXrlrGEBNqkuErbbYZA1k/001
+lurEh7Zp7Kp6jjHcRm83a7bWiRYGtv1K9kR9MKKLW7au8zyjYcesTvS2QjY+k20W
+vE2kmyAosbJShFzTmZn8kwgh6c0BPyFDEI5XleMeefECgYEA6ZhgG87wyU4RDU1N
+PxLV9ufbSYpW91KP1iuZ5Z6QdLGWZeWKjvxtoLAa3z9ceIBVvFqCGDn4DfwIaNLe
+tGsjeyXre1R3/B0S/oAJbmbRV4pWl/jSzgbzCTGW7x1mpqgpJdHFmTbqTxkNB6cM
+fpzTPfM012KfRglD9D+2DTOCyEsCgYEAwECXQRIe7/657J68GHSBCaQ+rzDL3nRe
+exe4duHyXok0yohk7OiPepKQ1hdYq2PHhGEj6b5OgFppWeA66M/ndjX4S10oCtN0
+oEb7honFz4ZmHmqQ6UotAuBx7tq06v+KI/eTvefTVh9mujdwMW4sAowhx9Dw6PkR
+ipFCdi458Y8CgYEAhJ//ySoYKaMKKWw/NFVkZ9fB+CH0OF2GzslYijcZuzdstZO6
+tG37bCUwTJozzTLH+rXEcS7QeFglCibXTMYbkfq4lQAjU1/KffaB5E26A6LGgWhD
+f7gQWqLuF/qwYmTNX+yW7ONx6tDFRhgBDw3JHb4svTEATwpJq65UlXAui7sCgYBD
+krBXO8JKApNg+s4MHm74b5VkyFbv4qEOzOCWUIZ6+ejnQxeOOZOstnVX+q681v5a
+pjYUQ0KeVKjw4SJzkBe/8epKuvyHCZnVd/2SZTx0271q9XPnu52khDUnihHLA3SP
+fcadGi2q+LCHxVKW3S1028JH1EXI7TpgJPxiQ480OwKBgQDmi0BiSFaxNVcJm+pq
+rbmK2pRPl49VOlc7px89ilZgoIeU8jwWQyqXRooarFhV1H0SA6oh52jYljiIIFVn
+qwKfS3Sjo6iW3ytjGcRLeNS0Sk8D2XMky7Mw120ZxatTsKw3ztmYFAlSYdxRMnue
+zkYzcxL3N2LvHeY8SOwyxayfxg==
+-----END PRIVATE KEY-----

@@ -0,0 +1,80 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            4c:9b:ec:95:d1:21:49:1d:5d:65:a7:1a:61:46:67:dd:42:18:65:47
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=HU, ST=Hungary, O=coTURN, CN=CA/emailAddress=misi@majd.eu
+        Validity
+            Not Before: Mar  5 09:05:21 2020 GMT
+            Not After : Mar  3 09:05:21 2030 GMT
+        Subject: C=HU, ST=Hungary, L=Debrecen, O=coTURN, CN=Server/emailAddress=misi@majd.eu
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:bc:db:f7:17:35:17:7c:46:79:64:89:61:5f:ac:
+                    cf:8f:6d:97:13:87:8a:d6:f1:ab:df:f6:69:4e:04:
+                    57:c1:4d:6c:3d:77:c9:50:0d:3d:b6:89:cd:ac:00:
+                    b5:02:45:e4:4c:78:ef:6f:18:7e:57:4e:bc:62:4d:
+                    f6:de:6c:c8:77:ea:c5:b2:b4:65:2d:46:76:bf:5e:
+                    5f:f8:45:78:55:f4:4d:20:ac:91:f0:4f:23:cb:5d:
+                    40:29:44:de:9c:f7:0a:e6:48:a4:80:35:dd:cb:e8:
+                    02:90:59:f7:31:f9:4c:50:fe:98:ef:dd:7f:60:51:
+                    2d:44:0a:14:a2:57:96:51:36:3f:73:66:db:45:5f:
+                    bd:9d:f4:82:3a:ce:ab:75:4f:d0:90:6d:43:d1:7b:
+                    2f:77:31:88:db:2f:4a:a9:4e:62:39:c7:14:7f:39:
+                    ef:e2:08:b7:18:a7:6c:f8:d9:35:d5:a3:f8:64:f5:
+                    02:51:22:1b:8e:7a:c5:44:ae:df:b1:17:0b:71:df:
+                    09:82:89:49:70:c5:9b:a0:f3:3c:02:48:75:e7:81:
+                    f9:24:51:56:24:3b:ff:b8:68:d3:13:2e:a2:f4:d1:
+                    70:33:a9:7a:d6:17:fd:ca:a5:6b:13:74:c9:ce:b6:
+                    26:4f:01:ff:eb:ba:b5:f9:a1:70:80:da:11:df:a3:
+                    7b:4f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                38:C1:E5:77:D3:01:6B:7A:A7:D8:18:6B:50:D6:FA:0E:D6:D9:B4:4F
+            X509v3 Authority Key Identifier: 
+                keyid:1C:27:5E:40:39:8C:EC:71:C7:ED:E9:2A:56:C9:9E:DF:48:EA:82:42
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         a3:37:55:68:68:02:9f:af:d6:b1:38:b3:d8:bf:30:27:33:6f:
+         21:4c:09:ee:cf:24:d2:eb:cf:1c:7a:15:98:6d:10:94:e0:4a:
+         1f:88:5c:43:90:09:78:c1:a6:82:06:16:f2:8c:d1:3a:c5:3b:
+         99:67:35:3c:00:bf:9f:a2:6a:e7:33:85:83:88:72:88:e4:d2:
+         83:1c:6c:49:92:5f:51:80:0d:92:0f:99:4d:cb:2a:18:4d:68:
+         b7:b6:d1:de:54:22:71:88:8d:04:45:c5:13:34:8d:52:7a:f7:
+         2a:e7:cb:b2:41:20:7b:ef:aa:d0:58:93:b5:e6:b5:fa:8b:22:
+         a3:ed:a7:81:9b:ca:50:f7:d0:bd:5f:f2:52:6d:8b:af:af:64:
+         36:9d:6d:81:ce:50:29:b7:db:d0:ac:a3:1d:78:77:90:29:a3:
+         84:10:69:13:e9:47:fc:e1:1e:c2:74:55:61:11:65:2d:77:e1:
+         ca:9f:2d:6f:2f:76:f6:69:bc:09:50:9a:b0:48:05:a2:53:e6:
+         93:46:81:0d:04:8b:cd:fb:a4:a7:82:08:78:f9:87:dc:0a:07:
+         91:1f:de:09:fa:00:5a:16:1a:2b:5c:83:10:03:33:2f:ad:8c:
+         9a:eb:94:0f:77:b1:9b:ec:e6:0e:dc:84:dd:35:3f:b5:8a:d2:
+         06:0e:88:d7
+-----BEGIN CERTIFICATE-----
+MIIDrDCCApSgAwIBAgIUTJvsldEhSR1dZacaYUZn3UIYZUcwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCSFUxEDAOBgNVBAgMB0h1bmdhcnkxDzANBgNVBAoMBmNv
+VFVSTjELMAkGA1UEAwwCQ0ExGzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5ldTAe
+Fw0yMDAzMDUwOTA1MjFaFw0zMDAzMDMwOTA1MjFaMHExCzAJBgNVBAYTAkhVMRAw
+DgYDVQQIDAdIdW5nYXJ5MREwDwYDVQQHDAhEZWJyZWNlbjEPMA0GA1UECgwGY29U
+VVJOMQ8wDQYDVQQDDAZTZXJ2ZXIxGzAZBgkqhkiG9w0BCQEWDG1pc2lAbWFqZC5l
+dTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALzb9xc1F3xGeWSJYV+s
+z49tlxOHitbxq9/2aU4EV8FNbD13yVANPbaJzawAtQJF5Ex4728YfldOvGJN9t5s
+yHfqxbK0ZS1Gdr9eX/hFeFX0TSCskfBPI8tdQClE3pz3CuZIpIA13cvoApBZ9zH5
+TFD+mO/df2BRLUQKFKJXllE2P3Nm20VfvZ30gjrOq3VP0JBtQ9F7L3cxiNsvSqlO
+YjnHFH857+IItxinbPjZNdWj+GT1AlEiG456xUSu37EXC3HfCYKJSXDFm6DzPAJI
+deeB+SRRViQ7/7ho0xMuovTRcDOpetYX/cqlaxN0yc62Jk8B/+u6tfmhcIDaEd+j
+e08CAwEAAaNTMFEwHQYDVR0OBBYEFDjB5XfTAWt6p9gYa1DW+g7W2bRPMB8GA1Ud
+IwQYMBaAFBwnXkA5jOxxx+3pKlbJnt9I6oJCMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
+KoZIhvcNAQELBQADggEBAKM3VWhoAp+v1rE4s9i/MCczbyFMCe7PJNLrzxx6FZht
+EJTgSh+IXEOQCXjBpoIGFvKM0TrFO5lnNTwAv5+iauczhYOIcojk0oMcbEmSX1GA
+DZIPmU3LKhhNaLe20d5UInGIjQRFxRM0jVJ69yrny7JBIHvvqtBYk7XmtfqLIqPt
+p4GbylD30L1f8lJti6+vZDadbYHOUCm329Csox14d5Apo4QQaRPpR/zhHsJ0VWER
+ZS134cqfLW8vdvZpvAlQmrBIBaJT5pNGgQ0Ei837pKeCCHj5h9wKB5Ef3gn6AFoW
+GitcgxADMy+tjJrrlA93sZvs5g7chN01P7WK0gYOiNc=
+-----END CERTIFICATE-----

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC82/cXNRd8Rnlk
+iWFfrM+PbZcTh4rW8avf9mlOBFfBTWw9d8lQDT22ic2sALUCReRMeO9vGH5XTrxi
+TfbebMh36sWytGUtRna/Xl/4RXhV9E0grJHwTyPLXUApRN6c9wrmSKSANd3L6AKQ
+Wfcx+UxQ/pjv3X9gUS1EChSiV5ZRNj9zZttFX72d9II6zqt1T9CQbUPRey93MYjb
+L0qpTmI5xxR/Oe/iCLcYp2z42TXVo/hk9QJRIhuOesVErt+xFwtx3wmCiUlwxZug
+8zwCSHXngfkkUVYkO/+4aNMTLqL00XAzqXrWF/3KpWsTdMnOtiZPAf/rurX5oXCA
+2hHfo3tPAgMBAAECggEALGPXVBEakA9QgRz5Ui+gKaoslF6Ld7IeH+ofHkNPDRRR
+mLELFFHIa5tASGlyIjKjUoYqYQZ0y7ip9sE0gVs4U1dPWI2mKlohlyFrlUNe4XUm
+m8N0GfPAChDE/+48FNDMMwxn/eqrUz4ZPCypOYnLMk5lTBvX0J/D7/Yem3nSzwt1
+qkZoijxZH5IvJAJkBWvucRuJ8XxHzOAo2V2Y+wTdilcJhfCvqGC0rkydjaN6TtRW
+HWKvAOa7hEegNBbZhHhKfw5ovQwj9Cnr2+8gaTSw5gVaZNnhCO+TlUfQHIBH9rmt
+82SHu1QoYSGMvkjlrrKhRYHrx+4P4TXoZ6eB1hl3QQKBgQDmwUOkh6qwL2dtcrF1
+bVdRZjb1bw6L8qZAgUkcA1IaLVUlhjEJZGXAoPbLn6Vq+jfOvaYLmzEaLcpn3pfx
+Hwcb1vnNW7dlXC1vpIWXPZP4IPJV4XsL1AgoEj6mgETHxvC+4cLc2gaMY5o5TzUv
+VdV/A7SIqxAyPccXt1u/eITfNwKBgQDRhVTTJiBsGGjOetfgNqNGxpkKB6W4cET9
+EyC1c7Lh40lioA2G8lzhFCdK9VZ+cAT51Bmkr5jq29EyMafSy3e4+PG8ZLHVL0ll
+qBY4vSzHQNcGvUgh+15g6ISgCbM0eSsAea3LY+fmchz6mBS6DhyMkYPSbV+7YvHJ
+PSnfTkTgqQKBgQCO+SQOJzjs3RI6UBv/4/V8K9bVjy/2Kiw0P2arAqu2KGxfSZvM
+c/ZPuevwEkSN2ecGI59kBY4Q6FpGrTZ7YXwoFbTFNpSVKt3EFK3pHXA3B0LfT0vL
+8l3zZgqHY2Y6WdsEiiEQcc4o4fXGmHsdjxMvFX6gR01Ls9dNrIAeTHAXVQKBgGoL
+Q72C5JIRYKpw/mYbAVTHG5o5+KR7Hk/AqKNuJbGyqefi/jW44U2CN8j2l4pzA/G2
+aiwyPAFStHTlMP29waC7Tw59IIy33Dw5cNXS2aEXrj1Y+/NHGKOPy+B8SFlcomkh
+LNduf2bhhs1Gv+bTUZvL4p5UgUmEcL/b1x+Qq8fRAoGBAIpNCp4W+TsPUJcQKoWm
+L61RVr5GaHv7/qxQvYaXIVCq8/gZAbJi3/A9ieTrF72uuOZ+ajzFHDUiiDs19y67
+mCvCchPgqzLy9iSs6mm8fmS6kJnWn04I+7DOfe7kScUnD5WkyNaTYAeOqvdWzl/i
+B1hQJJ9GzZG5Rztlotm5m/JY
+-----END PRIVATE KEY-----

@@ -0,0 +1 @@
+../ca/CA/cacert.pem
\ No newline at end of file

@@ -0,0 +1,24 @@
+[Unit]
+Description=Coturn STUN/TURN Server
+Documentation=man:coturn(1) man:turnadmin(1) man:turnserver(1)
+After=network.target
+After=network-online.target
+After=remote-fs.target
+Wants=network-online.target
+
+[Service]
+User=turnserver
+Group=turnserver
+Type=forking
+RuntimeDirectory=turnserver
+PIDFile=/run/turnserver/turnserver.pid
+ExecStart=/usr/bin/turnserver --daemon -c /etc/turnserver.conf --pidfile /run/turnserver/turnserver.pid
+#FixMe: turnserver exit faster than it is finshing the setup and ready for handling the connection.
+ExecStartPost=/bin/sleep 2
+Restart=on-failure
+InaccessibleDirectories=/home
+PrivateTmp=yes
+
+[Install]
+WantedBy=multi-user.target
+Alias=turnserver.service

@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDzjCCArYCCQD3YHhln4EqhDANBgkqhkiG9w0BAQUFADCBpzELMAkGA1UEBhMC
-VVMxCzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxXYWxudXQgQ3JlZWsxKzApBgNVBAoT
-IlJGQzU3NjYgVFVSTiBTZXJ2ZXIgcHVibGljIHByb2plY3QxFDASBgNVBAsTC2Rl
-dmVsb3BtZW50MQ0wCwYDVQQDEwRPbGVnMSIwIAYJKoZIhvcNAQkBFhNtb20wNDAy
-NjdAZ21haWwuY29tMCAXDTEyMTEyNzAwNDEwNVoYDzIxMTIxMTAzMDA0MTA1WjCB
-pzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxXYWxudXQgQ3Jl
-ZWsxKzApBgNVBAoTIlJGQzU3NjYgVFVSTiBTZXJ2ZXIgcHVibGljIHByb2plY3Qx
-FDASBgNVBAsTC2RldmVsb3BtZW50MQ0wCwYDVQQDEwRPbGVnMSIwIAYJKoZIhvcN
-AQkBFhNtb20wNDAyNjdAZ21haWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEA3huHvPYyvNZBK91bP3O1dBdOj93YQ3812BTcRMjEYnvSyyEosxFd
-dEnILgDiFK//pFnDtwm7FxOCtVwRQ0+8qGTH4vH0EIpKTBsaafKH3L9CYe40pwcm
-BJHvclOa4vl2Ghi09+M0UEHdokkM77K9rpXx7aZILoICkqnoAuBe0TY8D5PBXinM
-gtk7HlrvANxSmPHAAaGQ5t/+jfTWVH1UYCpogTgCKYPbNi+joKu6oEz+qRKAqDYd
-FY6/Qpiv7reYiNiVhM7HGNY27FkKDJDBhsmZRmtTIEdYFfcWPZvv69L7Rf1skOXF
-Vm5/to3HArJJF+lz6YGj0C3pE6dZt6sUmQIDAQABMA0GCSqGSIb3DQEBBQUAA4IB
-AQAhXgGdXXf0dMPdkfl4jv4dqFNSmax6wmeNc+oJC9qIFVDLsdAaAWXZ+pZHYIMR
-UN8mQobsIZdfPQ0gs8CgUwrKziAjA92y2Q/I7vsg83qRLhysGC5etYMD/wlySDDS
-AJKraevDPTEdmfNstCblubNG2PIeqV1isWtPMqB2dMsCeyzJXVyfD0QcABzFv4Fs
-MMy7JI7MsctNh1tjV/0TsddDMeMLs22rix5fS8MZ6uunFzIuJ0MshFNehXFuvz0B
-uNmn0k7djUm3h+2Avs3YGCo/8GtqHapc/lva/9gT+iEW0e7i0Ru5Jhar66VMzJqv
-+wEhQafC77d3vWHtXQU8dYmM
------END CERTIFICATE-----

@@ -0,0 +1 @@
+../ca/turn_client_cert.pem
\ No newline at end of file

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA3huHvPYyvNZBK91bP3O1dBdOj93YQ3812BTcRMjEYnvSyyEo
-sxFddEnILgDiFK//pFnDtwm7FxOCtVwRQ0+8qGTH4vH0EIpKTBsaafKH3L9CYe40
-pwcmBJHvclOa4vl2Ghi09+M0UEHdokkM77K9rpXx7aZILoICkqnoAuBe0TY8D5PB
-XinMgtk7HlrvANxSmPHAAaGQ5t/+jfTWVH1UYCpogTgCKYPbNi+joKu6oEz+qRKA
-qDYdFY6/Qpiv7reYiNiVhM7HGNY27FkKDJDBhsmZRmtTIEdYFfcWPZvv69L7Rf1s
-kOXFVm5/to3HArJJF+lz6YGj0C3pE6dZt6sUmQIDAQABAoIBAH5ITN8FZEe10gws
-qUrkcRD2h3aI/gMyetzGz45UUERmfq17xvY5M1eA884kNmbowoMhfoO9hqBSOYkA
-Ndh9p5he5L+GLeyRlDi9WEFQ4iqCnC2uEEW/bMBAcVIhcvkGOT4ROiOPDRlsuaUh
-v7cxe2OeYZVra7L1vJzC+eVYyNBN5CgK8w08MPEkupQS9+Jvr0QWCikRz187cG45
-EiDMrBKyJNE9lY6u4P8gJ+/NgaASWP/D3kbsjiQ2OwSGLrwDAvWC7Bx2GK3/0goA
-btp7YGaWvp+mE5V91cOW+PfweC5Do4MjOr4ToNkczW0AxKE5o94yo56h+II5bX6N
-z65VvtkCgYEA/Sq/3S2yup/Oodzj003KG4skWYFrj7KXeXgm7RZcpNwkd8JaFXJ/
-Cwl7/3bkRv6RHLmXX/2hcNWlxq3u6Efs1EjtycdArU68kO01vLdExJYIzHKmHikV
-n+T4hukxGDzObxn3lH1KcOodh/x572Uufn79dewoZCPzH8t/jiMOWGcCgYEA4JfN
-66Kq/oDookqenM9Ij5l6zeeNwzMjIlkU2eG0DAH0KdsBN/hTGGGRQVBk03YREQmK
-crEhGAZxzfrX5fK11UVG3C2pqAtrVe6FuD32vFUpP1MO0ftSA889NoEwGdNZV4pV
-Mk0+6xVCNOatj2inMXlQq5s68WfCzkiWD7uLCv8CgYBcwuYsF4tuYBGpMzNzAAS2
-1OPLu+T6cPiZdFHm+xOVAGiITPkO9LXiCGabsydvb+UhvkrdzCP0IQQt6RsplvkK
-y3H9RfnHxprHC3NuI0SaN1Mf/j4pvOoEfTQm0pi/hcAp6zzQ9ptpBg8t/W98LPm9
-NbCPHamrD5UMqFajcOrXrwKBgD8D2M8IcRm/aYY/kYlFz4Ia+g3Trj7alj0I6YTI
-gw/rbGph/FGL5ySsG2lL+T4rnlY9aw8LC9IF3OCCRRlLpCEWsu8MENIJgjA2IGa1
-XAkzi8MstrfL4BMZjn9AeBKG7kZVldnrOoATEuRs5L2cC20iMLQ1dbBOAKaITzJS
-2IxZAoGBAKqwr/uennxJrnMtpjLBgcphoU3aXJZvzzDqlOaqzJp6Xmbese4sDEe0
-hvVHreigDzOnGnqL/vSjTDWaLqS/O1iE7p+UrGIkZj/Zl6Jk54OX6AHmWE2LhdlU
-FYgIQKX7fuocpF1Dpe7xEeVwvdp+UqbDzHQg1CWGe1cBPYDYIkSH
------END RSA PRIVATE KEY-----

@@ -0,0 +1 @@
+../ca/turn_client_pkey.pem
\ No newline at end of file

@@ -0,0 +1 @@
+../ca/turn_server_cert.pem
\ No newline at end of file

@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDsDCCApgCCQCmgrJCiQlGOTANBgkqhkiG9w0BAQUFADCBmDELMAkGA1UEBhMC
-VVMxCzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxXYWxudXQgQ3JlZWsxHDAaBgNVBAoT
-E1RVUk4gU2VydmVyIHByb2plY3QxFDASBgNVBAsTC0RldmVsb3BtZW50MQ0wCwYD
-VQQDEwRPbGVnMSIwIAYJKoZIhvcNAQkBFhNtb20wNDAyNjdAZ21haWwuY29tMCAX
-DTEyMTEyNTA4MjAxNloYDzIxMTIxMTAxMDgyMDE2WjCBmDELMAkGA1UEBhMCVVMx
-CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxXYWxudXQgQ3JlZWsxHDAaBgNVBAoTE1RV
-Uk4gU2VydmVyIHByb2plY3QxFDASBgNVBAsTC0RldmVsb3BtZW50MQ0wCwYDVQQD
-EwRPbGVnMSIwIAYJKoZIhvcNAQkBFhNtb20wNDAyNjdAZ21haWwuY29tMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv6bYkERhZ43RjW4EuqCaTq5g+D+l
-JI/GwlVzdzQ3+F4clMQDR1kp1nX+9AvwjCXz3AYwY1H9CqjmjGM4R9uNJJseK/aJ
-d2DUFADkF+7I674XwX8U2Fy5on9jqWq3jdbb8eg/awcTBdrNLWNPquwfS2KVdooj
-9yPkqnO0c3ko1/OzIQCcs09O3l/MPt+aOsHk3B9l79ZRs3zWkylI+we0Fnc+7tZE
-psCztA+KCCoiJf7NenOvVhdKg7D1AXuzJ/P/Euvc3+CIiS9HI4pWLopY1k+HydLe
-IcopqSbg9CRIKe1HOL8YTvCm2ZoTqgijwWUlGtwEDf2xxUQX/TLYiW8JFQIDAQAB
-MA0GCSqGSIb3DQEBBQUAA4IBAQATbrBOLV4e8Qmsby9+srxXsdbNc60PmDZ4WiZ1
-IElfWmzM7wGXm9sJg1PX/7T24R1tbwZGLIhZnkhecG372GChULZJ9Pdjh0Ab2nK5
-LRKHXTpjp/xOJvx0JMCIIyRnGZT1nABPOk8uEjNW8PaU6yhQ4f5nKaSOgYGRCln6
-dcy5vylCsyD9Q7GXs0KOC38XD+Ycv6VLX4zKJ2Yum50Wt643nLjG9RlGT3FXWJ1K
-HUbPC5TO6bcYLdiTjaYr+X8xC/x6h/Ngdo/16w7fRmQQ4uS+TVXrg8ITmI71KX/I
-m7C9jbsubwzrhW84oZXYf+o/0ATtEAhiVLnHifKCCYikqfVj
------END CERTIFICATE-----

@@ -1,9 +1,9 @@
 # Coturn TURN SERVER configuration file
 #
-# Boolean values note: where boolean value is supposed to be used,
-# you can use '0', 'off', 'no', 'false', 'f' as 'false, 
-# and you can use '1', 'on', 'yes', 'true', 't' as 'true' 
-# If the value is missed, then it means 'true'.
+# Boolean values note: where a boolean value is supposed to be used,
+# you can use '0', 'off', 'no', 'false', or 'f' as 'false, 
+# and you can use '1', 'on', 'yes', 'true', or 't' as 'true' 
+# If the value is missing, then it means 'true' by default.
 #
 
 # Listener interface device (optional, Linux only).
@@ -22,10 +22,10 @@
 # port(s), too - if allowed by configuration. The TURN server 
 # "automatically" recognizes the type of traffic. Actually, two listening
 # endpoints (the "plain" one and the "tls" one) are equivalent in terms of
-# functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
-# For secure TCP connections, we currently support SSL version 3 and 
+# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
+# For secure TCP connections, Coturn currently supports
 # TLS version 1.0, 1.1 and 1.2.
-# For secure UDP connections, we support DTLS version 1.
+# For secure UDP connections, Coturn supports DTLS version 1.
 #
 #tls-listening-port=5349
 
@@ -44,6 +44,14 @@
 # Default (or zero) value means "TLS listening port plus one".
 #
 #alt-tls-listening-port=0
+
+# Some network setups will require using a TCP reverse proxy in front
+# of the STUN server. If the proxy port option is set a single listener
+# is started on the given port that accepts connections using the
+# haproxy proxy protocol v2.
+# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
+#
+#tcp-proxy-port=5555
 	
 # Listener IP address of relay server. Multiple listeners can be specified.
 # If no IP(s) specified in the config file or in the command line options, 
@@ -133,8 +141,8 @@
 #
 # If this parameter is not set, then the default OS-dependent 
 # thread pattern algorithm will be employed. Usually the default
-# algorithm is the most optimal, so you have to change this option
-# only if you want to make some fine tweaks. 
+# algorithm is optimal, so you have to change this option
+# if you want to make some fine tweaks. 
 #
 # In the older systems (Linux kernel before 3.9),
 # the number of UDP threads is always one thread per network listening
@@ -155,7 +163,7 @@
 	
 # Uncomment to run TURN server in 'extra' verbose mode.
 # This mode is very annoying and produces lots of output.
-# Not recommended under any normal circumstances.
+# Not recommended under normal circumstances.
 #	
 #Verbose
 
@@ -169,11 +177,11 @@
 #
 #lt-cred-mech
 
-# This option is opposite to lt-cred-mech. 
+# This option is the opposite of lt-cred-mech. 
 # (TURN Server with no-auth option allows anonymous access).
 # If neither option is defined, and no users are defined,
 # then no-auth is default. If at least one user is defined, 
-# in this file or in command line or in usersdb file, then
+# in this file, in command line or in usersdb file, then
 # lt-cred-mech is default.
 #
 #no-auth
@@ -193,34 +201,33 @@
 # turn password -> base64(hmac(secret key, usercombo))
 #
 # This allows TURN credentials to be accounted for a specific user id.
-# If you don't have a suitable id, the timestamp alone can be used.
-# This option is just turning on secret-based authentication.
-# The actual value of the secret is defined either by option static-auth-secret,
+# If you don't have a suitable id, then the timestamp alone can be used.
+# This option is enabled by turning on secret-based authentication.
+# The actual value of the secret is defined either by the option static-auth-secret,
 # or can be found in the turn_secret table in the database (see below).
 # 
 # Read more about it:
 #  - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
 #  - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
 #
-# Be aware that use-auth-secret overrides some part of lt-cred-mech.
-# Notice that this feature depends internally on lt-cred-mech, so if you set
-# use-auth-secret then it enables internally automatically lt-cred-mech option
-# like if you enable both.
-#
-# You can use only one of the to auth mechanisms in the same time because,
-# both mechanism use the username and password validation in different way.
+# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
+# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
+# this option then it automatically enables lt-cred-mech internally
+# as if you had enabled both.
 #
-# This way be aware that you can't use both auth mechnaism in the same time!
-# Use in config either the lt-cred-mech or the use-auth-secret
+# Note that you can use only one auth mechanism at the same time! This is because,
+# both mechanisms conduct username and password validation in different ways.
+# 
+# Use either lt-cred-mech or use-auth-secret in the conf
 # to avoid any confusion.
 #
 #use-auth-secret
 
 # 'Static' authentication secret value (a string) for TURN REST API only. 
 # If not set, then the turn server
-# will try to use the 'dynamic' value in turn_secret table
-# in user database (if present). The database-stored  value can be changed on-the-fly
-# by a separate program, so this is why that other mode is 'dynamic'.
+# will try to use the 'dynamic' value in the turn_secret table
+# in the user database (if present). The database-stored  value can be changed on-the-fly
+# by a separate program, so this is why that mode is considered 'dynamic'.
 #
 #static-auth-secret=north
 
@@ -234,10 +241,10 @@
 #
 #oauth
 
-# 'Static' user accounts for long term credentials mechanism, only.
+# 'Static' user accounts for the long term credentials mechanism, only.
 # This option cannot be used with TURN REST API.
 # 'Static' user accounts are NOT dynamically checked by the turnserver process, 
-# so that they can NOT be changed while the turnserver is running.
+# so they can NOT be changed while the turnserver is running.
 #
 #user=username1:key1
 #user=username2:key2
@@ -263,83 +270,83 @@
 
 # SQLite database file name.
 #
-# Default file name is /var/db/turndb or /usr/local/var/db/turndb or
+# The default file name is /var/db/turndb or /usr/local/var/db/turndb or
 # /var/lib/turn/turndb.
 # 
 #userdb=/var/db/turndb
 
-# PostgreSQL database connection string in the case that we are using PostgreSQL
+# PostgreSQL database connection string in the case that you are using PostgreSQL
 # as the user database.
-# This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN RESP API. 
+# This database can be used for the long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN REST API. 
 # See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
 # versions connection string format, see 
 # http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
 # for 9.x and newer connection string formats.
 #
 #psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
 
-# MySQL database connection string in the case that we are using MySQL
+# MySQL database connection string in the case that you are using MySQL
 # as the user database.
-# This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN RESP API.
+# This database can be used for the long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
 #
 # Optional connection string parameters for the secure communications (SSL): 
 # ca, capath, cert, key, cipher 
 # (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the 
 # command options description).
 #
-# Use string format as below (space separated parameters, all optional):
+# Use the string format below (space separated parameters, all optional):
 #
 #mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
 
-# If you want to use in the MySQL connection string the password in encrypted format,
-# then set in this option the MySQL password encryption secret key file.
+# If you want to use an encrypted password in the MySQL connection string,
+# then set the MySQL password encryption secret key file with this option.
 #
-# Warning: If this option is set, then mysql password must be set in "mysql-userdb" in encrypted format! 
-# If you want to use cleartext password then do not set this option!
+# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format! 
+# If you want to use a cleartext password then do not set this option!
 #
-# This is the file path which contain secret key of aes encryption while using password encryption.
+# This is the file path for the aes encrypted secret key used for password encryption.
 #
 #secret-key-file=/path/
 
-# MongoDB database connection string in the case that we are using MongoDB
+# MongoDB database connection string in the case that you are using MongoDB
 # as the user database.
 # This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN RESP API. 
-# Use string format is described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
+# and it can store the secret value for secret-based timed authentication in TURN REST API. 
+# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
 #
 #mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
 
-# Redis database connection string in the case that we are using Redis
+# Redis database connection string in the case that you are using Redis
 # as the user database.
 # This database can be used for long-term credential mechanism
-# and it can store the secret value for secret-based timed authentication in TURN RESP API. 
-# Use string format as below (space separated parameters, all optional):
+# and it can store the secret value for secret-based timed authentication in TURN REST API. 
+# Use the string format below (space separated parameters, all optional):
 #
 #redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
 
 # Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
 # This database keeps allocations status information, and it can be also used for publishing
 # and delivering traffic and allocation event notifications.
 # The connection string has the same parameters as redis-userdb connection string. 
-# Use string format as below (space separated parameters, all optional):
+# Use the string format below (space separated parameters, all optional):
 #
 #redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
 
 # The default realm to be used for the users when no explicit 
-# origin/realm relationship was found in the database, or if the TURN
+# origin/realm relationship is found in the database, or if the TURN
 # server is not using any database (just the commands-line settings
 # and the userdb file). Must be used with long-term credentials 
 # mechanism or with TURN REST API.
 #
-# Note: If default realm is not specified at all, then realm falls back to the host domain name.
-#       If domain name is empty string, or '(None)', then it is initialized to am empty string.
+# Note: If the default realm is not specified, then realm falls back to the host domain name.
+#       If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
 #
 #realm=mycompany.org
 
-# The flag that sets the origin consistency 
-# check: across the session, all requests must have the same
+# This flag sets the origin consistency 
+# check. Across the session, all requests must have the same
 # main ORIGIN attribute value (if the ORIGIN was
 # initially used by the session).
 #
@@ -359,7 +366,7 @@
 
 # Max bytes-per-second bandwidth a TURN session is allowed to handle
 # (input and output network streams are treated separately). Anything above
-# that limit will be dropped or temporary suppressed (within
+# that limit will be dropped or temporarily suppressed (within
 # the available buffer limits).
 # This option can also be set through the database, for a particular realm.
 #
@@ -403,9 +410,9 @@
 #no-tcp-relay
 
 # Uncomment if extra security is desired,
-# with nonce value having limited lifetime.
+# with nonce value having a limited lifetime.
 # By default, the nonce value is unique for a session,
-# and has unlimited lifetime. 
+# and has an unlimited lifetime. 
 # Set this option to limit the nonce lifetime. 
 # It defaults to 600 secs (10 min) if no value is provided. After that delay, 
 # the client will get 438 error and will have to re-authenticate itself.
@@ -435,6 +442,7 @@
 # Certificate file.
 # Use an absolute path or path relative to the 
 # configuration file.
+# Use PEM file format.
 #
 #cert=/usr/local/etc/turn_server_cert.pem
 
@@ -457,7 +465,7 @@
 
 # CA file in OpenSSL format. 
 # Forces TURN server to verify the client SSL certificates.
-# By default it is not set: there is no default value and the client
+# By default this is not set: there is no default value and the client
 # certificate is not checked.
 #
 # Example:
@@ -471,30 +479,30 @@
 #
 #ec-curve-name=prime256v1
 
-# Use 566 bits predefined DH TLS key. Default size of the key is 1066.
+# Use 566 bits predefined DH TLS key. Default size of the key is 2066.
 #
 #dh566
 
-# Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
+# Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
 #
-#dh2066
+#dh1066
 
 # Use custom DH TLS key, stored in PEM format in the file.
 # Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
 #
 #dh-file=<DH-PEM-file-name>
 
 # Flag to prevent stdout log messages.
-# By default, all log messages are going to both stdout and to 
-# the configured log file. With this option everything will be 
-# going to the configured log only (unless the log file itself is stdout).
+# By default, all log messages go to both stdout and to 
+# the configured log file. With this option everything will 
+# go to the configured log only (unless the log file itself is stdout).
 #
 #no-stdout-log
 
 # Option to set the log file name.
 # By default, the turnserver tries to open a log file in 
-# /var/log, /var/tmp, /tmp and current directories directories
-# (which open operation succeeds first that file will be used).
+# /var/log, /var/tmp, /tmp and the current directory
+# (Whichever file open operation succeeds first will be used).
 # With this option you can set the definite log file name.
 # The special names are "stdout" and "-" - they will force everything 
 # to the stdout. Also, the "syslog" name will force everything to
@@ -515,14 +523,14 @@
 #simple-log
 
 # Option to set the "redirection" mode. The value of this option
-# will be the address of the alternate server for UDP & TCP service in form of 
+# will be the address of the alternate server for UDP & TCP service in the form of 
 # <ip>[:<port>]. The server will send this value in the attribute
 # ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
 # Client will receive only values with the same address family
 # as the client network endpoint address family. 
-# See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description. 
+# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality. 
 # The client must use the obtained value for subsequent TURN communications.
-# If more than one --alternate-server options are provided, then the functionality
+# If more than one --alternate-server option is provided, then the functionality
 # can be more accurately described as "load-balancing" than a mere "redirection". 
 # If the port number is omitted, then the default port 
 # number 3478 for the UDP/TCP protocols will be used.
@@ -532,7 +540,7 @@
 # [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 . 
 # Multiple alternate servers can be set. They will be used in the
 # round-robin manner. All servers in the pool are considered of equal weight and 
-# the load will be distributed equally. For example, if we have 4 alternate servers, 
+# the load will be distributed equally. For example, if you have 4 alternate servers, 
 # then each server will receive 25% of ALLOCATE requests. A alternate TURN server 
 # address can be used more than one time with the alternate-server option, so this 
 # can emulate "weighting" of the servers.
@@ -559,6 +567,15 @@
 #
 #stun-only
 
+# Option to hide software version. Enhance security when used in production.
+# Revealing the specific software version of the agent through the
+# SOFTWARE attribute might allow them to become more vulnerable to
+# attacks against software that is known to contain security holes.
+# Implementers SHOULD make usage of the SOFTWARE attribute a
+# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
+#
+#no-software-attribute
+
 # Option to suppress STUN functionality, only TURN requests will be processed.
 # Run as TURN server only, all STUN requests will be ignored.
 # By default, this option is NOT set.
@@ -622,19 +639,19 @@
 # Allocate Address Family according 
 # If enabled then TURN server allocates address family according  the TURN 
 # Client <=> Server communication address family.
-# (By default coTURN works according RFC 6156.)
+# (By default Coturn works according RFC 6156.)
 # !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
 #
 #keep-address-family
 
 
 # User name to run the process. After the initialization, the turnserver process
-# will make an attempt to change the current user ID to that user.
+# will attempt to change the current user ID to that user.
 #
 #proc-user=<user-name>
 
 # Group name to run the process. After the initialization, the turnserver process
-# will make an attempt to change the current group ID to that group.
+# will attempt to change the current group ID to that group.
 #
 #proc-group=<group-name>
 
@@ -654,8 +671,8 @@
 #cli-port=5766
 
 # CLI access password. Default is empty (no password).
-# For the security reasons, it is recommended to use the encrypted
-# for of the password (see the -P command in the turnadmin utility).
+# For the security reasons, it is recommended that you use the encrypted
+# form of the password (see the -P command in the turnadmin utility).
 #
 # Secure form for password 'qwerty':
 #
@@ -685,7 +702,7 @@
 #web-admin-listen-on-workers
 
 # Server relay. NON-STANDARD AND DANGEROUS OPTION. 
-# Only for those applications when we want to run 
+# Only for those applications when you want to run 
 # server applications on the relay endpoints.
 # This option eliminates the IP permissions check on 
 # the packets incoming to the relay endpoints.

@@ -0,0 +1 @@
+../ca/turn_server_pkey.pem
\ No newline at end of file

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAv6bYkERhZ43RjW4EuqCaTq5g+D+lJI/GwlVzdzQ3+F4clMQD
-R1kp1nX+9AvwjCXz3AYwY1H9CqjmjGM4R9uNJJseK/aJd2DUFADkF+7I674XwX8U
-2Fy5on9jqWq3jdbb8eg/awcTBdrNLWNPquwfS2KVdooj9yPkqnO0c3ko1/OzIQCc
-s09O3l/MPt+aOsHk3B9l79ZRs3zWkylI+we0Fnc+7tZEpsCztA+KCCoiJf7NenOv
-VhdKg7D1AXuzJ/P/Euvc3+CIiS9HI4pWLopY1k+HydLeIcopqSbg9CRIKe1HOL8Y
-TvCm2ZoTqgijwWUlGtwEDf2xxUQX/TLYiW8JFQIDAQABAoIBADUPHCXUyKLCwKFH
-NEf27sGZxX71H+NfaseioLT/3/8DDyagncfDB7I4OL2YEKC8YScpD3xv1n59BFcZ
-oRtDzW+1AkVpm+VRCWYAWSXHFhkuJ6WKaVr9UOeMHStqQCcktP/kLKqU6s9UJDnM
-pOHNPVzBjl+jHxHs/gGyxuKxSH2Anwkrzpiv5j0obKFnw3QtAqeZRs1NlvPtYt2S
-eihZWr8r8LqylPk9ga9MYmO79Yr+EPVaqd6bmz4MpZJ4/7LEjx03Q6azdMCPhFNY
-cYzPIDZFEj81Zj/tqA2MU/uTTUUrcXint4dHRJs34m5N68PV1Y1XhhH6FG0+X711
-ZymudoECgYEA/ChS5zmmOoLoaq2441+PzQbDP45qR6+G4slHwC8RDZhsYw0hQnp9
-n44Qagpt74J4FjxT20BdE714DZP32IqagUwatWRQ+z3UoGafkJSNc5JSEogwZ65C
-nC8RI1pPHLEvE8IzBJiqUA1kbMOMfTYW694wdN9JVZang05/AXaJzm8CgYEAwpJ8
-nJRR9JFweHRrRgnrVk0Qi+ABbN9T/nhPXYab2vjBfeBOTA1Mob0M3zMJDCnL2i+D
-K1GzE6WaYHElr45j2Wfphd/rRTk74WR4BaPpTCGaAhBQNn0ufqUkKsCPEAlTU+nG
-iyXP4OvdMPjEBckjbKm/mlX7m0njSHAY6SWNorsCgYEAi8Yubk3efwChpMC3hBIs
-vBHLmSdwclwyAPRh+X4djdO4AQ/+J8OObytond86IVHJD0pRkW+UKKUWLzCeakIq
-cxGknHgHC72yZ1d7i8FMx4uMQwmLC23lLn5ImbgtslHlLqavcRTPE6DY0hFzhtS8
-z/JSGfbLx83C/V49uKnkqbECgYA6h1oYt70XdpCAi3ShcuZp5XCuwslq+JsJlyM4
-nP9RFTcPKGQlGHMOzBGNKor0L7Z0gYpRg5f8tvoDPMX7UzfR9CIY9UyOXDMZD+HS
-wIWzMwBi0olueqV7zy1b9uSSDFwWh+IDhXJM1GaLDqnYm7KeQ0mxoV+4TLej2KSF
-rZg3dQKBgQCVrVxFV8jHBsRsH5PzMx6pUSAollmuyte9mGU1MIE7EZf+LEQIAjGZ
-9jvtAILYVJXwVZv1/zNxldUfBNuWc95ft+Gg7FEN0p0uLpdYNXQUcXuJaJ9tJ1td
-ZfvRcrUXdFNKYt9/yaGeHVaIQfp4W1faZD7OnII7EOVkUKyv/qNGAA==
------END RSA PRIVATE KEY-----

@@ -32,5 +32,5 @@ fi
 
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/
 
-PATH=examples/bin/:../bin:./bin/:${PATH} turnutils_uclient -S -i turn_server_cert.pem -k turn_server_pkey.pem -E turn_server_cert.pem -n 1000 -m 10 -l 170 -e 127.0.0.1 -g -u bolt -w kwyjibo -s -X $@ 127.0.0.1
+PATH=examples/bin/:../bin:./bin/:${PATH} turnutils_uclient -S -i turn_server_cert.pem -k turn_server_pkey.pem -E cacert.pem -n 1000 -m 10 -l 170 -e 127.0.0.1 -g -u bolt -w kwyjibo -s -X $@ 127.0.0.1
 

@@ -36,4 +36,4 @@ fi
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/
 
-PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=bolt:kwyjibo -r bolt.co --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --CA-file=turn_server_cert.pem --log-file=stdout -v --cipher-list="ALL:!eNULL:!aNULL:!NULL" --cli-password=secret --db=var/db/turndb $@
+PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers --max-bps=3000000 -f -m 10 --min-port=32355 --max-port=65535 --user=ninefingers:youhavetoberealistic --user=bolt:kwyjibo -r bolt.co --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --CA-file=cacert.pem --log-file=stdout -v --cipher-list="ALL:!eNULL:!aNULL:!NULL" --cli-password=secret --db=var/db/turndb $@

@@ -32,5 +32,5 @@ fi
 
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/
 
-PATH=examples/bin/:../bin:./bin/:${PATH} turnutils_uclient -t -S -i turn_server_cert.pem -k turn_server_pkey.pem -E turn_server_cert.pem -n 1000 -m 10 -l 170 -e 127.0.0.1 -X -g -u bolt -w kwyjibo -s $@ 127.0.0.1
+PATH=examples/bin/:../bin:./bin/:${PATH} turnutils_uclient -t -S -i turn_server_cert.pem -k turn_server_pkey.pem -E cacert.pem -n 1000 -m 10 -l 170 -e 127.0.0.1 -X -g -u bolt -w kwyjibo -s $@ 127.0.0.1
 

@@ -2,7 +2,7 @@
 
 # Run it from the root of the coturn source tree
 
-V=4.5.1.0
+V=4.5.1.3
 
 PACKDIR=`pwd`/../coturn-releases/
 SRCDIR=`pwd`
@@ -16,7 +16,8 @@ mkdir tmp
 cd tmp
 mkdir ${DDIR}
 cp -R ${SRCDIR}/* ${DDIR}/
-tar cvfz ../${DDIR}.tar.gz ${DDIR}
+#tell tar to not include the metadata
+COPYFILE_DISABLE=1 tar cvfz ../${DDIR}.tar.gz ${DDIR}
 cd ..
 rm -rf tmp
 

@@ -15,7 +15,7 @@ Unpack the archive:
 
  $ tar xvfz turnserver-<...>.tar.gz
  
-Read the INSTALl file:
+Read the INSTALL file:
 
  $ cat INSTALL
  

@@ -1,17 +1,17 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "29 January 2019" "" ""
+.TH TURN 1 "29 April 2020" "" ""
 .SH GENERAL INFORMATION
 
-\fIturnadmin\fP is a TURN administration tool. This tool can be used to manage 
-the user accounts (add/remove users, generate 
-TURN keys for the users). For security reasons, we do not recommend 
-storing passwords openly. The better option is to use pre\-processed "keys" 
-which are then used for authentication. These keys are generated by \fIturnadmin\fP. 
-Turnadmin is a link to \fIturnserver\fP binary, but \fIturnadmin\fP performs different 
+\fIturnadmin\fP is a TURN administration tool. This tool can be used to manage
+the user accounts (add/remove users, generate
+TURN keys for the users). For security reasons, we do not recommend
+storing passwords openly. The better option is to use pre\-processed "keys"
+which are then used for authentication. These keys are generated by \fIturnadmin\fP.
+Turnadmin is a link to \fIturnserver\fP binary, but \fIturnadmin\fP performs different
 functions.
 .PP
 Options note: \fIturnadmin\fP has long and short option names, for most options.
-Some options have only long form, some options have only short form. Their syntax 
+Some options have only long form, some options have only short form. Their syntax
 somewhat different, if an argument is required:
 .PP
 The short form must be used as this (for example):
@@ -46,23 +46,28 @@ is equivalent to:
 
 .fam T
 .fi
-You have always the use the \fB\-r\fP <realm> option with commands for long term credentials \- 
+You have always the use the \fB\-r\fP <realm> option with commands for long term credentials \-
 because data for multiple realms can be stored in the same database.
 .PP
 =====================================
 .SS  NAME
 \fB
 \fBturnadmin \fP\- a TURN relay administration tool.
 \fB
-.SS  SYNOPSIS  
+.SS  SYNOPSIS
+.nf
+.fam C
+
+$ \fIturnadmin\fP [\fIcommand\fP] [\fIoptions\fP]
 
-$ \fIturnadmin\fP [command] [options]
-.PP
 $ \fIturnadmin\fP [ \fB\-h\fP | \fB\-\-help\fP]
+
+.fam T
+.fi
+.fam T
+.fi
 .SS  DESCRIPTION
 
-.TP
-.B
 Commands:
 .TP
 .B
@@ -71,7 +76,7 @@ Generate and print to the standard
 output an encrypted form of a password (for web admin user or CLI).
 The value then can be used as a safe key for the password
 storage on disk or in the database. Every invocation for the same password
-produces a different result. The for mat of the encrypted password is:
+produces a different result. The format of the encrypted password is:
 $5$<\.\.\.salt\.\.\.>$<\.\.\.sha256(salt+password)\.\.\.>. Salt is 16 characters,
 the sha256 output is 64 characters. Character 5 is the algorithm id (sha256).
 Only sha256 is supported as the hash function.
@@ -104,7 +109,7 @@ List long\-term users in the database.
 \fB\-L\fP, \fB\-\-list\-admin\fP
 List admin users in the database.
 .PP
-\fB\-s\fP, \fB\-\-set\-secret\fP=<value> Add shared secret for TURN RESP API
+\fB\-s\fP, \fB\-\-set\-secret\fP=<value> Add shared secret for TURN REST API
 .TP
 .B
 \fB\-S\fP, \fB\-\-show\-secret\fP
@@ -135,15 +140,14 @@ List origin\-to\-realm relations.
 Set realm params: max\-bps, total\-quota, user\-quota.
 .TP
 .B
-\fB\-G\fP, \fB\-\-list\-realm\-options\fP
+\fB\-G\fP, \fB\-\-list\-realm\fP\-\fIoptions\fP
 List realm params.
 .TP
 .B
 \fB\-E\fP, \fB\-\-generate\-encrypted\-password\-aes\fP
-Generate and print to the standard output 
+Generate and print to the standard output
 an encrypted form of password with AES\-128
-.TP
-.B
+.PP
 Options with required values:
 .TP
 .B
@@ -210,13 +214,12 @@ Set value of realm's total\-quota parameter.
 .TP
 .B
 \fB\-\-user\-quota\fP
-Set value of realm's user\-quota parameter. 
+Set value of realm's user\-quota parameter.
 .TP
 .B
 \fB\-h\fP, \fB\-\-help\fP
 Help.
-.TP
-.B
+.PP
 Command examples:
 .PP
 Generate an encrypted form of a password:
@@ -282,16 +285,14 @@ $ \fIturnadmin\fP \fB\-\-file\-key\-path\fP <key\-file> \fB\-v\fP <encrypted>
 .PP
 
 .RS
-.TP
-.B
 Help:
 .PP
 $ \fIturnadmin\fP \fB\-h\fP
 .PP
 =======================================
 .SS  DOCS
 
-After installation, run the command:
+After installation, run the \fIcommand\fP:
 .PP
 $ man \fIturnadmin\fP
 .PP

@@ -1,18 +1,18 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "29 January 2019" "" ""
+.TH TURN 1 "29 April 2020" "" ""
 .SH GENERAL INFORMATION
 
-The \fBTURN Server\fP project contains the source code of a TURN server and TURN client 
-messaging library. Also, some extra programs provided, for testing\-only 
-purposes. 
+The \fBTURN Server\fP project contains the source code of a TURN server and TURN client
+messaging library. Also, some extra programs provided, for testing\-only
+purposes.
 .PP
 See the INSTALL file for the building instructions.
 .PP
 After the build, you will have the following binary images:
 .TP
 .B
 1.
-\fIturnserver\fP: \fBTURN Server\fP relay. 
+\fIturnserver\fP: \fBTURN Server\fP relay.
 The compiled binary image of the \fBTURN Server\fP program is located in bin/ sub\-directory.
 .TP
 .B
@@ -35,15 +35,15 @@ turnutils_stunclient. See README.turnutils and \fIturnutils\fP man page.
 6.
 turnutils_rfc5769check. See README.turnutils and \fIturnutils\fP man page.
 .PP
-In the "examples/scripts" sub\-directory, you will find the examples of command lines to be used 
+In the "examples/scripts" sub\-directory, you will find the examples of command lines to be used
 to run the programs. The scripts are meant to be run from examples/ sub\-directory, for example:
 .PP
 $ cd examples
 $ ./scripts/secure_relay.sh
 .SH RUNNING THE TURN SERVER
 
 Options note: \fIturnserver\fP has long and short option names, for most options.
-Some options have only long form, some options have only short form. Their syntax 
+Some options have only long form, some options have only short form. Their syntax
 somewhat different, if an argument is required:
 .PP
 The short form must be used as this (for example):
@@ -94,10 +94,8 @@ $ \fIturnserver\fP \fB\-h\fP
 .fi
 .fam T
 .fi
-.SS  DESCRIPTION                                           
+.SS  DESCRIPTION
 
-.TP
-.B
 Config file settings:
 .TP
 .B
@@ -108,10 +106,10 @@ Do not use configuration file, use only command line parameters.
 \fB\-c\fP
 Configuration file name (default \- turnserver.conf).
 The format of config file can be seen in
-the supplied examples/etc/turnserver.conf example file. Long 
-names of the \fIoptions\fP are used as the configuration 
-items names in the file. If not an absolute path is supplied, 
-then the file is searched in the following directories: 
+the supplied examples/etc/turnserver.conf example file. Long
+names of the \fIoptions\fP are used as the configuration
+items names in the file. If not an absolute path is supplied,
+then the file is searched in the following directories:
 .RS
 .IP \(bu 3
 current directory
@@ -126,8 +124,7 @@ upper directory level etc/
 .IP \(bu 3
 installation directory /etc
 .RE
-.TP
-.B
+.PP
 User database settings:
 .TP
 .B
@@ -139,18 +136,18 @@ SQLite user database file name (default \- /var/db/turndb or
 \fB\-e\fP, \fB\-\-psql\-userdb\fP
 User database connection string for PostgreSQL.
 This database can be used for long\-term credentials mechanism,
-and it can store the secret value 
-for secret\-based timed authentication in TURN RESP API.
+and it can store the secret value
+for secret\-based timed authentication in TURN REST API.
 The connection string format is like that:
 .RS
 .PP
-"host=<host> dbname=<dbname> user=<db\-user> password=<db\-user\-password> connect_timeout=<seconds>" 
+"host=<host> dbname=<dbname> user=<db\-user> password=<db\-user\-password> connect_timeout=<seconds>"
 (for 8.x or newer Postgres).
 .PP
 Or:
 .PP
-"postgresql://username:password@hostname:port/databasename" 
-(for 9.x or newer Postgres). 
+"postgresql://username:password@hostname:port/databasename"
+(for 9.x or newer Postgres).
 .PP
 See the INSTALL file for more explanations and examples.
 .PP
@@ -159,23 +156,23 @@ Also, see http://www.PostgreSQL.org for full PostgreSQL documentation.
 .TP
 .B
 \fB\-M\fP, \fB\-\-mysql\-userdb\fP
-User database connection string for MySQL or MariaDB. 
+User database connection string for MySQL or MariaDB.
 This database can be used for long\-term credentials mechanism,
-and it can store the secret value for 
-secret\-based timed authentication in TURN RESP API.
+and it can store the secret value for
+secret\-based timed authentication in TURN REST API.
 The connection string format is like that:
 .RS
 .PP
 "host=<host> dbname=<dbname> user=<db\-user> password=<db\-user\-password> connect_timeout=<seconds> read_timeout=<seconds>"
 .PP
 See the INSTALL file for more explanations and examples.
 .PP
-Also, see http://www.mysql.org or http://mariadb.org 
+Also, see http://www.mysql.org or http://mariadb.org
 for full MySQL documentation.
 .PP
-Optional connection string parameters for the secure communications (SSL): 
-ca, capath, cert, key, cipher 
-(see http://dev.mysql.com/doc/refman/5.1/en/ssl\-options.html for the 
+Optional connection string parameters for the secure communications (SSL):
+ca, capath, cert, key, cipher
+(see http://dev.mysql.com/doc/refman/5.1/en/ssl\-options.html for the
 command \fIoptions\fP description).
 .RE
 .TP
@@ -184,15 +181,15 @@ command \fIoptions\fP description).
 This is the file path which contain secret key of aes encryption while using MySQL password encryption.
 If you want to use in the MySQL connection string the password in encrypted format,
 then set in this option the file path of the secret key. The key which is used to encrypt MySQL password.
-Warning: If this option is set, then MySQL password must be set in "mysql\-userdb" option in encrypted format! 
+Warning: If this option is set, then MySQL password must be set in "mysql\-userdb" option in encrypted format!
 If you want to use cleartext password then do not set this option!
 .TP
 .B
 \fB\-J\fP, \fB\-\-mongo\-userdb\fP
-User database connection string for MongoDB. 
+User database connection string for MongoDB.
 This database can be used for long\-term credentials mechanism,
-and it can store the secret value 
-for secret\-based timed authentication in TURN RESP API.
+and it can store the secret value
+for secret\-based timed authentication in TURN REST API.
 The connection string format is like that:
 .RS
 .PP
@@ -206,10 +203,10 @@ for full MongoDB documentation.
 .TP
 .B
 \fB\-N\fP, \fB\-\-redis\-userdb\fP
-User database connection string for Redis. 
+User database connection string for Redis.
 This database can be used for long\-term credentials mechanism,
-and it can store the secret 
-value for secret\-based timed authentication in TURN RESP API.
+and it can store the secret
+value for secret\-based timed authentication in TURN REST API.
 The connection string format is like that:
 .RS
 .PP
@@ -219,8 +216,7 @@ See the INSTALL file for more explanations and examples.
 .PP
 Also, see http://redis.io for full Redis documentation.
 .RE
-.TP
-.B
+.PP
 Flags:
 .TP
 .B
@@ -234,15 +230,13 @@ Extra verbose mode, very annoying and not recommended.
 .B
 \fB\-o\fP, \fB\-\-daemon\fP
 Run server as daemon.
-.TP
-.B
-\fB\-\-prod\fP
-Production mode: hide the software version.
+.PP
+\fB\-\-no\-software\-attribute\fP Production mode: hide the software version.
 .TP
 .B
 \fB\-f\fP, \fB\-\-fingerprint\fP
 Use fingerprints in the TURN messages. If an incoming request
-contains a fingerprint, then TURN server will always add 
+contains a fingerprint, then TURN server will always add
 fingerprints to the messages in this session, regardless of the
 per\-server setting.
 .TP
@@ -252,17 +246,17 @@ Use long\-term credentials mechanism (this one you need for WebRTC usage).
 .TP
 .B
 \fB\-z\fP, \fB\-\-no\-auth\fP
-Do not use any credentials mechanism, allow anonymous access. 
-Opposite to \fB\-a\fP and \fB\-A\fP \fIoptions\fP. This is default option when no 
+Do not use any credentials mechanism, allow anonymous access.
+Opposite to \fB\-a\fP and \fB\-A\fP \fIoptions\fP. This is default option when no
 authentication\-related \fIoptions\fP are set.
 By default, no credential mechanism is used \-
 any user is allowed.
 .TP
 .B
 \fB\-\-use\-auth\-secret\fP
 TURN REST API flag.
-Flag that sets a special WebRTC authorization option 
-that is based upon authentication secret. The feature purpose 
+Flag that sets a special WebRTC authorization option
+that is based upon authentication secret. The feature purpose
 is to support "\fBTURN Server\fP REST API" as described in
 the TURN REST API section below.
 This option uses timestamp as part of combined username:
@@ -281,11 +275,11 @@ Support oAuth authentication, as in the third\-party STUN/TURN RFC 7635.
 .TP
 .B
 \fB\-\-dh566\fP
-Use 566 bits predefined DH TLS key. Default size of the key is 1066.
+Use 566 bits predefined DH TLS key. Default size of the key is 2066.
 .TP
 .B
-\fB\-\-dh2066\fP
-Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
+\fB\-\-dh1066\fP
+Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
 .TP
 .B
 \fB\-\-no\-tlsv1\fP
@@ -317,19 +311,19 @@ Do not start DTLS client listeners.
 .TP
 .B
 \fB\-\-no\-udp\-relay\fP
-Do not allow UDP relay endpoints defined in RFC 5766, 
+Do not allow UDP relay endpoints defined in RFC 5766,
 use only TCP relay endpoints as defined in RFC 6062.
 .TP
 .B
 \fB\-\-no\-tcp\-relay\fP
-Do not allow TCP relay endpoints defined in RFC 6062, 
-use only UDP relay endpoints as defined in RFC 5766. 
+Do not allow TCP relay endpoints defined in RFC 6062,
+use only UDP relay endpoints as defined in RFC 5766.
 .TP
 .B
 \fB\-\-no\-stdout\-log\fP
 Flag to prevent stdout log messages.
 By default, all log messages are going to both stdout and to
-the configured log file. With this option everything will be going to 
+the configured log file. With this option everything will be going to
 the log file only (unless the log file itself is stdout).
 .TP
 .B
@@ -349,25 +343,25 @@ By default, the clients are allowed anonymous access to the STUN Binding functio
 .TP
 .B
 \fB\-S\fP, \fB\-\-stun\-only\fP
-Run as STUN server only, all TURN requests will be ignored. 
+Run as STUN server only, all TURN requests will be ignored.
 Option to suppress TURN functionality, only STUN requests will be processed.
 .TP
 .B
 \fB\-\-no\-stun\fP
-Run as TURN server only, all STUN requests will be ignored. 
+Run as TURN server only, all STUN requests will be ignored.
 Option to suppress STUN functionality, only TURN requests will be processed.
 .TP
 .B
 \fB\-\-allow\-loopback\-peers\fP
 Allow peers on the loopback addresses (127.x.x.x and ::1).
-Allow it only for testing in a development environment! 
-In production it adds a possible security vulnerability, 
-and so due to security reasons, it is not allowed 
+Allow it only for testing in a development environment!
+In production it adds a possible security vulnerability,
+and so due to security reasons, it is not allowed
 using it together with empty cli\-password.
 .TP
 .B
 \fB\-\-no\-multicast\-peers\fP
-Disallow peers on well\-known broadcast addresses 
+Disallow peers on well\-known broadcast addresses
 (224.0.0.0 and above, and FFXX:*).
 .TP
 .B
@@ -381,33 +375,32 @@ See also \fIoptions\fP \fB\-\-cli\-ip\fP and \fB\-\-cli\-port\fP.
 .TP
 .B
 \fB\-\-server\-relay\fP
-Server relay. NON\-STANDARD AND DANGEROUS OPTION. 
-Only for those applications when we want to run 
+Server relay. NON\-STANDARD AND DANGEROUS OPTION.
+Only for those applications when we want to run
 server applications on the relay endpoints.
-This option eliminates the IP permissions check 
+This option eliminates the IP permissions check
 on the packets incoming to the relay endpoints.
 See http://tools.ietf.org/search/rfc5766#section\-17.2.3 .
 .TP
 .B
 \fB\-\-udp\-self\-balance\fP
 (recommended for older Linuxes only)
 Automatically balance UDP traffic over auxiliary servers
-(if configured). The load balancing is using the 
-ALTERNATE\-SERVER mechanism. The TURN client must support 
+(if configured). The load balancing is using the
+ALTERNATE\-SERVER mechanism. The TURN client must support
 300 ALTERNATE\-SERVER response for this functionality.
 .TP
 .B
 \fB\-\-check\-origin\-consistency\fP
-The flag that sets the origin consistency 
+The flag that sets the origin consistency
 check: across the session, all requests must have the same
 main ORIGIN attribute value (if the ORIGIN was
 initially used by the session).
 .TP
 .B
 \fB\-h\fP
 Help.
-.TP
-.B
+.PP
 Options with values:
 .TP
 .B
@@ -434,17 +427,17 @@ This MUST not be changed for production purposes.
 .B
 \fB\-d\fP, \fB\-\-listening\-device\fP
 Listener interface device.
-(NOT RECOMMENDED. Optional functionality, Linux only). 
-The \fIturnserver\fP process must have root privileges to bind the 
-listening endpoint to a device. If \fIturnserver\fP must run as a 
+(NOT RECOMMENDED. Optional functionality, Linux only).
+The \fIturnserver\fP process must have root privileges to bind the
+listening endpoint to a device. If \fIturnserver\fP must run as a
 process without root privileges, then just do not use this setting.
 .TP
 .B
 \fB\-L\fP, \fB\-\-listening\-ip\fP
-Listener IP address of relay server. 
+Listener IP address of relay server.
 Multiple listeners can be specified, for example:
 \fB\-L\fP ip1 \fB\-L\fP ip2 \fB\-L\fP ip3
-If no \fBIP\fP(s) specified, then all IPv4 and 
+If no \fBIP\fP(s) specified, then all IPv4 and
 IPv6 system IPs will be used for listening.
 The same \fBip\fP(s) can be used as both listening and relay \fBip\fP(s).
 .TP
@@ -458,11 +451,11 @@ Note: actually, TLS & DTLS sessions can connect to the "plain" TCP & UDP
 \fB\-\-tls\-listening\-port\fP
 TURN listener port for TLS and DTLS listeners (Default: 5349).
 Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
-\fBport\fP(s), too \- if allowed by configuration. The TURN server 
+\fBport\fP(s), too \- if allowed by configuration. The TURN server
 "automatically" recognizes the type of traffic. Actually, two listening
 endpoints (the "plain" one and the "tls" one) are equivalent in terms of
 functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
-For secure TCP connections, we currently support SSL version 3 and 
+For secure TCP connections, we currently support SSL version 3 and
 TLS versions 1.0, 1.1, 1.2.
 For secure UDP connections, we support DTLS version 1.
 .TP
@@ -483,6 +476,12 @@ Alternative listening port for TLS and DTLS protocols.
 Default (or zero) value means "TLS listening port plus one".
 .TP
 .B
+\fB\-\-tcp\-proxy\-port\fP
+Support connections from TCP loadbalancer on this port. The loadbalancer
+should use the binary proxy protocol.
+(https://www.haproxy.org/download/1.8/doc/proxy\-protocol.txt)
+.TP
+.B
 \fB\-\-aux\-server\fP
 Auxiliary STUN/TURN server listening endpoint.
 Aux servers have almost full TURN and STUN functionality.
@@ -501,37 +500,37 @@ to client requests.
 .TP
 .B
 \fB\-i\fP, \fB\-\-relay\-device\fP
-Relay interface device for relay sockets 
+Relay interface device for relay sockets
 (NOT RECOMMENDED. Optional, Linux only).
 .TP
 .B
 \fB\-E\fP, \fB\-\-relay\-ip\fP
-Relay address (the local IP address that 
-will be used to relay the packets to the 
+Relay address (the local IP address that
+will be used to relay the packets to the
 peer). Multiple relay addresses may be used:
 \fB\-E\fP ip1 \fB\-E\fP ip2 \fB\-E\fP ip3
 The same \fBIP\fP(s) can be used as both listening \fBIP\fP(s) and relay \fBIP\fP(s).
-If no relay \fBIP\fP(s) specified, then the \fIturnserver\fP will apply the 
-default policy: it will decide itself which relay addresses to be 
-used, and it will always be using the client socket IP address as 
-the relay IP address of the TURN session (if the requested relay 
+If no relay \fBIP\fP(s) specified, then the \fIturnserver\fP will apply the
+default policy: it will decide itself which relay addresses to be
+used, and it will always be using the client socket IP address as
+the relay IP address of the TURN session (if the requested relay
 address family is the same as the family of the client socket).
 .TP
 .B
 \fB\-X\fP, \fB\-\-external\-ip\fP
 \fBTURN Server\fP public/private address mapping, if the server is behind NAT.
 In that situation, if a \fB\-X\fP is used in form "\fB\-X\fP <ip>" then that ip will be reported
 as relay IP address of all allocations. This scenario works only in a simple case
-when one single relay address is be used, and no CHANGE_REQUEST functionality is 
+when one single relay address is be used, and no CHANGE_REQUEST functionality is
 required. That single relay address must be mapped by NAT to the 'external' IP.
 The "external\-ip" value, if not empty, is returned in XOR\-RELAYED\-ADDRESS field.
 For that 'external' IP, NAT must forward ports directly (relayed port 12345
 must be always mapped to the same 'external' port 12345).
 In more complex case when more than one IP address is involved,
 that option must be used several times, each entry must
 have form "\fB\-X\fP <public\-ip/private\-ip>", to map all involved addresses.
-CHANGE_REQUEST (RFC5780 or RFC3489) NAT discovery STUN functionality will work 
-correctly, if the addresses are mapped properly, even when the TURN server itself 
+CHANGE_REQUEST (RFC5780 or RFC3489) NAT discovery STUN functionality will work
+correctly, if the addresses are mapped properly, even when the TURN server itself
 is behind A NAT.
 By default, this value is empty, and no address mapping is used.
 .TP
@@ -540,54 +539,54 @@ By default, this value is empty, and no address mapping is used.
 Number of the relay threads to handle the established connections
 (in addition to authentication thread and the listener thread).
 If explicitly set to 0 then application runs relay process in a single thread,
-in the same thread with the listener process (the authentication thread will 
-still be a separate thread). If not set, then a default optimal algorithm 
+in the same thread with the listener process (the authentication thread will
+still be a separate thread). If not set, then a default optimal algorithm
 will be employed (OS\-dependent). In the older Linux systems
-(before Linux kernel 3.9), the number of UDP threads is always one threads 
+(before Linux kernel 3.9), the number of UDP threads is always one threads
 per network listening endpoint \- unless "\fB\-m\fP 0" or "\fB\-m\fP 1" is set.
 .TP
 .B
 \fB\-\-min\-port\fP
-Lower bound of the UDP port range for relay 
+Lower bound of the UDP port range for relay
 endpoints allocation.
 Default value is 49152, according to RFC 5766.
 .TP
 .B
 \fB\-\-max\-port\fP
-Upper bound of the UDP port range for relay 
+Upper bound of the UDP port range for relay
 endpoints allocation.
 Default value is 65535, according to RFC 5766.
 .TP
 .B
 \fB\-u\fP, \fB\-\-user\fP
-Long\-term security mechanism credentials user account, 
-in the column\-separated form username:key. 
+Long\-term security mechanism credentials user account,
+in the column\-separated form username:key.
 Multiple user accounts may be used in the command line.
 The key is either the user password, or
 the key is generated
 by \fIturnadmin\fP command. In the second case,
 the key must be prepended with 0x symbols.
-The key is calculated over the user name, 
+The key is calculated over the user name,
 the user realm, and the user password.
 This setting may not be used with TURN REST API.
 .TP
 .B
 \fB\-r\fP, \fB\-\-realm\fP
-The default realm to be used for the users when no explicit 
+The default realm to be used for the users when no explicit
 origin/realm relationship was found in the database, or if the TURN
 server is not using any database (just the commands\-line settings
-and the userdb file). Must be used with long\-term credentials 
+and the userdb file). Must be used with long\-term credentials
 mechanism or with TURN REST API.
 .TP
 .B
 \fB\-C\fP, \fB\-\-rest\-api\-separator\fP
-This is the timestamp/username separator symbol 
+This is the timestamp/username separator symbol
 (character) in TURN REST API. The default value is :.
 .TP
 .B
 \fB\-q\fP, \fB\-\-user\-quota\fP
-Per\-user allocations quota: how many concurrent 
-allocations a user can create. This option can also be set 
+Per\-user allocations quota: how many concurrent
+allocations a user can create. This option can also be set
 through the database, for a particular realm.
 .TP
 .B
@@ -598,9 +597,9 @@ This option can also be set through the database, for a particular realm.
 .B
 \fB\-s\fP, \fB\-\-max\-bps\fP
 Max bytes\-per\-second bandwidth a TURN session is allowed to handle
-(input and output network streams are treated separately). Anything above 
+(input and output network streams are treated separately). Anything above
 that limit will be dropped or temporary suppressed (within the
-available buffer limits). This option can also be set through the 
+available buffer limits). This option can also be set through the
 database, for a particular realm.
 .TP
 .B
@@ -613,11 +612,25 @@ separately).
 .B
 \fB\-\-static\-auth\-secret\fP
 Static authentication secret value (a string) for TURN REST API only.
-If not set, then the turn server will try to use the dynamic value 
+If not set, then the turn server will try to use the dynamic value
 in turn_secret table in user database (if present). The database\-stored
 value can be changed on\-the\-fly by a separate program, so this is why
 that other mode is dynamic. Multiple shared secrets can be used
 (both in the database and in the "static" fashion).
+.RS
+.TP
+.B
+\fB\-\-no\-auth\-pings\fP
+Disable periodic health checks to 'dynamic' auth secret tables.
+.TP
+.B
+\fB\-\-no\-dynamic\-ip\-list\fP
+Do not use dynamic allowed/denied peer ip list.
+.TP
+.B
+\fB\-\-no\-dynamic\-realms\fP
+Do not use dynamic realm assignment and \fIoptions\fP.
+.RE
 .TP
 .B
 \fB\-\-server\-name\fP
@@ -627,17 +640,17 @@ The default value is the realm name.
 .TP
 .B
 \fB\-\-cert\fP
-Certificate file, PEM format. Same file 
-search rules applied as for the configuration 
-file. If both \fB\-\-no\-tls\fP and \fB\-\-no\-dtls\fP \fIoptions\fP 
+Certificate file, PEM format. Same file
+search rules applied as for the configuration
+file. If both \fB\-\-no\-tls\fP and \fB\-\-no\-dtls\fP \fIoptions\fP
 are specified, then this parameter is not needed.
 Default value is turn_server_cert.pem.
 .TP
 .B
 \fB\-\-pkey\fP
-Private key file, PEM format. Same file 
-search rules applied as for the configuration 
-file. If both \fB\-\-no\-tls\fP and \fB\-\-no\-dtls\fP \fIoptions\fP 
+Private key file, PEM format. Same file
+search rules applied as for the configuration
+file. If both \fB\-\-no\-tls\fP and \fB\-\-no\-dtls\fP \fIoptions\fP
 are specified, then this parameter is not needed.
 Default value is turn_server_pkey.pem.
 .TP
@@ -652,94 +665,94 @@ Default value is "DEFAULT".
 .TP
 .B
 \fB\-\-CA\-file\fP
-CA file in OpenSSL format. 
+CA file in OpenSSL format.
 Forces TURN server to verify the client SSL certificates.
 By default, no CA is set and no client certificate check is performed.
 .TP
 .B
 \fB\-\-ec\-curve\-name\fP
-Curve name for EC ciphers, if supported by OpenSSL 
-library (TLS and DTLS). The default value is prime256v1, 
+Curve name for EC ciphers, if supported by OpenSSL
+library (TLS and DTLS). The default value is prime256v1,
 if pre\-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
 an optimal curve will be automatically calculated, if not defined
 by this option.
 .TP
 .B
 \fB\-\-dh\-file\fP
 Use custom DH TLS key, stored in PEM format in the file.
-Flags \fB\-\-dh566\fP and \fB\-\-dh2066\fP are ignored when the DH key is taken from a file.
+Flags \fB\-\-dh566\fP and \fB\-\-dh1066\fP are ignored when the DH key is taken from a file.
 .TP
 .B
 \fB\-l\fP, \fB\-\-log\-file\fP
 Option to set the full path name of the log file.
-By default, the \fIturnserver\fP tries to open a log file in 
-/var/log/\fIturnserver\fP, /var/log, /var/tmp, /tmp and . (current) 
-directories (which file open operation succeeds 
-first that file will be used). With this option you can set the 
+By default, the \fIturnserver\fP tries to open a log file in
+/var/log/\fIturnserver\fP, /var/log, /var/tmp, /tmp and . (current)
+directories (which file open operation succeeds
+first that file will be used). With this option you can set the
 definite log file name.
-The special names are "stdout" and "\-" \- they will force everything 
+The special names are "stdout" and "\-" \- they will force everything
 to the stdout. Also, "syslog" name will redirect everything into
-the system log (syslog), as if the option "\fB\-\-syslog\fP" was set. 
-In the runtime, the logfile can be reset with the SIGHUP signal 
+the system log (syslog), as if the option "\fB\-\-syslog\fP" was set.
+In the runtime, the logfile can be reset with the SIGHUP signal
 to the \fIturnserver\fP process.
 .TP
 .B
 \fB\-\-alternate\-server\fP
 Option to set the "redirection" mode. The value of this option
-will be the address of the alternate server for UDP & TCP service in form of 
+will be the address of the alternate server for UDP & TCP service in form of
 <ip>[:<port>]. The server will send this value in the attribute
 ALTERNATE\-SERVER, with error 300, on ALLOCATE request, to the client.
 Client will receive only values with the same address family
-as the client network endpoint address family. 
-See RFC 5389 and RFC 5766 for ALTERNATE\-SERVER functionality description. 
+as the client network endpoint address family.
+See RFC 5389 and RFC 5766 for ALTERNATE\-SERVER functionality description.
 The client must use the obtained value for subsequent TURN communications.
 If more than one \fB\-\-alternate\-server\fP \fIoptions\fP are provided, then the functionality
-can be more accurately described as "load\-balancing" than a mere "redirection". 
-If the port number is omitted, then the default port 
+can be more accurately described as "load\-balancing" than a mere "redirection".
+If the port number is omitted, then the default port
 number 3478 for the UDP/TCP protocols will be used.
-Colon (:) characters in IPv6 addresses may conflict with the syntax of 
-the option. To alleviate this conflict, literal IPv6 addresses are enclosed 
-in square brackets in such resource identifiers, for example: 
-[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 . 
+Colon (:) characters in IPv6 addresses may conflict with the syntax of
+the option. To alleviate this conflict, literal IPv6 addresses are enclosed
+in square brackets in such resource identifiers, for example:
+[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
 Multiple alternate servers can be set. They will be used in the
-round\-robin manner. All servers in the pool are considered of equal weight and 
-the load will be distributed equally. For example, if we have 4 alternate servers, 
-then each server will receive 25% of ALLOCATE requests. An alternate TURN server 
-address can be used more than one time with the alternate\-server option, so this 
-can emulate "weighting" of the servers. 
+round\-robin manner. All servers in the pool are considered of equal weight and
+the load will be distributed equally. For example, if we have 4 alternate servers,
+then each server will receive 25% of ALLOCATE requests. An alternate TURN server
+address can be used more than one time with the alternate\-server option, so this
+can emulate "weighting" of the servers.
 .TP
 .B
 \fB\-\-tls\-alternate\-server\fP
-Option to set alternative server for TLS & DTLS services in form of 
-<ip>:<port>. If the port number is omitted, then the default port 
-number 5349 for the TLS/DTLS protocols will be used. See the 
+Option to set alternative server for TLS & DTLS services in form of
+<ip>:<port>. If the port number is omitted, then the default port
+number 5349 for the TLS/DTLS protocols will be used. See the
 previous option for the functionality description.
 .TP
 .B
 \fB\-O\fP, \fB\-\-redis\-statsdb\fP
-Redis status and statistics database connection string, if used (default \- empty, 
-no Redis stats DB used). This database keeps allocations status information, and it can 
+Redis status and statistics database connection string, if used (default \- empty,
+no Redis stats DB used). This database keeps allocations status information, and it can
 be also used for publishing and delivering traffic and allocation event notifications.
 This database option can be used independently of \fB\-\-redis\-userdb\fP option,
-and actually Redis can be used for status/statistics and SQLite or MySQL or MongoDB or 
+and actually Redis can be used for status/statistics and SQLite or MySQL or MongoDB or
 PostgreSQL can be used for the user database.
 The connection string has the same parameters as redis\-userdb connection string.
 .TP
 .B
 \fB\-\-max\-allocate\-timeout\fP
-Max time, in seconds, allowed for full allocation establishment. 
+Max time, in seconds, allowed for full allocation establishment.
 Default is 60 seconds.
 .PP
 \fB\-\-denied\-peer\-ip\fP=<IPaddr[\fB\-IPaddr\fP]>
 .PP
-\fB\-\-allowed\-peer\-ip\fP=<IPaddr[\fB\-IPaddr\fP]> Options to ban or allow specific ip addresses or ranges 
-of ip addresses. If an ip address is specified as both allowed and denied, then 
+\fB\-\-allowed\-peer\-ip\fP=<IPaddr[\fB\-IPaddr\fP]> Options to ban or allow specific ip addresses or ranges
+of ip addresses. If an ip address is specified as both allowed and denied, then
 the ip address is considered to be allowed. This is useful when you wish to ban
 a range of ip addresses, except for a few specific ips within that range.
 This can be used when you do not want users of the turn server to be able to access
-machines reachable by the turn server, but would otherwise be unreachable from the 
-internet (e.g. when the turn server is sitting behind a NAT). The 'white" and "black" peer 
-IP ranges can also be dynamically changed in the database. 
+machines reachable by the turn server, but would otherwise be unreachable from the
+internet (e.g. when the turn server is sitting behind a NAT). The 'white" and "black" peer
+IP ranges can also be dynamically changed in the database.
 The allowed/denied addresses (white/black lists) rules are very simple:
 .RS
 .IP 1) 4
@@ -777,9 +790,9 @@ Client <=> Server communication address family.
 \fB\-\-cli\-ip\fP
 Local system IP address to be used for CLI management interface.
 The \fIturnserver\fP process can be accessed for management with telnet,
-at this IP address and on the CLI port (see the next parameter). 
+at this IP address and on the CLI port (see the next parameter).
 Default value is 127.0.0.1. You can use telnet or putty (in telnet mode)
-to access the CLI management interface. 
+to access the CLI management interface.
 .TP
 .B
 \fB\-\-cli\-port\fP
@@ -833,24 +846,24 @@ This is a set of notes for the WebRTC users:
 .IP 1) 4
 WebRTC uses long\-term authentication mechanism, so you have to use \fB\-a\fP
 option (or \fB\-\-lt\-cred\-mech\fP). WebRTC relaying will not work with anonymous
-access. With \fB\-a\fP option, do not forget to set the 
-default realm (\fB\-r\fP option). You will also have to set up the user accounts, 
+access. With \fB\-a\fP option, do not forget to set the
+default realm (\fB\-r\fP option). You will also have to set up the user accounts,
 for that you have a number of \fIoptions\fP:
 .PP
 .nf
 .fam C
         a) command\-line options (\-u).
 
-        b) a database table (SQLite or PostgreSQL or MySQL or MongoDB). You will have to 
-        set keys with turnadmin utility (see docs and wiki for turnadmin). 
+        b) a database table (SQLite or PostgreSQL or MySQL or MongoDB). You will have to
+        set keys with turnadmin utility (see docs and wiki for turnadmin).
         You cannot use open passwords in the database.
 
-        c) Redis key/value pair(s), if Redis is used. You key use either keys or 
-        open passwords with Redis; see turndb/testredisdbsetup.sh file.  
+        c) Redis key/value pair(s), if Redis is used. You key use either keys or
+        open passwords with Redis; see turndb/testredisdbsetup.sh file.
 
         d) You also can use the TURN REST API. You will need shared secret(s) set
         either  through the command line option, or through the config file, or through
-        the database table or Redis key/value pairs.  
+        the database table or Redis key/value pairs.
 
 .fam T
 .fi
@@ -868,19 +881,19 @@ number range.
 .SH TURN REST API
 
 In WebRTC, the browser obtains the TURN connection information from the web
-server. This information is a secure information \- because it contains the 
-necessary TURN credentials. As these credentials are transmitted over the 
+server. This information is a secure information \- because it contains the
+necessary TURN credentials. As these credentials are transmitted over the
 public networks, we have a potential security breach.
 .PP
-If we have to transmit a valuable information over the public network, 
-then this information has to have a limited lifetime. Then the guy who 
-obtains this information without permission will be able to perform 
+If we have to transmit a valuable information over the public network,
+then this information has to have a limited lifetime. Then the guy who
+obtains this information without permission will be able to perform
 only limited damage.
 .PP
-This is how the idea of TURN REST API \- time\-limited TURN credentials \- 
-appeared. This security mechanism is based upon the long\-term credentials 
-mechanism. The main idea of the REST API is that the web server provides 
-the credentials to the client, but those credentials can be used only 
+This is how the idea of TURN REST API \- time\-limited TURN credentials \-
+appeared. This security mechanism is based upon the long\-term credentials
+mechanism. The main idea of the REST API is that the web server provides
+the credentials to the client, but those credentials can be used only
 limited time by an application that has to create a TURN server connection.
 .PP
 The "classic" long\-term credentials mechanism (LTCM) is described here:
@@ -891,23 +904,23 @@ http://tools.ietf.org/html/rfc5389#section\-15.4
 .PP
 For authentication, each user must know two things: the username and the
 password. Optionally, the user must supply the ORIGIN value, so that the
-server can figure out the realm to be used for the user. The nonce and 
-the realm values are supplied by the TURN server. But LTCM is not saying 
-anything about the nature and about the persistence of the username and 
+server can figure out the realm to be used for the user. The nonce and
+the realm values are supplied by the TURN server. But LTCM is not saying
+anything about the nature and about the persistence of the username and
 of the password; and this is used by the REST API.
 .PP
-In the TURN REST API, there is no persistent passwords for users. A user has 
-just the username. The password is always temporary, and it is generated by 
-the web server on\-demand, when the user accesses the WebRTC page. And, 
-actually, a temporary one\-time session only, username is provided to the user, 
-too. 
+In the TURN REST API, there is no persistent passwords for users. A user has
+just the username. The password is always temporary, and it is generated by
+the web server on\-demand, when the user accesses the WebRTC page. And,
+actually, a temporary one\-time session only, username is provided to the user,
+too.
 .PP
 The temporary user is generated as:
 .PP
 temporary\-username="timestamp" + ":" + "username"
 .PP
-where username is the persistent user name, and the timestamp format is just 
-seconds sinse 1970 \- the same value as \fBtime\fP(NULL) function returns.
+where username is the persistent user name, and the timestamp format is just
+seconds since 1970 \- the same value as \fBtime\fP(NULL) function returns.
 .PP
 The temporary password is obtained as HMAC\-SHA1 function over the temporary
 username, with shared secret as the HMAC key, and then the result is encoded:
@@ -918,7 +931,7 @@ Both the TURN server and the web server know the same shared secret. How the
 shared secret is distributed among the involved entities is left to the WebRTC
 deployment details \- this is beyond the scope of the TURN REST API.
 .PP
-So, a timestamp is used for the temporary password calculation, and this 
+So, a timestamp is used for the temporary password calculation, and this
 timestamp can be retrieved from the temporary username. This information
 is valuable, but only temporary, while the timestamp is not expired. Without
 knowledge of the shared secret, a new temporary password cannot be generated.
@@ -933,7 +946,7 @@ For developers, we are going to describe it step\-by\-step below:
 .RS
 .IP \(bu 3
 a new TURN client sends a request command to the TURN server. Optionally,
-it adds the ORIGIN field to it. 
+it adds the ORIGIN field to it.
 .IP \(bu 3
 TURN server sees that this is a new client and the message is not
 authenticated.
@@ -956,13 +969,13 @@ the client uses username, realm and password to produce a key:
 (SASLprep is described here: http://tools.ietf.org/html/rfc4013)
 .IP \(bu 3
 the client forms a new request, adds username, realm and nonce to the
-request. Then, the client calculates and adds the integrity field to 
+request. Then, the client calculates and adds the integrity field to
 the request. This is the trickiest part of the process, and it is
-described in the end of section 15.4: 
+described in the end of section 15.4:
 http://tools.ietf.org/html/rfc5389#section\-15.4
 .IP \(bu 3
 the client, optionally, adds the fingerprint field. This may be also
-a tricky procedure, described in section 15.5 of the same document. 
+a tricky procedure, described in section 15.5 of the same document.
 WebRTC usually uses fingerprinted TURN messages.
 .IP \(bu 3
 the TURN server receives the request, reads the username.
@@ -975,65 +988,65 @@ then the TURN server calculates the key.
 then the TURN server calculates the integrity field.
 .IP \(bu 3
 then the TURN server compares the calculated integrity field with the
-received one \- they must be the same. If the integrity fields differ, 
+received one \- they must be the same. If the integrity fields differ,
 then the request is rejected.
 .RE
 .PP
-In subsequent communications, the client may go with exactly the same 
-sequence, but for optimization usually the client, having already 
-information about realm and nonce, pre\-calculates the integrity string 
-for each request, so that the 401 error response becomes unnecessary. 
-The TURN server may use "\fB\-\-stale\-nonce\fP" option for extra security: in 
+In subsequent communications, the client may go with exactly the same
+sequence, but for optimization usually the client, having already
+information about realm and nonce, pre\-calculates the integrity string
+for each request, so that the 401 error response becomes unnecessary.
+The TURN server may use "\fB\-\-stale\-nonce\fP" option for extra security: in
 some time, the nonce expires and the client will obtain 438 error response
 with the new nonce, and the client will have to start using the new nonce.
 .PP
-In subsequent communications, the sever and the client will always assume 
-the same password \- the original password becomes the session parameter and 
+In subsequent communications, the server and the client will always assume
+the same password \- the original password becomes the session parameter and
 is never expiring. So the password is not changing while the session is valid
-and unexpired. So, if the session is properly maintained, it may go forever, 
-even if the user password has been already changed (in the database). The 
-session simply is using the old password. Once the session got disconnected, 
-the client will have to use the new password to re\-connect (if the password 
+and unexpired. So, if the session is properly maintained, it may go forever,
+even if the user password has been already changed (in the database). The
+session simply is using the old password. Once the session got disconnected,
+the client will have to use the new password to re\-connect (if the password
 has been changed).
 .PP
 An example when a new shared secret is generated every hour by the TURN server
 box and then supplied to the web server, remotely, is provided in the script
 examples/scripts/restapi/shared_secret_maintainer.pl .
 .PP
-A very important thing is that the nonce must be totally random and it must be 
-different for different clients and different sessions. 
+A very important thing is that the nonce must be totally random and it must be
+different for different clients and different sessions.
 .PP
 ===================================
 .SH DATABASES
 
 For the user database, the \fIturnserver\fP has the following \fIoptions\fP:
 .IP 1) 4
 Users can be set in the command line, with multiple \fB\-u\fP or \fB\-\-user\fP \fIoptions\fP.
-Obviously, only a few users can be set that way, and their credentials are fixed 
+Obviously, only a few users can be set that way, and their credentials are fixed
 for the \fIturnserver\fP process lifetime.
 .IP 2) 4
 Users can be stored in SQLite DB. The default SQLite database file is /var/db/turndb
 or /usr/local/var/db/turndb or /var/lib/turn/turndb.
 .IP 3) 4
 Users can be stored in PostgreSQL database, if the \fIturnserver\fP was compiled with PostgreSQL
 support. Each time \fIturnserver\fP checks user credentials, it reads the database (asynchronously,
-of course, so that the current flow of packets is not delayed in any way), so any change in the 
-database content is immediately visible by the \fIturnserver\fP. This is the way if you need the 
+of course, so that the current flow of packets is not delayed in any way), so any change in the
+database content is immediately visible by the \fIturnserver\fP. This is the way if you need the
 best scalability. The schema for the database can be found in schema.sql file.
-For long\-term credentials, you have to set the "keys" for the users; the "keys" are generated 
-by the \fIturnadmin\fP utility. For the key generation, you need username, password and the realm. 
-All users in the database must use the same realm value; if down the road you will decide 
-to change the realm name, then you will have to re\-generate all user keys (that can be done 
+For long\-term credentials, you have to set the "keys" for the users; the "keys" are generated
+by the \fIturnadmin\fP utility. For the key generation, you need username, password and the realm.
+All users in the database must use the same realm value; if down the road you will decide
+to change the realm name, then you will have to re\-generate all user keys (that can be done
 in a batch script). See the file turndb/testsqldbsetup.sql as an example.
 .IP 4) 4
 The same is true for MySQL database. The same schema file is applicable.
-The same considerations are applicable. 
+The same considerations are applicable.
 .IP 5) 4
 The same is true for the Redis database, but the Redis database has aa different schema \-
-it can be found (in the form of explanation) in schema.userdb.redis. 
-Also, in Redis you can store both "keys" and open passwords (for long term credentials) \- 
-the "open password" option is less secure but more convenient for low\-security environments. 
-See the file turndb/testredisdbsetup.sh as an example. 
+it can be found (in the form of explanation) in schema.userdb.redis.
+Also, in Redis you can store both "keys" and open passwords (for long term credentials) \-
+the "open password" option is less secure but more convenient for low\-security environments.
+See the file turndb/testredisdbsetup.sh as an example.
 .IP 6) 4
 If a database is used, then users can be divided into multiple independent realms. Each realm
 can be administered separately, and each realm can have its own set of users and its own
@@ -1050,21 +1063,21 @@ The simplest choice is not to use it. Do not set \fB\-\-redis\-statsdb\fP option
 will be simply ignored.
 .IP 2) 4
 If you choose to use it, then set the \fB\-\-redis\-statsdb\fP option. This may be the same database
-as in \fB\-\-redis\-userdb\fP option, or it may be a different database. You may want to use different 
+as in \fB\-\-redis\-userdb\fP option, or it may be a different database. You may want to use different
 database for security or convenience reasons. Also, you can use different database management
-systems for the user database and for the ststus and statistics database. For example, you can use 
+systems for the user database and for the ststus and statistics database. For example, you can use
 MySQL as the user database, and you can use redis for the statistics. Or you can use Redis for both.
 .PP
 So, we have 6 choices for the user management, and 2 choices for the statistics management. These
-two are totally independent. So, you have overall 6*2=12 ways to handle persistent information, 
+two are totally independent. So, you have overall 6*2=12 ways to handle persistent information,
 choose any for your convenience.
 .PP
-You do not have to handle the database information "manually" \- the \fIturnadmin\fP program can handle 
+You do not have to handle the database information "manually" \- the \fIturnadmin\fP program can handle
 everything for you. For PostgreSQL and MySQL you will just have to create an empty database
-with schema.sql SQL script. With Redis, you do not have to do even that \- just run \fIturnadmin\fP and 
-it will set the users for you (see the \fIturnadmin\fP manuals). If you are using SQLite, then the 
-\fIturnserver\fP or \fIturnadmin\fP will initialize the empty database, for you, when started. The 
-TURN server installation process creates an empty initialized SQLite database in the default 
+with schema.sql SQL script. With Redis, you do not have to do even that \- just run \fIturnadmin\fP and
+it will set the users for you (see the \fIturnadmin\fP manuals). If you are using SQLite, then the
+\fIturnserver\fP or \fIturnadmin\fP will initialize the empty database, for you, when started. The
+TURN server installation process creates an empty initialized SQLite database in the default
 location (/var/db/turndb or /usr/local/var/db/turndb or /var/lib/turn/turndb, depending on the system).
 .PP
 =================================
@@ -1083,7 +1096,7 @@ does not include the ALPN information into the ServerHello.
 In the lib/ sub\-directory the build process will create TURN client messaging library.
 In the include/ sub\-directory, the necessary include files will be placed.
 The C++ wrapper for the messaging functionality is located in TurnMsgLib.h header.
-An example of C++ code can be found in stunclient.c file. 
+An example of C++ code can be found in stunclient.c file.
 .PP
 =================================
 .SH DOCS
@@ -1098,13 +1111,13 @@ $ man \fB\-M\fP man \fIturnserver\fP
 .PP
 to see the man page.
 .PP
-In the docs/html subdirectory of the original archive tree, you will find the client library 
+In the docs/html subdirectory of the original archive tree, you will find the client library
 reference. After the installation, it will be placed in PREFIX/share/doc/\fIturnserver\fP/html.
 .PP
 =================================
 .SH LOGS
 
-When the \fBTURN Server\fP starts, it makes efforts to create a log file turn_<pid>.log 
+When the \fBTURN Server\fP starts, it makes efforts to create a log file turn_<pid>.log
 in the following directories:
 .RS
 .IP \(bu 3
@@ -1119,7 +1132,7 @@ in the following directories:
 current directory
 .RE
 .PP
-If all efforts failed (due to the system permission settings) then all 
+If all efforts failed (due to the system permission settings) then all
 log messages are sent only to the standard output of the process.
 .PP
 This behavior can be controlled by \fB\-\-log\-file\fP, \fB\-\-syslog\fP and \fB\-\-no\-stdout\-log\fP
@@ -1129,7 +1142,7 @@ This behavior can be controlled by \fB\-\-log\-file\fP, \fB\-\-syslog\fP and \fB
 .SH HTTPS MANAGEMENT INTERFACE
 
 The \fIturnserver\fP process provides an HTTPS Web access as statistics and basic
-management interface. The \fIturnserver\fP listens to incoming HTTPS admin 
+management interface. The \fIturnserver\fP listens to incoming HTTPS admin
 connections on the same ports as the main TURN/STUN listener. The Web admin
 pages are basic and self\-explanatory.
 .PP
@@ -1151,11 +1164,11 @@ in "help" command output in the telnet CLI.
 =================================
 .SH CLUSTERS
 
-\fBTURN Server\fP can be a part of the cluster installation. But, to support the "even port" functionality 
-(RTP/RTCP streams pairs) the client requests from a particular IP must be delivered to the same 
-\fBTURN Server\fP instance, so it requires some networking setup massaging for the cluster. The reason is that 
-the RTP and RTCP relaying endpoints must be allocated on the same relay IP. It would be possible 
-to design a scheme with the application\-level requests forwarding (and we may do that later) but 
+\fBTURN Server\fP can be a part of the cluster installation. But, to support the "even port" functionality
+(RTP/RTCP streams pairs) the client requests from a particular IP must be delivered to the same
+\fBTURN Server\fP instance, so it requires some networking setup massaging for the cluster. The reason is that
+the RTP and RTCP relaying endpoints must be allocated on the same relay IP. It would be possible
+to design a scheme with the application\-level requests forwarding (and we may do that later) but
 it would affect the performance.
 .PP
 =================================

@@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "29 January 2019" "" ""
+.TH TURN 1 "29 April 2020" "" ""
 .SH GENERAL INFORMATION
 
 A set of turnutils_* programs provides some utility functionality to be used
@@ -51,12 +51,12 @@ addresses should be configured to be able to work properly!
 .TP
 .B
 6.
-\fIturnutils_oauth\fP: a utility that provides OAuth access_token 
-\fBgeneration\fP(AEAD encryption), validation and decryption. This utility inputs 
-all the keys and lifetimes and any related information that needed for 
-creation and validationi of an access_token. It outputs a JSON with all OAuth 
-PoP parameters that need to pass to the client. Output is generated accoriding 
-RFC7635 Appendix B, Figure 8. 
+\fIturnutils_oauth\fP: a utility that provides OAuth access_token
+\fBgeneration\fP(AEAD encryption), validation and decryption. This utility inputs
+all the keys and lifetimes and any related information that needed for
+creation and validationi of an access_token. It outputs a JSON with all OAuth
+PoP parameters that need to pass to the client. Output is generated accoriding
+RFC7635 Appendix B, Figure 8.
 .PP
 For more details, and for the access_token structure, read rfc7635, and see
 script in examples/scripts/oauth.sh.
@@ -480,15 +480,15 @@ $ \fIturnutils_oauth\fP [\fIoptions\fP]
 .fi
 .SS  DESCRIPTION
 
-\fIturnutils_oauth\fP utilitiy provides help in OAuth access_token encryption and/or 
-decryption with AEAD (Atuthenticated Encryption with Associated Data). It helps 
-for an Auth Server in access_token creation, and also for debugging purposes it 
-helps the access_token validation and decryption. This utility inputs all the 
-keys and lifetimes and any related information that are needed for encryption 
-or decryption of an access_token. It outputs a JSON with all OAuth PoP 
-parameters that need to pass to the client. Output is generated accoriding 
-RFC7635 Appendix B, Figure 8. This utility could help to build an Auth Server 
-service, but be awere that this utility does not generate "session key" / 
+\fIturnutils_oauth\fP utilitiy provides help in OAuth access_token encryption and/or
+decryption with AEAD (Atuthenticated Encryption with Associated Data). It helps
+for an Auth Server in access_token creation, and also for debugging purposes it
+helps the access_token validation and decryption. This utility inputs all the
+keys and lifetimes and any related information that are needed for encryption
+or decryption of an access_token. It outputs a JSON with all OAuth PoP
+parameters that need to pass to the client. Output is generated accoriding
+RFC7635 Appendix B, Figure 8. This utility could help to build an Auth Server
+service, but be awere that this utility does not generate "session key" /
 "mac_key" and not verifies lifetime of "session key" / "mac_key" or "Auth key".
 For more details, and for the access_token structure, read rfc7635, and see
 the example in examples/scripts/oauth.sh.

@@ -1,57 +1,57 @@
 GENERAL INFORMATION
 
-turnadmin is a TURN administration tool. This tool can be used to manage 
-the user accounts (add/remove users, generate 
-TURN keys for the users). For security reasons, we do not recommend 
-storing passwords openly. The better option is to use pre-processed "keys" 
-which are then used for authentication. These keys are generated by turnadmin. 
-Turnadmin is a link to turnserver binary, but turnadmin performs different 
+turnadmin is a TURN administration tool. This tool can be used to manage
+the user accounts (add/remove users, generate
+TURN keys for the users). For security reasons, we do not recommend
+storing passwords openly. The better option is to use pre-processed "keys"
+which are then used for authentication. These keys are generated by turnadmin.
+Turnadmin is a link to turnserver binary, but turnadmin performs different
 functions.
 
 Options note: turnadmin has long and short option names, for most options.
-Some options have only long form, some options have only short form. Their syntax 
+Some options have only long form, some options have only short form. Their syntax
 somewhat different, if an argument is required:
 
 The short form must be used as this (for example):
 
   $ turnadmin -u <username> ...
-  
+
 The long form equivalent must use the "=" character:
 
   $ turnadmin --user=<username> ...
-  
+
 If this is a flag option (no argument required) then their usage are the same, for example:
 
  $ turnadmin -k ...
- 
+
 is equivalent to:
 
  $ turnadmin --key ...
 
-You have always the use the -r <realm> option with commands for long term credentials - 
+You have always the use the -r <realm> option with commands for long term credentials -
 because data for multiple realms can be stored in the same database.
- 
+
 =====================================
 
   NAME
 
-turnadmin - a TURN relay administration tool. 
-  
-  SYNOPSIS  
+turnadmin - a TURN relay administration tool.
+
+  SYNOPSIS
 
 $ turnadmin [command] [options]
 
 $ turnadmin [ -h | --help]
 
   DESCRIPTION
-  
-Commands:  
+
+Commands:
 
 -P, --generate-encrypted-password	Generate and print to the standard
 output an encrypted form of a password (for web admin user or CLI).
 The value then can be used as a safe key for the password
 storage on disk or in the database. Every invocation for the same password
-produces a different result. The for mat of the encrypted password is:
+produces a different result. The format of the encrypted password is:
 $5$<...salt...>$<...sha256(salt+password)...>. Salt is 16 characters,
 the sha256 output is 64 characters. Character 5 is the algorithm id (sha256).
 Only sha256 is supported as the hash function.
@@ -70,13 +70,13 @@ Only sha256 is supported as the hash function.
 
 -L, --list-admin		List admin users in the database.
 
--s, --set-secret=<value> Add shared secret for TURN RESP API
+-s, --set-secret=<value> Add shared secret for TURN REST API
 
 -S, --show-secret	Show stored shared secrets for TURN REST API
 
 -X, --delete-secret=<value> Delete a shared secret.
 	--delete-all_secrets	Delete all shared secrets for REST API.
-	
+
 -O, --add-origin		Add origin-to-realm relation.
 
 -R, --del-origin		Delete origin-to-realm relation.
@@ -86,10 +86,10 @@ Only sha256 is supported as the hash function.
 -g, --set-realm-option		Set realm params: max-bps, total-quota, user-quota.
 
 -G, --list-realm-options	List realm params.
--E, --generate-encrypted-password-aes	Generate and print to the standard output 
+-E, --generate-encrypted-password-aes	Generate and print to the standard output
 					an encrypted form of password with AES-128
-  
-Options with required values:  
+
+Options with required values:
 
 -b, --db, --userdb	SQLite user database file name (default - /var/db/turndb or
 			/usr/local/var/db/turndb or /var/lib/turn/turndb).
@@ -111,10 +111,10 @@ Options with required values:
 -o, --origin		Origin
 --max-bps		Set value of realm's max-bps parameter.
 --total-quota	Set value of realm's total-quota parameter.
---user-quota	Set value of realm's user-quota parameter. 
+--user-quota	Set value of realm's user-quota parameter.
 -h, --help		Help.
 
-Command examples:  
+Command examples:
 
 Generate an encrypted form of a password:
 
@@ -123,11 +123,11 @@ $ turnadmin -P -p <password>
 Generate a key:
 
 $ turnadmin -k -u <username> -r <realm> -p <password>
-  
+
 Add/update a user in the in the database:
 
 $ turnadmin -a [-b <userdb-file> | -e <db-connection-string> | -M <db-connection-string> | -N <db-connection-string> ] -u <username> -r <realm> -p <password>
-  
+
 Delete a user from the database:
 
 $ turnadmin -d [-b <userdb-file> | -e <db-connection-string> | -M <db-connection-string> | -N <db-connection-string> ] -u <username> -r <realm>
@@ -176,13 +176,13 @@ Verify/decrypt encrypted password:
 
 $ turnadmin --file-key-path <key-file> -v <encrypted>
 
-   
-Help:  
+
+Help:
 
 $ turnadmin -h
 
 =======================================
- 
+
   DOCS
 
 After installation, run the command:
@@ -258,13 +258,13 @@ to see the man page.
 	Erik Johnston <erikj@openmarket.com>
 
 	Roman Lisagor <roman@demonware.net>
-	
+
 	Vladimir Tsanev <tsachev@gmail.com>
-	
+
 	Po-sheng Lin <personlin118@gmail.com>
-	
+
 	Peter Dunkley <peter.dunkley@acision.com>
-	
+
 	Mutsutoshi Yoshimoto <mutsutoshi.yoshimoto@mixi.co.jp>
 
 	Federico Pinna <fpinna@vivocha.com>

@@ -1,181 +1,181 @@
 GENERAL INFORMATION
 
-The TURN Server project contains the source code of a TURN server and TURN client 
-messaging library. Also, some extra programs provided, for testing-only 
-purposes. 
+The TURN Server project contains the source code of a TURN server and TURN client
+messaging library. Also, some extra programs provided, for testing-only
+purposes.
 
 See the INSTALL file for the building instructions.
 
 After the build, you will have the following binary images:
 
-1.	turnserver: TURN Server relay. 
+1.	turnserver: TURN Server relay.
 The compiled binary image of the TURN Server program is located in bin/ sub-directory.
 
 2.	turnadmin: TURN administration tool. See README.turnadmin and turnadmin man page.
-  
+
 3.	turnutils_uclient. See README.turnutils and turnutils man page.
 
 4.	turnutils_peer. See README.turnutils and turnutils man page.
-   
+
 5.	turnutils_stunclient. See README.turnutils and turnutils man page.
-  
+
 6.	turnutils_rfc5769check. See README.turnutils and turnutils man page.
 
-In the "examples/scripts" sub-directory, you will find the examples of command lines to be used 
+In the "examples/scripts" sub-directory, you will find the examples of command lines to be used
 to run the programs. The scripts are meant to be run from examples/ sub-directory, for example:
 
 $ cd examples
 $ ./scripts/secure_relay.sh
-  
+
 RUNNING THE TURN SERVER
 
 Options note: turnserver has long and short option names, for most options.
-Some options have only long form, some options have only short form. Their syntax 
+Some options have only long form, some options have only short form. Their syntax
 somewhat different, if an argument is required:
 
 The short form must be used as this (for example):
 
   $ turnserver -L 12.34.56.78
-  
+
 The long form equivalent must use the "=" character:
 
   $ turnserver --listening-ip=12.34.56.78
-  
+
 If this is a flag option (no argument required) then their usage are the same, for example:
 
  $ turnserver -a
- 
+
 is equivalent to:
 
  $ turnserver --lt-cred-mech
-  
+
 =====================================
 
   NAME
-  
+
 turnserver - a TURN relay server implementation.
-  
+
   SYNOPSIS
-  
+
 $ turnserver [-n | -c <config-file> ] [flags] [ --userdb=<userdb-file> | --psql-userdb=<db-conn-string> | --mysql-userdb=<db-conn-string>  | --mongo-userdb=<db-conn-string>  | --redis-userdb=<db-conn-string> ] [-z | --no-auth | -a | --lt-cred-mech ] [options]
 $ turnserver -h
-  
-  DESCRIPTION						
-  
-Config file settings:  
+
+  DESCRIPTION
+
+Config file settings:
 
 -n		Do not use configuration file, use only command line parameters.
 
 -c		Configuration file name (default - turnserver.conf).
 		The format of config file can be seen in
-		the supplied examples/etc/turnserver.conf example file. Long 
-		names of the options are used as the configuration 
-		items names in the file. If not an absolute path is supplied, 
-		then the file is searched in the following directories: 
+		the supplied examples/etc/turnserver.conf example file. Long
+		names of the options are used as the configuration
+		items names in the file. If not an absolute path is supplied,
+		then the file is searched in the following directories:
 		  * current directory
 		  * current directory etc/ sub-directory
 		  * upper directory level etc/
-		  * /etc/ 
+		  * /etc/
 		  * /usr/local/etc/
 		  * installation directory /etc
 
-User database settings:  
+User database settings:
 
 -b, --db, --userdb	SQLite user database file name (default - /var/db/turndb or
 		/usr/local/var/db/turndb or /var/lib/turn/turndb).
-				  
+
 -e, --psql-userdb	User database connection string for PostgreSQL.
 		This database can be used for long-term credentials mechanism,
-		and it can store the secret value 
-		for secret-based timed authentication in TURN RESP API.
+		and it can store the secret value
+		for secret-based timed authentication in TURN REST API.
 		The connection string format is like that:
-		 
-		"host=<host> dbname=<dbname> user=<db-user> password=<db-user-password> connect_timeout=<seconds>" 
+
+		"host=<host> dbname=<dbname> user=<db-user> password=<db-user-password> connect_timeout=<seconds>"
 		(for 8.x or newer Postgres).
-		
+
 		Or:
-		
-		"postgresql://username:password@hostname:port/databasename" 
-		(for 9.x or newer Postgres). 
+
+		"postgresql://username:password@hostname:port/databasename"
+		(for 9.x or newer Postgres).
 
 		See the INSTALL file for more explanations and examples.
-		
+
 		Also, see http://www.PostgreSQL.org for full PostgreSQL documentation.
-				  
--M, --mysql-userdb	User database connection string for MySQL or MariaDB. 
+
+-M, --mysql-userdb	User database connection string for MySQL or MariaDB.
 		This database can be used for long-term credentials mechanism,
-		and it can store the secret value for 
-		secret-based timed authentication in TURN RESP API.
+		and it can store the secret value for
+		secret-based timed authentication in TURN REST API.
 		The connection string format is like that:
-		 
+
 		"host=<host> dbname=<dbname> user=<db-user> password=<db-user-password> connect_timeout=<seconds> read_timeout=<seconds>"
 
 		See the INSTALL file for more explanations and examples.
-		
-		Also, see http://www.mysql.org or http://mariadb.org 
+
+		Also, see http://www.mysql.org or http://mariadb.org
 		for full MySQL documentation.
-		
-		Optional connection string parameters for the secure communications (SSL): 
-		ca, capath, cert, key, cipher 
-		(see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the 
+
+		Optional connection string parameters for the secure communications (SSL):
+		ca, capath, cert, key, cipher
+		(see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
 		command options description).
-		
+
 --secret-key-file 	This is the file path which contain secret key of aes encryption while using MySQL password encryption.
 			If you want to use in the MySQL connection string the password in encrypted format,
 			then set in this option the file path of the secret key. The key which is used to encrypt MySQL password.
-			Warning: If this option is set, then MySQL password must be set in "mysql-userdb" option in encrypted format! 
+			Warning: If this option is set, then MySQL password must be set in "mysql-userdb" option in encrypted format!
 			If you want to use cleartext password then do not set this option!
--J, --mongo-userdb	User database connection string for MongoDB. 
+-J, --mongo-userdb	User database connection string for MongoDB.
 		This database can be used for long-term credentials mechanism,
-		and it can store the secret value 
-		for secret-based timed authentication in TURN RESP API.
+		and it can store the secret value
+		for secret-based timed authentication in TURN REST API.
 		The connection string format is like that:
-		 
+
 		"mongodb://username:password@host:port/database?options"
 
 		See the INSTALL file for more explanations and examples.
-		
+
 		Also, see http://docs.mongodb.org/manual/
 		for full MongoDB documentation.
-		
--N, --redis-userdb	User database connection string for Redis. 
+
+-N, --redis-userdb	User database connection string for Redis.
 		This database can be used for long-term	credentials mechanism,
-		and it can store the secret 
-		value for secret-based timed authentication in TURN RESP API.
+		and it can store the secret
+		value for secret-based timed authentication in TURN REST API.
 		The connection string format is like that:
-		 
+
 		"ip=<ip-addr> dbname=<db-number> password=<db-password> connect_timeout=<seconds>"
 
 		See the INSTALL file for more explanations and examples.
-		
+
 		Also, see http://redis.io for full Redis documentation.
 
-Flags:   
+Flags:
 
 -v, --verbose		Moderate verbose mode.
 
 -V, --Verbose		Extra verbose mode, very annoying and not recommended.
 
 -o, --daemon		Run server as daemon.
 
---prod       	 	Production mode: hide the software version.
+--no-software-attribute	Production mode: hide the software version.
 
 -f, --fingerprint	Use fingerprints in the TURN messages. If an incoming request
-			contains a fingerprint, then TURN server will always add 
+			contains a fingerprint, then TURN server will always add
 			fingerprints to the messages in this session, regardless of the
 			per-server setting.
 
 -a, --lt-cred-mech	Use long-term credentials mechanism (this one you need for WebRTC usage).
 
--z, --no-auth		Do not use any credentials mechanism, allow anonymous access. 
-			Opposite to -a and -A options. This is default option when no 
+-z, --no-auth		Do not use any credentials mechanism, allow anonymous access.
+			Opposite to -a and -A options. This is default option when no
 			authentication-related options are set.
 			By default, no credential mechanism is used -
 			any user is allowed.
 
 --use-auth-secret	TURN REST API flag.
-			Flag that sets a special WebRTC authorization option 
-			that is based upon authentication secret. The feature purpose 
+			Flag that sets a special WebRTC authorization option
+			that is based upon authentication secret. The feature purpose
 			is to support "TURN Server REST API" as described in
 			the TURN REST API section below.
 			This option uses timestamp as part of combined username:
@@ -187,12 +187,12 @@ Flags:
 			This option is just turns on secret-based authentication.
 			The actual value of the secret is defined either by option static-auth-secret,
 			or can be found in the turn_secret table in the database.
-			
+
 --oauth			Support oAuth authentication, as in the third-party STUN/TURN RFC 7635.
-			
---dh566			Use 566 bits predefined DH TLS key. Default size of the key is 1066.
 
---dh2066		Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
+--dh566			Use 566 bits predefined DH TLS key. Default size of the key is 2066.
+
+--dh1066		Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
 
 --no-tlsv1		Do not allow TLSv1/DTLSv1 protocol.
 
@@ -208,67 +208,67 @@ Flags:
 
 --no-dtls		Do not start DTLS client listeners.
 
---no-udp-relay		Do not allow UDP relay endpoints defined in RFC 5766, 
+--no-udp-relay		Do not allow UDP relay endpoints defined in RFC 5766,
 			use only TCP relay endpoints as defined in RFC 6062.
 
---no-tcp-relay		Do not allow TCP relay endpoints defined in RFC 6062, 
-			use only UDP relay endpoints as defined in RFC 5766. 
+--no-tcp-relay		Do not allow TCP relay endpoints defined in RFC 6062,
+			use only UDP relay endpoints as defined in RFC 5766.
 
 --no-stdout-log		Flag to prevent stdout log messages.
 			By default, all log messages are going to both stdout and to
-			the configured log file. With this option everything will be going to 
+			the configured log file. With this option everything will be going to
 			the log file only (unless the log file itself is stdout).
-			
+
 --syslog		With this flag, all log will be redirected to the system log (syslog).
 
 --simple-log		This flag means that no log file rollover will be used, and the log file
 			name will be constructed as-is, without PID and date appendage.
 			This option can be used, for example, together with the logrotate tool.
-				
+
 --secure-stun		Require authentication of the STUN Binding request.
 			By default, the clients are allowed anonymous access to the STUN Binding functionality.
 
--S, --stun-only		Run as STUN server only, all TURN requests will be ignored. 
+-S, --stun-only		Run as STUN server only, all TURN requests will be ignored.
 			Option to suppress TURN functionality, only STUN requests will be processed.
 
---no-stun		Run as TURN server only, all STUN requests will be ignored. 
+--no-stun		Run as TURN server only, all STUN requests will be ignored.
 			Option to suppress STUN functionality, only TURN requests will be processed.
 
 --allow-loopback-peers	Allow peers on the loopback addresses (127.x.x.x and ::1).
-             Allow it only for testing in a development environment! 
-             In production it adds a possible security vulnerability, 
-             and so due to security reasons, it is not allowed 
+             Allow it only for testing in a development environment!
+             In production it adds a possible security vulnerability,
+             and so due to security reasons, it is not allowed
              using it together with empty cli-password.
 
---no-multicast-peers	Disallow peers on well-known broadcast addresses 
+--no-multicast-peers	Disallow peers on well-known broadcast addresses
 			(224.0.0.0 and above, and FFXX:*).
 
 --mobility		Mobility with ICE (MICE) specs support.
 
 --no-cli		Turn OFF the CLI support. By default it is always ON.
 			See also options --cli-ip and --cli-port.
-				
---server-relay		Server relay. NON-STANDARD AND DANGEROUS OPTION. 
-			Only for those applications when we want to run 
+
+--server-relay		Server relay. NON-STANDARD AND DANGEROUS OPTION.
+			Only for those applications when we want to run
 			server applications on the relay endpoints.
-			This option eliminates the IP permissions check 
+			This option eliminates the IP permissions check
 			on the packets incoming to the relay endpoints.
 			See http://tools.ietf.org/search/rfc5766#section-17.2.3 .
-				
+
 --udp-self-balance	(recommended for older Linuxes only)
 			Automatically balance UDP traffic over auxiliary servers
-			(if configured). The load balancing is using the 
-			ALTERNATE-SERVER mechanism. The TURN client must support 
+			(if configured). The load balancing is using the
+			ALTERNATE-SERVER mechanism. The TURN client must support
 			300 ALTERNATE-SERVER response for this functionality.
-			
---check-origin-consistency	The flag that sets the origin consistency 
+
+--check-origin-consistency	The flag that sets the origin consistency
 			check: across the session, all requests must have the same
 			main ORIGIN attribute value (if the ORIGIN was
 			initially used by the session).
 
 -h			Help.
-    
-Options with values:  
+
+Options with values:
 
 --stale-nonce[=<value>]		Use extra security with nonce value having
 							limited lifetime, in seconds (default 600 secs).
@@ -284,15 +284,15 @@ Options with values:
 					This MUST not be changed for production purposes.
 
 -d, --listening-device	Listener interface device.
-			(NOT RECOMMENDED. Optional functionality, Linux only). 
-			The turnserver process must have root privileges to bind the 
-			listening endpoint to a device. If turnserver must run as a 
+			(NOT RECOMMENDED. Optional functionality, Linux only).
+			The turnserver process must have root privileges to bind the
+			listening endpoint to a device. If turnserver must run as a
 			process without root privileges, then just do not use this setting.
 
--L, --listening-ip	Listener IP address of relay server. 
+-L, --listening-ip	Listener IP address of relay server.
 			Multiple listeners can be specified, for example:
 			-L ip1 -L ip2 -L ip3
-			If no IP(s) specified, then all IPv4 and 
+			If no IP(s) specified, then all IPv4 and
 			IPv6 system IPs will be used for listening.
 			The same ip(s) can be used as both listening and relay ip(s).
 
@@ -302,11 +302,11 @@ Options with values:
 
 --tls-listening-port	TURN listener port for TLS and DTLS listeners (Default: 5349).
 			Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
-			port(s), too - if allowed by configuration. The TURN server 
+			port(s), too - if allowed by configuration. The TURN server
 			"automatically" recognizes the type of traffic. Actually, two listening
 			endpoints (the "plain" one and the "tls" one) are equivalent in terms of
 			functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
-			For secure TCP connections, we currently support SSL version 3 and 
+			For secure TCP connections, we currently support SSL version 3 and
 			TLS versions 1.0, 1.1, 1.2.
 			For secure UDP connections, we support DTLS version 1.
 
@@ -321,218 +321,228 @@ Options with values:
 
 --alt-tls-listening-port	Alternative listening port for TLS and DTLS protocols.
 			Default (or zero) value means "TLS listening port plus one".
+
+--tcp-proxy-port	Support connections from TCP loadbalancer on this port. The loadbalancer
+			should use the binary proxy protocol.
+			(https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
 				
 --aux-server		Auxiliary STUN/TURN server listening endpoint.
 			Aux servers have almost full TURN and STUN functionality.
 			The (minor) limitations are:
 				1) Auxiliary servers do not have alternative ports and
 				they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
 				2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
-					
+
 			Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
 			There may be multiple aux-server options, each will be used for listening
 			to client requests.
 
--i, --relay-device	Relay interface device for relay sockets 
+-i, --relay-device	Relay interface device for relay sockets
 			(NOT RECOMMENDED. Optional, Linux only).
 
--E, --relay-ip		Relay address (the local IP address that 
-			will be used to relay the packets to the 
+-E, --relay-ip		Relay address (the local IP address that
+			will be used to relay the packets to the
 			peer). Multiple relay addresses may be used:
 			-E ip1 -E ip2 -E ip3
 			The same IP(s) can be used as both listening IP(s) and relay IP(s).
-			If no relay IP(s) specified, then the turnserver will apply the 
-			default policy: it will decide itself which relay addresses to be 
-			used, and it will always be using the client socket IP address as 
-			the relay IP address of the TURN session (if the requested relay 
+			If no relay IP(s) specified, then the turnserver will apply the
+			default policy: it will decide itself which relay addresses to be
+			used, and it will always be using the client socket IP address as
+			the relay IP address of the TURN session (if the requested relay
 			address family is the same as the family of the client socket).
 
 -X, --external-ip	TURN Server public/private address mapping, if the server is behind NAT.
 			In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
 			as relay IP address of all allocations. This scenario works only in a simple case
-			when one single relay address is be used, and no CHANGE_REQUEST functionality is 
+			when one single relay address is be used, and no CHANGE_REQUEST functionality is
 			required. That single relay address must be mapped by NAT to the 'external' IP.
 			The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
 			For that 'external' IP, NAT must forward ports directly (relayed port 12345
 			must be always mapped to the same 'external' port 12345).
 			In more complex case when more than one IP address is involved,
 			that option must be used several times, each entry must
 			have form "-X <public-ip/private-ip>", to map all involved addresses.
-			CHANGE_REQUEST (RFC5780 or RFC3489) NAT discovery STUN functionality will work 
-			correctly, if the addresses are mapped properly, even when the TURN server itself 
+			CHANGE_REQUEST (RFC5780 or RFC3489) NAT discovery STUN functionality will work
+			correctly, if the addresses are mapped properly, even when the TURN server itself
 			is behind A NAT.
 			By default, this value is empty, and no address mapping is used.
-				
+
 -m, --relay-threads	Number of the relay threads to handle the established connections
 			(in addition to authentication thread and the listener thread).
 			If explicitly set to 0 then application runs relay process in a single thread,
-			in the same thread with the listener process (the authentication thread will 
-			still be a separate thread). If not set, then a default optimal algorithm 
+			in the same thread with the listener process (the authentication thread will
+			still be a separate thread). If not set, then a default optimal algorithm
 			will be employed (OS-dependent). In the older Linux systems
-			(before Linux kernel 3.9), the number of UDP threads is always one threads 
+			(before Linux kernel 3.9), the number of UDP threads is always one threads
 			per network listening endpoint - unless "-m 0" or "-m 1" is set.
 
---min-port		Lower bound of the UDP port range for relay 
+--min-port		Lower bound of the UDP port range for relay
 			endpoints allocation.
 			Default value is 49152, according to RFC 5766.
 
---max-port		Upper bound of the UDP port range for relay 
+--max-port		Upper bound of the UDP port range for relay
 			endpoints allocation.
 			Default value is 65535, according to RFC 5766.
 
--u, --user		Long-term security mechanism credentials user account, 
-			in the column-separated form username:key. 
+-u, --user		Long-term security mechanism credentials user account,
+			in the column-separated form username:key.
 			Multiple user accounts may be used in the command line.
 			The key is either the user password, or
 			the key is generated
 			by turnadmin command. In the second case,
 			the key must be prepended with 0x symbols.
-			The key is calculated over the user name, 
+			The key is calculated over the user name,
 			the user realm, and the user password.
 			This setting may not be used with TURN REST API.
 
--r, --realm		The default realm to be used for the users when no explicit 
+-r, --realm		The default realm to be used for the users when no explicit
 			origin/realm relationship was found in the database, or if the TURN
 			server is not using any database (just the commands-line settings
-			and the userdb file). Must be used with long-term credentials 
+			and the userdb file). Must be used with long-term credentials
 			mechanism or with TURN REST API.
 
--C, --rest-api-separator	This is the timestamp/username separator symbol 
+-C, --rest-api-separator	This is the timestamp/username separator symbol
 			(character) in TURN REST API. The default value is :.
 
--q, --user-quota	Per-user allocations quota: how many concurrent 
-			allocations a user can create. This option can also be set 
+-q, --user-quota	Per-user allocations quota: how many concurrent
+			allocations a user can create. This option can also be set
 			through the database, for a particular realm.
 
 -Q, --total-quota	Total allocations quota: global limit on concurrent allocations.
 			This option can also be set through the database, for a particular realm.
 
 -s, --max-bps		Max bytes-per-second bandwidth a TURN session is allowed to handle
-			(input and output network streams are treated separately). Anything above 
+			(input and output network streams are treated separately). Anything above
 			that limit will be dropped or temporary suppressed (within the
-			available buffer limits). This option can also be set through the 
+			available buffer limits). This option can also be set through the
 			database, for a particular realm.
-			
+
 -B, --bps-capacity	Maximum server capacity.
 			Total bytes-per-second bandwidth the TURN server is allowed to allocate
 			for the sessions, combined (input and output network streams are treated
 			separately).
 
 --static-auth-secret	Static authentication secret value (a string) for TURN REST API only.
-			If not set, then the turn server will try to use the dynamic value 
+			If not set, then the turn server will try to use the dynamic value
 			in turn_secret table in user database (if present). The database-stored
 			value can be changed on-the-fly by a separate program, so this is why
 			that other mode is dynamic. Multiple shared secrets can be used
 			(both in the database and in the "static" fashion).
+
+ --no-auth-pings			Disable periodic health checks to 'dynamic' auth secret tables.
+
+ --no-dynamic-ip-list	Do not use dynamic allowed/denied peer ip list.
+
+ --no-dynamic-realms	Do not use dynamic realm assignment and options.
 			
 --server-name		Server name used for
 			the oAuth authentication purposes.
 			The default value is the realm name.
 
---cert			Certificate file, PEM format. Same file 
-			search rules applied as for the configuration 
-			file. If both --no-tls and --no-dtls options 
+--cert			Certificate file, PEM format. Same file
+			search rules applied as for the configuration
+			file. If both --no-tls and --no-dtls options
 			are specified, then this parameter is not needed.
 			Default value is turn_server_cert.pem.
 
---pkey		     	Private key file, PEM format. Same file 
-			search rules applied as for the configuration 
-			file. If both --no-tls and --no-dtls options 
+--pkey		     	Private key file, PEM format. Same file
+			search rules applied as for the configuration
+			file. If both --no-tls and --no-dtls options
 			are specified, then this parameter is not needed.
 			Default value is turn_server_pkey.pem.
-			
+
 --pkey-pwd		If the private key file is encrypted, then this password to be used.
 
 --cipher-list		Allowed OpenSSL cipher list for TLS/DTLS connections.
 			Default value is "DEFAULT".
-				
---CA-file		CA file in OpenSSL format. 
+
+--CA-file		CA file in OpenSSL format.
 			Forces TURN server to verify the client SSL certificates.
 			By default, no CA is set and no client certificate check is performed.
 
---ec-curve-name		Curve name for EC ciphers, if supported by OpenSSL 
-			library (TLS and DTLS). The default value is prime256v1, 
+--ec-curve-name		Curve name for EC ciphers, if supported by OpenSSL
+			library (TLS and DTLS). The default value is prime256v1,
 			if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
 			an optimal curve will be automatically calculated, if not defined
 			by this option.
 
 --dh-file		Use custom DH TLS key, stored in PEM format in the file.
-			Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
+			Flags --dh566 and --dh1066 are ignored when the DH key is taken from a file.
 
 -l, --log-file		Option to set the full path name of the log file.
-			By default, the turnserver tries to open a log file in 
-			/var/log/turnserver, /var/log, /var/tmp, /tmp and . (current) 
-			directories (which file open operation succeeds 
-			first that file will be used). With this option you can set the 
+			By default, the turnserver tries to open a log file in
+			/var/log/turnserver, /var/log, /var/tmp, /tmp and . (current)
+			directories (which file open operation succeeds
+			first that file will be used). With this option you can set the
 			definite log file name.
-			The special names are "stdout" and "-" - they will force everything 
+			The special names are "stdout" and "-" - they will force everything
 			to the stdout. Also, "syslog" name will redirect everything into
-			the system log (syslog), as if the option "--syslog" was set. 
-			In the runtime, the logfile can be reset with the SIGHUP signal 
+			the system log (syslog), as if the option "--syslog" was set.
+			In the runtime, the logfile can be reset with the SIGHUP signal
 			to the turnserver process.
-				
+
 --alternate-server	Option to set the "redirection" mode. The value of this option
-			will be the address of the alternate server for UDP & TCP service in form of 
+			will be the address of the alternate server for UDP & TCP service in form of
 			<ip>[:<port>]. The server will send this value in the attribute
 			ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
 			Client will receive only values with the same address family
-			as the client network endpoint address family. 
-			See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description. 
+			as the client network endpoint address family.
+			See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description.
 			The client must use the obtained value for subsequent TURN communications.
 			If more than one --alternate-server options are provided, then the functionality
-			can be more accurately described as "load-balancing" than a mere "redirection". 
-			If the port number is omitted, then the default port 
+			can be more accurately described as "load-balancing" than a mere "redirection".
+			If the port number is omitted, then the default port
 			number 3478 for the UDP/TCP protocols will be used.
-			Colon (:) characters in IPv6 addresses may conflict with the syntax of 
-			the option. To alleviate this conflict, literal IPv6 addresses are enclosed 
-			in square brackets in such resource identifiers, for example: 
-			[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 . 
+			Colon (:) characters in IPv6 addresses may conflict with the syntax of
+			the option. To alleviate this conflict, literal IPv6 addresses are enclosed
+			in square brackets in such resource identifiers, for example:
+			[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
 			Multiple alternate servers can be set. They will be used in the
-			round-robin manner. All servers in the pool are considered of equal weight and 
-			the load will be distributed equally. For example, if we have 4 alternate servers, 
-			then each server will receive 25% of ALLOCATE requests. An alternate TURN server 
-			address can be used more than one time with the alternate-server option, so this 
-			can emulate "weighting" of the servers. 
-
---tls-alternate-server	Option to set alternative server for TLS & DTLS services in form of 
-			<ip>:<port>. If the port number is omitted, then the default port 
-			number 5349 for the TLS/DTLS protocols will be used. See the 
+			round-robin manner. All servers in the pool are considered of equal weight and
+			the load will be distributed equally. For example, if we have 4 alternate servers,
+			then each server will receive 25% of ALLOCATE requests. An alternate TURN server
+			address can be used more than one time with the alternate-server option, so this
+			can emulate "weighting" of the servers.
+
+--tls-alternate-server	Option to set alternative server for TLS & DTLS services in form of
+			<ip>:<port>. If the port number is omitted, then the default port
+			number 5349 for the TLS/DTLS protocols will be used. See the
 			previous option for the functionality description.
 
--O, --redis-statsdb	Redis status and statistics database connection string, if used (default - empty, 
-			no Redis stats DB used). This database keeps allocations status information, and it can 
+-O, --redis-statsdb	Redis status and statistics database connection string, if used (default - empty,
+			no Redis stats DB used). This database keeps allocations status information, and it can
 			be also used for publishing and delivering traffic and allocation event notifications.
 			This database option can be used independently of --redis-userdb option,
-			and actually Redis can be used for status/statistics and SQLite or MySQL or MongoDB or 
+			and actually Redis can be used for status/statistics and SQLite or MySQL or MongoDB or
 			PostgreSQL can be used for the user database.
 			The connection string has the same parameters as redis-userdb connection string.
 
---max-allocate-timeout	Max time, in seconds, allowed for full allocation establishment. 
+--max-allocate-timeout	Max time, in seconds, allowed for full allocation establishment.
 			Default is 60 seconds.
 
 --denied-peer-ip=<IPaddr[-IPaddr]>
 
---allowed-peer-ip=<IPaddr[-IPaddr]> Options to ban or allow specific ip addresses or ranges 
-			of ip addresses. If an ip address is specified as both allowed and denied, then 
+--allowed-peer-ip=<IPaddr[-IPaddr]> Options to ban or allow specific ip addresses or ranges
+			of ip addresses. If an ip address is specified as both allowed and denied, then
 			the ip address is considered to be allowed. This is useful when you wish to ban
 			a range of ip addresses, except for a few specific ips within that range.
 			This can be used when you do not want users of the turn server to be able to access
-			machines reachable by the turn server, but would otherwise be unreachable from the 
-			internet (e.g. when the turn server is sitting behind a NAT). The 'white" and "black" peer 
-			IP ranges can also be dynamically changed in the database. 
+			machines reachable by the turn server, but would otherwise be unreachable from the
+			internet (e.g. when the turn server is sitting behind a NAT). The 'white" and "black" peer
+			IP ranges can also be dynamically changed in the database.
 			The allowed/denied addresses (white/black lists) rules are very simple:
-			1) If there is no rule for an address, then it is allowed; 
+			1) If there is no rule for an address, then it is allowed;
 			2) If there is an "allowed" rule that fits the address then it is allowed - no matter what;
 			3) If there is no "allowed" rule that fits the address, and if there is a "denied" rule that
 			fits the address, then it is denied.
 
 --pidfile 		File name to store the pid of the process.
 			Default is /var/run/turnserver.pid (if superuser account is used) or
 			/var/tmp/turnserver.pid .
-				
+
 --proc-user		User name to run the process. After the initialization, the turnserver process
 			will make an attempt to change the current user ID to that user.
-	
+
 --proc-group		Group name to run the process. After the initialization, the turnserver process
 			will make an attempt to change the current group ID to that group.
 
@@ -542,10 +552,10 @@ Options with values:
 
 --cli-ip		Local system IP address to be used for CLI management interface.
 			The turnserver process can be accessed for management with telnet,
-			at this IP address and on the CLI port (see the next parameter). 
+			at this IP address and on the CLI port (see the next parameter).
 			Default value is 127.0.0.1. You can use telnet or putty (in telnet mode)
-			to access the CLI management interface. 
-					
+			to access the CLI management interface.
+
 --cli-port		CLI management interface listening port. Default is 5766.
 
 --cli-password		CLI access password. Default is empty (no password).
@@ -574,59 +584,59 @@ LOAD BALANCE AND PERFORMANCE TUNING
 This topic is covered in the wiki page:
 
 https://github.com/coturn/coturn/wiki/turn_performance_and_load_balance
-	 
+
 ===================================
 
 WEBRTC USAGE
 
 This is a set of notes for the WebRTC users:
 
-1) WebRTC uses long-term authentication mechanism, so you have to use -a 
+1) WebRTC uses long-term authentication mechanism, so you have to use -a
 option (or --lt-cred-mech). WebRTC relaying will not work with anonymous
-access. With -a option, do not forget to set the 
-default realm (-r option). You will also have to set up the user accounts, 
+access. With -a option, do not forget to set the
+default realm (-r option). You will also have to set up the user accounts,
 for that you have a number of options:
 
 	a) command-line options (-u).
-	
-	b) a database table (SQLite or PostgreSQL or MySQL or MongoDB). You will have to 
-	set keys with turnadmin utility (see docs and wiki for turnadmin). 
+
+	b) a database table (SQLite or PostgreSQL or MySQL or MongoDB). You will have to
+	set keys with turnadmin utility (see docs and wiki for turnadmin).
 	You cannot use open passwords in the database.
 
-	c) Redis key/value pair(s), if Redis is used. You key use either keys or 
-	open passwords with Redis; see turndb/testredisdbsetup.sh file.  
-	
+	c) Redis key/value pair(s), if Redis is used. You key use either keys or
+	open passwords with Redis; see turndb/testredisdbsetup.sh file.
+
 	d) You also can use the TURN REST API. You will need shared secret(s) set
 	either	through the command line option, or through the config file, or through
-	the database table or Redis key/value pairs.  
+	the database table or Redis key/value pairs.
 
 2) Usually WebRTC uses fingerprinting (-f).
 
 3) -v option may be nice to see the connected clients.
 
 4) -X is needed if you are running your TURN server behind a NAT.
 
-5) --min-port and --max-port may be needed if you want to limit the relay endpoints ports 
+5) --min-port and --max-port may be needed if you want to limit the relay endpoints ports
 number range.
 
 ===================================
 
 TURN REST API
 
 In WebRTC, the browser obtains the TURN connection information from the web
-server. This information is a secure information - because it contains the 
-necessary TURN credentials. As these credentials are transmitted over the 
+server. This information is a secure information - because it contains the
+necessary TURN credentials. As these credentials are transmitted over the
 public networks, we have a potential security breach.
 
-If we have to transmit a valuable information over the public network, 
-then this information has to have a limited lifetime. Then the guy who 
-obtains this information without permission will be able to perform 
+If we have to transmit a valuable information over the public network,
+then this information has to have a limited lifetime. Then the guy who
+obtains this information without permission will be able to perform
 only limited damage.
 
-This is how the idea of TURN REST API - time-limited TURN credentials - 
-appeared. This security mechanism is based upon the long-term credentials 
-mechanism. The main idea of the REST API is that the web server provides 
-the credentials to the client, but those credentials can be used only 
+This is how the idea of TURN REST API - time-limited TURN credentials -
+appeared. This security mechanism is based upon the long-term credentials
+mechanism. The main idea of the REST API is that the web server provides
+the credentials to the client, but those credentials can be used only
 limited time by an application that has to create a TURN server connection.
 
 The "classic" long-term credentials mechanism (LTCM) is described here:
@@ -637,23 +647,23 @@ http://tools.ietf.org/html/rfc5389#section-15.4
 
 For authentication, each user must know two things: the username and the
 password. Optionally, the user must supply the ORIGIN value, so that the
-server can figure out the realm to be used for the user. The nonce and 
-the realm values are supplied by the TURN server. But LTCM is not saying 
-anything about the nature and about the persistence of the username and 
+server can figure out the realm to be used for the user. The nonce and
+the realm values are supplied by the TURN server. But LTCM is not saying
+anything about the nature and about the persistence of the username and
 of the password; and this is used by the REST API.
 
-In the TURN REST API, there is no persistent passwords for users. A user has 
-just the username. The password is always temporary, and it is generated by 
-the web server on-demand, when the user accesses the WebRTC page. And, 
-actually, a temporary one-time session only, username is provided to the user, 
-too. 
+In the TURN REST API, there is no persistent passwords for users. A user has
+just the username. The password is always temporary, and it is generated by
+the web server on-demand, when the user accesses the WebRTC page. And,
+actually, a temporary one-time session only, username is provided to the user,
+too.
 
 The temporary user is generated as:
 
 temporary-username="timestamp" + ":" + "username"
 
-where username is the persistent user name, and the timestamp format is just 
-seconds sinse 1970 - the same value as time(NULL) function returns.
+where username is the persistent user name, and the timestamp format is just
+seconds since 1970 - the same value as time(NULL) function returns.
 
 The temporary password is obtained as HMAC-SHA1 function over the temporary
 username, with shared secret as the HMAC key, and then the result is encoded:
@@ -664,7 +674,7 @@ Both the TURN server and the web server know the same shared secret. How the
 shared secret is distributed among the involved entities is left to the WebRTC
 deployment details - this is beyond the scope of the TURN REST API.
 
-So, a timestamp is used for the temporary password calculation, and this 
+So, a timestamp is used for the temporary password calculation, and this
 timestamp can be retrieved from the temporary username. This information
 is valuable, but only temporary, while the timestamp is not expired. Without
 knowledge of the shared secret, a new temporary password cannot be generated.
@@ -677,94 +687,94 @@ Once the temporary username and password are obtained by the client (browser)
 application, then the rest is just 'classic" long-term credentials mechanism.
 For developers, we are going to describe it step-by-step below:
 
-  - a new TURN client sends a request command to the TURN server. Optionally, 
-  it adds the ORIGIN field to it. 
-  - TURN server sees that this is a new client and the message is not 
+  - a new TURN client sends a request command to the TURN server. Optionally,
+  it adds the ORIGIN field to it.
+  - TURN server sees that this is a new client and the message is not
   	authenticated.
-  - the TURN server generates a random nonce string, and return the 
+  - the TURN server generates a random nonce string, and return the
   	error 401 to the client, with nonce and realm included. If the ORIGIN
   	field was present in the client request, it may affect the realm value
   	that the server chooses for the client.
-  - the client sees the 401 error and it extracts two values from 
+  - the client sees the 401 error and it extracts two values from
   	the error response: the nonce and the realm.
   - the client uses username, realm and password to produce a key:
 
          key = MD5(username ":" realm ":" SASLprep(password))
  (SASLprep is described here: http://tools.ietf.org/html/rfc4013)
- 
-  - the client forms a new request, adds username, realm and nonce to the 
-  	request. Then, the client calculates and adds the integrity field to 
+
+  - the client forms a new request, adds username, realm and nonce to the
+  	request. Then, the client calculates and adds the integrity field to
   	the request. This is the trickiest part of the process, and it is
-  	 described in the end of section 15.4: 
+  	 described in the end of section 15.4:
   	http://tools.ietf.org/html/rfc5389#section-15.4
-  - the client, optionally, adds the fingerprint field. This may be also 
-  	a tricky procedure, described in section 15.5 of the same document. 
+  - the client, optionally, adds the fingerprint field. This may be also
+  	a tricky procedure, described in section 15.5 of the same document.
   	WebRTC usually uses fingerprinted TURN messages.
   - the TURN server receives the request, reads the username.
-  - then the TURN server checks that the nonce and the realm in the request 
+  - then the TURN server checks that the nonce and the realm in the request
   	are the valid ones.
   - then the TURN server calculates the key.
   - then the TURN server calculates the integrity field.
-  - then the TURN server compares the calculated integrity field with the 
-  	received one - they must be the same. If the integrity fields differ, 
+  - then the TURN server compares the calculated integrity field with the
+  	received one - they must be the same. If the integrity fields differ,
   	then the request is rejected.
 
-In subsequent communications, the client may go with exactly the same 
-sequence, but for optimization usually the client, having already 
-information about realm and nonce, pre-calculates the integrity string 
-for each request, so that the 401 error response becomes unnecessary. 
-The TURN server may use "--stale-nonce" option for extra security: in 
+In subsequent communications, the client may go with exactly the same
+sequence, but for optimization usually the client, having already
+information about realm and nonce, pre-calculates the integrity string
+for each request, so that the 401 error response becomes unnecessary.
+The TURN server may use "--stale-nonce" option for extra security: in
 some time, the nonce expires and the client will obtain 438 error response
 with the new nonce, and the client will have to start using the new nonce.
 
-In subsequent communications, the sever and the client will always assume 
-the same password - the original password becomes the session parameter and 
+In subsequent communications, the server and the client will always assume
+the same password - the original password becomes the session parameter and
 is never expiring. So the password is not changing while the session is valid
-and unexpired. So, if the session is properly maintained, it may go forever, 
-even if the user password has been already changed (in the database). The 
-session simply is using the old password. Once the session got disconnected, 
-the client will have to use the new password to re-connect (if the password 
+and unexpired. So, if the session is properly maintained, it may go forever,
+even if the user password has been already changed (in the database). The
+session simply is using the old password. Once the session got disconnected,
+the client will have to use the new password to re-connect (if the password
 has been changed).
 
 An example when a new shared secret is generated every hour by the TURN server
 box and then supplied to the web server, remotely, is provided in the script
 examples/scripts/restapi/shared_secret_maintainer.pl .
 
-A very important thing is that the nonce must be totally random and it must be 
-different for different clients and different sessions. 
-	 
+A very important thing is that the nonce must be totally random and it must be
+different for different clients and different sessions.
+
 ===================================
 
 DATABASES
 
 For the user database, the turnserver has the following options:
 
-1) Users can be set in the command line, with multiple -u or --user options. 
-Obviously, only a few users can be set that way, and their credentials are fixed 
+1) Users can be set in the command line, with multiple -u or --user options.
+Obviously, only a few users can be set that way, and their credentials are fixed
 for the turnserver process lifetime.
 
 2) Users can be stored in SQLite DB. The default SQLite database file is /var/db/turndb
 or /usr/local/var/db/turndb or /var/lib/turn/turndb.
 
 3) Users can be stored in PostgreSQL database, if the turnserver was compiled with PostgreSQL
 support. Each time turnserver checks user credentials, it reads the database (asynchronously,
-of course, so that the current flow of packets is not delayed in any way), so any change in the 
-database content is immediately visible by the turnserver. This is the way if you need the 
+of course, so that the current flow of packets is not delayed in any way), so any change in the
+database content is immediately visible by the turnserver. This is the way if you need the
 best scalability. The schema for the database can be found in schema.sql file.
-For long-term credentials, you have to set the "keys" for the users; the "keys" are generated 
-by the turnadmin utility. For the key generation, you need username, password and the realm. 
-All users in the database must use the same realm value; if down the road you will decide 
-to change the realm name, then you will have to re-generate all user keys (that can be done 
+For long-term credentials, you have to set the "keys" for the users; the "keys" are generated
+by the turnadmin utility. For the key generation, you need username, password and the realm.
+All users in the database must use the same realm value; if down the road you will decide
+to change the realm name, then you will have to re-generate all user keys (that can be done
 in a batch script). See the file turndb/testsqldbsetup.sql as an example.
 
-4) The same is true for MySQL database. The same schema file is applicable. 
-The same considerations are applicable. 
+4) The same is true for MySQL database. The same schema file is applicable.
+The same considerations are applicable.
 
 5) The same is true for the Redis database, but the Redis database has aa different schema -
-it can be found (in the form of explanation) in schema.userdb.redis. 
-Also, in Redis you can store both "keys" and open passwords (for long term credentials) - 
-the "open password" option is less secure but more convenient for low-security environments. 
-See the file turndb/testredisdbsetup.sh as an example. 
+it can be found (in the form of explanation) in schema.userdb.redis.
+Also, in Redis you can store both "keys" and open passwords (for long term credentials) -
+the "open password" option is less secure but more convenient for low-security environments.
+See the file turndb/testredisdbsetup.sh as an example.
 
 6) If a database is used, then users can be divided into multiple independent realms. Each realm
 can be administered separately, and each realm can have its own set of users and its own
@@ -777,25 +787,25 @@ sessions anonymously. But in most cases (like WebRTC) that will not work.
 
 For the status and statistics database, there are two choices:
 
-1) The simplest choice is not to use it. Do not set --redis-statsdb option, and this functionality 
+1) The simplest choice is not to use it. Do not set --redis-statsdb option, and this functionality
 will be simply ignored.
 
 2) If you choose to use it, then set the --redis-statsdb option. This may be the same database
-as in --redis-userdb option, or it may be a different database. You may want to use different 
+as in --redis-userdb option, or it may be a different database. You may want to use different
 database for security or convenience reasons. Also, you can use different database management
-systems for the user database and for the ststus and statistics database. For example, you can use 
+systems for the user database and for the ststus and statistics database. For example, you can use
 MySQL as the user database, and you can use redis for the statistics. Or you can use Redis for both.
 
 So, we have 6 choices for the user management, and 2 choices for the statistics management. These
-two are totally independent. So, you have overall 6*2=12 ways to handle persistent information, 
+two are totally independent. So, you have overall 6*2=12 ways to handle persistent information,
 choose any for your convenience.
 
-You do not have to handle the database information "manually" - the turnadmin program can handle 
+You do not have to handle the database information "manually" - the turnadmin program can handle
 everything for you. For PostgreSQL and MySQL you will just have to create an empty database
-with schema.sql SQL script. With Redis, you do not have to do even that - just run turnadmin and 
-it will set the users for you (see the turnadmin manuals). If you are using SQLite, then the 
-turnserver or turnadmin will initialize the empty database, for you, when started. The 
-TURN server installation process creates an empty initialized SQLite database in the default 
+with schema.sql SQL script. With Redis, you do not have to do even that - just run turnadmin and
+it will set the users for you (see the turnadmin manuals). If you are using SQLite, then the
+turnserver or turnadmin will initialize the empty database, for you, when started. The
+TURN server installation process creates an empty initialized SQLite database in the default
 location (/var/db/turndb or /usr/local/var/db/turndb or /var/lib/turn/turndb, depending on the system).
 
 =================================
@@ -816,7 +826,7 @@ LIBRARIES
 In the lib/ sub-directory the build process will create TURN client messaging library.
 In the include/ sub-directory, the necessary include files will be placed.
 The C++ wrapper for the messaging functionality is located in TurnMsgLib.h header.
-An example of C++ code can be found in stunclient.c file. 
+An example of C++ code can be found in stunclient.c file.
 
 =================================
 
@@ -832,14 +842,14 @@ $ man -M man turnserver
 
 to see the man page.
 
-In the docs/html subdirectory of the original archive tree, you will find the client library 
+In the docs/html subdirectory of the original archive tree, you will find the client library
 reference. After the installation, it will be placed in PREFIX/share/doc/turnserver/html.
 
 =================================
 
 LOGS
 
-When the TURN Server starts, it makes efforts to create a log file turn_<pid>.log 
+When the TURN Server starts, it makes efforts to create a log file turn_<pid>.log
 in the following directories:
 
 	* /var/log
@@ -848,7 +858,7 @@ in the following directories:
 	* /tmp
 	* current directory
 
-If all efforts failed (due to the system permission settings) then all 
+If all efforts failed (due to the system permission settings) then all
 log messages are sent only to the standard output of the process.
 
 This behavior can be controlled by --log-file, --syslog and --no-stdout-log
@@ -859,7 +869,7 @@ options.
 HTTPS MANAGEMENT INTERFACE
 
 The turnserver process provides an HTTPS Web access as statistics and basic
-management interface. The turnserver listens to incoming HTTPS admin 
+management interface. The turnserver listens to incoming HTTPS admin
 connections on the same ports as the main TURN/STUN listener. The Web admin
 pages are basic and self-explanatory.
 
@@ -883,11 +893,11 @@ in "help" command output in the telnet CLI.
 
 CLUSTERS
 
-TURN Server can be a part of the cluster installation. But, to support the "even port" functionality 
-(RTP/RTCP streams pairs) the client requests from a particular IP must be delivered to the same 
-TURN Server instance, so it requires some networking setup massaging for the cluster. The reason is that 
-the RTP and RTCP relaying endpoints must be allocated on the same relay IP. It would be possible 
-to design a scheme with the application-level requests forwarding (and we may do that later) but 
+TURN Server can be a part of the cluster installation. But, to support the "even port" functionality
+(RTP/RTCP streams pairs) the client requests from a particular IP must be delivered to the same
+TURN Server instance, so it requires some networking setup massaging for the cluster. The reason is that
+the RTP and RTCP relaying endpoints must be allocated on the same relay IP. It would be possible
+to design a scheme with the application-level requests forwarding (and we may do that later) but
 it would affect the performance.
 
 =================================
@@ -925,7 +935,7 @@ new STUN RFC 5389
 TURN RFC 5766
 
 TURN-TCP extension RFC 6062
- 
+
 TURN IPv6 extension RFC 6156
 
 STUN/TURN test vectors RFC 5769
@@ -971,13 +981,13 @@ https://groups.google.com/forum/?fromgroups=#!forum/turn-server-project-rfc5766-
 	Erik Johnston <erikj@openmarket.com>
 
 	Roman Lisagor <roman@demonware.net>
-	
+
 	Vladimir Tsanev <tsachev@gmail.com>
-	
+
 	Po-sheng Lin <personlin118@gmail.com>
-	
+
 	Peter Dunkley <peter.dunkley@acision.com>
-	
+
 	Mutsutoshi Yoshimoto <mutsutoshi.yoshimoto@mixi.co.jp>
 
 	Federico Pinna <fpinna@vivocha.com>

@@ -37,12 +37,12 @@ according RFC5780. This utility discovers the actual NAT Mapping and Filtering
 behavior, etc. Be aware that on TURN server side two different listening IP
 addresses should be configured to be able to work properly!
 
-6.	turnutils_oauth: a utility that provides OAuth access_token 
-generation(AEAD encryption), validation and decryption. This utility inputs 
-all the keys and lifetimes and any related information that needed for 
-creation and validationi of an access_token. It outputs a JSON with all OAuth 
-PoP parameters that need to pass to the client. Output is generated accoriding 
-RFC7635 Appendix B, Figure 8. 
+6.	turnutils_oauth: a utility that provides OAuth access_token
+generation(AEAD encryption), validation and decryption. This utility inputs
+all the keys and lifetimes and any related information that needed for
+creation and validationi of an access_token. It outputs a JSON with all OAuth
+PoP parameters that need to pass to the client. Output is generated accoriding
+RFC7635 Appendix B, Figure 8.
 
 For more details, and for the access_token structure, read rfc7635, and see
 script in examples/scripts/oauth.sh.
@@ -312,15 +312,15 @@ $ turnutils_oauth [options]
 
   DESCRIPTION
 
-turnutils_oauth utilitiy provides help in OAuth access_token encryption and/or 
-decryption with AEAD (Atuthenticated Encryption with Associated Data). It helps 
-for an Auth Server in access_token creation, and also for debugging purposes it 
-helps the access_token validation and decryption. This utility inputs all the 
-keys and lifetimes and any related information that are needed for encryption 
-or decryption of an access_token. It outputs a JSON with all OAuth PoP 
-parameters that need to pass to the client. Output is generated accoriding 
-RFC7635 Appendix B, Figure 8. This utility could help to build an Auth Server 
-service, but be awere that this utility does not generate "session key" / 
+turnutils_oauth utilitiy provides help in OAuth access_token encryption and/or
+decryption with AEAD (Atuthenticated Encryption with Associated Data). It helps
+for an Auth Server in access_token creation, and also for debugging purposes it
+helps the access_token validation and decryption. This utility inputs all the
+keys and lifetimes and any related information that are needed for encryption
+or decryption of an access_token. It outputs a JSON with all OAuth PoP
+parameters that need to pass to the client. Output is generated accoriding
+RFC7635 Appendix B, Figure 8. This utility could help to build an Auth Server
+service, but be awere that this utility does not generate "session key" /
 "mac_key" and not verifies lifetime of "session key" / "mac_key" or "Auth key".
 For more details, and for the access_token structure, read rfc7635, and see
 the example in examples/scripts/oauth.sh.

@@ -2,10 +2,9 @@
 
 # Common settings script.
 
-TURNVERSION=4.5.1.1
+TURNVERSION=4.5.1.3
 BUILDDIR=~/rpmbuild
 ARCH=`uname -p`
-TURNSERVER_GIT_URL=https://github.com/coturn/coturn.git
 
 WGETOPTIONS="--no-check-certificate"
 RPMOPTIONS="-ivh --force"

@@ -18,18 +18,11 @@ fi
 
 # TURN
 
+#create archive from local folder
 cd ${BUILDDIR}/tmp
 rm -rf turnserver-${TURNVERSION}
-git clone ${TURNSERVER_GIT_URL} --branch ${TURNVERSION} turnserver-${TURNVERSION}
-ER=$?
-if ! [ ${ER} -eq 0 ] ; then
-	git clone ${TURNSERVER_GIT_URL} turnserver-${TURNVERSION}
-	ER=$?
-	if ! [ ${ER} -eq 0 ] ; then
-    	cd ${CPWD}
-    	exit -1
-    fi
-fi
+mkdir -p ${BUILDDIR}/tmp/turnserver-${TURNVERSION}
+cp -R ${CPWD}/.. ${BUILDDIR}/tmp/turnserver-${TURNVERSION}
 
 tar zcf ${BUILDDIR}/SOURCES/turnserver-${TURNVERSION}.tar.gz turnserver-${TURNVERSION}
 ER=$?
@@ -38,6 +31,7 @@ if ! [ ${ER} -eq 0 ] ; then
     exit -1
 fi
 
+#build package from archive
 rpmbuild -ta ${BUILDDIR}/SOURCES/turnserver-${TURNVERSION}.tar.gz
 ER=$?
 if ! [ ${ER} -eq 0 ] ; then

@@ -1,5 +1,5 @@
 Name:		turnserver
-Version:	4.5.1.1
+Version:	4.5.1.3
 Release:	0%{dist}
 Summary:	Coturn TURN Server
 
@@ -197,6 +197,8 @@ fi
 %{_datadir}/%{name}/testmongosetup.sh
 %{_datadir}/%{name}/testsqldbsetup.sql
 %dir %{_datadir}/%{name}/etc
+%{_datadir}/%{name}/etc/cacert.pem
+%{_datadir}/%{name}/etc/coturn.service
 %{_datadir}/%{name}/etc/turn_server_cert.pem
 %{_datadir}/%{name}/etc/turn_server_pkey.pem
 %{_datadir}/%{name}/etc/turnserver.conf

@@ -279,7 +279,7 @@ int addr_bind(evutil_socket_t fd, const ioa_addr* addr, int reusable, int debug,
 				int err = errno;
 				perror("bind");
 				char str[129];
-				addr_to_string(addr,(u08bits*)str);
+				addr_to_string(addr,(uint8_t*)str);
 				TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "Trying to bind fd %d to <%s>: errno=%d\n", fd, str, err);
 			}
 		}
@@ -439,6 +439,7 @@ int set_raw_socket_tos(evutil_socket_t fd, int family, int tos)
 int is_stream_socket(int st) {
 	switch(st) {
 	case TCP_SOCKET:
+	case TCP_SOCKET_PROXY:
 	case TLS_SOCKET:
 	case TENTATIVE_TCP_SOCKET:
 	case SCTP_SOCKET:
@@ -760,7 +761,7 @@ void set_execdir(void)
   /* On some systems, this may give us the execution path */
   char *_var = getenv("_");
   if(_var && *_var) {
-    _var = turn_strdup(_var);
+    _var = strdup(_var);
     char *edir=_var;
     if(edir[0]!='.') 
       edir = strstr(edir,"/");
@@ -769,9 +770,9 @@ void set_execdir(void)
     else
       edir = dirname(_var);
     if(c_execdir)
-      turn_free(c_execdir,strlen(c_execdir)+1);
-    c_execdir = turn_strdup(edir);
-    turn_free(_var,strlen(_var)+1);
+      free(c_execdir);
+    c_execdir = strdup(edir);
+    free(_var);
   }
 }
 
@@ -786,7 +787,7 @@ void print_abs_file_name(const char *msg1, const char *msg2, const char *fn)
       if(fn[0]=='/') {
 	STRCPY(absfn,fn);
       } else {
-	if(fn[0]=='.' && fn[1]=='/')
+	if(fn[0]=='.' && fn[1] && fn[1]=='/')
 	  fn+=2;
 	if(!getcwd(absfn,sizeof(absfn)-1))
 	  absfn[0]=0;
@@ -815,7 +816,7 @@ char* find_config_file(const char *config_file, int print_file_name)
 			FILE *f = fopen(config_file, "r");
 			if (f) {
 				fclose(f);
-				full_path_to_config_file = turn_strdup(config_file);
+				full_path_to_config_file = strdup(config_file);
 			}
 		} else {
 			int i = 0;
@@ -824,7 +825,7 @@ char* find_config_file(const char *config_file, int print_file_name)
 			while (config_file_search_dirs[i]) {
 				size_t dirlen = strlen(config_file_search_dirs[i]);
 				size_t fnsz = sizeof(char) * (dirlen + cflen + 10);
-				char *fn = (char*)turn_malloc(fnsz+1);
+				char *fn = (char*)malloc(fnsz+1);
 				strncpy(fn, config_file_search_dirs[i], fnsz);
 				strncpy(fn + dirlen, config_file, fnsz-dirlen);
 				fn[fnsz]=0;
@@ -836,13 +837,13 @@ char* find_config_file(const char *config_file, int print_file_name)
 					full_path_to_config_file = fn;
 					break;
 				}
-				turn_free(fn,fnsz+1);
+				free(fn);
 				if(config_file_search_dirs[i][0]!='/' && 
 				   config_file_search_dirs[i][0]!='.' &&
 				   c_execdir && c_execdir[0]) {
 					size_t celen = strlen(c_execdir);
 					fnsz = sizeof(char) * (dirlen + cflen + celen + 10);
-					fn = (char*)turn_malloc(fnsz+1);
+					fn = (char*)malloc(fnsz+1);
 					strncpy(fn,c_execdir,fnsz);
 					size_t fnlen=strlen(fn);
 					if(fnlen<fnsz) {
@@ -867,7 +868,7 @@ char* find_config_file(const char *config_file, int print_file_name)
 					    break;
 					  }
 					}
-					turn_free(fn,fnsz+1);
+					free(fn);
 				}
 				++i;
 			}
@@ -893,15 +894,15 @@ void ignore_sigpipe(void)
 	}
 }
 
-static u64bits turn_getRandTime(void) {
+static uint64_t turn_getRandTime(void) {
   struct timespec tp={0,0};
 #if defined(CLOCK_REALTIME)
   clock_gettime(CLOCK_REALTIME, &tp);
 #else
   tp.tv_sec = time(NULL);
 #endif
-  u64bits current_time = (u64bits)(tp.tv_sec);
-  u64bits current_mstime = (u64bits)(current_time + (tp.tv_nsec));
+  uint64_t current_time = (uint64_t)(tp.tv_sec);
+  uint64_t current_mstime = (uint64_t)(current_time + (tp.tv_nsec));
 
   return current_mstime;
 }
@@ -950,17 +951,17 @@ char *base64_encode(const unsigned char *data,
 
     *output_length = 4 * ((input_length + 2) / 3);
 
-    char *encoded_data = (char*)turn_malloc(*output_length+1);
+    char *encoded_data = (char*)malloc(*output_length+1);
     if (encoded_data == NULL) return NULL;
 
     size_t i,j;
     for (i = 0, j = 0; i < input_length;) {
 
-        u32bits octet_a = i < input_length ? data[i++] : 0;
-        u32bits octet_b = i < input_length ? data[i++] : 0;
-        u32bits octet_c = i < input_length ? data[i++] : 0;
+        uint32_t octet_a = i < input_length ? data[i++] : 0;
+        uint32_t octet_b = i < input_length ? data[i++] : 0;
+        uint32_t octet_c = i < input_length ? data[i++] : 0;
 
-        u32bits triple = (octet_a << 0x10) + (octet_b << 0x08) + octet_c;
+        uint32_t triple = (octet_a << 0x10) + (octet_b << 0x08) + octet_c;
 
         encoded_data[j++] = encoding_table[(triple >> 3 * 6) & 0x3F];
         encoded_data[j++] = encoding_table[(triple >> 2 * 6) & 0x3F];
@@ -978,8 +979,8 @@ char *base64_encode(const unsigned char *data,
 
 void build_base64_decoding_table() {
 
-    decoding_table = (char*)turn_malloc(256);
-    ns_bzero(decoding_table,256);
+    decoding_table = (char*)malloc(256);
+    bzero(decoding_table,256);
 
     int i;
     for (i = 0; i < 64; i++)
@@ -998,7 +999,7 @@ unsigned char *base64_decode(const char *data,
     if (data[input_length - 1] == '=') (*output_length)--;
     if (data[input_length - 2] == '=') (*output_length)--;
 
-    unsigned char *decoded_data = (unsigned char*)turn_malloc(*output_length);
+    unsigned char *decoded_data = (unsigned char*)malloc(*output_length);
     if (decoded_data == NULL) return NULL;
 
     int i;
@@ -1031,67 +1032,13 @@ unsigned char *base64_decode(const char *data,
 
 ////////////////// SSL /////////////////////
 
-static const char* turn_get_method(const SSL_METHOD *method, const char* mdefault)
-{
-	{
-		if(!method)
-			return mdefault;
-		else {
-			if(method == SSLv23_server_method()) {
-					return "SSLv23";
-			} else if(method == SSLv23_client_method()) {
-					return "SSLv23";
-			} else if(method == TLSv1_server_method()) {
-					return "TLSv1.0";
-			} else if(method == TLSv1_client_method()) {
-				return "TLSv1.0";
-#if TLSv1_1_SUPPORTED
-			} else if(method == TLSv1_1_server_method()) {
-					return "TLSv1.1";
-			} else if(method == TLSv1_1_client_method()) {
-				return "TLSv1.1";
-#if TLSv1_2_SUPPORTED
-			} else if(method == TLSv1_2_server_method()) {
-					return "TLSv1.2";
-			} else if(method == TLSv1_2_client_method()) {
-				return "TLSv1.2";
-#endif
-#endif
-#if DTLS_SUPPORTED
-
-			} else if(method == DTLSv1_server_method()) {
-				return "DTLSv1.0";
-			} else if(method == DTLSv1_client_method()) {
-				return "DTLSv1.0";
-
-#if DTLSv1_2_SUPPORTED
-			} else if(method == DTLSv1_2_server_method()) {
-				return "DTLSv1.2";
-			} else if(method == DTLSv1_2_client_method()) {
-				return "DTLSv1.2";
-#endif
-#endif
-			} else {
-				if(mdefault)
-					return mdefault;
-				return "UNKNOWN";
-			}
-		}
-	}
-}
-
 const char* turn_get_ssl_method(SSL *ssl, const char* mdefault)
 {
 	const char* ret = "unknown";
 	if(!ssl) {
 		ret = mdefault;
 	} else {
-		const SSL_METHOD *method = SSL_get_ssl_method(ssl);
-		if(!method) {
-			ret = mdefault;
-		} else {
-			ret = turn_get_method(method, mdefault);
-		}
+		ret = SSL_get_version(ssl);
 	}
 
 	return ret;
@@ -1114,21 +1061,21 @@ void convert_oauth_key_data_raw(const oauth_key_data_raw *raw, oauth_key_data *o
 {
 	if(raw && oakd) {
 
-		ns_bzero(oakd,sizeof(oauth_key_data));
+		bzero(oakd,sizeof(oauth_key_data));
 
 		oakd->timestamp = (turn_time_t)raw->timestamp;
 		oakd->lifetime = raw->lifetime;
 
-		ns_bcopy(raw->as_rs_alg,oakd->as_rs_alg,sizeof(oakd->as_rs_alg));
-		ns_bcopy(raw->kid,oakd->kid,sizeof(oakd->kid));
+		bcopy(raw->as_rs_alg,oakd->as_rs_alg,sizeof(oakd->as_rs_alg));
+		bcopy(raw->kid,oakd->kid,sizeof(oakd->kid));
 
 		if(raw->ikm_key[0]) {
 			size_t ikm_key_size = 0;
 			char *ikm_key = (char*)base64_decode(raw->ikm_key,strlen(raw->ikm_key),&ikm_key_size);
 			if(ikm_key) {
-				ns_bcopy(ikm_key,oakd->ikm_key,ikm_key_size);
+				bcopy(ikm_key,oakd->ikm_key,ikm_key_size);
 				oakd->ikm_key_size = ikm_key_size;
-				turn_free(ikm_key,ikm_key_size);
+				free(ikm_key);
 			}
 		}
 	}

@@ -135,8 +135,8 @@ typedef enum _TURN_TLS_TYPE TURN_TLS_TYPE;
 struct _oauth_key_data_raw {
 	char kid[OAUTH_KID_SIZE+1];
 	char ikm_key[OAUTH_KEY_SIZE+1];
-	u64bits timestamp;
-	u32bits lifetime;
+	uint64_t timestamp;
+	uint32_t lifetime;
 	char as_rs_alg[OAUTH_ALG_SIZE+1];
 	char realm[STUN_MAX_REALM_SIZE+1];
 };

@@ -246,16 +246,16 @@ redis_context_handle redisLibeventAttach(struct event_base *base, char *ip0, int
   }
 
   /* Create container for context and r/w events */
-  e = (struct redisLibeventEvents*)turn_malloc(sizeof(struct redisLibeventEvents));
-  ns_bzero(e,sizeof(struct redisLibeventEvents));
+  e = (struct redisLibeventEvents*)malloc(sizeof(struct redisLibeventEvents));
+  bzero(e,sizeof(struct redisLibeventEvents));
 
   e->allocated = 1;
   e->context = ac;
   e->base = base;
-  e->ip = turn_strdup(ip);
+  e->ip = strdup(ip);
   e->port = port;
   if(pwd)
-	  e->pwd = turn_strdup(pwd);
+	  e->pwd = strdup(pwd);
   e->db = db;
 
   /* Register functions to start/stop listening for events */
@@ -277,7 +277,7 @@ redis_context_handle redisLibeventAttach(struct event_base *base, char *ip0, int
   		     e);
 
   if (e->rev == NULL || e->wev == NULL) {
-	  turn_free(e, sizeof(struct redisLibeventEvents));
+	  free(e);
 	  return NULL;
   }
   

@@ -98,7 +98,7 @@ int turn_mutex_unlock(const turn_mutex *mutex) {
 int turn_mutex_init(turn_mutex* mutex) {
   if(mutex) {
     mutex->data=MAGIC_CODE;
-    mutex->mutex=turn_malloc(sizeof(pthread_mutex_t));
+    mutex->mutex=malloc(sizeof(pthread_mutex_t));
     pthread_mutex_init((pthread_mutex_t*)mutex->mutex,NULL);
     return 0;
   } else {
@@ -116,13 +116,13 @@ int turn_mutex_init_recursive(turn_mutex* mutex) {
 			if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_RECURSIVE) < 0) {
 				perror("Cannot set type on mutex attr");
 			} else {
-				mutex->mutex = turn_malloc(sizeof(pthread_mutex_t));
+				mutex->mutex = malloc(sizeof(pthread_mutex_t));
 				mutex->data = MAGIC_CODE;
 				if ((ret = pthread_mutex_init((pthread_mutex_t*) mutex->mutex,
 						&attr)) < 0) {
 					perror("Cannot init mutex");
 					mutex->data = 0;
-					turn_free(mutex->mutex,sizeof(pthread_mutex_t));
+					free(mutex->mutex);
 					mutex->mutex = NULL;
 				}
 			}
@@ -136,7 +136,7 @@ int turn_mutex_destroy(turn_mutex* mutex) {
   if(mutex && mutex->mutex && mutex->data == MAGIC_CODE) {
     int ret = 0;
     ret = pthread_mutex_destroy((pthread_mutex_t*)(mutex->mutex));
-    turn_free(mutex->mutex, sizeof(pthread_mutex_t));
+    free(mutex->mutex);
     mutex->mutex=NULL;
     mutex->data=0;
     return ret;
@@ -148,7 +148,7 @@ int turn_mutex_destroy(turn_mutex* mutex) {
 ///////////////////////// LOG ///////////////////////////////////
 
 #if defined(TURN_LOG_FUNC_IMPL)
-extern void TURN_LOG_FUNC_IMPL(TURN_LOG_LEVEL level, const s08bits* format, va_list args);
+extern void TURN_LOG_FUNC_IMPL(TURN_LOG_LEVEL level, const char* format, va_list args);
 #endif
 
 static int no_stdout_log = 0;
@@ -158,7 +158,7 @@ void set_no_stdout_log(int val)
 	no_stdout_log = val;
 }
 
-void turn_log_func_default(TURN_LOG_LEVEL level, const s08bits* format, ...)
+void turn_log_func_default(TURN_LOG_LEVEL level, const char* format, ...)
 {
 #if !defined(TURN_LOG_FUNC_IMPL)
 	{
@@ -194,13 +194,13 @@ void turn_log_func_default(TURN_LOG_LEVEL level, const s08bits* format, ...)
 	}
 }
 
-void addr_debug_print(int verbose, const ioa_addr *addr, const s08bits* s)
+void addr_debug_print(int verbose, const ioa_addr *addr, const char* s)
 {
 	if (verbose) {
 		if (!addr) {
 			TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "%s: EMPTY\n", s);
 		} else {
-			s08bits addrbuf[INET6_ADDRSTRLEN];
+			char addrbuf[INET6_ADDRSTRLEN];
 			if (!s)
 				s = "";
 			if (addr->ss.sa_family == AF_INET) {
@@ -296,11 +296,11 @@ static void set_log_file_name_func(char *base, char *f, size_t fsz)
 	}
 
 	char logdate[125];
-	char *tail=turn_strdup(".log");
+	char *tail=strdup(".log");
 
 	get_date(logdate,sizeof(logdate));
 
-	char *base1=turn_strdup(base);
+	char *base1=strdup(base);
 
 	int len=(int)strlen(base1);
 
@@ -319,12 +319,12 @@ static void set_log_file_name_func(char *base, char *f, size_t fsz)
 		if(base1[len]=='/')
 			break;
 		else if(base1[len]=='.') {
-			turn_free(tail,strlen(tail)+1);
-			tail=turn_strdup(base1+len);
+			free(tail);
+			tail=strdup(base1+len);
 			base1[len]=0;
 			if(strlen(tail)<2) {
-				turn_free(tail,strlen(tail)+1);
-				tail = turn_strdup(".log");
+				free(tail);
+				tail = strdup(".log");
 			}
 			break;
 		}
@@ -338,8 +338,8 @@ static void set_log_file_name_func(char *base, char *f, size_t fsz)
 	  snprintf(f, FILE_STR_LEN, "%s%s%s", base1,logdate,tail);
 	}
 
-	turn_free(base1,strlen(base1)+1);
-	turn_free(tail,strlen(tail)+1);
+	free(base1);
+	free(tail);
 }
 
 static void sighup_callback_handler(int signum)
@@ -370,7 +370,7 @@ static void set_rtpfile(void)
 				no_stdout_log = 1;
 			} else {
 				set_log_file_name(log_fn_base,log_fn);
-				_rtpfile = fopen(log_fn, "w");
+				_rtpfile = fopen(log_fn, "a");
 				if(_rtpfile)
 					TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "log file opened: %s\n", log_fn);
 			}
@@ -393,36 +393,41 @@ static void set_rtpfile(void)
 		else
 			snprintf(logtail, FILE_STR_LEN, "turn_%d_", (int)getpid());
 
-		snprintf(logbase, FILE_STR_LEN, "/var/log/turnserver/%s", logtail);
+		if (snprintf(logbase, FILE_STR_LEN, "/var/log/turnserver/%s", logtail)<0)
+			TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "String truncation occured.\n");
 
 		set_log_file_name(logbase, logf);
 
-		_rtpfile = fopen(logf, "w");
+		_rtpfile = fopen(logf, "a");
 		if(_rtpfile)
 			TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "log file opened: %s\n", logf);
 		else {
-			snprintf(logbase, FILE_STR_LEN, "/var/log/%s", logtail);
+			if (snprintf(logbase, FILE_STR_LEN, "/var/log/%s", logtail)<0)
+				TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "String truncation occured.\n");
 
 			set_log_file_name(logbase, logf);
-			_rtpfile = fopen(logf, "w");
+			_rtpfile = fopen(logf, "a");
 			if(_rtpfile)
 				TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "log file opened: %s\n", logf);
 			else {
-				snprintf(logbase, FILE_STR_LEN, "/var/tmp/%s", logtail);
+				if (snprintf(logbase, FILE_STR_LEN, "/var/tmp/%s", logtail)<0)
+					TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "String truncation occured.\n");
+
 				set_log_file_name(logbase, logf);
-				_rtpfile = fopen(logf, "w");
+				_rtpfile = fopen(logf, "a");
 				if(_rtpfile)
 					TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "log file opened: %s\n", logf);
 				else {
-					snprintf(logbase, FILE_STR_LEN, "/tmp/%s", logtail);
+					if (snprintf(logbase, FILE_STR_LEN, "/tmp/%s", logtail)<0)
+						TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "String truncation occured.\n");
 					set_log_file_name(logbase, logf);
-					_rtpfile = fopen(logf, "w");
+					_rtpfile = fopen(logf, "a");
 					if(_rtpfile)
 						TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "log file opened: %s\n", logf);
 					else {
 						snprintf(logbase, FILE_STR_LEN, "%s", logtail);
 						set_log_file_name(logbase, logf);
-						_rtpfile = fopen(logf, "w");
+						_rtpfile = fopen(logf, "a");
 						if(_rtpfile)
 							TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "log file opened: %s\n", logf);
 						else {
@@ -556,7 +561,7 @@ int get_default_protocol_port(const char* scheme, size_t slen)
 				return 21;
 			if(!memcmp("svn",scheme,3))
 				return 3690;
-			if(!memcmp("ssh",scheme,4))
+			if(!memcmp("ssh",scheme,3))
 				return 22;
 			if(!memcmp("sip",scheme,3))
 				return 5060;
@@ -615,7 +620,7 @@ int get_canonic_origin(const char* o, char *co, int sz)
 					const char *host = evhttp_uri_get_host(uri);
 					if(host && host[0]) {
 						char otmp[STUN_MAX_ORIGIN_SIZE+STUN_MAX_ORIGIN_SIZE];
-						ns_bcopy(scheme,otmp,schlen);
+						bcopy(scheme,otmp,schlen);
 						otmp[schlen]=0;
 
 						{
@@ -663,215 +668,11 @@ int get_canonic_origin(const char* o, char *co, int sz)
 
 //////////////////////////////////////////////////////////////////
 
-#ifdef __cplusplus
-#if defined(TURN_MEMORY_DEBUG)
-
-#include <map>
-#include <set>
-#include <string>
-
-static volatile int tmm_init = 0;
-static pthread_mutex_t tm;
-
-typedef void* ptrtype;
-typedef std::set<ptrtype> ptrs_t;
-typedef std::map<std::string,ptrs_t> str_to_ptrs_t;
-typedef std::map<ptrtype,std::string> ptr_to_str_t;
-
-static str_to_ptrs_t str_to_ptrs;
-static ptr_to_str_t ptr_to_str;
-
-static void tm_init(void) {
-  if(!tmm_init) {
-    pthread_mutex_init(&tm,NULL);
-    tmm_init = 1;
-  }
-}
-
-static void add_tm_ptr(void *ptr, const char *id) {
-
-  UNUSED_ARG(ptr);
-  UNUSED_ARG(id);
-
-  if(!ptr)
-    return;
-
-  std::string sid(id);
-
-  str_to_ptrs_t::iterator iter;
-
-  pthread_mutex_lock(&tm);
-
-  iter = str_to_ptrs.find(sid);
-
-  if(iter == str_to_ptrs.end()) {
-    std::set<ptrtype> sp;
-    sp.insert(ptr);
-    str_to_ptrs[sid]=sp;
-  } else {
-	iter->second.insert(ptr);
-  }
-
-  ptr_to_str[ptr]=sid;
-
-  pthread_mutex_unlock(&tm);
-}
-
-static void del_tm_ptr(void *ptr, const char *id) {
-
-  UNUSED_ARG(ptr);
-  UNUSED_ARG(id);
-
-  if(!ptr)
-    return;
-
-  pthread_mutex_lock(&tm);
-
-  ptr_to_str_t::iterator pts_iter = ptr_to_str.find(ptr);
-  if(pts_iter == ptr_to_str.end()) {
-
-	  printf("Tring to free unknown pointer (1): %s\n",id);
-
-  } else {
-
-    std::string sid = pts_iter->second;
-    ptr_to_str.erase(pts_iter);
-
-    str_to_ptrs_t::iterator iter = str_to_ptrs.find(sid);
-
-    if(iter == str_to_ptrs.end()) {
-
-    	printf("Tring to free unknown pointer (2): %s\n",id);
-
-    } else {
-
-      iter->second.erase(ptr);
-
-    }
-  }
-
-  pthread_mutex_unlock(&tm);
-}
-
-static void tm_id(char *id, const char* function, int line) {
-  sprintf(id,"%s:%d",function,line);
-}
-
-#define TM_START() char id[128];tm_id(id,function,line);tm_init()
-
-extern "C" void* debug_ptr_add_func(void *ptr, const char* function, int line) {
-
-	TM_START();
-
-	add_tm_ptr(ptr,id);
-
-	return ptr;
-}
-
-extern "C" void debug_ptr_del_func(void *ptr, const char* function, int line) {
-
-	TM_START();
-
-	del_tm_ptr(ptr,id);
-}
-
-extern "C" void tm_print_func(void);
-void tm_print_func(void) {
-  pthread_mutex_lock(&tm);
-  printf("=============================================\n");
-  for(str_to_ptrs_t::const_iterator iter=str_to_ptrs.begin();iter != str_to_ptrs.end();++iter) {
-	  if(iter->second.size())
-		  printf("%s: %s: %d\n",__FUNCTION__,iter->first.c_str(),(int)(iter->second.size()));
-  }
-  printf("=============================================\n");
-  pthread_mutex_unlock(&tm);
-} 
-
-extern "C" void *turn_malloc_func(size_t sz, const char* function, int line);
-void *turn_malloc_func(size_t sz, const char* function, int line) {
-
-  TM_START();
-
-  void *ptr = malloc(sz);
-  
-  add_tm_ptr(ptr,id);
-
-  return ptr;
-}
-
-extern "C" void *turn_realloc_func(void *ptr, size_t old_sz, size_t new_sz, const char* function, int line);
-void *turn_realloc_func(void *ptr, size_t old_sz, size_t new_sz, const char* function, int line) {
-
-  UNUSED_ARG(old_sz);
-
-  TM_START();
-
-  if(ptr)
-	  del_tm_ptr(ptr,id);
-
-  ptr = realloc(ptr,new_sz);
-
-  add_tm_ptr(ptr,id);
-
-  return ptr;
-}
-
-extern "C" void turn_free_func(void *ptr, size_t sz, const char* function, int line);
-void turn_free_func(void *ptr, size_t sz, const char* function, int line) {
-
-  UNUSED_ARG(sz);
-
-  TM_START();
-
-  del_tm_ptr(ptr,id);
-
-  free(ptr);
-}
-
-extern "C" void turn_free_simple(void *ptr);
-void turn_free_simple(void *ptr) {
-
-  tm_init();
-
-  del_tm_ptr(ptr,__FUNCTION__);
-
-  free(ptr);
-}
-
-extern "C" void *turn_calloc_func(size_t number, size_t size, const char* function, int line);
-void *turn_calloc_func(size_t number, size_t size, const char* function, int line) {
-  
-  TM_START();
-
-  void *ptr = calloc(number,size);
-
-  add_tm_ptr(ptr,id);
-
-  return ptr;
-}
-
-extern "C" char *turn_strdup_func(const char* s, const char* function, int line);
-char *turn_strdup_func(const char* s, const char* function, int line) {
-
-  TM_START();
-
-  char *ptr = strdup(s);
-
-  add_tm_ptr(ptr,id);
-
-  return ptr;
-}
-
-#endif
-#endif
-
-////////////////////////////////
-
-int is_secure_string(const u08bits *string, int sanitizesql)
+int is_secure_string(const uint8_t *string, int sanitizesql)
 {
 	int ret = 0;
 	if(string) {
-		unsigned char *s0 = (unsigned char*)turn_strdup((const char*)string);
+		unsigned char *s0 = (unsigned char*)strdup((const char*)string);
 		unsigned char *s = s0;
 		while(*s) {
 			*s = (unsigned char)tolower((int)*s);
@@ -885,7 +686,7 @@ int is_secure_string(const u08bits *string, int sanitizesql)
 		} else {
 			ret = 1;
 		}
-		turn_free(s,strlen((char*)s));
+		free(s);
 	}
 	return ret;
 }

@@ -61,9 +61,9 @@ void set_no_stdout_log(int val);
 void set_log_to_syslog(int val);
 void set_simple_log(int val);
 
-void turn_log_func_default(TURN_LOG_LEVEL level, const s08bits* format, ...);
+void turn_log_func_default(TURN_LOG_LEVEL level, const char* format, ...);
 
-void addr_debug_print(int verbose, const ioa_addr *addr, const s08bits* s);
+void addr_debug_print(int verbose, const ioa_addr *addr, const char* s);
 
 /* Log */
 
@@ -78,7 +78,7 @@ void rollover_logfile(void);
 
 ///////////////////////////////////////////////////////
 
-int is_secure_string(const u08bits *string, int sanitizesql);
+int is_secure_string(const uint8_t *string, int sanitizesql);
 
 ///////////////////////////////////////////////////////
 

@@ -34,7 +34,7 @@
 
 int stun_init_buffer(stun_buffer *buf) {
   if(!buf) return -1;
-  ns_bzero(buf->buf,sizeof(buf->buf));
+  bzero(buf->buf,sizeof(buf->buf));
   buf->len=0;
   buf->offset=0;
   buf->coffset=0;
@@ -82,7 +82,7 @@ int stun_is_success_response(const stun_buffer* buf) {
   return stun_is_success_response_str(buf->buf, (size_t)(buf->len));
 }
 
-int stun_is_error_response(const stun_buffer* buf, int *err_code, u08bits *err_msg, size_t err_msg_size) {
+int stun_is_error_response(const stun_buffer* buf, int *err_code, uint8_t *err_msg, size_t err_msg_size) {
   return stun_is_error_response_str(buf->buf, (size_t)(buf->len), err_code, err_msg, err_msg_size);
 }
 
@@ -95,36 +95,36 @@ int stun_is_indication(const stun_buffer* buf) {
   return IS_STUN_INDICATION(stun_get_msg_type(buf));
 }
 
-u16bits stun_get_method(const stun_buffer* buf) {
+uint16_t stun_get_method(const stun_buffer* buf) {
 	return stun_get_method_str(buf->buf, (size_t)(buf->len));
 }
 
-u16bits stun_get_msg_type(const stun_buffer* buf) {
-  if(!buf) return (u16bits)-1;
+uint16_t stun_get_msg_type(const stun_buffer* buf) {
+  if(!buf) return (uint16_t)-1;
   return stun_get_msg_type_str(buf->buf,(size_t)buf->len);
 }
 
 ////////////////////////////////////////////////////////////
 
-static void stun_init_command(u16bits message_type, stun_buffer* buf) {
+static void stun_init_command(uint16_t message_type, stun_buffer* buf) {
   buf->len=stun_get_size(buf);
   stun_init_command_str(message_type, buf->buf, (size_t*)(&(buf->len)));
 }
 
-void stun_init_request(u16bits method, stun_buffer* buf) {
+void stun_init_request(uint16_t method, stun_buffer* buf) {
   stun_init_command(stun_make_request(method), buf);
 }
 
-void stun_init_indication(u16bits method, stun_buffer* buf) {
+void stun_init_indication(uint16_t method, stun_buffer* buf) {
   stun_init_command(stun_make_indication(method), buf);
 }
 
-void stun_init_success_response(u16bits method, stun_buffer* buf, stun_tid* id) {
+void stun_init_success_response(uint16_t method, stun_buffer* buf, stun_tid* id) {
   buf->len=stun_get_size(buf);
   stun_init_success_response_str(method, buf->buf, (size_t*)(&(buf->len)), id);
 }
 
-void stun_init_error_response(u16bits method, stun_buffer* buf, u16bits error_code, const u08bits *reason, stun_tid* id) {
+void stun_init_error_response(uint16_t method, stun_buffer* buf, uint16_t error_code, const uint8_t *reason, stun_tid* id) {
   buf->len=stun_get_size(buf);
   stun_init_error_response_str(method, buf->buf, (size_t*)(&(buf->len)), error_code, reason, id);
 }
@@ -137,11 +137,11 @@ int stun_get_command_message_len(const stun_buffer* buf) {
 
 ///////////////////////////////////////////////////////////////////////////////
 
-int stun_init_channel_message(u16bits chnumber, stun_buffer* buf, int length, int do_padding) {
+int stun_init_channel_message(uint16_t chnumber, stun_buffer* buf, int length, int do_padding) {
   return stun_init_channel_message_str(chnumber, buf->buf, (size_t*)(&(buf->len)), length, do_padding);
 }
 
-int stun_is_channel_message(stun_buffer* buf, u16bits* chnumber, int is_padding_mandatory) {
+int stun_is_channel_message(stun_buffer* buf, uint16_t* chnumber, int is_padding_mandatory) {
   if(!buf) return 0;
   size_t blen = (size_t)buf->len;
   int ret = stun_is_channel_message_str(buf->buf, &blen, chnumber, is_padding_mandatory);
@@ -153,15 +153,15 @@ int stun_is_channel_message(stun_buffer* buf, u16bits* chnumber, int is_padding_
 
 ///////////////////////////////////////////////////////////////////////////////
 
-int stun_set_allocate_request(stun_buffer* buf, u32bits lifetime, int af4, int af6, u08bits transport, int mobile, const char *rt, int ep) {
+int stun_set_allocate_request(stun_buffer* buf, uint32_t lifetime, int af4, int af6, uint8_t transport, int mobile, const char *rt, int ep) {
   return stun_set_allocate_request_str(buf->buf, (size_t*)(&(buf->len)), lifetime, af4, af6, transport, mobile, rt, ep);
 }
 
 int stun_set_allocate_response(stun_buffer* buf, stun_tid* tid, 
 			       const ioa_addr *relayed_addr1, const ioa_addr *relayed_addr2,
 			       const ioa_addr *reflexive_addr,
-			       u32bits lifetime, u32bits max_lifetime, int error_code, const u08bits *reason,
-			       u64bits reservation_token, char *mobile_id) {
+			       uint32_t lifetime, uint32_t max_lifetime, int error_code, const uint8_t *reason,
+			       uint64_t reservation_token, char *mobile_id) {
 
   return stun_set_allocate_response_str(buf->buf, (size_t*)(&(buf->len)), tid, 
 					relayed_addr1, relayed_addr2, reflexive_addr,
@@ -172,13 +172,13 @@ int stun_set_allocate_response(stun_buffer* buf, stun_tid* tid,
 
 ///////////////////////////////////////////////////////////////////////////////
 
-u16bits stun_set_channel_bind_request(stun_buffer* buf, 
-				       const ioa_addr* peer_addr, u16bits channel_number) {
+uint16_t stun_set_channel_bind_request(stun_buffer* buf, 
+				       const ioa_addr* peer_addr, uint16_t channel_number) {
 
   return stun_set_channel_bind_request_str(buf->buf,(size_t*)(&(buf->len)), peer_addr, channel_number);
 }
 
-void stun_set_channel_bind_response(stun_buffer* buf, stun_tid* tid, int error_code, const u08bits *reason) {
+void stun_set_channel_bind_response(stun_buffer* buf, stun_tid* tid, int error_code, const uint8_t *reason) {
   stun_set_channel_bind_response_str(buf->buf, (size_t*)(&(buf->len)), tid, error_code, reason);
 }
 
@@ -192,15 +192,15 @@ stun_attr_ref stun_attr_get_next(const stun_buffer* buf, stun_attr_ref prev) {
   return stun_attr_get_next_str(buf->buf, (size_t)(buf->len), prev);
 }
 
-int stun_attr_add(stun_buffer* buf, u16bits attr, const s08bits* avalue, int alen) {
-  return stun_attr_add_str(buf->buf, (size_t*)(&(buf->len)), attr, (const u08bits *)avalue, alen);
+int stun_attr_add(stun_buffer* buf, uint16_t attr, const char* avalue, int alen) {
+  return stun_attr_add_str(buf->buf, (size_t*)(&(buf->len)), attr, (const uint8_t *)avalue, alen);
 }
 
-int stun_attr_add_channel_number(stun_buffer* buf, u16bits chnumber) {
+int stun_attr_add_channel_number(stun_buffer* buf, uint16_t chnumber) {
   return stun_attr_add_channel_number_str(buf->buf, (size_t *)(&(buf->len)), chnumber);
 }
 
-int stun_attr_add_addr(stun_buffer *buf,u16bits attr_type, const ioa_addr* ca) {
+int stun_attr_add_addr(stun_buffer *buf,uint16_t attr_type, const ioa_addr* ca) {
   return stun_attr_add_addr_str(buf->buf,(size_t*)(&(buf->len)), attr_type, ca);
 }
 
@@ -210,22 +210,22 @@ int stun_attr_get_addr(const stun_buffer *buf, stun_attr_ref attr, ioa_addr* ca,
   return stun_attr_get_addr_str(buf->buf, (size_t)(buf->len), attr, ca, default_addr);
 }
 
-int stun_attr_get_first_addr(const stun_buffer *buf, u16bits attr_type, ioa_addr* ca, 
+int stun_attr_get_first_addr(const stun_buffer *buf, uint16_t attr_type, ioa_addr* ca, 
 			     const ioa_addr *default_addr) {
 
   return stun_attr_get_first_addr_str(buf->buf, (size_t)(buf->len), attr_type, ca, default_addr);
 }
 
 int stun_attr_add_even_port(stun_buffer* buf, uint8_t value) {
   if(value) value=0x80;
-  return stun_attr_add(buf,STUN_ATTRIBUTE_EVEN_PORT,(const s08bits*)&value,1);
+  return stun_attr_add(buf,STUN_ATTRIBUTE_EVEN_PORT,(const char*)&value,1);
 }
 
-u16bits stun_attr_get_first_channel_number(const stun_buffer *buf) {
+uint16_t stun_attr_get_first_channel_number(const stun_buffer *buf) {
   return stun_attr_get_first_channel_number_str(buf->buf, (size_t)(buf->len));
 }
 
-stun_attr_ref stun_attr_get_first_by_type(const stun_buffer* buf, u16bits attr_type) {
+stun_attr_ref stun_attr_get_first_by_type(const stun_buffer* buf, uint16_t attr_type) {
   return stun_attr_get_first_by_type_str(buf->buf, (size_t)(buf->len), attr_type);
 }
 
@@ -236,7 +236,7 @@ void stun_set_binding_request(stun_buffer* buf) {
 }
 
 int stun_set_binding_response(stun_buffer* buf, stun_tid* tid, 
-			      const ioa_addr *reflexive_addr, int error_code, const u08bits *reason) {
+			      const ioa_addr *reflexive_addr, int error_code, const uint8_t *reason) {
   return stun_set_binding_response_str(buf->buf, (size_t*)(&(buf->len)), tid, 
 				       reflexive_addr, error_code, reason,
 				       0,0);

@@ -40,11 +40,11 @@ extern "C" {
 ///////////////////////////////////////////////////////////////
 
 typedef struct _stun_buffer {
-  u08bits	channel[STUN_CHANNEL_HEADER_LENGTH];
-  u08bits	buf[STUN_BUFFER_SIZE];
+  uint8_t	channel[STUN_CHANNEL_HEADER_LENGTH];
+  uint8_t	buf[STUN_BUFFER_SIZE];
   size_t	len;
-  u16bits	offset;
-  u08bits	coffset;
+  uint16_t	offset;
+  uint8_t	coffset;
 } stun_buffer;
 
 //////////////////////////////////////////////////////////////
@@ -63,65 +63,65 @@ int stun_is_command_message(const stun_buffer* buf);
 int stun_is_request(const stun_buffer* buf);
 int stun_is_response(const stun_buffer* buf);
 int stun_is_success_response(const stun_buffer* buf);
-int stun_is_error_response(const stun_buffer* buf, int *err_code, u08bits *err_msg, size_t err_msg_size);
+int stun_is_error_response(const stun_buffer* buf, int *err_code, uint8_t *err_msg, size_t err_msg_size);
 int stun_is_indication(const stun_buffer* buf);
-u16bits stun_get_method(const stun_buffer* buf);
-u16bits stun_get_msg_type(const stun_buffer* buf);
+uint16_t stun_get_method(const stun_buffer* buf);
+uint16_t stun_get_msg_type(const stun_buffer* buf);
 
 ///////////////////////////////////////////////////////////////
 
-void stun_init_request(u16bits method, stun_buffer* buf);
-void stun_init_indication(u16bits method, stun_buffer* buf);
-void stun_init_success_response(u16bits method, stun_buffer* buf, stun_tid* id);
-void stun_init_error_response(u16bits method, stun_buffer* buf, u16bits error_code, const u08bits *reason, stun_tid* id);
+void stun_init_request(uint16_t method, stun_buffer* buf);
+void stun_init_indication(uint16_t method, stun_buffer* buf);
+void stun_init_success_response(uint16_t method, stun_buffer* buf, stun_tid* id);
+void stun_init_error_response(uint16_t method, stun_buffer* buf, uint16_t error_code, const uint8_t *reason, stun_tid* id);
 
 ///////////////////////////////////////////////////////////////
 
-int stun_attr_add(stun_buffer* buf, u16bits attr, const s08bits* avalue, int alen);
-int stun_attr_add_channel_number(stun_buffer* buf, u16bits chnumber);
-int stun_attr_add_addr(stun_buffer *buf,u16bits attr_type, const ioa_addr* ca);
+int stun_attr_add(stun_buffer* buf, uint16_t attr, const char* avalue, int alen);
+int stun_attr_add_channel_number(stun_buffer* buf, uint16_t chnumber);
+int stun_attr_add_addr(stun_buffer *buf,uint16_t attr_type, const ioa_addr* ca);
 
 stun_attr_ref stun_attr_get_first(const stun_buffer* buf);
-stun_attr_ref stun_attr_get_first_by_type(const stun_buffer* buf, u16bits attr_type);
+stun_attr_ref stun_attr_get_first_by_type(const stun_buffer* buf, uint16_t attr_type);
 stun_attr_ref stun_attr_get_next(const stun_buffer* buf, stun_attr_ref prev);
 int stun_attr_get_addr(const stun_buffer *buf, stun_attr_ref attr, ioa_addr* ca, const ioa_addr *default_addr);
 int stun_attr_add_even_port(stun_buffer* buf, uint8_t value);
 
-int stun_attr_get_first_addr(const stun_buffer *buf, u16bits attr_type, ioa_addr* ca, const ioa_addr *default_addr);
-u16bits stun_attr_get_first_channel_number(const stun_buffer *buf);
+int stun_attr_get_first_addr(const stun_buffer *buf, uint16_t attr_type, ioa_addr* ca, const ioa_addr *default_addr);
+uint16_t stun_attr_get_first_channel_number(const stun_buffer *buf);
 
 ///////////////////////////////////////////////////////////////
 
 int stun_get_command_message_len(const stun_buffer* buf);
 
 ///////////////////////////////////////////////////////////////
 
-int stun_init_channel_message(u16bits chnumber, stun_buffer* buf, int length, int do_padding);
-int stun_is_channel_message(stun_buffer* buf, u16bits* chnumber, int is_padding_madatory);
+int stun_init_channel_message(uint16_t chnumber, stun_buffer* buf, int length, int do_padding);
+int stun_is_channel_message(stun_buffer* buf, uint16_t* chnumber, int is_padding_madatory);
 
 ///////////////////////////////////////////////////////////////
 
-int stun_set_allocate_request(stun_buffer* buf, u32bits lifetime, int af4, int af6, u08bits transport, int mobile, const char* rt, int ep);
+int stun_set_allocate_request(stun_buffer* buf, uint32_t lifetime, int af4, int af6, uint8_t transport, int mobile, const char* rt, int ep);
 int stun_set_allocate_response(stun_buffer* buf, stun_tid* tid, 
 			       const ioa_addr *relayed_addr1, const ioa_addr *relayed_addr2,
 			       const ioa_addr *reflexive_addr,
-			       u32bits lifetime, u32bits max_lifetime,
-			       int error_code, const u08bits *reason,
-			       u64bits reservation_token, char *mobile_id);
+			       uint32_t lifetime, uint32_t max_lifetime,
+			       int error_code, const uint8_t *reason,
+			       uint64_t reservation_token, char *mobile_id);
 
 ///////////////////////////////////////////////////////////////
 
 void stun_set_binding_request(stun_buffer* buf);
 int stun_set_binding_response(stun_buffer* buf, stun_tid* tid, 
-			      const ioa_addr *reflexive_addr, int error_code, const u08bits *reason);
+			      const ioa_addr *reflexive_addr, int error_code, const uint8_t *reason);
 
 void stun_prepare_binding_request(stun_buffer* buf);
 int stun_is_binding_response(const stun_buffer* buf);
 
 ///////////////////////////////////////////////////////////////
 
-u16bits stun_set_channel_bind_request(stun_buffer* buf, const ioa_addr* peer_addr, u16bits channel_number);
-void stun_set_channel_bind_response(stun_buffer* buf, stun_tid* tid, int error_code, const u08bits *reason);
+uint16_t stun_set_channel_bind_request(stun_buffer* buf, const ioa_addr* peer_addr, uint16_t channel_number);
+void stun_set_channel_bind_response(stun_buffer* buf, stun_tid* tid, int error_code, const uint8_t *reason);
 
 ///////////////////////////////////////////////////////////////
 

@@ -81,7 +81,7 @@ static int stunclient_send(int sockfd, ioa_addr *local_addr, int *local_port, io
 
 	if (response_port >= 0) {
 		turn::StunAttrResponsePort rpa;
-		rpa.setResponsePort((u16bits)response_port);
+		rpa.setResponsePort((uint16_t)response_port);
 		try {
 			req.addAttr(rpa);
 		} catch(turn::WrongStunAttrFormatException &ex1) {
@@ -159,7 +159,7 @@ static int stunclient_receive(int sockfd, ioa_addr *local_addr, ioa_addr *reflex
 	{
 		int len = 0;
 		stun_buffer buf;
-		u08bits *ptr = buf.buf;
+		uint8_t *ptr = buf.buf;
 		int recvd = 0;
 		const int to_recv = sizeof(buf.buf);
 		struct timeval tv;
@@ -353,13 +353,13 @@ static int stunclient_send(stun_buffer *buf, int sockfd, ioa_addr *local_addr, i
 	stun_prepare_binding_request(buf);
 
 	if (response_port >= 0) {
-		stun_attr_add_response_port_str((u08bits*) (buf->buf), (size_t*) &(buf->len), (u16bits) response_port);
+		stun_attr_add_response_port_str((uint8_t*) (buf->buf), (size_t*) &(buf->len), (uint16_t) response_port);
 	}
 	if (change_ip || change_port) {
-		stun_attr_add_change_request_str((u08bits*) buf->buf, (size_t*) &(buf->len), change_ip, change_port);
+		stun_attr_add_change_request_str((uint8_t*) buf->buf, (size_t*) &(buf->len), change_ip, change_port);
 	}
 	if (padding) {
-		if(stun_attr_add_padding_str((u08bits*) buf->buf, (size_t*) &(buf->len), 1500)<0) {
+		if(stun_attr_add_padding_str((uint8_t*) buf->buf, (size_t*) &(buf->len), 1500)<0) {
 			printf("%s: ERROR: Cannot add padding\n",__FUNCTION__);
 		}
 	}
@@ -393,7 +393,7 @@ static int stunclient_receive(stun_buffer *buf, int sockfd, ioa_addr *local_addr
 
 	{
 		int len = 0;
-		u08bits *ptr = buf->buf;
+		uint8_t *ptr = buf->buf;
 		int recvd = 0;
 		const int to_recv = sizeof(buf->buf);
 		struct timeval tv;
@@ -444,11 +444,11 @@ static int stunclient_receive(stun_buffer *buf, int sockfd, ioa_addr *local_addr
 								} else {
 									printf("Not received mapped address attribute.\n");
 								}
-								stun_attr_get_addr_str((u08bits *) buf->buf, (size_t) buf->len, sar, other_addr, NULL);
+								stun_attr_get_addr_str((uint8_t *) buf->buf, (size_t) buf->len, sar, other_addr, NULL);
 								sar = stun_attr_get_first_by_type_str(buf->buf, buf->len, STUN_ATTRIBUTE_RESPONSE_ORIGIN);
 								if (sar) {
 									ioa_addr response_origin;
-									stun_attr_get_addr_str((u08bits *) buf->buf, (size_t) buf->len, sar, &response_origin, NULL);
+									stun_attr_get_addr_str((uint8_t *) buf->buf, (size_t) buf->len, sar, &response_origin, NULL);
 									addr_debug_print(1, &response_origin, "Response origin: ");
 								}
 								addr_debug_print(1, other_addr, "Other addr: ");
@@ -463,7 +463,7 @@ static int stunclient_receive(stun_buffer *buf, int sockfd, ioa_addr *local_addr
 					}
 				} else {
 					int err_code = 0;
-					u08bits err_msg[1025] = "\0";
+					uint8_t err_msg[1025] = "\0";
 					size_t err_msg_size = sizeof(err_msg);
 					if (stun_is_error_response(buf, &err_code, err_msg, err_msg_size)) {
 						printf("The response is an error %d (%s)\n", err_code, (char*) err_msg);
@@ -592,14 +592,14 @@ static void init(int first, ioa_addr *local_addr, ioa_addr *remote_addr, int *lo
 	addr_set_any(local_addr);
 
 	if(local_addr_string[0]) {
-		if(make_ioa_addr((const u08bits*)local_addr_string, 0, local_addr)<0) {
+		if(make_ioa_addr((const uint8_t*)local_addr_string, 0, local_addr)<0) {
 			err(-1,NULL);
 		}
 	}
 	if (!first) *local_port=-1;
 	*rfc5780 = 0;
 
-	if (make_ioa_addr((const u08bits*)remote_param, port, remote_addr) < 0)
+	if (make_ioa_addr((const uint8_t*)remote_param, port, remote_addr) < 0)
 	err(-1, NULL);
 }
 
@@ -631,8 +631,8 @@ int main(int argc, char **argv)
 	set_logfile("stdout");
 	set_system_parameters(0);
 
-	ns_bzero(local_addr_string, sizeof(local_addr_string));
-	ns_bzero(local2_addr_string, sizeof(local2_addr_string));
+	bzero(local_addr_string, sizeof(local_addr_string));
+	bzero(local2_addr_string, sizeof(local2_addr_string));
 	addr_set_any(&remote_addr);
 	addr_set_any(&other_addr);
 	addr_set_any(&reflexive_addr);
@@ -791,7 +791,7 @@ int main(int argc, char **argv)
 		addr_set_any(&local2_addr);
 
 		if(local2_addr_string[0]) {
-			if(make_ioa_addr((const u08bits*)local2_addr_string, 0, &local2_addr)<0) {
+			if(make_ioa_addr((const uint8_t*)local2_addr_string, 0, &local2_addr)<0) {
 				err(-1,NULL);
 			}
 		}

@@ -62,14 +62,14 @@ static int setup_ikm_key(const char *kid,
                         const char *as_rs_alg, 
                         oauth_key *key) { 
 
-        ns_bzero(key,sizeof(*key));
+        bzero(key,sizeof(*key));
 
         oauth_key_data okd;
-        ns_bzero(&okd,sizeof(okd));
+        bzero(&okd,sizeof(okd));
 
         {
                 oauth_key_data_raw okdr;
-                ns_bzero(&okdr,sizeof(okdr));
+                bzero(&okdr,sizeof(okdr));
 
                 STRCPY(okdr.kid,kid);
                 STRCPY(okdr.ikm_key,ikm_key);
@@ -103,7 +103,7 @@ static int encode_token(const char* server_name,
 
 
         oauth_token ot;
-        ns_bzero(&ot,sizeof(ot));
+        bzero(&ot,sizeof(ot));
 
         const size_t mac_key_length=strlen(mac_key);
         ot.enc_block.key_length = (uint16_t)mac_key_length;
@@ -112,12 +112,12 @@ static int encode_token(const char* server_name,
         ot.enc_block.lifetime = token_lifetime;
 
         encoded_oauth_token etoken;
-        ns_bzero(&etoken,sizeof(etoken));
+        bzero(&etoken,sizeof(etoken));
 
         // TODO: avoid this hack
         if (!*gcm_nonce) gcm_nonce=NULL;
 
-        if (encode_oauth_token((const u08bits *) server_name, &etoken, &key, &ot,(const u08bits *) gcm_nonce) < 0) {
+        if (encode_oauth_token((const uint8_t *) server_name, &etoken, &key, &ot,(const uint8_t *) gcm_nonce) < 0) {
                 fprintf(stderr, "%s: cannot encode oauth token\n",
                                 __FUNCTION__);
                 return -1;
@@ -135,16 +135,16 @@ static int validate_decode_token(const char* server_name,
                         const char* base64encoded_etoken, oauth_token* dot) {
 
         
-        ns_bzero((dot),sizeof(*dot));
+        bzero((dot),sizeof(*dot));
 
         encoded_oauth_token etoken;
-        ns_bzero(&etoken,sizeof(etoken));
+        bzero(&etoken,sizeof(etoken));
 
         const size_t base64encoded_etoken_length=strlen(base64encoded_etoken);
         const unsigned char *tmp = base64_decode(base64encoded_etoken,base64encoded_etoken_length,&etoken.size);
         memcpy(etoken.token,tmp,etoken.size);
                         
-        if (decode_oauth_token((const u08bits *) server_name, &etoken, &key, dot) < 0) {
+        if (decode_oauth_token((const uint8_t *) server_name, &etoken, &key, dot) < 0) {
                 fprintf(stderr, "%s: cannot decode oauth token\n",
                                 __FUNCTION__);
                 return -1;

@@ -68,11 +68,11 @@ static int udp_create_server_socket(server_type* server,
   if(!server) return -1;
 
   evutil_socket_t udp_fd = -1;
-  ioa_addr *server_addr = (ioa_addr*)turn_malloc(sizeof(ioa_addr));
+  ioa_addr *server_addr = (ioa_addr*)malloc(sizeof(ioa_addr));
 
   STRCPY(server->ifname,ifname);
 
-  if(make_ioa_addr((const u08bits*)local_address, port, server_addr)<0) return -1;
+  if(make_ioa_addr((const uint8_t*)local_address, port, server_addr)<0) return -1;
   
   udp_fd = socket(server_addr->ss.sa_family, RELAY_DGRAM_SOCKET_TYPE, RELAY_DGRAM_SOCKET_PROTOCOL);
   if (udp_fd < 0) {
@@ -102,11 +102,11 @@ static int udp_create_server_socket(server_type* server,
 
 static server_type* init_server(int verbose, const char* ifname, char **local_addresses, size_t las, int port) {
 
-  server_type* server=(server_type*)turn_malloc(sizeof(server_type));
+  server_type* server=(server_type*)malloc(sizeof(server_type));
 
   if(!server) return server;
 
-  ns_bzero(server,sizeof(server_type));
+  bzero(server,sizeof(server_type));
 
   server->verbose=verbose;
 
@@ -123,7 +123,7 @@ static server_type* init_server(int verbose, const char* ifname, char **local_ad
 static int clean_server(server_type* server) {
   if(server) {
     if(server->event_base) event_base_free(server->event_base);
-    turn_free(server,sizeof(server_type));
+    free(server);
   }
   return 0;
 }

@@ -74,7 +74,7 @@ static void MongoFree(MONGO * info) {
 	if(info) {
 		if(info->uri) mongoc_uri_destroy(info->uri);
 		if(info->client) mongoc_client_destroy(info->client);
-		turn_free(info, sizeof(MONGO));
+		free(info);
 	}
 }
 
@@ -88,7 +88,9 @@ static MONGO * get_mongodb_connection(void) {
 		mongoc_init();
 		mongoc_log_set_handler(&mongo_logger, NULL);
 
-		mydbconnection = (MONGO *) turn_malloc(sizeof(MONGO));
+		mydbconnection = (MONGO *) malloc(sizeof(MONGO));
+		bzero(mydbconnection, sizeof(MONGO));
+
 		mydbconnection->uri = mongoc_uri_new(pud->userdb);
 
 		if (!mydbconnection->uri) {
@@ -144,7 +146,7 @@ static mongoc_collection_t * mongo_get_collection(const char * name) {
 
 ///////////////////////////////////////////////////////////////////////////////////////////////////////////
 
-static int mongo_get_auth_secrets(secrets_list_t *sl, u08bits *realm) {
+static int mongo_get_auth_secrets(secrets_list_t *sl, uint8_t *realm) {
   mongoc_collection_t * collection = mongo_get_collection("turn_secret"); 
 
 	if(!collection)
@@ -186,7 +188,7 @@ static int mongo_get_auth_secrets(secrets_list_t *sl, u08bits *realm) {
   return ret;
 }
   
-static int mongo_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) {
+static int mongo_get_user_key(uint8_t *usname, uint8_t *realm, hmackey_t key) {
   mongoc_collection_t * collection = mongo_get_collection("turnusers_lt"); 
 
 	if(!collection)
@@ -221,7 +223,7 @@ static int mongo_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) {
 					TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong key format: string length=%d (must be %d): user %s\n", (int)length, (int)sz, usname);
 				} else {
 					char kval[sizeof(hmackey_t) + sizeof(hmackey_t) + 1];
-					ns_bcopy(value, kval, sz);
+					bcopy(value, kval, sz);
 					kval[sz] = 0;
 					if(convert_string_key_to_binary(kval, key, sz / 2) < 0) {
 						TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong key: %s, user %s\n", kval, usname);
@@ -239,7 +241,7 @@ static int mongo_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) {
   return ret;
 }
 
-static int mongo_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
+static int mongo_get_oauth_key(const uint8_t *kid, oauth_key_data_raw *key) {
 
 	mongoc_collection_t * collection = mongo_get_collection("oauth_key");
 
@@ -264,7 +266,7 @@ static int mongo_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
 
 	int ret = -1;
 
-	ns_bzero(key,sizeof(oauth_key_data_raw));
+	bzero(key,sizeof(oauth_key_data_raw));
 	STRCPY(key->kid,kid);
 
 	if (!cursor) {
@@ -285,10 +287,10 @@ static int mongo_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
 				STRCPY(key->ikm_key,bson_iter_utf8(&iter, &length));
 			}
 			if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "timestamp") && BSON_ITER_HOLDS_INT64(&iter)) {
-				key->timestamp = (u64bits)bson_iter_int64(&iter);
+				key->timestamp = (uint64_t)bson_iter_int64(&iter);
 			}
 			if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "lifetime") && BSON_ITER_HOLDS_INT32(&iter)) {
-				key->lifetime = (u32bits)bson_iter_int32(&iter);
+				key->lifetime = (uint32_t)bson_iter_int32(&iter);
 			}
 			ret = 0;
 		}
@@ -300,7 +302,7 @@ static int mongo_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
 	return ret;
 }
   
-static int mongo_set_user_key(u08bits *usname, u08bits *realm, const char *key) {
+static int mongo_set_user_key(uint8_t *usname, uint8_t *realm, const char *key) {
   mongoc_collection_t * collection = mongo_get_collection("turnusers_lt"); 
 
 	if(!collection)
@@ -363,7 +365,7 @@ static int mongo_set_oauth_key(oauth_key_data_raw *key) {
   return ret;
 }
   
-static int mongo_del_user(u08bits *usname, u08bits *realm) {
+static int mongo_del_user(uint8_t *usname, uint8_t *realm) {
   mongoc_collection_t * collection = mongo_get_collection("turnusers_lt");
 
 	if(!collection)
@@ -386,7 +388,7 @@ static int mongo_del_user(u08bits *usname, u08bits *realm) {
   return ret;
 }
 
-static int mongo_del_oauth_key(const u08bits *kid) {
+static int mongo_del_oauth_key(const uint8_t *kid) {
 
   mongoc_collection_t * collection = mongo_get_collection("oauth_key");
 
@@ -409,12 +411,12 @@ static int mongo_del_oauth_key(const u08bits *kid) {
   return ret;
 }
   
-static int mongo_list_users(u08bits *realm, secrets_list_t *users, secrets_list_t *realms)
+static int mongo_list_users(uint8_t *realm, secrets_list_t *users, secrets_list_t *realms)
 {
   const char * collection_name = "turnusers_lt";
   mongoc_collection_t * collection = mongo_get_collection(collection_name);
 
-  u08bits realm0[STUN_MAX_REALM_SIZE+1] = "\0";
+  uint8_t realm0[STUN_MAX_REALM_SIZE+1] = "\0";
   if(!realm) realm=realm0;
 
   if(!collection)
@@ -524,7 +526,7 @@ static int mongo_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre
     bson_iter_t iter;
     while (mongoc_cursor_next(cursor, &item)) {
 
-    	ns_bzero(key,sizeof(oauth_key_data_raw));
+    	bzero(key,sizeof(oauth_key_data_raw));
     	if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "kid") && BSON_ITER_HOLDS_UTF8(&iter)) {
     		STRCPY(key->kid,bson_iter_utf8(&iter, &length));
     	}
@@ -538,10 +540,10 @@ static int mongo_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre
     		STRCPY(key->ikm_key,bson_iter_utf8(&iter, &length));
     	}
     	if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "timestamp") && BSON_ITER_HOLDS_INT64(&iter)) {
-    		key->timestamp = (u64bits)bson_iter_int64(&iter);
+    		key->timestamp = (uint64_t)bson_iter_int64(&iter);
     	}
     	if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "lifetime") && BSON_ITER_HOLDS_INT32(&iter)) {
-    		key->lifetime = (u32bits)bson_iter_int32(&iter);
+    		key->lifetime = (uint32_t)bson_iter_int32(&iter);
     	}
     	if(kids) {
     		add_to_secrets_list(kids,key->kid);
@@ -572,11 +574,11 @@ static int mongo_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre
   return ret;
 }
   
-static int mongo_list_secrets(u08bits *realm, secrets_list_t *secrets, secrets_list_t *realms)
+static int mongo_list_secrets(uint8_t *realm, secrets_list_t *secrets, secrets_list_t *realms)
 {
 	mongoc_collection_t * collection = mongo_get_collection("turn_secret");
 
-	u08bits realm0[STUN_MAX_REALM_SIZE+1] = "\0";
+	uint8_t realm0[STUN_MAX_REALM_SIZE+1] = "\0";
 	if(!realm) realm=realm0;
 
 	if(!collection)
@@ -644,7 +646,7 @@ static int mongo_list_secrets(u08bits *realm, secrets_list_t *secrets, secrets_l
 	return ret;
 }
   
-static int mongo_del_secret(u08bits *secret, u08bits *realm) {
+static int mongo_del_secret(uint8_t *secret, uint8_t *realm) {
   mongoc_collection_t * collection = mongo_get_collection("turn_secret"); 
 
 	if(!collection)
@@ -663,7 +665,7 @@ static int mongo_del_secret(u08bits *secret, u08bits *realm) {
   return 0;
 }
   
-static int mongo_set_secret(u08bits *secret, u08bits *realm) {
+static int mongo_set_secret(uint8_t *secret, uint8_t *realm) {
   mongoc_collection_t * collection = mongo_get_collection("turn_secret"); 
 
 	if(!collection)
@@ -686,7 +688,7 @@ static int mongo_set_secret(u08bits *secret, u08bits *realm) {
   }
 }
 
-static int mongo_set_permission_ip(const char *kind, u08bits *realm, const char* ip, int del)
+static int mongo_set_permission_ip(const char *kind, uint8_t *realm, const char* ip, int del)
 {
 	char sub_collection_name[129];
 	snprintf(sub_collection_name,sizeof(sub_collection_name)-1,"%s_peer_ip",kind);
@@ -698,7 +700,7 @@ static int mongo_set_permission_ip(const char *kind, u08bits *realm, const char*
 
 	int ret = -1;
 
-	u08bits realm0[STUN_MAX_REALM_SIZE+1] = "\0";
+	uint8_t realm0[STUN_MAX_REALM_SIZE+1] = "\0";
 	if(!realm) realm=realm0;
 
 	bson_t query, doc, child;
@@ -732,7 +734,7 @@ static int mongo_set_permission_ip(const char *kind, u08bits *realm, const char*
 	return ret;
 }
   
-static int mongo_add_origin(u08bits *origin, u08bits *realm)
+static int mongo_add_origin(uint8_t *origin, uint8_t *realm)
 {
 	mongoc_collection_t * collection = mongo_get_collection("realm");
 
@@ -741,7 +743,7 @@ static int mongo_add_origin(u08bits *origin, u08bits *realm)
     
 	int ret = -1;
 
-	u08bits realm0[STUN_MAX_REALM_SIZE+1] = "\0";
+	uint8_t realm0[STUN_MAX_REALM_SIZE+1] = "\0";
 	if(!realm) realm=realm0;
   
 	bson_t query, doc, child;
@@ -763,7 +765,7 @@ static int mongo_add_origin(u08bits *origin, u08bits *realm)
 	return ret;
 }
   
-static int mongo_del_origin(u08bits *origin)
+static int mongo_del_origin(uint8_t *origin)
 {
   mongoc_collection_t * collection = mongo_get_collection("realm"); 
 
@@ -790,14 +792,14 @@ static int mongo_del_origin(u08bits *origin)
   return ret;
 }
   
-static int mongo_list_origins(u08bits *realm, secrets_list_t *origins, secrets_list_t *realms)
+static int mongo_list_origins(uint8_t *realm, secrets_list_t *origins, secrets_list_t *realms)
 {
 	mongoc_collection_t * collection = mongo_get_collection("realm");
 
 	if(!collection)
 		return -1;
 
-	u08bits realm0[STUN_MAX_REALM_SIZE+1] = "\0";
+	uint8_t realm0[STUN_MAX_REALM_SIZE+1] = "\0";
 	if(!realm) realm=realm0;
 
 	bson_t query, child;
@@ -868,7 +870,7 @@ static int mongo_list_origins(u08bits *realm, secrets_list_t *origins, secrets_l
 	return ret;
 }
   
-static int mongo_set_realm_option_one(u08bits *realm, unsigned long value, const char* opt) {
+static int mongo_set_realm_option_one(uint8_t *realm, unsigned long value, const char* opt) {
   mongoc_collection_t * collection = mongo_get_collection("realm"); 
 
 	if(!collection)
@@ -880,7 +882,7 @@ static int mongo_set_realm_option_one(u08bits *realm, unsigned long value, const
   bson_init(&doc);
   
   size_t klen = 9 + strlen(opt);
-  char * _k = (char *)turn_malloc(klen);
+  char * _k = (char *)malloc(klen);
   strcpy(_k, "options.");
   strcat(_k, opt);
   
@@ -893,7 +895,7 @@ static int mongo_set_realm_option_one(u08bits *realm, unsigned long value, const
     BSON_APPEND_INT32(&child, _k, 1);
     bson_append_document_end(&doc, &child);
   }
-  turn_free(_k,klen);
+  free(_k);
   
   int ret = -1;
   
@@ -908,7 +910,7 @@ static int mongo_set_realm_option_one(u08bits *realm, unsigned long value, const
   return ret;
 }
   
-static int mongo_list_realm_options(u08bits *realm) {
+static int mongo_list_realm_options(uint8_t *realm) {
   mongoc_collection_t * collection = mongo_get_collection("realm"); 
 
 	if(!collection)
@@ -1089,7 +1091,7 @@ static void mongo_reread_realms(secrets_list_t * realms_list) {
 		TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
 				"Error querying MongoDB collection 'realm'\n");
 	} else {
-		ur_string_map *o_to_realm_new = ur_string_map_create(turn_free_simple);
+		ur_string_map *o_to_realm_new = ur_string_map_create(free);
 
 		const bson_t * item;
 		uint32_t length;
@@ -1100,7 +1102,7 @@ static void mongo_reread_realms(secrets_list_t * realms_list) {
 			if (bson_iter_init(&iter, item) && bson_iter_find(&iter, "realm")
 					&& BSON_ITER_HOLDS_UTF8(&iter)) {
 
-				char * _realm = turn_strdup(bson_iter_utf8(&iter, &length));
+				char * _realm = strdup(bson_iter_utf8(&iter, &length));
 
 				get_realm(_realm);
 
@@ -1117,14 +1119,14 @@ static void mongo_reread_realms(secrets_list_t * realms_list) {
 					if (bson_iter_init(&origin_iter, &origin_array)) {
 						while (bson_iter_next(&origin_iter)) {
 							if (BSON_ITER_HOLDS_UTF8(&origin_iter)) {
-								char* _origin =	turn_strdup(bson_iter_utf8(&origin_iter, &length));
-								char *rval = turn_strdup(_realm);
+								char* _origin =	strdup(bson_iter_utf8(&origin_iter, &length));
+								char *rval = strdup(_realm);
 								ur_string_map_value_type value =
 										(ur_string_map_value_type) (rval);
 								ur_string_map_put(o_to_realm_new,
 										(const ur_string_map_key_type) _origin,
 										value);
-								turn_free(_origin,strlen(_origin)+1);
+								free(_origin);
 							}
 						}
 					}
@@ -1173,7 +1175,7 @@ static void mongo_reread_realms(secrets_list_t * realms_list) {
 						}
 					}
 				}
-				turn_free(_realm,strlen(_realm)+1);
+				free(_realm);
 			}
 		}
 		update_o_to_realm(o_to_realm_new);
@@ -1186,7 +1188,7 @@ static void mongo_reread_realms(secrets_list_t * realms_list) {
 
 /////////////////////////////////////////////////
 
-static int mongo_get_admin_user(const u08bits *usname, u08bits *realm, password_t pwd)
+static int mongo_get_admin_user(const uint8_t *usname, uint8_t *realm, password_t pwd)
 {
 	mongoc_collection_t * collection = mongo_get_collection("admin_user");
 
@@ -1234,7 +1236,7 @@ static int mongo_get_admin_user(const u08bits *usname, u08bits *realm, password_
 	return ret;
 }
 
-static int mongo_set_admin_user(const u08bits *usname, const u08bits *realm, const password_t pwd)
+static int mongo_set_admin_user(const uint8_t *usname, const uint8_t *realm, const password_t pwd)
 {
 	mongoc_collection_t * collection = mongo_get_collection("admin_user");
 
@@ -1264,7 +1266,7 @@ static int mongo_set_admin_user(const u08bits *usname, const u08bits *realm, con
 	return ret;
 }
 
-static int mongo_del_admin_user(const u08bits *usname)
+static int mongo_del_admin_user(const uint8_t *usname)
 {
 	mongoc_collection_t * collection = mongo_get_collection("admin_user");
 
@@ -1349,6 +1351,15 @@ static int mongo_list_admin_users(int no_print)
 	return ret;
 }
 
+static void mongo_disconnect(void) {
+	MONGO * mongoconnection = (MONGO *) pthread_getspecific(connection_key);
+	if (mongoconnection) {
+		MongoFree(mongoconnection);
+		mongoconnection = NULL;
+	}
+	TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "MongoDB connection was closed.\n");
+}
+
 //////////////////////////////////////////////////////////
 
 static const turn_dbdriver_t driver = {
@@ -1376,7 +1387,8 @@ static const turn_dbdriver_t driver = {
   &mongo_get_admin_user,
   &mongo_set_admin_user,
   &mongo_del_admin_user,
-  &mongo_list_admin_users
+  &mongo_list_admin_users,
+  &mongo_disconnect
 };
 
 const turn_dbdriver_t * get_mongo_dbdriver(void) {

@@ -61,16 +61,16 @@ typedef struct _Myconninfo Myconninfo;
 
 static void MyconninfoFree(Myconninfo *co) {
 	if(co) {
-		if(co->host) turn_free(co->host,strlen(co->host)+1);
-		if(co->dbname) turn_free(co->dbname, strlen(co->dbname)+1);
-		if(co->user) turn_free(co->user, strlen(co->user)+1);
-		if(co->password) turn_free(co->password, strlen(co->password)+1);
-		if(co->key) turn_free(co->key, strlen(co->key)+1);
-		if(co->ca) turn_free(co->ca, strlen(co->ca)+1);
-		if(co->cert) turn_free(co->cert, strlen(co->cert)+1);
-		if(co->capath) turn_free(co->capath, strlen(co->capath)+1);
-		if(co->cipher) turn_free(co->cipher, strlen(co->cipher)+1);
-		ns_bzero(co,sizeof(Myconninfo));
+		if(co->host) free(co->host);
+		if(co->dbname) free(co->dbname);
+		if(co->user) free(co->user);
+		if(co->password) free(co->password);
+		if(co->key) free(co->key);
+		if(co->ca) free(co->ca);
+		if(co->cert) free(co->cert);
+		if(co->capath) free(co->capath);
+		if(co->cipher) free(co->cipher);
+		bzero(co,sizeof(Myconninfo));
 	}
 }
 
@@ -103,10 +103,10 @@ char* decryptPassword(char* in, const unsigned char* mykey){
 
 
 static Myconninfo *MyconninfoParse(char *userdb, char **errmsg) {
-	Myconninfo *co = (Myconninfo*)turn_malloc(sizeof(Myconninfo));
-	ns_bzero(co,sizeof(Myconninfo));
+	Myconninfo *co = (Myconninfo*)malloc(sizeof(Myconninfo));
+	bzero(co,sizeof(Myconninfo));
 	if(userdb) {
-		char *s0=turn_strdup(userdb);
+		char *s0=strdup(userdb);
 		char *s = s0;
 
 		while(s && *s) {
@@ -123,44 +123,44 @@ static Myconninfo *MyconninfoParse(char *userdb, char **errmsg) {
 				MyconninfoFree(co);
 				co = NULL;
 				if(errmsg) {
-					*errmsg = turn_strdup(s);
+					*errmsg = strdup(s);
 				}
 				break;
 			}
 
 			*seq = 0;
 			if(!strcmp(s,"host"))
-				co->host = turn_strdup(seq+1);
+				co->host = strdup(seq+1);
 			else if(!strcmp(s,"ip"))
-				co->host = turn_strdup(seq+1);
+				co->host = strdup(seq+1);
 			else if(!strcmp(s,"addr"))
-				co->host = turn_strdup(seq+1);
+				co->host = strdup(seq+1);
 			else if(!strcmp(s,"ipaddr"))
-				co->host = turn_strdup(seq+1);
+				co->host = strdup(seq+1);
 			else if(!strcmp(s,"hostaddr"))
-				co->host = turn_strdup(seq+1);
+				co->host = strdup(seq+1);
 			else if(!strcmp(s,"dbname"))
-				co->dbname = turn_strdup(seq+1);
+				co->dbname = strdup(seq+1);
 			else if(!strcmp(s,"db"))
-				co->dbname = turn_strdup(seq+1);
+				co->dbname = strdup(seq+1);
 			else if(!strcmp(s,"database"))
-				co->dbname = turn_strdup(seq+1);
+				co->dbname = strdup(seq+1);
 			else if(!strcmp(s,"user"))
-				co->user = turn_strdup(seq+1);
+				co->user = strdup(seq+1);
 			else if(!strcmp(s,"uname"))
-				co->user = turn_strdup(seq+1);
+				co->user = strdup(seq+1);
 			else if(!strcmp(s,"name"))
-				co->user = turn_strdup(seq+1);
+				co->user = strdup(seq+1);
 			else if(!strcmp(s,"username"))
-				co->user = turn_strdup(seq+1);
+				co->user = strdup(seq+1);
 			else if(!strcmp(s,"password"))
-				co->password = turn_strdup(seq+1);
+				co->password = strdup(seq+1);
 			else if(!strcmp(s,"pwd"))
-				co->password = turn_strdup(seq+1);
+				co->password = strdup(seq+1);
 			else if(!strcmp(s,"passwd"))
-				co->password = turn_strdup(seq+1);
+				co->password = strdup(seq+1);
 			else if(!strcmp(s,"secret"))
-				co->password = turn_strdup(seq+1);
+				co->password = strdup(seq+1);
 			else if(!strcmp(s,"port"))
 				co->port = (unsigned int)atoi(seq+1);
 			else if(!strcmp(s,"p"))
@@ -172,49 +172,49 @@ static Myconninfo *MyconninfoParse(char *userdb, char **errmsg) {
 			else if(!strcmp(s,"read_timeout"))
 				co->read_timeout = (unsigned int)atoi(seq+1);
 			else if(!strcmp(s,"key"))
-				co->key = turn_strdup(seq+1);
+				co->key = strdup(seq+1);
 			else if(!strcmp(s,"ssl-key"))
-				co->key = turn_strdup(seq+1);
+				co->key = strdup(seq+1);
 			else if(!strcmp(s,"ca"))
-				co->ca = turn_strdup(seq+1);
+				co->ca = strdup(seq+1);
 			else if(!strcmp(s,"ssl-ca"))
-				co->ca = turn_strdup(seq+1);
+				co->ca = strdup(seq+1);
 			else if(!strcmp(s,"capath"))
-				co->capath = turn_strdup(seq+1);
+				co->capath = strdup(seq+1);
 			else if(!strcmp(s,"ssl-capath"))
-				co->capath = turn_strdup(seq+1);
+				co->capath = strdup(seq+1);
 			else if(!strcmp(s,"cert"))
-				co->cert = turn_strdup(seq+1);
+				co->cert = strdup(seq+1);
 			else if(!strcmp(s,"ssl-cert"))
-				co->cert = turn_strdup(seq+1);
+				co->cert = strdup(seq+1);
 			else if(!strcmp(s,"cipher"))
-				co->cipher = turn_strdup(seq+1);
+				co->cipher = strdup(seq+1);
 			else if(!strcmp(s,"ssl-cipher"))
-				co->cipher = turn_strdup(seq+1);
+				co->cipher = strdup(seq+1);
 			else {
 				MyconninfoFree(co);
 				co = NULL;
 				if(errmsg) {
-					*errmsg = turn_strdup(s);
+					*errmsg = strdup(s);
 				}
 				break;
 			}
 
 			s = snext;
 		}
 
-		turn_free(s0, strlen(s0)+1);
+		free(s0);
 	}
 
 	if(co) {
 		if(!(co->dbname))
-			co->dbname=turn_strdup("0");
+			co->dbname=strdup("0");
 		if(!(co->host))
-			co->host=turn_strdup("127.0.0.1");
+			co->host=strdup("127.0.0.1");
 		if(!(co->user))
-			co->user=turn_strdup("");
+			co->user=strdup("");
 		if(!(co->password))
-			co->password=turn_strdup("");
+			co->password=strdup("");
 	}
 
 	return co;
@@ -240,13 +240,13 @@ static MYSQL *get_mydb_connection(void) {
 		if(!co) {
 			if(errmsg) {
 				TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Cannot open MySQL DB connection <%s>, connection string format error: %s\n",pud->userdb,errmsg);
-				turn_free(errmsg,strlen(errmsg)+1);
+				free(errmsg);
 			} else {
 				TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Cannot open MySQL DB connection <%s>, connection string format error\n",pud->userdb);
 			}
 		} else if(errmsg) {
 			TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Cannot open MySQL DB connection <%s>, connection string format error: %s\n",pud->userdb,errmsg);
-			turn_free(errmsg,strlen(errmsg)+1);
+			free(errmsg);
 			MyconninfoFree(co);
 		} else if(!(co->dbname)) {
 			TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "MySQL Database name is not provided: <%s>\n",pud->userdb);
@@ -299,7 +299,7 @@ static MYSQL *get_mydb_connection(void) {
 
 ///////////////////////////////////////////////////////////////////////////////////////////////////////////
 
-static int mysql_get_auth_secrets(secrets_list_t *sl, u08bits *realm) {
+static int mysql_get_auth_secrets(secrets_list_t *sl, uint8_t *realm) {
   int ret = -1;
 	MYSQL * myc = get_mydb_connection();
 	if(myc) {
@@ -323,7 +323,7 @@ static int mysql_get_auth_secrets(secrets_list_t *sl, u08bits *realm) {
 							if(lengths) {
 								size_t sz = lengths[0];
 								char auth_secret[TURN_LONG_STRING_SIZE];
-								ns_bcopy(row[0],auth_secret,sz);
+								bcopy(row[0],auth_secret,sz);
 								auth_secret[sz]=0;
 								add_to_secrets_list(sl,auth_secret);
 							}
@@ -340,7 +340,7 @@ static int mysql_get_auth_secrets(secrets_list_t *sl, u08bits *realm) {
   return ret;
 }
   
-static int mysql_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) {
+static int mysql_get_user_key(uint8_t *usname, uint8_t *realm, hmackey_t key) {
   int ret = -1;
 	MYSQL * myc = get_mydb_connection();
 	if(myc) {
@@ -366,7 +366,7 @@ static int mysql_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) {
 							TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong key format: string length=%d (must be %d): user %s\n",(int)lengths[0],(int)sz,usname);
 						} else {
 							char kval[sizeof(hmackey_t)+sizeof(hmackey_t)+1];
-							ns_bcopy(row[0],kval,sz);
+							bcopy(row[0],kval,sz);
 							kval[sz]=0;
 							if(convert_string_key_to_binary(kval, key, sz/2)<0) {
 								TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Wrong key: %s, user %s\n",kval,usname);
@@ -385,7 +385,7 @@ static int mysql_get_user_key(u08bits *usname, u08bits *realm, hmackey_t key) {
   return ret;
 }
 
-static int mysql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
+static int mysql_get_oauth_key(const uint8_t *kid, oauth_key_data_raw *key) {
 
 	int ret = -1;
 	char statement[TURN_LONG_STRING_SIZE];
@@ -409,23 +409,23 @@ static int mysql_get_oauth_key(const u08bits *kid, oauth_key_data_raw *key) {
 					unsigned long *lengths = mysql_fetch_lengths(mres);
 					if(lengths) {
 						STRCPY(key->kid,kid);
-						ns_bcopy(row[0],key->ikm_key,lengths[0]);
+						bcopy(row[0],key->ikm_key,lengths[0]);
 						key->ikm_key[lengths[0]]=0;
 
 						char stimestamp[128];
-						ns_bcopy(row[1],stimestamp,lengths[1]);
+						bcopy(row[1],stimestamp,lengths[1]);
 						stimestamp[lengths[1]]=0;
-						key->timestamp = (u64bits)strtoull(stimestamp,NULL,10);
+						key->timestamp = (uint64_t)strtoull(stimestamp,NULL,10);
 
 						char slifetime[128];
-						ns_bcopy(row[2],slifetime,lengths[2]);
+						bcopy(row[2],slifetime,lengths[2]);
 						slifetime[lengths[2]]=0;
-						key->lifetime = (u32bits)strtoul(slifetime,NULL,10);
+						key->lifetime = (uint32_t)strtoul(slifetime,NULL,10);
 
-						ns_bcopy(row[3],key->as_rs_alg,lengths[3]);
+						bcopy(row[3],key->as_rs_alg,lengths[3]);
 						key->as_rs_alg[lengths[3]]=0;
 
-						ns_bcopy(row[4],key->realm,lengths[4]);
+						bcopy(row[4],key->realm,lengths[4]);
 						key->realm[lengths[4]]=0;
 
 						ret = 0;
@@ -465,26 +465,26 @@ static int mysql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre
 					unsigned long *lengths = mysql_fetch_lengths(mres);
 					if(lengths) {
 
-						ns_bcopy(row[0],key->ikm_key,lengths[0]);
+						bcopy(row[0],key->ikm_key,lengths[0]);
 						key->ikm_key[lengths[0]]=0;
 
 						char stimestamp[128];
-						ns_bcopy(row[1],stimestamp,lengths[1]);
+						bcopy(row[1],stimestamp,lengths[1]);
 						stimestamp[lengths[1]]=0;
-						key->timestamp = (u64bits)strtoull(stimestamp,NULL,10);
+						key->timestamp = (uint64_t)strtoull(stimestamp,NULL,10);
 
 						char slifetime[128];
-						ns_bcopy(row[2],slifetime,lengths[2]);
+						bcopy(row[2],slifetime,lengths[2]);
 						slifetime[lengths[2]]=0;
-						key->lifetime = (u32bits)strtoul(slifetime,NULL,10);
+						key->lifetime = (uint32_t)strtoul(slifetime,NULL,10);
 
-						ns_bcopy(row[3],key->as_rs_alg,lengths[3]);
+						bcopy(row[3],key->as_rs_alg,lengths[3]);
 						key->as_rs_alg[lengths[3]]=0;
 
-						ns_bcopy(row[4],key->realm,lengths[4]);
+						bcopy(row[4],key->realm,lengths[4]);
 						key->realm[lengths[4]]=0;
 
-						ns_bcopy(row[5],key->kid,lengths[5]);
+						bcopy(row[5],key->kid,lengths[5]);
 						key->kid[lengths[5]]=0;
 
 						if(kids) {
@@ -519,7 +519,7 @@ static int mysql_list_oauth_keys(secrets_list_t *kids,secrets_list_t *teas,secre
 	return ret;
 }
   
-static int mysql_set_user_key(u08bits *usname, u08bits *realm, const char *key)
+static int mysql_set_user_key(uint8_t *usname, uint8_t *realm, const char *key)
 {
   int ret = -1;
   char statement[TURN_LONG_STRING_SIZE];
@@ -568,7 +568,7 @@ static int mysql_set_oauth_key(oauth_key_data_raw *key)
 	return ret;
 }
   
-static int mysql_del_user(u08bits *usname, u08bits *realm) {
+static int mysql_del_user(uint8_t *usname, uint8_t *realm) {
   int ret = -1;
 	char statement[TURN_LONG_STRING_SIZE];
 	MYSQL * myc = get_mydb_connection();
@@ -584,7 +584,7 @@ static int mysql_del_user(u08bits *usname, u08bits *realm) {
   return ret;
 }
 
-static int mysql_del_oauth_key(const u08bits *kid) {
+static int mysql_del_oauth_key(const uint8_t *kid) {
 	int ret = -1;
 	char statement[TURN_LONG_STRING_SIZE];
 	MYSQL * myc = get_mydb_connection();
@@ -600,12 +600,12 @@ static int mysql_del_oauth_key(const u08bits *kid) {
 	return ret;
 }
   
-static int mysql_list_users(u08bits *realm, secrets_list_t *users, secrets_list_t *realms)
+static int mysql_list_users(uint8_t *realm, secrets_list_t *users, secrets_list_t *realms)
 {
 	int ret = -1;
 	char statement[TURN_LONG_STRING_SIZE];
 
-	u08bits realm0[STUN_MAX_REALM_SIZE+1] = "\0";
+	uint8_t realm0[STUN_MAX_REALM_SIZE+1] = "\0";
 	if(!realm) realm=realm0;
 
 	MYSQL * myc = get_mydb_connection();
@@ -656,11 +656,11 @@ static int mysql_list_users(u08bits *realm, secrets_list_t *users, secrets_list_
   return ret;
 }
   
-static int mysql_list_secrets(u08bits *realm, secrets_list_t *secrets, secrets_list_t *realms)
+static int mysql_list_secrets(uint8_t *realm, secrets_list_t *secrets, secrets_list_t *realms)
 {
 	int ret = -1;
 
-	u08bits realm0[STUN_MAX_REALM_SIZE+1] = "\0";
+	uint8_t realm0[STUN_MAX_REALM_SIZE+1] = "\0";
 	if(!realm) realm=realm0;
 
 	char statement[TURN_LONG_STRING_SIZE];
@@ -717,7 +717,7 @@ static int mysql_list_secrets(u08bits *realm, secrets_list_t *secrets, secrets_l
 	return ret;
 }
   
-static int mysql_del_secret(u08bits *secret, u08bits *realm) {
+static int mysql_del_secret(uint8_t *secret, uint8_t *realm) {
   int ret = -1;
 	donot_print_connection_success=1;
 	char statement[TURN_LONG_STRING_SIZE];
@@ -733,7 +733,7 @@ static int mysql_del_secret(u08bits *secret, u08bits *realm) {
   return ret;
 }
   
-static int mysql_set_secret(u08bits *secret, u08bits *realm) {
+static int mysql_set_secret(uint8_t *secret, uint8_t *realm) {
   int ret = -1;
 	donot_print_connection_success = 1;
 	char statement[TURN_LONG_STRING_SIZE];
@@ -753,11 +753,11 @@ static int mysql_set_secret(u08bits *secret, u08bits *realm) {
   return ret;
 }
 
-static int mysql_set_permission_ip(const char *kind, u08bits *realm, const char* ip, int del)
+static int mysql_set_permission_ip(const char *kind, uint8_t *realm, const char* ip, int del)
 {
 	int ret = -1;
 
-	u08bits realm0[STUN_MAX_REALM_SIZE+1] = "\0";
+	uint8_t realm0[STUN_MAX_REALM_SIZE+1] = "\0";
 	if(!realm) realm=realm0;
 
 	donot_print_connection_success = 1;
@@ -784,7 +784,7 @@ static int mysql_set_permission_ip(const char *kind, u08bits *realm, const char*
 	return ret;
 }
   
-static int mysql_add_origin(u08bits *origin, u08bits *realm) {
+static int mysql_add_origin(uint8_t *origin, uint8_t *realm) {
   int ret = -1;
 	char statement[TURN_LONG_STRING_SIZE];
 	MYSQL * myc = get_mydb_connection();
@@ -803,7 +803,7 @@ static int mysql_add_origin(u08bits *origin, u08bits *realm) {
   return ret;
 }
   
-static int mysql_del_origin(u08bits *origin) {
+static int mysql_del_origin(uint8_t *origin) {
   int ret = -1;
 	char statement[TURN_LONG_STRING_SIZE];
 	MYSQL * myc = get_mydb_connection();
@@ -822,11 +822,11 @@ static int mysql_del_origin(u08bits *origin) {
   return ret;
 }
   
-static int mysql_list_origins(u08bits *realm, secrets_list_t *origins, secrets_list_t *realms)
+static int mysql_list_origins(uint8_t *realm, secrets_list_t *origins, secrets_list_t *realms)
 {
 	int ret = -1;
 
-	u08bits realm0[STUN_MAX_REALM_SIZE+1] = "\0";
+	uint8_t realm0[STUN_MAX_REALM_SIZE+1] = "\0";
 	if(!realm) realm=realm0;
 
 	donot_print_connection_success = 1;
@@ -882,7 +882,7 @@ static int mysql_list_origins(u08bits *realm, secrets_list_t *origins, secrets_l
   return ret;
 }
   
-static int mysql_set_realm_option_one(u08bits *realm, unsigned long value, const char* opt) {
+static int mysql_set_realm_option_one(uint8_t *realm, unsigned long value, const char* opt) {
   int ret = -1;
 	char statement[TURN_LONG_STRING_SIZE];
 	MYSQL * myc = get_mydb_connection();
@@ -907,7 +907,7 @@ static int mysql_set_realm_option_one(u08bits *realm, unsigned long value, const
   return ret;
 }
   
-static int mysql_list_realm_options(u08bits *realm) {
+static int mysql_list_realm_options(uint8_t *realm) {
   int ret = -1;
 	donot_print_connection_success = 1;
 	char statement[TURN_LONG_STRING_SIZE];
@@ -999,11 +999,11 @@ static int mysql_get_ip_list(const char *kind, ip_range_list_t * list) {
 							if(lengths) {
 								size_t sz = lengths[0];
 								char kval[TURN_LONG_STRING_SIZE];
-								ns_bcopy(row[0],kval,sz);
+								bcopy(row[0],kval,sz);
 								kval[sz]=0;
 								sz = lengths[1];
 								char rval[TURN_LONG_STRING_SIZE];
-								ns_bcopy(row[1],rval,sz);
+								bcopy(row[1],rval,sz);
 								rval[sz]=0;
 								add_ip_list_range(kval,rval,list);
 							}
@@ -1031,7 +1031,7 @@ static void mysql_reread_realms(secrets_list_t * realms_list) {
 				MYSQL_RES *mres = mysql_store_result(myc);
 				if(mres && mysql_field_count(myc)==2) {
 
-					ur_string_map *o_to_realm_new = ur_string_map_create(turn_free_simple);
+					ur_string_map *o_to_realm_new = ur_string_map_create(free);
 
 					for(;;) {
 						MYSQL_ROW row = mysql_fetch_row(mres);
@@ -1043,9 +1043,9 @@ static void mysql_reread_realms(secrets_list_t * realms_list) {
 								if(lengths) {
 									size_t sz = lengths[0];
 									char oval[513];
-									ns_bcopy(row[0],oval,sz);
+									bcopy(row[0],oval,sz);
 									oval[sz]=0;
-									char *rval=turn_strdup(row[1]);
+									char *rval=strdup(row[1]);
 									get_realm(rval);
 									ur_string_map_value_type value = (ur_string_map_value_type)rval;
 									ur_string_map_put(o_to_realm_new, (const ur_string_map_key_type) oval, value);
@@ -1106,15 +1106,15 @@ static void mysql_reread_realms(secrets_list_t * realms_list) {
 							if(lengths) {
 								char rval[513];
 								size_t sz = lengths[0];
-								ns_bcopy(row[0],rval,sz);
+								bcopy(row[0],rval,sz);
 								rval[sz]=0;
 								char oval[513];
 								sz = lengths[1];
-								ns_bcopy(row[1],oval,sz);
+								bcopy(row[1],oval,sz);
 								oval[sz]=0;
 								char vval[513];
 								sz = lengths[2];
-								ns_bcopy(row[2],vval,sz);
+								bcopy(row[2],vval,sz);
 								vval[sz]=0;
 								realm_params_t* rp = get_realm(rval);
 								if(!strcmp(oval,"max-bps"))
@@ -1140,7 +1140,7 @@ static void mysql_reread_realms(secrets_list_t * realms_list) {
 
 /////////////////////////////////////////////////////
 
-static int mysql_get_admin_user(const u08bits *usname, u08bits *realm, password_t pwd)
+static int mysql_get_admin_user(const uint8_t *usname, uint8_t *realm, password_t pwd)
 {
   int ret = -1;
 
@@ -1176,7 +1176,7 @@ static int mysql_get_admin_user(const u08bits *usname, u08bits *realm, password_
   return ret;
 }
 
-static int mysql_set_admin_user(const u08bits *usname, const u08bits *realm, const password_t pwd)
+static int mysql_set_admin_user(const uint8_t *usname, const uint8_t *realm, const password_t pwd)
 {
   int ret = -1;
   char statement[TURN_LONG_STRING_SIZE];
@@ -1200,7 +1200,7 @@ static int mysql_set_admin_user(const u08bits *usname, const u08bits *realm, con
   return ret;
 }
 
-static int mysql_del_admin_user(const u08bits *usname)
+static int mysql_del_admin_user(const uint8_t *usname)
 {
 	int ret = -1;
 	char statement[TURN_LONG_STRING_SIZE];
@@ -1261,6 +1261,15 @@ static int mysql_list_admin_users(int no_print)
 	return ret;
 }
 
+static void mysql_disconnect(void) {
+	MYSQL *mydbconnection = (MYSQL*)pthread_getspecific(connection_key);
+	if (mydbconnection) {
+		mysql_close(mydbconnection);
+		mydbconnection=NULL;
+	}
+	TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "MySQL connection was closed.\n");
+}
+
 //////////////////////////////////////////////////////
 
 static const turn_dbdriver_t driver = {
@@ -1288,7 +1297,8 @@ static const turn_dbdriver_t driver = {
   &mysql_get_admin_user,
   &mysql_set_admin_user,
   &mysql_del_admin_user,
-  &mysql_list_admin_users
+  &mysql_list_admin_users,
+  &mysql_disconnect
 };
 
 const turn_dbdriver_t * get_mysql_dbdriver(void) {