From 42853774128ef3f656d0dd31bbb5509cd01647f0 Mon Sep 17 00:00:00 2001
From: Molly Miller
Date: Tue, 13 Dec 2022 14:00:45 +0100
Subject: [PATCH 1/3] charts/coturn: add TLS cipher configuration, comply with BSI TR-02102-2 by default.
---
 charts/coturn/templates/configmap-coturn-conf-template.yaml | 3 +++
 charts/coturn/values.yaml | 2 ++
 2 files changed, 5 insertions(+)
diff --git a/charts/coturn/templates/configmap-coturn-conf-template.yaml b/charts/coturn/templates/configmap-coturn-conf-template.yaml
index 4a2a4c4c06..b981c3cce9 100644
--- a/charts/coturn/templates/configmap-coturn-conf-template.yaml
+++ b/charts/coturn/templates/configmap-coturn-conf-template.yaml
@@ -13,6 +13,9 @@ data:
 {{- if .Values.tls.enabled }}
 cert=/secrets-tls/tls.crt
 pkey=/secrets-tls/tls.key
+ {{- if .Values.tls.ciphers }}
+ cipher-list={{ .Values.tls.ciphers }}
+ {{- end }}
 {{- else }}
 no-tls
 {{- end }}
diff --git a/charts/coturn/values.yaml b/charts/coturn/values.yaml
index eede1626be..d56986c6e0 100644
--- a/charts/coturn/values.yaml
+++ b/charts/coturn/values.yaml
@@ -28,6 +28,8 @@ coturnTurnTlsListenPort: 5349
 tls:
 enabled: false
+ # compliant with BSI TR-02102-2
+ ciphers: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384'
 secretRef:
 reloaderImage: # container image containing https://github.com/Pluies/config-reloader-sidecar
From 62cdc0f95a66a97606973694094a1727266a0b44 Mon Sep 17 00:00:00 2001
From: Molly Miller
Date: Tue, 13 Dec 2022 14:05:12 +0100
Subject: [PATCH 2/3] changelog: update.
---
 changelog.d/2-features/coturn-tls | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 changelog.d/2-features/coturn-tls
diff --git a/changelog.d/2-features/coturn-tls b/changelog.d/2-features/coturn-tls
new file mode 100644
index 0000000000..f193fb9c19
--- /dev/null
+++ b/changelog.d/2-features/coturn-tls
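Review bot: The new default in the values.yaml hunk puts TLS 1.3 suite names (`TLS_AES_128_GCM_SHA256`, `TLS_AES_256_GCM_SHA384`) into the same `cipher-list` string as the TLS 1.2 names, and the template hunk emits that string unchanged as coturn's `cipher-list=` directive. As far as I can tell coturn passes `cipher-list` to OpenSSL's `SSL_CTX_set_cipher_list`, which only governs TLS 1.2 and below and drops names it does not recognise, so the two TLS 1.3 entries would be silently ignored and TLS 1.3 connections would keep OpenSSL's built-in default suites rather than the restricted set the `# compliant with BSI TR-02102-2` comment promises; this should be confirmed against the coturn version the chart ships and, if there is no separate TLS 1.3 knob, stated in the comment, e.g. `# TLS 1.2 suites compliant with BSI TR-02102-2; TLS 1.3 suites are not controlled by this list`. It would also help operators to note that an empty `ciphers` value falls back to coturn's built-in default, since the template only emits the directive under `{{- if .Values.tls.ciphers }}`.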
@@ -0,0 +1,4 @@
+The coturn Helm chart now has a `.tls.ciphers` option to allow setting
+the cipher list for TLS connections, when TLS is enabled. By default,
+this option is set to a cipher list which is compliant with [BSI
+TR-02102-2](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-2.pdf).
From b91f398d42f05a055a295d75918155d1009b5d49 Mon Sep 17 00:00:00 2001
From: Molly Miller
Date: Wed, 14 Dec 2022 10:13:11 +0100
Subject: [PATCH 3/3] ci: hello, concourse!