add parameter to handle cipher list, switch Diffie Hellman to true

3589818e · Fabien Combernous · ef7e7653 · 3589818e · 3589818e · 3589818e
Commit 3589818e authored 3 years ago by Fabien Combernous
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -34,6 +34,8 @@ The following parameters are available in the `coturn` class:
 * [`tls_listening_port`](#tls_listening_port)
 * [`cert`](#cert)
 * [`private_key`](#private_key)
+* [`cipher_list`](#cipher_list)
+* [`dh2066`](#dh2066)
 * [`fingerprint`](#fingerprint)
 * [`lt_cred_mech`](#lt_cred_mech)
 * [`use_auth_secret`](#use_auth_secret)
@@ -105,6 +107,23 @@ The private key file use with TLS.

 Default value: ``undef``

+##### <a name="cipher_list"></a>`cipher_list`
+
+Data type: `String[1]`
+
+Allowed OpenSSL cipher list for TLS/DTLS connections.
+The default value gives a list of ciphers that the Nmap ssl-enum-ciphers script notes A in january 2022.
+
+Default value: `'ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS'`
+
+##### <a name="dh2066"></a>`dh2066`
+
+Data type: `Boolean`
+
+Use 2066 bits predefined DH TLS key, size of the key is 1066.
+
+Default value: ``true``
+
 ##### <a name="fingerprint"></a>`fingerprint`

 Data type: `Boolean`
@@ -205,11 +224,9 @@ Default value: ``false``

 ##### <a name="dh2066"></a>`dh2066`

-Data type: `Boolean`
-
 Use 2066 bits predefined DH TLS key. Default size of the key is 1066.

-Default value: ``false``
+Default value: ``true``

 ##### <a name="tlsv1"></a>`tlsv1`


--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -16,13 +16,18 @@
 #   TURN listener port for UDP and TCP (plain).
 # @param tls_listening_port
 #    TURN listener port for TLS
-#    The TURN server "automatically" recognizes the type of traffic. 
+#    The TURN server "automatically" recognizes the type of traffic.
 #    Actually, two listening endpoints (the "plain" one and the "tls" one) are equivalent
 #    in terms of functionality. Keeping both endpoints satisfy the RFC 5766 specs.
 # @param cert
 #   The certificate file use with TLS.
 # @param private_key
 #   The private key file use with TLS.
+# @param cipher_list
+#   Allowed OpenSSL cipher list for TLS/DTLS connections.
+#   The default value gives a list of ciphers that the Nmap ssl-enum-ciphers script notes A in january 2022.
+# @param dh2066
+#   Use 2066 bits predefined DH TLS key, size of the key is 1066.
 # @param fingerprint
 #   Use fingerprints in the TURN messages
 # @param lt_cred_mech
@@ -93,13 +98,14 @@ class coturn (
  Boolean                     $no_stdout_log      = false,
  Boolean                     $no_loopback_peers  = false,   # Only on Coturn below v4.5.1.0!
  Boolean                     $no_multicast_peers = false,
-  Boolean $dh2066 = false,
+  Boolean $dh2066 = true,
  Boolean $tlsv1 = false,
  Boolean $tlsv1_1 = false,
  String[1] $proc_user = 'turnserver',
  String[1] $proc_group = 'turnserver',
  Boolean $simple_log = true,
  Optional[Variant[Stdlib::Absolutepath,Enum['syslog','stdout']]] $log_file = '/var/log/coturn/turnserver.log',
+  String[1] $cipher_list = 'ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS',
 ) {

  $_coturn_package = 'coturn' # Ubuntu 18.04 ==> Coturn v4.5.0.7

--- a/templates/turnserver.conf.epp
+++ b/templates/turnserver.conf.epp
@@ -40,6 +40,7 @@ stale-nonce=<%= $coturn::stale_nonce -%>
 <% if $coturn::no_loopback_peers == true { %>no-loopback-peers<% } %>
 <% if $coturn::no_multicast_peers == true { %>no-multicast-peers<% } %>
 <% if $coturn::dh2066 == true { %>dh2066<% } %>
+cipher-list='<%= $coturn::cipher_list -%>'
 <% if $coturn::tlsv1 == false { %>no-tlsv1<% } %>
 <% if $coturn::tlsv1_1 == false { %>no-tlsv1_1<% } %>
 <% if $coturn::simple_log == true { %>simple-log<% } %>