From fcb9e9618a30ebc8ff7ad7ddac202562beb8fa42 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Fri, 16 Apr 2021 09:29:32 +0300
Subject: [PATCH] Make Coturn TLSv1/v1.1 configurable

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/999
---
 CHANGELOG.md | 14 ++++++++++++++
 roles/matrix-coturn/defaults/main.yml | 3 +++
 roles/matrix-coturn/templates/turnserver.conf.j2 | 4 ++++
 3 files changed, 21 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 326c2103c..37988c94c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,17 @@
+# 2021-04-16
+
+## Disabling TLSv1 and TLSv1.1 for Coturn
+
+To improve security, we've [removed TLSv1 and TLSv1.1 support](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/999) from our default [Coturn](https://github.com/coturn/coturn) configuration.
+
+If you need to support old clients, you can re-enable both (or whichever one you need) with the following configuration:
+
+```yaml
+matrix_coturn_tls_v1_enabled: true
+matrix_coturn_tls_v1_1_enabled: true
+```
+
+
 # 2021-04-05
 
 ## Automated local Postgres backup support
diff --git a/roles/matrix-coturn/defaults/main.yml b/roles/matrix-coturn/defaults/main.yml
index 9eccfde25..63c4511fa 100644
--- a/roles/matrix-coturn/defaults/main.yml
+++ b/roles/matrix-coturn/defaults/main.yml
@@ -73,3 +73,6 @@ matrix_coturn_total_quota: null
 matrix_coturn_tls_enabled: false
 matrix_coturn_tls_cert_path: ~
 matrix_coturn_tls_key_path: ~
+
+matrix_coturn_tls_v1_enabled: false
+matrix_coturn_tls_v1_1_enabled: false
diff --git a/roles/matrix-coturn/templates/turnserver.conf.j2 b/roles/matrix-coturn/templates/turnserver.conf.j2
index 285320dc2..ba662587d 100644
--- a/roles/matrix-coturn/templates/turnserver.conf.j2
+++ b/roles/matrix-coturn/templates/turnserver.conf.j2
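Review bot: The two new defaults `matrix_coturn_tls_v1_enabled` and `matrix_coturn_tls_v1_1_enabled` are added to roles/matrix-coturn/defaults/main.yml without any comment, so a reader of the defaults file cannot tell that leaving them at `false` is what keeps the deprecated protocol versions off, nor that they only take effect when `matrix_coturn_tls_enabled` is true (the directives they control sit inside that branch of turnserver.conf.j2). Suggest a comment above the pair: `# Keep TLSv1 / TLSv1.1 disabled unless legacy clients require them; these only apply when matrix_coturn_tls_enabled is true.` The surrounding context lines already group the TLS settings together, so the comment belongs next to them rather than only in the changelog.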
@@ -16,8 +16,12 @@ no-cli
 {% if matrix_coturn_tls_enabled %}
 cert={{ matrix_coturn_tls_cert_path }}
 pkey={{ matrix_coturn_tls_key_path }}
+{% if not matrix_coturn_tls_v1_enabled %}
 no-tlsv1
+{% endif %}
+{% if not matrix_coturn_tls_v1_1_enabled %}
 no-tlsv1_1
+{% endif %}
 {% else %}
 no-tls
 no-dtls
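Review bot: The guard around `no-tlsv1` is named and documented as a TLS-only switch, but if I recall the coturn turnserver.conf reference correctly that directive is described as "Do not allow TLSv1/DTLSv1 protocols", so `matrix_coturn_tls_v1_enabled: true` would presumably also re-open DTLSv1; a template comment above the first new `{% if %}` would make that scope visible to the next maintainer, e.g. `{# no-tlsv1 is believed to cover DTLSv1 as well; check the coturn reference before re-enabling #}`. The new conditionals are correctly nested inside the `{% if matrix_coturn_tls_enabled %}` branch, so both flags stay inert when TLS is off and the `no-tls`/`no-dtls` else-branch is unaffected. The `{% endif %}` that closes that enclosing block lies past the hunk's last line.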