Admin Interface Deactivate


Panagiotis Maraveas

Aug 2, 2018, 4:57:16 AM
to TURN Server (Open-Source project)
Hi to all,
Recently we developed a WebRTC platform and configured CoTurn as a TURN server between the internal network and the public internet. We configured port 80 as the TLS port in order to achieve better compatibility in corporate client networks (yes, yes, I know it could be 443, but what can I say), configured the wildcard certificate correctly, and disabled UDP traffic with no-udp and STUN responses with no-stun. Also, in the TURN URI in WebRTC we configured the TCP relay option, so we checked via Wireshark on both peers and indeed TCP is what is used. Everything has been working as expected so far.

Our company passes a PCI compliance scan on our public services every 3 months, and this is where our problem starts. If you open the URL https://<our turn server ip>:80 from a web browser, it opens an HTML page showing that we have not configured the database admin table to enable the web admin interface (intentionally, because we do not want the admin interface accessible from anywhere). As we searched through the web and the man page of turnserver, we found that the web admin interface works on the very same port that the TURN server operates on (in this case port 80), and according to what traffic the client sends (STUN, TURN, HTTPS), turnserver responds accordingly. The problem is that because the PCI scanner tries and detects HTTP responses on this port, it detects 2 vulnerabilities. The first is the missing session cookie Secure attribute and the second one is the missing HTTP security header. These are options that you can enable in a web server (for example Apache), but on CoTurn there is no such option in the configuration. As we understand it, the only solution to our problem is to disable the web admin interface, i.e. disable HTTP responses completely on that port. In order to be PCI compliant, we need to solve this before the next scan (it will be in about 2 months from today).

So the question is whether there is a way to disable the web admin interface (even via turnserver CLI options) or at least to configure port 80 only for the TURN server and nothing else (for example a no-admin option; we already have no-stun).
If there is no way in the current version, are there any plans to add that in future versions?

Any help really appreciated.

Thank you

Mihály Mészáros

Aug 2, 2018, 5:02:41 AM
to TURN Server (Open-Source project)
I am working on a patch to disable it by default and more.
It is not yet public and I can't give you an ETA yet.
In the meantime there is a PR on GitHub that you could use: https://github.com/coturn/coturn/pull/129
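Whichever way the admin interface ends up disabled (the PR above or a later patch), the thing to verify before the next scan is that the TLS listener no longer answers HTTP while it still answers TURN. The script below is an added example, not code from this thread or from the coturn project. It assumes the setup described in the question (coturn's TLS listener on port 80, no-udp and no-stun set) and the standard TURN behaviour that an Allocate request sent without credentials is answered with an Allocate error response (401). `HOST` is a placeholder and must be the name on the server's certificate, since the TLS context verifies it.

```python
"""Probe a coturn TLS listener: does it speak TURN, and does it still speak HTTP?

Added example (not from the thread or the coturn project). Assumes the TLS
listener on port 80 as described in the question, and the standard TURN rule
that an unauthenticated Allocate request gets an Allocate error response.
"""
import os
import socket
import ssl
import struct

HOST = "turn.example.invalid"  # placeholder: use the name on the wildcard certificate
PORT = 80                      # the TLS listening port from the question

STUN_MAGIC_COOKIE = 0x2112A442
ALLOCATE_REQUEST = 0x0003
ALLOCATE_ERROR_RESPONSE = 0x0113


def build_allocate_request(txid: bytes = b"") -> bytes:
    """Build a minimal TURN Allocate request (20-byte STUN header + one attribute).

    Only REQUESTED-TRANSPORT (UDP, protocol 17) is attached. With no credentials
    the server answers with a 401 error response, which is all we need to prove
    the port still speaks TURN.
    """
    txid = txid or os.urandom(12)
    # REQUESTED-TRANSPORT: type 0x0019, value length 4, protocol 17, 3 reserved bytes
    attr = struct.pack("!HHB3x", 0x0019, 4, 17)
    header = struct.pack("!HHI", ALLOCATE_REQUEST, len(attr), STUN_MAGIC_COOKIE) + txid
    return header + attr


def is_stun_message(data: bytes) -> bool:
    """True if the reply carries a STUN header: top two bits zero and the magic cookie."""
    if len(data) < 20:
        return False
    msg_type, _length, cookie = struct.unpack("!HHI", data[:8])
    return cookie == STUN_MAGIC_COOKIE and (msg_type & 0xC000) == 0


def stun_message_type(data: bytes) -> int:
    """Message type field of a STUN/TURN reply."""
    return struct.unpack("!H", data[:2])[0]


def is_http_response(data: bytes) -> bool:
    """True if the listener answered like a web server, which is what the PCI scanner flags."""
    return data.startswith(b"HTTP/")


def classify(http_reply: bytes, turn_reply: bytes) -> dict:
    """Summarise what the port speaks from the two raw replies."""
    return {
        "speaks_http": is_http_response(http_reply),
        "speaks_turn": is_stun_message(turn_reply)
        and stun_message_type(turn_reply) == ALLOCATE_ERROR_RESPONSE,
    }


def _tls_exchange(host: str, port: int, payload: bytes, timeout: float = 5.0) -> bytes:
    """Open a verified TLS connection, send payload, return whatever comes back."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(payload)
            try:
                return tls.recv(4096)
            except (socket.timeout, ssl.SSLError, ConnectionError):
                return b""  # a listener with HTTP disabled may simply close the connection


def probe(host: str = HOST, port: int = PORT) -> dict:
    """Send one HTTP GET and one TURN Allocate over TLS and classify the answers."""
    http_get = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    return classify(_tls_exchange(host, port, http_get),
                    _tls_exchange(host, port, build_allocate_request()))


if __name__ == "__main__":
    # Desired result once the admin interface is off: speaks_http False, speaks_turn True
    print(probe())
```

Run it against the server before and after the change; the "after" result should show `speaks_http` as `False` while `speaks_turn` stays `True`, which is the same observation the scanner makes, only with the TURN check added so you know the listener was not broken along the way.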

Panagiotis Maraveas

Aug 2, 2018, 5:23:21 AM
to TURN Server (Open-Source project)
Thank you so much. This is exactly what we need.

Your answer is highly appreciated!!