Experience with FIPS compliance for Coturn server
Has anyone deployed Coturn in FIPS-compliant environments or achieved FIPS 140-3? Looking for:
- Implementation approaches
- Configuration requirements
- Alternative solutions if Coturn cannot meet compliance needs
Particularly interested in deployments within regulated industries like in government.
We have recently run into an issue: Coturn only supports accepting MD5-hashed keys, which is not FIPS compliant. RFC8489 updates STUN to use SHA256 to replace MD5, but it seems Coturn hasn't picked up this update yet.
Are there any plans on updating Coturn to comply with RFC8489?
Update: We have discussed this issue with our security and compliance department, and they have determined that using MD5 for hashing to support digest authentication is allowed in combination with FIPS-2. Regarding FIPS-3, their initial assessment is that it should still be allowed; however, this is something they will be looking into more next year.
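To make the MD5 dependency concrete, here is an added example (not code from this thread or from the coturn project) that derives the STUN long-term-credential key and builds and verifies the integrity attribute both the RFC 5389 way (MD5-derived key, HMAC-SHA1 MESSAGE-INTEGRITY) and the RFC 8489 way (SHA-256 key, HMAC-SHA256 MESSAGE-INTEGRITY-SHA256). The credentials and transaction ID are constructed, and the SASLprep/OpaqueString profiles are assumed to be the identity for the ASCII inputs used.

```python
import hashlib
import hmac
import struct

MAGIC_COOKIE = 0x2112A442
# (attribute type, HMAC function, MAC length) for each password algorithm.
SUITES = {"MD5": (0x0008, "sha1", 20),        # MESSAGE-INTEGRITY, RFC 5389
          "SHA-256": (0x001C, "sha256", 32)}  # MESSAGE-INTEGRITY-SHA256, RFC 8489

def long_term_key(username, realm, password, algorithm="MD5"):
    """Long-term credential key. RFC 5389 (what `turnadmin -k` stores) uses MD5;
    RFC 8489's PASSWORD-ALGORITHM allows SHA-256. ASCII inputs are assumed so
    SASLprep/OpaqueString is the identity."""
    material = f"{username}:{realm}:{password}".encode()
    if algorithm == "MD5":
        # FIPS-mode OpenSSL may refuse MD5; usedforsecurity=False is hashlib's
        # way of declaring the compatibility exception the thread describes.
        return hashlib.md5(material, usedforsecurity=False).digest()
    return hashlib.sha256(material).digest()

def _attr(atype, value):
    """Encode one STUN TLV attribute, padded to a 4-byte boundary."""
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * ((-len(value)) % 4)

def build_request(transaction_id, attrs, key, algorithm="MD5"):
    """Build a STUN Binding request that ends with the integrity attribute."""
    atype, hmac_alg, mac_len = SUITES[algorithm]
    body = b"".join(_attr(t, v) for t, v in attrs)
    # The length field counts the integrity attribute itself even though the
    # HMAC covers only the bytes that precede it (RFC 5389 section 15.4).
    length = len(body) + 4 + mac_len
    header = struct.pack("!HHI12s", 0x0001, length, MAGIC_COOKIE, transaction_id)
    mac = hmac.new(key, header + body, hmac_alg).digest()
    return header + body + _attr(atype, mac)

def verify(message, key, algorithm="MD5"):
    """Server-side check: locate the integrity attribute, rebuild the header
    with the same length rule and compare HMACs in constant time."""
    atype, hmac_alg, mac_len = SUITES[algorithm]
    offset = 20
    while offset + 4 <= len(message):
        seen, alen = struct.unpack_from("!HH", message, offset)
        if seen == atype and alen == mac_len:
            header = message[:2] + struct.pack("!H", offset - 16 + alen) + message[4:20]
            expected = hmac.new(key, header + message[20:offset], hmac_alg).digest()
            return hmac.compare_digest(expected, message[offset + 4:offset + 4 + alen])
        offset += 4 + alen + (-alen) % 4
    return False
```

A request built with the MD5-derived key does not verify under the SHA-256 suite (and vice versa), which is why the server cannot drop MD5 until every client sends the RFC 8489 attribute.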
My work deploys coturn in a FIPS environment.
We had to file an exception for the use of MD5 for protocol / standards compatibility.
Keep in mind that even if coturn supported RFC8489, no web browser (at least in 2022-ish) supported it that I'm aware of.
Obviously browsers implement newer standards all the time, so this is not the situation forever, but you can't turn off the MD5 functionality until all of your supported clients are compliant with RFC8489, so most likely you will need to file an exception for the use of MD5 for compatibility.