2.1.1 Pseudo-TLS over TCP

Office

When TCP is used as a transport, the TURN server is deployed to listen on port 443, the Secure Sockets Layer (SSL)/TLS port. If a protocol client is attempting to communicate with a TURN server deployed in this fashion, it sends a pseudo-TLS message to the TURN server to begin the session. The pseudo-TLS messages are useful if a firewall or Web proxy, doing packet inspection for TLS messages, is sitting between the protocol client and TURN server. The TURN server MUST support pseudo-TLS.

The protocol client begins the exchange by sending the pseudo-TLS ClientHello message. If the protocol client sends this message, it MUST be the first message and the protocol client MUST NOT send any additional messages until the TURN server has responded with a pseudo-TLS ServerHello message followed by a pseudo-TLS ServerHelloDone message. If the TURN server receives a pseudo-TLS ClientHello message, it MUST respond with a ServerHello followed by a ServerHelloDone message. The ServerHello and ServerHelloDone messages MUST be sent in the same TLS record. These messages appear next in this protocol.

The ClientHello, ServerHello, and ServerHelloDone messages passed in the exchange are known as Handshake messages within the TLS record protocol. The TLS record protocol is described in [RFC2246] section 6, while Handshake messages are described in [RFC2246] section 7.3.

Pseudo-TLS record containing ClientHello message


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

Content Type

Record Version  Major

Record Version Minor

Record Length …

Handshake Type

Handshake Length …

Handshake Version Major

Handshake Version Minor

Time Stamp …

Random Value

(28 bytes)

Random Value …

Session ID Length

Cipher Suites Length

Cipher Suites

Compression Methods Length

Compression Methods

Content Type (1 byte): The Record Layer protocol type. This field MUST be set to "0x16" for the Handshake.

Record Version Major (1 byte): The Major version of TLS for this record. This field MUST be set to "0x03" (TLS 1.0).

Record Version Minor (1 byte): The Minor version of TLS for this record. This field MUST be set to "0x01" (TLS 1.0).

Record Length (2 bytes): The length of the TLS record. This field MUST be set to "0x00 0x2D".

Handshake Type (1 byte): The Handshake message type. This field MUST be set to "0x01" for a ClientHello message.

Handshake Length (3 bytes): The length of the Handshake message. This field MUST be set to "0x00 0x00 0x29".

Handshake Version Major (1 byte): The Major version of TLS for the message. This field MUST be set to "0x03" (TLS 1.0).

Handshake Version Minor (1 byte): The Minor version of TLS for the message. This field MUST be set to "0x01" (TLS 1.0).

Time Stamp (4 bytes): The current time and date in seconds since midnight starting January 1, 1970, Coordinated Universal Time (UTC), ignoring leap seconds. The protocol client SHOULD fill this field with the correct time. The TURN server SHOULD ignore this field.

Random Value (28 bytes): 28 bytes of randomly generated data.

Session ID Length (1 byte): The length of the session ID vector. This field MUST be set to "0x00".

Cipher Suites Length (2 bytes): The length of the cipher suite vector. This field MUST be set to "0x00 0x02".

Cipher Suites (2 bytes): The cipher suite the protocol client is requesting. This field MUST be set to "0x00 0x18".

Compression Methods Length (1 byte): The length of the compression method vector. This field MUST be set to "0x01".

Compression Methods (1 byte): The compression methods that the protocol client is requesting. This field MUST be set to "0x00".

Pseudo-TLS record containing ServerHello and ServerHelloDone messages


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

Content Type

Record Version Major

Record Version Minor

Record Length …

Handshake Type

Handshake Length …

Handshake Version Major

Handshake Version Minor

Time Stamp …

Random Value

(28 bytes)

Random Value …

Session ID Length

Session ID (32 bytes)

Cipher Suites

Compression Methods

Handshake Type

Handshake Length

Content Type (1 byte): The Record Layer protocol type. This field MUST be set to "0x16" for the Handshake.

Record Version Major (1 byte): The Major version of TLS for this record. This field MUST be set to "0x03" (TLS 1.0).

Record Version Minor (1 byte): The Minor version of TLS for this record. This field MUST be set to "0x01" (TLS 1.0).

Record Length (2 bytes): The length of the TLS record. This field MUST be set to "0x00 0x4E".

Handshake Type (1 byte): The Handshake message type. This field MUST be set to "0x02" for a Server Hello message.

Handshake Length (3 bytes): The length of the Handshake message. This field MUST be set to "0x00 0x00 0x46".

Handshake Version Major (1 byte): The Major version of TLS for the message. This field MUST be set to "0x03" (TLS 1.0).

Handshake Version Minor (1 byte): The Minor version of TLS for the message. This field MUST be set to "0x01" (TLS 1.0).

Time Stamp (4 bytes): The current time and date in seconds since midnight starting January 1, 1970, UTC, ignoring leap seconds. The TURN server SHOULD fill this field with the correct time. The protocol client SHOULD ignore this field.

Random Value (28 bytes): 28 bytes of randomly generated data.

Session ID Length (1 byte): The length of the session ID vector. This field MUST be set to "0x20".

Session ID (32 bytes): 32 bytes used to identify the TLS session. The TURN server does not track the TLS session id, so the protocol client SHOULD ignore this field.

Cipher Suites (2 bytes): The cipher suite the TURN server has selected. This field MUST be set to "0x00 0x18".

Compression Methods (1 byte): The compression method that the TURN server has selected. This field MUST be set to "0x00".

Handshake Type (1 byte): The Handshake message type. This field MUST be set to "0x0E" for a ServerHelloDone message.

Handshake Length (3 bytes): The length of the Handshake message. This field MUST be set to "0x00 0x00 0x00".

Show: