From: Sebastien V. <se...@ji...> - 2012-06-05 18:11:27
Hi Thomas,

Do you use TURN-TCP?

When TLS is used, only the control connection uses TLS (i.e. between client and server). Data from server to external peer is not secured (by the server).

With TURN-UDP, data (channel or data indication) goes through the way the client connects to the server (UDP, TCP or TLS).

When using TURN-TCP, you can only obtain a TCP-based allocation address (and not TLS), so data received on the data connections is not encrypted. TLS is just here to "secure" the allocation process.

From TURN-TCP:

In order to actually send data on the new connection or otherwise utilize it in any way, the client establishes a new TCP connection to its TURN server. Once established, it issues a ConnectionBind request to the server over this new connection. That request echoes back the connection identifier to the TURN server. The TURN server uses it to correlate the two connections. As a consequence, the TCP connection to the peer is associated with a TCP connection to the client one-to-one. The two connections are now data connections. At this point, if the server receives data from the peer, it forwards that data towards the client, without any kind of encapsulation. Any data received by the TURN server from the client over the client data connection is forwarded to the peer, again without encapsulation or framing of any kind. Once a connection has been bound using the ConnectionBind request, TURN messaging is no longer permitted on the connection.

Regards,
--
Seb

On 04/06/12 17:26, Thomas Milligan wrote:
>
> Hello
>
> As a TLS client, I can establish the control and data connections, but
> once I have securely bound to the peer on the data connection, I
> receive data from the peer that is not encrypted. This causes TLS to
> immediately terminate the connection.
>
> Should the TurnServer be sending non-encrypted data on a secure connection?
>
> thanks
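The data-connection behaviour quoted from TURN-TCP above, as an added example that is not part of the original message or of TurnServer's code: a ConnectionBind request carrying CONNECTION-ID is built and parsed, and a simplified server-side handler shows that once the bind succeeds every byte is relayed to the peer without framing. The `DataConnection` class and the `pending` table are hypothetical names, and the long-term-credential attributes (including MESSAGE-INTEGRITY) that a real request carries are left out.

```python
import os
import struct

MAGIC_COOKIE = 0x2112A442
CONNECTION_BIND_REQUEST = 0x000B   # RFC 6062 ConnectionBind, request class
CONNECTION_BIND_SUCCESS = 0x010B   # same method, success-response class
ATTR_CONNECTION_ID = 0x002A        # RFC 6062 CONNECTION-ID (32-bit value)

def build_connection_bind(connection_id, txid=None):
    """Client side: STUN header plus one CONNECTION-ID attribute (no auth attributes)."""
    txid = txid or os.urandom(12)
    attr = struct.pack("!HHI", ATTR_CONNECTION_ID, 4, connection_id)
    return struct.pack("!HHI", CONNECTION_BIND_REQUEST, len(attr), MAGIC_COOKIE) + txid + attr

def parse_stun(msg):
    """Return (message type, transaction id, {attribute type: value})."""
    if len(msg) < 20:
        raise ValueError("short STUN header")
    mtype, length, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or len(msg) != 20 + length:
        raise ValueError("not a STUN message")
    attrs, off = {}, 20
    while off + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        attrs[atype] = msg[off + 4:off + 4 + alen]
        off += 4 + alen + (-alen % 4)   # attributes are padded to 32 bits
    return mtype, msg[8:20], attrs

class DataConnection:
    """Hypothetical server-side view of one client data connection."""
    def __init__(self, pending):
        self.pending = pending   # connection id -> outbox list of the waiting peer connection
        self.peer_outbox = None  # set once ConnectionBind has succeeded

    def on_client_bytes(self, data):
        if self.peer_outbox is not None:
            # Bound: no TURN messaging, bytes go to the peer exactly as received.
            self.peer_outbox.append(data)
            return None
        mtype, txid, attrs = parse_stun(data)
        if mtype != CONNECTION_BIND_REQUEST or ATTR_CONNECTION_ID not in attrs:
            raise ValueError("expected ConnectionBind with CONNECTION-ID")
        (conn_id,) = struct.unpack("!I", attrs[ATTR_CONNECTION_ID])
        if conn_id not in self.pending:
            raise ValueError("unknown connection id")
        self.peer_outbox = self.pending.pop(conn_id)
        return struct.pack("!HHI", CONNECTION_BIND_SUCCESS, 0, MAGIC_COOKIE) + txid
```

After the bind, even a well-formed STUN message from the client is treated as opaque payload, which is why any confidentiality on the peer leg has to come from the application protocol carried inside the relay.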