2004-03-17 Dan Razzell <[email protected]>
* tlsX509.c: Add support for long serial numbers per RFC 3280.
Format is now hexadecimal.
Correctly convert certificate Distinguished Names
to Tcl string representation. Eliminates use of
deprecated OpenSSL function. Format is now compliant
with RFC 2253. [Request #915315]
2004-02-17 Dan Razzell <[email protected]>
TLS 1.5.0 RELEASE
2004-02-12 Dan Razzell <[email protected]>
* tls.c: Allow verify callback to return empty result.
* tls.htm: Document callback behaviors.
2004-02-11 Dan Razzell <[email protected]>
* remote.tcl: Complete private key name changes from 2001-06-21.
2004-02-03 Dan Razzell <res[email protected]>
* Makefile.in: Removed circular dependency.
* tlsInt.h: Make function declarations explicit.
* tls.c: Fix type match and unused variable warnings.
* tlsBIO.c: Fix type match warning.
2003-12-15 Dan Razzell <[email protected]>
* tests/tlsIO.test: updated version to 1.5.
2003-10-07 Dan Razzell <[email protected]>
* tests/ciphers.test: updated list of tested ciphers to correspond
* with those available from OpenSSL. [Request #811981]
2003-10-07 Dan Razzell <[email protected]>
* tls.c: added CONST with intent similar to those from 2002-02-04.
2003-07-07 Jeff Hobbs <[email protected]>
* tls.c (Tls_Init): added tls::misc command provided by
* tlsX509.c: Wojciech Kocjan (wojciech kocjan.org)
* tests/keytest1.tcl: to expose more low-level SSL commands
2003-05-15 Dan Razzell <[email protected]>
* tls.c: add support for binding a password callback to the socket.
Now each socket can have its own command and password callbacks instead
of being forced to have all password management pass through a common
procedure. The common password procedure is retained for compatibility
but its use should be DEPRECATED.
Add version command to return OpenSSL version string.
Remove unstable workarounds needed for verify in obsolete versions of
Fix memory leak. [Request #640660]
More casts to eliminate compiler warnings.
* tls.htm: document password callback.
Correct technical and typographic errors.
* README.txt: identify versions of OpenSSL which fix known problems.
General warning of security problems in older versions of OpenSSL.
2002-02-04 Jeff Hobbs <[email protected]>
* tls.c: added support for local certificate status check, as well
as returning the # of bits in the session key. [Patch #505698] (rose)
* tlsBIO.c: added CONSTs to satisfy Tcl 8.4 sources. This may
give warnings when compiled against 8.3, but they can be ignored.
* tests/simpleServer.tcl: point to updated client/server key files.
* tests/ciphers.test: updated to load tls from build dir.
* Makefile.in: removed strncasecmp from default object set. This
is only needed on the Mac, and Tcl stubs provides it.
* configure: regen'ed.
* configure.in: updated to 1.5.0 for next release.
Changed default openssl location to /usr/local/ssl (this is where
openssl 0.9.6c installs by default).
Changed to use public Tcl headers (private not needed).
2001-06-21 Jeff Hobbs <[email protected]>
TLS 1.4.1 RELEASE
* configure: added configure to CVS
* configure.in: moved to patchlevel 1.4.1
* Makefile.in: corrected 'dist' target
* tests/certs/cacert.pem: replaced by new ca.pem
* tests/certs/skey.pem: replaced by new server.key
* tests/certs/ckey.pem: replaced by new client.key
* tests/certs/README.txt: new set of test certificates with some
README info on their generation.
* tests/ciphers.test: updated ciphers expected with default
* tests/tclIO.test: updated to use new names for certs/keys.
2001-03-14 Jeff Hobbs <[email protected]>
* tls.c (Tls_Init): add do/while for random number initialization
to work around some OSes quirks. ([email protected])
2000-09-07 Jeff Hobbs <[email protected]>
* tlsIO.c (Tls_ChannelType): set typeName field of channel type to
"tls" (this got lost in move to dynamic version compatability
2000-08-23 Jeff Hobbs <[email protected]>
TLS 1.4 RELEASED
* Makefile.in (dist): create dist target for archive distributions
* tests/tlsIO.test (tlsIO-8.1): added a delay on the accept close
to make the test work with OpenSSL on Windows (doesn't affect
* tls.htm: updated with notes for 1.4.
2000-08-21 Jeff Hobbs <[email protected]>
* tests/tlsIO.test: require at least tls1.4 in test suite.
2000-08-18 Jeff Hobbs <[email protected]>
* tls.c (Tls_Init): added call to RAND_seed to seed the SSL random
number generator. Without this, OpenSSL 0.9.5 chokes, and in any
case it is a big security hole to do without it.
* configure.in (OPENSSL): added NO_IDEA and NO_RC5 defines by
default when compiling with OpenSSL.
* tlsInt.h: added err.h include
* tlsIO.c: corrected pedantic cast errors.
2000-08-16 Jeff Hobbs <[email protected]>
* tests/ciphers.test: improved ability to change constraint
setting for whether user compiled against RSA or OpenSSL libs.
* tls.c (Tls_Init): corrected interpretation of version number
(patchlevel and release/serial were swapped).
2000-08-15 Jeff Hobbs <[email protected]>
* README.txt: added notes about need to use 8.2.0+.
* tlsIO.c: corrected structure initialization to work when
compiling with 8.2. Now compiles with 8.2+ and tested to work
with 8.2+ and dynamically adjust to the version of Tcl it was
loaded into. TLS will fail the test suite with Tcl 8.2-8.3.1.
* tests/all.tcl: added catch around ::tcltest::normalizePath
because it doesn't exist in pre-8.3 tcltest.
* tests/simpleServer.tcl: added simple client/server test scripts
that use test certs and can do simple stress tests.
2000-08-14 Jeff Hobbs <[email protected]>
* tls.c: changed around to only working with 8.2.0+ (8.3.2+
preferred), with runtime checks for pre- and post-io-rewrite.
* tls.c (Tls_Init): changed it to require 8.3.2 when Tcl_InitStubs
was called because we don't want people using TLS with the
original stacked channel implementation.
2000-07-26 Jeff Hobbs <[email protected]>
* merged all changes from tls-1-3-io-rewrite back into main branch
* tests/tlsIO.test: updated comments, fixed a pcCrash case that
was due to debug assertion in Windows SSL.
* tls.c (ImportObjCmd): removed unnecessary use of 'bio' arg.
(Tls_Init): check return value of SSL_library_init. Also lots of
whitespace cleanup (more like Tcl Eng style guide), but not all
code was cleaned up.
* tlsBIO.c: minor whitespace cleanup
* tlsIO.c: minor whitespace cleanup.
(TlsInputProc, TlsOutputProc): Added ERR_clear_error before calls
to BIO_read or BIO_write, because we could otherwise end up
pulling an error off the stack that didn't belong to us. Also
cleanup up excessive use of gotos.
2000-07-20 Jeff Hobbs <[email protected]>
* tests/tlsIO.test: corrected various tests to be correct for TLS
stacked channels (as opposed to the standard sockets the test
suite was adopted from). Key differences are that TLS cannot
operate in one process without all channels being non-blocking, or
the handshake will block, and handshaking must be forced in some
cases. Also, handshakes don't seem to complete unless the client
has placed at least one byte for the server to read in the channel.
* tests/remote.tcl: corrected the finding of tests certificates
* tlsIO.c (TlsCloseProc): removed deleting of timer handler as
that is handled by Tls_Clean.
* tls.tcl (tls::_accept): corrected the internal _accept to
trickle callback errors to the user.
* Makefile.in: made the install-binaries target regenerate the
pkgIndex.tcl correctly. The test target probably shouldn't screw
it up, but this is to be on the safe side.
2000-07-17 Jeff Hobbs <[email protected]>
* configure.in: updated version to 1.4
2000-07-13 Jeff Hobbs <[email protected]>
* tests/tlsIO.test: enabled tests 2.10, 7. (there is no 3),
which now pass. Added some comments to other failing tests.
2000-07-11 Jeff Hobbs <[email protected]>
* tlsIO.c: changed all the channel procs to start with Tls* for
better parity when comparing with Transform channel procs.
Rewrote TlsWatchProc, added TlsNotifyProc according to the new
channel design, which also leaves TlsChannelHandler unused.
* tlsBIO.c (BioCtrl): changed BIO_CTRL_FLUSH case to use
Tcl_WriteRaw instead of Tcl_Flush (to operate on correct channel
in the stack instead of starting at the top again). Would
otherwise cause a recursive stack bomb when implicit handshaking
* tests/tlsIO.test: removed changes made to test suite (all tests
that ran before now pass correctly), and changed some accept proc
args to reflect that a sock is an arg, not a file.
2000-07-10 Jeff Hobbs <[email protected]>
* tlsBIO.c (BioWrite, BioRead): changed Tcl_Read/Write to
* tls.c: added use of Tcl_GetTopChannel after Tcl_GetChannel and
got return value from Tcl_StackChannel.
* tests/tlsIO.test: added some handshaking that shouldn't be
necessary, but we crash otherwise (needs more testing).
* tlsIO.c: added support for "corrected" stacked channels. All
the above channels are in TCL_CHANNEL_VERSION_2 #ifdefs.
2000-06-05 Scott Stanton <[email protected]>
* Makefile.in: Fixed broken test target.
* tls.c: Cleaned up declarations of Tls_Clean to avoid errors on
2000-06-05 Brent Welch <[email protected]>
* tls.c, tlsIO.c: Split Tls_Free into Tls_Clean, which does
the SSL cleanup, and the Tcl_Free call. It is important to shutdown
the SSL state "synchronously" during a stacked flush.
2000-06-01 Scott Stanton <[email protected]>
* tlsIO.c: Restored call to Tcl_NotifyChannel from ChannelHandler
to ensure that events propagate from the lower driver. This may
result in an infinite loop in some cases, so this is not a total
fix. This may be sufficient for now, however. [Bug: 5623]
2000-06-01 Scott Stanton <[email protected]>
* tlsIO.c: Restore the previous version. Fixed the CloseProc so
it unregisters the channel handler on the superceded channel
instead of the upper channel. Also removed the call to
Tcl_NotifyChannel in the ChannelHandler because this will result
in an infinite loop if data is ever buffered in the BIO
structure. [Bug: 5623]
2000-05-31 Brent Welch <[email protected]>
* tls.c: Change the ChannelHandler to be registered on the main
channel as oppsed to the "parent", or superceeded, channel. This
is because the socket driver notifies the main channel, and there
are times with the main channel gets closed, but the superceded
one is not yet closed. If the channel handler gets triggered in
this half-open state it is associated with the superceeded
channedl, but uses its private pointer to the main channel, which
is mostly destroyed. Eliminated the redundant call to
Tcl_NotifyChannel from TlsWatchProc. [Bug: 5623]