Diff

Differences From Artifact [51bf793bc5]:

To Artifact [3e3e507451]:


180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
[opt_def -session_id [arg binary_string]]
Specifies the session id to resume a session. Not supported yet.

[opt_def -ssl2 [arg bool]]
Enable use of SSL v2. The default is [const false]. Note: Recent versions of
OpenSSL no longer support SSLv2, so this may not have any effect. See the
[cmd tls::protocols] command for supported protocols.
	
[opt_def -ssl3 [arg bool]]
Enable use of SSL v3. The default is [const false]. Note: Recent versions
of OpenSSL may have this disabled at compile time, so this may not have any
effect. See the [cmd tls::protocols] command for supported protocols.

[opt_def -tls1 [arg bool]]
Enable use of TLS v1. The default is [const true]. Note: TLS 1.0 needs
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
[opt_def -session_id [arg binary_string]]
Specifies the session id to resume a session. Not supported yet.

[opt_def -ssl2 [arg bool]]
Enable use of SSL v2. The default is [const false]. Note: Recent versions of
OpenSSL no longer support SSLv2, so this may not have any effect. See the
[cmd tls::protocols] command for supported protocols.

[opt_def -ssl3 [arg bool]]
Enable use of SSL v3. The default is [const false]. Note: Recent versions
of OpenSSL may have this disabled at compile time, so this may not have any
effect. See the [cmd tls::protocols] command for supported protocols.

[opt_def -tls1 [arg bool]]
Enable use of TLS v1. The default is [const true]. Note: TLS 1.0 needs
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
On Linux and Unix systems with OpenSSL already installed, if the CA
certificates are stored in the standard locations, or if the [var SSL_CERT_DIR]
or [var SSL_CERT_FILE] environment variables are set, then [option -cadir],
[option -cadir], and [option -castore] aren't needed.

[item]
If OpenSSL is not installed in the default location, or when using Mac OS
or Windows and OpenSSL is installed, the [var SSL_CERT_DIR] and/or 
[var SSL_CERT_FILE] environment variables or the one of the [option -cadir],
[option -cadir], or [option -castore] options must be defined.

[item]
On Windows, starting in OpenSSL 3.2, it is now possible to access the
built-in Windows Certificate Store from OpenSSL. This can be achieved by
setting the [option -castore] option to "[const org.openssl.winstore://]".
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
On Linux and Unix systems with OpenSSL already installed, if the CA
certificates are stored in the standard locations, or if the [var SSL_CERT_DIR]
or [var SSL_CERT_FILE] environment variables are set, then [option -cadir],
[option -cadir], and [option -castore] aren't needed.

[item]
If OpenSSL is not installed in the default location, or when using Mac OS
or Windows and OpenSSL is installed, the [var SSL_CERT_DIR] and/or
[var SSL_CERT_FILE] environment variables or the one of the [option -cadir],
[option -cadir], or [option -castore] options must be defined.

[item]
On Windows, starting in OpenSSL 3.2, it is now possible to access the
built-in Windows Certificate Store from OpenSSL. This can be achieved by
setting the [option -castore] option to "[const org.openssl.winstore://]".
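Review bot: both list items in this hunk name `[option -cadir]` twice ("[option -cadir], [option -cadir], and [option -castore]" and again "one of the [option -cadir], [option -cadir], or [option -castore]"), so one occurrence in each is presumably meant to be `[option -cafile]`; while trailing whitespace is being cleaned up here, fix that duplicate and the phrase "or the one of the", e.g. `[var SSL_CERT_FILE] environment variables or one of the [option -cadir],` followed by `[option -cafile], or [option -castore] options must be defined.` A reader who copies the option names from this page would otherwise never learn that a single CA file can be given, and would have no way to point verification at a CA bundle on macOS or Windows as the second item intends.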
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608

[subsection "Values for Command Callback"]

The callback for the [option -command] option is invoked at several points during the
OpenSSL handshake and during routine operations. See below for the possible
arguments passed to the callback script. Values returned from the callback are
ignored.
	
[list_begin options]

[opt_def error [arg "channelId message"]]
This form of callback is invoked whenever an error occurs during the initial
connection, handshake, or I/O operations. The [arg message] argument can be
from the Tcl_ErrnoMsg, OpenSSL function [fun ERR_reason_error_string()],
or a custom message. This callback is new for TclTLS 1.8.
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608

[subsection "Values for Command Callback"]

The callback for the [option -command] option is invoked at several points during the
OpenSSL handshake and during routine operations. See below for the possible
arguments passed to the callback script. Values returned from the callback are
ignored.

[list_begin options]

[opt_def error [arg "channelId message"]]
This form of callback is invoked whenever an error occurs during the initial
connection, handshake, or I/O operations. The [arg message] argument can be
from the Tcl_ErrnoMsg, OpenSSL function [fun ERR_reason_error_string()],
or a custom message. This callback is new for TclTLS 1.8.
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
Descriptive message string which may be generated either by
[fun SSL_state_string_long()] or [fun SSL_alert_desc_string_long()],
depending on the context.

[def [arg type]]
For alerts, the possible values are: [const warning],
[const fatal], and [const unknown]. For others, [const info] is used.
This argument is new for TclTLS 1.8. 

[list_end]

[opt_def message [arg "channelId direction version content_type message"]]
This form of callback is invoked by the OpenSSL function
[fun SSL_set_msg_callback()] whenever a message is sent or received during the
initial connection, handshake, or I/O operations. It is only available when
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
Descriptive message string which may be generated either by
[fun SSL_state_string_long()] or [fun SSL_alert_desc_string_long()],
depending on the context.

[def [arg type]]
For alerts, the possible values are: [const warning],
[const fatal], and [const unknown]. For others, [const info] is used.
This argument is new for TclTLS 1.8.

[list_end]

[opt_def message [arg "channelId direction version content_type message"]]
This form of callback is invoked by the OpenSSL function
[fun SSL_set_msg_callback()] whenever a message is sent or received during the
initial connection, handshake, or I/O operations. It is only available when
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698

[subsection "Values for Password Callback"]

The callback for the [option -password] option is invoked by TclTLS whenever OpenSSL needs
to obtain a password. See below for the possible arguments passed to the
callback script. The user provided password is expected to be returned by the
callback.
	
[list_begin options]

[opt_def password [arg "rwflag size"]]
Invoked when loading or storing an encrypted PEM certificate. The arguments are:

[list_begin definitions]

684
685
686
687
688
689
690
691
692
693
694
695
696
697
698

[subsection "Values for Password Callback"]

The callback for the [option -password] option is invoked by TclTLS whenever OpenSSL needs
to obtain a password. See below for the possible arguments passed to the
callback script. The user provided password is expected to be returned by the
callback.

[list_begin options]

[opt_def password [arg "rwflag size"]]
Invoked when loading or storing an encrypted PEM certificate. The arguments are:

[list_begin definitions]

714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
The callback for the [option -validatecommand] option is invoked during the handshake
process in order for the application to validate the provided value(s). See
below for the possible arguments passed to the callback script. If not
specified, OpenSSL will accept all valid certificates and extensions. To reject
the value and abort the connection, the callback should return 0. To accept the
value and continue the connection, it should return 1. To reject the value, but
continue the connection, it should return 2. This callback is new for TclTLS 1.8.
	
[list_begin options]

[opt_def alpn [arg "channelId protocol match"]]
For servers, this form of callback is invoked when the client ALPN extension is
received. If [arg match] is true, then [arg protocol] is the first
[option -alpn] protocol option in common to both the client and server.
If not, the first client specified protocol is used. This callback is called
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
The callback for the [option -validatecommand] option is invoked during the handshake
process in order for the application to validate the provided value(s). See
below for the possible arguments passed to the callback script. If not
specified, OpenSSL will accept all valid certificates and extensions. To reject
the value and abort the connection, the callback should return 0. To accept the
value and continue the connection, it should return 1. To reject the value, but
continue the connection, it should return 2. This callback is new for TclTLS 1.8.

[list_begin options]

[opt_def alpn [arg "channelId protocol match"]]
For servers, this form of callback is invoked when the client ALPN extension is
received. If [arg match] is true, then [arg protocol] is the first
[option -alpn] protocol option in common to both the client and server.
If not, the first client specified protocol is used. This callback is called
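Review bot: the return-value contract stated in this hunk (0 = reject and abort, 1 = accept, 2 = reject but continue) needs one more sentence on what "reject the value, but continue the connection" means for each callback form, in particular whether a return of 2 from a certificate validation leaves the handshake completing with an unverified peer; without that, a script author can choose 2 intending a soft failure and silently end up with no peer authentication. The sentence "If not specified, OpenSSL will accept all valid certificates and extensions" would also read better as "If no [option -validatecommand] is specified, OpenSSL's own verification result is used unchanged", so it is clear that omitting the option does not disable verification.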