607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
|
<dt><i class="arg">direction</i></dt>
<dd><p>Direction is either <b class="const">Sent</b> or <b class="const">Received</b>.</p></dd>
<dt><i class="arg">version</i></dt>
<dd><p>Version is the protocol version.</p></dd>
<dt><i class="arg">content_type</i></dt>
<dd><p>Content type is the message content type.</p></dd>
<dt><i class="arg">message</i></dt>
<dd><p>Message is more info from the <b class="const">SSL_trace</b> API.
This argument is new for TclTLS 1.8.</p></dd>
</dl></dd>
<dt><b class="option">session</b> <i class="arg">channelId session_id session_ticket lifetime</i></dt>
<dd><p>This form of callback is invoked by the OpenSSL function
<b class="function">SSL_CTX_sess_set_new_cb()</b> whenever a new session id is sent by the
server during the initial connection and handshake and also during the session
if the <b class="option">-post_handshake</b> option is set to true. This callback is new for
TclTLS 1.8. The arguments are:</p>
<dl class="doctools_definitions">
<dt><i class="arg">session_id</i></dt>
<dd><p>Session Id is the current session identifier</p></dd>
<dt><i class="arg">session_ticket</i></dt>
<dd><p>Ticket is the session ticket info</p></dd>
<dt><i class="arg">lifetime</i></dt>
<dd><p>Lifetime is the ticket lifetime in seconds.</p></dd>
</dl></dd>
<dt><b class="option">verify</b> <i class="arg">channelId depth cert status error</i></dt>
<dd><p>This callback was moved to the <b class="option">-verify_callback</b> in TclTLS 1.8.</p></dd>
</dl>
</div>
<div id="subsection4" class="doctools_subsection"><h3><a name="subsection4">Values for Password Callback</a></h3>
<p>The callback for the <b class="option">-password</b> option is invoked by TclTLS whenever OpenSSL needs
to obtain a password. See below for the possible arguments passed to the
callback script. The user provided password is expected to be returned by the
callback.</p>
|
|
<
|
|
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
|
<dt><i class="arg">direction</i></dt>
<dd><p>Direction is either <b class="const">Sent</b> or <b class="const">Received</b>.</p></dd>
<dt><i class="arg">version</i></dt>
<dd><p>Version is the protocol version.</p></dd>
<dt><i class="arg">content_type</i></dt>
<dd><p>Content type is the message content type.</p></dd>
<dt><i class="arg">message</i></dt>
<dd><p>Message is more info from the <b class="const">SSL_trace</b> API.</p></dd>
</dl></dd>
<dt><b class="option">session</b> <i class="arg">channelId session_id session_ticket lifetime</i></dt>
<dd><p>This form of callback is invoked by the OpenSSL function
<b class="function">SSL_CTX_sess_set_new_cb()</b> whenever a new session id is sent by the
server during the initial connection and handshake and also during the session
if the <b class="option">-post_handshake</b> option is set to true. This callback is new for
TclTLS 1.8. The arguments are:</p>
<dl class="doctools_definitions">
<dt><i class="arg">session_id</i></dt>
<dd><p>Session Id is the current session identifier</p></dd>
<dt><i class="arg">session_ticket</i></dt>
<dd><p>Ticket is the session ticket info</p></dd>
<dt><i class="arg">lifetime</i></dt>
<dd><p>Lifetime is the ticket lifetime in seconds.</p></dd>
</dl></dd>
<dt><b class="option">verify</b> <i class="arg">channelId depth cert status error</i></dt>
<dd><p>This callback was moved to <b class="option">-validatecommand</b> in TclTLS 1.8.</p></dd>
</dl>
</div>
<div id="subsection4" class="doctools_subsection"><h3><a name="subsection4">Values for Password Callback</a></h3>
<p>The callback for the <b class="option">-password</b> option is invoked by TclTLS whenever OpenSSL needs
to obtain a password. See below for the possible arguments passed to the
callback script. The user provided password is expected to be returned by the
callback.</p>
|
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
|
<b class="option">-validatecommand</b> option is set to <b class="cmd">tls::validate_command</b>.</p>
<p><em>The use of the variable <b class="variable">tls::debug</b> is not recommended.
It may be removed from future releases.</em></p>
</div>
<div id="section6" class="doctools_section"><h2><a name="section6">Debug Examples</a></h2>
<p>These examples use the default Unix platform SSL certificates. For standard
installations, -cadir and -cafile should not be needed. If your certificates
are in non-standard locations, update -cadir or use -cafile as needed.</p>
<p>Example #1: Use HTTP package</p>
<pre class="doctools_example">
package require http
package require tls
set url "https://www.tcl.tk/"
http::register https 443 [list ::tls::socket -autoservername true -require true -cadir /etc/ssl/certs -command ::tls::callback -password ::tls::password -validatecommand ::tls::validate_command]
# Check for error
set token [http::geturl $url]
if {[http::status $token] ne "ok"} {
puts [format "Error %s" [http::status $token]]
}
# Get web page
set data [http::data $token]
puts [string length $data]
# Cleanup
::http::cleanup $token
</pre>
<p>Example #2: Use raw socket</p>
<pre class="doctools_example">
package require tls
set url "www.tcl-lang.org"
set port 443
set ch [tls::socket -autoservername 1 -servername $url -request 1 -require 1 -alpn {http/1.1} -cadir /etc/ssl/certs -command ::tls::callback -password ::tls::password -validatecommand ::tls::validate_command $url $port]
chan configure $ch -buffersize 65536
tls::handshake $ch
puts $ch "GET / HTTP/1.1"
flush $ch
after 500
set data [read $ch]
array set status [tls::status $ch]
|
|
|
|
|
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
|
<b class="option">-validatecommand</b> option is set to <b class="cmd">tls::validate_command</b>.</p>
<p><em>The use of the variable <b class="variable">tls::debug</b> is not recommended.
It may be removed from future releases.</em></p>
</div>
<div id="section6" class="doctools_section"><h2><a name="section6">Debug Examples</a></h2>
<p>These examples use the default Unix platform SSL certificates. For standard
installations, -cadir and -cafile should not be needed. If your certificates
are in non-standard locations, specify -cadir or -cafile as needed.</p>
<p>Example #1: Use HTTP package</p>
<pre class="doctools_example">
package require http
package require tls
set url "https://www.tcl.tk/"
http::register https 443 [list ::tls::socket -autoservername 1 -require 1 -command ::tls::callback -password ::tls::password -validatecommand ::tls::validate_command]
# Check for error
set token [http::geturl $url]
if {[http::status $token] ne "ok"} {
puts [format "Error %s" [http::status $token]]
}
# Get web page
set data [http::data $token]
puts [string length $data]
# Cleanup
::http::cleanup $token
</pre>
<p>Example #2: Use raw socket</p>
<pre class="doctools_example">
package require tls
set url "www.tcl-lang.org"
set port 443
set ch [tls::socket -autoservername 1 -servername $url -require 1 -alpn {http/1.1} -command ::tls::callback -password ::tls::password -validatecommand ::tls::validate_command $url $port]
chan configure $ch -buffersize 65536
tls::handshake $ch
puts $ch "GET / HTTP/1.1"
flush $ch
after 500
set data [read $ch]
array set status [tls::status $ch]
|
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
|
installations, -cadir and -cafile should not be needed. If your certificates
are in non-standard locations, set -cadir or use -cafile as needed.</p>
<p>Example #3: Get web page</p>
<pre class="doctools_example">
package require http
package require tls
set url "https://www.tcl.tk/"
http::register https 443 [list ::tls::socket -autoservername true -require true -cadir /etc/ssl/certs]
# Check for error
set token [http::geturl $url]
if {[http::status $token] ne "ok"} {
puts [format "Error %s" [http::status $token]]
}
# Get web page
set data [http::data $token]
puts $data
# Cleanup
::http::cleanup $token
</pre>
<p>Example #4: Download file</p>
<pre class="doctools_example">
package require http
package require tls
set url "https://wiki.tcl-lang.org/sitemap.xml"
set filename [file tail $url]
http::register https 443 [list ::tls::socket -autoservername true -require true -cadir /etc/ssl/certs]
# Get file
set ch [open $filename wb]
set token [::http::geturl $url -blocksize 65536 -channel $ch]
# Cleanup
close $ch
::http::cleanup $token
</pre>
|
|
|
|
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
|
installations, -cadir and -cafile should not be needed. If your certificates
are in non-standard locations, set -cadir or use -cafile as needed.</p>
<p>Example #3: Get web page</p>
<pre class="doctools_example">
package require http
package require tls
set url "https://www.tcl.tk/"
http::register https 443 [list ::tls::socket -autoservername 1 -require 1]
# Check for error
set token [http::geturl $url]
if {[http::status $token] ne "ok"} {
puts [format "Error %s" [http::status $token]]
}
# Get web page
set data [http::data $token]
puts $data
# Cleanup
::http::cleanup $token
</pre>
<p>Example #4: Download file</p>
<pre class="doctools_example">
package require http
package require tls
set url "https://wiki.tcl-lang.org/sitemap.xml"
set filename [file tail $url]
http::register https 443 [list ::tls::socket -autoservername 1 -require 1]
# Get file
set ch [open $filename wb]
set token [::http::geturl $url -blocksize 65536 -channel $ch]
# Cleanup
close $ch
::http::cleanup $token
</pre>
|