Overview
| Comment: | Set -servername option to host value as default. This means -autoservername defaults to true unless -servername is specified. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk | tls-2.0 |
| Files: | files | file ages | folders |
| SHA3-256: |
2ad29dbaab7a15b0f85d6a17e7f2559b |
| User & Date: | bohagan on 2025-01-02 21:52:49 |
| Other Links: | branch diff | manifest | tags |
Context
|
2025-01-02
| ||
| 23:36 | Changed the default for the -require option to true. check-in: 7a43d021a4 user: bohagan tags: trunk, tls-2.0 | |
| 21:52 | Set -servername option to host value as default. This means -autoservername defaults to true unless -servername is specified. check-in: 2ad29dbaab user: bohagan tags: trunk, tls-2.0 | |
| 19:36 | Created TLS 2.0 branch. Incremented version to 2.0b1 check-in: 7b51585287 user: bohagan tags: trunk, tls-2.0 | |
Changes
Modified doc/tls.html
from [7966a71b8f]
to [c1d9a9463b].
| ︙ | ︙ | |||
179 180 181 182 183 184 185 | and <b class="cmd">tls::import</b> to create the connection. It behaves the same as the native TCL <b class="syscmd">socket</b> command, but also supports the <b class="cmd">tls:import</b> command options with one additional option. It returns the channel handle id for the new socket.</p> <dl class="doctools_options"> <dt><b class="option">-autoservername</b> <i class="arg">bool</i></dt> <dd><p>If <b class="const">true</b>, automatically set the <b class="option">-servername</b> argument to the | | > > | 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 | and <b class="cmd">tls::import</b> to create the connection. It behaves the same as the native TCL <b class="syscmd">socket</b> command, but also supports the <b class="cmd">tls:import</b> command options with one additional option. It returns the channel handle id for the new socket.</p> <dl class="doctools_options"> <dt><b class="option">-autoservername</b> <i class="arg">bool</i></dt> <dd><p>If <b class="const">true</b>, automatically set the <b class="option">-servername</b> argument to the <em>host</em> argument. Prior to TclTLS 2.0, the default is <b class="const">false</b>. Starting in TclTLS 2.0, the default is <b class="const">true</b> unless <b class="option">-servername</b> is also specified.</p></dd> </dl></dd> <dt><a name="3"><b class="cmd">tls::socket</b> <b class="option">-server</b> <i class="arg">command</i> <span class="opt">?<i class="arg">-option</i>?</span> <span class="opt">?<i class="arg">value</i>?</span> <span class="opt">?<i class="arg">-option value ...</i>?</span> <i class="arg">port</i></a></dt> <dd><p>Same as previous, but instead creates a server socket for clients to connect to just like the Tcl <b class="syscmd">socket -server</b> command. It returns the channel handle id for the new socket.</p></dd> <dt><a name="4"><b class="cmd">tls::import</b> <i class="arg">channel</i> <span class="opt">?<i class="arg">-option</i>?</span> <span class="opt">?<i class="arg">value</i>?</span> <span class="opt">?<i class="arg">-option value ...</i>?</span></a></dt> <dd><p>Start TLS encryption on TCL channel <i class="arg">channel</i> via a stacked channel. It |
| ︙ | ︙ | |||
276 277 278 279 280 281 282 | and signature algorithms. The default is 1 prior to OpenSSL 3.2 and 2 thereafter. Level 3 and higher disable support for session tickets and only accept cipher suites that provide forward secrecy.</p></dd> <dt><b class="option">-server</b> <i class="arg">bool</i></dt> <dd><p>Specifies whether to act as a server and respond with a server handshake when a client connects and provides a client handshake. The default is <b class="const">false</b>.</p></dd> <dt><b class="option">-servername</b> <i class="arg">hostname</i></dt> | | | | > | 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 | and signature algorithms. The default is 1 prior to OpenSSL 3.2 and 2 thereafter. Level 3 and higher disable support for session tickets and only accept cipher suites that provide forward secrecy.</p></dd> <dt><b class="option">-server</b> <i class="arg">bool</i></dt> <dd><p>Specifies whether to act as a server and respond with a server handshake when a client connects and provides a client handshake. The default is <b class="const">false</b>.</p></dd> <dt><b class="option">-servername</b> <i class="arg">hostname</i></dt> <dd><p>Specify the peer's hostname. This is used to set the TLS Server Name Indication (SNI) extension. Set this to the expected servername in the server's certificate or one of the Subject Alternate Names (SAN). Starting in TclTLS 2.0, this will default to the host for the <b class="cmd">tls::socket</b> command.</p></dd> <dt><b class="option">-session_id</b> <i class="arg">binary_string</i></dt> <dd><p>Specifies the session id to resume a session. Not supported yet.</p></dd> <dt><b class="option">-ssl2</b> <i class="arg">bool</i></dt> <dd><p>Enable use of SSL v2. The default is <b class="const">false</b>. Note: Recent versions of OpenSSL no longer support SSLv2, so this may not have any effect. See the <b class="cmd">tls::protocols</b> command for supported protocols.</p></dd> <dt><b class="option">-ssl3</b> <i class="arg">bool</i></dt> |
| ︙ | ︙ |
Modified doc/tls.man
from [260c3c96cc]
to [80320c1989].
| ︙ | ︙ | |||
48 49 50 51 52 53 54 | command options with one additional option. It returns the channel handle id for the new socket. [list_begin options] [opt_def -autoservername [arg bool]] If [const true], automatically set the [option -servername] argument to the | | > > | 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 | command options with one additional option. It returns the channel handle id for the new socket. [list_begin options] [opt_def -autoservername [arg bool]] If [const true], automatically set the [option -servername] argument to the [emph host] argument. Prior to TclTLS 2.0, the default is [const false]. Starting in TclTLS 2.0, the default is [const true] unless [option -servername] is also specified. [list_end] [call [cmd tls::socket] [option -server] [arg command] [opt [arg -option]] [opt [arg value]] [opt [arg "-option value ..."]] [arg port]] Same as previous, but instead creates a server socket for clients to connect to just like the Tcl [syscmd "socket -server"] command. It returns the channel |
| ︙ | ︙ | |||
171 172 173 174 175 176 177 | only accept cipher suites that provide forward secrecy. [opt_def -server [arg bool]] Specifies whether to act as a server and respond with a server handshake when a client connects and provides a client handshake. The default is [const false]. [opt_def -servername [arg hostname]] | | | | > | 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 | only accept cipher suites that provide forward secrecy. [opt_def -server [arg bool]] Specifies whether to act as a server and respond with a server handshake when a client connects and provides a client handshake. The default is [const false]. [opt_def -servername [arg hostname]] Specify the peer's hostname. This is used to set the TLS Server Name Indication (SNI) extension. Set this to the expected servername in the server's certificate or one of the Subject Alternate Names (SAN). Starting in TclTLS 2.0, this will default to the host for the [cmd tls::socket] command. [opt_def -session_id [arg binary_string]] Specifies the session id to resume a session. Not supported yet. [opt_def -ssl2 [arg bool]] Enable use of SSL v2. The default is [const false]. Note: Recent versions of OpenSSL no longer support SSLv2, so this may not have any effect. See the |
| ︙ | ︙ |
Modified doc/tls.n
from [14300cf948]
to [612cb9ac71].
| ︙ | ︙ | |||
329 330 331 332 333 334 335 | native TCL \fBsocket\fR command, but also supports the \fBtls:import\fR command options with one additional option\&. It returns the channel handle id for the new socket\&. .RS .TP \fB-autoservername\fR \fIbool\fR If \fBtrue\fR, automatically set the \fB-servername\fR argument to the | | > > | 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 | native TCL \fBsocket\fR command, but also supports the \fBtls:import\fR command options with one additional option\&. It returns the channel handle id for the new socket\&. .RS .TP \fB-autoservername\fR \fIbool\fR If \fBtrue\fR, automatically set the \fB-servername\fR argument to the \fIhost\fR argument\&. Prior to TclTLS 2\&.0, the default is \fBfalse\fR\&. Starting in TclTLS 2\&.0, the default is \fBtrue\fR unless \fB-servername\fR is also specified\&. .RE .TP \fBtls::socket\fR \fB-server\fR \fIcommand\fR ?\fI-option\fR? ?\fIvalue\fR? ?\fI-option value \&.\&.\&.\fR? \fIport\fR Same as previous, but instead creates a server socket for clients to connect to just like the Tcl \fBsocket -server\fR command\&. It returns the channel handle id for the new socket\&. .TP |
| ︙ | ︙ | |||
448 449 450 451 452 453 454 | only accept cipher suites that provide forward secrecy\&. .TP \fB-server\fR \fIbool\fR Specifies whether to act as a server and respond with a server handshake when a client connects and provides a client handshake\&. The default is \fBfalse\fR\&. .TP \fB-servername\fR \fIhostname\fR | | | | > | 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 | only accept cipher suites that provide forward secrecy\&. .TP \fB-server\fR \fIbool\fR Specifies whether to act as a server and respond with a server handshake when a client connects and provides a client handshake\&. The default is \fBfalse\fR\&. .TP \fB-servername\fR \fIhostname\fR Specify the peer's hostname\&. This is used to set the TLS Server Name Indication (SNI) extension\&. Set this to the expected servername in the server's certificate or one of the Subject Alternate Names (SAN)\&. Starting in TclTLS 2\&.0, this will default to the host for the \fBtls::socket\fR command\&. .TP \fB-session_id\fR \fIbinary_string\fR Specifies the session id to resume a session\&. Not supported yet\&. .TP \fB-ssl2\fR \fIbool\fR Enable use of SSL v2\&. The default is \fBfalse\fR\&. Note: Recent versions of OpenSSL no longer support SSLv2, so this may not have any effect\&. See the |
| ︙ | ︙ |
Modified library/tls.tcl
from [48423522ec]
to [829959ddc6].
| ︙ | ︙ | |||
261 262 263 264 265 266 267 268 269 270 271 272 273 274 |
# If an "-autoservername" option is found, honor it
if {[info exists argsArray(-autoservername)] && $argsArray(-autoservername)} {
if {![info exists argsArray(-servername)]} {
set argsArray(-servername) $host
lappend iopts -servername $host
}
}
lappend sopts $host $port
}
#
# Create TCP/IP socket
#
set chan [eval $socketCmd $sopts]
| > > > > > > > | 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 |
# If an "-autoservername" option is found, honor it
if {[info exists argsArray(-autoservername)] && $argsArray(-autoservername)} {
if {![info exists argsArray(-servername)]} {
set argsArray(-servername) $host
lappend iopts -servername $host
}
}
# Use host as SNI server name without -autoservername and -servername args
if {![info exists argsArray(-autoservername)] &&
![info exists argsArray(-servername)]} {
set argsArray(-servername) $host
lappend iopts -servername $host
}
lappend sopts $host $port
}
#
# Create TCP/IP socket
#
set chan [eval $socketCmd $sopts]
|
| ︙ | ︙ |