Overview
| Comment: | Added set security level option to set all relevant parameters including cipher suite, encryption algorithms, supported ECC curves, supported signature algorithms, DH parameter sizes, certificate key sizes and signature algorithms in one operation. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | status_x509 |
| Files: | files | file ages | folders |
| SHA3-256: |
32ce5d6220b9b2698d7792e84b2bf14b |
| User & Date: | bohagan on 2023-05-26 22:43:22 |
| Other Links: | branch diff | manifest | tags |
Context
|
2023-05-27
| ||
| 03:06 | Removed support for obsolete OpenSSL versions prior to v1.1.1. check-in: 0de7b4fc0a user: bohagan tags: status_x509 | |
|
2023-05-26
| ||
| 22:43 | Added set security level option to set all relevant parameters including cipher suite, encryption algorithms, supported ECC curves, supported signature algorithms, DH parameter sizes, certificate key sizes and signature algorithms in one operation. check-in: 32ce5d6220 user: bohagan tags: status_x509 | |
|
2023-05-24
| ||
| 23:26 | Fixed test cases to run under Windows and added TLS 1.3 support check-in: 69314245a1 user: bohagan tags: status_x509 | |
Changes
Modified doc/tls.html from [4d412f0a7a] to [7e074e8590].
| ︙ | ︙ | |||
176 177 178 179 180 181 182 183 184 185 186 187 188 189 |
<dt><strong>-request </strong><em>bool</em></dt>
<dd>Request a certificate from peer during SSL handshake.
(default is <em>true</em>)</dd>
<dt><strong>-require</strong> <em>bool</em></dt>
<dd>Require a valid certificate from peer during SSL handshake.
If this is set to true, then <strong>-request</strong> must
also be set to true. (default is <em>false</em>)</dd>
<dt><strong>-server</strong> <em>bool</em></dt>
<dd>Handshake as server if true, else handshake as
client. (default is <em>false</em>)</dd>
<dt><strong>-servername</strong> <em>host</em></dt>
<dd>Specify server hostname. Only available if the OpenSSL library
the package is linked against supports the TLS hostname extension
for 'Server Name Indication' (SNI). Use to name the logical host
| > > > > > > > | 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 |
<dt><strong>-request </strong><em>bool</em></dt>
<dd>Request a certificate from peer during SSL handshake.
(default is <em>true</em>)</dd>
<dt><strong>-require</strong> <em>bool</em></dt>
<dd>Require a valid certificate from peer during SSL handshake.
If this is set to true, then <strong>-request</strong> must
also be set to true. (default is <em>false</em>)</dd>
<dt><strong>-securitylevel</strong> <em>integer</em></dt>
<dd>Set security level. Must be 0 to 5. The security level affects
cipher suite encryption algorithms, supported ECC curves,
supported signature algorithms, DH parameter sizes, certificate
key sizes and signature algorithms. The default is 1.
Level 3 and higher disable support for session tickets and only
accept cipher suites that provide forward secrecy.</dd>
<dt><strong>-server</strong> <em>bool</em></dt>
<dd>Handshake as server if true, else handshake as
client. (default is <em>false</em>)</dd>
<dt><strong>-servername</strong> <em>host</em></dt>
<dd>Specify server hostname. Only available if the OpenSSL library
the package is linked against supports the TLS hostname extension
for 'Server Name Indication' (SNI). Use to name the logical host
|
| ︙ | ︙ | |||
267 268 269 270 271 272 273 |
<dl>
<dt><strong>state</strong> <em>state</em></dt>
<dd>State of the connection: initializing, handshake, established</dd>
<dt><strong>server</strong> <em>name</em></dt>
<dd>The name of the connected to server.</dd>
<dt><strong>protocol</strong> <em>version</em></dt>
<dd>The protocol version used for the connection:
| | > > | 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 |
<dl>
<dt><strong>state</strong> <em>state</em></dt>
<dd>State of the connection: initializing, handshake, established</dd>
<dt><strong>server</strong> <em>name</em></dt>
<dd>The name of the connected to server.</dd>
<dt><strong>protocol</strong> <em>version</em></dt>
<dd>The protocol version used for the connection:
SSL2, SSL3, TLS1, TLS1.1, TLS1.2, TLS1.3, or unknown.</dd>
<dt><strong>securitylevel</strong> <em>level</em></dt>
<dd>The security level used for selection of ciphers, key size, etc.</dd>
<dt><strong>cipher</strong> <em>cipher</em></dt>
<dd>The current cipher in use for the connection.</dd>
<dt><strong>standard_name</strong> <em>name</em></dt>
<dd>The standard RFC name of cipher.</dd>
<dt><strong>bits</strong> <em>n</em></dt>
<dd>The number of processed bits used for cipher.</dd>
<dt><strong>secret_bits</strong> <em>n</em></dt>
|
| ︙ | ︙ |
Modified generic/tls.c from [57a6f16cff] to [0c71e3381c].
| ︙ | ︙ | |||
40 41 42 43 44 45 46 | (((key) == NULL) ? (char *) NULL : \ Tcl_TranslateFileName(interp, (key), (dsp))) #define REASON() ERR_reason_error_string(ERR_get_error()) static SSL_CTX *CTX_Init(State *statePtr, int isServer, int proto, char *key, char *certfile, unsigned char *key_asn1, unsigned char *cert_asn1, int key_asn1_len, int cert_asn1_len, char *CAdir, char *CAfile, | | | 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 | (((key) == NULL) ? (char *) NULL : \ Tcl_TranslateFileName(interp, (key), (dsp))) #define REASON() ERR_reason_error_string(ERR_get_error()) static SSL_CTX *CTX_Init(State *statePtr, int isServer, int proto, char *key, char *certfile, unsigned char *key_asn1, unsigned char *cert_asn1, int key_asn1_len, int cert_asn1_len, char *CAdir, char *CAfile, char *ciphers, char *ciphersuites, int level, char *DHparams); static int TlsLibInit(int uninitialize); #define TLS_PROTO_SSL2 0x01 #define TLS_PROTO_SSL3 0x02 #define TLS_PROTO_TLS1 0x04 #define TLS_PROTO_TLS1_1 0x08 |
| ︙ | ︙ | |||
608 609 610 611 612 613 614 |
objPtr = Tcl_NewStringObj("",0);
for (int i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
if (c == NULL) continue;
/* textual description of the cipher */
if (SSL_CIPHER_description(c, buf, sizeof(buf)) != NULL) {
| | | 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 |
objPtr = Tcl_NewStringObj("",0);
for (int i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
if (c == NULL) continue;
/* textual description of the cipher */
if (SSL_CIPHER_description(c, buf, sizeof(buf)) != NULL) {
Tcl_AppendToObj(objPtr, buf, (int) strlen(buf));
} else {
Tcl_AppendToObj(objPtr, "UNKNOWN\n", 8);
}
}
}
if (use_supported) {
sk_SSL_CIPHER_free(sk);
|
| ︙ | ︙ | |||
802 803 804 805 806 807 808 |
char *model = NULL;
#ifndef OPENSSL_NO_TLSEXT
char *servername = NULL; /* hostname for Server Name Indication */
Tcl_Obj *alpn = NULL;
#endif
int ssl2 = 0, ssl3 = 0;
int tls1 = 1, tls1_1 = 1, tls1_2 = 1, tls1_3 = 1;
| | | 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 |
char *model = NULL;
#ifndef OPENSSL_NO_TLSEXT
char *servername = NULL; /* hostname for Server Name Indication */
Tcl_Obj *alpn = NULL;
#endif
int ssl2 = 0, ssl3 = 0;
int tls1 = 1, tls1_1 = 1, tls1_2 = 1, tls1_3 = 1;
int proto = 0, level = -1;
int verify = 0, require = 0, request = 1;
dprintf("Called");
#if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_NO_SSL2) && defined(NO_TLS1) && defined(NO_TLS1_1) && defined(NO_TLS1_2) && defined(NO_TLS1_3) && defined(NO_SSL3) && !defined(NO_SSL2)
ssl2 = 1;
#endif
|
| ︙ | ︙ | |||
851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 |
if (opt[0] != '-')
break;
OPTSTR("-cadir", CAdir);
OPTSTR("-cafile", CAfile);
OPTSTR("-certfile", certfile);
OPTSTR("-cipher", ciphers);
OPTSTR("-ciphersuites", ciphersuites);
OPTOBJ("-command", script);
OPTSTR("-dhparams", DHparams);
OPTSTR("-keyfile", keyfile);
OPTSTR("-model", model);
OPTOBJ("-password", password);
OPTBOOL("-require", require);
OPTBOOL("-request", request);
OPTBOOL("-server", server);
#ifndef OPENSSL_NO_TLSEXT
OPTSTR("-servername", servername);
OPTOBJ("-alpn", alpn);
#endif
OPTBOOL("-ssl2", ssl2);
OPTBOOL("-ssl3", ssl3);
OPTBOOL("-tls1", tls1);
OPTBOOL("-tls1.1", tls1_1);
OPTBOOL("-tls1.2", tls1_2);
OPTBOOL("-tls1.3", tls1_3);
OPTBYTE("-cert", cert, cert_len);
OPTBYTE("-key", key, key_len);
| > > | | 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 |
if (opt[0] != '-')
break;
OPTSTR("-cadir", CAdir);
OPTSTR("-cafile", CAfile);
OPTSTR("-certfile", certfile);
OPTSTR("-cipher", ciphers);
OPTSTR("-ciphers", ciphers);
OPTSTR("-ciphersuites", ciphersuites);
OPTOBJ("-command", script);
OPTSTR("-dhparams", DHparams);
OPTSTR("-keyfile", keyfile);
OPTSTR("-model", model);
OPTOBJ("-password", password);
OPTBOOL("-require", require);
OPTBOOL("-request", request);
OPTINT("-securitylevel", level);
OPTBOOL("-server", server);
#ifndef OPENSSL_NO_TLSEXT
OPTSTR("-servername", servername);
OPTOBJ("-alpn", alpn);
#endif
OPTBOOL("-ssl2", ssl2);
OPTBOOL("-ssl3", ssl3);
OPTBOOL("-tls1", tls1);
OPTBOOL("-tls1.1", tls1_1);
OPTBOOL("-tls1.2", tls1_2);
OPTBOOL("-tls1.3", tls1_3);
OPTBYTE("-cert", cert, cert_len);
OPTBYTE("-key", key, key_len);
OPTBAD("option", "-alpn, -cadir, -cafile, -cert, -certfile, -cipher, -ciphersuites, -command, -dhparams, -key, -keyfile, -model, -password, -require, -request, -securitylevel, -server, -servername, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, or -tls1.3");
return TCL_ERROR;
}
if (request) verify |= SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER;
if (request && require) verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
if (verify == 0) verify = SSL_VERIFY_NONE;
|
| ︙ | ︙ | |||
949 950 951 952 953 954 955 |
"\": not a TLS channel", NULL);
Tls_Free((char *) statePtr);
return TCL_ERROR;
}
ctx = ((State *)Tcl_GetChannelInstanceData(chan))->ctx;
} else {
if ((ctx = CTX_Init(statePtr, server, proto, keyfile, certfile, key, cert,
| | | 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 |
"\": not a TLS channel", NULL);
Tls_Free((char *) statePtr);
return TCL_ERROR;
}
ctx = ((State *)Tcl_GetChannelInstanceData(chan))->ctx;
} else {
if ((ctx = CTX_Init(statePtr, server, proto, keyfile, certfile, key, cert,
key_len, cert_len, CAdir, CAfile, ciphers, ciphersuites, level, DHparams)) == (SSL_CTX*)0) {
Tls_Free((char *) statePtr);
return TCL_ERROR;
}
}
statePtr->ctx = ctx;
|
| ︙ | ︙ | |||
1145 1146 1147 1148 1149 1150 1151 |
* constructs SSL context (CTX)
*
*-------------------------------------------------------------------
*/
static SSL_CTX *
CTX_Init(State *statePtr, int isServer, int proto, char *keyfile, char *certfile,
unsigned char *key, unsigned char *cert, int key_len, int cert_len, char *CAdir,
| | | 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 |
* constructs SSL context (CTX)
*
*-------------------------------------------------------------------
*/
static SSL_CTX *
CTX_Init(State *statePtr, int isServer, int proto, char *keyfile, char *certfile,
unsigned char *key, unsigned char *cert, int key_len, int cert_len, char *CAdir,
char *CAfile, char *ciphers, char *ciphersuites, int level, char *DHparams) {
Tcl_Interp *interp = statePtr->interp;
SSL_CTX *ctx = NULL;
Tcl_DString ds;
Tcl_DString ds1;
int off = 0;
int load_private_key;
const SSL_METHOD *method;
|
| ︙ | ︙ | |||
1292 1293 1294 1295 1296 1297 1298 |
SSL_CTX_set_options(ctx, SSL_OP_ALL); /* all SSL bug workarounds */
SSL_CTX_set_options(ctx, off); /* disable protocol versions */
#if OPENSSL_VERSION_NUMBER < 0x10101000L
SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); /* handle new handshakes in background */
#endif
SSL_CTX_sess_set_cache_size(ctx, 128);
| | > > > > > > | 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 |
SSL_CTX_set_options(ctx, SSL_OP_ALL); /* all SSL bug workarounds */
SSL_CTX_set_options(ctx, off); /* disable protocol versions */
#if OPENSSL_VERSION_NUMBER < 0x10101000L
SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); /* handle new handshakes in background */
#endif
SSL_CTX_sess_set_cache_size(ctx, 128);
/* Set user defined ciphers, cipher suites, and security level */
if (((ciphers != NULL) && !SSL_CTX_set_cipher_list(ctx, ciphers)) || \
((ciphersuites != NULL) && !SSL_CTX_set_ciphersuites(ctx, ciphersuites))) {
Tcl_AppendResult(interp, "Set ciphers failed", (char *) NULL);
SSL_CTX_free(ctx);
return (SSL_CTX *)0;
}
/* Set security level */
if (level > -1 && level < 6) {
/* SSL_set_security_level */
SSL_CTX_set_security_level(ctx, level);
}
/* set some callbacks */
SSL_CTX_set_default_passwd_cb(ctx, PasswordCallback);
#ifndef BSAFE
SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *)statePtr);
#endif
|
| ︙ | ︙ | |||
1609 1610 1611 1612 1613 1614 1615 |
} else if (SSL_in_init(ssl)) {
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("handshake", -1));
} else {
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("initializing", -1));
}
/* Get server name */
| | > > > > | 1617 1618 1619 1620 1621 1622 1623 1624 1625 1626 1627 1628 1629 1630 1631 1632 1633 1634 1635 1636 1637 1638 1639 1640 1641 |
} else if (SSL_in_init(ssl)) {
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("handshake", -1));
} else {
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("initializing", -1));
}
/* Get server name */
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("servername", -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name), -1));
/* Get protocol */
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("protocol", -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_get_version(ssl), -1));
/* Get security level */
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("securitylevel", -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj(SSL_get_security_level(ssl)));
/* Get cipher */
cipher = SSL_get_current_cipher(ssl);
if (cipher != NULL) {
char buf[BUFSIZ] = {0};
int bits, alg_bits;
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("cipher", -1));
|
| ︙ | ︙ |
Modified library/tls.tcl from [cf23128cc4] to [2909c139d1].
| ︙ | ︙ | |||
41 42 43 44 45 46 47 48 49 50 51 52 53 54 |
{* -command iopts 1}
{* -dhparams iopts 1}
{* -key iopts 1}
{* -keyfile iopts 1}
{* -password iopts 1}
{* -request iopts 1}
{* -require iopts 1}
{* -autoservername discardOpts 1}
{* -servername iopts 1}
{* -alpn iopts 1}
{* -ssl2 iopts 1}
{* -ssl3 iopts 1}
{* -tls1 iopts 1}
{* -tls1.1 iopts 1}
| > | 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 |
{* -command iopts 1}
{* -dhparams iopts 1}
{* -key iopts 1}
{* -keyfile iopts 1}
{* -password iopts 1}
{* -request iopts 1}
{* -require iopts 1}
{* -securitylevel iopts 1}
{* -autoservername discardOpts 1}
{* -servername iopts 1}
{* -alpn iopts 1}
{* -ssl2 iopts 1}
{* -ssl3 iopts 1}
{* -tls1 iopts 1}
{* -tls1.1 iopts 1}
|
| ︙ | ︙ |