Overview
| Comment: | Updates to provide error status when setting -cadir, -cafile, and -castore options. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | tls-1.8 |
| Files: | files | file ages | folders |
| SHA3-256: |
568f5bc7ece4297ea588cecf53346fd6 |
| User & Date: | bohagan on 2024-06-23 01:46:39 |
| Other Links: | branch diff | manifest | tags |
Context
|
2024-06-23
| ||
| 03:11 | Documentation updates to add info on certificate validation needs and more debug info. check-in: e4794cbb74 user: bohagan tags: tls-1.8 | |
| 01:46 | Updates to provide error status when setting -cadir, -cafile, and -castore options. check-in: 568f5bc7ec user: bohagan tags: tls-1.8 | |
| 01:39 | Undo change in OpenSSL 1.1.1 which enabled SSL_MODE_AUTO_RETRY. This will avoid hangs in blocking mode after an non-app record is received, but an app record is not yet available. Also enabled SSL_MODE_ENABLE_PARTIAL_WRITE, which allows writes with fewer than all records written to be successful. check-in: 991ab74cdd user: bohagan tags: tls-1.8 | |
Changes
Modified generic/tls.c from [b62ec44bb1] to [bba2dae983].
| ︙ | ︙ | |||
2059 2060 2061 2062 2063 2064 2065 |
{
#if OPENSSL_VERSION_NUMBER < 0x30000000L
if (CApath != NULL || CAfile != NULL) {
Tcl_DString ds1;
Tcl_DStringInit(&ds1);
if (!SSL_CTX_load_verify_locations(ctx, F2N(CAfile, &ds), F2N(CApath, &ds1))) {
| > > > > | | > > > | | > > > | | > > > | | 2059 2060 2061 2062 2063 2064 2065 2066 2067 2068 2069 2070 2071 2072 2073 2074 2075 2076 2077 2078 2079 2080 2081 2082 2083 2084 2085 2086 2087 2088 2089 2090 2091 2092 2093 2094 2095 2096 2097 2098 2099 2100 2101 2102 2103 2104 2105 2106 2107 2108 2109 2110 2111 2112 2113 2114 2115 2116 2117 2118 2119 2120 2121 |
{
#if OPENSSL_VERSION_NUMBER < 0x30000000L
if (CApath != NULL || CAfile != NULL) {
Tcl_DString ds1;
Tcl_DStringInit(&ds1);
if (!SSL_CTX_load_verify_locations(ctx, F2N(CAfile, &ds), F2N(CApath, &ds1))) {
Tcl_AppendResult(interp, GET_ERR_REASON(), (char *) NULL);
SSL_CTX_free(ctx);
Tcl_DStringFree(&ds);
Tcl_DStringFree(&ds1);
return NULL;
}
Tcl_DStringFree(&ds);
Tcl_DStringFree(&ds1);
/* Set list of CAs to send to client when requesting a client certificate */
/* https://sourceforge.net/p/tls/bugs/57/ */
/* XXX:TODO: Let the user supply values here instead of something that exists on the filesystem */
STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file(F2N(CAfile, &ds));
if (certNames != NULL) {
SSL_CTX_set_client_CA_list(ctx, certNames);
}
Tcl_DStringFree(&ds);
}
#else
/* Set directory containing CA certificates in PEM format. */
if (CApath != NULL) {
if (!SSL_CTX_load_verify_dir(ctx, F2N(CApath, &ds))) {
Tcl_AppendResult(interp, GET_ERR_REASON(), (char *) NULL);
SSL_CTX_free(ctx);
Tcl_DStringFree(&ds);
return NULL;
}
Tcl_DStringFree(&ds);
}
/* Set URI for to a store, which may be a single container or a catalog of containers. */
if (CAstore != NULL) {
if (!SSL_CTX_load_verify_store(ctx, F2N(CAstore, &ds))) {
Tcl_AppendResult(interp, GET_ERR_REASON(), (char *) NULL);
SSL_CTX_free(ctx);
Tcl_DStringFree(&ds);
return NULL;
}
Tcl_DStringFree(&ds);
}
/* Set file of CA certificates in PEM format. */
if (CAfile != NULL) {
if (!SSL_CTX_load_verify_file(ctx, F2N(CAfile, &ds))) {
Tcl_AppendResult(interp, GET_ERR_REASON(), (char *) NULL);
SSL_CTX_free(ctx);
Tcl_DStringFree(&ds);
return NULL;
}
Tcl_DStringFree(&ds);
/* Set list of CAs to send to client when requesting a client certificate */
STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file(F2N(CAfile, &ds));
if (certNames != NULL) {
SSL_CTX_set_client_CA_list(ctx, certNames);
|
| ︙ | ︙ |