Overview
| Comment: | Changed the default for -tls1 and -tls1.1 options to false. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk | tls-2.0 |
| Files: | files | file ages | folders |
| SHA3-256: |
861ff6374c414d248259eca1f68cd41d |
| User & Date: | bohagan on 2025-01-02 23:40:36 |
| Other Links: | branch diff | manifest | tags |
Context
|
2025-01-02
| ||
| 23:58 | More documentation updates in prep for 2.0 release check-in: 44384307bd user: bohagan tags: trunk, tls-2.0 | |
| 23:40 | Changed the default for -tls1 and -tls1.1 options to false. check-in: 861ff6374c user: bohagan tags: trunk, tls-2.0 | |
| 23:36 | Changed the default for the -require option to true. check-in: 7a43d021a4 user: bohagan tags: trunk, tls-2.0 | |
Changes
Modified doc/tls.html
from [7309057c14]
to [5af1eb3236].
| ︙ | ︙ | |||
287 288 289 290 291 292 293 | <dd><p>Specify the peer's hostname. This is used to set the TLS Server Name Indication (SNI) extension. Set this to the expected servername in the server's certificate or one of the Subject Alternate Names (SAN). Starting in TclTLS 2.0, this will default to the host for the <b class="cmd">tls::socket</b> command.</p></dd> <dt><b class="option">-session_id</b> <i class="arg">binary_string</i></dt> <dd><p>Specifies the session id to resume a session. Not supported yet.</p></dd> <dt><b class="option">-ssl2</b> <i class="arg">bool</i></dt> | | | | | | | | | | | | | | > | 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 | <dd><p>Specify the peer's hostname. This is used to set the TLS Server Name Indication (SNI) extension. Set this to the expected servername in the server's certificate or one of the Subject Alternate Names (SAN). Starting in TclTLS 2.0, this will default to the host for the <b class="cmd">tls::socket</b> command.</p></dd> <dt><b class="option">-session_id</b> <i class="arg">binary_string</i></dt> <dd><p>Specifies the session id to resume a session. Not supported yet.</p></dd> <dt><b class="option">-ssl2</b> <i class="arg">bool</i></dt> <dd><p>Enable use of SSL v2.The default is <b class="const">false</b>. OpenSSL 1.1+ no longer supports SSL v2, so this may not have any effect. See the <b class="cmd">tls::protocols</b> command for supported protocols.</p></dd> <dt><b class="option">-ssl3</b> <i class="arg">bool</i></dt> <dd><p>Enable use of SSL v3. The default is <b class="const">false</b>. Starting in TclTLS 1.8, use of SSL v3 if only available via a compile time option. See the <b class="cmd">tls::protocols</b> command for supported protocols.</p></dd> <dt><b class="option">-tls1</b> <i class="arg">bool</i></dt> <dd><p>Enable use of TLS v1. Starting in TclTLS 2.0, the default is <b class="const">false</b>. Note: TLS 1.0 needs SHA1 to operate, which is only available in security level 0 for Open SSL 3.0+. See the <i class="arg">-security_level</i> option.</p></dd> <dt><b class="option">-tls1.1</b> <i class="arg">bool</i></dt> <dd><p>Enable use of TLS v1.1. Starting in TclTLS 2.0, the default is <b class="const">false</b>. Note: TLS 1.1 needs SHA1 to operate, which is only available in security level 0 for Open SSL 3.0+. See the <i class="arg">-security_level</i> option.</p></dd> <dt><b class="option">-tls1.2</b> <i class="arg">bool</i></dt> <dd><p>Enable use of TLS v1.2. The default is <b class="const">true</b>.</p></dd> <dt><b class="option">-tls1.3</b> <i class="arg">bool</i></dt> <dd><p>Enable use of TLS v1.3. The default is <b class="const">true</b>. This is only available starting with OpenSSL 1.1.1 and TclTLS 1.7.</p></dd> <dt><b class="option">-validatecommand</b> <i class="arg">callback</i></dt> <dd><p>Specifies the callback command to invoke to validate the peer certificates and other config info during the protocol negotiation phase. This can be used by TCL scripts to perform their own Certificate Validation to supplement the default validation provided by OpenSSL. The script must return a boolean true to continue the negotiation. See <span class="sectref"><a href="#section4">Callback Options</a></span> for more info.</p></dd> </dl></dd> |
| ︙ | ︙ |
Modified doc/tls.man
from [4bcf529b15]
to [ee4eb2acb8].
| ︙ | ︙ | |||
184 185 186 187 188 189 190 | or one of the Subject Alternate Names (SAN). Starting in TclTLS 2.0, this will default to the host for the [cmd tls::socket] command. [opt_def -session_id [arg binary_string]] Specifies the session id to resume a session. Not supported yet. [opt_def -ssl2 [arg bool]] | | | | | | | | | | | | | | > | 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 | or one of the Subject Alternate Names (SAN). Starting in TclTLS 2.0, this will default to the host for the [cmd tls::socket] command. [opt_def -session_id [arg binary_string]] Specifies the session id to resume a session. Not supported yet. [opt_def -ssl2 [arg bool]] Enable use of SSL v2.The default is [const false]. OpenSSL 1.1+ no longer supports SSL v2, so this may not have any effect. See the [cmd tls::protocols] command for supported protocols. [opt_def -ssl3 [arg bool]] Enable use of SSL v3. The default is [const false]. Starting in TclTLS 1.8, use of SSL v3 if only available via a compile time option. See the [cmd tls::protocols] command for supported protocols. [opt_def -tls1 [arg bool]] Enable use of TLS v1. Starting in TclTLS 2.0, the default is [const false]. Note: TLS 1.0 needs SHA1 to operate, which is only available in security level 0 for Open SSL 3.0+. See the [arg -security_level] option. [opt_def -tls1.1 [arg bool]] Enable use of TLS v1.1. Starting in TclTLS 2.0, the default is [const false]. Note: TLS 1.1 needs SHA1 to operate, which is only available in security level 0 for Open SSL 3.0+. See the [arg -security_level] option. [opt_def -tls1.2 [arg bool]] Enable use of TLS v1.2. The default is [const true]. [opt_def -tls1.3 [arg bool]] Enable use of TLS v1.3. The default is [const true]. This is only available starting with OpenSSL 1.1.1 and TclTLS 1.7. [opt_def -validatecommand [arg callback]] Specifies the callback command to invoke to validate the peer certificates and other config info during the protocol negotiation phase. This can be used by TCL scripts to perform their own Certificate Validation to supplement the default validation provided by OpenSSL. The script must return a boolean true to continue the negotiation. See [sectref "Callback Options"] for more info. |
| ︙ | ︙ |
Modified doc/tls.n
from [7c52fb51a3]
to [f9c6a0c3c3].
| ︙ | ︙ | |||
461 462 463 464 465 466 467 | or one of the Subject Alternate Names (SAN)\&. Starting in TclTLS 2\&.0, this will default to the host for the \fBtls::socket\fR command\&. .TP \fB-session_id\fR \fIbinary_string\fR Specifies the session id to resume a session\&. Not supported yet\&. .TP \fB-ssl2\fR \fIbool\fR | | | | | | | | | | | | | | > | 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 | or one of the Subject Alternate Names (SAN)\&. Starting in TclTLS 2\&.0, this will default to the host for the \fBtls::socket\fR command\&. .TP \fB-session_id\fR \fIbinary_string\fR Specifies the session id to resume a session\&. Not supported yet\&. .TP \fB-ssl2\fR \fIbool\fR Enable use of SSL v2\&.The default is \fBfalse\fR\&. OpenSSL 1\&.1+ no longer supports SSL v2, so this may not have any effect\&. See the \fBtls::protocols\fR command for supported protocols\&. .TP \fB-ssl3\fR \fIbool\fR Enable use of SSL v3\&. The default is \fBfalse\fR\&. Starting in TclTLS 1\&.8, use of SSL v3 if only available via a compile time option\&. See the \fBtls::protocols\fR command for supported protocols\&. .TP \fB-tls1\fR \fIbool\fR Enable use of TLS v1\&. Starting in TclTLS 2\&.0, the default is \fBfalse\fR\&. Note: TLS 1\&.0 needs SHA1 to operate, which is only available in security level 0 for Open SSL 3\&.0+\&. See the \fI-security_level\fR option\&. .TP \fB-tls1\&.1\fR \fIbool\fR Enable use of TLS v1\&.1\&. Starting in TclTLS 2\&.0, the default is \fBfalse\fR\&. Note: TLS 1\&.1 needs SHA1 to operate, which is only available in security level 0 for Open SSL 3\&.0+\&. See the \fI-security_level\fR option\&. .TP \fB-tls1\&.2\fR \fIbool\fR Enable use of TLS v1\&.2\&. The default is \fBtrue\fR\&. .TP \fB-tls1\&.3\fR \fIbool\fR Enable use of TLS v1\&.3\&. The default is \fBtrue\fR\&. This is only available starting with OpenSSL 1\&.1\&.1 and TclTLS 1\&.7\&. .TP \fB-validatecommand\fR \fIcallback\fR Specifies the callback command to invoke to validate the peer certificates and other config info during the protocol negotiation phase\&. This can be used by TCL scripts to perform their own Certificate Validation to supplement the default validation provided by OpenSSL\&. The script must return a boolean true to continue the negotiation\&. See \fBCallback Options\fR for more info\&. |
| ︙ | ︙ |
Modified generic/tls.c
from [51d12a8e04]
to [a490a47cab].
| ︙ | ︙ | |||
1346 1347 1348 1349 1350 1351 1352 |
char *CAstore = NULL;
char *DHparams = NULL;
char *model = NULL;
char *servername = NULL; /* hostname for Server Name Indication */
char *session_id = NULL;
Tcl_Obj *alpn = NULL;
int ssl2 = 0, ssl3 = 0;
| | | 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 |
char *CAstore = NULL;
char *DHparams = NULL;
char *model = NULL;
char *servername = NULL; /* hostname for Server Name Indication */
char *session_id = NULL;
Tcl_Obj *alpn = NULL;
int ssl2 = 0, ssl3 = 0;
int tls1 = 0, tls1_1 = 0, tls1_2 = 1, tls1_3 = 1;
int proto = 0, level = -1;
int verify = 0, require = 1, request = 1, post_handshake = 0;
dprintf("Called");
#if defined(NO_TLS1) || defined(OPENSSL_NO_TLS1)
tls1 = 0;
|
| ︙ | ︙ |