Overview
Comment: | Comment and documentation updates. Added more checks for supported protocol versions. |
---|---|
Downloads: | Tarball | ZIP archive | SQL archive |
Timelines: | family | ancestors | descendants | both | errors_and_callbacks |
Files: | files | file ages | folders |
SHA3-256: |
a4c50c7c74b690a1316b5a60a05b6d5b |
User & Date: | bohagan on 2023-07-24 23:12:48 |
Other Links: | branch diff | manifest | tags |
Context
2023-07-28
| ||
16:07 | Refactored Tls_Error handler to not set errorCode. Use error message, return result, or if none, fall-back to OpenSSL error queue. Added clear OpenSSL errors to start of each command function to remove old error messages. check-in: e85a439068 user: bohagan tags: errors_and_callbacks | |
2023-07-24
| ||
23:12 | Comment and documentation updates. Added more checks for supported protocol versions. check-in: a4c50c7c74 user: bohagan tags: errors_and_callbacks | |
2023-07-21
| ||
23:29 | Removed connect or handshake errors trigger background error. Removed Tls_Error call to background error handler when a callback command isn't defined. This would occur during connect/handshake errors. Fixes bug: https://core.tcl-lang.org/tcltls/tktview/2c7b748796 check-in: 6a11f12158 user: bohagan tags: errors_and_callbacks | |
Changes
Modified doc/tls.html
from [652ed627a1]
to [6d8fb07f8c].
︙ | ︙ | |||
292 293 294 295 296 297 298 | <dt><strong>num_extensions</strong> <em>n</em></dt> <dd>Number of certificate extensions.</dd> <dt><strong>extensions</strong> <em>list</em></dt> <dd>List of certificate extension names.</dd> <dt><strong>authorityKeyIdentifier</strong> <em>string</em></dt> <dd>(AKI) Key identifier of the Issuing CA certificate that signed | | | | | > | | 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 | <dt><strong>num_extensions</strong> <em>n</em></dt> <dd>Number of certificate extensions.</dd> <dt><strong>extensions</strong> <em>list</em></dt> <dd>List of certificate extension names.</dd> <dt><strong>authorityKeyIdentifier</strong> <em>string</em></dt> <dd>(AKI) Key identifier of the Issuing CA certificate that signed the SSL certificate as hex string. This value matches the SKI value of the Intermediate CA certificate.</dd> <dt><strong>subjectKeyIdentifier</strong> <em>string</em></dt> <dd>(SKI) Hash of the public key inside the certificate as hex string. Used to identify certificates that contain a particular public key.</dd> <dt><strong>subjectAltName</strong> <em>list</em></dt> <dd>List of all of the alternative domain names, sub domains, and IP addresses that are secured by the certificate.</dd> <dt><strong>ocsp</strong> <em>list</em></dt> <dd>List of all Online Certificate Status Protocol (OCSP) URLs.</dd> <dt><strong>certificate</strong> <em>cert</em></dt> <dd>The PEM encoded certificate.</dd> <dt><strong>signatureAlgorithm</strong> <em>algorithm</em></dt> <dd>Cipher algorithm used for certificate signature.</dd> <dt><strong>signatureValue</strong> <em>string</em></dt> |
︙ | ︙ | |||
343 344 345 346 347 348 349 | <dt><strong>state</strong> <em>state</em></dt> <dd>State of the connection.</dd> <dt><strong>servername</strong> <em>name</em></dt> <dd>The name of the connected to server.</dd> <dt><strong>protocol</strong> <em>version</em></dt> <dd>The protocol version used for the connection: SSL2, SSL3, TLS1, TLS1.1, TLS1.2, TLS1.3, or unknown.</dd> | | | | 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 | <dt><strong>state</strong> <em>state</em></dt> <dd>State of the connection.</dd> <dt><strong>servername</strong> <em>name</em></dt> <dd>The name of the connected to server.</dd> <dt><strong>protocol</strong> <em>version</em></dt> <dd>The protocol version used for the connection: SSL2, SSL3, TLS1, TLS1.1, TLS1.2, TLS1.3, or unknown.</dd> <dt><strong>renegotiation</strong> <em>boolean</em></dt> <dd>Whether protocol renegotiation is supported or not.</dd> <dt><strong>securitylevel</strong> <em>level</em></dt> <dd>The security level used for selection of ciphers, key size, etc.</dd> <dt><strong>session_reused</strong> <em>boolean</em></dt> <dd>Whether the session has been reused or not.</dd> <dt><strong>is_server</strong> <em>boolean</em></dt> <dd>Whether the connection is configured as a server (1) or client (0).</dd> <dt><strong>compression</strong> <em>mode</em></dt> <dd>Compression method.</dd> <dt><strong>expansion</strong> <em>mode</em></dt> <dd>Expansion method.</dd> </dl> </blockquote> <blockquote> |
︙ | ︙ | |||
390 391 392 393 394 395 396 | <dd>Can the session be resumed or not.</dd> <dt><strong>start_time</strong> <em>seconds</em></dt> <dd>Time since session started in seconds since epoch.</dd> <dt><strong>timeout</strong> <em>seconds</em></dt> <dd>Max duration of session in seconds before time-out.</dd> <dt><strong>lifetime</strong> <em>seconds</em></dt> <dd>Session ticket lifetime hint in seconds.</dd> | | | | | 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 | <dd>Can the session be resumed or not.</dd> <dt><strong>start_time</strong> <em>seconds</em></dt> <dd>Time since session started in seconds since epoch.</dd> <dt><strong>timeout</strong> <em>seconds</em></dt> <dd>Max duration of session in seconds before time-out.</dd> <dt><strong>lifetime</strong> <em>seconds</em></dt> <dd>Session ticket lifetime hint in seconds.</dd> <dt><strong>session_id</strong> <em>binary_string</em></dt> <dd>Unique session id for use in resuming the session.</dd> <dt><strong>session_ticket</strong> <em>binary_string</em></dt> <dd>Unique session ticket for use in resuming the session.</dd> <dt><strong>ticket_app_data</strong> <em>binary_string</em></dt> <dd>Unique session ticket application data.</dd> <dt><strong>master_key</strong> <em>binary_string</em></dt> <dd>Unique session master key.</dd> <dt><strong>session_cache_mode</strong> <em>mode</em></dt> <dd>Server cache mode (client, server, or both).</dd> </dl> </blockquote> |
︙ | ︙ | |||
428 429 430 431 432 433 434 | </dl> <h3><a name="CALLBACK OPTIONS">CALLBACK OPTIONS</a></h3> <p> As indicated above, individual channels can be given their own callbacks to handle intermediate processing by the OpenSSL library, using the | > | | 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 | </dl> <h3><a name="CALLBACK OPTIONS">CALLBACK OPTIONS</a></h3> <p> As indicated above, individual channels can be given their own callbacks to handle intermediate processing by the OpenSSL library, using the <strong>-command</strong>, <strong>-password</strong>, and <strong>-validate_command</strong> options passed to either of <strong>tls::socket</strong> or <strong>tls::import</strong>. </p> <blockquote> <dl> <dt><strong>-command</strong> <em>callback</em></dt> |
︙ | ︙ | |||
493 494 495 496 497 498 499 | <dd> This form of callback is invoked by the OpenSSL function <code>SSL_CTX_sess_set_new_cb()</code>. Where <em>session_id</em> is the current session identifier, <em>ticket</em> is the session ticket info, and <em>lifetime</em> is the the ticket lifetime in seconds. </dd> | | | | | | < | | 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 | <dd> This form of callback is invoked by the OpenSSL function <code>SSL_CTX_sess_set_new_cb()</code>. Where <em>session_id</em> is the current session identifier, <em>ticket</em> is the session ticket info, and <em>lifetime</em> is the the ticket lifetime in seconds. </dd> <br> </dl> </dd> <br> <dt><strong>-password</strong> <em>callback</em></dt> <dd> Invokes the specified <em>callback</em> script when OpenSSL needs to obtain a password. The callback should return the password as a string. No arguments are appended to the script upon callback. </dd> <br> <dt><strong>-validatecommand</strong> <em>callback</em></dt> <dd> Invokes the specified <em>callback</em> script during handshake in order to validate the provided value(s). To reject the value and abort connection, the callback should return 0. To accept the value, it should return 1. To reject the value, but continue the connection, it should return 2. <br> <br> <dl> <dt> <strong>alpn</strong> <em>protocol</em> </dt> <dd> For servers, this form of callback is invoked when the client ALPN extension is received and the first <b>-alpn</b> specified protocol common to the both the client and server is selected. If none, the first client specified protocol is used. </dd> <br> <dt> <strong>hello</strong> <em>servername</em> </dt> <dd> For servers, this form of callback is invoked during client hello message processing. It is used to select an appropriate certificate to present, and make other configuration adjustments relevant to that server name and its configuration. Called before SNI and ALPN callbacks. </dd> <br> <dt> <strong>sni</strong> <em>servername</em> </dt> <dd> For servers, this form of callback is invoked when the SNI extension from the client is received. This is used when a server supports multiple names, so the right certificate can be used. Called after hello callback but before ALPN callback. </dd> <br> <dt> |
︙ | ︙ | |||
581 582 583 584 585 586 587 | <li>The <em>status</em> argument is an boolean representing the validity of the current certificate. A value of <code>0</code> means the certificate is deemed invalid. A value of <code>1</code> means the certificate is deemed valid.</li> <li>The <em>error</em> argument supplies the message, if any, generated by <code>X509_STORE_CTX_get_error()</code>.</li> </ul> | < < < < | | | | | | | | | | | | | > > | | | | < < < < < < < | | 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 | <li>The <em>status</em> argument is an boolean representing the validity of the current certificate. A value of <code>0</code> means the certificate is deemed invalid. A value of <code>1</code> means the certificate is deemed valid.</li> <li>The <em>error</em> argument supplies the message, if any, generated by <code>X509_STORE_CTX_get_error()</code>.</li> </ul> </dd> <br> </dl> </dd> </dl> </blockquote> <p> Reference implementations of these callbacks are provided in the distribution as <strong>tls::callback</strong>, <strong>tls::password</strong>, and <strong>tls::validate_command</strong> respectively. Note that these are <em>sample</em> implementations only. In a more realistic deployment you would specify your own callback scripts on each TLS channel using the <strong>-command</strong>, <strong>-password</strong>, and <strong>-validate_command</strong> options. </p> <p> The default behavior when the <strong>-command</strong> and <strong>-validate_command</strong> options are not specified is for TLS to process the associated library callbacks internally. The default behavior when the <strong>-password</strong> option is not specified is for TLS to process the associated library callbacks by attempting to call <strong>tls::password</strong>. The difference between these two behaviors is a consequence of maintaining compatibility with earlier implementations. </p> <p> The <strong>tls::debug</strong> variable provides some additional control over these reference callbacks. Its value is zero by default. Higher values produce more diagnostic output, and will also force the verify method in <strong>tls::callback</strong> to accept the certificate, even when it is invalid. </p> <p> <em> The use of the reference callbacks <strong>tls::callback</strong>, <strong>tls::password</strong>, and <strong>tls::validate_command</strong> is not recommended. They may be removed from future releases. </em> </p> <p> <em> The use of the variable <strong>tls::debug</strong> is not recommended. It may be removed from future releases. </em> </p> <h3><a name="DEBUG">DEBUG</a></h3> TLS key logging can be enabled by setting the environment variable <b>SSLKEYLOGFILE</b> to the name of the file to log to. Then whenever TLS key material is generated or received it will be logged to the file. This is useful for logging key data for network logging tools to use to decrypt the data. <h3><a name="HTTPS EXAMPLE">HTTPS EXAMPLE</a></h3> <p>This example uses a sample server.pem provided with the TLS release, courtesy of the <strong>OpenSSL</strong> project.</p> <pre><code> package require http package require tls http::register https 443 [list ::tls::socket -autoservername true -require true -cadir /etc/ssl/certs] set tok [http::geturl https://www.tcl.tk/] </code></pre> <h3><a name="SPECIAL CONSIDERATIONS">SPECIAL CONSIDERATIONS</a></h3> <p>The capabilities of this package can vary enormously based upon how your OpenSSL library was configured and built. New versions may obsolete older protocol versions, add or remove ciphers, change default values, etc. Use the <strong>tls::ciphers</strong> and <strong>tls::protocols</strong> commands to obtain the supported versions.</p> <h3><a name="SEE ALSO">SEE ALSO</a></h3> <p><strong>socket</strong>, <strong>fileevent, </strong><a href="http://www.openssl.org/"><strong>OpenSSL</strong></a></p> <hr> |
︙ | ︙ |
Modified generic/tls.c
from [459c02ba4b]
to [8e541b360a].
︙ | ︙ | |||
91 92 93 94 95 96 97 98 99 100 101 | static Tcl_Mutex *locks = NULL; static int locksCount = 0; static Tcl_Mutex init_mx; #endif /* OPENSSL_THREADS */ #endif /* TCL_THREADS */ /********************/ /* Callbacks */ /********************/ | > < | 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 | static Tcl_Mutex *locks = NULL; static int locksCount = 0; static Tcl_Mutex init_mx; #endif /* OPENSSL_THREADS */ #endif /* TCL_THREADS */ /********************/ /* Callbacks */ /********************/ /* *------------------------------------------------------------------- * * Eval Callback Command -- * * Eval callback command and catch any errors * |
︙ | ︙ | |||
154 155 156 157 158 159 160 161 162 163 164 165 166 167 | * monitors SSL connection process * * Results: * None * * Side effects: * Calls callback (if defined) *------------------------------------------------------------------- */ static void InfoCallback(const SSL *ssl, int where, int ret) { State *statePtr = (State*)SSL_get_app_data((SSL *)ssl); Tcl_Interp *interp = statePtr->interp; Tcl_Obj *cmdPtr; | > | 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 | * monitors SSL connection process * * Results: * None * * Side effects: * Calls callback (if defined) * *------------------------------------------------------------------- */ static void InfoCallback(const SSL *ssl, int where, int ret) { State *statePtr = (State*)SSL_get_app_data((SSL *)ssl); Tcl_Interp *interp = statePtr->interp; Tcl_Obj *cmdPtr; |
︙ | ︙ | |||
197 198 199 200 201 202 203 | if (where & SSL_CB_READ) minor = "read"; else if (where & SSL_CB_WRITE) minor = "write"; else if (where & SSL_CB_LOOP) minor = "loop"; else if (where & SSL_CB_EXIT) minor = "exit"; else minor = "unknown"; } | | | 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 | if (where & SSL_CB_READ) minor = "read"; else if (where & SSL_CB_WRITE) minor = "write"; else if (where & SSL_CB_LOOP) minor = "loop"; else if (where & SSL_CB_EXIT) minor = "exit"; else minor = "unknown"; } /* Create command to eval */ cmdPtr = Tcl_DuplicateObj(statePtr->callback); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("info", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(major, -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(minor, -1)); |
︙ | ︙ | |||
253 254 255 256 257 258 259 260 261 262 263 264 265 266 | * failure alert to peer, and terminate handshake. * 1 - the certificate is deemed valid, continue with handshake. * empty string - no change to certificate validation * * Side effects: * The err field of the currently operative State is set * to a string describing the SSL negotiation failure reason *------------------------------------------------------------------- */ static int VerifyCallback(int ok, X509_STORE_CTX *ctx) { Tcl_Obj *cmdPtr; SSL *ssl = (SSL*)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); X509 *cert = X509_STORE_CTX_get_current_cert(ctx); | > | 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 | * failure alert to peer, and terminate handshake. * 1 - the certificate is deemed valid, continue with handshake. * empty string - no change to certificate validation * * Side effects: * The err field of the currently operative State is set * to a string describing the SSL negotiation failure reason * *------------------------------------------------------------------- */ static int VerifyCallback(int ok, X509_STORE_CTX *ctx) { Tcl_Obj *cmdPtr; SSL *ssl = (SSL*)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); X509 *cert = X509_STORE_CTX_get_current_cert(ctx); |
︙ | ︙ | |||
275 276 277 278 279 280 281 | if (statePtr->vflags & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) { return ok; } else { return 1; } } | | | > | 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 | if (statePtr->vflags & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) { return ok; } else { return 1; } } /* Create command to eval */ cmdPtr = Tcl_DuplicateObj(statePtr->vcmd); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("verify", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(depth)); Tcl_ListObjAppendElement(interp, cmdPtr, Tls_NewX509Obj(interp, cert)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(ok)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj((char*)X509_verify_cert_error_string(err), -1)); statePtr->flags |= TLS_TCL_CALLBACK; /* Eval callback command */ Tcl_IncrRefCount(cmdPtr); ok = EvalCallback(interp, statePtr, cmdPtr); Tcl_DecrRefCount(cmdPtr); statePtr->flags &= ~(TLS_TCL_CALLBACK); return(ok); /* By default, leave verification unchanged. */ } /* *------------------------------------------------------------------- * * Tls_Error -- * * Calls callback with $fd and $msg - so the callback can decide * what to do with errors. * * Side effects: * The err field of the currently operative State is set * to a string describing the SSL negotiation failure reason * *------------------------------------------------------------------- */ void Tls_Error(State *statePtr, char *msg) { Tcl_Interp *interp = statePtr->interp; Tcl_Obj *cmdPtr; |
︙ | ︙ | |||
349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 | * * KeyLogCallback -- * * Write received key data to log file. * * Side effects: * none *------------------------------------------------------------------- */ void KeyLogCallback(const SSL *ssl, const char *line) { char *str = getenv(SSLKEYLOGFILE); FILE *fd; if (str) { fd = fopen(str, "a"); fprintf(fd, "%s\n",line); fclose(fd); } } /* *------------------------------------------------------------------- * * Password Callback -- * * Called when a password is needed to unpack RSA and PEM keys. * Evals any bound password script and returns the result as * the password string. *------------------------------------------------------------------- */ static int PasswordCallback(char *buf, int size, int verify, void *udata) { State *statePtr = (State *) udata; Tcl_Interp *interp = statePtr->interp; Tcl_Obj *cmdPtr; | > > | 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 | * * KeyLogCallback -- * * Write received key data to log file. * * Side effects: * none * *------------------------------------------------------------------- */ void KeyLogCallback(const SSL *ssl, const char *line) { char *str = getenv(SSLKEYLOGFILE); FILE *fd; if (str) { fd = fopen(str, "a"); fprintf(fd, "%s\n",line); fclose(fd); } } /* *------------------------------------------------------------------- * * Password Callback -- * * Called when a password is needed to unpack RSA and PEM keys. * Evals any bound password script and returns the result as * the password string. * *------------------------------------------------------------------- */ static int PasswordCallback(char *buf, int size, int verify, void *udata) { State *statePtr = (State *) udata; Tcl_Interp *interp = statePtr->interp; Tcl_Obj *cmdPtr; |
︙ | ︙ | |||
390 391 392 393 394 395 396 | strncpy(buf, ret, (size_t) size); return (int)strlen(ret); } else { return -1; } } | | | 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 | strncpy(buf, ret, (size_t) size); return (int)strlen(ret); } else { return -1; } } /* Create command to eval */ cmdPtr = Tcl_DuplicateObj(statePtr->password); Tcl_Preserve((ClientData) interp); Tcl_Preserve((ClientData) statePtr); /* Eval callback and success for ok, abort for error, continue for continue */ Tcl_IncrRefCount(cmdPtr); |
︙ | ︙ | |||
463 464 465 466 467 468 469 | if (statePtr->callback == (Tcl_Obj*)NULL) { return SSL_TLSEXT_ERR_OK; } else if (ssl == NULL) { return SSL_TLSEXT_ERR_NOACK; } | | | 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 | if (statePtr->callback == (Tcl_Obj*)NULL) { return SSL_TLSEXT_ERR_OK; } else if (ssl == NULL) { return SSL_TLSEXT_ERR_NOACK; } /* Create command to eval */ cmdPtr = Tcl_DuplicateObj(statePtr->callback); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("session", -1)); /* Session id */ session_id = SSL_SESSION_get_id(session, &ulen); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewByteArrayObj(session_id, (int) ulen)); |
︙ | ︙ | |||
538 539 540 541 542 543 544 | res = SSL_TLSEXT_ERR_NOACK; } if (statePtr->vcmd == (Tcl_Obj*)NULL) { return res; } | | | 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 | res = SSL_TLSEXT_ERR_NOACK; } if (statePtr->vcmd == (Tcl_Obj*)NULL) { return res; } /* Create command to eval */ cmdPtr = Tcl_DuplicateObj(statePtr->vcmd); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("alpn", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(*out, -1)); /* Eval callback command */ Tcl_IncrRefCount(cmdPtr); if ((code = EvalCallback(interp, statePtr, cmdPtr)) > 1) { |
︙ | ︙ | |||
604 605 606 607 608 609 610 | #endif /* *------------------------------------------------------------------- * * SNI Callback for Servers -- * | | | | 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 | #endif /* *------------------------------------------------------------------- * * SNI Callback for Servers -- * * Perform server-side SNI hostname selection after receiving SNI extension * in Client Hello. Called after hello callback but before ALPN callback. * * Results: * None * * Side effects: * Calls callback (if defined) * |
︙ | ︙ | |||
638 639 640 641 642 643 644 645 646 | dprintf("Called"); if (ssl == NULL || arg == NULL) { return SSL_TLSEXT_ERR_NOACK; } servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); if (!servername || servername[0] == '\0') { | > | | | 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 | dprintf("Called"); if (ssl == NULL || arg == NULL) { return SSL_TLSEXT_ERR_NOACK; } /* Only works for TLS 1.2 and earlier */ servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); if (!servername || servername[0] == '\0') { return SSL_TLSEXT_ERR_NOACK; } if (statePtr->vcmd == (Tcl_Obj*)NULL) { return SSL_TLSEXT_ERR_OK; } /* Create command to eval */ cmdPtr = Tcl_DuplicateObj(statePtr->vcmd); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("sni", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(servername , -1)); /* Eval callback command */ Tcl_IncrRefCount(cmdPtr); if ((code = EvalCallback(interp, statePtr, cmdPtr)) > 1) { |
︙ | ︙ | |||
714 715 716 717 718 719 720 | } else if (ssl == NULL || arg == NULL) { return SSL_CLIENT_HELLO_ERROR; } /* Get names */ if (!SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_server_name, &p, &remaining) || remaining <= 2) { *alert = SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER; | | | | | | | | 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 | } else if (ssl == NULL || arg == NULL) { return SSL_CLIENT_HELLO_ERROR; } /* Get names */ if (!SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_server_name, &p, &remaining) || remaining <= 2) { *alert = SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER; return SSL_CLIENT_HELLO_ERROR; } /* Extract the length of the supplied list of names. */ len = (*(p++) << 8); len += *(p++); if (len + 2 != remaining) { *alert = SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER; return SSL_CLIENT_HELLO_ERROR; } remaining = len; /* The list in practice only has a single element, so we only consider the first one. */ if (remaining == 0 || *p++ != TLSEXT_NAMETYPE_host_name) { *alert = SSL_R_TLSV1_ALERT_INTERNAL_ERROR; return SSL_CLIENT_HELLO_ERROR; } remaining--; /* Now we can finally pull out the byte array with the actual hostname. */ if (remaining <= 2) { *alert = SSL_R_TLSV1_ALERT_INTERNAL_ERROR; return SSL_CLIENT_HELLO_ERROR; } len = (*(p++) << 8); len += *(p++); if (len + 2 > remaining) { *alert = SSL_R_TLSV1_ALERT_INTERNAL_ERROR; return SSL_CLIENT_HELLO_ERROR; } remaining = len; servername = (const char *)p; /* Create command to eval */ cmdPtr = Tcl_DuplicateObj(statePtr->vcmd); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("hello", -1)); Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(servername, (int) len)); /* Eval callback command */ Tcl_IncrRefCount(cmdPtr); if ((code = EvalCallback(interp, statePtr, cmdPtr)) > 1) { |
︙ | ︙ | |||
863 864 865 866 867 868 869 | #endif case TLS_TLS1_3: #if defined(NO_TLS1_3) || defined(OPENSSL_NO_TLS1_3) Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLS_method()); | | | 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 | #endif case TLS_TLS1_3: #if defined(NO_TLS1_3) || defined(OPENSSL_NO_TLS1_3) Tcl_AppendResult(interp, protocols[index], ": protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLS_method()); SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION); SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION); break; #endif default: break; } if (ctx == NULL) { |
︙ | ︙ | |||
960 961 962 963 964 965 966 | } objPtr = Tcl_NewListObj(0, NULL); #if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(NO_SSL2) && !defined(OPENSSL_NO_SSL2) Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(protocols[TLS_SSL2], -1)); #endif | | | | | | 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 | } objPtr = Tcl_NewListObj(0, NULL); #if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(NO_SSL2) && !defined(OPENSSL_NO_SSL2) Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(protocols[TLS_SSL2], -1)); #endif #if !defined(NO_SSL3) && !defined(OPENSSL_NO_SSL3) && !defined(OPENSSL_NO_SSL3_METHOD) Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(protocols[TLS_SSL3], -1)); #endif #if !defined(NO_TLS1) && !defined(OPENSSL_NO_TLS1) && !defined(OPENSSL_NO_TLS1_METHOD) Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(protocols[TLS_TLS1], -1)); #endif #if !defined(NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_1_METHOD) Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(protocols[TLS_TLS1_1], -1)); #endif #if !defined(NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_2_METHOD) Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(protocols[TLS_TLS1_2], -1)); #endif #if !defined(NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_3) Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(protocols[TLS_TLS1_3], -1)); #endif Tcl_SetObjResult(interp, objPtr); |
︙ | ︙ | |||
1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 | if (opt[0] != '-') break; OPTOBJ("-alpn", alpn); OPTSTR("-cadir", CAdir); OPTSTR("-cafile", CAfile); OPTSTR("-certfile", certfile); OPTSTR("-cipher", ciphers); OPTSTR("-ciphers", ciphers); OPTSTR("-ciphersuites", ciphersuites); OPTOBJ("-command", script); OPTSTR("-dhparams", DHparams); OPTSTR("-keyfile", keyfile); OPTSTR("-model", model); OPTOBJ("-password", password); OPTBOOL("-post_handshake", post_handshake); | > > < > < < | | | | | | 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 | if (opt[0] != '-') break; OPTOBJ("-alpn", alpn); OPTSTR("-cadir", CAdir); OPTSTR("-cafile", CAfile); OPTBYTE("-cert", cert, cert_len); OPTSTR("-certfile", certfile); OPTSTR("-cipher", ciphers); OPTSTR("-ciphers", ciphers); OPTSTR("-ciphersuites", ciphersuites); OPTOBJ("-command", script); OPTSTR("-dhparams", DHparams); OPTBYTE("-key", key, key_len); OPTSTR("-keyfile", keyfile); OPTSTR("-model", model); OPTOBJ("-password", password); OPTBOOL("-post_handshake", post_handshake); OPTBOOL("-request", request); OPTBOOL("-require", require); OPTINT("-securitylevel", level); OPTBOOL("-server", server); OPTSTR("-servername", servername); OPTSTR("-session_id", session_id); OPTBOOL("-ssl2", ssl2); OPTBOOL("-ssl3", ssl3); OPTBOOL("-tls1", tls1); OPTBOOL("-tls1.1", tls1_1); OPTBOOL("-tls1.2", tls1_2); OPTBOOL("-tls1.3", tls1_3); OPTOBJ("-validatecommand", vcmd); OPTOBJ("-vcmd", vcmd); OPTBAD("option", "-alpn, -cadir, -cafile, -cert, -certfile, -cipher, -ciphersuites, -command, -dhparams, -key, -keyfile, -model, -password, -post_handshake, -request, -require, -securitylevel, -server, -servername, -session_id, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, -tls1.3, or -validatecommand"); return TCL_ERROR; } if (request) verify |= SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER; if (request && require) verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; if (request && post_handshake) verify |= SSL_VERIFY_POST_HANDSHAKE; if (verify == 0) verify = SSL_VERIFY_NONE; proto |= (ssl2 ? TLS_PROTO_SSL2 : 0); proto |= (ssl3 ? TLS_PROTO_SSL3 : 0); proto |= (tls1 ? TLS_PROTO_TLS1 : 0); proto |= (tls1_1 ? TLS_PROTO_TLS1_1 : 0); proto |= (tls1_2 ? TLS_PROTO_TLS1_2 : 0); proto |= (tls1_3 ? TLS_PROTO_TLS1_3 : 0); |
︙ | ︙ | |||
1314 1315 1316 1317 1318 1319 1320 1321 1322 | Tls_Free((char *) statePtr); return TCL_ERROR; } /* Set host server name */ if (servername) { /* Sets the server name indication (SNI) in ClientHello extension */ if (!SSL_set_tlsext_host_name(statePtr->ssl, servername) && require) { Tcl_AppendResult(interp, "setting TLS host name extension failed", (char *) NULL); | > | | | | | | 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 | Tls_Free((char *) statePtr); return TCL_ERROR; } /* Set host server name */ if (servername) { /* Sets the server name indication (SNI) in ClientHello extension */ /* Per RFC 6066, hostname is a ASCII encoded string. */ if (!SSL_set_tlsext_host_name(statePtr->ssl, servername) && require) { Tcl_AppendResult(interp, "setting TLS host name extension failed", (char *) NULL); Tls_Free((char *) statePtr); return TCL_ERROR; } /* Configure server host name checks in the SSL client. Set DNS hostname to name for peer certificate checks. SSL_set1_host has limitations. */ if (!SSL_add1_host(statePtr->ssl, servername)) { Tcl_AppendResult(interp, "setting DNS host name failed", (char *) NULL); Tls_Free((char *) statePtr); return TCL_ERROR; } } /* Resume session id */ if (session_id && strlen(session_id) <= SSL_MAX_SID_CTX_LENGTH) { /* SSL_set_session() */ if (!SSL_SESSION_set1_id_context(SSL_get_session(statePtr->ssl), session_id, (unsigned int) strlen(session_id))) { |
︙ | ︙ | |||
1408 1409 1410 1411 1412 1413 1414 | /* Server callbacks */ SSL_CTX_set_tlsext_servername_arg(statePtr->ctx, (void *)statePtr); SSL_CTX_set_tlsext_servername_callback(statePtr->ctx, SNICallback); SSL_CTX_set_client_hello_cb(statePtr->ctx, HelloCallback, (void *)statePtr); if (statePtr->protos != NULL) { SSL_CTX_set_alpn_select_cb(statePtr->ctx, ALPNCallback, (void *)statePtr); #ifdef USE_NPN | > | > > > > < > > | > | 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 | /* Server callbacks */ SSL_CTX_set_tlsext_servername_arg(statePtr->ctx, (void *)statePtr); SSL_CTX_set_tlsext_servername_callback(statePtr->ctx, SNICallback); SSL_CTX_set_client_hello_cb(statePtr->ctx, HelloCallback, (void *)statePtr); if (statePtr->protos != NULL) { SSL_CTX_set_alpn_select_cb(statePtr->ctx, ALPNCallback, (void *)statePtr); #ifdef USE_NPN if (tls1_2 == 0 && tls1_3 == 0) { SSL_CTX_set_next_protos_advertised_cb(statePtr->ctx, NPNCallback, (void *)statePtr); } #endif } /* Enable server to send cert request after handshake (TLS 1.3 only) */ /* A write operation must take place for the Certificate Request to be sent to the client, this can be done with SSL_do_handshake(). */ if (request && post_handshake) { SSL_verify_client_post_handshake(statePtr->ssl); } /* Set server mode */ statePtr->flags |= TLS_TCL_SERVER; SSL_set_accept_state(statePtr->ssl); } else { /* Client callbacks */ #ifdef USE_NPN if (statePtr->protos != NULL && tls1_2 == 0 && tls1_3 == 0) { SSL_CTX_set_next_proto_select_cb(statePtr->ctx, ALPNCallback, (void *)statePtr); } #endif /* Session caching */ SSL_CTX_set_session_cache_mode(statePtr->ctx, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE); SSL_CTX_sess_set_new_cb(statePtr->ctx, SessionCallback); /* Enable post handshake Authentication extension. TLS 1.3 only, not http/2. */ if (request && post_handshake) { SSL_set_post_handshake_auth(statePtr->ssl, 1); } /* Set client mode */ SSL_set_connect_state(statePtr->ssl); } SSL_set_bio(statePtr->ssl, statePtr->p_bio, statePtr->p_bio); BIO_set_ssl(statePtr->bio, statePtr->ssl, BIO_NOCLOSE); /* * End of SSL Init |
︙ | ︙ | |||
1625 1626 1627 1628 1629 1630 1631 | #if !defined(NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_3) off |= (ENABLED(proto, TLS_PROTO_TLS1_3) ? 0 : SSL_OP_NO_TLSv1_3); #endif break; } ERR_clear_error(); | < > | 1639 1640 1641 1642 1643 1644 1645 1646 1647 1648 1649 1650 1651 1652 1653 1654 | #if !defined(NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_3) off |= (ENABLED(proto, TLS_PROTO_TLS1_3) ? 0 : SSL_OP_NO_TLSv1_3); #endif break; } ERR_clear_error(); ctx = SSL_CTX_new(method); if (!ctx) { return(NULL); } if (getenv(SSLKEYLOGFILE)) { SSL_CTX_set_keylog_callback(ctx, KeyLogCallback); } |
︙ | ︙ | |||
1657 1658 1659 1660 1661 1662 1663 | #if OPENSSL_VERSION_NUMBER < 0x10101000L SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); /* handle new handshakes in background. On by default in OpenSSL 1.1.1. */ #endif SSL_CTX_sess_set_cache_size(ctx, 128); /* Set user defined ciphers, cipher suites, and security level */ if ((ciphers != NULL) && !SSL_CTX_set_cipher_list(ctx, ciphers)) { | | | | | | | | 1671 1672 1673 1674 1675 1676 1677 1678 1679 1680 1681 1682 1683 1684 1685 1686 1687 1688 1689 1690 1691 1692 | #if OPENSSL_VERSION_NUMBER < 0x10101000L SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); /* handle new handshakes in background. On by default in OpenSSL 1.1.1. */ #endif SSL_CTX_sess_set_cache_size(ctx, 128); /* Set user defined ciphers, cipher suites, and security level */ if ((ciphers != NULL) && !SSL_CTX_set_cipher_list(ctx, ciphers)) { Tcl_AppendResult(interp, "Set ciphers failed: No valid ciphers", (char *) NULL); SSL_CTX_free(ctx); return NULL; } if ((ciphersuites != NULL) && !SSL_CTX_set_ciphersuites(ctx, ciphersuites)) { Tcl_AppendResult(interp, "Set cipher suites failed: No valid ciphers", (char *) NULL); SSL_CTX_free(ctx); return NULL; } /* Set security level */ if (level > -1 && level < 6) { /* SSL_set_security_level */ SSL_CTX_set_security_level(ctx, level); } |
︙ | ︙ | |||
1881 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892 1893 1894 | chan = Tcl_GetTopChannel(chan); if (Tcl_GetChannelType(chan) != Tls_ChannelType()) { Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), "\": not a TLS channel", NULL); return TCL_ERROR; } statePtr = (State *) Tcl_GetChannelInstanceData(chan); if (objc == 2) { peer = SSL_get_peer_certificate(statePtr->ssl); } else { peer = SSL_get_certificate(statePtr->ssl); } if (peer) { objPtr = Tls_NewX509Obj(interp, peer); | > > | 1895 1896 1897 1898 1899 1900 1901 1902 1903 1904 1905 1906 1907 1908 1909 1910 | chan = Tcl_GetTopChannel(chan); if (Tcl_GetChannelType(chan) != Tls_ChannelType()) { Tcl_AppendResult(interp, "bad channel \"", Tcl_GetChannelName(chan), "\": not a TLS channel", NULL); return TCL_ERROR; } statePtr = (State *) Tcl_GetChannelInstanceData(chan); /* Get certificate for peer or self */ if (objc == 2) { peer = SSL_get_peer_certificate(statePtr->ssl); } else { peer = SSL_get_certificate(statePtr->ssl); } if (peer) { objPtr = Tls_NewX509Obj(interp, peer); |
︙ | ︙ | |||
2034 2035 2036 2037 2038 2039 2040 | bits = SSL_CIPHER_get_bits(cipher, &alg_bits); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("bits", -1)); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj(bits)); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("secret_bits", -1)); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj(alg_bits)); /* alg_bits is actual key secret bits. If use bits and secret (algorithm) bits differ, | | | 2050 2051 2052 2053 2054 2055 2056 2057 2058 2059 2060 2061 2062 2063 2064 | bits = SSL_CIPHER_get_bits(cipher, &alg_bits); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("bits", -1)); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj(bits)); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("secret_bits", -1)); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj(alg_bits)); /* alg_bits is actual key secret bits. If use bits and secret (algorithm) bits differ, the rest of the bits are fixed, i.e. for limited export ciphers (bits < 56) */ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("min_version", -1)); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_CIPHER_get_version(cipher), -1)); /* Get OpenSSL-specific ID, not IANA ID */ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("id", -1)); Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj((int) SSL_CIPHER_get_id(cipher))); |
︙ | ︙ | |||
2586 2587 2588 2589 2590 2591 2592 | static int initialized = 0; int status = TCL_OK; #if defined(OPENSSL_THREADS) && defined(TCL_THREADS) size_t num_locks; #endif if (uninitialize) { | | | | | | | | | | | | | | | | | | 2602 2603 2604 2605 2606 2607 2608 2609 2610 2611 2612 2613 2614 2615 2616 2617 2618 2619 2620 2621 2622 2623 2624 2625 2626 2627 2628 2629 2630 2631 2632 2633 2634 2635 2636 2637 2638 2639 2640 2641 2642 2643 2644 | static int initialized = 0; int status = TCL_OK; #if defined(OPENSSL_THREADS) && defined(TCL_THREADS) size_t num_locks; #endif if (uninitialize) { if (!initialized) { dprintf("Asked to uninitialize, but we are not initialized"); return(TCL_OK); } dprintf("Asked to uninitialize"); #if defined(OPENSSL_THREADS) && defined(TCL_THREADS) Tcl_MutexLock(&init_mx); if (locks) { free(locks); locks = NULL; locksCount = 0; } #endif initialized = 0; #if defined(OPENSSL_THREADS) && defined(TCL_THREADS) Tcl_MutexUnlock(&init_mx); #endif return(TCL_OK); } if (initialized) { dprintf("Called, but using cached value"); return(status); } dprintf("Called"); #if defined(OPENSSL_THREADS) && defined(TCL_THREADS) Tcl_MutexLock(&init_mx); #endif |
︙ | ︙ |
Modified library/tls.tcl
from [3d9455fa97]
to [91a83164bf].
︙ | ︙ | |||
28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 | #### iopts: [tls::import] option ### How many arguments the following the option to consume variable socketOptionRules { {0 -async sopts 0} {* -myaddr sopts 1} {0 -myport sopts 1} {* -type sopts 1} {* -cadir iopts 1} {* -cafile iopts 1} {* -cert iopts 1} {* -certfile iopts 1} {* -cipher iopts 1} {* -ciphersuites iopts 1} {* -command iopts 1} {* -dhparams iopts 1} {* -key iopts 1} {* -keyfile iopts 1} {* -password iopts 1} {* -request iopts 1} {* -require iopts 1} {* -securitylevel iopts 1} {* -autoservername discardOpts 1} {* -servername iopts 1} {* -session_id iopts 1} | > > > < > > | 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 | #### iopts: [tls::import] option ### How many arguments the following the option to consume variable socketOptionRules { {0 -async sopts 0} {* -myaddr sopts 1} {0 -myport sopts 1} {* -type sopts 1} {* -alpn iopts 1} {* -cadir iopts 1} {* -cafile iopts 1} {* -cert iopts 1} {* -certfile iopts 1} {* -cipher iopts 1} {* -ciphersuites iopts 1} {* -command iopts 1} {* -dhparams iopts 1} {* -key iopts 1} {* -keyfile iopts 1} {* -password iopts 1} {* -post_handshake iopts 1} {* -request iopts 1} {* -require iopts 1} {* -securitylevel iopts 1} {* -autoservername discardOpts 1} {* -server iopts 1} {* -servername iopts 1} {* -session_id iopts 1} {* -ssl2 iopts 1} {* -ssl3 iopts 1} {* -tls1 iopts 1} {* -tls1.1 iopts 1} {* -tls1.2 iopts 1} {* -tls1.3 iopts 1} {* -validatecommand iopts 1} {* -vcmd iopts 1} } # tls::socket and tls::init options as a humane readable string variable socketOptionsNoServer variable socketOptionsServer # Internal [switch] body to validate options |
︙ | ︙ | |||
305 306 307 308 309 310 311 312 313 314 315 316 317 318 | log 1 "tls::_accept error: ${::errorInfo}" close $chan error $err $::errorInfo $::errorCode } else { log 2 "tls::_accept - called \"$callback\" succeeded" } } # # Sample callback for hooking: - # # error # verify # info # | > | 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 | log 1 "tls::_accept error: ${::errorInfo}" close $chan error $err $::errorInfo $::errorCode } else { log 2 "tls::_accept - called \"$callback\" succeeded" } } # # Sample callback for hooking: - # # error # verify # info # |
︙ | ︙ |