Overview
Comment: | Started adding support for TLSv1.3 |
SHA3-256: |
e245d231ee3734908e74c47d17a461aa |
User & Date: | rkeene on 2018-11-07 23:27:43 |
Changes
Modified aclocal/tcltls_openssl.m4 from [7fc36028a7] to [4c01c5e600].
︙ | ︙ | |||
156 157 158 159 160 161 162 163 164 165 166 167 168 169 | AC_LANG_POP([C]) TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_ssl2], [SSLv2_method], [sslv2], [NO_SSL2]) TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_ssl3], [SSLv3_method], [sslv3], [NO_SSL3]) TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_0], [TLSv1_method], [tlsv1.0], [NO_TLS1]) TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_1], [TLSv1_1_method], [tlsv1.1], [NO_TLS1_1]) TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_2], [TLSv1_2_method], [tlsv1.2], [NO_TLS1_2]) AC_CACHE_VAL([tcltls_cv_func_tlsext_hostname], [ AC_LANG_PUSH(C) AC_MSG_CHECKING([for SSL_set_tlsext_host_name]) AC_LINK_IFELSE([AC_LANG_PROGRAM([ #include <openssl/ssl.h> #if (SSLEAY_VERSION_NUMBER >= 0x0907000L) | > | 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 | AC_LANG_POP([C]) TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_ssl2], [SSLv2_method], [sslv2], [NO_SSL2]) TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_ssl3], [SSLv3_method], [sslv3], [NO_SSL3]) TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_0], [TLSv1_method], [tlsv1.0], [NO_TLS1]) TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_1], [TLSv1_1_method], [tlsv1.1], [NO_TLS1_1]) TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_2], [TLSv1_2_method], [tlsv1.2], [NO_TLS1_2]) TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_3], [TLSv1_3_method], [tlsv1.3], [NO_TLS1_3]) AC_CACHE_VAL([tcltls_cv_func_tlsext_hostname], [ AC_LANG_PUSH(C) AC_MSG_CHECKING([for SSL_set_tlsext_host_name]) AC_LINK_IFELSE([AC_LANG_PROGRAM([ #include <openssl/ssl.h> #if (SSLEAY_VERSION_NUMBER >= 0x0907000L) |
︙ | ︙ |
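Review bot: The added `TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_3], [TLSv1_3_method], [tlsv1.3], [NO_TLS1_3])` probes for a symbol that OpenSSL does not provide: no version-specific `TLSv1_3_method()` was ever added, and OpenSSL 1.1.1 exposes TLS 1.3 only through `TLS_method()` bounded by `SSL_CTX_set_min_proto_version()`/`SSL_CTX_set_max_proto_version()` with `TLS1_3_VERSION`, so unless a compatibility shim elsewhere in the project defines that name the link test fails on every release, `NO_TLS1_3` is always defined and the new option is dead on arrival. The same symbol is used in the tls.c hunk (`ctx = SSL_CTX_new(TLSv1_3_method());` in `CiphersObjCmd`), which would then always reach the `"protocol not supported"` branch for `tls1.3`. A probe that reflects real support would link a small program that calls `TLS_method()` and `SSL_CTX_set_max_proto_version()` and references `TLS1_3_VERSION` from `<openssl/ssl.h>`, with the C side switching to the same calls instead of a per-version method. The `AC_CACHE_VAL` block that follows the new line ends outside the hunk.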
Modified configure.ac from [3bb0de7286] to [9215a3ba47].
︙ | ︙ | |||
106 107 108 109 110 111 112 | if test "$enableval" = "yes"; then tcltls_ssl_tls1_1='force' else tcltls_ssl_tls1_1='false' fi ]) | | > > > > > > > > > > > | 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 | if test "$enableval" = "yes"; then tcltls_ssl_tls1_1='force' else tcltls_ssl_tls1_1='false' fi ]) dnl ## TLSv1.2: Enabled by default tcltls_ssl_tls1_2='true' AC_ARG_ENABLE([tlsv1.2], AS_HELP_STRING([--disable-tlsv1.2], [disable TLSv1.2 protocol]), [ if test "$enableval" = "yes"; then tcltls_ssl_tls1_2='force' else tcltls_ssl_tls1_2='false' fi ]) dnl ## TLSv1.3: Enabled by default tcltls_ssl_tls1_3='true' AC_ARG_ENABLE([tlsv1.3], AS_HELP_STRING([--disable-tlsv1.3], [disable TLSv1.3 protocol]), [ if test "$enableval" = "yes"; then tcltls_ssl_tls1_3='force' else tcltls_ssl_tls1_3='false' fi ]) dnl Enable support for a debugging build tcltls_debug='false' AC_ARG_ENABLE([debug], AS_HELP_STRING([--enable-debug], [enable debugging parameters]), [ if test "$enableval" = "yes"; then tcltls_debug='true' fi |
︙ | ︙ |
Modified tls.c from [7d9b3af7fe] to [f0ecc97895].
︙ | ︙ | |||
494 495 496 497 498 499 500 | CiphersObjCmd(clientData, interp, objc, objv) ClientData clientData; /* Not used. */ Tcl_Interp *interp; int objc; Tcl_Obj *CONST objv[]; { static CONST84 char *protocols[] = { | | | | 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 | CiphersObjCmd(clientData, interp, objc, objv) ClientData clientData; /* Not used. */ Tcl_Interp *interp; int objc; Tcl_Obj *CONST objv[]; { static CONST84 char *protocols[] = { "ssl2", "ssl3", "tls1", "tls1.1", "tls1.2", "tls1.3", NULL }; enum protocol { TLS_SSL2, TLS_SSL3, TLS_TLS1, TLS_TLS1_1, TLS_TLS1_2, TLS_TLS1_3, TLS_NONE }; Tcl_Obj *objPtr; SSL_CTX *ctx = NULL; SSL *ssl = NULL; STACK_OF(SSL_CIPHER) *sk; char *cp, buf[BUFSIZ]; int index, verbose = 0; |
︙ | ︙ | |||
556 557 558 559 560 561 562 563 564 565 566 567 568 569 | case TLS_TLS1_2: #if defined(NO_TLS1_2) Tcl_AppendResult(interp, "protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLSv1_2_method()); break; #endif default: break; } if (ctx == NULL) { Tcl_AppendResult(interp, REASON(), (char *) NULL); return TCL_ERROR; } | > > > > > > > | 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 | case TLS_TLS1_2: #if defined(NO_TLS1_2) Tcl_AppendResult(interp, "protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLSv1_2_method()); break; #endif case TLS_TLS1_3: #if defined(NO_TLS1_3) Tcl_AppendResult(interp, "protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLSv1_3_method()); break; #endif default: break; } if (ctx == NULL) { Tcl_AppendResult(interp, REASON(), (char *) NULL); return TCL_ERROR; } |
︙ | ︙ |
Modified tls.htm from [9d6687fab1] to [2335b9e315].
︙ | ︙ | |||
217 218 219 220 221 222 223 224 225 226 227 228 229 230 | <dd>Enable use of SSL v3. (<strong>default</strong>: <em>false</em>)</dd> <dt>-<strong>tls1</strong> <em>bool</em></dt> <dd>Enable use of TLS v1. (<strong>default</strong>: <em>true</em>)</dd> <dt>-<strong>tls1.1</strong> <em>bool</em></dt> <dd>Enable use of TLS v1.1 (<strong>default</strong>: <em>true</em>)</dd> <dt>-<strong>tls1.2</strong> <em>bool</em></dt> <dd>Enable use of TLS v1.2 (<strong>default</strong>: <em>true</em>)</dd> </dl> </blockquote> <dl> <dt><a name="tls::unimport"><b>tls::unimport </b><i>channel</i></a></dt> <dd>Provided for symmetry to <strong>tls::import</strong>, this unstacks the SSL-enabling of a regular Tcl channel. An error | > > | 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 | <dd>Enable use of SSL v3. (<strong>default</strong>: <em>false</em>)</dd> <dt>-<strong>tls1</strong> <em>bool</em></dt> <dd>Enable use of TLS v1. (<strong>default</strong>: <em>true</em>)</dd> <dt>-<strong>tls1.1</strong> <em>bool</em></dt> <dd>Enable use of TLS v1.1 (<strong>default</strong>: <em>true</em>)</dd> <dt>-<strong>tls1.2</strong> <em>bool</em></dt> <dd>Enable use of TLS v1.2 (<strong>default</strong>: <em>true</em>)</dd> <dt>-<strong>tls1.3</strong> <em>bool</em></dt> <dd>Enable use of TLS v1.3 (<strong>default</strong>: <em>true</em>)</dd> </dl> </blockquote> <dl> <dt><a name="tls::unimport"><b>tls::unimport </b><i>channel</i></a></dt> <dd>Provided for symmetry to <strong>tls::import</strong>, this unstacks the SSL-enabling of a regular Tcl channel. An error |
︙ | ︙ |
Modified tls.tcl from [04fbf290ac] to [75c0c2a68a].
︙ | ︙ | |||
45 46 47 48 49 50 51 52 53 54 55 56 57 58 | {* -autoservername discardOpts 1} {* -servername iopts 1} {* -ssl2 iopts 1} {* -ssl3 iopts 1} {* -tls1 iopts 1} {* -tls1.1 iopts 1} {* -tls1.2 iopts 1} } # tls::socket and tls::init options as a humane readable string variable socketOptionsNoServer variable socketOptionsServer # Internal [switch] body to validate options | > | 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 | {* -autoservername discardOpts 1} {* -servername iopts 1} {* -ssl2 iopts 1} {* -ssl3 iopts 1} {* -tls1 iopts 1} {* -tls1.1 iopts 1} {* -tls1.2 iopts 1} {* -tls1.3 iopts 1} } # tls::socket and tls::init options as a humane readable string variable socketOptionsNoServer variable socketOptionsServer # Internal [switch] body to validate options |
︙ | ︙ |
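Review bot: `{* -tls1.3 iopts 1}` adds the option to the table that the Tcl layer validates and appears to forward as an import option, and tls.htm now documents `-tls1.3` as defaulting to true, yet no hunk in this commit touches the C-side option parsing that would have to act on it (the only tls.c change is in `CiphersObjCmd`). Unless that parsing is updated outside this diff, a caller's `-tls1.3 0` is either rejected by `tls::import` as an unknown option or accepted and silently ignored, and the documented default cannot be confirmed from this change. The table entry and the documentation should land in the same commit as the code that honours them, so that a user who turns the protocol off is not left with a setting that has no effect. The option-rules list this entry belongs to starts before the hunk.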