Artifacts Associated With Ticket 2c7b7487966f6597
Ticket change [ba04940b5b] (rid 1526) by oehhar on 2020-09-28 15:26:46:
- foundin initialized to: "trunk"
- icomment:
Currently, a failed TLS negociation for a server socket calles bgerror. I would appreciate, if there would be an option to pass a command prefix to be called in case of an error: ::tcltls::tls_socket -errorcmd [namespace code TLSError] More information and proposal may be seen in the linked TWAPI ticket: [https://sourceforge.net/p/twapi/bugs/189/] Thank you, Harald
- login: "oehhar"
- mimetype: "text/x-fossil-plain"
- private_contact initialized to: "0f366eb3e9e2fcab52b8ebacd197db9047186a5f"
- severity initialized to: "Minor"
- status initialized to: "Open"
- title initialized to: "Control TLS socket server errors"
- type initialized to: "Feature Request"
Ticket change [d28e12627d] (rid 1558) by aspect on 2021-03-02 05:34:06:
- icomment:
This was discussed on the chat yesterday. Errors in negotiation can be received by [tls::handshake], but a bgerror is still produced. This short example demonstrates: package require tls tls::init -cadir /etc/ssl/certs -require true -ssl2 0 -ssl3 0 -tls1 0 -tls1.1 0 proc bgerror {err} { puts "bgerror: $err" } proc do_connect {} { set chan [tls::socket irc.choopa.net 9999] # ensure handshake completes try { while {![tls::handshake $chan]} {puts handshake} } on error {err opts} { puts "handshake error: $err" return false } return true } do_connect puts "synchronous code done" update Output: handshake error: handshake failed: certificate verify failed synchronous code done bgerror: SSL channel "sock556449741e30": error: certificate verify failed Note that without the call to tls::handshake, the same error will be produced on first attempt to read or write the socket. There are calls to Tcl_BackgroundError() in both Tls_Error() and VerifyCallback(). The Tls_Error() invocations all come through stacked channel machinery, so it *may* be possible to instead pass the error back to Tcl. Note the twapi ticket says this isn't an option there, but refers to reflected channels. I'm not sure if transchans will propagate errors from callbacks VerifyCallback() is called by openssl so probably not so simple. If extra plumbing is needed, one suggestion was to use a hash table keyed by the channel ID to mark the presence of a synchronous operation that can return the error. This may need mutex protection. Another question when looking at the code: it seems like tcltls requires/assumes that the tls channel is the top of a channel stack. I'm not sure this is correct, since it might make sense to push another transform on top of tls. It may be worth investigating this.
- login: "aspect"
- mimetype: "text/x-fossil-plain"
- priority changed to: "Immediate"
- resolution changed to: "Open"
- icomment:
Ticket change [582c343024] (rid 1561) by tombert on 2021-05-12 10:12:24:
- icomment:
I can confirm. The BGERROR messages also appear when running the original test examples simpleClient.tcl and simpleServer.tcl.
- login: "tombert"
- mimetype: "text/x-markdown"
- icomment:
Ticket change [4fad39455e] (rid 1604) by oehhar on 2024-01-23 21:43:56:
- icomment:
As currently not solvable due to the stacked channel architecture -> Close
- login: "oehhar"
- mimetype: "text/x-fossil-wiki"
- priority changed to: "Medium"
- resolution changed to: "External_Bug"
- status changed to: "Deferred"
- username: "oehhar"
- icomment:
Ticket change [afbdc4ab60] (rid 1605) by oehhar on 2024-01-23 21:44:30:
- login: "oehhar"
- mimetype: "text/x-markdown"
- status changed to: "Closed"
Ticket change [a09a07e554] (rid 3552) by bohagan on 2024-05-28 00:17:12:
- icomment:
This should be resolved by the changes in [6a11f1215890a7c3].
- login: "bohagan"
- mimetype: "text/x-fossil-plain"
- icomment: