History Of Ticket 2c7b7487966f6597
Bounty program for improvements to Tcl and certain Tcl packages.

Artifacts Associated With Ticket 2c7b7487966f6597

  1. Ticket change [ba04940b5b] (rid 1526) by oehhar on 2020-09-28 15:26:46:

    1. foundin initialized to: "trunk"
    2. icomment:
      Currently, a failed TLS negotiation for a server socket calls bgerror.
      
      I would appreciate it if there were an option to pass a command prefix to be called in case of an error:
      
      ::tcltls::tls_socket -errorcmd [namespace code TLSError]
      
      
      More information and a proposal may be seen in the linked TWAPI ticket:
      
      [https://sourceforge.net/p/twapi/bugs/189/]
      
      Thank you,
      Harald
      
    3. login: "oehhar"
    4. mimetype: "text/x-fossil-plain"
    5. private_contact initialized to: "0f366eb3e9e2fcab52b8ebacd197db9047186a5f"
    6. severity initialized to: "Minor"
    7. status initialized to: "Open"
    8. title initialized to: "Control TLS socket server errors"
    9. type initialized to: "Feature Request"
  2. Ticket change [d28e12627d] (rid 1558) by aspect on 2021-03-02 05:34:06:

    1. icomment:
      This was discussed on the chat yesterday.  Errors in negotiation can be received 
      by [tls::handshake], but a bgerror is still produced.  This short example 
      demonstrates:
      
      package require tls
      
      tls::init -cadir /etc/ssl/certs -require true -ssl2 0 -ssl3 0 -tls1 0 -tls1.1 0
      
      proc bgerror {err} {
          puts "bgerror: $err"
      }
      
      proc do_connect {} {
          set chan [tls::socket irc.choopa.net 9999]
      
          # ensure handshake completes
          try {
              while {![tls::handshake $chan]} {puts handshake}
          } on error {err opts} {
              puts "handshake error: $err"
              return false
          }
      
          return true
      }
      
      do_connect
      puts "synchronous code done"
      update
      
      Output:
      
      handshake error: handshake failed: certificate verify failed
      synchronous code done
      bgerror: SSL channel "sock556449741e30": error: certificate verify failed
      
      Note that without the call to tls::handshake, the same error will be produced 
      on first attempt to read or write the socket.
      
      There are calls to Tcl_BackgroundError() in both Tls_Error() and
      VerifyCallback().  The Tls_Error() invocations all come through stacked channel 
      machinery, so it *may* be possible to instead pass the error back to Tcl.  Note 
      the twapi ticket says this isn't an option there, but refers to reflected 
      channels.  I'm not sure if transchans will propagate errors from callbacks.
      VerifyCallback() is called by openssl so probably not so simple.
      
      If extra plumbing is needed, one suggestion was to use a hash table keyed by 
      the channel ID to mark the presence of a synchronous operation that can return 
      the error.  This may need mutex protection.
      
      Another question when looking at the code:  it seems like tcltls requires/assumes 
      that the tls channel is the top of a channel stack.  I'm not sure this is 
      correct, since it might make sense to push another transform on top of tls.  It 
      may be worth investigating this.
      
    2. login: "aspect"
    3. mimetype: "text/x-fossil-plain"
    4. priority changed to: "Immediate"
    5. resolution changed to: "Open"
  3. Ticket change [582c343024] (rid 1561) by tombert on 2021-05-12 10:12:24:

    1. icomment:
      I can confirm. The BGERROR messages also appear when running the original test examples simpleClient.tcl and simpleServer.tcl.
      
    2. login: "tombert"
    3. mimetype: "text/x-markdown"
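A server-side counterpart to aspect's client example, added here as an illustration and not part of the ticket or of tcltls: it catches negotiation failures from tls::handshake in the accept path and routes the residual background error this ticket describes to its own logger via interp bgerror. The certificate file names, the port and the procedure names are assumptions.

```tcl
# Added example, not from the ticket: a TLS echo server that handles
# negotiation failures itself. Assumes the tls package is installed and that
# server.pem, server.key and ca.pem exist (placeholder names); port 8443 is
# arbitrary.
package require tls

# The ticket reports that a failed negotiation still reaches bgerror even when
# the handshake error was caught. Route those residual background errors to a
# logger so one bad client cannot flood the console or go unnoticed.
proc tls_bgerror {msg opts} {
    puts stderr "background TLS error: $msg"
}
interp bgerror {} ::tls_bgerror

proc accept {chan addr port} {
    fconfigure $chan -blocking 0 -buffering line
    fileevent $chan readable [list handshake $chan $addr $port]
}

proc handshake {chan addr port} {
    # tls::handshake returns 1 when done, 0 while still negotiating, and
    # throws when negotiation fails (e.g. no acceptable client certificate).
    if {[catch {tls::handshake $chan} done]} {
        puts stderr "handshake with $addr:$port failed: $done"
        close $chan
        return
    }
    if {$done} {
        fileevent $chan readable [list serve $chan]
    }
}

proc serve {chan} {
    # gets returns -1 when no complete line is available yet or at EOF.
    if {[gets $chan line] < 0} {
        if {[eof $chan]} { close $chan }
        return
    }
    puts $chan "echo: $line"
}

# -require 1 with -cafile enforces client certificates; the legacy protocol
# versions are disabled as in the client example in the ticket.
tls::socket -server accept -certfile server.pem -keyfile server.key \
    -cafile ca.pem -require 1 -ssl2 0 -ssl3 0 -tls1 0 -tls1.1 0 8443
vwait forever
```

With the current tcltls behaviour the handshake failure is logged twice, once from the catch in handshake and once from tls_bgerror; an -errorcmd option as requested in the ticket would make the second path unnecessary.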