Changes In Branch enhancement/tls-1.3 Through [7978a539fc] Excluding Merge-Ins
This is equivalent to a diff from afec51b85b to 7978a539fc
2019-04-09
| ||
17:04 | Added remaining TLSv1.3 support Closed-Leaf check-in: 569c10f3b2 user: rkeene tags: enhancement/tls-1.3 | |
15:58 | Better handling of the case where the shared and static extensions are the same (AIX) check-in: 9c59fec751 user: rkeene tags: trunk | |
2018-11-08
| ||
00:23 | Note that TLSv1.3 is a lot different in API, this branch is incomplete check-in: 7978a539fc user: rkeene tags: enhancement/tls-1.3 | |
2018-11-07
| ||
23:51 | Added missing TLSv1.3 support check-in: efc1e122f2 user: rkeene tags: enhancement/tls-1.3 | |
23:27 | Started adding support for TLSv1.3 check-in: e245d231ee user: rkeene tags: enhancement/tls-1.3 | |
2018-10-30
| ||
14:20 | Applied patch from Jinhu to address [94c6a431fee] check-in: afec51b85b user: rkeene tags: trunk | |
2018-02-07
| ||
15:37 | Updated to reset "eofchar" and "encoding" when importing channels as well as translation and blocking (part of [f798e2ea12]) check-in: 1d757f7e2d user: rkeene tags: trunk | |
Modified aclocal/tcltls_openssl.m4 from [7fc36028a7] to [b57255617d].
︙ | ︙ | |||
157 158 159 160 161 162 163 164 165 166 167 168 169 170 | TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_ssl2], [SSLv2_method], [sslv2], [NO_SSL2]) TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_ssl3], [SSLv3_method], [sslv3], [NO_SSL3]) TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_0], [TLSv1_method], [tlsv1.0], [NO_TLS1]) TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_1], [TLSv1_1_method], [tlsv1.1], [NO_TLS1_1]) TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_2], [TLSv1_2_method], [tlsv1.2], [NO_TLS1_2]) AC_CACHE_VAL([tcltls_cv_func_tlsext_hostname], [ AC_LANG_PUSH(C) AC_MSG_CHECKING([for SSL_set_tlsext_host_name]) AC_LINK_IFELSE([AC_LANG_PROGRAM([ #include <openssl/ssl.h> #if (SSLEAY_VERSION_NUMBER >= 0x0907000L) # include <openssl/conf.h> | > > > > | 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 | TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_ssl2], [SSLv2_method], [sslv2], [NO_SSL2]) TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_ssl3], [SSLv3_method], [sslv3], [NO_SSL3]) TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_0], [TLSv1_method], [tlsv1.0], [NO_TLS1]) TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_1], [TLSv1_1_method], [tlsv1.1], [NO_TLS1_1]) TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_2], [TLSv1_2_method], [tlsv1.2], [NO_TLS1_2]) dnl XXX:TODO: Note that OpenSSL 1.1.1 does not export this, still need to figure out how to dnl talk only TLSv1.3 TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_3], [TLSv1_3_method], [tlsv1.3], [NO_TLS1_3]) AC_CACHE_VAL([tcltls_cv_func_tlsext_hostname], [ AC_LANG_PUSH(C) AC_MSG_CHECKING([for SSL_set_tlsext_host_name]) AC_LINK_IFELSE([AC_LANG_PROGRAM([ #include <openssl/ssl.h> #if (SSLEAY_VERSION_NUMBER >= 0x0907000L) # include <openssl/conf.h> |
︙ | ︙ |
Modified configure.ac from [3bb0de7286] to [9215a3ba47].
︙ | ︙ | |||
106 107 108 109 110 111 112 | if test "$enableval" = "yes"; then tcltls_ssl_tls1_1='force' else tcltls_ssl_tls1_1='false' fi ]) | | > > > > > > > > > > > | 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 | if test "$enableval" = "yes"; then tcltls_ssl_tls1_1='force' else tcltls_ssl_tls1_1='false' fi ]) dnl ## TLSv1.2: Enabled by default tcltls_ssl_tls1_2='true' AC_ARG_ENABLE([tlsv1.2], AS_HELP_STRING([--disable-tlsv1.2], [disable TLSv1.2 protocol]), [ if test "$enableval" = "yes"; then tcltls_ssl_tls1_2='force' else tcltls_ssl_tls1_2='false' fi ]) dnl ## TLSv1.3: Enabled by default tcltls_ssl_tls1_3='true' AC_ARG_ENABLE([tlsv1.3], AS_HELP_STRING([--disable-tlsv1.3], [disable TLSv1.3 protocol]), [ if test "$enableval" = "yes"; then tcltls_ssl_tls1_3='force' else tcltls_ssl_tls1_3='false' fi ]) dnl Enable support for a debugging build tcltls_debug='false' AC_ARG_ENABLE([debug], AS_HELP_STRING([--enable-debug], [enable debugging parameters]), [ if test "$enableval" = "yes"; then tcltls_debug='true' fi |
︙ | ︙ |
Modified tls.c from [7d9b3af7fe] to [b408a25024].
︙ | ︙ | |||
494 495 496 497 498 499 500 | CiphersObjCmd(clientData, interp, objc, objv) ClientData clientData; /* Not used. */ Tcl_Interp *interp; int objc; Tcl_Obj *CONST objv[]; { static CONST84 char *protocols[] = { | | | | 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 | CiphersObjCmd(clientData, interp, objc, objv) ClientData clientData; /* Not used. */ Tcl_Interp *interp; int objc; Tcl_Obj *CONST objv[]; { static CONST84 char *protocols[] = { "ssl2", "ssl3", "tls1", "tls1.1", "tls1.2", "tls1.3", NULL }; enum protocol { TLS_SSL2, TLS_SSL3, TLS_TLS1, TLS_TLS1_1, TLS_TLS1_2, TLS_TLS1_3, TLS_NONE }; Tcl_Obj *objPtr; SSL_CTX *ctx = NULL; SSL *ssl = NULL; STACK_OF(SSL_CIPHER) *sk; char *cp, buf[BUFSIZ]; int index, verbose = 0; |
︙ | ︙ | |||
556 557 558 559 560 561 562 563 564 565 566 567 568 569 | case TLS_TLS1_2: #if defined(NO_TLS1_2) Tcl_AppendResult(interp, "protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLSv1_2_method()); break; #endif default: break; } if (ctx == NULL) { Tcl_AppendResult(interp, REASON(), (char *) NULL); return TCL_ERROR; } | > > > > > > > | 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 | case TLS_TLS1_2: #if defined(NO_TLS1_2) Tcl_AppendResult(interp, "protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLSv1_2_method()); break; #endif case TLS_TLS1_3: #if defined(NO_TLS1_3) Tcl_AppendResult(interp, "protocol not supported", NULL); return TCL_ERROR; #else ctx = SSL_CTX_new(TLSv1_3_method()); break; #endif default: break; } if (ctx == NULL) { Tcl_AppendResult(interp, REASON(), (char *) NULL); return TCL_ERROR; } |
︙ | ︙ | |||
733 734 735 736 737 738 739 | char *CAdir = NULL; char *DHparams = NULL; char *model = NULL; #ifndef OPENSSL_NO_TLSEXT char *servername = NULL; /* hostname for Server Name Indication */ #endif int ssl2 = 0, ssl3 = 0; | | > > > | 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 | char *CAdir = NULL; char *DHparams = NULL; char *model = NULL; #ifndef OPENSSL_NO_TLSEXT char *servername = NULL; /* hostname for Server Name Indication */ #endif int ssl2 = 0, ssl3 = 0; int tls1 = 1, tls1_1 = 1, tls1_2 = 1, tls1_3 = 1; int proto = 0; int verify = 0, require = 0, request = 1; dprintf("Called"); #if defined(NO_TLS1) && defined(NO_TLS1_1) && defined(NO_TLS1_2) && defined(NO_SSL3) && !defined(NO_SSL2) ssl2 = 1; #endif #if defined(NO_TLS1) && defined(NO_TLS1_1) && defined(NO_TLS1_2) && defined(NO_SSL2) && !defined(NO_SSL3) ssl3 = 1; #endif #if defined(NO_TLS1) tls1 = 0; #endif #if defined(NO_TLS1_1) tls1_1 = 0; #endif #if defined(NO_TLS1_2) tls1_2 = 0; #endif #if defined(NO_TLS1_3) tls1_3 = 0; #endif if (objc < 2) { Tcl_WrongNumArgs(interp, 1, objv, "channel ?options?"); return TCL_ERROR; } |
︙ | ︙ | |||
797 798 799 800 801 802 803 804 | #endif OPTBOOL( "-ssl2", ssl2); OPTBOOL( "-ssl3", ssl3); OPTBOOL( "-tls1", tls1); OPTBOOL( "-tls1.1", tls1_1); OPTBOOL( "-tls1.2", tls1_2); | > | | 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 | #endif OPTBOOL( "-ssl2", ssl2); OPTBOOL( "-ssl3", ssl3); OPTBOOL( "-tls1", tls1); OPTBOOL( "-tls1.1", tls1_1); OPTBOOL( "-tls1.2", tls1_2); OPTBOOL( "-tls1.3", tls1_3); OPTBAD( "option", "-cadir, -cafile, -certfile, -cipher, -command, -dhparams, -keyfile, -model, -password, -require, -request, -server, -servername, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, or tls1.3"); return TCL_ERROR; } if (request) verify |= SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER; if (request && require) verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; if (verify == 0) verify = SSL_VERIFY_NONE; |
︙ | ︙ |
Modified tls.htm from [9d6687fab1] to [2335b9e315].
︙ | ︙ | |||
217 218 219 220 221 222 223 224 225 226 227 228 229 230 | <dd>Enable use of SSL v3. (<strong>default</strong>: <em>false</em>)</dd> <dt>-<strong>tls1</strong> <em>bool</em></dt> <dd>Enable use of TLS v1. (<strong>default</strong>: <em>true</em>)</dd> <dt>-<strong>tls1.1</strong> <em>bool</em></dt> <dd>Enable use of TLS v1.1 (<strong>default</strong>: <em>true</em>)</dd> <dt>-<strong>tls1.2</strong> <em>bool</em></dt> <dd>Enable use of TLS v1.2 (<strong>default</strong>: <em>true</em>)</dd> </dl> </blockquote> <dl> <dt><a name="tls::unimport"><b>tls::unimport </b><i>channel</i></a></dt> <dd>Provided for symmetry to <strong>tls::import</strong>, this unstacks the SSL-enabling of a regular Tcl channel. An error | > > | 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 | <dd>Enable use of SSL v3. (<strong>default</strong>: <em>false</em>)</dd> <dt>-<strong>tls1</strong> <em>bool</em></dt> <dd>Enable use of TLS v1. (<strong>default</strong>: <em>true</em>)</dd> <dt>-<strong>tls1.1</strong> <em>bool</em></dt> <dd>Enable use of TLS v1.1 (<strong>default</strong>: <em>true</em>)</dd> <dt>-<strong>tls1.2</strong> <em>bool</em></dt> <dd>Enable use of TLS v1.2 (<strong>default</strong>: <em>true</em>)</dd> <dt>-<strong>tls1.3</strong> <em>bool</em></dt> <dd>Enable use of TLS v1.3 (<strong>default</strong>: <em>true</em>)</dd> </dl> </blockquote> <dl> <dt><a name="tls::unimport"><b>tls::unimport </b><i>channel</i></a></dt> <dd>Provided for symmetry to <strong>tls::import</strong>, this unstacks the SSL-enabling of a regular Tcl channel. An error |
︙ | ︙ |
Modified tls.tcl from [04fbf290ac] to [75c0c2a68a].
︙ | ︙ | |||
45 46 47 48 49 50 51 52 53 54 55 56 57 58 | {* -autoservername discardOpts 1} {* -servername iopts 1} {* -ssl2 iopts 1} {* -ssl3 iopts 1} {* -tls1 iopts 1} {* -tls1.1 iopts 1} {* -tls1.2 iopts 1} } # tls::socket and tls::init options as a humane readable string variable socketOptionsNoServer variable socketOptionsServer # Internal [switch] body to validate options | > | 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 | {* -autoservername discardOpts 1} {* -servername iopts 1} {* -ssl2 iopts 1} {* -ssl3 iopts 1} {* -tls1 iopts 1} {* -tls1.1 iopts 1} {* -tls1.2 iopts 1} {* -tls1.3 iopts 1} } # tls::socket and tls::init options as a humane readable string variable socketOptionsNoServer variable socketOptionsServer # Internal [switch] body to validate options |
︙ | ︙ |