Changes In Branch tls-2.0 Excluding Merge-Ins
This is equivalent to a diff from ca1a846290 to e19f6b3f18
2025-02-09
| ||
18:35 | Fixed typos in documentation Leaf check-in: e19f6b3f18 user: bohagan tags: trunk, tls-2.0 | |
2025-02-08
| ||
21:05 | Corrections to previous commit check-in: b565c0a12a user: bohagan tags: trunk, tls-2.0 | |
2025-01-02
| ||
19:36 | Created TLS 2.0 branch. Incremented version to 2.0b1 check-in: 7b51585287 user: bohagan tags: trunk, tls-2.0 | |
18:05 | Tag as TLS 1.8 release Leaf check-in: ca1a846290 user: bohagan tags: trunk, main | |
08:38 | Fix source dir path for installing docs when not building in source root check-in: 4056acea19 user: apnmbx-wits@yahoo.com tags: trunk, main | |
Modified configure
from [11d1dc89f8]
to [952b8a18ee].
1 2 | #! /bin/sh # Guess values for system-dependent variables and create Makefiles. | | | 1 2 3 4 5 6 7 8 9 10 | #! /bin/sh # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.72 for tls 2.0b1. # # # Copyright (C) 1992-1996, 1998-2017, 2020-2023 Free Software Foundation, # Inc. # # # This configure script is free software; the Free Software Foundation |
597 598 599 600 601 602 603 | subdirs= MFLAGS= MAKEFLAGS= # Identity of this package. PACKAGE_NAME='tls' PACKAGE_TARNAME='tls' | | | | 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 | subdirs= MFLAGS= MAKEFLAGS= # Identity of this package. PACKAGE_NAME='tls' PACKAGE_TARNAME='tls' PACKAGE_VERSION='2.0b1' PACKAGE_STRING='tls 2.0b1' PACKAGE_BUGREPORT='' PACKAGE_URL='' # Factoring default headers for most tests. ac_includes_default="\ #include <stddef.h> #ifdef HAVE_STDIO_H |
1338 1339 1340 1341 1342 1343 1344 | # # Report the --help message. # if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF | | | 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 | # # Report the --help message. # if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF 'configure' configures tls 2.0b1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... To assign environment variables (e.g., CC, CFLAGS...), specify them as VAR=VALUE. See below for descriptions of some of the useful variables. Defaults for the options are specified in brackets. |
1400 1401 1402 1403 1404 1405 1406 | cat <<\_ACEOF _ACEOF fi if test -n "$ac_init_help"; then case $ac_init_help in | | | 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 | cat <<\_ACEOF _ACEOF fi if test -n "$ac_init_help"; then case $ac_init_help in short | recursive ) echo "Configuration of tls 2.0b1:";; esac cat <<\_ACEOF Optional Features: --disable-option-checking ignore unrecognized --enable/--with options --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] |
1526 1527 1528 1529 1530 1531 1532 | cd "$ac_pwd" || { ac_status=$?; break; } done fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF | | | 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 | cd "$ac_pwd" || { ac_status=$?; break; } done fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF tls configure 2.0b1 generated by GNU Autoconf 2.72 Copyright (C) 2023 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. _ACEOF exit |
1833 1834 1835 1836 1837 1838 1839 | ac_configure_args_raw=` printf "%s\n" "$ac_configure_args_raw" | sed "$ac_safe_unquote"`;; esac cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. | | | 1833 1834 1835 1836 1837 1838 1839 1840 1841 1842 1843 1844 1845 1846 1847 | ac_configure_args_raw=` printf "%s\n" "$ac_configure_args_raw" | sed "$ac_safe_unquote"`;; esac cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. It was created by tls $as_me 2.0b1, which was generated by GNU Autoconf 2.72. Invocation command line was $ $0$ac_configure_args_raw _ACEOF exec 5>>config.log { |
10289 10290 10291 10292 10293 10294 10295 | test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1 cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # Save the log message, to keep $0 and so on meaningful, and to # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" | | | 10289 10290 10291 10292 10293 10294 10295 10296 10297 10298 10299 10300 10301 10302 10303 | test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1 cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # Save the log message, to keep $0 and so on meaningful, and to # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" This file was extended by tls $as_me 2.0b1, which was generated by GNU Autoconf 2.72. Invocation command line was CONFIG_FILES = $CONFIG_FILES CONFIG_HEADERS = $CONFIG_HEADERS CONFIG_LINKS = $CONFIG_LINKS CONFIG_COMMANDS = $CONFIG_COMMANDS $ $0 $@ |
10344 10345 10346 10347 10348 10349 10350 | _ACEOF ac_cs_config=`printf "%s\n" "$ac_configure_args" | sed "$ac_safe_unquote"` ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\''/g"` cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ | | | 10344 10345 10346 10347 10348 10349 10350 10351 10352 10353 10354 10355 10356 10357 10358 | _ACEOF ac_cs_config=`printf "%s\n" "$ac_configure_args" | sed "$ac_safe_unquote"` ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\''/g"` cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ tls config.status 2.0b1 configured by $0, generated by GNU Autoconf 2.72, with options \\"\$ac_cs_config\\" Copyright (C) 2023 Free Software Foundation, Inc. This config.status script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it." |
Modified configure.ac
from [aade937b37]
to [38d5300d68].
12 13 14 15 16 17 18 | # This initializes the environment with PACKAGE_NAME and PACKAGE_VERSION # set as provided. These will also be added as -D defs in your Makefile # so you can encode the package version directly into the source files. # This will also define a special symbol for Windows (BUILD_<PACKAGE_NAME> # so that we create the export library with the dll. #----------------------------------------------------------------------- | | | 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 | # This initializes the environment with PACKAGE_NAME and PACKAGE_VERSION # set as provided. These will also be added as -D defs in your Makefile # so you can encode the package version directly into the source files. # This will also define a special symbol for Windows (BUILD_<PACKAGE_NAME> # so that we create the export library with the dll. #----------------------------------------------------------------------- AC_INIT([tls],[2.0b1]) #-------------------------------------------------------------------- # Call TEA_INIT as the first TEA_ macro to set up initial vars. # This will define a ${TEA_PLATFORM} variable == "unix" or "windows" # as well as PKG_LIB_FILE and PKG_STUB_LIB_FILE. #-------------------------------------------------------------------- |
Modified doc/tls.html
from [fdf809c1ad]
to [1534a80199].
96 97 98 99 100 101 102 | <!-- Generated from file 'tls.man' by tcllib/doctools with format 'html' --> <!-- Copyright &copy; 1999 Matt Newman -- Copyright &copy; 2004 Starfish Systems -- Copyright &copy; 2024 Brian O'Hagan --> <!-- tls.n --> <body><div class="doctools"> | | | | > | | | | | | | | < | > | > > > | | | | | | > > | | | | | > | > | | | | | | > | | > | | > | | | > | > | | | | | | | | | | | | | > | > | > | > | > | > | > | > | > | > | > | > | > | > | > | > | > | > | > | > | > | > | > | > | > | > | > | > | > | > | > | > | 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 | <!-- Generated from file 'tls.man' by tcllib/doctools with format 'html' --> <!-- Copyright &copy; 1999 Matt Newman -- Copyright &copy; 2004 Starfish Systems -- Copyright &copy; 2024 Brian O'Hagan --> <!-- tls.n --> <body><div class="doctools"> <h1 class="doctools_title">tls(n) 2.0b1 tls "Tcl TLS extension"</h1> <div id="name" class="doctools_section"><h2><a name="name">Name</a></h2> <p>tls - binding to the OpenSSL library for encrypted socket and I/O channel communications</p> </div> <div id="toc" class="doctools_section"><h2><a name="toc">Table Of Contents</a></h2> <ul class="doctools_toc"> <li class="doctools_section"><a href="#toc">Table Of Contents</a></li> <li class="doctools_section"><a href="#synopsis">Synopsis</a></li> <li class="doctools_section"><a href="#section1">Description</a></li> <li class="doctools_section"><a href="#section2">Compatibility</a></li> <li class="doctools_section"><a href="#section3">Commands</a></li> <li class="doctools_section"><a href="#section4">Certificate Validation</a> <ul> <li class="doctools_subsection"><a href="#subsection1">PKI and Certificates</a></li> <li class="doctools_subsection"><a href="#subsection2">Summary of command line options</a></li> <li class="doctools_subsection"><a href="#subsection3">When are command line options needed?</a></li> </ul> </li> <li class="doctools_section"><a href="#section5">Callback Options</a> <ul> <li class="doctools_subsection"><a href="#subsection4">Values for Command Callback</a></li> <li class="doctools_subsection"><a href="#subsection5">Values for Password Callback</a></li> <li class="doctools_subsection"><a href="#subsection6">Values for Validate Command Callback</a></li> </ul> </li> <li class="doctools_section"><a href="#section6">Debug</a></li> <li class="doctools_section"><a href="#section7">Examples</a></li> <li class="doctools_section"><a href="#section8">Special Considerations</a></li> <li class="doctools_section"><a href="#see-also">See Also</a></li> <li class="doctools_section"><a href="#keywords">Keywords</a></li> <li class="doctools_section"><a href="#category">Category</a></li> <li class="doctools_section"><a href="#copyright">Copyright</a></li> </ul> </div> <div id="synopsis" class="doctools_section"><h2><a name="synopsis">Synopsis</a></h2> <div class="doctools_synopsis"> <ul class="doctools_requirements"> <li>package require <b class="pkgname">Tcl 8.5-</b></li> <li>package require <b class="pkgname">tls 2.0b1</b></li> </ul> <ul class="doctools_syntax"> <li><a href="#1"><b class="cmd">tls::init</b> <span class="opt">?<i class="arg">-option</i>?</span> <span class="opt">?<i class="arg">value</i>?</span> <span class="opt">?<i class="arg">-option value ...</i>?</span></a></li> <li><a href="#2"><b class="cmd">tls::socket</b> <span class="opt">?<i class="arg">-option</i>?</span> <span class="opt">?<i class="arg">value</i>?</span> <span class="opt">?<i class="arg">-option value ...</i>?</span> <i class="arg">host</i> <i class="arg">port</i></a></li> <li><a href="#3"><b class="cmd">tls::socket</b> <b class="option">-server</b> <i class="arg">command</i> <span class="opt">?<i class="arg">-option</i>?</span> <span class="opt">?<i class="arg">value</i>?</span> <span class="opt">?<i class="arg">-option value ...</i>?</span> <i class="arg">port</i></a></li> <li><a href="#4"><b class="cmd">tls::import</b> <i class="arg">channel</i> <span class="opt">?<i class="arg">-option</i>?</span> <span class="opt">?<i class="arg">value</i>?</span> <span class="opt">?<i class="arg">-option value ...</i>?</span></a></li> <li><a href="#5"><b class="cmd">tls::unimport</b> <i class="arg">channel</i></a></li> <li><a href="#6"><b class="cmd">tls::handshake</b> <i class="arg">channel</i></a></li> <li><a href="#7"><b class="cmd">tls::status</b> <span class="opt">?<b class="option">-local</b>?</span> <i class="arg">channel</i></a></li> <li><a href="#8"><b class="cmd">tls::connection</b> <i class="arg">channel</i></a></li> <li><a href="#9"><b class="cmd">tls::ciphers</b> <span class="opt">?<i class="arg">protocol</i>?</span> <span class="opt">?<i class="arg">verbose</i>?</span> <span class="opt">?<i class="arg">supported</i>?</span></a></li> <li><a href="#10"><b class="cmd">tls::protocols</b></a></li> <li><a href="#11"><b class="cmd">tls::version</b></a></li> </ul> </div> </div> <div id="section1" class="doctools_section"><h2><a name="section1">Description</a></h2> <p>This extension provides TCL script access to secure socket communications using the Transport Layer Security (TLS) protocol. It provides a generic binding to <a href="https://www.openssl.org/">OpenSSL</a>, utilizing the <b class="syscmd">Tcl_StackChannel</b> API in TCL 8.4 or later. These sockets behave exactly the same as channels created using the built-in <b class="syscmd">socket</b> command, but provide additional options for controlling the SSL/TLS session.</p> </div> <div id="section2" class="doctools_section"><h2><a name="section2">Compatibility</a></h2> <p>This extension is compatible with OpenSSL 1.1.1 or later. It requires Tcl version 8.5 or later and will work with Tcl 9.0.</p> </div> <div id="section3" class="doctools_section"><h2><a name="section3">Commands</a></h2> <p>The following are the commands provided by the TcLTLS package. See the <span class="sectref"><a href="#section7">Examples</a></span> for example usage and the "<b class="file">demos</b>" directory for more example usage.</p> <dl class="doctools_definitions"> <dt><a name="1"><b class="cmd">tls::init</b> <span class="opt">?<i class="arg">-option</i>?</span> <span class="opt">?<i class="arg">value</i>?</span> <span class="opt">?<i class="arg">-option value ...</i>?</span></a></dt> <dd><p>Optional function to set the default options used by <b class="cmd">tls::socket</b>. If you call <b class="cmd">tls::import</b> directly, the values set by this command have no effect. This command supports all of the same options as the <b class="cmd">tls::socket</b> command, though you should limit your options to only the TLS related ones.</p></dd> <dt><a name="2"><b class="cmd">tls::socket</b> <span class="opt">?<i class="arg">-option</i>?</span> <span class="opt">?<i class="arg">value</i>?</span> <span class="opt">?<i class="arg">-option value ...</i>?</span> <i class="arg">host</i> <i class="arg">port</i></a></dt> <dd><p>This is a helper function that utilizes the underlying commands <b class="syscmd">socket</b> and <b class="cmd">tls::import</b> to create the connection. It behaves the same as the native TCL <b class="syscmd">socket</b> command, but also supports the <b class="cmd">tls::import</b> command options with one additional option. It returns the channel handle id for the new socket.</p> <dl class="doctools_options"> <dt><b class="option">-autoservername</b> <i class="arg">bool</i></dt> <dd><p>If <b class="const">true</b>, automatically set the <b class="option">-servername</b> argument to the <em>host</em> argument. Prior to TclTLS 2.0, the default is <b class="const">false</b>. Starting in TclTLS 2.0, the default is <b class="const">true</b> unless <b class="option">-servername</b> is also specified.</p></dd> </dl></dd> <dt><a name="3"><b class="cmd">tls::socket</b> <b class="option">-server</b> <i class="arg">command</i> <span class="opt">?<i class="arg">-option</i>?</span> <span class="opt">?<i class="arg">value</i>?</span> <span class="opt">?<i class="arg">-option value ...</i>?</span> <i class="arg">port</i></a></dt> <dd><p>Same as previous, but instead creates a server socket for clients to connect to just like the Tcl <b class="syscmd">socket -server</b> command. It returns the channel handle id for the new socket.</p></dd> <dt><a name="4"><b class="cmd">tls::import</b> <i class="arg">channel</i> <span class="opt">?<i class="arg">-option</i>?</span> <span class="opt">?<i class="arg">value</i>?</span> <span class="opt">?<i class="arg">-option value ...</i>?</span></a></dt> <dd><p>Start TLS encryption on TCL channel <i class="arg">channel</i> via a stacked channel. It need not be a socket, but must provide bi-directional flow. Also sets session parameters for SSL handshake. Valid options are:</p> <dl class="doctools_options"> <dt><b class="option">-alpn</b> <i class="arg">list</i></dt> <dd><p>List of protocols to offer during Application-Layer Protocol Negotiation (ALPN). For example: <b class="const">h2</b> and <b class="const">http/1.1</b>, but not <b class="const">h3</b> or <b class="const">quic</b>. This option is new for TclTLS 1.8.</p></dd> <dt><b class="option">-cadir</b> <i class="arg">directory</i></dt> <dd><p>Specifies the directory where the Certificate Authority (CA) certificates are stored. The default is platform specific and can be set at compile time. The default location can be overridden by the <b class="variable">SSL_CERT_DIR</b> environment variable. See <span class="sectref"><a href="#section4">Certificate Validation</a></span> for more details.</p></dd> <dt><b class="option">-cafile</b> <i class="arg">filename</i></dt> <dd><p>Specifies the file with the Certificate Authority (CA) certificates to use in <b class="const">PEM</b> file format. The default is "<b class="file">cert.pem</b>", in the OpenSSL directory. The default file can be overridden by the <b class="variable">SSL_CERT_FILE</b> environment variable. See <span class="sectref"><a href="#section4">Certificate Validation</a></span> for more details.</p></dd> <dt><b class="option">-castore</b> <i class="arg">URI</i></dt> <dd><p>Specifies the Uniform Resource Identifier (URI) for the Certificate Authority (CA) store, which may be a single container or a catalog of containers. Starting with OpenSSL 3.2 on MS Windows, set to "<b class="const">org.openssl.winstore://</b>" to use the built-in MS Windows Certificate Store. See <span class="sectref"><a href="#section4">Certificate Validation</a></span> for more details. This option is new for TclTLS 1.8.</p></dd> <dt><b class="option">-certfile</b> <i class="arg">filename</i></dt> <dd><p>Specifies the name of the file with the certificate to use in PEM format as the local (client or server) certificate. It also contains the public key.</p></dd> <dt><b class="option">-cert</b> <i class="arg">string</i></dt> <dd><p>Specifies the certificate to use as a DER encoded string (X.509 DER).</p></dd> <dt><b class="option">-cipher</b> <i class="arg">string</i></dt> <dd><p>Specifies the list of ciphers to use for TLS 1.2 and earlier connections. String is a colon "<b class="const">:</b>" separated list of ciphers. Ciphers can be combined using the "<b class="const">+</b>" character. Prefixes can be used to permanently remove "<b class="const">!</b>", delete "<b class="const">-</b>", or move to the end "<b class="const">+</b>" a specified cipher. Keywords <b class="const">@STRENGTH</b> (sort by algorithm key length), <b class="const">@SECLEVEL=</b><em>n</em> (set security level to n), and <b class="const">DEFAULT</b> (use default cipher list, at start only) can also be specified. See the <a href="https://docs.openssl.org/master/man1/openssl-ciphers/#options">OpenSSL</a> documentation for the full list of valid values.</p></dd> <dt><b class="option">-ciphersuites</b> <i class="arg">string</i></dt> <dd><p>Specifies the list of cipher suites to use for TLS 1.3 as a colon "<b class="const">:</b>" separated list of cipher suite names. See the <a href="https://docs.openssl.org/master/man1/openssl-ciphers/#options">OpenSSL</a> documentation for the full list of valid values. This option is new for TclTLS 1.8.</p></dd> <dt><b class="option">-command</b> <i class="arg">callback</i></dt> <dd><p>Specifies the callback command to be invoked at several points during the handshake to pass errors, tracing information, and protocol messages. See <span class="sectref"><a href="#section5">Callback Options</a></span> for more info.</p></dd> <dt><b class="option">-dhparams</b> <i class="arg">filename</i></dt> <dd><p>Specifies the Diffie-Hellman (DH) parameters file.</p></dd> <dt><b class="option">-keyfile</b> <i class="arg">filename</i></dt> <dd><p>Specifies the private key file. The default is to use the file specified by the <b class="option">-certfile</b> option.</p></dd> <dt><b class="option">-key</b> <i class="arg">string</i></dt> <dd><p>Specifies the private key to use as a DER encoded string (PKCS#1 DER).</p></dd> <dt><b class="option">-model</b> <i class="arg">channel</i></dt> <dd><p>Force this channel to share the same <i class="term">SSL_CTX</i> structure as the specified <i class="arg">channel</i>, and therefore share config, callbacks, etc.</p></dd> <dt><b class="option">-password</b> <i class="arg">callback</i></dt> <dd><p>Specifies the callback command to invoke when OpenSSL needs to obtain a password. This is typically used to unlock the private key of a certificate. The callback should return a password string. This option has changed for TclTLS 1.8. See <span class="sectref"><a href="#section5">Callback Options</a></span> for more info.</p></dd> <dt><b class="option">-post_handshake</b> <i class="arg">bool</i></dt> <dd><p>Allow post-handshake session ticket updates. This option is new for TclTLS 1.8.</p></dd> <dt><b class="option">-request</b> <i class="arg">bool</i></dt> <dd><p>Request a certificate from the peer during the SSL handshake. This is needed to do Certificate Validation. Starting in TclTLS 1.8, the default is <b class="const">true</b>. Starting in TclTLS 2.0, if set to <b class="const">false</b> and <b class="option">-require</b> is <b class="const">true</b>, then this will be overridden to <b class="const">true</b>. See <span class="sectref"><a href="#section4">Certificate Validation</a></span> for more details.</p></dd> <dt><b class="option">-require</b> <i class="arg">bool</i></dt> <dd><p>Require a valid certificate from the peer during the SSL handshake. If this is set to true, then <b class="option">-request</b> must also be set to true and a either <b class="option">-cadir</b>, <b class="option">-cafile</b>, <b class="option">-castore</b>, or a platform default must be provided in order to validate against. The default in TclTLS 1.8 and earlier versions is <b class="const">false</b> since not all platforms have certificates to validate against in a form compatible with OpenSSL. Starting in TclTLS 2.0, the default is <b class="const">true</b>. See <span class="sectref"><a href="#section4">Certificate Validation</a></span> for more details.</p></dd> <dt><b class="option">-security_level</b> <i class="arg">integer</i></dt> <dd><p>Specifies the security level (value from 0 to 5). The security level affects the allowed cipher suite encryption algorithms, supported ECC curves, supported signature algorithms, DH parameter sizes, certificate key sizes and signature algorithms. The default is 1 prior to OpenSSL 3.2 and 2 thereafter. Level 3 and higher disable support for session tickets and only accept cipher suites that provide forward secrecy. This option is new for TclTLS 1.8.</p></dd> <dt><b class="option">-server</b> <i class="arg">bool</i></dt> <dd><p>Specifies whether to act as a server and respond with a server handshake when a client connects and provides a client handshake. The default is <b class="const">false</b>.</p></dd> <dt><b class="option">-servername</b> <i class="arg">hostname</i></dt> <dd><p>Specify the peer's hostname. This is used to set the TLS Server Name Indication (SNI) extension. Set this to the expected servername in the server's certificate or one of the Subject Alternate Names (SAN). Starting in TclTLS 2.0, this will default to the host for the <b class="cmd">tls::socket</b> command.</p></dd> <dt><b class="option">-session_id</b> <i class="arg">binary_string</i></dt> <dd><p>Specifies the session id to resume a session. Not supported yet. This option is new for TclTLS 1.8.</p></dd> <dt><b class="option">-ssl2</b> <i class="arg">bool</i></dt> <dd><p>Enable use of SSL v2.The default is <b class="const">false</b>. OpenSSL 1.1+ no longer supports SSL v2, so this may not have any effect. See the <b class="cmd">tls::protocols</b> command for supported protocols.</p></dd> <dt><b class="option">-ssl3</b> <i class="arg">bool</i></dt> <dd><p>Enable use of SSL v3. The default is <b class="const">false</b>. Starting in TclTLS 1.8, use of SSL v3 if only available via a compile time option. See the <b class="cmd">tls::protocols</b> command for supported protocols.</p></dd> <dt><b class="option">-tls1</b> <i class="arg">bool</i></dt> <dd><p>Enable use of TLS v1. Starting in TclTLS 2.0, the default is <b class="const">false</b>. Note: TLS 1.0 needs SHA1 to operate, which is only available in security level 0 for Open SSL 3.0+. See the <b class="option">-security_level</b> option.</p></dd> <dt><b class="option">-tls1.1</b> <i class="arg">bool</i></dt> <dd><p>Enable use of TLS v1.1. Starting in TclTLS 2.0, the default is <b class="const">false</b>. Note: TLS 1.1 needs SHA1 to operate, which is only available in security level 0 for Open SSL 3.0+. See the <b class="option">-security_level</b> option.</p></dd> <dt><b class="option">-tls1.2</b> <i class="arg">bool</i></dt> <dd><p>Enable use of TLS v1.2. The default is <b class="const">true</b>.</p></dd> <dt><b class="option">-tls1.3</b> <i class="arg">bool</i></dt> <dd><p>Enable use of TLS v1.3. The default is <b class="const">true</b>. This is only available starting with OpenSSL 1.1.1 and TclTLS 1.7.</p></dd> <dt><b class="option">-validatecommand</b> <i class="arg">callback</i></dt> <dd><p>Specifies the callback command to invoke to validate the peer certificates and other config info during the protocol negotiation phase. This can be used by TCL scripts to perform their own Certificate Validation to supplement the default validation provided by OpenSSL. The script must return a boolean true to continue the negotiation. See <span class="sectref"><a href="#section5">Callback Options</a></span> for more info. This option is new for TclTLS 1.8.</p></dd> </dl></dd> <dt><a name="5"><b class="cmd">tls::unimport</b> <i class="arg">channel</i></a></dt> <dd><p>Compliment to <b class="cmd">tls::import</b>. Used to remove the top level stacked channel from <i class="arg">channel</i>. This unstacks the encryption of a regular TCL channel. An error is thrown if TLS is not the top stacked channel type.</p></dd> <dt><a name="6"><b class="cmd">tls::handshake</b> <i class="arg">channel</i></a></dt> <dd><p>Forces the TLS negotiation handshake to take place immediately, and returns 0 if handshake is still in progress (non-blocking), or 1 if the handshake was successful. If the handshake failed, an error will be returned.</p></dd> <dt><a name="7"><b class="cmd">tls::status</b> <span class="opt">?<b class="option">-local</b>?</span> <i class="arg">channel</i></a></dt> <dd><p>Returns the current status of an SSL channel. The result is a list of key-value pairs describing the SSL, certificate, and certificate verification status. If the SSL handshake has not yet completed, an empty list is returned. If the <b class="option">-local</b> option is specified, then the local certificate is used. Returned values include:</p> <p>SSL Status</p> <dl class="doctools_definitions"> <dt><b class="variable">alpn</b> <i class="arg">protocol</i></dt> <dd><p>The protocol selected after Application-Layer Protocol Negotiation (ALPN). This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">cipher</b> <i class="arg">cipher</i></dt> <dd><p>The current cipher in use for the session.</p></dd> <dt><b class="variable">peername</b> <i class="arg">name</i></dt> <dd><p>The peername from the certificate. This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">protocol</b> <i class="arg">version</i></dt> <dd><p>The protocol version used for the connection: SSL2, SSL3, TLS1, TLS1.1, TLS1.2, TLS1.3, or unknown. This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">sbits</b> <i class="arg">n</i></dt> <dd><p>The number of bits used for the session key.</p></dd> <dt><b class="variable">signatureHashAlgorithm</b> <i class="arg">algorithm</i></dt> <dd><p>The signature hash algorithm. This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">signatureType</b> <i class="arg">type</i></dt> <dd><p>The signature type value. This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">verifyDepth</b> <i class="arg">n</i></dt> <dd><p>Maximum depth for the certificate chain verification. Default is -1, to check all. This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">verifyMode</b> <i class="arg">list</i></dt> <dd><p>List of certificate verification modes. This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">verifyResult</b> <i class="arg">result</i></dt> <dd><p>Certificate verification result. This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">ca_names</b> <i class="arg">list</i></dt> <dd><p>List of the Certificate Authorities used to create the certificate. This value is new for TclTLS 1.8.</p></dd> </dl> <p>Certificate Status</p> <dl class="doctools_definitions"> <dt><b class="variable">all</b> <i class="arg">string</i></dt> <dd><p>Dump of all certificate info. This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">version</b> <i class="arg">value</i></dt> <dd><p>The certificate version.</p></dd> <dt><b class="variable">serialNumber</b> <i class="arg">string</i></dt> <dd><p>The serial number of the certificate as a hex string. This value was changed from serial in TclTLS 1.8.</p></dd> <dt><b class="variable">signature</b> <i class="arg">algorithm</i></dt> <dd><p>Cipher algorithm used for certificate signature. This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">issuer</b> <i class="arg">string</i></dt> <dd><p>The distinguished name (DN) of the certificate issuer.</p></dd> <dt><b class="variable">notBefore</b> <i class="arg">date</i></dt> <dd><p>The beginning date of the certificate validity.</p></dd> <dt><b class="variable">notAfter</b> <i class="arg">date</i></dt> <dd><p>The expiration date of the certificate validity.</p></dd> <dt><b class="variable">subject</b> <i class="arg">string</i></dt> <dd><p>The distinguished name (DN) of the certificate subject. Fields include: Common Name (CN), Organization (O), Locality or City (L), State or Province (S), and Country Name (C).</p></dd> <dt><b class="variable">issuerUniqueID</b> <i class="arg">string</i></dt> <dd><p>The issuer unique id. This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">subjectUniqueID</b> <i class="arg">string</i></dt> <dd><p>The subject unique id. This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">num_extensions</b> <i class="arg">n</i></dt> <dd><p>Number of certificate extensions. This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">extensions</b> <i class="arg">list</i></dt> <dd><p>List of certificate extension names. This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">authorityKeyIdentifier</b> <i class="arg">string</i></dt> <dd><p>Authority Key Identifier (AKI) of the Issuing CA certificate that signed the SSL certificate as a hex string. This value matches the SKI value of the Intermediate CA certificate. This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">subjectKeyIdentifier</b> <i class="arg">string</i></dt> <dd><p>Subject Key Identifier (SKI) hash of the public key inside the certificate as a hex string. Used to identify certificates that contain a particular public key. This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">subjectAltName</b> <i class="arg">list</i></dt> <dd><p>List of all of the Subject Alternative Names (SAN) including domain names, sub domains, and IP addresses that are secured by the certificate. This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">ocsp</b> <i class="arg">list</i></dt> <dd><p>List of all Online Certificate Status Protocol (OCSP) URLs that can be used to check the validity of this certificate. This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">certificate</b> <i class="arg">cert</i></dt> <dd><p>The PEM encoded certificate.</p></dd> <dt><b class="variable">signatureAlgorithm</b> <i class="arg">algorithm</i></dt> <dd><p>Cipher algorithm used for the certificate signature. This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">signatureValue</b> <i class="arg">string</i></dt> <dd><p>Certificate signature as a hex string. This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">signatureDigest</b> <i class="arg">version</i></dt> <dd><p>Certificate signing digest as a hex string. This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">publicKeyAlgorithm</b> <i class="arg">algorithm</i></dt> <dd><p>Certificate signature public key algorithm. This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">publicKey</b> <i class="arg">string</i></dt> <dd><p>Certificate signature public key as a hex string. This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">bits</b> <i class="arg">n</i></dt> <dd><p>Number of bits used for certificate signature key. This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">self_signed</b> <i class="arg">boolean</i></dt> <dd><p>Whether the certificate signature is self signed. This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">sha1_hash</b> <i class="arg">hash</i></dt> <dd><p>The SHA1 hash of the certificate as a hex string. This value is new for TclTLS 1.8.</p></dd> <dt><b class="variable">sha256_hash</b> <i class="arg">hash</i></dt> <dd><p>The SHA256 hash of the certificate as a hex string. This value is new for TclTLS 1.8.</p></dd> </dl></dd> <dt><a name="8"><b class="cmd">tls::connection</b> <i class="arg">channel</i></a></dt> <dd><p>Returns the current connection status of an SSL channel. The result is a list of key-value pairs describing the connection. This command is new for TclTLS 1.8. Returned values include:</p> <p>SSL Status</p> <dl class="doctools_definitions"> <dt><b class="variable">state</b> <i class="arg">state</i></dt> <dd><p>State of the connection.</p></dd> <dt><b class="variable">servername</b> <i class="arg">name</i></dt> <dd><p>The name of the connected to server.</p></dd> <dt><b class="variable">protocol</b> <i class="arg">version</i></dt> |
480 481 482 483 484 485 486 | <dd><p>Unique session ticket application data.</p></dd> <dt><b class="variable">master_key</b> <i class="arg">binary_string</i></dt> <dd><p>Unique session master key.</p></dd> <dt><b class="variable">session_cache_mode</b> <i class="arg">mode</i></dt> <dd><p>Server cache mode (client, server, or both).</p></dd> </dl></dd> <dt><a name="9"><b class="cmd">tls::ciphers</b> <span class="opt">?<i class="arg">protocol</i>?</span> <span class="opt">?<i class="arg">verbose</i>?</span> <span class="opt">?<i class="arg">supported</i>?</span></a></dt> | | | > | > | | | 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 | <dd><p>Unique session ticket application data.</p></dd> <dt><b class="variable">master_key</b> <i class="arg">binary_string</i></dt> <dd><p>Unique session master key.</p></dd> <dt><b class="variable">session_cache_mode</b> <i class="arg">mode</i></dt> <dd><p>Server cache mode (client, server, or both).</p></dd> </dl></dd> <dt><a name="9"><b class="cmd">tls::ciphers</b> <span class="opt">?<i class="arg">protocol</i>?</span> <span class="opt">?<i class="arg">verbose</i>?</span> <span class="opt">?<i class="arg">supported</i>?</span></a></dt> <dd><p>Without any options, it returns a list of all symmetric ciphers for use with the <i class="arg">-cipher</i> option. With <i class="arg">protocol</i>, only the ciphers supported for that protocol are returned. See the <b class="cmd">tls::protocols</b> command for the supported protocols. If <i class="arg">verbose</i> is specified as true then a verbose, human readable list is returned with additional information on the cipher. If <i class="arg">supported</i> is specified as true, then only the ciphers supported for protocol will be listed. The <i class="arg">supported</i> arg is new for TclTLS 1.8.</p></dd> <dt><a name="10"><b class="cmd">tls::protocols</b></a></dt> <dd><p>Returns a list of the supported SSL/TLS protocols. Valid values are: <b class="const">ssl2</b>, <b class="const">ssl3</b>, <b class="const">tls1</b>, <b class="const">tls1.1</b>, <b class="const">tls1.2</b>, and <b class="const">tls1.3</b>. Exact list depends on OpenSSL version and compile time flags. This command is new for TclTLS 1.8.</p></dd> <dt><a name="11"><b class="cmd">tls::version</b></a></dt> <dd><p>Returns the OpenSSL version string.</p></dd> </dl> </div> <div id="section4" class="doctools_section"><h2><a name="section4">Certificate Validation</a></h2> <div id="subsection1" class="doctools_subsection"><h3><a name="subsection1">PKI and Certificates</a></h3> <p>Using the Public Key Infrastructure (PKI), each user creates a private key that only they know about and a public key they can exchange with others for use in encrypting and decrypting data. The process is the sender encrypts their data using their private key and the receiver's public key. The data is then sent to the receiver. In a similar manner, the receiver uses their private key and the sender's public key to decrypt the data. This provides data integrity, to ensure the data can't be viewed or altered during transport. See the <b class="option">-key</b> and <b class="option">-keyfile</b> options for how to specify the private key. Also see the <b class="option">-password</b> option for how to provide the password.</p> <p>In order to provide authentication, i.e. ensuring someone is who they say they are, the public key and user identification info is stored in a X.509 certificate and that certificate is authenticated (i.e. signed) by a Certificate Authority (CA). Users can then exchange these certificates during the TLS initialization process and check them against the root CA certificates to ensure they are valid. This is handled by OpenSSL via the <b class="option">-request</b> and <b class="option">-require</b> options. See the <b class="option">-cadir</b>, <b class="option">-cadir</b>, and <b class="option">-castore</b> options for how to specify where to find the CA certificates. Optionally, in a future release, they can also be checked against the Certificate Revocation List (CRL) of revoked certificates. Certificates can also be self-signed, but they are by default not trusted unless you add them to your certificate store.</p> <p>Typically when visiting web sites, only the client needs to check the server's certificate to ensure it is valid. The server doesn't need to check the client certificate unless you need to authenticate with them to login, etc. See the |
540 541 542 543 544 545 546 | directory. On Linux/Unix systems, this is usually "<b class="file">/etc/ssl/ca-bundle.pem</b>". The default file can be overridden by the <b class="variable">SSL_CERT_FILE</b> environment variable.</p></dd> <dt><b class="option">-castore</b> <i class="arg">URI</i></dt> <dd><p>Specifies the Uniform Resource Identifier (URI) for the Certificate Authority (CA) store, which may be a single container or a catalog of containers. Starting with OpenSSL 3.2 on MS Windows, set to "<b class="const">org.openssl.winstore://</b>" | | > | < > > | | | > > | | > > | | 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 | directory. On Linux/Unix systems, this is usually "<b class="file">/etc/ssl/ca-bundle.pem</b>". The default file can be overridden by the <b class="variable">SSL_CERT_FILE</b> environment variable.</p></dd> <dt><b class="option">-castore</b> <i class="arg">URI</i></dt> <dd><p>Specifies the Uniform Resource Identifier (URI) for the Certificate Authority (CA) store, which may be a single container or a catalog of containers. Starting with OpenSSL 3.2 on MS Windows, set to "<b class="const">org.openssl.winstore://</b>" to use the built-in MS Windows Certificate Store. Starting in TclTLS 2.0, this is the default if <b class="option">-cadir</b>, <b class="option">-cadir</b>, and <b class="option">-castore</b> are not specified. This store only supports root certificate stores.</p></dd> <dt><b class="option">-request</b> <i class="arg">bool</i></dt> <dd><p>Request a certificate from the peer during the SSL handshake. This is needed to do Certificate Validation. Starting in TclTLS 1.8, the default is <b class="const">true</b>. Starting in TclTLS 2.0, if set to <b class="const">false</b> and <b class="option">-require</b> is <b class="const">true</b>, then this will be overridden to <b class="const">true</b>. In addition, the client can manually inspect and accept or reject each certificate using the <b class="option">-validatecommand</b> option.</p></dd> <dt><b class="option">-require</b> <i class="arg">bool</i></dt> <dd><p>Require a valid certificate from the peer during the SSL handshake. If this is set to true, then <b class="option">-request</b> must also be set to true and a either <b class="option">-cadir</b>, <b class="option">-cafile</b>, <b class="option">-castore</b>, or a platform default must be provided in order to validate against. The default in TclTLS 1.8 and earlier versions is <b class="const">false</b> since not all platforms have certificates to validate against in a form compatible with OpenSSL. Starting in TclTLS 2.0, the default is <b class="const">true</b>.</p></dd> </dl> </div> <div id="subsection3" class="doctools_subsection"><h3><a name="subsection3">When are command line options needed?</a></h3> <p>In TclTLS 1.8 and earlier versions, certificate validation is <em>NOT</em> enabled by default. This limitation is due to the lack of a common cross platform database of Certificate Authority (CA) provided certificates to validate against. Many Linux systems natively support OpenSSL and thus have these certificates installed as part of the OS, but MacOS and MS Windows do not. Staring in TclTLS 2.0, this has been changed to require certificate validation by default. In order to use the <b class="option">-require</b> option, one of the following must be true:</p> <ul class="doctools_itemized"> <li><p>On Linux and Unix systems with OpenSSL already installed or if the CA certificates are available in PEM format, and if they are stored in the standard locations, or if the <b class="variable">SSL_CERT_DIR</b> or <b class="variable">SSL_CERT_FILE</b> environment variables are set, then <b class="option">-cadir</b>, <b class="option">-cadir</b>, and <b class="option">-castore</b> aren't needed.</p></li> <li><p>If OpenSSL is not installed in the default location, or when using Mac OS or MS Windows and OpenSSL is installed, the <b class="variable">SSL_CERT_DIR</b> and/or <b class="variable">SSL_CERT_FILE</b> environment variables or the one of the <b class="option">-cadir</b>, <b class="option">-cadir</b>, or <b class="option">-castore</b> options must be defined.</p></li> <li><p>On MS Windows, starting in OpenSSL 3.2, it is now possible to access the built-in Windows Certificate Store from OpenSSL. This can utilized by setting the <b class="option">-castore</b> option to "<b class="const">org.openssl.winstore://</b>". In TclTLS 2.0, this is the default value if <b class="option">-cadir</b>, <b class="option">-cadir</b>, and <b class="option">-castore</b> are not specified.</p></li> <li><p>If OpenSSL is not installed or the CA certificates are not available in PEM format, the CA certificates must be downloaded and installed with the user software. The CURL team makes them available at <a href="https://curl.se/docs/caextract.html">CA certificates extracted from Mozilla</a> in the "<b class="file">cacert.pem</b>" file. You must then either set the <b class="variable">SSL_CERT_DIR</b> and/or <b class="variable">SSL_CERT_FILE</b> environment variables or the <b class="option">-cadir</b> or <b class="option">-cafile</b> options to the CA cert file's install location. It is your responsibility to keep this file up to date.</p></li> </ul> </div> </div> <div id="section5" class="doctools_section"><h2><a name="section5">Callback Options</a></h2> <p>As previously described, each channel can be given their own callbacks to handle intermediate processing by the OpenSSL library, using the <b class="option">-command</b>, <b class="option">-password</b>, and <b class="option">-validate_command</b> options passed to either of <b class="cmd">tls::socket</b> or <b class="cmd">tls::import</b>. Unlike previous versions of TclTLS, only if the callback generates an error, will the <b class="syscmd">bgerror</b> command be invoked with the error information.</p> <div id="subsection4" class="doctools_subsection"><h3><a name="subsection4">Values for Command Callback</a></h3> |
694 695 696 697 698 699 700 | continue the connection, it should return 2. This callback is new for TclTLS 1.8.</p> <dl class="doctools_options"> <dt><b class="option">alpn</b> <i class="arg">channelId protocol match</i></dt> <dd><p>For servers, this form of callback is invoked when the client ALPN extension is received. If <i class="arg">match</i> is true, then <i class="arg">protocol</i> is the first <b class="option">-alpn</b> protocol option in common to both the client and server. If not, the first client specified protocol is used. This callback is called | | | | | 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 | continue the connection, it should return 2. This callback is new for TclTLS 1.8.</p> <dl class="doctools_options"> <dt><b class="option">alpn</b> <i class="arg">channelId protocol match</i></dt> <dd><p>For servers, this form of callback is invoked when the client ALPN extension is received. If <i class="arg">match</i> is true, then <i class="arg">protocol</i> is the first <b class="option">-alpn</b> protocol option in common to both the client and server. If not, the first client specified protocol is used. This callback is called after the Hello and SNI callbacks.</p></dd> <dt><b class="option">hello</b> <i class="arg">channelId servername</i></dt> <dd><p>For servers, this form of callback is invoked during client hello message processing. The purpose is so the server can select the appropriate certificate to present to the client, and to make other configuration adjustments relevant to that server name and its configuration. It is called before the SNI and ALPN callbacks.</p></dd> <dt><b class="option">sni</b> <i class="arg">channelId servername</i></dt> <dd><p>For servers, this form of callback is invoked when the Server Name Indication (SNI) extension is received. The <i class="arg">servername</i> argument is the client provided server name specified in the <b class="option">-servername</b> option. The purpose is so when a server supports multiple names, the right certificate can be used. It is called after the Hello callback but before the ALPN callback.</p></dd> <dt><b class="option">verify</b> <i class="arg">channelId depth cert status error</i></dt> <dd><p>This form of callback is invoked by OpenSSL when a new certificate is received from the peer. It allows the client to check the certificate verification results and choose whether to continue or not. It is called for each certificate in the certificate chain. This callback was moved from <b class="option">-command</b> in TclTLS 1.8. The arguments are:</p> |
747 748 749 750 751 752 753 | attempting to call <b class="cmd">tls::password</b>. The difference between these two behaviors is a consequence of maintaining compatibility with earlier implementations.</p> <p><em>The use of the reference callbacks <b class="cmd">tls::callback</b>, <b class="cmd">tls::password</b>, and <b class="cmd">tls::validate_command</b> is not recommended. They may be removed from future releases.</em></p> </div> </div> | | | | | | 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 | attempting to call <b class="cmd">tls::password</b>. The difference between these two behaviors is a consequence of maintaining compatibility with earlier implementations.</p> <p><em>The use of the reference callbacks <b class="cmd">tls::callback</b>, <b class="cmd">tls::password</b>, and <b class="cmd">tls::validate_command</b> is not recommended. They may be removed from future releases.</em></p> </div> </div> <div id="section6" class="doctools_section"><h2><a name="section6">Debug</a></h2> <p>For most debugging needs, the <b class="option">-callback</b> option can be used to provide sufficient insight and information on the TLS handshake and progress. If further troubleshooting insight is needed, the compile time option <b class="option">--enable-debug</b> can be used to get detailed execution flow status.</p> <p>TLS key logging can be enabled by setting the environment variable <b class="variable">SSLKEYLOGFILE</b> to the name of the file to log to. Then whenever TLS key material is generated or received it will be logged to the file. This is useful for logging key data for network logging tools to use to decrypt the data.</p> <p>The <b class="variable">tls::debug</b> variable provides some additional control over the debug logging in the <b class="cmd">tls::callback</b>, <b class="cmd">tls::password</b>, and <b class="cmd">tls::validate_command</b> default handlers in "<b class="file">tls.tcl</b>". The default value is 0 with higher values producing more diagnostic output, and will also force the verify method in <b class="cmd">tls::callback</b> to accept the certificate, even if it is invalid when the <b class="option">-validatecommand</b> option is set to <b class="cmd">tls::validate_command</b>.</p> <p><em>The use of the variable <b class="variable">tls::debug</b> is not recommended. It may be removed from future releases.</em></p> </div> <div id="section7" class="doctools_section"><h2><a name="section7">Examples</a></h2> <p>The following are example scripts to download a webpage and file using the http package. See <span class="sectref"><a href="#section4">Certificate Validation</a></span> for when the <b class="option">-cadir</b>, <b class="option">-cafile</b>, and <b class="option">-castore</b> options are also needed. See the "<b class="file">demos</b>" directory for more example scripts.</p> <p>Example #1: Download a web page</p> <pre class="doctools_example"> package require http package require tls set url "https://www.tcl.tk/" http::register https 443 [list ::tls::socket -autoservername 1 -require 1] # Get URL |
810 811 812 813 814 815 816 | puts [format "Error %s" [http::status $token]] } # Cleanup close $ch ::http::cleanup $token </pre> </div> | | | | 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 | puts [format "Error %s" [http::status $token]] } # Cleanup close $ch ::http::cleanup $token </pre> </div> <div id="section8" class="doctools_section"><h2><a name="section8">Special Considerations</a></h2> <p>The capabilities of this package can vary enormously based upon how the linked to OpenSSL library was configured and built. New versions may obsolete older protocol versions, add or remove ciphers, change default values, etc. Use the <b class="cmd">tls::protocols</b> command to obtain the supported protocol versions.</p> </div> <div id="see-also" class="doctools_section"><h2><a name="see-also">See Also</a></h2> <p><a href="https://www.openssl.org/">OpenSSL</a>, http, socket</p> </div> <div id="keywords" class="doctools_section"><h2><a name="keywords">Keywords</a></h2> <p>I/O, IP Address, OpenSSL, SSL, TCP, TLS, TclTLS, asynchronous I/O, bind, certificate, channel, connection, domain name, host, https, network, network address, socket, tls</p> |
Modified doc/tls.man
from [741f38b808]
to [3886359307].
1 2 3 4 5 | [comment {-*- tcl -*- doctools manpage}] [comment {To convert this to another documentation format use the dtplite script from tcllib: dtplite -o tls.n nroff tls.man dtplite -o tls.html html tls.man }] | | | | | | > > < | | | > > | | | | | > > | | | > | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 | [comment {-*- tcl -*- doctools manpage}] [comment {To convert this to another documentation format use the dtplite script from tcllib: dtplite -o tls.n nroff tls.man dtplite -o tls.html html tls.man }] [manpage_begin tls n 2.0b1] [category tls] [copyright {1999 Matt Newman}] [copyright {2004 Starfish Systems}] [copyright {2024 Brian O'Hagan}] [keywords tls I/O "IP Address" OpenSSL SSL TCP TLS "asynchronous I/O" bind certificate channel connection "domain name" host "https" "network address" network socket TclTLS] [moddesc {Tcl TLS extension}] [see_also http socket [uri https://www.openssl.org/ OpenSSL]] [titledesc {binding to the OpenSSL library for encrypted socket and I/O channel communications}] [require Tcl 8.5-] [require tls 2.0b1] [description] This extension provides TCL script access to secure socket communications using the Transport Layer Security (TLS) protocol. It provides a generic binding to [uri "https://www.openssl.org/" OpenSSL], utilizing the [syscmd Tcl_StackChannel] API in TCL 8.4 or later. These sockets behave exactly the same as channels created using the built-in [syscmd socket] command, but provide additional options for controlling the SSL/TLS session. [section Compatibility] This extension is compatible with OpenSSL 1.1.1 or later. It requires Tcl version 8.5 or later and will work with Tcl 9.0. [section Commands] The following are the commands provided by the TcLTLS package. See the [sectref Examples] for example usage and the [file demos] directory for more example usage. [list_begin definitions] [call [cmd tls::init] [opt [arg -option]] [opt [arg value]] [opt [arg "-option value ..."]]] Optional function to set the default options used by [cmd tls::socket]. If you call [cmd tls::import] directly, the values set by this command have no effect. This command supports all of the same options as the [cmd tls::socket] command, though you should limit your options to only the TLS related ones. [call [cmd tls::socket] [opt [arg -option]] [opt [arg value]] [opt [arg "-option value ..."]] [arg host] [arg port]] This is a helper function that utilizes the underlying commands [syscmd socket] and [cmd tls::import] to create the connection. It behaves the same as the native TCL [syscmd socket] command, but also supports the [cmd tls::import] command options with one additional option. It returns the channel handle id for the new socket. [list_begin options] [opt_def -autoservername [arg bool]] If [const true], automatically set the [option -servername] argument to the [emph host] argument. Prior to TclTLS 2.0, the default is [const false]. Starting in TclTLS 2.0, the default is [const true] unless [option -servername] is also specified. [list_end] [call [cmd tls::socket] [option -server] [arg command] [opt [arg -option]] [opt [arg value]] [opt [arg "-option value ..."]] [arg port]] Same as previous, but instead creates a server socket for clients to connect to just like the Tcl [syscmd "socket -server"] command. It returns the channel handle id for the new socket. [call [cmd tls::import] [arg channel] [opt [arg -option]] [opt [arg value]] [opt [arg "-option value ..."]]] Start TLS encryption on TCL channel [arg channel] via a stacked channel. It need not be a socket, but must provide bi-directional flow. Also sets session parameters for SSL handshake. Valid options are: [list_begin options] [opt_def -alpn [arg list]] List of protocols to offer during Application-Layer Protocol Negotiation (ALPN). For example: [const h2] and [const http/1.1], but not [const h3] or [const quic]. This option is new for TclTLS 1.8. [opt_def -cadir [arg directory]] Specifies the directory where the Certificate Authority (CA) certificates are stored. The default is platform specific and can be set at compile time. The default location can be overridden by the [var SSL_CERT_DIR] environment variable. See [sectref "Certificate Validation"] for more details. [opt_def -cafile [arg filename]] Specifies the file with the Certificate Authority (CA) certificates to use in [const PEM] file format. The default is [file cert.pem], in the OpenSSL directory. The default file can be overridden by the [var SSL_CERT_FILE] environment variable. See [sectref "Certificate Validation"] for more details. [opt_def -castore [arg URI]] Specifies the Uniform Resource Identifier (URI) for the Certificate Authority (CA) store, which may be a single container or a catalog of containers. Starting with OpenSSL 3.2 on MS Windows, set to "[const "org.openssl.winstore://"]" to use the built-in MS Windows Certificate Store. See [sectref "Certificate Validation"] for more details. This option is new for TclTLS 1.8. [opt_def -certfile [arg filename]] Specifies the name of the file with the certificate to use in PEM format as the local (client or server) certificate. It also contains the public key. [opt_def -cert [arg string]] Specifies the certificate to use as a DER encoded string (X.509 DER). |
114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 | documentation for the full list of valid values. [opt_def -ciphersuites [arg string]] Specifies the list of cipher suites to use for TLS 1.3 as a colon "[const :]" separated list of cipher suite names. See the [uri "https://docs.openssl.org/master/man1/openssl-ciphers/#options" OpenSSL] documentation for the full list of valid values. [opt_def -command [arg callback]] Specifies the callback command to be invoked at several points during the handshake to pass errors, tracing information, and protocol messages. See [sectref "Callback Options"] for more info. [opt_def -dhparams [arg filename]] Specifies the Diffie-Hellman (DH) parameters file. [opt_def -keyfile [arg filename]] Specifies the private key file. The default is to use the file | > | | | | | > | > > | | | > > | | | | | | | | | | | | | > > | 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 | documentation for the full list of valid values. [opt_def -ciphersuites [arg string]] Specifies the list of cipher suites to use for TLS 1.3 as a colon "[const :]" separated list of cipher suite names. See the [uri "https://docs.openssl.org/master/man1/openssl-ciphers/#options" OpenSSL] documentation for the full list of valid values. This option is new for TclTLS 1.8. [opt_def -command [arg callback]] Specifies the callback command to be invoked at several points during the handshake to pass errors, tracing information, and protocol messages. See [sectref "Callback Options"] for more info. [opt_def -dhparams [arg filename]] Specifies the Diffie-Hellman (DH) parameters file. [opt_def -keyfile [arg filename]] Specifies the private key file. The default is to use the file specified by the [option -certfile] option. [opt_def -key [arg string]] Specifies the private key to use as a DER encoded string (PKCS#1 DER). [opt_def -model [arg channel]] Force this channel to share the same [term SSL_CTX] structure as the specified [arg channel], and therefore share config, callbacks, etc. [opt_def -password [arg callback]] Specifies the callback command to invoke when OpenSSL needs to obtain a password. This is typically used to unlock the private key of a certificate. The callback should return a password string. This option has changed for TclTLS 1.8. See [sectref "Callback Options"] for more info. [opt_def -post_handshake [arg bool]] Allow post-handshake session ticket updates. This option is new for TclTLS 1.8. [opt_def -request [arg bool]] Request a certificate from the peer during the SSL handshake. This is needed to do Certificate Validation. Starting in TclTLS 1.8, the default is [const true]. Starting in TclTLS 2.0, if set to [const false] and [option -require] is [const true], then this will be overridden to [const true]. See [sectref "Certificate Validation"] for more details. [opt_def -require [arg bool]] Require a valid certificate from the peer during the SSL handshake. If this is set to true, then [option -request] must also be set to true and a either [option -cadir], [option -cafile], [option -castore], or a platform default must be provided in order to validate against. The default in TclTLS 1.8 and earlier versions is [const false] since not all platforms have certificates to validate against in a form compatible with OpenSSL. Starting in TclTLS 2.0, the default is [const true]. See [sectref "Certificate Validation"] for more details. [opt_def -security_level [arg integer]] Specifies the security level (value from 0 to 5). The security level affects the allowed cipher suite encryption algorithms, supported ECC curves, supported signature algorithms, DH parameter sizes, certificate key sizes and signature algorithms. The default is 1 prior to OpenSSL 3.2 and 2 thereafter. Level 3 and higher disable support for session tickets and only accept cipher suites that provide forward secrecy. This option is new for TclTLS 1.8. [opt_def -server [arg bool]] Specifies whether to act as a server and respond with a server handshake when a client connects and provides a client handshake. The default is [const false]. [opt_def -servername [arg hostname]] Specify the peer's hostname. This is used to set the TLS Server Name Indication (SNI) extension. Set this to the expected servername in the server's certificate or one of the Subject Alternate Names (SAN). Starting in TclTLS 2.0, this will default to the host for the [cmd tls::socket] command. [opt_def -session_id [arg binary_string]] Specifies the session id to resume a session. Not supported yet. This option is new for TclTLS 1.8. [opt_def -ssl2 [arg bool]] Enable use of SSL v2.The default is [const false]. OpenSSL 1.1+ no longer supports SSL v2, so this may not have any effect. See the [cmd tls::protocols] command for supported protocols. [opt_def -ssl3 [arg bool]] Enable use of SSL v3. The default is [const false]. Starting in TclTLS 1.8, use of SSL v3 if only available via a compile time option. See the [cmd tls::protocols] command for supported protocols. [opt_def -tls1 [arg bool]] Enable use of TLS v1. Starting in TclTLS 2.0, the default is [const false]. Note: TLS 1.0 needs SHA1 to operate, which is only available in security level 0 for Open SSL 3.0+. See the [option -security_level] option. [opt_def -tls1.1 [arg bool]] Enable use of TLS v1.1. Starting in TclTLS 2.0, the default is [const false]. Note: TLS 1.1 needs SHA1 to operate, which is only available in security level 0 for Open SSL 3.0+. See the [option -security_level] option. [opt_def -tls1.2 [arg bool]] Enable use of TLS v1.2. The default is [const true]. [opt_def -tls1.3 [arg bool]] Enable use of TLS v1.3. The default is [const true]. This is only available starting with OpenSSL 1.1.1 and TclTLS 1.7. [opt_def -validatecommand [arg callback]] Specifies the callback command to invoke to validate the peer certificates and other config info during the protocol negotiation phase. This can be used by TCL scripts to perform their own Certificate Validation to supplement the default validation provided by OpenSSL. The script must return a boolean true to continue the negotiation. See [sectref "Callback Options"] for more info. This option is new for TclTLS 1.8. [list_end] [call [cmd tls::unimport] [arg channel]] Compliment to [cmd tls::import]. Used to remove the top level stacked channel from [arg channel]. This unstacks the encryption of a regular TCL channel. An |
241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 | SSL Status [list_begin definitions] [def "[var alpn] [arg protocol]"] The protocol selected after Application-Layer Protocol Negotiation (ALPN). [def "[var cipher] [arg cipher]"] The current cipher in use for the session. [def "[var peername] [arg name]"] The peername from the certificate. [def "[var protocol] [arg version]"] | > > | > > > > > > > > > > > > > > > > > > > > > > > > > > > | > | 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 | SSL Status [list_begin definitions] [def "[var alpn] [arg protocol]"] The protocol selected after Application-Layer Protocol Negotiation (ALPN). This value is new for TclTLS 1.8. [def "[var cipher] [arg cipher]"] The current cipher in use for the session. [def "[var peername] [arg name]"] The peername from the certificate. This value is new for TclTLS 1.8. [def "[var protocol] [arg version]"] The protocol version used for the connection: SSL2, SSL3, TLS1, TLS1.1, TLS1.2, TLS1.3, or unknown. This value is new for TclTLS 1.8. [def "[var sbits] [arg n]"] The number of bits used for the session key. [def "[var signatureHashAlgorithm] [arg algorithm]"] The signature hash algorithm. This value is new for TclTLS 1.8. [def "[var signatureType] [arg type]"] The signature type value. This value is new for TclTLS 1.8. [def "[var verifyDepth] [arg n]"] Maximum depth for the certificate chain verification. Default is -1, to check all. This value is new for TclTLS 1.8. [def "[var verifyMode] [arg list]"] List of certificate verification modes. This value is new for TclTLS 1.8. [def "[var verifyResult] [arg result]"] Certificate verification result. This value is new for TclTLS 1.8. [def "[var ca_names] [arg list]"] List of the Certificate Authorities used to create the certificate. This value is new for TclTLS 1.8. [list_end] Certificate Status [list_begin definitions] [def "[var all] [arg string]"] Dump of all certificate info. This value is new for TclTLS 1.8. [def "[var version] [arg value]"] The certificate version. [def "[var serialNumber] [arg string]"] The serial number of the certificate as a hex string. This value was changed from serial in TclTLS 1.8. [def "[var signature] [arg algorithm]"] Cipher algorithm used for certificate signature. This value is new for TclTLS 1.8. [def "[var issuer] [arg string]"] The distinguished name (DN) of the certificate issuer. [def "[var notBefore] [arg date]"] The beginning date of the certificate validity. [def "[var notAfter] [arg date]"] The expiration date of the certificate validity. [def "[var subject] [arg string]"] The distinguished name (DN) of the certificate subject. Fields include: Common Name (CN), Organization (O), Locality or City (L), State or Province (S), and Country Name (C). [def "[var issuerUniqueID] [arg string]"] The issuer unique id. This value is new for TclTLS 1.8. [def "[var subjectUniqueID] [arg string]"] The subject unique id. This value is new for TclTLS 1.8. [def "[var num_extensions] [arg n]"] Number of certificate extensions. This value is new for TclTLS 1.8. [def "[var extensions] [arg list]"] List of certificate extension names. This value is new for TclTLS 1.8. [def "[var authorityKeyIdentifier] [arg string]"] Authority Key Identifier (AKI) of the Issuing CA certificate that signed the SSL certificate as a hex string. This value matches the SKI value of the Intermediate CA certificate. This value is new for TclTLS 1.8. [def "[var subjectKeyIdentifier] [arg string]"] Subject Key Identifier (SKI) hash of the public key inside the certificate as a hex string. Used to identify certificates that contain a particular public key. This value is new for TclTLS 1.8. [def "[var subjectAltName] [arg list]"] List of all of the Subject Alternative Names (SAN) including domain names, sub domains, and IP addresses that are secured by the certificate. This value is new for TclTLS 1.8. [def "[var ocsp] [arg list]"] List of all Online Certificate Status Protocol (OCSP) URLs that can be used to check the validity of this certificate. This value is new for TclTLS 1.8. [def "[var certificate] [arg cert]"] The PEM encoded certificate. [def "[var signatureAlgorithm] [arg algorithm]"] Cipher algorithm used for the certificate signature. This value is new for TclTLS 1.8. [def "[var signatureValue] [arg string]"] Certificate signature as a hex string. This value is new for TclTLS 1.8. [def "[var signatureDigest] [arg version]"] Certificate signing digest as a hex string. This value is new for TclTLS 1.8. [def "[var publicKeyAlgorithm] [arg algorithm]"] Certificate signature public key algorithm. This value is new for TclTLS 1.8. [def "[var publicKey] [arg string]"] Certificate signature public key as a hex string. This value is new for TclTLS 1.8. [def "[var bits] [arg n]"] Number of bits used for certificate signature key. This value is new for TclTLS 1.8. [def "[var self_signed] [arg boolean]"] Whether the certificate signature is self signed. This value is new for TclTLS 1.8. [def "[var sha1_hash] [arg hash]"] The SHA1 hash of the certificate as a hex string. This value is new for TclTLS 1.8. [def "[var sha256_hash] [arg hash]"] The SHA256 hash of the certificate as a hex string. This value is new for TclTLS 1.8. [list_end] [call [cmd tls::connection] [arg channel]] Returns the current connection status of an SSL channel. The result is a list of key-value pairs describing the connection. This command is new for TclTLS 1.8. Returned values include: [para] SSL Status [list_begin definitions] |
479 480 481 482 483 484 485 | [def "[var session_cache_mode] [arg mode]"] Server cache mode (client, server, or both). [list_end] [call [cmd tls::ciphers] [opt [arg protocol]] [opt [arg verbose]] [opt [arg supported]]] | | > > | 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 | [def "[var session_cache_mode] [arg mode]"] Server cache mode (client, server, or both). [list_end] [call [cmd tls::ciphers] [opt [arg protocol]] [opt [arg verbose]] [opt [arg supported]]] Without any options, it returns a list of all symmetric ciphers for use with the [arg -cipher] option. With [arg protocol], only the ciphers supported for that protocol are returned. See the [cmd tls::protocols] command for the supported protocols. If [arg verbose] is specified as true then a verbose, human readable list is returned with additional information on the cipher. If [arg supported] is specified as true, then only the ciphers supported for protocol will be listed. The [arg supported] arg is new for TclTLS 1.8. [call [cmd tls::protocols]] Returns a list of the supported SSL/TLS protocols. Valid values are: [const ssl2], [const ssl3], [const tls1], [const tls1.1], [const tls1.2], and [const tls1.3]. Exact list depends on OpenSSL version and compile time flags. This command is new for TclTLS 1.8. [call [cmd tls::version]] Returns the OpenSSL version string. [list_end] |
520 521 522 523 524 525 526 | In order to provide authentication, i.e. ensuring someone is who they say they are, the public key and user identification info is stored in a X.509 certificate and that certificate is authenticated (i.e. signed) by a Certificate Authority (CA). Users can then exchange these certificates during the TLS initialization process and check them against the root CA certificates to ensure they are valid. This is handled by OpenSSL via the [option -request] and [option -require] options. See the [option -cadir], [option -cadir], and | | | | > | < > > | | | > > | | 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 | In order to provide authentication, i.e. ensuring someone is who they say they are, the public key and user identification info is stored in a X.509 certificate and that certificate is authenticated (i.e. signed) by a Certificate Authority (CA). Users can then exchange these certificates during the TLS initialization process and check them against the root CA certificates to ensure they are valid. This is handled by OpenSSL via the [option -request] and [option -require] options. See the [option -cadir], [option -cadir], and [option -castore] options for how to specify where to find the CA certificates. Optionally, in a future release, they can also be checked against the Certificate Revocation List (CRL) of revoked certificates. Certificates can also be self-signed, but they are by default not trusted unless you add them to your certificate store. [para] Typically when visiting web sites, only the client needs to check the server's certificate to ensure it is valid. The server doesn't need to check the client certificate unless you need to authenticate with them to login, etc. See the [option -cert] and [option -certfile] options if you need to provide a certificate. [subsection "Summary of command line options"] The following options are used for peer certificate validation: [list_begin options] [opt_def -cadir [arg directory]] Specifies the directory where the Certificate Authority (CA) certificates are stored. The default is platform specific, but is usually [file /etc/ssl/certs] on Linux/Unix systems. The default location can be overridden by the [var SSL_CERT_DIR] environment variable. [opt_def -cafile [arg filename]] Specifies the file with the Certificate Authority (CA) certificates to use in [const PEM] file format. The default is [file cert.pem], in the OpenSSL directory. On Linux/Unix systems, this is usually [file /etc/ssl/ca-bundle.pem]. The default file can be overridden by the [var SSL_CERT_FILE] environment variable. [opt_def -castore [arg URI]] Specifies the Uniform Resource Identifier (URI) for the Certificate Authority (CA) store, which may be a single container or a catalog of containers. Starting with OpenSSL 3.2 on MS Windows, set to "[const "org.openssl.winstore://"]" to use the built-in MS Windows Certificate Store. Starting in TclTLS 2.0, this is the default if [option -cadir], [option -cadir], and [option -castore] are not specified. This store only supports root certificate stores. [opt_def -request [arg bool]] Request a certificate from the peer during the SSL handshake. This is needed to do Certificate Validation. Starting in TclTLS 1.8, the default is [const true]. Starting in TclTLS 2.0, if set to [const false] and [option -require] is [const true], then this will be overridden to [const true]. In addition, the client can manually inspect and accept or reject each certificate using the [option -validatecommand] option. [opt_def -require [arg bool]] Require a valid certificate from the peer during the SSL handshake. If this is set to true, then [option -request] must also be set to true and a either [option -cadir], [option -cafile], [option -castore], or a platform default must be provided in order to validate against. The default in TclTLS 1.8 and earlier versions is [const false] since not all platforms have certificates to validate against in a form compatible with OpenSSL. Starting in TclTLS 2.0, the default is [const true]. [list_end] [subsection "When are command line options needed?"] In TclTLS 1.8 and earlier versions, certificate validation is [emph NOT] enabled by default. This limitation is due to the lack of a common cross platform database of Certificate Authority (CA) provided certificates to validate against. Many Linux systems natively support OpenSSL and thus have these certificates installed as part of the OS, but MacOS and MS Windows do not. Staring in TclTLS 2.0, this has been changed to require certificate validation by default. In order to use the [option -require] option, one of the following must be true: [list_begin itemized] [item] On Linux and Unix systems with OpenSSL already installed or if the CA certificates are available in PEM format, and if they are stored in the |
604 605 606 607 608 609 610 611 612 613 614 615 616 617 | [var SSL_CERT_FILE] environment variables or the one of the [option -cadir], [option -cadir], or [option -castore] options must be defined. [item] On MS Windows, starting in OpenSSL 3.2, it is now possible to access the built-in Windows Certificate Store from OpenSSL. This can utilized by setting the [option -castore] option to "[const org.openssl.winstore://]". [item] If OpenSSL is not installed or the CA certificates are not available in PEM format, the CA certificates must be downloaded and installed with the user software. The CURL team makes them available at [uri "https://curl.se/docs/caextract.html" "CA certificates extracted from Mozilla"] in the [file cacert.pem] file. You must then either set the | > > | 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 | [var SSL_CERT_FILE] environment variables or the one of the [option -cadir], [option -cadir], or [option -castore] options must be defined. [item] On MS Windows, starting in OpenSSL 3.2, it is now possible to access the built-in Windows Certificate Store from OpenSSL. This can utilized by setting the [option -castore] option to "[const org.openssl.winstore://]". In TclTLS 2.0, this is the default value if [option -cadir], [option -cadir], and [option -castore] are not specified. [item] If OpenSSL is not installed or the CA certificates are not available in PEM format, the CA certificates must be downloaded and installed with the user software. The CURL team makes them available at [uri "https://curl.se/docs/caextract.html" "CA certificates extracted from Mozilla"] in the [file cacert.pem] file. You must then either set the |
760 761 762 763 764 765 766 | [list_begin options] [opt_def alpn [arg "channelId protocol match"]] For servers, this form of callback is invoked when the client ALPN extension is received. If [arg match] is true, then [arg protocol] is the first [option -alpn] protocol option in common to both the client and server. If not, the first client specified protocol is used. This callback is called | | | | | 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 | [list_begin options] [opt_def alpn [arg "channelId protocol match"]] For servers, this form of callback is invoked when the client ALPN extension is received. If [arg match] is true, then [arg protocol] is the first [option -alpn] protocol option in common to both the client and server. If not, the first client specified protocol is used. This callback is called after the Hello and SNI callbacks. [opt_def hello [arg "channelId servername"]] For servers, this form of callback is invoked during client hello message processing. The purpose is so the server can select the appropriate certificate to present to the client, and to make other configuration adjustments relevant to that server name and its configuration. It is called before the SNI and ALPN callbacks. [opt_def sni [arg "channelId servername"]] For servers, this form of callback is invoked when the Server Name Indication (SNI) extension is received. The [arg servername] argument is the client provided server name specified in the [option -servername] option. The purpose is so when a server supports multiple names, the right certificate can be used. It is called after the Hello callback but before the ALPN callback. [opt_def verify [arg "channelId depth cert status error"]] This form of callback is invoked by OpenSSL when a new certificate is received from the peer. It allows the client to check the certificate verification results and choose whether to continue or not. It is called for each certificate in the certificate chain. This callback was moved from |
858 859 860 861 862 863 864 | option is set to [cmd tls::validate_command]. [para] [emph "The use of the variable [var tls::debug] is not recommended. It may be removed from future releases."] | | | | | 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 | option is set to [cmd tls::validate_command]. [para] [emph "The use of the variable [var tls::debug] is not recommended. It may be removed from future releases."] [section "Examples"] The following are example scripts to download a webpage and file using the http package. See [sectref "Certificate Validation"] for when the [option -cadir], [option -cafile], and [option -castore] options are also needed. See the [file demos] directory for more example scripts. [para] Example #1: Download a web page [example { |
926 927 928 929 930 931 932 | }] [section "Special Considerations"] The capabilities of this package can vary enormously based upon how the linked to OpenSSL library was configured and built. New versions may obsolete older protocol versions, add or remove ciphers, change default values, etc. | | | 978 979 980 981 982 983 984 985 986 987 988 | }] [section "Special Considerations"] The capabilities of this package can vary enormously based upon how the linked to OpenSSL library was configured and built. New versions may obsolete older protocol versions, add or remove ciphers, change default values, etc. Use the [cmd tls::protocols] command to obtain the supported protocol versions. [manpage_end] |
Modified doc/tls.n
from [1a60ba709a]
to [77aa310980].
1 2 3 4 5 6 | '\" '\" Generated from file 'tls\&.man' by tcllib/doctools with format 'nroff' '\" Copyright (c) 1999 Matt Newman '\" Copyright (c) 2004 Starfish Systems '\" Copyright (c) 2024 Brian O'Hagan '\" | | | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 | '\" '\" Generated from file 'tls\&.man' by tcllib/doctools with format 'nroff' '\" Copyright (c) 1999 Matt Newman '\" Copyright (c) 2004 Starfish Systems '\" Copyright (c) 2024 Brian O'Hagan '\" .TH "tls" n 2\&.0b1 tls "Tcl TLS extension" .\" The -*- nroff -*- definitions below are for supplemental macros used .\" in Tcl/Tk manual entries. .\" .\" .AP type name in/out ?indent? .\" Start paragraph describing an argument to a library procedure. .\" type is type of argument (int, etc.), in/out is either "in", "out", .\" or "in/out" to describe whether procedure reads or modifies arg, |
274 275 276 277 278 279 280 | .. .BS .SH NAME tls \- binding to the OpenSSL library for encrypted socket and I/O channel communications .SH SYNOPSIS package require \fBTcl 8\&.5-\fR .sp | | | 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 | .. .BS .SH NAME tls \- binding to the OpenSSL library for encrypted socket and I/O channel communications .SH SYNOPSIS package require \fBTcl 8\&.5-\fR .sp package require \fBtls 2\&.0b1\fR .sp \fBtls::init\fR ?\fI-option\fR? ?\fIvalue\fR? ?\fI-option value \&.\&.\&.\fR? .sp \fBtls::socket\fR ?\fI-option\fR? ?\fIvalue\fR? ?\fI-option value \&.\&.\&.\fR? \fIhost\fR \fIport\fR .sp \fBtls::socket\fR \fB-server\fR \fIcommand\fR ?\fI-option\fR? ?\fIvalue\fR? ?\fI-option value \&.\&.\&.\fR? \fIport\fR .sp |
303 304 305 306 307 308 309 | \fBtls::version\fR .sp .BE .SH DESCRIPTION This extension provides TCL script access to secure socket communications using the Transport Layer Security (TLS) protocol\&. It provides a generic binding to \fIOpenSSL\fR [https://www\&.openssl\&.org/], utilizing the | | | > > > < < < | > > | | | | | > > | | | > | 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 | \fBtls::version\fR .sp .BE .SH DESCRIPTION This extension provides TCL script access to secure socket communications using the Transport Layer Security (TLS) protocol\&. It provides a generic binding to \fIOpenSSL\fR [https://www\&.openssl\&.org/], utilizing the \fBTcl_StackChannel\fR API in TCL 8\&.4 or later\&. These sockets behave exactly the same as channels created using the built-in \fBsocket\fR command, but provide additional options for controlling the SSL/TLS session\&. .SH COMPATIBILITY This extension is compatible with OpenSSL 1\&.1\&.1 or later\&. It requires Tcl version 8\&.5 or later and will work with Tcl 9\&.0\&. .SH COMMANDS The following are the commands provided by the TcLTLS package\&. See the \fBExamples\fR for example usage and the "\fIdemos\fR" directory for more example usage\&. .TP \fBtls::init\fR ?\fI-option\fR? ?\fIvalue\fR? ?\fI-option value \&.\&.\&.\fR? Optional function to set the default options used by \fBtls::socket\fR\&. If you call \fBtls::import\fR directly, the values set by this command have no effect\&. This command supports all of the same options as the \fBtls::socket\fR command, though you should limit your options to only the TLS related ones\&. .TP \fBtls::socket\fR ?\fI-option\fR? ?\fIvalue\fR? ?\fI-option value \&.\&.\&.\fR? \fIhost\fR \fIport\fR This is a helper function that utilizes the underlying commands \fBsocket\fR and \fBtls::import\fR to create the connection\&. It behaves the same as the native TCL \fBsocket\fR command, but also supports the \fBtls::import\fR command options with one additional option\&. It returns the channel handle id for the new socket\&. .RS .TP \fB-autoservername\fR \fIbool\fR If \fBtrue\fR, automatically set the \fB-servername\fR argument to the \fIhost\fR argument\&. Prior to TclTLS 2\&.0, the default is \fBfalse\fR\&. Starting in TclTLS 2\&.0, the default is \fBtrue\fR unless \fB-servername\fR is also specified\&. .RE .TP \fBtls::socket\fR \fB-server\fR \fIcommand\fR ?\fI-option\fR? ?\fIvalue\fR? ?\fI-option value \&.\&.\&.\fR? \fIport\fR Same as previous, but instead creates a server socket for clients to connect to just like the Tcl \fBsocket -server\fR command\&. It returns the channel handle id for the new socket\&. .TP \fBtls::import\fR \fIchannel\fR ?\fI-option\fR? ?\fIvalue\fR? ?\fI-option value \&.\&.\&.\fR? Start TLS encryption on TCL channel \fIchannel\fR via a stacked channel\&. It need not be a socket, but must provide bi-directional flow\&. Also sets session parameters for SSL handshake\&. Valid options are: .RS .TP \fB-alpn\fR \fIlist\fR List of protocols to offer during Application-Layer Protocol Negotiation (ALPN)\&. For example: \fBh2\fR and \fBhttp/1\&.1\fR, but not \fBh3\fR or \fBquic\fR\&. This option is new for TclTLS 1\&.8\&. .TP \fB-cadir\fR \fIdirectory\fR Specifies the directory where the Certificate Authority (CA) certificates are stored\&. The default is platform specific and can be set at compile time\&. The default location can be overridden by the \fBSSL_CERT_DIR\fR environment variable\&. See \fBCertificate Validation\fR for more details\&. .TP \fB-cafile\fR \fIfilename\fR Specifies the file with the Certificate Authority (CA) certificates to use in \fBPEM\fR file format\&. The default is "\fIcert\&.pem\fR", in the OpenSSL directory\&. The default file can be overridden by the \fBSSL_CERT_FILE\fR environment variable\&. See \fBCertificate Validation\fR for more details\&. .TP \fB-castore\fR \fIURI\fR Specifies the Uniform Resource Identifier (URI) for the Certificate Authority (CA) store, which may be a single container or a catalog of containers\&. Starting with OpenSSL 3\&.2 on MS Windows, set to "\fBorg\&.openssl\&.winstore://\fR" to use the built-in MS Windows Certificate Store\&. See \fBCertificate Validation\fR for more details\&. This option is new for TclTLS 1\&.8\&. .TP \fB-certfile\fR \fIfilename\fR Specifies the name of the file with the certificate to use in PEM format as the local (client or server) certificate\&. It also contains the public key\&. .TP \fB-cert\fR \fIstring\fR Specifies the certificate to use as a DER encoded string (X\&.509 DER)\&. |
391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 | documentation for the full list of valid values\&. .TP \fB-ciphersuites\fR \fIstring\fR Specifies the list of cipher suites to use for TLS 1\&.3 as a colon "\fB:\fR" separated list of cipher suite names\&. See the \fIOpenSSL\fR [https://docs\&.openssl\&.org/master/man1/openssl-ciphers/#options] documentation for the full list of valid values\&. .TP \fB-command\fR \fIcallback\fR Specifies the callback command to be invoked at several points during the handshake to pass errors, tracing information, and protocol messages\&. See \fBCallback Options\fR for more info\&. .TP \fB-dhparams\fR \fIfilename\fR Specifies the Diffie-Hellman (DH) parameters file\&. .TP \fB-keyfile\fR \fIfilename\fR Specifies the private key file\&. The default is to use the file | > | | | | | > | > > | | | > > | | | | | | | | | | | | | > > | 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 | documentation for the full list of valid values\&. .TP \fB-ciphersuites\fR \fIstring\fR Specifies the list of cipher suites to use for TLS 1\&.3 as a colon "\fB:\fR" separated list of cipher suite names\&. See the \fIOpenSSL\fR [https://docs\&.openssl\&.org/master/man1/openssl-ciphers/#options] documentation for the full list of valid values\&. This option is new for TclTLS 1\&.8\&. .TP \fB-command\fR \fIcallback\fR Specifies the callback command to be invoked at several points during the handshake to pass errors, tracing information, and protocol messages\&. See \fBCallback Options\fR for more info\&. .TP \fB-dhparams\fR \fIfilename\fR Specifies the Diffie-Hellman (DH) parameters file\&. .TP \fB-keyfile\fR \fIfilename\fR Specifies the private key file\&. The default is to use the file specified by the \fB-certfile\fR option\&. .TP \fB-key\fR \fIstring\fR Specifies the private key to use as a DER encoded string (PKCS#1 DER)\&. .TP \fB-model\fR \fIchannel\fR Force this channel to share the same \fISSL_CTX\fR structure as the specified \fIchannel\fR, and therefore share config, callbacks, etc\&. .TP \fB-password\fR \fIcallback\fR Specifies the callback command to invoke when OpenSSL needs to obtain a password\&. This is typically used to unlock the private key of a certificate\&. The callback should return a password string\&. This option has changed for TclTLS 1\&.8\&. See \fBCallback Options\fR for more info\&. .TP \fB-post_handshake\fR \fIbool\fR Allow post-handshake session ticket updates\&. This option is new for TclTLS 1\&.8\&. .TP \fB-request\fR \fIbool\fR Request a certificate from the peer during the SSL handshake\&. This is needed to do Certificate Validation\&. Starting in TclTLS 1\&.8, the default is \fBtrue\fR\&. Starting in TclTLS 2\&.0, if set to \fBfalse\fR and \fB-require\fR is \fBtrue\fR, then this will be overridden to \fBtrue\fR\&. See \fBCertificate Validation\fR for more details\&. .TP \fB-require\fR \fIbool\fR Require a valid certificate from the peer during the SSL handshake\&. If this is set to true, then \fB-request\fR must also be set to true and a either \fB-cadir\fR, \fB-cafile\fR, \fB-castore\fR, or a platform default must be provided in order to validate against\&. The default in TclTLS 1\&.8 and earlier versions is \fBfalse\fR since not all platforms have certificates to validate against in a form compatible with OpenSSL\&. Starting in TclTLS 2\&.0, the default is \fBtrue\fR\&. See \fBCertificate Validation\fR for more details\&. .TP \fB-security_level\fR \fIinteger\fR Specifies the security level (value from 0 to 5)\&. The security level affects the allowed cipher suite encryption algorithms, supported ECC curves, supported signature algorithms, DH parameter sizes, certificate key sizes and signature algorithms\&. The default is 1 prior to OpenSSL 3\&.2 and 2 thereafter\&. Level 3 and higher disable support for session tickets and only accept cipher suites that provide forward secrecy\&. This option is new for TclTLS 1\&.8\&. .TP \fB-server\fR \fIbool\fR Specifies whether to act as a server and respond with a server handshake when a client connects and provides a client handshake\&. The default is \fBfalse\fR\&. .TP \fB-servername\fR \fIhostname\fR Specify the peer's hostname\&. This is used to set the TLS Server Name Indication (SNI) extension\&. Set this to the expected servername in the server's certificate or one of the Subject Alternate Names (SAN)\&. Starting in TclTLS 2\&.0, this will default to the host for the \fBtls::socket\fR command\&. .TP \fB-session_id\fR \fIbinary_string\fR Specifies the session id to resume a session\&. Not supported yet\&. This option is new for TclTLS 1\&.8\&. .TP \fB-ssl2\fR \fIbool\fR Enable use of SSL v2\&.The default is \fBfalse\fR\&. OpenSSL 1\&.1+ no longer supports SSL v2, so this may not have any effect\&. See the \fBtls::protocols\fR command for supported protocols\&. .TP \fB-ssl3\fR \fIbool\fR Enable use of SSL v3\&. The default is \fBfalse\fR\&. Starting in TclTLS 1\&.8, use of SSL v3 if only available via a compile time option\&. See the \fBtls::protocols\fR command for supported protocols\&. .TP \fB-tls1\fR \fIbool\fR Enable use of TLS v1\&. Starting in TclTLS 2\&.0, the default is \fBfalse\fR\&. Note: TLS 1\&.0 needs SHA1 to operate, which is only available in security level 0 for Open SSL 3\&.0+\&. See the \fB-security_level\fR option\&. .TP \fB-tls1\&.1\fR \fIbool\fR Enable use of TLS v1\&.1\&. Starting in TclTLS 2\&.0, the default is \fBfalse\fR\&. Note: TLS 1\&.1 needs SHA1 to operate, which is only available in security level 0 for Open SSL 3\&.0+\&. See the \fB-security_level\fR option\&. .TP \fB-tls1\&.2\fR \fIbool\fR Enable use of TLS v1\&.2\&. The default is \fBtrue\fR\&. .TP \fB-tls1\&.3\fR \fIbool\fR Enable use of TLS v1\&.3\&. The default is \fBtrue\fR\&. This is only available starting with OpenSSL 1\&.1\&.1 and TclTLS 1\&.7\&. .TP \fB-validatecommand\fR \fIcallback\fR Specifies the callback command to invoke to validate the peer certificates and other config info during the protocol negotiation phase\&. This can be used by TCL scripts to perform their own Certificate Validation to supplement the default validation provided by OpenSSL\&. The script must return a boolean true to continue the negotiation\&. See \fBCallback Options\fR for more info\&. This option is new for TclTLS 1\&.8\&. .RE .TP \fBtls::unimport\fR \fIchannel\fR Compliment to \fBtls::import\fR\&. Used to remove the top level stacked channel from \fIchannel\fR\&. This unstacks the encryption of a regular TCL channel\&. An error is thrown if TLS is not the top stacked channel type\&. .TP |
511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 | values include: .sp SSL Status .RS .TP \fBalpn\fR \fIprotocol\fR The protocol selected after Application-Layer Protocol Negotiation (ALPN)\&. .TP \fBcipher\fR \fIcipher\fR The current cipher in use for the session\&. .TP \fBpeername\fR \fIname\fR The peername from the certificate\&. .TP \fBprotocol\fR \fIversion\fR | > > | > > > > > > > > > > > > > > > > > > > > > > > > > > > | > | 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 | values include: .sp SSL Status .RS .TP \fBalpn\fR \fIprotocol\fR The protocol selected after Application-Layer Protocol Negotiation (ALPN)\&. This value is new for TclTLS 1\&.8\&. .TP \fBcipher\fR \fIcipher\fR The current cipher in use for the session\&. .TP \fBpeername\fR \fIname\fR The peername from the certificate\&. This value is new for TclTLS 1\&.8\&. .TP \fBprotocol\fR \fIversion\fR The protocol version used for the connection: SSL2, SSL3, TLS1, TLS1\&.1, TLS1\&.2, TLS1\&.3, or unknown\&. This value is new for TclTLS 1\&.8\&. .TP \fBsbits\fR \fIn\fR The number of bits used for the session key\&. .TP \fBsignatureHashAlgorithm\fR \fIalgorithm\fR The signature hash algorithm\&. This value is new for TclTLS 1\&.8\&. .TP \fBsignatureType\fR \fItype\fR The signature type value\&. This value is new for TclTLS 1\&.8\&. .TP \fBverifyDepth\fR \fIn\fR Maximum depth for the certificate chain verification\&. Default is -1, to check all\&. This value is new for TclTLS 1\&.8\&. .TP \fBverifyMode\fR \fIlist\fR List of certificate verification modes\&. This value is new for TclTLS 1\&.8\&. .TP \fBverifyResult\fR \fIresult\fR Certificate verification result\&. This value is new for TclTLS 1\&.8\&. .TP \fBca_names\fR \fIlist\fR List of the Certificate Authorities used to create the certificate\&. This value is new for TclTLS 1\&.8\&. .RE .IP Certificate Status .RS .TP \fBall\fR \fIstring\fR Dump of all certificate info\&. This value is new for TclTLS 1\&.8\&. .TP \fBversion\fR \fIvalue\fR The certificate version\&. .TP \fBserialNumber\fR \fIstring\fR The serial number of the certificate as a hex string\&. This value was changed from serial in TclTLS 1\&.8\&. .TP \fBsignature\fR \fIalgorithm\fR Cipher algorithm used for certificate signature\&. This value is new for TclTLS 1\&.8\&. .TP \fBissuer\fR \fIstring\fR The distinguished name (DN) of the certificate issuer\&. .TP \fBnotBefore\fR \fIdate\fR The beginning date of the certificate validity\&. .TP \fBnotAfter\fR \fIdate\fR The expiration date of the certificate validity\&. .TP \fBsubject\fR \fIstring\fR The distinguished name (DN) of the certificate subject\&. Fields include: Common Name (CN), Organization (O), Locality or City (L), State or Province (S), and Country Name (C)\&. .TP \fBissuerUniqueID\fR \fIstring\fR The issuer unique id\&. This value is new for TclTLS 1\&.8\&. .TP \fBsubjectUniqueID\fR \fIstring\fR The subject unique id\&. This value is new for TclTLS 1\&.8\&. .TP \fBnum_extensions\fR \fIn\fR Number of certificate extensions\&. This value is new for TclTLS 1\&.8\&. .TP \fBextensions\fR \fIlist\fR List of certificate extension names\&. This value is new for TclTLS 1\&.8\&. .TP \fBauthorityKeyIdentifier\fR \fIstring\fR Authority Key Identifier (AKI) of the Issuing CA certificate that signed the SSL certificate as a hex string\&. This value matches the SKI value of the Intermediate CA certificate\&. This value is new for TclTLS 1\&.8\&. .TP \fBsubjectKeyIdentifier\fR \fIstring\fR Subject Key Identifier (SKI) hash of the public key inside the certificate as a hex string\&. Used to identify certificates that contain a particular public key\&. This value is new for TclTLS 1\&.8\&. .TP \fBsubjectAltName\fR \fIlist\fR List of all of the Subject Alternative Names (SAN) including domain names, sub domains, and IP addresses that are secured by the certificate\&. This value is new for TclTLS 1\&.8\&. .TP \fBocsp\fR \fIlist\fR List of all Online Certificate Status Protocol (OCSP) URLs that can be used to check the validity of this certificate\&. This value is new for TclTLS 1\&.8\&. .TP \fBcertificate\fR \fIcert\fR The PEM encoded certificate\&. .TP \fBsignatureAlgorithm\fR \fIalgorithm\fR Cipher algorithm used for the certificate signature\&. This value is new for TclTLS 1\&.8\&. .TP \fBsignatureValue\fR \fIstring\fR Certificate signature as a hex string\&. This value is new for TclTLS 1\&.8\&. .TP \fBsignatureDigest\fR \fIversion\fR Certificate signing digest as a hex string\&. This value is new for TclTLS 1\&.8\&. .TP \fBpublicKeyAlgorithm\fR \fIalgorithm\fR Certificate signature public key algorithm\&. This value is new for TclTLS 1\&.8\&. .TP \fBpublicKey\fR \fIstring\fR Certificate signature public key as a hex string\&. This value is new for TclTLS 1\&.8\&. .TP \fBbits\fR \fIn\fR Number of bits used for certificate signature key\&. This value is new for TclTLS 1\&.8\&. .TP \fBself_signed\fR \fIboolean\fR Whether the certificate signature is self signed\&. This value is new for TclTLS 1\&.8\&. .TP \fBsha1_hash\fR \fIhash\fR The SHA1 hash of the certificate as a hex string\&. This value is new for TclTLS 1\&.8\&. .TP \fBsha256_hash\fR \fIhash\fR The SHA256 hash of the certificate as a hex string\&. This value is new for TclTLS 1\&.8\&. .RE .TP \fBtls::connection\fR \fIchannel\fR Returns the current connection status of an SSL channel\&. The result is a list of key-value pairs describing the connection\&. This command is new for TclTLS 1\&.8\&. Returned values include: .sp SSL Status .RS .TP \fBstate\fR \fIstate\fR State of the connection\&. .TP |
736 737 738 739 740 741 742 | Unique session master key\&. .TP \fBsession_cache_mode\fR \fImode\fR Server cache mode (client, server, or both)\&. .RE .TP \fBtls::ciphers\fR ?\fIprotocol\fR? ?\fIverbose\fR? ?\fIsupported\fR? | | > > | 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 | Unique session master key\&. .TP \fBsession_cache_mode\fR \fImode\fR Server cache mode (client, server, or both)\&. .RE .TP \fBtls::ciphers\fR ?\fIprotocol\fR? ?\fIverbose\fR? ?\fIsupported\fR? Without any options, it returns a list of all symmetric ciphers for use with the \fI-cipher\fR option\&. With \fIprotocol\fR, only the ciphers supported for that protocol are returned\&. See the \fBtls::protocols\fR command for the supported protocols\&. If \fIverbose\fR is specified as true then a verbose, human readable list is returned with additional information on the cipher\&. If \fIsupported\fR is specified as true, then only the ciphers supported for protocol will be listed\&. The \fIsupported\fR arg is new for TclTLS 1\&.8\&. .TP \fBtls::protocols\fR Returns a list of the supported SSL/TLS protocols\&. Valid values are: \fBssl2\fR, \fBssl3\fR, \fBtls1\fR, \fBtls1\&.1\fR, \fBtls1\&.2\fR, and \fBtls1\&.3\fR\&. Exact list depends on OpenSSL version and compile time flags\&. This command is new for TclTLS 1\&.8\&. .TP \fBtls::version\fR Returns the OpenSSL version string\&. .PP .SH "CERTIFICATE VALIDATION" .SS "PKI AND CERTIFICATES" Using the Public Key Infrastructure (PKI), each user creates a private key that |
770 771 772 773 774 775 776 | In order to provide authentication, i\&.e\&. ensuring someone is who they say they are, the public key and user identification info is stored in a X\&.509 certificate and that certificate is authenticated (i\&.e\&. signed) by a Certificate Authority (CA)\&. Users can then exchange these certificates during the TLS initialization process and check them against the root CA certificates to ensure they are valid\&. This is handled by OpenSSL via the \fB-request\fR and \fB-require\fR options\&. See the \fB-cadir\fR, \fB-cadir\fR, and | | | 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 | In order to provide authentication, i\&.e\&. ensuring someone is who they say they are, the public key and user identification info is stored in a X\&.509 certificate and that certificate is authenticated (i\&.e\&. signed) by a Certificate Authority (CA)\&. Users can then exchange these certificates during the TLS initialization process and check them against the root CA certificates to ensure they are valid\&. This is handled by OpenSSL via the \fB-request\fR and \fB-require\fR options\&. See the \fB-cadir\fR, \fB-cadir\fR, and \fB-castore\fR options for how to specify where to find the CA certificates\&. Optionally, in a future release, they can also be checked against the Certificate Revocation List (CRL) of revoked certificates\&. Certificates can also be self-signed, but they are by default not trusted unless you add them to your certificate store\&. .PP Typically when visiting web sites, only the client needs to check the server's certificate to ensure it is valid\&. The server doesn't need to check the client |
800 801 802 803 804 805 806 | The default file can be overridden by the \fBSSL_CERT_FILE\fR environment variable\&. .TP \fB-castore\fR \fIURI\fR Specifies the Uniform Resource Identifier (URI) for the Certificate Authority (CA) store, which may be a single container or a catalog of containers\&. Starting with OpenSSL 3\&.2 on MS Windows, set to "\fBorg\&.openssl\&.winstore://\fR" | | > | < > > | | | > > | > > | 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 | The default file can be overridden by the \fBSSL_CERT_FILE\fR environment variable\&. .TP \fB-castore\fR \fIURI\fR Specifies the Uniform Resource Identifier (URI) for the Certificate Authority (CA) store, which may be a single container or a catalog of containers\&. Starting with OpenSSL 3\&.2 on MS Windows, set to "\fBorg\&.openssl\&.winstore://\fR" to use the built-in MS Windows Certificate Store\&. Starting in TclTLS 2\&.0, this is the default if \fB-cadir\fR, \fB-cadir\fR, and \fB-castore\fR are not specified\&. This store only supports root certificate stores\&. .TP \fB-request\fR \fIbool\fR Request a certificate from the peer during the SSL handshake\&. This is needed to do Certificate Validation\&. Starting in TclTLS 1\&.8, the default is \fBtrue\fR\&. Starting in TclTLS 2\&.0, if set to \fBfalse\fR and \fB-require\fR is \fBtrue\fR, then this will be overridden to \fBtrue\fR\&. In addition, the client can manually inspect and accept or reject each certificate using the \fB-validatecommand\fR option\&. .TP \fB-require\fR \fIbool\fR Require a valid certificate from the peer during the SSL handshake\&. If this is set to true, then \fB-request\fR must also be set to true and a either \fB-cadir\fR, \fB-cafile\fR, \fB-castore\fR, or a platform default must be provided in order to validate against\&. The default in TclTLS 1\&.8 and earlier versions is \fBfalse\fR since not all platforms have certificates to validate against in a form compatible with OpenSSL\&. Starting in TclTLS 2\&.0, the default is \fBtrue\fR\&. .PP .SS "WHEN ARE COMMAND LINE OPTIONS NEEDED?" In TclTLS 1\&.8 and earlier versions, certificate validation is \fINOT\fR enabled by default\&. This limitation is due to the lack of a common cross platform database of Certificate Authority (CA) provided certificates to validate against\&. Many Linux systems natively support OpenSSL and thus have these certificates installed as part of the OS, but MacOS and MS Windows do not\&. Staring in TclTLS 2\&.0, this has been changed to require certificate validation by default\&. In order to use the \fB-require\fR option, one of the following must be true: .IP \(bu On Linux and Unix systems with OpenSSL already installed or if the CA certificates are available in PEM format, and if they are stored in the standard locations, or if the \fBSSL_CERT_DIR\fR or \fBSSL_CERT_FILE\fR environment variables are set, then \fB-cadir\fR, \fB-cadir\fR, and \fB-castore\fR aren't needed\&. .IP \(bu If OpenSSL is not installed in the default location, or when using Mac OS or MS Windows and OpenSSL is installed, the \fBSSL_CERT_DIR\fR and/or \fBSSL_CERT_FILE\fR environment variables or the one of the \fB-cadir\fR, \fB-cadir\fR, or \fB-castore\fR options must be defined\&. .IP \(bu On MS Windows, starting in OpenSSL 3\&.2, it is now possible to access the built-in Windows Certificate Store from OpenSSL\&. This can utilized by setting the \fB-castore\fR option to "\fBorg\&.openssl\&.winstore://\fR"\&. In TclTLS 2\&.0, this is the default value if \fB-cadir\fR, \fB-cadir\fR, and \fB-castore\fR are not specified\&. .IP \(bu If OpenSSL is not installed or the CA certificates are not available in PEM format, the CA certificates must be downloaded and installed with the user software\&. The CURL team makes them available at \fICA certificates extracted from Mozilla\fR [https://curl\&.se/docs/caextract\&.html] in the "\fIcacert\&.pem\fR" file\&. You must then either set the \fBSSL_CERT_DIR\fR and/or \fBSSL_CERT_FILE\fR environment variables or the |
971 972 973 974 975 976 977 | continue the connection, it should return 2\&. This callback is new for TclTLS 1\&.8\&. .TP \fBalpn\fR \fIchannelId protocol match\fR For servers, this form of callback is invoked when the client ALPN extension is received\&. If \fImatch\fR is true, then \fIprotocol\fR is the first \fB-alpn\fR protocol option in common to both the client and server\&. If not, the first client specified protocol is used\&. This callback is called | | | | | 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 | continue the connection, it should return 2\&. This callback is new for TclTLS 1\&.8\&. .TP \fBalpn\fR \fIchannelId protocol match\fR For servers, this form of callback is invoked when the client ALPN extension is received\&. If \fImatch\fR is true, then \fIprotocol\fR is the first \fB-alpn\fR protocol option in common to both the client and server\&. If not, the first client specified protocol is used\&. This callback is called after the Hello and SNI callbacks\&. .TP \fBhello\fR \fIchannelId servername\fR For servers, this form of callback is invoked during client hello message processing\&. The purpose is so the server can select the appropriate certificate to present to the client, and to make other configuration adjustments relevant to that server name and its configuration\&. It is called before the SNI and ALPN callbacks\&. .TP \fBsni\fR \fIchannelId servername\fR For servers, this form of callback is invoked when the Server Name Indication (SNI) extension is received\&. The \fIservername\fR argument is the client provided server name specified in the \fB-servername\fR option\&. The purpose is so when a server supports multiple names, the right certificate can be used\&. It is called after the Hello callback but before the ALPN callback\&. .TP \fBverify\fR \fIchannelId depth cert status error\fR This form of callback is invoked by OpenSSL when a new certificate is received from the peer\&. It allows the client to check the certificate verification results and choose whether to continue or not\&. It is called for each certificate in the certificate chain\&. This callback was moved from |
1052 1053 1054 1055 1056 1057 1058 | The default value is 0 with higher values producing more diagnostic output, and will also force the verify method in \fBtls::callback\fR to accept the certificate, even if it is invalid when the \fB-validatecommand\fR option is set to \fBtls::validate_command\fR\&. .PP \fIThe use of the variable \fBtls::debug\fR is not recommended\&. It may be removed from future releases\&.\fR | | | | | 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 | The default value is 0 with higher values producing more diagnostic output, and will also force the verify method in \fBtls::callback\fR to accept the certificate, even if it is invalid when the \fB-validatecommand\fR option is set to \fBtls::validate_command\fR\&. .PP \fIThe use of the variable \fBtls::debug\fR is not recommended\&. It may be removed from future releases\&.\fR .SH EXAMPLES The following are example scripts to download a webpage and file using the http package\&. See \fBCertificate Validation\fR for when the \fB-cadir\fR, \fB-cafile\fR, and \fB-castore\fR options are also needed\&. See the "\fIdemos\fR" directory for more example scripts\&. .PP Example #1: Download a web page .CS package require http |
1118 1119 1120 1121 1122 1123 1124 | ::http::cleanup $token .CE .SH "SPECIAL CONSIDERATIONS" The capabilities of this package can vary enormously based upon how the linked to OpenSSL library was configured and built\&. New versions may obsolete older protocol versions, add or remove ciphers, change default values, etc\&. | | | 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 | ::http::cleanup $token .CE .SH "SPECIAL CONSIDERATIONS" The capabilities of this package can vary enormously based upon how the linked to OpenSSL library was configured and built\&. New versions may obsolete older protocol versions, add or remove ciphers, change default values, etc\&. Use the \fBtls::protocols\fR command to obtain the supported protocol versions\&. .SH "SEE ALSO" \fIOpenSSL\fR [https://www\&.openssl\&.org/], http, socket .SH KEYWORDS I/O, IP Address, OpenSSL, SSL, TCP, TLS, TclTLS, asynchronous I/O, bind, certificate, channel, connection, domain name, host, https, network, network address, socket, tls .SH CATEGORY tls |
Modified generic/tls.c
from [9f3b154f0e]
to [3599afe66c].
80 81 82 83 84 85 86 | * 1 = Command returned success or eval returned TCL_OK * * Side effects: * Evaluates callback command * *------------------------------------------------------------------- */ | | | 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 | * 1 = Command returned success or eval returned TCL_OK * * Side effects: * Evaluates callback command * *------------------------------------------------------------------- */ static int EvalCallback( Tcl_Interp *interp, /* Tcl interpreter */ State *statePtr, /* Client state for TLS socket */ Tcl_Obj *cmdPtr) /* Command to eval as a Tcl object */ { int code, ok = 0; |
135 136 137 138 139 140 141 | * None * * Side effects: * Calls callback (if defined) * *------------------------------------------------------------------- */ | | | 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 | * None * * Side effects: * Calls callback (if defined) * *------------------------------------------------------------------- */ static void InfoCallback( const SSL *ssl, /* SSL context */ int where, /* Source of info */ int ret) /* message enum */ { State *statePtr = (State*)SSL_get_app_data((SSL *)ssl); |
212 213 214 215 216 217 218 | * None * * Side effects: * Calls callback (if defined) * *------------------------------------------------------------------- */ | | | 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 | * None * * Side effects: * Calls callback (if defined) * *------------------------------------------------------------------- */ #ifndef OPENSSL_NO_SSL_TRACE static void MessageCallback( int write_p, /* Message 0=received, 1=sent */ int version, /* TLS version */ int content_type, /* Protocol content type */ const void *buf, /* Protocol message */ |
362 363 364 365 366 367 368 | * * Side effects: * The err field of the currently operative State is set * to a string describing the SSL negotiation failure reason * *------------------------------------------------------------------- */ | | | 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 | * * Side effects: * The err field of the currently operative State is set * to a string describing the SSL negotiation failure reason * *------------------------------------------------------------------- */ static int VerifyCallback( int ok, /* Verify result */ X509_STORE_CTX *ctx) /* CTX context */ { Tcl_Obj *cmdPtr; SSL *ssl = (SSL*)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); |
432 433 434 435 436 437 438 | * * Side effects: * The err field of the currently operative State is set to a * string describing the SSL negotiation failure reason * *------------------------------------------------------------------- */ | | | 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 | * * Side effects: * The err field of the currently operative State is set to a * string describing the SSL negotiation failure reason * *------------------------------------------------------------------- */ void Tls_Error( State *statePtr, /* Client state for TLS socket */ const char *msg) /* Error message */ { Tcl_Interp *interp = statePtr->interp; Tcl_Obj *cmdPtr, *listPtr; |
490 491 492 493 494 495 496 | * Write received key data to log file. * * Side effects: * none * *------------------------------------------------------------------- */ | | | 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 | * Write received key data to log file. * * Side effects: * none * *------------------------------------------------------------------- */ void KeyLogCallback( const SSL *ssl, /* Client state for TLS socket */ const char *line) /* Key data to be logged */ { char *str = getenv(SSLKEYLOGFILE); FILE *fd; |
527 528 529 530 531 532 533 | * Calls callback (if defined) * * Returns: * Password size in bytes or -1 for an error. * *------------------------------------------------------------------- */ | | | 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 | * Calls callback (if defined) * * Returns: * Password size in bytes or -1 for an error. * *------------------------------------------------------------------- */ static int PasswordCallback( char *buf, /* Pointer to buffer to store password in */ int size, /* Buffer length in bytes */ int rwflag, /* Whether password is needed for read or write */ void *udata) /* Client state for TLS socket */ { |
612 613 614 615 616 617 618 | * * Return codes: * 0 = error where session will be immediately removed from the internal cache. * 1 = success where app retains session in session cache, and must call SSL_SESSION_free() when done. * *------------------------------------------------------------------- */ | | | 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 | * * Return codes: * 0 = error where session will be immediately removed from the internal cache. * 1 = success where app retains session in session cache, and must call SSL_SESSION_free() when done. * *------------------------------------------------------------------- */ static int SessionCallback( SSL *ssl, /* SSL context */ SSL_SESSION *session) /* Session context */ { State *statePtr = (State*)SSL_get_app_data((SSL *)ssl); Tcl_Interp *interp = statePtr->interp; |
685 686 687 688 689 690 691 | * SSL_TLSEXT_ERR_ALERT_FATAL: There was no overlap between the client's * supplied list and the server configuration. The connection will be aborted. * SSL_TLSEXT_ERR_NOACK: ALPN protocol not selected, e.g., because no ALPN * protocols are configured for this connection. The connection continues. * *------------------------------------------------------------------- */ | | | 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 | * SSL_TLSEXT_ERR_ALERT_FATAL: There was no overlap between the client's * supplied list and the server configuration. The connection will be aborted. * SSL_TLSEXT_ERR_NOACK: ALPN protocol not selected, e.g., because no ALPN * protocols are configured for this connection. The connection continues. * *------------------------------------------------------------------- */ static int ALPNCallback( SSL *ssl, /* SSL context */ const unsigned char **out, /* Return buffer to store selected protocol */ unsigned char *outlen, /* Return buffer size */ const unsigned char *in, /* Peer provided protocols */ unsigned int inlen, /* Peer buffer size */ |
760 761 762 763 764 765 766 | * * Return codes: * SSL_TLSEXT_ERR_OK: NPN protocol selected. The connection continues. * SSL_TLSEXT_ERR_NOACK: NPN protocol not selected. The connection continues. * *------------------------------------------------------------------- */ | | | 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 | * * Return codes: * SSL_TLSEXT_ERR_OK: NPN protocol selected. The connection continues. * SSL_TLSEXT_ERR_NOACK: NPN protocol not selected. The connection continues. * *------------------------------------------------------------------- */ #ifdef USE_NPN static int NPNCallback( const SSL *ssl, /* SSL context */ const unsigned char **out, /* Return buffer to store selected protocol */ unsigned int *outlen, /* Return buffer size */ void *arg) /* Client state for TLS socket */ |
815 816 817 818 819 820 821 | * SSL_TLSEXT_ERR_ALERT_WARNING: SNI hostname is not accepted, warning alert * sent (not supported in TLSv1.3). The connection continues. * SSL_TLSEXT_ERR_NOACK: SNI hostname is not accepted and not acknowledged, * e.g. if SNI has not been configured. The connection continues. * *------------------------------------------------------------------- */ | | | 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 | * SSL_TLSEXT_ERR_ALERT_WARNING: SNI hostname is not accepted, warning alert * sent (not supported in TLSv1.3). The connection continues. * SSL_TLSEXT_ERR_NOACK: SNI hostname is not accepted and not acknowledged, * e.g. if SNI has not been configured. The connection continues. * *------------------------------------------------------------------- */ static int SNICallback( const SSL *ssl, /* SSL context */ int *alert, /* Returned alert message */ void *arg) /* Client state for TLS socket */ { State *statePtr = (State*)arg; |
892 893 894 895 896 897 898 | * Return codes: * SSL_CLIENT_HELLO_RETRY: suspend the handshake, and the handshake function will return immediately * SSL_CLIENT_HELLO_ERROR: failure, terminate connection. Set alert to error code. * SSL_CLIENT_HELLO_SUCCESS: success * *------------------------------------------------------------------- */ | | | 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 | * Return codes: * SSL_CLIENT_HELLO_RETRY: suspend the handshake, and the handshake function will return immediately * SSL_CLIENT_HELLO_ERROR: failure, terminate connection. Set alert to error code. * SSL_CLIENT_HELLO_SUCCESS: success * *------------------------------------------------------------------- */ static int HelloCallback( SSL *ssl, /* SSL context */ int *alert, /* Returned alert message */ void *arg) /* Client state for TLS socket */ { State *statePtr = (State*)arg; |
993 994 995 996 997 998 999 | * A standard Tcl result list. * * Side effects: * constructs and destroys SSL context (CTX) * *------------------------------------------------------------------- */ | | | 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 | * A standard Tcl result list. * * Side effects: * constructs and destroys SSL context (CTX) * *------------------------------------------------------------------- */ static const char *protocols[] = { "ssl2", "ssl3", "tls1", "tls1.1", "tls1.2", "tls1.3", NULL }; enum protocol { TLS_SSL2, TLS_SSL3, TLS_TLS1, TLS_TLS1_1, TLS_TLS1_2, TLS_TLS1_3, TLS_NONE }; |
1346 1347 1348 1349 1350 1351 1352 | char *CAstore = NULL; char *DHparams = NULL; char *model = NULL; char *servername = NULL; /* hostname for Server Name Indication */ char *session_id = NULL; Tcl_Obj *alpn = NULL; int ssl2 = 0, ssl3 = 0; | | | | 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 | char *CAstore = NULL; char *DHparams = NULL; char *model = NULL; char *servername = NULL; /* hostname for Server Name Indication */ char *session_id = NULL; Tcl_Obj *alpn = NULL; int ssl2 = 0, ssl3 = 0; int tls1 = 0, tls1_1 = 0, tls1_2 = 1, tls1_3 = 1; int proto = 0, level = -1; int verify = 0, require = 1, request = 1, post_handshake = 0; dprintf("Called"); #if defined(NO_TLS1) || defined(OPENSSL_NO_TLS1) tls1 = 0; #endif #if defined(NO_TLS1_1) || defined(OPENSSL_NO_TLS1_1) |
1421 1422 1423 1424 1425 1426 1427 1428 1429 | OPTOBJ("-validatecommand", vcmd); OPTOBJ("-vcmd", vcmd); OPTBAD("option", "-alpn, -cadir, -cafile, -castore, -cert, -certfile, -cipher, -ciphersuites, -command, -dhparams, -key, -keyfile, -model, -password, -post_handshake, -request, -require, -security_level, -server, -servername, -session_id, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, -tls1.3, or -validatecommand"); return TCL_ERROR; } if (request) verify |= SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER; if (request && require) verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; | > | | 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 | OPTOBJ("-validatecommand", vcmd); OPTOBJ("-vcmd", vcmd); OPTBAD("option", "-alpn, -cadir, -cafile, -castore, -cert, -certfile, -cipher, -ciphersuites, -command, -dhparams, -key, -keyfile, -model, -password, -post_handshake, -request, -require, -security_level, -server, -servername, -session_id, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, -tls1.3, or -validatecommand"); return TCL_ERROR; } if (require) request = 1; if (request) verify |= SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER; if (request && require) verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; if (request && post_handshake) verify |= SSL_VERIFY_POST_HANDSHAKE; if (verify == 0) verify = SSL_VERIFY_NONE; proto |= (ssl2 ? TLS_PROTO_SSL2 : 0); proto |= (ssl3 ? TLS_PROTO_SSL3 : 0); proto |= (tls1 ? TLS_PROTO_TLS1 : 0); proto |= (tls1_1 ? TLS_PROTO_TLS1_1 : 0); proto |= (tls1_2 ? TLS_PROTO_TLS1_2 : 0); |
1609 1610 1611 1612 1613 1614 1615 | } } /* Enable Application-Layer Protocol Negotiation. Examples are: http/1.0, http/1.1, h2, h3, ftp, imap, pop3, xmpp-client, xmpp-server, mqtt, irc, etc. */ if (alpn) { /* Convert a TCL list into a protocol-list in wire-format */ | | | < | > | | > > > > > > > > > > | > | 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619 1620 1621 1622 1623 1624 1625 1626 1627 1628 1629 1630 1631 1632 1633 1634 1635 1636 1637 1638 1639 1640 1641 1642 1643 1644 1645 1646 1647 1648 1649 1650 1651 1652 1653 1654 1655 1656 1657 1658 1659 1660 1661 1662 1663 1664 1665 1666 1667 1668 1669 1670 1671 1672 1673 1674 | } } /* Enable Application-Layer Protocol Negotiation. Examples are: http/1.0, http/1.1, h2, h3, ftp, imap, pop3, xmpp-client, xmpp-server, mqtt, irc, etc. */ if (alpn) { /* Convert a TCL list into a protocol-list in wire-format */ unsigned char *protos = NULL, *p; unsigned int protos_len = 0; Tcl_Size cnt, i; int res = TCL_OK; Tcl_Obj **list; if (Tcl_ListObjGetElements(interp, alpn, &cnt, &list) != TCL_OK) { Tls_Free((tls_free_type *) statePtr); return TCL_ERROR; } /* Determine the memory required for the protocol-list */ for (i = 0; i < cnt; i++) { Tcl_GetStringFromObj(list[i], &len); if (len > 255) { Tcl_AppendResult(interp, "ALPN protocol names too long", (char *)NULL); Tcl_SetErrorCode(interp, "TLS", "IMPORT", "ALPN", "FAILED", (char *)NULL); res = TCL_ERROR; goto done; } protos_len += 1 + (int) len; } /* Build the complete protocol-list */ protos = ckalloc(protos_len); /* protocol-lists consist of 8-bit length-prefixed, byte strings */ for (i = 0, p = protos; i < cnt; i++) { char *str = Tcl_GetStringFromObj(list[i], &len); *p++ = (unsigned char) len; memcpy(p, str, (size_t) len); p += len; } /* SSL_set_alpn_protos makes a copy of the protocol-list */ /* Note: This function reverses the return value convention */ if (SSL_set_alpn_protos(statePtr->ssl, protos, protos_len)) { Tcl_AppendResult(interp, "Set ALPN protocols failed: ", GET_ERR_REASON(), (char *)NULL); Tcl_SetErrorCode(interp, "TLS", "IMPORT", "ALPN", "FAILED", (char *)NULL); res = TCL_ERROR; } done: for (i = 0; i < cnt; i++) { Tcl_IncrRefCount(list[i]); Tcl_DecrRefCount(list[i]); } if (res != TCL_OK) { Tls_Free((tls_free_type *) statePtr); if (protos != NULL) { ckfree(protos); } return TCL_ERROR; } /* Store protocols list */ statePtr->protos = protos; statePtr->protos_len = protos_len; } else { |
1842 1843 1844 1845 1846 1847 1848 | * Number of certificates loaded or 0 for none. * * Side effects: * Loads CA certificates * *------------------------------------------------------------------- */ | | | 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867 1868 | * Number of certificates loaded or 0 for none. * * Side effects: * Loads CA certificates * *------------------------------------------------------------------- */ static int TlsLoadClientCAFileFromMemory( Tcl_Interp *interp, /* Tcl interpreter */ SSL_CTX *ctx, /* CTX context */ Tcl_Obj *file) /* CA certificates filename */ { BIO *bio = NULL; |
2338 2339 2340 2341 2342 2343 2344 2345 2346 | /* Set file of CA certificates in PEM format. */ if (CAfile != NULL) { Tcl_Obj *cafileobj = Tcl_NewStringObj(CAfile, -1); Tcl_IncrRefCount(cafileobj); Tcl_Obj *fsinfo = Tcl_FSFileSystemInfo(cafileobj); if (fsinfo) { Tcl_IncrRefCount(fsinfo); | > < > > | 2350 2351 2352 2353 2354 2355 2356 2357 2358 2359 2360 2361 2362 2363 2364 2365 2366 2367 2368 2369 2370 2371 2372 2373 2374 2375 2376 2377 2378 2379 2380 2381 2382 2383 2384 2385 2386 2387 2388 2389 | /* Set file of CA certificates in PEM format. */ if (CAfile != NULL) { Tcl_Obj *cafileobj = Tcl_NewStringObj(CAfile, -1); Tcl_IncrRefCount(cafileobj); Tcl_Obj *fsinfo = Tcl_FSFileSystemInfo(cafileobj); if (fsinfo) { Tcl_Obj *fstype = NULL; Tcl_IncrRefCount(fsinfo); Tcl_ListObjIndex(interp, fsinfo, 0, &fstype); Tcl_IncrRefCount(fstype); if (Tcl_StringMatch("native", Tcl_GetString(fstype))) { if (!SSL_CTX_load_verify_file(ctx, F2N(CAfile, &ds))) { abort++; } Tcl_DStringFree(&ds); /* Set list of CAs to send to client when requesting a client certificate */ STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file(F2N(CAfile, &ds)); if (certNames != NULL) { SSL_CTX_set_client_CA_list(ctx, certNames); } Tcl_DStringFree(&ds); } else { /* Load certificate into memory */ if (!TlsLoadClientCAFileFromMemory(interp, ctx, cafileobj)) { abort++; } } Tcl_DecrRefCount(fstype); Tcl_DecrRefCount(fsinfo); } else { abort++; /* Path is not recognized */ } Tcl_DecrRefCount(cafileobj); } |
2391 2392 2393 2394 2395 2396 2397 | * A standard Tcl result. * * Side effects: * None. * *------------------------------------------------------------------- */ | | | 2405 2406 2407 2408 2409 2410 2411 2412 2413 2414 2415 2416 2417 2418 2419 | * A standard Tcl result. * * Side effects: * None. * *------------------------------------------------------------------- */ static int StatusObjCmd( TCL_UNUSED(ClientData), /* Client data */ Tcl_Interp *interp, /* Tcl interpreter */ int objc, /* Arg count */ Tcl_Obj *const objv[]) /* Arguments as Tcl objects */ { |
2798 2799 2800 2801 2802 2803 2804 | * A standard Tcl result. * * Side effects: * None. * *------------------------------------------------------------------- */ | | | 2812 2813 2814 2815 2816 2817 2818 2819 2820 2821 2822 2823 2824 2825 2826 | * A standard Tcl result. * * Side effects: * None. * *------------------------------------------------------------------- */ static int VersionObjCmd( TCL_UNUSED(ClientData), /* Client data */ Tcl_Interp *interp, /* Tcl interpreter */ TCL_UNUSED(int), /* objc - Arg count */ TCL_UNUSED(Tcl_Obj *const *)) /* objv - Arguments as Tcl objects */ { |
2829 2830 2831 2832 2833 2834 2835 | * A standard Tcl result. * * Side effects: * None. * *------------------------------------------------------------------- */ | | > | 2843 2844 2845 2846 2847 2848 2849 2850 2851 2852 2853 2854 2855 2856 2857 2858 2859 2860 2861 2862 2863 2864 2865 2866 2867 2868 2869 | * A standard Tcl result. * * Side effects: * None. * *------------------------------------------------------------------- */ static int MiscObjCmd( TCL_UNUSED(ClientData), /* Client data */ Tcl_Interp *interp, /* Tcl interpreter */ int objc, /* Arg count */ Tcl_Obj *const objv[]) /* Arguments as Tcl objects */ { static const char *commands [] = { "req", "strreq", NULL }; enum command { C_REQ, C_STRREQ, C_DUMMY }; int cmd, isStr; char buffer[16384]; int res = TCL_OK; dprintf("Called"); if (objc < 2) { Tcl_WrongNumArgs(interp, 1, objv, "subcommand ?args?"); return TCL_ERROR; } |
2866 2867 2868 2869 2870 2871 2872 | X509 *cert=NULL; X509_NAME *name=NULL; Tcl_Obj **listv; Tcl_Size listc, i; BIO *out=NULL; | | | 2881 2882 2883 2884 2885 2886 2887 2888 2889 2890 2891 2892 2893 2894 2895 | X509 *cert=NULL; X509_NAME *name=NULL; Tcl_Obj **listv; Tcl_Size listc, i; BIO *out=NULL; Tcl_Obj *k_C=NULL,*k_ST=NULL,*k_L=NULL,*k_O=NULL,*k_OU=NULL,*k_CN=NULL,*k_Email=NULL; char *keyout,*pemout,*str; int keysize,serial=0,days=365; #if OPENSSL_VERSION_NUMBER < 0x30000000L BIGNUM *bne = NULL; RSA *rsa = NULL; #else |
2899 2900 2901 2902 2903 2904 2905 | if (objc>=6) { if (Tcl_ListObjGetElements(interp, objv[5], &listc, &listv) != TCL_OK) { return TCL_ERROR; } if ((listc%2) != 0) { Tcl_SetResult(interp,"Information list must have even number of arguments",NULL); | | | | > > | | > > | > | > | > | > | > | > | > | > > > > > > > > | 2914 2915 2916 2917 2918 2919 2920 2921 2922 2923 2924 2925 2926 2927 2928 2929 2930 2931 2932 2933 2934 2935 2936 2937 2938 2939 2940 2941 2942 2943 2944 2945 2946 2947 2948 2949 2950 2951 2952 2953 2954 2955 2956 2957 2958 2959 2960 2961 2962 2963 2964 2965 2966 2967 2968 2969 2970 2971 2972 2973 2974 | if (objc>=6) { if (Tcl_ListObjGetElements(interp, objv[5], &listc, &listv) != TCL_OK) { return TCL_ERROR; } if ((listc%2) != 0) { Tcl_SetResult(interp,"Information list must have even number of arguments",NULL); res = TCL_ERROR; } for (i=0; i<listc; i+=2) { str=Tcl_GetString(listv[i]); if (strcmp(str,"days")==0) { if (Tcl_GetIntFromObj(interp,listv[i+1],&days)!=TCL_OK) { res = TCL_ERROR; break; } } else if (strcmp(str,"serial")==0) { if (Tcl_GetIntFromObj(interp,listv[i+1],&serial)!=TCL_OK) { res = TCL_ERROR; break; } } else if (strcmp(str,"C")==0) { k_C = listv[i+1]; Tcl_IncrRefCount(k_C); } else if (strcmp(str,"ST")==0) { k_ST = listv[i+1]; Tcl_IncrRefCount(k_ST); } else if (strcmp(str,"L")==0) { k_L = listv[i+1]; Tcl_IncrRefCount(k_L); } else if (strcmp(str,"O")==0) { k_O = listv[i+1]; Tcl_IncrRefCount(k_O); } else if (strcmp(str,"OU")==0) { k_OU = listv[i+1]; Tcl_IncrRefCount(k_OU); } else if (strcmp(str,"CN")==0) { k_CN = listv[i+1]; Tcl_IncrRefCount(k_CN); } else if (strcmp(str,"Email")==0) { k_Email = listv[i+1]; Tcl_IncrRefCount(k_Email); } else { Tcl_SetResult(interp,"Unknown parameter",NULL); res = TCL_ERROR; break; } } for (i=0; i<listc; i+=2) { Tcl_IncrRefCount(listv[i]); Tcl_DecrRefCount(listv[i]); } if (res != TCL_OK) { goto done; } } #if OPENSSL_VERSION_NUMBER < 0x30000000L bne = BN_new(); rsa = RSA_new(); pkey = EVP_PKEY_new(); |
2948 2949 2950 2951 2952 2953 2954 | ctx = EVP_PKEY_CTX_new(pkey,NULL); if (pkey == NULL || ctx == NULL || !EVP_PKEY_keygen_init(ctx) || !EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, keysize) || !EVP_PKEY_keygen(ctx, &pkey)) { EVP_PKEY_free(pkey); EVP_PKEY_CTX_free(ctx); #endif Tcl_SetResult(interp,"Error generating private key",NULL); | | > > > > > | 2982 2983 2984 2985 2986 2987 2988 2989 2990 2991 2992 2993 2994 2995 2996 2997 2998 2999 3000 3001 3002 | ctx = EVP_PKEY_CTX_new(pkey,NULL); if (pkey == NULL || ctx == NULL || !EVP_PKEY_keygen_init(ctx) || !EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, keysize) || !EVP_PKEY_keygen(ctx, &pkey)) { EVP_PKEY_free(pkey); EVP_PKEY_CTX_free(ctx); #endif Tcl_SetResult(interp,"Error generating private key",NULL); res = TCL_ERROR; goto done; } else { const unsigned char *string; Tcl_Size len; if (isStr) { out=BIO_new(BIO_s_mem()); PEM_write_bio_PrivateKey(out,pkey,NULL,NULL,0,NULL,NULL); i=BIO_read(out,buffer,sizeof(buffer)-1); i=(i<0) ? 0 : i; buffer[i]='\0'; Tcl_SetVar(interp,keyout,buffer,0); |
2973 2974 2975 2976 2977 2978 2979 | if ((cert=X509_new())==NULL) { Tcl_SetResult(interp,"Error generating certificate request",NULL); EVP_PKEY_free(pkey); #if OPENSSL_VERSION_NUMBER < 0x30000000L BN_free(bne); #endif | | > > > > > > > | > > > > > > > | > > > > > > > | > > > > > > > | > > > > > > > | > > > > > > > | > > > > > > > | | > | 3012 3013 3014 3015 3016 3017 3018 3019 3020 3021 3022 3023 3024 3025 3026 3027 3028 3029 3030 3031 3032 3033 3034 3035 3036 3037 3038 3039 3040 3041 3042 3043 3044 3045 3046 3047 3048 3049 3050 3051 3052 3053 3054 3055 3056 3057 3058 3059 3060 3061 3062 3063 3064 3065 3066 3067 3068 3069 3070 3071 3072 3073 3074 3075 3076 3077 3078 3079 3080 3081 3082 3083 3084 3085 3086 3087 3088 3089 3090 3091 3092 3093 3094 3095 3096 3097 3098 3099 3100 3101 3102 3103 3104 | if ((cert=X509_new())==NULL) { Tcl_SetResult(interp,"Error generating certificate request",NULL); EVP_PKEY_free(pkey); #if OPENSSL_VERSION_NUMBER < 0x30000000L BN_free(bne); #endif res = TCL_ERROR; goto done; } X509_set_version(cert,2); ASN1_INTEGER_set(X509_get_serialNumber(cert),serial); X509_gmtime_adj(X509_getm_notBefore(cert),0); X509_gmtime_adj(X509_getm_notAfter(cert),(long)60*60*24*days); X509_set_pubkey(cert,pkey); name=X509_get_subject_name(cert); if (k_C != NULL) { string = (const unsigned char *) Tcl_GetStringFromObj(k_C, &len); } else { string = NULL; len = 0; } X509_NAME_add_entry_by_txt(name,"C", MBSTRING_ASC, string, (int) len, -1, 0); if (k_ST != NULL) { string = (const unsigned char *) Tcl_GetStringFromObj(k_ST, &len); } else { string = NULL; len = 0; } X509_NAME_add_entry_by_txt(name,"ST", MBSTRING_ASC, string, (int) len, -1, 0); if (k_L != NULL) { string = (const unsigned char *) Tcl_GetStringFromObj(k_L, &len); } else { string = NULL; len = 0; } X509_NAME_add_entry_by_txt(name,"L", MBSTRING_ASC, string, (int) len, -1, 0); if (k_O != NULL) { string = (const unsigned char *) Tcl_GetStringFromObj(k_O, &len); } else { string = NULL; len = 0; } X509_NAME_add_entry_by_txt(name,"O", MBSTRING_ASC, string, (int) len, -1, 0); if (k_OU != NULL) { string = (const unsigned char *) Tcl_GetStringFromObj(k_OU, &len); } else { string = NULL; len = 0; } X509_NAME_add_entry_by_txt(name,"OU", MBSTRING_ASC, string, (int) len, -1, 0); if (k_CN != NULL) { string = (const unsigned char *) Tcl_GetStringFromObj(k_CN, &len); } else { string = NULL; len = 0; } X509_NAME_add_entry_by_txt(name,"CN", MBSTRING_ASC, string, (int) len, -1, 0); if (k_Email != NULL) { string = (const unsigned char *) Tcl_GetStringFromObj(k_Email, &len); } else { string = NULL; len = 0; } X509_NAME_add_entry_by_txt(name,"Email", MBSTRING_ASC, string, (int) len, -1, 0); X509_set_subject_name(cert,name); if (!X509_sign(cert,pkey,EVP_sha256())) { X509_free(cert); EVP_PKEY_free(pkey); #if OPENSSL_VERSION_NUMBER < 0x30000000L BN_free(bne); #endif Tcl_SetResult(interp,"Error signing certificate",NULL); res = TCL_ERROR; goto done; } if (isStr) { out=BIO_new(BIO_s_mem()); PEM_write_bio_X509(out,cert); i=BIO_read(out,buffer,sizeof(buffer)-1); i=(i<0) ? 0 : i; |
3026 3027 3028 3029 3030 3031 3032 3033 3034 3035 3036 3037 | X509_free(cert); EVP_PKEY_free(pkey); #if OPENSSL_VERSION_NUMBER < 0x30000000L BN_free(bne); #endif } } break; default: break; } | > > > > > > > > > > > > > > > > > > > > > | | 3115 3116 3117 3118 3119 3120 3121 3122 3123 3124 3125 3126 3127 3128 3129 3130 3131 3132 3133 3134 3135 3136 3137 3138 3139 3140 3141 3142 3143 3144 3145 3146 3147 3148 3149 3150 3151 3152 3153 3154 3155 | X509_free(cert); EVP_PKEY_free(pkey); #if OPENSSL_VERSION_NUMBER < 0x30000000L BN_free(bne); #endif } done: if (k_C != NULL) { Tcl_DecrRefCount(k_C); } if (k_ST != NULL) { Tcl_DecrRefCount(k_ST); } if (k_L != NULL) { Tcl_DecrRefCount(k_L); } if (k_O != NULL) { Tcl_DecrRefCount(k_O); } if (k_OU != NULL) { Tcl_DecrRefCount(k_OU); } if (k_CN != NULL) { Tcl_DecrRefCount(k_CN); } if (k_Email != NULL) { Tcl_DecrRefCount(k_Email); } } break; default: break; } return res; } /********************/ /* Init */ /********************/ /* |
3054 3055 3056 3057 3058 3059 3060 | * none * * Side effects: * Frees all the state * *------------------------------------------------------------------- */ | | | 3164 3165 3166 3167 3168 3169 3170 3171 3172 3173 3174 3175 3176 3177 3178 | * none * * Side effects: * Frees all the state * *------------------------------------------------------------------- */ void Tls_Free( tls_free_type *blockPtr) /* Client state for TLS socket */ { State *statePtr = (State *)blockPtr; dprintf("Called"); |
3085 3086 3087 3088 3089 3090 3091 | * none * * Side effects: * Frees all the state * *------------------------------------------------------------------- */ | | | 3195 3196 3197 3198 3199 3200 3201 3202 3203 3204 3205 3206 3207 3208 3209 | * none * * Side effects: * Frees all the state * *------------------------------------------------------------------- */ void Tls_Clean( State *statePtr) /* Client state for TLS socket */ { dprintf("Called"); /* * we're assuming here that we're single-threaded |
3244 3245 3246 3247 3248 3249 3250 | * A standard TCL result * * Side effects: * Shutdown SSL library * *------------------------------------------------------* */ | | | 3354 3355 3356 3357 3358 3359 3360 3361 3362 3363 3364 3365 3366 3367 3368 | * A standard TCL result * * Side effects: * Shutdown SSL library * *------------------------------------------------------* */ void TlsLibShutdown( ClientData clientData) /* Not used */ { dprintf("Called"); BIO_cleanup(); } |
3268 3269 3270 3271 3272 3273 3274 | * A standard Tcl result * * Side effects: * Initializes SSL library * *------------------------------------------------------* */ | | | 3378 3379 3380 3381 3382 3383 3384 3385 3386 3387 3388 3389 3390 3391 3392 | * A standard Tcl result * * Side effects: * Initializes SSL library * *------------------------------------------------------* */ static int TlsLibInit() { static int initialized = 0; dprintf("Called"); if (!initialized) { /* Initialize BOTH libcrypto and libssl. */ |
3376 3377 3378 3379 3380 3381 3382 | * Same as of 'Tls_Init' * * Side effects: * Same as of 'Tls_Init' * *------------------------------------------------------------------- */ | | | 3486 3487 3488 3489 3490 3491 3492 3493 3494 3495 3496 3497 3498 3499 | * Same as of 'Tls_Init' * * Side effects: * Same as of 'Tls_Init' * *------------------------------------------------------------------- */ DLLEXPORT int Tls_SafeInit( Tcl_Interp *interp) /* Tcl interpreter */ { dprintf("Called"); return Tls_Init(interp); } |
Modified generic/tlsInt.h
from [be5af53e3f]
to [02080990ee].
33 34 35 36 37 38 39 | #include <openssl/rand.h> #include <openssl/opensslv.h> /* Windows needs to know which symbols to export. */ #ifdef BUILD_tls #undef TCL_STORAGE_CLASS #define TCL_STORAGE_CLASS DLLEXPORT | | | 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 | #include <openssl/rand.h> #include <openssl/opensslv.h> /* Windows needs to know which symbols to export. */ #ifdef BUILD_tls #undef TCL_STORAGE_CLASS #define TCL_STORAGE_CLASS DLLEXPORT #endif /* BUILD_tls */ /* Handle TCL 8.6 CONST changes */ #ifndef CONST86 # if TCL_MAJOR_VERSION > 8 # define CONST86 const # else # define CONST86 |
Modified library/tls.tcl
from [48423522ec]
to [829959ddc6].
261 262 263 264 265 266 267 268 269 270 271 272 273 274 | # If an "-autoservername" option is found, honor it if {[info exists argsArray(-autoservername)] && $argsArray(-autoservername)} { if {![info exists argsArray(-servername)]} { set argsArray(-servername) $host lappend iopts -servername $host } } lappend sopts $host $port } # # Create TCP/IP socket # set chan [eval $socketCmd $sopts] | > > > > > > > | 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 | # If an "-autoservername" option is found, honor it if {[info exists argsArray(-autoservername)] && $argsArray(-autoservername)} { if {![info exists argsArray(-servername)]} { set argsArray(-servername) $host lappend iopts -servername $host } } # Use host as SNI server name without -autoservername and -servername args if {![info exists argsArray(-autoservername)] && ![info exists argsArray(-servername)]} { set argsArray(-servername) $host lappend iopts -servername $host } lappend sopts $host $port } # # Create TCP/IP socket # set chan [eval $socketCmd $sopts] |