Check-in [4e75be42e6]
Overview
Comment:Added master key, is server, and ticket lifetime to connection status. Reordered connection status results for better grouping.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | status_x509
Files: files | file ages | folders
SHA3-256: 4e75be42e6e5ef2521b67f89d3a0aaf3f2eec8e43e3e11c0e2036945dea093d4
User & Date: bohagan on 2023-06-10 21:25:00
Other Links: branch diff | manifest | tags
Context
2023-06-11
02:27
Added more X509 certificate status info, show algorithm names, list used extensions, etc. check-in: 7265279af2 user: bohagan tags: status_x509
2023-06-10
21:25
Added master key, is server, and ticket lifetime to connection status. Reordered connection status results for better grouping. check-in: 4e75be42e6 user: bohagan tags: status_x509
20:33
Set protocol version method based on client or server option. check-in: 50c71137cb user: bohagan tags: status_x509
Changes

Modified doc/tls.html from [a8f4986247] to [4bc13cff59].

273
274
275
276
277
278
279
280

281
282
283
284
285
286
287
288
289
290
291
292




293
294
295
296
297
298
299
300
301
302


303
304
305
306
307
308


309
310

311
312
313
314
315
316










317
318
319
320
321
322
323
273
274
275
276
277
278
279

280
281
282
283
284
285
286
287



288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307




308
309


310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333







-
+







-
-
-


+
+
+
+










+
+


-
-
-
-
+
+
-
-
+






+
+
+
+
+
+
+
+
+
+







    <dd>Returns the current connection status of an SSL channel. The
        result is a list of key-value pairs describing the
        connected peer.</dd>

<blockquote>
    <dl>
        <dt><strong>state</strong> <em>state</em></dt>
        <dd>State of the connection: initializing, handshake, established</dd>
        <dd>State of the connection.</dd>
        <dt><strong>servername</strong> <em>name</em></dt>
        <dd>The name of the connected to server.</dd>
        <dt><strong>protocol</strong> <em>version</em></dt>
        <dd>The protocol version used for the connection:
	    SSL2, SSL3, TLS1, TLS1.1, TLS1.2, TLS1.3, or unknown.</dd>
        <dt><strong>renegotiation</strong> <em>state</em></dt>
        <dd>Whether protocol renegotiation is allowed or disallowed.</dd>
        <dt><strong>alpn</strong> <em>protocol</em></dt>
        <dd>The protocol selected after Application-Layer Protocol
	    Negotiation (ALPN).</dd>
        <dt><strong>securitylevel</strong> <em>level</em></dt>
        <dd>The security level used for selection of ciphers, key size, etc.</dd>
        <dt><strong>session_reused</strong> <em>boolean</em></dt>
        <dd>Whether the session has been reused or not.</dd>
        <dt><strong>is_server</strong> <em>boolean</em></dt>
        <dd>Whether the connection configured as a server or client (false).</dd>
        <dt><strong>cipher</strong> <em>cipher</em></dt>
        <dd>The current cipher in use for the connection.</dd>
        <dt><strong>standard_name</strong> <em>name</em></dt>
        <dd>The standard RFC name of cipher.</dd>
        <dt><strong>bits</strong> <em>n</em></dt>
        <dd>The number of processed bits used for cipher.</dd>
        <dt><strong>secret_bits</strong> <em>n</em></dt>
        <dd>The number of secret bits used for cipher.</dd>
        <dt><strong>min_version</strong> <em>version</em></dt>
        <dd>The minimum protocol version for cipher.</dd>
        <dt><strong>id</strong> <em>id</em></dt>
        <dd>The OpenSSL cipher id.</dd>
        <dt><strong>description</strong> <em>string</em></dt>
        <dd>A text description of the cipher.</dd>
        <dt><strong>session_reused</strong> <em>boolean</em></dt>
        <dd>Whether the session has been reused or not.</dd>
        <dt><strong>session_id</strong> <em>string</em></dt>
        <dd>Unique session id for use in resuming the session.</dd>
        <dt><strong>alpn</strong> <em>protocol</em></dt>
        <dd>The protocol selected after Application-Layer Protocol
        <dt><strong>session_ticket</strong> <em>string</em></dt>
        <dd>Unique session ticket for use in resuming the session.</dd>
	    Negotiation (ALPN).</dd>
        <dt><strong>resumable</strong> <em>boolean</em></dt>
        <dd>Can the session be resumed or not.</dd>
        <dt><strong>start_time</strong> <em>seconds</em></dt>
        <dd>Time since session started in seconds since epoch.</dd>
        <dt><strong>timeout</strong> <em>seconds</em></dt>
        <dd>Max duration of session in seconds before time-out.</dd>
        <dt><strong>lifetime</strong> <em>seconds</em></dt>
        <dd>Session ticket lifetime hint in seconds.</dd>
        <dt><strong>session_id</strong> <em>string</em></dt>
        <dd>Unique session id for use in resuming the session.</dd>
        <dt><strong>session_ticket</strong> <em>string</em></dt>
        <dd>Unique session ticket for use in resuming the session.</dd>
        <dt><strong>ticket_app_data</strong> <em>string</em></dt>
        <dd>Unique session ticket application data.</dd>
        <dt><strong>master_key</strong> <em>binary_string</em></dt>
        <dd>Unique session master key.</dd>
        <dt><strong>compression</strong> <em>mode</em></dt>
        <dd>Compression method.</dd>
        <dt><strong>expansion</strong> <em>mode</em></dt>
        <dd>Expansion method.</dd>
        <dt><strong>session_cache_mode</strong> <em>mode</em></dt>
        <dd>Server cache mode (client, server, or both).</dd>
    </dl>

Modified generic/tls.c from [a24507cd1f] to [34dae888de].

1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1778
1779
1780
1781
1782
1783
1784

1785
1786
1787
1788
1789
1790
1791







-







    X509 *peer;
    Tcl_Obj *objPtr;
    Tcl_Channel chan;
    char *channelName, *ciphers;
    int mode;
    const unsigned char *proto;
    unsigned int len;
    char *peername = NULL;

    dprintf("Called");

    switch (objc) {
	case 2:
	    channelName = Tcl_GetStringFromObj(objv[1], NULL);
	    break;
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843

1844
1845
1846
1847
1848
1849
1850
1831
1832
1833
1834
1835
1836
1837



1838

1839
1840
1841
1842
1843
1844
1845
1846







-
-
-

-
+







    /* Peer cert chain (client only) */
    STACK_OF(X509)* ssl_certs = SSL_get_peer_cert_chain(statePtr->ssl);
    if (!peer && (ssl_certs == NULL || sk_X509_num(ssl_certs) == 0)) {
	return TCL_ERROR;
    }

    /* Peer name from cert */
    if (SSL_get_verify_result(statePtr->ssl) == X509_V_OK) {
	peername = SSL_get0_peername(statePtr->ssl);
    }
    Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("peername", -1));
    Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(peername, -1));
    Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_get0_peername(statePtr->ssl), -1));

    Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("sbits", -1));
    Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj(SSL_get_cipher_bits(statePtr->ssl, NULL)));

    ciphers = (char*)SSL_get_cipher(statePtr->ssl);
    if ((ciphers != NULL) && (strcmp(ciphers, "(NONE)") != 0)) {
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("cipher", -1));
1861
1862
1863
1864
1865
1866
1867
1868

1869
1870
1871
1872
1873
1874
1875
1857
1858
1859
1860
1861
1862
1863

1864
1865
1866
1867
1868
1869
1870
1871







-
+







    }
    Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(proto, -1));

    /* Report the selected protocol as a result of the negotiation */
    SSL_get0_alpn_selected(statePtr->ssl, &proto, &len);
    Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("alpn", -1));
    Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj((char *)proto, (int)len));
    Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("version", -1));
    Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("protocol", -1));
    Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_get_version(statePtr->ssl), -1));

    Tcl_SetObjResult(interp, objPtr);
    return TCL_OK;
	clientData = clientData;
}

1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1884
1885
1886
1887
1888
1889
1890

1891
1892
1893
1894
1895
1896
1897







-







    Tcl_Channel chan;		/* The channel to set a mode on. */
    State *statePtr;		/* client state for ssl socket */
    Tcl_Obj *objPtr;
    const SSL *ssl;
    const SSL_CIPHER *cipher;
    const SSL_SESSION *session;
    const unsigned char *proto;
    unsigned int len;
    long mode;

    if (objc != 2) {
	Tcl_WrongNumArgs(interp, 1, objv, "channel");
	return(TCL_ERROR);
    }

1918
1919
1920
1921
1922
1923
1924
1925

1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945








1946
1947
1948
1949
1950
1951
1952
1913
1914
1915
1916
1917
1918
1919

1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932





1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950







-
+












-
-
-
-
-



+
+
+
+
+
+
+
+







    statePtr = (State *)Tcl_GetChannelInstanceData(chan);
    ssl = statePtr->ssl;
    if (ssl != NULL) {
	/* connection state */
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("state", -1));
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_state_string_long(ssl), -1));

	/* Get server name */
	/* Get SNI requested server name */
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("servername", -1));
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name), -1));

	/* Get protocol */
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("protocol", -1));
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_get_version(ssl), -1));

	/* Renegotiation allowed */
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("renegotiation", -1));
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(
	    SSL_get_secure_renegotiation_support(ssl) ? "supported" : "not supported", -1));

	/* Report the selected protocol as a result of the ALPN negotiation */
	SSL_get0_alpn_selected(ssl, &proto, &len);
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("alpn", -1));
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj((char *)proto, (int)len));

	/* Get security level */
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("securitylevel", -1));
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj(SSL_get_security_level(ssl)));

	/* Session info */
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("session_reused", -1));
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewBooleanObj(SSL_session_reused(ssl)));

	/* Is server info */
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("is_server", -1));
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewBooleanObj(SSL_is_server(ssl)));
    }

    /* Cipher info */
    cipher = SSL_get_current_cipher(ssl);
    if (cipher != NULL) {
	char buf[BUFSIZ] = {0};
	int bits, alg_bits;
1962
1963
1964
1965
1966
1967
1968




1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979

1980
1981

1982
1983
1984
1985

1986
1987


1988
1989

1990
1991

1992
1993
1994


1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
























2007
2008
2009
2010
2011
2012
2013
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983

1984



1985
1986


1987
1988


1989
1990

1991



1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036







+
+
+
+











+

-
+
-
-
-

+
-
-
+
+
-
-
+

-
+
-
-
-
+
+












+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+







	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("secret_bits", -1));
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj(alg_bits));
	/* alg_bits is actual key secret bits. If use bits and secret (algorithm) bits differ,
           the rest of the bits are fixed, i.e. for limited export ciphers (bits < 56) */
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("min_version", -1));
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_CIPHER_get_version(cipher), -1));

	/* Get OpenSSL-specific ID, not IANA ID */
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("id", -1));
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj((int) SSL_CIPHER_get_id(cipher)));

	if (SSL_CIPHER_description(cipher, buf, sizeof(buf)) != NULL) {
	    Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("description", -1));
	    Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(buf, -1));
	}
    }

    /* Session info */
    session = SSL_get_session(ssl);
    if (session != NULL) {
	const unsigned char *ticket;
	size_t len2;
	unsigned int ulen;
	const unsigned char *session_id;

	char buffer[SSL_MAX_MASTER_KEY_LENGTH];
	/* Session info */
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("session_reused", -1));
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj(SSL_session_reused(ssl)));

	/* Report the selected protocol as a result of the ALPN negotiation */
	/* Session id */
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("session_id", -1));
	SSL_SESSION_get0_alpn_selected(session, &proto, &len);
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("alpn", -1));
	session_id = SSL_SESSION_get_id(session, &len);
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(session_id, (int)len));
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj((char *)proto, (int) len));

	/* Session ticket - client only */
	/* Peer */
	SSL_SESSION_get0_ticket(session, &ticket, &len2);
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("session_ticket", -1));
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(ticket, (int) len2));
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("peer", -1));
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_SESSION_get0_peer(session), -1));

	/* Resumable session */
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("resumable", -1));
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj(SSL_SESSION_is_resumable(session)));

	/* Start time */
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("start_time", -1));
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewLongObj(SSL_SESSION_get_time(session)));

	/* Timeout value */
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("timeout", -1));
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewLongObj(SSL_SESSION_get_timeout(session)));

	/* Lifetime hint */
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("lifetime", -1));
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewLongObj(SSL_SESSION_get_ticket_lifetime_hint(session)));

	/* Session id */
	session_id = SSL_SESSION_get_id(session, &ulen);
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("session_id", -1));
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewByteArrayObj(session_id, (int) ulen));

	/* Session ticket - client only */
	SSL_SESSION_get0_ticket(session, &ticket, &len2);
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("session_ticket", -1));
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewByteArrayObj(ticket, (int) len2));

	/* Ticket app data */
	SSL_SESSION_get0_ticket_appdata(session, &ticket, &len2);
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("ticket_app_data", -1));
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewByteArrayObj(ticket, (int) len2));

	/* Get master key */
	len2 = SSL_SESSION_get_master_key(session, buffer, SSL_MAX_MASTER_KEY_LENGTH);
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("master_key", -1));
	Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewByteArrayObj(buffer, (int) len2));
    }

    /* Compression info */
    if (ssl != NULL) {
#ifdef HAVE_SSL_COMPRESSION
	const COMP_METHOD *comp, *expn;
	comp = SSL_get_current_compression(ssl);