Check-in [bfb516156c]
EuroTcl/OpenACS 11 - 12 JULY 2024, VIENNA
Overview
Comment:Merged changes from master
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | crypto
Files: files | file ages | folders
SHA3-256: bfb516156caa047beaa04fe9e5cb5b8e561366cd13f587a8fa8cfddfe63e9bf0
User & Date: bohagan on 2024-02-28 05:26:41
Other Links: branch diff | manifest | tags
Context
2024-02-28
05:48
Made TYPE_CMAC case into code block to allow variable definition check-in: 0d89817e1a user: bohagan tags: crypto
05:26
Merged changes from master check-in: bfb516156c user: bohagan tags: crypto
04:42
In password callback, added check for password > max size. Also added null terminator. check-in: 3866a025e0 user: bohagan tags: trunk
2024-02-24
21:19
Corrected error messages for provider test cases check-in: 4011675f4b user: bohagan tags: crypto
Changes

Modified README.txt from [14f61c93ef] to [767f622310].

46
47
48
49
50
51
52
53

54
55
56
57
58
59
60
46
47
48
49
50
51
52

53
54
55
56
57
58
59
60







-
+








UNIX and Linux
--------------

The standard TEA config, make and install process is supported.

	$ cd tcltls
	$ ./configure --enable-64bit --enable-deterministic --with-builtin-dh-params-size=2048
	$ ./configure --enable-64bit
	$ make
	$ make test
	$ make install

The supported configure options include all of the standard TEA configure script
options, plus:

Modified acinclude.m4 from [7f4a09fb4a] to [0103c1481a].

95
96
97
98
99
100
101


102
103
104
105
106
107
108
109
110
111






112
113
114
115
116
117
118
119
120
121

122
123
124
125
126
127
128
129
130


131
132
133
134
135
136
137
138
139
140

141
142
143
144
145
146
147
148
149
150
151
152
153
154
155

156
157
158
159
160
161
162
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111


112
113
114
115
116
117
118
119
120
121
122
123
124
125
126

127
128
129
130
131
132
133
134


135
136
137
138
139
140
141
142
143
144
145

146
147
148
149
150
151
152
153
154
155
156
157
158
159
160

161
162
163
164
165
166
167
168







+
+








-
-
+
+
+
+
+
+









-
+







-
-
+
+









-
+














-
+







			[path to root directory of OpenSSL or LibreSSL installation]
		), [
			openssldir="$withval"
		], [
			openssldir=''
		]
	)
	AC_MSG_CHECKING([for OpenSSL directory])
	AC_MSG_RESULT($openssldir)

	dnl Set SSL include files path
	AC_ARG_WITH([openssl-includedir],
		AS_HELP_STRING([--with-openssl-includedir=<dir>],
			[path to include directory of OpenSSL or LibreSSL installation]
		), [
			opensslincludedir="$withval"
		], [
			if test -n "$openssldir"; then
				opensslincludedir="$openssldir/include/openssl"
			if test ! -z "$openssldir"; then
				if test -d "${openssldir}/include/openssl"; then
					opensslincludedir="${openssldir}/include/openssl"
				else
					opensslincludedir="${openssldir}/include"
				fi
			else
				opensslincludedir=''
			fi
		]
	)
	AC_MSG_CHECKING([for OpenSSL include directory])
	AC_MSG_RESULT($opensslincludedir)

	dnl Set SSL include vars
	if test -n "$opensslincludedir"; then
	if test ! -z "$opensslincludedir"; then
		if test -f "$opensslincludedir/ssl.h"; then
			TCLTLS_SSL_CFLAGS="-I$opensslincludedir"
			TCLTLS_SSL_INCLUDES="-I$opensslincludedir"
		else
			AC_MSG_ERROR([Unable to locate ssl.h])
		fi
	else
		TCLTLS_SSL_CFLAGS="-I$(includedir)/openssl"
		TCLTLS_SSL_INCLUDES="-I$(includedir)/openssl"
		TCLTLS_SSL_CFLAGS="-I${includedir}/openssl"
		TCLTLS_SSL_INCLUDES="-I${includedir}/openssl"
	fi

	dnl Set SSL lib files path
	AC_ARG_WITH([openssl-libdir],
		AS_HELP_STRING([--with-openssl-libdir=<dir>],
			[path to lib directory of OpenSSL or LibreSSL installation]
		), [
			openssllibdir="$withval"
		], [
			if test -n "$openssldir"; then
			if test ! -z "$openssldir"; then
				if test "$do64bit" == 'yes'; then
					openssllibdir="$openssldir/lib64"
				else
					openssllibdir="$openssldir/lib"
				fi
			else
				openssllibdir=''
			fi
		]
	)
	AC_MSG_CHECKING([for OpenSSL lib directory])
	AC_MSG_RESULT($openssllibdir)

	dnl Set SSL lib vars
	if test -n "$openssllibdir"; then
	if test ! -z "$openssllibdir"; then
		if test -f "$openssllibdir/libssl${SHLIB_SUFFIX}"; then
			if test "${TCLEXT_TLS_STATIC_SSL}" == 'no'; then
				TCLTLS_SSL_LIBS="-L$openssllibdir -lcrypto -lssl"
			else
				# Linux and Solaris
				TCLTLS_SSL_LIBS="-Wl,-Bstatic `$PKG_CONFIG --static --libs crypto ssl` -Wl,-Bdynamic"
				# HPUX

Modified configure from [11f1598819] to [1486a8223b].

9179
9180
9181
9182
9183
9184
9185




9186
9187
9188
9189
9190
9191
9192
9193
9194
9195
9196
9197






9198
9199
9200
9201
9202
9203
9204
9205
9206
9207
9208
9209
9210

9211
9212
9213
9214
9215
9216
9217
9218
9219


9220
9221
9222
9223
9224
9225
9226
9227
9228
9229
9230
9231

9232
9233
9234
9235
9236
9237
9238
9239
9240
9241
9242
9243
9244
9245
9246
9247
9248
9249

9250
9251
9252
9253
9254
9255
9256
9179
9180
9181
9182
9183
9184
9185
9186
9187
9188
9189
9190
9191
9192
9193
9194
9195
9196
9197
9198
9199


9200
9201
9202
9203
9204
9205
9206
9207
9208
9209
9210
9211
9212
9213
9214
9215
9216
9217

9218
9219
9220
9221
9222
9223
9224
9225


9226
9227
9228
9229
9230
9231
9232
9233
9234
9235
9236
9237
9238

9239
9240
9241
9242
9243
9244
9245
9246
9247
9248
9249
9250
9251
9252
9253
9254
9255
9256

9257
9258
9259
9260
9261
9262
9263
9264







+
+
+
+










-
-
+
+
+
+
+
+












-
+







-
-
+
+











-
+

















-
+







else $as_nop

			openssldir=''


fi

	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for OpenSSL directory" >&5
printf %s "checking for OpenSSL directory... " >&6; }
	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $openssldir" >&5
printf "%s\n" "$openssldir" >&6; }


# Check whether --with-openssl-includedir was given.
if test ${with_openssl_includedir+y}
then :
  withval=$with_openssl_includedir;
			opensslincludedir="$withval"

else $as_nop

			if test -n "$openssldir"; then
				opensslincludedir="$openssldir/include/openssl"
			if test ! -z "$openssldir"; then
				if test -d "${openssldir}/include/openssl"; then
					opensslincludedir="${openssldir}/include/openssl"
				else
					opensslincludedir="${openssldir}/include"
				fi
			else
				opensslincludedir=''
			fi


fi

	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for OpenSSL include directory" >&5
printf %s "checking for OpenSSL include directory... " >&6; }
	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $opensslincludedir" >&5
printf "%s\n" "$opensslincludedir" >&6; }

		if test -n "$opensslincludedir"; then
		if test ! -z "$opensslincludedir"; then
		if test -f "$opensslincludedir/ssl.h"; then
			TCLTLS_SSL_CFLAGS="-I$opensslincludedir"
			TCLTLS_SSL_INCLUDES="-I$opensslincludedir"
		else
			as_fn_error $? "Unable to locate ssl.h" "$LINENO" 5
		fi
	else
		TCLTLS_SSL_CFLAGS="-I$(includedir)/openssl"
		TCLTLS_SSL_INCLUDES="-I$(includedir)/openssl"
		TCLTLS_SSL_CFLAGS="-I${includedir}/openssl"
		TCLTLS_SSL_INCLUDES="-I${includedir}/openssl"
	fi


# Check whether --with-openssl-libdir was given.
if test ${with_openssl_libdir+y}
then :
  withval=$with_openssl_libdir;
			openssllibdir="$withval"

else $as_nop

			if test -n "$openssldir"; then
			if test ! -z "$openssldir"; then
				if test "$do64bit" == 'yes'; then
					openssllibdir="$openssldir/lib64"
				else
					openssllibdir="$openssldir/lib"
				fi
			else
				openssllibdir=''
			fi


fi

	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for OpenSSL lib directory" >&5
printf %s "checking for OpenSSL lib directory... " >&6; }
	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $openssllibdir" >&5
printf "%s\n" "$openssllibdir" >&6; }

		if test -n "$openssllibdir"; then
		if test ! -z "$openssllibdir"; then
		if test -f "$openssllibdir/libssl${SHLIB_SUFFIX}"; then
			if test "${TCLEXT_TLS_STATIC_SSL}" == 'no'; then
				TCLTLS_SSL_LIBS="-L$openssllibdir -lcrypto -lssl"
			else
				# Linux and Solaris
				TCLTLS_SSL_LIBS="-Wl,-Bstatic `$PKG_CONFIG --static --libs crypto ssl` -Wl,-Bdynamic"
				# HPUX

Modified generic/tls.c from [2435fc4bff] to [6611dfd0b6].

34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
34
35
36
37
38
39
40



41
42
43
44
45
46
47







-
-
-







#include <openssl/safestack.h>

/* Min OpenSSL version */
#if OPENSSL_VERSION_NUMBER < 0x10101000L
#error "Only OpenSSL v1.1.1 or later is supported"
#endif

/*
 * External functions
 */

/*
 * Forward declarations
 */

#define F2N(key, dsp) \
	(((key) == NULL) ? (char *) NULL : \
342
343
344
345
346
347
348
349

350
351
352
353
354
355
356
339
340
341
342
343
344
345

346
347
348
349
350
351
352
353







-
+







 *
 *	Monitors SSL certificate validation process. Used to control the
 *	behavior when the SSL_VERIFY_PEER flag is set. This is called
 *	whenever a certificate is inspected or decided invalid. Called for
 *	each certificate in the cert chain.
 *
 * Checks:
 *	certificate chain is checked starting with the deepest nesting level
 *	The certificate chain is checked starting with the deepest nesting level
 *	  (the root CA certificate) and worked upward to the peer's certificate.
 *	All signatures are valid, current time is within first and last validity time.
 *	Check that the certificate is issued by the issuer certificate issuer.
 *	Check the revocation status for each certificate.
 *	Check the validity of the given CRL and the cert revocation status.
 *	Check the policies of all the certificates
 *
422
423
424
425
426
427
428
429

430
431
432
433
434
435
436
419
420
421
422
423
424
425

426
427
428
429
430
431
432
433







-
+







}

/*
 *-------------------------------------------------------------------
 *
 * Tls_Error --
 *
 *	Calls callback with list of errors.
 *	Calls callback with error message.
 *
 * Side effects:
 *	The err field of the currently operative State is set
 *	  to a string describing the SSL negotiation failure reason
 *
 *-------------------------------------------------------------------
 */
497
498
499
500
501
502
503
504
505
506



507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524

525
526
527
528
529
530
531
532
533







534
535
536
537
538
539
540
494
495
496
497
498
499
500



501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528



529
530
531
532
533
534
535
536
537
538
539
540
541
542







-
-
-
+
+
+


















+






-
-
-
+
+
+
+
+
+
+







}

/*
 *-------------------------------------------------------------------
 *
 * Password Callback --
 *
 *	Called when a password for a private key loading/storing a PEM
 *	certificate with encryption. Evals callback script and returns
 *	the result as the password string in buf.
 *	Called when a password is needed for a private key when loading
 *	or storing a PEM certificate with encryption. Evals callback
 *	script and returns the result as the password string in buf.
 *
 * Results:
 *	None
 *
 * Side effects:
 *	Calls callback (if defined)
 *
 * Returns:
 *	Password size in bytes or -1 for an error.
 *
 *-------------------------------------------------------------------
 */
static int
PasswordCallback(char *buf, int size, int rwflag, void *udata) {
    State *statePtr	= (State *) udata;
    Tcl_Interp *interp	= statePtr->interp;
    Tcl_Obj *cmdPtr;
    int code;
    Tcl_Size len;

    dprintf("Called");

    /* If no callback, use default callback */
    if (statePtr->password == NULL) {
	if (Tcl_EvalEx(interp, "tls::password", -1, TCL_EVAL_GLOBAL) == TCL_OK) {
	    char *ret = (char *) Tcl_GetStringResult(interp);
	    strncpy(buf, ret, (size_t) size);
	    return (int)strlen(ret);
	    char *ret = (char *) Tcl_GetStringFromObj(Tcl_GetObjResult(interp), &len);
	    if (len > (Tcl_Size) size-1) {
		len = (Tcl_Size) size-1;
	    }
	    strncpy(buf, ret, (size_t) len);
	    buf[len] = '\0';
	    return (int) len;
	} else {
	    return -1;
	}
    }

    /* Create command to eval with fn, rwflag, and size args */
    cmdPtr = Tcl_DuplicateObj(statePtr->password);
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
559
560
561
562
563
564
565

566
567
568
569
570
571
572







-







    }
    Tcl_DecrRefCount(cmdPtr);

    Tcl_Release((ClientData) statePtr);

    /* If successful, pass back password string and truncate if too long */
    if (code == TCL_OK) {
	Tcl_Size len;
	char *ret = (char *) Tcl_GetStringFromObj(Tcl_GetObjResult(interp), &len);
	if (len > (Tcl_Size) size-1) {
	    len = (Tcl_Size) size-1;
	}
	strncpy(buf, ret, (size_t) len);
	buf[len] = '\0';
	Tcl_Release((ClientData) interp);
633
634
635
636
637
638
639


640
641
642
643
644
645
646
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649







+
+







    Tcl_ListObjAppendElement(interp, cmdPtr,
	Tcl_NewLongObj((long) SSL_SESSION_get_ticket_lifetime_hint(session)));

    /* Eval callback command */
    Tcl_IncrRefCount(cmdPtr);
    EvalCallback(interp, statePtr, cmdPtr);
    Tcl_DecrRefCount(cmdPtr);

    /* Return 0 for now until session handling is complete */
    return 0;
}

/*
 *-------------------------------------------------------------------
 *
 * ALPN Callback for Servers and NPN Callback for Clients --
1416
1417
1418
1419
1420
1421
1422
1423

1424
1425
1426
1427
1428
1429
1430
1419
1420
1421
1422
1423
1424
1425

1426
1427
1428
1429
1430
1431
1432
1433







-
+







	    char *str = Tcl_GetStringFromObj(list[j], &len);
	    *p++ = (unsigned char) len;
	    memcpy(p, str, (size_t) len);
	    p += len;
	}

	/* SSL_set_alpn_protos makes a copy of the protocol-list */
	/* Note: This functions reverses the return value convention */
	/* Note: This function reverses the return value convention */
	if (SSL_set_alpn_protos(statePtr->ssl, protos, protos_len)) {
	    Tcl_AppendResult(interp, "Set ALPN protocols failed: ", GET_ERR_REASON(), (char *) NULL);
	    Tcl_SetErrorCode(interp, "TLS", "IMPORT", "ALPN", "FAILED", (char *) NULL);
	    Tls_Free((char *) statePtr);
	    ckfree(protos);
	    return TCL_ERROR;
	}
1750
1751
1752
1753
1754
1755
1756

1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772

1773
1774
1775
1776
1777
1778
1779







+












-







    }

    /* set some callbacks */
    SSL_CTX_set_default_passwd_cb(ctx, PasswordCallback);
    SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *)statePtr);

    /* read a Diffie-Hellman parameters file, or use the built-in one */
    Tcl_DStringInit(&ds);
#ifdef OPENSSL_NO_DH
    if (DHparams != NULL) {
	Tcl_AppendResult(interp, "DH parameter support not available", (char *) NULL);
	SSL_CTX_free(ctx);
	return NULL;
    }
#else
    {
	DH* dh;
	if (DHparams != NULL) {
	    BIO *bio;

	    Tcl_DStringInit(&ds);
	    bio = BIO_new_file(F2N(DHparams, &ds), "r");
	    if (!bio) {
		Tcl_DStringFree(&ds);
		Tcl_AppendResult(interp, "Could not find DH parameters file", (char *) NULL);
		SSL_CTX_free(ctx);
		return NULL;
	    }
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1801
1802
1803
1804
1805
1806
1807

1808
1809
1810
1811
1812
1813
1814







-







#endif

    /* set our certificate */
    load_private_key = 0;
    if (certfile != NULL) {
	load_private_key = 1;

	Tcl_DStringInit(&ds);
	if (SSL_CTX_use_certificate_file(ctx, F2N(certfile, &ds), SSL_FILETYPE_PEM) <= 0) {
	    Tcl_DStringFree(&ds);
	    Tcl_AppendResult(interp, "unable to set certificate file ", certfile, ": ",
		GET_ERR_REASON(), (char *) NULL);
	    SSL_CTX_free(ctx);
	    return NULL;
	}
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1844
1845
1846
1847
1848
1849
1850

1851
1852
1853
1854
1855
1856
1857







-








	if (keyfile != NULL) {
	    /* get the private key associated with this certificate */
	    if (keyfile == NULL) {
		keyfile = certfile;
	    }

	    Tcl_DStringInit(&ds);
	    if (SSL_CTX_use_PrivateKey_file(ctx, F2N(keyfile, &ds), SSL_FILETYPE_PEM) <= 0) {
		Tcl_DStringFree(&ds);
		/* flush the passphrase which might be left in the result */
		Tcl_SetResult(interp, NULL, TCL_STATIC);
		Tcl_AppendResult(interp, "unable to set public key file ", keyfile, " ",
		    GET_ERR_REASON(), (char *) NULL);
		SSL_CTX_free(ctx);
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1886
1887
1888
1889
1890
1891
1892

1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903

1904
1905
1906
1907
1908
1909
1910
1911
1912

1913
1914
1915
1916
1917
1918

1919
1920
1921
1922
1923
1924

1925
1926
1927
1928
1929
1930
1931







-











-









-






-






-







    }

    /* Overrides for the CA verify path and file */
    {
#if OPENSSL_VERSION_NUMBER < 0x30000000L
	if (CApath != NULL || CAfile != NULL) {
	    Tcl_DString ds1;
	    Tcl_DStringInit(&ds);
	    Tcl_DStringInit(&ds1);

	    if (!SSL_CTX_load_verify_locations(ctx, F2N(CAfile, &ds), F2N(CApath, &ds1))) {
		abort++;
	    }
	    Tcl_DStringFree(&ds);
	    Tcl_DStringFree(&ds1);

	    /* Set list of CAs to send to client when requesting a client certificate */
	    /* https://sourceforge.net/p/tls/bugs/57/ */
	    /* XXX:TODO: Let the user supply values here instead of something that exists on the filesystem */
	    Tcl_DStringInit(&ds);
	    STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file(F2N(CAfile, &ds));
	    if (certNames != NULL) {
		SSL_CTX_set_client_CA_list(ctx, certNames);
	    }
	    Tcl_DStringFree(&ds);
	}

#else
	if (CApath != NULL) {
	    Tcl_DStringInit(&ds);
	    if (!SSL_CTX_load_verify_dir(ctx, F2N(CApath, &ds))) {
		abort++;
	    }
	    Tcl_DStringFree(&ds);
	}
	if (CAfile != NULL) {
	    Tcl_DStringInit(&ds);
	    if (!SSL_CTX_load_verify_file(ctx, F2N(CAfile, &ds))) {
		abort++;
	    }
	    Tcl_DStringFree(&ds);

	    /* Set list of CAs to send to client when requesting a client certificate */
	    Tcl_DStringInit(&ds);
	    STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file(F2N(CAfile, &ds));
	    if (certNames != NULL) {
		SSL_CTX_set_client_CA_list(ctx, certNames);
	    }
	    Tcl_DStringFree(&ds);
	}
#endif

Modified tests/badssl.csv from [0bcd6b3e35] to [f294744529].

1
2
3
4
5
6
7
8
9
10
11
12
13

14
15
16
17
18
19
20
21
22
23
24


25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

45
46
47
48
49


50
51
52
53
54
55
56
1
2
3
4
5
6
7
8
9
10
11
12

13
14
15
16
17
18
19
20
21
22
23

24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

45
46
47
48


49
50
51
52
53
54
55
56
57












-
+










-
+
+



















-
+



-
-
+
+







# Group,Name,Constraints,Setup,Body,Cleanup,Match,Result,Output,Error Output,Return Codes
command,package require tls,,,,,,,,,
,,,,,,,,,,
command,# Constraints,,,,,,,,,
command,source [file join [file dirname [info script]] common.tcl],,,,,,,,,
,,,,,,,,,,
command,# Helper functions,,,,,,,,,
command,"proc badssl {url} {set port 443;lassign [split $url "":""] url port;if {$port eq """"} {set port 443};set cmd [list tls::socket -autoservername 1 -require 1];if {[info exists ::env(SSL_CERT_FILE)]} {lappend cmd -cafile $::env(SSL_CERT_FILE)};lappend cmd $url $port;set ch [eval $cmd];if {[catch {tls::handshake $ch} err]} {close $ch;return -code error $err} else {close $ch}}",,,,,,,,,
,,,,,,,,,,
command,# BadSSL.com Tests,,,,,,,,,
BadSSL,1000-sans,,,badssl 1000-sans.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1
BadSSL,10000-sans,,,badssl 10000-sans.badssl.com,,,handshake failed: excessive message size,,,1
BadSSL,3des,,,badssl 3des.badssl.com,,,handshake failed: sslv3 alert handshake failure,,,1
BadSSL,3des,,,badssl 3des.badssl.com,,glob,handshake failed: * alert handshake failure,,,1
BadSSL,captive-portal,old_api,,badssl captive-portal.badssl.com,,,"handshake failed: certificate verify failed due to ""Hostname mismatch""",,,1
BadSSL,captive-portal,new_api,,badssl captive-portal.badssl.com,,,"handshake failed: certificate verify failed due to ""hostname mismatch""",,,1
BadSSL,cbc,,,badssl cbc.badssl.com,,,,,,
BadSSL,client-cert-missing,,,badssl client-cert-missing.badssl.com,,,,,,
BadSSL,client,,,badssl client.badssl.com,,,,,,
BadSSL,dh-composite,old_api,,badssl dh-composite.badssl.com,,,,,,
BadSSL,dh-composite,new_api,,badssl dh-composite.badssl.com,,,handshake failed: dh key too small,,,1
BadSSL,dh-small-subgroup,,,badssl dh-small-subgroup.badssl.com,,,,,,
BadSSL,dh480,old_api,,badssl dh480.badssl.com,,,handshake failed: dh key too small,,,1
BadSSL,dh480,new_api,,badssl dh480.badssl.com,,,handshake failed: modulus too small,,,1
BadSSL,dh512,,,badssl dh512.badssl.com,,,handshake failed: dh key too small,,,1
BadSSL,dh512,old_api,,badssl dh512.badssl.com,,,handshake failed: dh key too small,,,1
BadSSL,dh512,mac,,badssl dh512.badssl.com,,,handshake failed: unknown security bits,,,1
BadSSL,dh1024,old_api,,badssl dh1024.badssl.com,,,,,,
BadSSL,dh1024,new_api,,badssl dh1024.badssl.com,,,handshake failed: dh key too small,,,1
BadSSL,dh2048,,,badssl dh2048.badssl.com,,,,,,
BadSSL,dsdtestprovider,,,badssl dsdtestprovider.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1
BadSSL,ecc256,,,badssl ecc256.badssl.com,,,,,,
BadSSL,ecc384,,,badssl ecc384.badssl.com,,,,,,
BadSSL,edellroot,,,badssl edellroot.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1
BadSSL,expired,,,badssl expired.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1
BadSSL,extended-validation,,,badssl extended-validation.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1
BadSSL,hsts,,,badssl hsts.badssl.com,,,,,,
BadSSL,https-everywhere,,,badssl https-everywhere.badssl.com,,,,,,
BadSSL,incomplete-chain,,,badssl incomplete-chain.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1
BadSSL,invalid-expected-sct,,,badssl invalid-expected-sct.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1
BadSSL,long-extended-subdomain-name-containing-many-letters-and-dashes,,,badssl long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com,,,,,,
BadSSL,longextendedsubdomainnamewithoutdashesinordertotestwordwrapping,,,badssl longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com,,,,,,
BadSSL,mitm-software,,,badssl mitm-software.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1
BadSSL,no-common-name,,,badssl no-common-name.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1
BadSSL,no-sct,,,badssl no-sct.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1
BadSSL,no-subject,,,badssl no-subject.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1
BadSSL,null,,,badssl null.badssl.com,,,handshake failed: sslv3 alert handshake failure,,,1
BadSSL,null,,,badssl null.badssl.com,,glob,handshake failed: * alert handshake failure,,,1
BadSSL,pinning-test,,,badssl pinning-test.badssl.com,,,,,,
BadSSL,preact-cli,,,badssl preact-cli.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1
BadSSL,preloaded-hsts,,,badssl preloaded-hsts.badssl.com,,,,,,
BadSSL,rc4-md5,,,badssl rc4-md5.badssl.com,,,handshake failed: sslv3 alert handshake failure,,,1
BadSSL,rc4,,,badssl rc4.badssl.com,,,handshake failed: sslv3 alert handshake failure,,,1
BadSSL,rc4-md5,,,badssl rc4-md5.badssl.com,,glob,handshake failed: * alert handshake failure,,,1
BadSSL,rc4,,,badssl rc4.badssl.com,,glob,handshake failed: * alert handshake failure,,,1
BadSSL,revoked,,,badssl revoked.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1
BadSSL,rsa2048,,,badssl rsa2048.badssl.com,,,,,,
BadSSL,rsa4096,,,badssl rsa4096.badssl.com,,,,,,
BadSSL,rsa8192,,,badssl rsa8192.badssl.com,,,,,,
BadSSL,self-signed,old_api,,badssl self-signed.badssl.com,,,"handshake failed: certificate verify failed due to ""self signed certificate""",,,1
BadSSL,self-signed,new_api,,badssl self-signed.badssl.com,,,"handshake failed: certificate verify failed due to ""self-signed certificate""",,,1
BadSSL,sha1-2016,,,badssl sha1-2016.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1

Modified tests/badssl.test from [4b748d171a] to [0bf5ddad0c].

25
26
27
28
29
30
31
32

33
34
35
36
37
38
39
25
26
27
28
29
30
31

32
33
34
35
36
37
38
39







-
+








test BadSSL-1.2 {10000-sans} -body {
	badssl 10000-sans.badssl.com
    } -result {handshake failed: excessive message size} -returnCodes {1}

test BadSSL-1.3 {3des} -body {
	badssl 3des.badssl.com
    } -result {handshake failed: sslv3 alert handshake failure} -returnCodes {1}
    } -match {glob} -result {handshake failed: * alert handshake failure} -returnCodes {1}

test BadSSL-1.4 {captive-portal} -constraints {old_api} -body {
	badssl captive-portal.badssl.com
    } -result {handshake failed: certificate verify failed due to "Hostname mismatch"} -returnCodes {1}

test BadSSL-1.5 {captive-portal} -constraints {new_api} -body {
	badssl captive-portal.badssl.com
67
68
69
70
71
72
73
74

75
76
77




78

79
80
81
82

83
84
85
86

87
88
89
90

91
92
93
94

95
96
97
98

99
100
101
102

103
104
105
106

107
108
109
110

111
112
113
114

115
116
117
118

119
120
121
122

123
124
125
126

127
128
129
130

131
132
133
134

135
136
137
138

139
140
141
142

143
144
145
146

147
148
149
150

151
152
153
154

155
156

157
158

159
160
161
162

163
164
165
166

167
168
169
170

171
172

173
174

175
176

177
178

179
180
181
182

183
184
185
186

187
188
189
190

191
192
193
194

195
196
197
198

199
200
201
202

203
204
205
206

207
208
209
210

211
212
213
214

215
216
217
218

219
220
221
222

223
224
225
226

227
228
229
230

231
232
233
234

235
236
237
238

239
240
241
242

243
244
245
246

247
248
249
250

251
252
253
254

255
256
257
258

259
260
261
262

263
264
265
266

267
268
269
270

271
272
273
274

275
276
277
278

279
280
281
282

283
284
285
286

287
288
289
290

291
292
293
294
295
296
67
68
69
70
71
72
73

74
75
76
77
78
79
80
81

82
83
84
85

86
87
88
89

90
91
92
93

94
95
96
97

98
99
100
101

102
103
104
105

106
107
108
109

110
111
112
113

114
115
116
117

118
119
120
121

122
123
124
125

126
127
128
129

130
131
132
133

134
135
136
137

138
139
140
141

142
143
144
145

146
147
148
149

150
151
152
153

154
155
156
157

158
159

160
161

162
163
164
165

166
167
168
169

170
171
172
173

174
175

176
177

178
179

180
181

182
183
184
185

186
187
188
189

190
191
192
193

194
195
196
197

198
199
200
201

202
203
204
205

206
207
208
209

210
211
212
213

214
215
216
217

218
219
220
221

222
223
224
225

226
227
228
229

230
231
232
233

234
235
236
237

238
239
240
241

242
243
244
245

246
247
248
249

250
251
252
253

254
255
256
257

258
259
260
261

262
263
264
265

266
267
268
269

270
271
272
273

274
275
276
277

278
279
280
281

282
283
284
285

286
287
288
289

290
291
292
293

294
295
296
297
298
299
300







-
+



+
+
+
+
-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+

-
+

-
+



-
+



-
+



-
+

-
+

-
+

-
+

-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+



-
+






	badssl dh480.badssl.com
    } -result {handshake failed: dh key too small} -returnCodes {1}

test BadSSL-1.13 {dh480} -constraints {new_api} -body {
	badssl dh480.badssl.com
    } -result {handshake failed: modulus too small} -returnCodes {1}

test BadSSL-1.14 {dh512} -body {
test BadSSL-1.14 {dh512} -constraints {old_api} -body {
	badssl dh512.badssl.com
    } -result {handshake failed: dh key too small} -returnCodes {1}

test BadSSL-1.15 {dh512} -constraints {mac} -body {
	badssl dh512.badssl.com
    } -result {handshake failed: unknown security bits} -returnCodes {1}

test BadSSL-1.15 {dh1024} -constraints {old_api} -body {
test BadSSL-1.16 {dh1024} -constraints {old_api} -body {
	badssl dh1024.badssl.com
    }

test BadSSL-1.16 {dh1024} -constraints {new_api} -body {
test BadSSL-1.17 {dh1024} -constraints {new_api} -body {
	badssl dh1024.badssl.com
    } -result {handshake failed: dh key too small} -returnCodes {1}

test BadSSL-1.17 {dh2048} -body {
test BadSSL-1.18 {dh2048} -body {
	badssl dh2048.badssl.com
    }

test BadSSL-1.18 {dsdtestprovider} -body {
test BadSSL-1.19 {dsdtestprovider} -body {
	badssl dsdtestprovider.badssl.com
    } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1}

test BadSSL-1.19 {ecc256} -body {
test BadSSL-1.20 {ecc256} -body {
	badssl ecc256.badssl.com
    }

test BadSSL-1.20 {ecc384} -body {
test BadSSL-1.21 {ecc384} -body {
	badssl ecc384.badssl.com
    }

test BadSSL-1.21 {edellroot} -body {
test BadSSL-1.22 {edellroot} -body {
	badssl edellroot.badssl.com
    } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1}

test BadSSL-1.22 {expired} -body {
test BadSSL-1.23 {expired} -body {
	badssl expired.badssl.com
    } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1}

test BadSSL-1.23 {extended-validation} -body {
test BadSSL-1.24 {extended-validation} -body {
	badssl extended-validation.badssl.com
    } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1}

test BadSSL-1.24 {hsts} -body {
test BadSSL-1.25 {hsts} -body {
	badssl hsts.badssl.com
    }

test BadSSL-1.25 {https-everywhere} -body {
test BadSSL-1.26 {https-everywhere} -body {
	badssl https-everywhere.badssl.com
    }

test BadSSL-1.26 {incomplete-chain} -body {
test BadSSL-1.27 {incomplete-chain} -body {
	badssl incomplete-chain.badssl.com
    } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1}

test BadSSL-1.27 {invalid-expected-sct} -body {
test BadSSL-1.28 {invalid-expected-sct} -body {
	badssl invalid-expected-sct.badssl.com
    } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1}

test BadSSL-1.28 {long-extended-subdomain-name-containing-many-letters-and-dashes} -body {
test BadSSL-1.29 {long-extended-subdomain-name-containing-many-letters-and-dashes} -body {
	badssl long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com
    }

test BadSSL-1.29 {longextendedsubdomainnamewithoutdashesinordertotestwordwrapping} -body {
test BadSSL-1.30 {longextendedsubdomainnamewithoutdashesinordertotestwordwrapping} -body {
	badssl longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com
    }

test BadSSL-1.30 {mitm-software} -body {
test BadSSL-1.31 {mitm-software} -body {
	badssl mitm-software.badssl.com
    } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1}

test BadSSL-1.31 {no-common-name} -body {
test BadSSL-1.32 {no-common-name} -body {
	badssl no-common-name.badssl.com
    } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1}

test BadSSL-1.32 {no-sct} -body {
test BadSSL-1.33 {no-sct} -body {
	badssl no-sct.badssl.com
    } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1}

test BadSSL-1.33 {no-subject} -body {
test BadSSL-1.34 {no-subject} -body {
	badssl no-subject.badssl.com
    } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1}

test BadSSL-1.34 {null} -body {
test BadSSL-1.35 {null} -body {
	badssl null.badssl.com
    } -result {handshake failed: sslv3 alert handshake failure} -returnCodes {1}
    } -match {glob} -result {handshake failed: * alert handshake failure} -returnCodes {1}

test BadSSL-1.35 {pinning-test} -body {
test BadSSL-1.36 {pinning-test} -body {
	badssl pinning-test.badssl.com
    }

test BadSSL-1.36 {preact-cli} -body {
test BadSSL-1.37 {preact-cli} -body {
	badssl preact-cli.badssl.com
    } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1}

test BadSSL-1.37 {preloaded-hsts} -body {
test BadSSL-1.38 {preloaded-hsts} -body {
	badssl preloaded-hsts.badssl.com
    }

test BadSSL-1.38 {rc4-md5} -body {
test BadSSL-1.39 {rc4-md5} -body {
	badssl rc4-md5.badssl.com
    } -result {handshake failed: sslv3 alert handshake failure} -returnCodes {1}
    } -match {glob} -result {handshake failed: * alert handshake failure} -returnCodes {1}

test BadSSL-1.39 {rc4} -body {
test BadSSL-1.40 {rc4} -body {
	badssl rc4.badssl.com
    } -result {handshake failed: sslv3 alert handshake failure} -returnCodes {1}
    } -match {glob} -result {handshake failed: * alert handshake failure} -returnCodes {1}

test BadSSL-1.40 {revoked} -body {
test BadSSL-1.41 {revoked} -body {
	badssl revoked.badssl.com
    } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1}

test BadSSL-1.41 {rsa2048} -body {
test BadSSL-1.42 {rsa2048} -body {
	badssl rsa2048.badssl.com
    }

test BadSSL-1.42 {rsa4096} -body {
test BadSSL-1.43 {rsa4096} -body {
	badssl rsa4096.badssl.com
    }

test BadSSL-1.43 {rsa8192} -body {
test BadSSL-1.44 {rsa8192} -body {
	badssl rsa8192.badssl.com
    }

test BadSSL-1.44 {self-signed} -constraints {old_api} -body {
test BadSSL-1.45 {self-signed} -constraints {old_api} -body {
	badssl self-signed.badssl.com
    } -result {handshake failed: certificate verify failed due to "self signed certificate"} -returnCodes {1}

test BadSSL-1.45 {self-signed} -constraints {new_api} -body {
test BadSSL-1.46 {self-signed} -constraints {new_api} -body {
	badssl self-signed.badssl.com
    } -result {handshake failed: certificate verify failed due to "self-signed certificate"} -returnCodes {1}

test BadSSL-1.46 {sha1-2016} -body {
test BadSSL-1.47 {sha1-2016} -body {
	badssl sha1-2016.badssl.com
    } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1}

test BadSSL-1.47 {sha1-2017} -constraints {old_api} -body {
test BadSSL-1.48 {sha1-2017} -constraints {old_api} -body {
	badssl sha1-2017.badssl.com
    } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1}

test BadSSL-1.48 {sha1-2017} -constraints {new_api} -body {
test BadSSL-1.49 {sha1-2017} -constraints {new_api} -body {
	badssl sha1-2017.badssl.com
    } -result {handshake failed: certificate verify failed due to "CA signature digest algorithm too weak"} -returnCodes {1}

test BadSSL-1.49 {sha1-intermediate} -body {
test BadSSL-1.50 {sha1-intermediate} -body {
	badssl sha1-intermediate.badssl.com
    } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1}

test BadSSL-1.50 {sha256} -body {
test BadSSL-1.51 {sha256} -body {
	badssl sha256.badssl.com
    }

test BadSSL-1.51 {sha384} -body {
test BadSSL-1.52 {sha384} -body {
	badssl sha384.badssl.com
    } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1}

test BadSSL-1.52 {sha512} -body {
test BadSSL-1.53 {sha512} -body {
	badssl sha512.badssl.com
    } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1}

test BadSSL-1.53 {static-rsa} -body {
test BadSSL-1.54 {static-rsa} -body {
	badssl static-rsa.badssl.com
    }

test BadSSL-1.54 {subdomain.preloaded-hsts} -constraints {old_api} -body {
test BadSSL-1.55 {subdomain.preloaded-hsts} -constraints {old_api} -body {
	badssl subdomain.preloaded-hsts.badssl.com
    } -result {handshake failed: certificate verify failed due to "Hostname mismatch"} -returnCodes {1}

test BadSSL-1.55 {subdomain.preloaded-hsts} -constraints {new_api} -body {
test BadSSL-1.56 {subdomain.preloaded-hsts} -constraints {new_api} -body {
	badssl subdomain.preloaded-hsts.badssl.com
    } -result {handshake failed: certificate verify failed due to "hostname mismatch"} -returnCodes {1}

test BadSSL-1.56 {superfish} -body {
test BadSSL-1.57 {superfish} -body {
	badssl superfish.badssl.com
    } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1}

test BadSSL-1.57 {tls-v1-0:1010} -constraints {tls1 old_api} -body {
test BadSSL-1.58 {tls-v1-0:1010} -constraints {tls1 old_api} -body {
	badssl tls-v1-0.badssl.com:1010
    }

test BadSSL-1.58 {tls-v1-0:1010} -constraints {tls1 new_api} -body {
test BadSSL-1.59 {tls-v1-0:1010} -constraints {tls1 new_api} -body {
	badssl tls-v1-0.badssl.com:1010
    } -result {handshake failed: unsupported protocol} -returnCodes {1}

test BadSSL-1.59 {tls-v1-1:1011} -constraints {tls1.1 old_api} -body {
test BadSSL-1.60 {tls-v1-1:1011} -constraints {tls1.1 old_api} -body {
	badssl tls-v1-1.badssl.com:1011
    }

test BadSSL-1.60 {tls-v1-1:1011} -constraints {tls1.1 new_api} -body {
test BadSSL-1.61 {tls-v1-1:1011} -constraints {tls1.1 new_api} -body {
	badssl tls-v1-1.badssl.com:1011
    } -result {handshake failed: unsupported protocol} -returnCodes {1}

test BadSSL-1.61 {tls-v1-2:1012} -constraints {tls1.2} -body {
test BadSSL-1.62 {tls-v1-2:1012} -constraints {tls1.2} -body {
	badssl tls-v1-2.badssl.com:1012
    }

test BadSSL-1.62 {untrusted-root} -constraints {old_api} -body {
test BadSSL-1.63 {untrusted-root} -constraints {old_api} -body {
	badssl untrusted-root.badssl.com
    } -result {handshake failed: certificate verify failed due to "self signed certificate in certificate chain"} -returnCodes {1}

test BadSSL-1.63 {untrusted-root} -constraints {new_api} -body {
test BadSSL-1.64 {untrusted-root} -constraints {new_api} -body {
	badssl untrusted-root.badssl.com
    } -result {handshake failed: certificate verify failed due to "self-signed certificate in certificate chain"} -returnCodes {1}

test BadSSL-1.64 {upgrade} -body {
test BadSSL-1.65 {upgrade} -body {
	badssl upgrade.badssl.com
    }

test BadSSL-1.65 {webpack-dev-server} -body {
test BadSSL-1.66 {webpack-dev-server} -body {
	badssl webpack-dev-server.badssl.com
    } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1}

test BadSSL-1.66 {wrong.host} -constraints {old_api} -body {
test BadSSL-1.67 {wrong.host} -constraints {old_api} -body {
	badssl wrong.host.badssl.com
    } -result {handshake failed: certificate verify failed due to "Hostname mismatch"} -returnCodes {1}

test BadSSL-1.67 {wrong.host} -constraints {new_api} -body {
test BadSSL-1.68 {wrong.host} -constraints {new_api} -body {
	badssl wrong.host.badssl.com
    } -result {handshake failed: certificate verify failed due to "hostname mismatch"} -returnCodes {1}

test BadSSL-1.68 {mozilla-modern} -body {
test BadSSL-1.69 {mozilla-modern} -body {
	badssl mozilla-modern.badssl.com
    }

# Cleanup
::tcltest::cleanupTests
return

Modified win/README.txt from [bce7b80fde] to [7588eb108e].

1
2
3
4
5
6
7
8
9

10
11
12
13
14
15
16
1
2
3
4
5
6
7
8

9
10
11
12
13
14
15
16








-
+







	Windows DLL Build instructions using nmake build system
	2020-10-15 [email protected]
	2023-04-23 Brian O'Hagan

Properties:
- 64 bit DLL
- VisualStudio 2015
Note: Visual C++ 6 does not build OpenSSL (long long syntax error)
- Cygwin32 (temporary helper, please help to replace by tclsh)
- Git MinGW or MS WSL shell to convert tls.tcl into .h file
- OpenSSL statically linked to TCLTLS DLL.
Note: Dynamic linking also works but results in a DLL dependency on OPENSSL DLL's

-----------------------------

1) Build OpenSSL static libraries:

34
35
36
37
38
39
40

41
42
43
44
45
46
47
48

49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64




65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82

83
84
85
86
87
88
89
90
91
92
93
94
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64


65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85

86
87
88
89
90
91
92
93
94
95
96
97
98







+








+














-
-
+
+
+
+

















-
+












  https://www.nasm.us/pub/nasm/releasebuilds/2.16.01/win64/nasm-2.16.01-installer-x64.exe
  Install to: C:\Program Files\NASM

(1d) Configure Open SSL 1.1.1

  At Visual Studio x64 native prompt:

  cd %SSLBUILD%
  set Path=%PATH%;C:\Program Files\NASM;C:\Strawberry\perl\bin
  perl ..\Configure VC-WIN64A no-shared no-filenames threads no-ssl2 no-ssl3 --api=1.1.0 --prefix="%SSLINSTALL%" --openssldir="%SSLCOMMON%" -DOPENSSL_NO_DEPRECATED
  # Not used options: no-asm no-zlib no-comp no-ui-console no-autoload-config

(1e) Configure Open SSL 3.0+

  At Visual Studio x64 native prompt:

  cd %SSLBUILD%
  set Path=%PATH%;C:\Program Files\NASM;C:\Strawberry\perl\bin
  perl ..\Configure VC-WIN64A no-shared no-filenames threads no-ssl2 no-ssl3 --prefix="%SSLINSTALL%" --openssldir="%SSLCOMMON%"
  # Not used options: no-asm no-zlib no-comp no-ui-console no-autoload-config

(1f) Build OpenSSL

  nmake
  nmake test
  nmake install

-----------------------------

2) Build TclTLS

  set BUILDDIR=\path\to\build\dir
  set TCLINSTALL=\path\to\tcl\dir
  set BUILDDIR=\path\to\build\tcltls
  set TCLINSTALL=\path\to\tcl
  set INSTALLDIR=%TCLINSTALL%\lib
  set SSLINSTALL=\path\to\openssl\dir

2a) Unzip distribution to %BUILDDIR%

2b) Start BASH shell (MinGW62 Git shell)

  cd %BUILDDIR%
  od -A n -v -t xC < 'library/tls.tcl' > tls.tcl.h.new.1
  sed 's@[^0-9A-Fa-f]@@g;s@..@0x&, @g' < tls.tcl.h.new.1 > generic/tls.tcl.h
  rm -f tls.tcl.h.new.1

2c) Start Visual Studio shell

  At Visual Studio x64 native prompt:

  cd %BUILDDIR%\win

  nmake -f makefile.vc TCLDIR=%TCLINSTALL% SSL_INSTALL_FOLDER=%SSLINSTALL%
  nmake -f makefile.vc install TCLDIR=c:\test\tcl8610 INSTALLDIR=%TCLINSTALL% SSL_INSTALL_FOLDER=%SSLINSTALL%
  nmake -f makefile.vc install TCLDIR=%TCLINSTALL% INSTALLDIR=%INSTALLDIR% SSL_INSTALL_FOLDER=%SSLINSTALL%

-----------------------------

3) Test

Start tclsh or wish

package require tls
package require http
http::register https 443 [list ::tls::socket -autoservername true]
set tok [http::data [http::geturl https://www.tcl-lang.org]]
::http::cleanup $tok