Check-in [e245d231ee]


Overview
Comment:Started adding support for TLSv1.3
SHA3-256:e245d231ee3734908e74c47d17a461aa26771b80538076440863de52a417a135
User & Date: rkeene 2018-11-07 23:27:43
Context
2018-11-07
23:51
Added missing TLSv1.3 support check-in: efc1e122f2 user: rkeene tags: enhancement/tls-1.3
23:27
Started adding support for TLSv1.3 check-in: e245d231ee user: rkeene tags: enhancement/tls-1.3
2018-10-30
14:20
Applied patch from Jinhu to address [94c6a431fee] Leaf check-in: afec51b85b user: rkeene tags: trunk
Changes

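--- a/aclocal/tcltls_openssl.m4
+++ b/aclocal/tcltls_openssl.m4
@@ -156,14 +156,15 @@
 	AC_LANG_POP([C])
 
 	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_ssl2], [SSLv2_method], [sslv2], [NO_SSL2])
 	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_ssl3], [SSLv3_method], [sslv3], [NO_SSL3])
 	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_0], [TLSv1_method], [tlsv1.0], [NO_TLS1])
 	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_1], [TLSv1_1_method], [tlsv1.1], [NO_TLS1_1])
 	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_2], [TLSv1_2_method], [tlsv1.2], [NO_TLS1_2])
+	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_3], [TLSv1_3_method], [tlsv1.3], [NO_TLS1_3])
 
 	AC_CACHE_VAL([tcltls_cv_func_tlsext_hostname], [
 		AC_LANG_PUSH(C)
 		AC_MSG_CHECKING([for SSL_set_tlsext_host_name])
 		AC_LINK_IFELSE([AC_LANG_PROGRAM([
 #include <openssl/ssl.h>
 #if (SSLEAY_VERSION_NUMBER >= 0x0907000L)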
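Review bot: The new probe on line 163 hands `TLSv1_3_method` to TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER, but as far as I know no OpenSSL release exports a function by that name — 1.1.1 exposes TLS 1.3 only through the version-flexible `TLS_method()` together with `SSL_CTX_set_min_proto_version`/`SSL_CTX_set_max_proto_version` and `TLS1_3_VERSION`. If the macro is a link test like the earlier `SSL_set_tlsext_host_name` check (its definition is outside this diff), the probe would fail on every OpenSSL, `NO_TLS1_3` would always be defined, and the `--disable-tlsv1.3` option added in configure.ac and the `TLS_TLS1_3` case added in tls.c would never be live; the same mismatch applies to the `SSL_CTX_new(TLSv1_3_method())` line in the tls.c hunk. The 1.3 probe probably needs its own shape: an AC_LINK_IFELSE that builds `SSL_CTX_new(TLS_method())` under `#ifdef TLS1_3_VERSION` and defines `NO_TLS1_3` when that fails. Either way the new line deserves a comment, e.g. `dnl TLS 1.3 has no dedicated *_method(); probe TLS_method()+TLS1_3_VERSION instead`.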

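--- a/configure.ac
+++ b/configure.ac
@@ -106,23 +106,34 @@
 	if test "$enableval" = "yes"; then
 		tcltls_ssl_tls1_1='force'
 	else
 		tcltls_ssl_tls1_1='false'
 	fi
 ])
 
-dnl ## TLSv1.1: Enabled by default
+dnl ## TLSv1.2: Enabled by default
 tcltls_ssl_tls1_2='true'
 AC_ARG_ENABLE([tlsv1.2], AS_HELP_STRING([--disable-tlsv1.2], [disable TLSv1.2 protocol]), [
 	if test "$enableval" = "yes"; then
 		tcltls_ssl_tls1_2='force'
 	else
 		tcltls_ssl_tls1_2='false'
 	fi
 ])
+
+dnl ## TLSv1.3: Enabled by default
+tcltls_ssl_tls1_3='true'
+AC_ARG_ENABLE([tlsv1.3], AS_HELP_STRING([--disable-tlsv1.3], [disable TLSv1.3 protocol]), [
+	if test "$enableval" = "yes"; then
+		tcltls_ssl_tls1_3='force'
+	else
+		tcltls_ssl_tls1_3='false'
+	fi
+])
+
 
 dnl Enable support for a debugging build
 tcltls_debug='false'
 AC_ARG_ENABLE([debug], AS_HELP_STRING([--enable-debug], [enable debugging parameters]), [
 	if test "$enableval" = "yes"; then
 		tcltls_debug='true'
 	fi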
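--- a/tls.c
+++ b/tls.c
@@ -494,18 +494,18 @@
 CiphersObjCmd(clientData, interp, objc, objv)
     ClientData clientData;	/* Not used. */
     Tcl_Interp *interp;
     int objc;
     Tcl_Obj	*CONST objv[];
 {
     static CONST84 char *protocols[] = {
-	"ssl2",	"ssl3",	"tls1",	"tls1.1", "tls1.2", NULL
+	"ssl2",	"ssl3",	"tls1",	"tls1.1", "tls1.2", "tls1.3", NULL
     };
     enum protocol {
-	TLS_SSL2, TLS_SSL3, TLS_TLS1, TLS_TLS1_1, TLS_TLS1_2, TLS_NONE
+	TLS_SSL2, TLS_SSL3, TLS_TLS1, TLS_TLS1_1, TLS_TLS1_2, TLS_TLS1_3, TLS_NONE
     };
     Tcl_Obj *objPtr;
     SSL_CTX *ctx = NULL;
     SSL *ssl = NULL;
     STACK_OF(SSL_CIPHER) *sk;
     char *cp, buf[BUFSIZ];
     int index, verbose = 0;
@@ -556,14 +556,21 @@
     case TLS_TLS1_2:
 #if defined(NO_TLS1_2)
 		Tcl_AppendResult(interp, "protocol not supported", NULL);
 		return TCL_ERROR;
 #else
 		ctx = SSL_CTX_new(TLSv1_2_method()); break;
 #endif
+    case TLS_TLS1_3:
+#if defined(NO_TLS1_3)
+		Tcl_AppendResult(interp, "protocol not supported", NULL);
+		return TCL_ERROR;
+#else
+		ctx = SSL_CTX_new(TLSv1_3_method()); break;
+#endif
     default:
 		break;
     }
     if (ctx == NULL) {
 	Tcl_AppendResult(interp, REASON(), (char *) NULL);
 	return TCL_ERROR;
     }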
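Review bot: The `#else` branch of the new `case TLS_TLS1_3:` in the second hunk calls `TLSv1_3_method()`, which OpenSSL does not provide (TLS 1.3 in 1.1.1 is reached through `TLS_method()` with the minimum and maximum protocol version both pinned to `TLS1_3_VERSION`), so this branch would fail to compile wherever `NO_TLS1_3` is not defined; the configure probe in aclocal/tcltls_openssl.m4 has the same mismatch. Pinning both bounds preserves the "ciphers for exactly this protocol" meaning the other cases have, and releasing the context on a failed pin lets the existing `ctx == NULL` check after the switch report it through `REASON()`. CiphersObjCmd starts in the first hunk and continues past the end of the second, so the remaining uses of `ctx` are not visible here.
```c
    case TLS_TLS1_3:
#if defined(NO_TLS1_3)
		/* … unchanged: "protocol not supported" error return … */
#else
		/* OpenSSL has no TLSv1_3_method(); pin the version-flexible method to 1.3 only */
		ctx = SSL_CTX_new(TLS_method());
		if (ctx != NULL &&
		    (!SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION) ||
		     !SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION))) {
			SSL_CTX_free(ctx);
			ctx = NULL;	/* reported by the REASON() check below the switch */
		}
		break;
#endif
```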

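--- a/tls.htm
+++ b/tls.htm
@@ -217,14 +217,16 @@
         <dd>Enable use of SSL v3. (<strong>default</strong>: <em>false</em>)</dd>
         <dt>-<strong>tls1</strong> <em>bool</em></dt>
         <dd>Enable use of TLS v1. (<strong>default</strong>: <em>true</em>)</dd>
         <dt>-<strong>tls1.1</strong> <em>bool</em></dt>
         <dd>Enable use of TLS v1.1 (<strong>default</strong>: <em>true</em>)</dd>
         <dt>-<strong>tls1.2</strong> <em>bool</em></dt>
         <dd>Enable use of TLS v1.2 (<strong>default</strong>: <em>true</em>)</dd>
+        <dt>-<strong>tls1.3</strong> <em>bool</em></dt>
+        <dd>Enable use of TLS v1.3 (<strong>default</strong>: <em>true</em>)</dd>
     </dl>
 </blockquote>
 
 <dl>
     <dt><a name="tls::unimport"><b>tls::unimport </b><i>channel</i></a></dt>
     <dd>Provided for symmetry to <strong>tls::import</strong>, this
       unstacks the SSL-enabling of a regular Tcl channel.  An error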

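--- a/tls.tcl
+++ b/tls.tcl
@@ -45,14 +45,15 @@
         {* -autoservername discardOpts 1}
         {* -servername iopts 1}
         {* -ssl2 iopts 1}
         {* -ssl3 iopts 1}
         {* -tls1 iopts 1}
         {* -tls1.1 iopts 1}
         {* -tls1.2 iopts 1}
+        {* -tls1.3 iopts 1}
     }
 
     # tls::socket and tls::init options as a humane readable string
     variable socketOptionsNoServer
     variable socketOptionsServer
 
     # Internal [switch] body to validate options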
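Review bot: The new `{* -tls1.3 iopts 1}` entry routes `-tls1.3` through to `tls::import`, but no hunk in this check-in touches the C-side option parsing in tls.c that consumes the sibling `-tls1.2` flag (that code is outside this diff), so unless it is extended in the same change the new option would reach the C layer and be rejected as unknown, or be accepted and ignored, at runtime. The documentation hunk in tls.htm already advertises `-tls1.3` with a default of true, so the two should land together. Worth confirming against the import command in tls.c before merging.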