Overview
Comment: Move tls.htm -> doc/tls.html. Start conversion to HTML5
SHA3-256: f4edd2b33b6880ab01af02bf9b6f7f43
User & Date: jan.nijtmans on 2024-02-23 11:00:08
Context
2024-02-23
11:57  Added set option support. Source: https://www.androwish.org/home/info/1af65d23b6962476 (check-in: baec6798d6, user: jan.nijtmans, tags: trunk, main)
11:30  Merge trunk (check-in: faafc32731, user: jan.nijtmans, tags: bohagan)
11:00  Move tls.htm -> doc/tls.html. Start conversion to HTML5 (check-in: f4edd2b33b, user: jan.nijtmans, tags: trunk, main)
10:19  Fix ciphers.test testcases for OpenSSL 3.0. Remove files no longer needed (check-in: b8d4646795, user: jan.nijtmans, tags: trunk, main)
Changes
Renamed and modified tls.htm [96f50e582d] to doc/tls.html [24b93a3706].
| < < | | | | | | | | < | | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 | <!DOCTYPE html> <html lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="Copyright" content="1999 Matt Newman / 2004 Starfish Systems"> <title>TLS (SSL) Tcl Commands</title> </head> <body bgcolor="#FFFFFF"> <dl> <dd><a href="#NAME">NAME</a> <dl> <dd><b>tls</b> - binding to <b>OpenSSL</b> toolkit.</dd> </dl> </dd> <dd><a href="#SYNOPSIS">SYNOPSIS</a> </dd> <dd><dl> <dd><b>package require Tcl</b> <em>?<b>8.5</b>?</em></dd> <dd><b>package require tls </b><em>?@@VERS@@?</em></dd> <dt> </dt> <dd><b>tls::init</b> <em>?options?</em> </dd> <dd><b>tls::socket </b><em>?options? host port</em></dd> <dd><b>tls::socket</b> <em>?-server command? ?options? port</em></dd> <dd><b>tls::handshake</b><em> channel</em></dd> <dd><b>tls::status </b><em>?-local? channel</em></dd> <dd><b>tls::import</b><em> channel ?options?</em></dd> <dd><b>tls::unimport</b><em> channel</em></dd> <dd><b>tls::ciphers </b><em>protocol ?verbose?</em></dd> <dd><b>tls::version</b></dd> </dl> |
︙ | ︙ | |||
46 47 48 49 50 51 52 | <h3><a name="NAME">NAME</a></h3> <p><strong>tls</strong> - binding to <strong>OpenSSL</strong> toolkit.</p> <h3><a name="SYNOPSIS">SYNOPSIS</a></h3> | | | 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 | <h3><a name="NAME">NAME</a></h3> <p><strong>tls</strong> - binding to <strong>OpenSSL</strong> toolkit.</p> <h3><a name="SYNOPSIS">SYNOPSIS</a></h3> <p><b>package require Tcl 8.5</b><br> <b>package require tls @@VERS@@</b><br> <br> <a href="#tls::init"><b>tls::init </b><i>?options?</i><br> </a><a href="#tls::socket"><b>tls::socket </b><em>?options? host port</em><br> <b>tls::socket</b><em> ?-server command? ?options? port</em><br> </a><a href="#tls::status"><b>tls::status </b><em>?-local? channel</em><br> |
︙ | ︙ | |||
104 105 106 107 108 109 110 | command except that the options can include any of the applicable <a href="#tls::import"><strong>tls:import</strong></a> options with one additional option: <blockquote> <dl> <dt><strong>-autoservername</strong> <em>bool</em></dt> <dd>Automatically send the -servername as the <em>host</em> argument | | | 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 | command except that the options can include any of the applicable <a href="#tls::import"><strong>tls:import</strong></a> options with one additional option: <blockquote> <dl> <dt><strong>-autoservername</strong> <em>bool</em></dt> <dd>Automatically send the -servername as the <em>host</em> argument (default is <em>false</em>)</dd> </dl> </blockquote> <dt> </dt> <dt><a name="tls::handshake"><strong>tls::handshake</strong> <em>channel</em></a></dt> <dd>Forces handshake to take place, and returns 0 if handshake is still in progress (non-blocking), or 1 if the handshake was successful. If the handshake failed |
︙ | ︙ | |||
184 185 186 187 188 189 190 | default validation provided by OpenSSL. <br> See <a href="#CALLBACK OPTIONS">CALLBACK OPTIONS</a> for further discussion.</dd> <dt><strong>-dhparams </strong><em>filename</em></dt> <dd>Provide a Diffie-Hellman parameters file.</dd> <dt><strong>-keyfile</strong> <em>filename</em></dt> | | | | | | | | | | | | 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 | default validation provided by OpenSSL. <br> See <a href="#CALLBACK OPTIONS">CALLBACK OPTIONS</a> for further discussion.</dd> <dt><strong>-dhparams </strong><em>filename</em></dt> <dd>Provide a Diffie-Hellman parameters file.</dd> <dt><strong>-keyfile</strong> <em>filename</em></dt> <dd>Provide the private key file. (default is value of -certfile)</dd> <dt><strong>-key</strong> <em>filename</em></dt> <dd>Provide the private key to use as a DER encoded value (PKCS#1 DER)</dd> <dt><strong>-model</strong> <em>channel</em></dt> <dd>This will force this channel to share the same <em><strong>SSL_CTX</strong></em> structure as the specified <em>channel</em>, and therefore share callbacks etc.</dd> <dt><strong>-password</strong> <em>callback</em></dt> <dd>If supplied, this callback will be invoked when OpenSSL needs to obtain a password, typically to unlock the private key of a certificate. The callback should return a string which represents the password to be used. <br> See <a href="#CALLBACK OPTIONS">CALLBACK OPTIONS</a> for further discussion.</dd> <dt><strong>-request </strong><em>bool</em></dt> <dd>Request a certificate from peer during SSL handshake. (default is <em>true</em>)</dd> <dt><strong>-require</strong> <em>bool</em></dt> <dd>Require a valid certificate from peer during SSL handshake. If this is set to true then <strong>-request</strong> must also be set to true. 
(default is <em>false</em>)</dd> <dt><strong>-server</strong> <em>bool</em></dt> <dd>Handshake as server if true, else handshake as client.(default is <em>false</em>)</dd> <dt><strong>-servername</strong> <em>host</em></dt> <dd>Only available if the OpenSSL library the package is linked against supports the TLS hostname extension for 'Server Name Indication' (SNI). Use to name the logical host we are talking to and expecting a certificate for</dd> <dt><strong>-ssl2</strong> <em>bool</em></dt> <dd>Enable use of SSL v2. (default is <em>false</em>)</dd> <dt><strong>-ssl3 </strong><em>bool</em></dt> <dd>Enable use of SSL v3. (default is <em>false</em>)</dd> <dt>-<strong>tls1</strong> <em>bool</em></dt> <dd>Enable use of TLS v1. (default is <em>true</em>)</dd> <dt>-<strong>tls1.1</strong> <em>bool</em></dt> <dd>Enable use of TLS v1.1 (default is <em>true</em>)</dd> <dt>-<strong>tls1.2</strong> <em>bool</em></dt> <dd>Enable use of TLS v1.2 (default is <em>true</em>)</dd> <dt>-<strong>tls1.3</strong> <em>bool</em></dt> <dd>Enable use of TLS v1.3 (default is <em>true</em>)</dd> </dl> </blockquote> <dl> <dt><a name="tls::unimport"><b>tls::unimport </b><i>channel</i></a></dt> <dd>Provided for symmetry to <strong>tls::import</strong>, this unstacks the SSL-enabling of a regular Tcl channel. An error |
︙ | ︙ | |||
416 417 418 419 420 421 422 | <pre><code> package require http package require tls http::register https 443 [list ::tls::socket -autoservername true -require true -cadir /etc/ssl/certs] | | | | 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 | <pre><code> package require http package require tls http::register https 443 [list ::tls::socket -autoservername true -require true -cadir /etc/ssl/certs] set tok [http::geturl https://core.tcl-lang.org/] </code></pre> <h3><a name="SPECIAL CONSIDERATIONS">SPECIAL CONSIDERATIONS</a></h3> <p>The capabilities of this package can vary enormously based upon how your OpenSSL library was configured and built. At the most macro-level OpenSSL supports a "no patents" build, which disables RSA, IDEA, RC(2,4,5) and SSL2 - if your OpenSSL is configured this way then you will need to build TLS with the -DNO_PATENTS option - and the resultant module will function correctly and also support ADH certificate-less encryption, however you will be unable to utilize this to speak to normal Web Servers, which typically require RSA support. Please see <a href="http://www.openssl.org/">http://www.openssl.org/</a> for more information on the whole issue of patents and US export restrictions. </p> <h3><a name="SEE ALSO">SEE ALSO</a></h3> <p><strong>socket</strong>, <strong>fileevent</strong>, <a href="http://www.openssl.org/"><strong>OpenSSL</strong></a></p> <hr> <pre> Copyright © 1999 Matt Newman. Copyright © 2004 Starfish Systems. </pre> </body> </html> |
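Review bot: the new head and body in the first hunk (new lines 1-32) still carry pre-HTML5 markup that contradicts the `<!DOCTYPE html>` and `<html lang="en">` this check-in introduces: `<body bgcolor="#FFFFFF">` is a presentational attribute that HTML5 makes obsolete, and `<meta http-equiv="Content-Type" content="text/html; charset=utf-8">` is the long form of `<meta charset="utf-8">`. Since the commit message says this is the start of the HTML5 conversion, consider replacing them with a plain `<body>` plus a stylesheet rule and `<meta charset="utf-8">`. The same applies to the `<a name="...">` anchors used throughout (for example `<a name="NAME">` in the second hunk), which HTML5 replaces with `id` attributes on the headings themselves.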
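Review bot: the rewritten synopsis in the second hunk (new lines 43-57) has no entry for tls::handshake: it goes from the two tls::socket lines straight to `<a href="#tls::status">`, whereas the `<dl>` it replaces listed `<dd><b>tls::handshake</b><em> channel</em></dd>` between socket and status, and the command is still documented below (`<a name="tls::handshake">` in the third hunk). Add `<a href="#tls::handshake"><b>tls::handshake</b> <em>channel</em><br></a>` between the socket and status lines. Minor: this block uses `<b>`/`<i>` while the rest of the file uses `<strong>`/`<em>`; pick one for the converted file.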
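Review bot: the link text `<strong>tls:import</strong>` in the third hunk (new lines 101-115) has a single colon while its href and the command itself are `tls::import`. It is unchanged context, but since the file is being rewritten anyway it is a one-character fix worth folding in.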
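Review bot: in the options hunk (new lines 181-238) the `-key` entry (`<dt><strong>-key</strong> <em>filename</em></dt>`) names its argument `filename` but the description says it takes the private key "as a DER encoded value (PKCS#1 DER)"; one of the two is wrong, and the placeholder should match what the command actually accepts. The same hunk documents `-request` defaulting to true and `-require` defaulting to false, which means a client asks for the peer certificate but does not fail the handshake when it is invalid; it would help readers to say so explicitly in the `-require` entry, since that is exactly why the example at new line 416 has to pass `-require true`. Minor: `handshake as client.(default is <em>false</em>)` under `-server` is missing a space before the parenthesis.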
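Review bot: the SPECIAL CONSIDERATIONS paragraph in the last hunk (new lines 423-433) is stale relative to the rest of this file: it presents a "no patents" `-DNO_PATENTS` build and SSL2 as live concerns, while the options list earlier in the same file already defaults `-ssl2` and `-ssl3` to false. Since the whole document is being reworked, either drop the paragraph or cut it down to the one point that still holds (the package's capabilities depend on how the OpenSSL library was configured and built). Separately, the two `http://www.openssl.org/` links in this hunk should be `https://`.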