Index: doc/tls.html ================================================================== --- doc/tls.html +++ doc/tls.html @@ -259,19 +259,21 @@
Allow post-handshake session ticket updates.
Request a certificate from the peer during the SSL handshake. This is needed to do Certificate Validation. Starting in TclTLS 1.8, the default is -true. +true. Starting in TclTLS 2.0, If set to false and +-require is true, then this will be overridden to true. See Certificate Validation for more details.
Require a valid certificate from the peer during the SSL handshake. If this is set to true, then -request must also be set to true and a either -cadir, -cafile, -castore, or a platform default must be provided in order to validate against. The default in TclTLS 1.8 and earlier versions is false since not all platforms have certificates to -validate against in a form compatible with OpenSSL. +validate against in a form compatible with OpenSSL. Starting in TclTLS 2.0, +the default is true. See Certificate Validation for more details.
Specifies the security level (value from 0 to 5). The security level affects the allowed cipher suite encryption algorithms, supported ECC curves, supported signature algorithms, DH parameter sizes, certificate key sizes @@ -551,28 +553,32 @@ This store only supports root certificate stores. See Certificate Validation for more details.
Request a certificate from the peer during the SSL handshake. This is needed to do Certificate Validation. Starting in TclTLS 1.8, the default is -true. In addition, the client can manually inspect and accept or reject +true. Starting in TclTLS 2.0, If set to false and +-require is true, then this will be overridden to true. +In addition, the client can manually inspect and accept or reject each certificate using the -validatecommand option.
Require a valid certificate from the peer during the SSL handshake. If this is set to true, then -request must also be set to true and a either -cadir, -cafile, -castore, or a platform default must be provided in order to validate against. The default in TclTLS 1.8 and earlier versions is false since not all platforms have certificates to -validate against in a form compatible with OpenSSL.
In TclTLS 1.8 and earlier versions, certificate validation is NOT enabled by default. This limitation is due to the lack of a common cross platform database of Certificate Authority (CA) provided certificates to validate against. Many Linux systems natively support OpenSSL and thus have these certificates installed as part of the OS, but MacOS and MS Windows do not. -In order to use the -require option, one of the following +Staring in TclTLS 2.0, this has been changed to require certificate validation +by default. In order to use the -require option, one of the following must be true:
On Linux and Unix systems with OpenSSL already installed or if the CA certificates are available in PEM format, and if they are stored in the standard locations, or if the SSL_CERT_DIR or SSL_CERT_FILE Index: doc/tls.man ================================================================== --- doc/tls.man +++ doc/tls.man @@ -150,20 +150,22 @@ Allow post-handshake session ticket updates. [opt_def -request [arg bool]] Request a certificate from the peer during the SSL handshake. This is needed to do Certificate Validation. Starting in TclTLS 1.8, the default is -[const true]. +[const true]. Starting in TclTLS 2.0, If set to [const false] and +[option -require] is [const true], then this will be overridden to [const true]. See [sectref "Certificate Validation"] for more details. [opt_def -require [arg bool]] Require a valid certificate from the peer during the SSL handshake. If this is set to true, then [option -request] must also be set to true and a either [option -cadir], [option -cafile], [option -castore], or a platform default must be provided in order to validate against. The default in TclTLS 1.8 and earlier versions is [const false] since not all platforms have certificates to -validate against in a form compatible with OpenSSL. +validate against in a form compatible with OpenSSL. Starting in TclTLS 2.0, +the default is [const true]. See [sectref "Certificate Validation"] for more details. [opt_def -security_level [arg integer]] Specifies the security level (value from 0 to 5). The security level affects the allowed cipher suite encryption algorithms, supported ECC curves, 
@@ -567,20 +569,23 @@ [sectref "Certificate Validation"] for more details. [opt_def -request [arg bool]] Request a certificate from the peer during the SSL handshake. This is needed to do Certificate Validation. Starting in TclTLS 1.8, the default is -[const true]. In addition, the client can manually inspect and accept or reject +[const true]. Starting in TclTLS 2.0, If set to [const false] and +[option -require] is [const true], then this will be overridden to [const true]. +In addition, the client can manually inspect and accept or reject each certificate using the [arg -validatecommand] option. [opt_def -require [arg bool]] Require a valid certificate from the peer during the SSL handshake. If this is set to true, then [option -request] must also be set to true and a either [option -cadir], [option -cafile], [option -castore], or a platform default must be provided in order to validate against. The default in TclTLS 1.8 and earlier versions is [const false] since not all platforms have certificates to -validate against in a form compatible with OpenSSL. +validate against in a form compatible with OpenSSL. Starting in TclTLS 2.0, +the default is [const true]. [list_end] [subsection "When are command line options needed?"] 
@@ -587,11 +592,12 @@ In TclTLS 1.8 and earlier versions, certificate validation is [emph NOT] enabled by default. This limitation is due to the lack of a common cross platform database of Certificate Authority (CA) provided certificates to validate against. Many Linux systems natively support OpenSSL and thus have these certificates installed as part of the OS, but MacOS and MS Windows do not. -In order to use the [option -require] option, one of the following +Staring in TclTLS 2.0, this has been changed to require certificate validation +by default. In order to use the [option -require] option, one of the following must be true: [list_begin itemized] [item] Index: doc/tls.n ================================================================== --- doc/tls.n +++ doc/tls.n 
@@ -427,20 +427,22 @@ Allow post-handshake session ticket updates\&. .TP \fB-request\fR \fIbool\fR Request a certificate from the peer during the SSL handshake\&. This is needed to do Certificate Validation\&. Starting in TclTLS 1\&.8, the default is -\fBtrue\fR\&. +\fBtrue\fR\&. Starting in TclTLS 2\&.0, If set to \fBfalse\fR and +\fB-require\fR is \fBtrue\fR, then this will be overridden to \fBtrue\fR\&. See \fBCertificate Validation\fR for more details\&. .TP \fB-require\fR \fIbool\fR Require a valid certificate from the peer during the SSL handshake\&. If this is set to true, then \fB-request\fR must also be set to true and a either \fB-cadir\fR, \fB-cafile\fR, \fB-castore\fR, or a platform default must be provided in order to validate against\&. The default in TclTLS 1\&.8 and earlier versions is \fBfalse\fR since not all platforms have certificates to -validate against in a form compatible with OpenSSL\&. +validate against in a form compatible with OpenSSL\&. Starting in TclTLS 2\&.0, +the default is \fBtrue\fR\&. See \fBCertificate Validation\fR for more details\&. .TP \fB-security_level\fR \fIinteger\fR Specifies the security level (value from 0 to 5)\&. The security level affects the allowed cipher suite encryption algorithms, supported ECC curves, 
@@ -812,28 +814,32 @@ \fBCertificate Validation\fR for more details\&. .TP \fB-request\fR \fIbool\fR Request a certificate from the peer during the SSL handshake\&. This is needed to do Certificate Validation\&. Starting in TclTLS 1\&.8, the default is -\fBtrue\fR\&. In addition, the client can manually inspect and accept or reject +\fBtrue\fR\&. Starting in TclTLS 2\&.0, If set to \fBfalse\fR and +\fB-require\fR is \fBtrue\fR, then this will be overridden to \fBtrue\fR\&. +In addition, the client can manually inspect and accept or reject each certificate using the \fI-validatecommand\fR option\&. .TP \fB-require\fR \fIbool\fR Require a valid certificate from the peer during the SSL handshake\&. If this is set to true, then \fB-request\fR must also be set to true and a either \fB-cadir\fR, \fB-cafile\fR, \fB-castore\fR, or a platform default must be provided in order to validate against\&. The default in TclTLS 1\&.8 and earlier versions is \fBfalse\fR since not all platforms have certificates to -validate against in a form compatible with OpenSSL\&. +validate against in a form compatible with OpenSSL\&. Starting in TclTLS 2\&.0, +the default is \fBtrue\fR\&. .PP .SS "WHEN ARE COMMAND LINE OPTIONS NEEDED?" In TclTLS 1\&.8 and earlier versions, certificate validation is \fINOT\fR enabled by default\&. This limitation is due to the lack of a common cross platform database of Certificate Authority (CA) provided certificates to validate against\&. Many Linux systems natively support OpenSSL and thus have these certificates installed as part of the OS, but MacOS and MS Windows do not\&. -In order to use the \fB-require\fR option, one of the following +Staring in TclTLS 2\&.0, this has been changed to require certificate validation +by default\&. 
In order to use the \fB-require\fR option, one of the following must be true: .IP \(bu On Linux and Unix systems with OpenSSL already installed or if the CA certificates are available in PEM format, and if they are stored in the standard locations, or if the \fBSSL_CERT_DIR\fR or \fBSSL_CERT_FILE\fR Index: generic/tls.c ================================================================== --- generic/tls.c +++ generic/tls.c @@ -1350,11 +1350,11 @@ char *session_id = NULL; Tcl_Obj *alpn = NULL; int ssl2 = 0, ssl3 = 0; int tls1 = 1, tls1_1 = 1, tls1_2 = 1, tls1_3 = 1; int proto = 0, level = -1; - int verify = 0, require = 0, request = 1, post_handshake = 0; + int verify = 0, require = 1, request = 1, post_handshake = 0; dprintf("Called"); #if defined(NO_TLS1) || defined(OPENSSL_NO_TLS1) tls1 = 0; @@ -1423,13 +1423,14 @@ OPTBAD("option", "-alpn, -cadir, -cafile, -castore, -cert, -certfile, -cipher, -ciphersuites, -command, -dhparams, -key, -keyfile, -model, -password, -post_handshake, -request, -require, -security_level, -server, -servername, -session_id, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, -tls1.3, or -validatecommand"); return TCL_ERROR; } + if (require) request = 1; if (request) verify |= SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER; if (request && require) verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; - if (request && post_handshake) verify |= SSL_VERIFY_POST_HANDSHAKE; + if (request && post_handshake) verify |= SSL_VERIFY_POST_HANDSHAKE; if (verify == 0) verify = SSL_VERIFY_NONE; proto |= (ssl2 ? TLS_PROTO_SSL2 : 0); proto |= (ssl3 ? TLS_PROTO_SSL3 : 0); proto |= (tls1 ? TLS_PROTO_TLS1 : 0); Index: generic/tlsInt.h ================================================================== --- generic/tlsInt.h +++ generic/tlsInt.h 
@@ -35,11 +35,11 @@ /* Windows needs to know which symbols to export. */ #ifdef BUILD_tls #undef TCL_STORAGE_CLASS #define TCL_STORAGE_CLASS DLLEXPORT -#endif /* BUILD_udp */ +#endif /* BUILD_tls */ /* Handle TCL 8.6 CONST changes */ #ifndef CONST86 # if TCL_MAJOR_VERSION > 8 # define CONST86 const
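Review bot: In the `-request` description added to all three doc files (doc/tls.html @@ -259 and @@ -551, doc/tls.man @@ -150 and @@ -567, doc/tls.n @@ -427 and @@ -812) the new sentence reads "Starting in TclTLS 2.0, If set to false and -require is true, then this will be overridden to true." with a capitalised "If" mid-sentence; lower-case it, and consider stating the behaviour directly, e.g. "Starting in TclTLS 2.0, if -require is true this option is forced to true regardless of its setting." The neighbouring context line "and a either -cadir, -cafile, -castore, or a platform default" still carries the pre-existing "a either" typo; since this block is being touched anyway, dropping the stray "a" would be cheap.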
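Review bot: The "Certificate Validation" paragraph added in doc/tls.html, doc/tls.man (@@ -587) and doc/tls.n (@@ -812) misspells "Starting" as "Staring" in all three copies. The same paragraph now says validation is required by default but still opens with "In order to use the -require option, one of the following must be true:", which no longer matches, since the listed preconditions (OpenSSL CA store, PEM certificates in standard locations, SSL_CERT_DIR/SSL_CERT_FILE, or -cadir/-cafile/-castore) now apply to every connection unless the caller passes -require false. Rewording to "Because -require is now true by default, one of the following must be true for a connection to succeed; pass -require false to restore the previous behaviour" would tell users on MacOS and MS Windows, which the paragraph itself says lack a CA store, why their existing code starts failing after the upgrade.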
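Review bot: In generic/tls.c @@ -1350 the default `require = 1` is applied unconditionally, but the option list in the same function includes `-server`, so this code path is also used for server-side sockets. Combined with the unchanged line `if (request && require) verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;`, a server created without an explicit `-require false` will now set SSL_VERIFY_FAIL_IF_NO_PEER_CERT, and OpenSSL aborts the handshake in server mode when the client presents no certificate; every existing server that does not use client-certificate authentication would reject all clients. Either derive the default from the server flag (require on for clients, off for servers) or make the doc hunks state explicitly that servers must pass `-require false`.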
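Review bot: In generic/tls.c @@ -1423 the new line `if (require) request = 1;` silently discards an explicit `-request false` from the caller; since the docs describe this as an override that is fine, but a dprintf noting the override, or a Tcl error for the contradictory combination `-request false -require true`, would make misconfiguration visible instead of quietly changing the verify flags. The `-`/`+` pair for `if (request && post_handshake) verify |= SSL_VERIFY_POST_HANDSHAKE;` is a whitespace-only change that adds noise to the diff and is better dropped or moved to a separate formatting commit.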