Index: README.txt ================================================================== --- README.txt +++ README.txt @@ -48,11 +48,11 @@ -------------- The standard TEA config, make and install process is supported. $ cd tcltls - $ ./configure --enable-64bit --enable-deterministic --with-builtin-dh-params-size=2048 + $ ./configure --enable-64bit $ make $ make test $ make install The supported configure options include all of the standard TEA configure script Index: acinclude.m4 ================================================================== --- acinclude.m4 +++ acinclude.m4 
@@ -97,49 +97,55 @@ openssldir="$withval" ], [ openssldir='' ] ) + AC_MSG_CHECKING([for OpenSSL directory]) + AC_MSG_RESULT($openssldir) dnl Set SSL include files path AC_ARG_WITH([openssl-includedir], AS_HELP_STRING([--with-openssl-includedir=], [path to include directory of OpenSSL or LibreSSL installation] ), [ opensslincludedir="$withval" ], [ - if test -n "$openssldir"; then - opensslincludedir="$openssldir/include/openssl" + if test ! -z "$openssldir"; then + if test -d "${openssldir}/include/openssl"; then + opensslincludedir="${openssldir}/include/openssl" + else + opensslincludedir="${openssldir}/include" + fi else opensslincludedir='' fi ] ) AC_MSG_CHECKING([for OpenSSL include directory]) AC_MSG_RESULT($opensslincludedir) dnl Set SSL include vars - if test -n "$opensslincludedir"; then + if test ! -z "$opensslincludedir"; then if test -f "$opensslincludedir/ssl.h"; then TCLTLS_SSL_CFLAGS="-I$opensslincludedir" TCLTLS_SSL_INCLUDES="-I$opensslincludedir" else AC_MSG_ERROR([Unable to locate ssl.h]) fi else - TCLTLS_SSL_CFLAGS="-I$(includedir)/openssl" - TCLTLS_SSL_INCLUDES="-I$(includedir)/openssl" + TCLTLS_SSL_CFLAGS="-I${includedir}/openssl" + TCLTLS_SSL_INCLUDES="-I${includedir}/openssl" fi dnl Set SSL lib files path AC_ARG_WITH([openssl-libdir], AS_HELP_STRING([--with-openssl-libdir=], [path to lib directory of OpenSSL or LibreSSL installation] ), [ openssllibdir="$withval" ], [ - if test -n "$openssldir"; then + if test ! -z "$openssldir"; then if test "$do64bit" == 'yes'; then openssllibdir="$openssldir/lib64" else openssllibdir="$openssldir/lib" fi 
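Review bot: The new fallback `opensslincludedir="${openssldir}/include"` is followed a few lines later by `test -f "$opensslincludedir/ssl.h"`, which only succeeds when ssl.h is installed flat under include/; for the usual include/openssl/ssl.h layout the `-d` test already takes the first branch, so it is unclear which installation the fallback is meant to serve, and when it misses it still ends in the existing "Unable to locate ssl.h" error. If the intent is to accept an --with-openssl-dir whose headers sit one level up, the existence check should probably also look for `$opensslincludedir/openssl/ssl.h`, or the fallback should be described in the AS_HELP_STRING so users know which layouts are accepted. The `test -n` to `test ! -z` swaps here and in the next acinclude.m4 hunk are equivalent, but `-n` is the POSIX-idiomatic spelling and the shorter read, so I would keep `-n`. The new lines also use `${openssldir}` while the surrounding lib-path lines keep `$openssldir`; picking one form keeps the macro consistent.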
@@ -150,11 +156,11 @@ ) AC_MSG_CHECKING([for OpenSSL lib directory]) AC_MSG_RESULT($openssllibdir) dnl Set SSL lib vars - if test -n "$openssllibdir"; then + if test ! -z "$openssllibdir"; then if test -f "$openssllibdir/libssl${SHLIB_SUFFIX}"; then if test "${TCLEXT_TLS_STATIC_SSL}" == 'no'; then TCLTLS_SSL_LIBS="-L$openssllibdir -lcrypto -lssl" else # Linux and Solaris Index: configure ================================================================== --- configure +++ configure @@ -9181,10 +9181,14 @@ openssldir='' fi + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for OpenSSL directory" >&5 +printf %s "checking for OpenSSL directory... " >&6; } + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $openssldir" >&5 +printf "%s\n" "$openssldir" >&6; } # Check whether --with-openssl-includedir was given. if test ${with_openssl_includedir+y} then : @@ -9191,12 +9195,16 @@ withval=$with_openssl_includedir; opensslincludedir="$withval" else $as_nop - if test -n "$openssldir"; then - opensslincludedir="$openssldir/include/openssl" + if test ! -z "$openssldir"; then + if test -d "${openssldir}/include/openssl"; then + opensslincludedir="${openssldir}/include/openssl" + else + opensslincludedir="${openssldir}/include" + fi else opensslincludedir='' fi 
@@ -9205,20 +9213,20 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for OpenSSL include directory" >&5 printf %s "checking for OpenSSL include directory... " >&6; } { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $opensslincludedir" >&5 printf "%s\n" "$opensslincludedir" >&6; } - if test -n "$opensslincludedir"; then + if test ! -z "$opensslincludedir"; then if test -f "$opensslincludedir/ssl.h"; then TCLTLS_SSL_CFLAGS="-I$opensslincludedir" TCLTLS_SSL_INCLUDES="-I$opensslincludedir" else as_fn_error $? "Unable to locate ssl.h" "$LINENO" 5 fi else - TCLTLS_SSL_CFLAGS="-I$(includedir)/openssl" - TCLTLS_SSL_INCLUDES="-I$(includedir)/openssl" + TCLTLS_SSL_CFLAGS="-I${includedir}/openssl" + TCLTLS_SSL_INCLUDES="-I${includedir}/openssl" fi # Check whether --with-openssl-libdir was given. if test ${with_openssl_libdir+y} @@ -9226,11 +9234,11 @@ withval=$with_openssl_libdir; openssllibdir="$withval" else $as_nop - if test -n "$openssldir"; then + if test ! -z "$openssldir"; then if test "$do64bit" == 'yes'; then openssllibdir="$openssldir/lib64" else openssllibdir="$openssldir/lib" fi @@ -9244,11 +9252,11 @@ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for OpenSSL lib directory" >&5 printf %s "checking for OpenSSL lib directory... " >&6; } { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $openssllibdir" >&5 printf "%s\n" "$openssllibdir" >&6; } - if test -n "$openssllibdir"; then + if test ! -z "$openssllibdir"; then if test -f "$openssllibdir/libssl${SHLIB_SUFFIX}"; then if test "${TCLEXT_TLS_STATIC_SSL}" == 'no'; then TCLTLS_SSL_LIBS="-L$openssllibdir -lcrypto -lssl" else # Linux and Solaris Index: generic/tls.c ================================================================== --- generic/tls.c +++ generic/tls.c @@ -36,13 +36,10 @@ /* Min OpenSSL version */ #if OPENSSL_VERSION_NUMBER < 0x10101000L #error "Only OpenSSL v1.1.1 or later is supported" #endif -/* - * External functions - */ /* * Forward declarations */ 
@@ -344,11 +341,11 @@ * behavior when the SSL_VERIFY_PEER flag is set. This is called * whenever a certificate is inspected or decided invalid. Called for * each certificate in the cert chain. * * Checks: - * certificate chain is checked starting with the deepest nesting level + * The certificate chain is checked starting with the deepest nesting level * (the root CA certificate) and worked upward to the peer's certificate. * All signatures are valid, current time is within first and last validity time. * Check that the certificate is issued by the issuer certificate issuer. * Check the revocation status for each certificate. * Check the validity of the given CRL and the cert revocation status. @@ -424,11 +421,11 @@ /* *------------------------------------------------------------------- * * Tls_Error -- * - * Calls callback with list of errors. + * Calls callback with error message. * * Side effects: * The err field of the currently operative State is set * to a string describing the SSL negotiation failure reason * @@ -499,13 +496,13 @@ /* *------------------------------------------------------------------- * * Password Callback -- * - * Called when a password for a private key loading/storing a PEM - * certificate with encryption. Evals callback script and returns - * the result as the password string in buf. + * Called when a password is needed for a private key when loading + * or storing a PEM certificate with encryption. Evals callback + * script and returns the result as the password string in buf. * * Results: * None * * Side effects: 
@@ -520,19 +517,24 @@ PasswordCallback(char *buf, int size, int rwflag, void *udata) { State *statePtr = (State *) udata; Tcl_Interp *interp = statePtr->interp; Tcl_Obj *cmdPtr; int code; + Tcl_Size len; dprintf("Called"); /* If no callback, use default callback */ if (statePtr->password == NULL) { if (Tcl_EvalEx(interp, "tls::password", -1, TCL_EVAL_GLOBAL) == TCL_OK) { - char *ret = (char *) Tcl_GetStringResult(interp); - strncpy(buf, ret, (size_t) size); - return (int)strlen(ret); + char *ret = (char *) Tcl_GetStringFromObj(Tcl_GetObjResult(interp), &len); + if (len > (Tcl_Size) size-1) { + len = (Tcl_Size) size-1; + } + strncpy(buf, ret, (size_t) len); + buf[len] = '\0'; + return (int) len; } else { return -1; } } @@ -559,11 +561,10 @@ Tcl_Release((ClientData) statePtr); /* If successful, pass back password string and truncate if too long */ if (code == TCL_OK) { - Tcl_Size len; char *ret = (char *) Tcl_GetStringFromObj(Tcl_GetObjResult(interp), &len); if (len > (Tcl_Size) size-1) { len = (Tcl_Size) size-1; } strncpy(buf, ret, (size_t) len); @@ -635,10 +636,12 @@ /* Eval callback command */ Tcl_IncrRefCount(cmdPtr); EvalCallback(interp, statePtr, cmdPtr); Tcl_DecrRefCount(cmdPtr); + + /* Return 0 for now until session handling is complete */ return 0; } /* *------------------------------------------------------------------- @@ -1418,11 +1421,11 @@ memcpy(p, str, (size_t) len); p += len; } /* SSL_set_alpn_protos makes a copy of the protocol-list */ - /* Note: This functions reverses the return value convention */ + /* Note: This function reverses the return value convention */ if (SSL_set_alpn_protos(statePtr->ssl, protos, protos_len)) { Tcl_AppendResult(interp, "Set ALPN protocols failed: ", GET_ERR_REASON(), (char *) NULL); Tcl_SetErrorCode(interp, "TLS", "IMPORT", "ALPN", "FAILED", (char *) NULL); Tls_Free((char *) statePtr); ckfree(protos); 
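Review bot: The clamp `if (len > (Tcl_Size) size-1)` assumes size is at least 1; with size == 0 the bound becomes -1, the copy length `(size_t) len` wraps to SIZE_MAX and `buf[len] = '\0'` writes before the buffer. I would not expect OpenSSL to pass 0 here, but a one-line guard at the top of the function, `if (size <= 0) { return -1; }`, makes the bounded copy self-contained, and the identical clamp in the second hunk on this line benefits from it as well. Separately, after the copy the passphrase is still held in the interpreter result in both branches; the context line "flush the passphrase which might be left in the result" in a later hunk shows the project already treats that as undesirable, so `Tcl_ResetResult(interp);` after `buf[len] = '\0';` would shorten how long the secret lingers. PasswordCallback's body continues outside the hunk.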
@@ -1752,10 +1755,11 @@ /* set some callbacks */ SSL_CTX_set_default_passwd_cb(ctx, PasswordCallback); SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *)statePtr); /* read a Diffie-Hellman parameters file, or use the built-in one */ + Tcl_DStringInit(&ds); #ifdef OPENSSL_NO_DH if (DHparams != NULL) { Tcl_AppendResult(interp, "DH parameter support not available", (char *) NULL); SSL_CTX_free(ctx); return NULL; @@ -1764,11 +1768,10 @@ { DH* dh; if (DHparams != NULL) { BIO *bio; - Tcl_DStringInit(&ds); bio = BIO_new_file(F2N(DHparams, &ds), "r"); if (!bio) { Tcl_DStringFree(&ds); Tcl_AppendResult(interp, "Could not find DH parameters file", (char *) NULL); SSL_CTX_free(ctx); @@ -1800,11 +1803,10 @@ /* set our certificate */ load_private_key = 0; if (certfile != NULL) { load_private_key = 1; - Tcl_DStringInit(&ds); if (SSL_CTX_use_certificate_file(ctx, F2N(certfile, &ds), SSL_FILETYPE_PEM) <= 0) { Tcl_DStringFree(&ds); Tcl_AppendResult(interp, "unable to set certificate file ", certfile, ": ", GET_ERR_REASON(), (char *) NULL); SSL_CTX_free(ctx); @@ -1844,11 +1846,10 @@ /* get the private key associated with this certificate */ if (keyfile == NULL) { keyfile = certfile; } - Tcl_DStringInit(&ds); if (SSL_CTX_use_PrivateKey_file(ctx, F2N(keyfile, &ds), SSL_FILETYPE_PEM) <= 0) { Tcl_DStringFree(&ds); /* flush the passphrase which might be left in the result */ Tcl_SetResult(interp, NULL, TCL_STATIC); Tcl_AppendResult(interp, "unable to set public key file ", keyfile, " ", @@ -1887,11 +1888,10 @@ /* Overrides for the CA verify path and file */ { #if OPENSSL_VERSION_NUMBER < 0x30000000L if (CApath != NULL || CAfile != NULL) { Tcl_DString ds1; - Tcl_DStringInit(&ds); Tcl_DStringInit(&ds1); if (!SSL_CTX_load_verify_locations(ctx, F2N(CAfile, &ds), F2N(CApath, &ds1))) { abort++; } 
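Review bot: Moving the single `Tcl_DStringInit(&ds);` ahead of the `#ifdef OPENSSL_NO_DH` block makes every later `F2N(..., &ds)` in this hunk and the next one depend on the previous use having called `Tcl_DStringFree(&ds)` first; Tcl_DStringFree does leave the string empty and reusable, so the visible pairs look fine, but the invariant is now spread across the whole function and any future early return or added F2N call without a free in between would silently append to, or leak, the previous path. F2N's definition is not in the diff, so whether it initializes the DString itself (which would make the reuse safe regardless) cannot be confirmed here and is worth checking. I would record the invariant next to the init: `/* ds is shared by every F2N() below; each use must Tcl_DStringFree(&ds) before the next */`. The enclosing function starts before and ends after these hunks.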
@@ -1899,35 +1899,31 @@ Tcl_DStringFree(&ds1); /* Set list of CAs to send to client when requesting a client certificate */ /* https://sourceforge.net/p/tls/bugs/57/ */ /* XXX:TODO: Let the user supply values here instead of something that exists on the filesystem */ - Tcl_DStringInit(&ds); STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file(F2N(CAfile, &ds)); if (certNames != NULL) { SSL_CTX_set_client_CA_list(ctx, certNames); } Tcl_DStringFree(&ds); } #else if (CApath != NULL) { - Tcl_DStringInit(&ds); if (!SSL_CTX_load_verify_dir(ctx, F2N(CApath, &ds))) { abort++; } Tcl_DStringFree(&ds); } if (CAfile != NULL) { - Tcl_DStringInit(&ds); if (!SSL_CTX_load_verify_file(ctx, F2N(CAfile, &ds))) { abort++; } Tcl_DStringFree(&ds); /* Set list of CAs to send to client when requesting a client certificate */ - Tcl_DStringInit(&ds); STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file(F2N(CAfile, &ds)); if (certNames != NULL) { SSL_CTX_set_client_CA_list(ctx, certNames); } Tcl_DStringFree(&ds); Index: tests/badssl.csv ================================================================== --- tests/badssl.csv +++ tests/badssl.csv 
@@ -8,11 +8,11 @@ command,"proc badssl {url} {set port 443;lassign [split $url "":""] url port;if {$port eq """"} {set port 443};set cmd [list tls::socket -autoservername 1 -require 1];if {[info exists ::env(SSL_CERT_FILE)]} {lappend cmd -cafile $::env(SSL_CERT_FILE)};lappend cmd $url $port;set ch [eval $cmd];if {[catch {tls::handshake $ch} err]} {close $ch;return -code error $err} else {close $ch}}",,,,,,,,, ,,,,,,,,,, command,# BadSSL.com Tests,,,,,,,,, BadSSL,1000-sans,,,badssl 1000-sans.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1 BadSSL,10000-sans,,,badssl 10000-sans.badssl.com,,,handshake failed: excessive message size,,,1 -BadSSL,3des,,,badssl 3des.badssl.com,,,handshake failed: sslv3 alert handshake failure,,,1 +BadSSL,3des,,,badssl 3des.badssl.com,,glob,handshake failed: * alert handshake failure,,,1 BadSSL,captive-portal,old_api,,badssl captive-portal.badssl.com,,,"handshake failed: certificate verify failed due to ""Hostname mismatch""",,,1 BadSSL,captive-portal,new_api,,badssl captive-portal.badssl.com,,,"handshake failed: certificate verify failed due to ""hostname mismatch""",,,1 BadSSL,cbc,,,badssl cbc.badssl.com,,,,,, BadSSL,client-cert-missing,,,badssl client-cert-missing.badssl.com,,,,,, BadSSL,client,,,badssl client.badssl.com,,,,,, 
@@ -19,11 +19,12 @@ BadSSL,dh-composite,old_api,,badssl dh-composite.badssl.com,,,,,, BadSSL,dh-composite,new_api,,badssl dh-composite.badssl.com,,,handshake failed: dh key too small,,,1 BadSSL,dh-small-subgroup,,,badssl dh-small-subgroup.badssl.com,,,,,, BadSSL,dh480,old_api,,badssl dh480.badssl.com,,,handshake failed: dh key too small,,,1 BadSSL,dh480,new_api,,badssl dh480.badssl.com,,,handshake failed: modulus too small,,,1 -BadSSL,dh512,,,badssl dh512.badssl.com,,,handshake failed: dh key too small,,,1 +BadSSL,dh512,old_api,,badssl dh512.badssl.com,,,handshake failed: dh key too small,,,1 +BadSSL,dh512,mac,,badssl dh512.badssl.com,,,handshake failed: unknown security bits,,,1 BadSSL,dh1024,old_api,,badssl dh1024.badssl.com,,,,,, BadSSL,dh1024,new_api,,badssl dh1024.badssl.com,,,handshake failed: dh key too small,,,1 BadSSL,dh2048,,,badssl dh2048.badssl.com,,,,,, BadSSL,dsdtestprovider,,,badssl dsdtestprovider.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1 BadSSL,ecc256,,,badssl ecc256.badssl.com,,,,,, 
@@ -39,16 +40,16 @@ BadSSL,longextendedsubdomainnamewithoutdashesinordertotestwordwrapping,,,badssl longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com,,,,,, BadSSL,mitm-software,,,badssl mitm-software.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1 BadSSL,no-common-name,,,badssl no-common-name.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1 BadSSL,no-sct,,,badssl no-sct.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1 BadSSL,no-subject,,,badssl no-subject.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1 -BadSSL,null,,,badssl null.badssl.com,,,handshake failed: sslv3 alert handshake failure,,,1 +BadSSL,null,,,badssl null.badssl.com,,glob,handshake failed: * alert handshake failure,,,1 BadSSL,pinning-test,,,badssl pinning-test.badssl.com,,,,,, BadSSL,preact-cli,,,badssl preact-cli.badssl.com,,,"handshake failed: certificate verify failed due to ""unable to get local issuer certificate""",,,1 BadSSL,preloaded-hsts,,,badssl preloaded-hsts.badssl.com,,,,,, -BadSSL,rc4-md5,,,badssl rc4-md5.badssl.com,,,handshake failed: sslv3 alert handshake failure,,,1 -BadSSL,rc4,,,badssl rc4.badssl.com,,,handshake failed: sslv3 alert handshake failure,,,1 +BadSSL,rc4-md5,,,badssl rc4-md5.badssl.com,,glob,handshake failed: * alert handshake failure,,,1 +BadSSL,rc4,,,badssl rc4.badssl.com,,glob,handshake failed: * alert handshake failure,,,1 BadSSL,revoked,,,badssl revoked.badssl.com,,,"handshake failed: certificate verify failed due to ""certificate has expired""",,,1 BadSSL,rsa2048,,,badssl rsa2048.badssl.com,,,,,, BadSSL,rsa4096,,,badssl rsa4096.badssl.com,,,,,, BadSSL,rsa8192,,,badssl rsa8192.badssl.com,,,,,, BadSSL,self-signed,old_api,,badssl self-signed.badssl.com,,,"handshake failed: certificate verify failed due to ""self signed 
certificate""",,,1 Index: tests/badssl.test ================================================================== --- tests/badssl.test +++ tests/badssl.test @@ -27,11 +27,11 @@ badssl 10000-sans.badssl.com } -result {handshake failed: excessive message size} -returnCodes {1} test BadSSL-1.3 {3des} -body { badssl 3des.badssl.com - } -result {handshake failed: sslv3 alert handshake failure} -returnCodes {1} + } -match {glob} -result {handshake failed: * alert handshake failure} -returnCodes {1} test BadSSL-1.4 {captive-portal} -constraints {old_api} -body { badssl captive-portal.badssl.com } -result {handshake failed: certificate verify failed due to "Hostname mismatch"} -returnCodes {1} 
@@ -69,228 +69,232 @@ test BadSSL-1.13 {dh480} -constraints {new_api} -body { badssl dh480.badssl.com } -result {handshake failed: modulus too small} -returnCodes {1} -test BadSSL-1.14 {dh512} -body { +test BadSSL-1.14 {dh512} -constraints {old_api} -body { badssl dh512.badssl.com } -result {handshake failed: dh key too small} -returnCodes {1} -test BadSSL-1.15 {dh1024} -constraints {old_api} -body { +test BadSSL-1.15 {dh512} -constraints {mac} -body { + badssl dh512.badssl.com + } -result {handshake failed: unknown security bits} -returnCodes {1} + +test BadSSL-1.16 {dh1024} -constraints {old_api} -body { badssl dh1024.badssl.com } -test BadSSL-1.16 {dh1024} -constraints {new_api} -body { +test BadSSL-1.17 {dh1024} -constraints {new_api} -body { badssl dh1024.badssl.com } -result {handshake failed: dh key too small} -returnCodes {1} -test BadSSL-1.17 {dh2048} -body { +test BadSSL-1.18 {dh2048} -body { badssl dh2048.badssl.com } -test BadSSL-1.18 {dsdtestprovider} -body { +test BadSSL-1.19 {dsdtestprovider} -body { badssl dsdtestprovider.badssl.com } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1} -test BadSSL-1.19 {ecc256} -body { +test BadSSL-1.20 {ecc256} -body { badssl ecc256.badssl.com } -test BadSSL-1.20 {ecc384} -body { +test BadSSL-1.21 {ecc384} -body { badssl ecc384.badssl.com } -test BadSSL-1.21 {edellroot} -body { +test BadSSL-1.22 {edellroot} -body { badssl edellroot.badssl.com } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1} -test BadSSL-1.22 {expired} -body { +test BadSSL-1.23 {expired} -body { badssl expired.badssl.com } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1} -test BadSSL-1.23 {extended-validation} -body { +test BadSSL-1.24 {extended-validation} -body { badssl extended-validation.badssl.com } -result {handshake failed: certificate verify failed 
due to "certificate has expired"} -returnCodes {1} -test BadSSL-1.24 {hsts} -body { +test BadSSL-1.25 {hsts} -body { badssl hsts.badssl.com } -test BadSSL-1.25 {https-everywhere} -body { +test BadSSL-1.26 {https-everywhere} -body { badssl https-everywhere.badssl.com } -test BadSSL-1.26 {incomplete-chain} -body { +test BadSSL-1.27 {incomplete-chain} -body { badssl incomplete-chain.badssl.com } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1} -test BadSSL-1.27 {invalid-expected-sct} -body { +test BadSSL-1.28 {invalid-expected-sct} -body { badssl invalid-expected-sct.badssl.com } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1} -test BadSSL-1.28 {long-extended-subdomain-name-containing-many-letters-and-dashes} -body { +test BadSSL-1.29 {long-extended-subdomain-name-containing-many-letters-and-dashes} -body { badssl long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com } -test BadSSL-1.29 {longextendedsubdomainnamewithoutdashesinordertotestwordwrapping} -body { +test BadSSL-1.30 {longextendedsubdomainnamewithoutdashesinordertotestwordwrapping} -body { badssl longextendedsubdomainnamewithoutdashesinordertotestwordwrapping.badssl.com } -test BadSSL-1.30 {mitm-software} -body { +test BadSSL-1.31 {mitm-software} -body { badssl mitm-software.badssl.com } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1} -test BadSSL-1.31 {no-common-name} -body { +test BadSSL-1.32 {no-common-name} -body { badssl no-common-name.badssl.com } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1} -test BadSSL-1.32 {no-sct} -body { +test BadSSL-1.33 {no-sct} -body { badssl no-sct.badssl.com } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1} -test 
BadSSL-1.33 {no-subject} -body { +test BadSSL-1.34 {no-subject} -body { badssl no-subject.badssl.com } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1} -test BadSSL-1.34 {null} -body { +test BadSSL-1.35 {null} -body { badssl null.badssl.com - } -result {handshake failed: sslv3 alert handshake failure} -returnCodes {1} + } -match {glob} -result {handshake failed: * alert handshake failure} -returnCodes {1} -test BadSSL-1.35 {pinning-test} -body { +test BadSSL-1.36 {pinning-test} -body { badssl pinning-test.badssl.com } -test BadSSL-1.36 {preact-cli} -body { +test BadSSL-1.37 {preact-cli} -body { badssl preact-cli.badssl.com } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1} -test BadSSL-1.37 {preloaded-hsts} -body { +test BadSSL-1.38 {preloaded-hsts} -body { badssl preloaded-hsts.badssl.com } -test BadSSL-1.38 {rc4-md5} -body { +test BadSSL-1.39 {rc4-md5} -body { badssl rc4-md5.badssl.com - } -result {handshake failed: sslv3 alert handshake failure} -returnCodes {1} + } -match {glob} -result {handshake failed: * alert handshake failure} -returnCodes {1} -test BadSSL-1.39 {rc4} -body { +test BadSSL-1.40 {rc4} -body { badssl rc4.badssl.com - } -result {handshake failed: sslv3 alert handshake failure} -returnCodes {1} + } -match {glob} -result {handshake failed: * alert handshake failure} -returnCodes {1} -test BadSSL-1.40 {revoked} -body { +test BadSSL-1.41 {revoked} -body { badssl revoked.badssl.com } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1} -test BadSSL-1.41 {rsa2048} -body { +test BadSSL-1.42 {rsa2048} -body { badssl rsa2048.badssl.com } -test BadSSL-1.42 {rsa4096} -body { +test BadSSL-1.43 {rsa4096} -body { badssl rsa4096.badssl.com } -test BadSSL-1.43 {rsa8192} -body { +test BadSSL-1.44 {rsa8192} -body { badssl rsa8192.badssl.com } -test BadSSL-1.44 {self-signed} -constraints 
{old_api} -body { +test BadSSL-1.45 {self-signed} -constraints {old_api} -body { badssl self-signed.badssl.com } -result {handshake failed: certificate verify failed due to "self signed certificate"} -returnCodes {1} -test BadSSL-1.45 {self-signed} -constraints {new_api} -body { +test BadSSL-1.46 {self-signed} -constraints {new_api} -body { badssl self-signed.badssl.com } -result {handshake failed: certificate verify failed due to "self-signed certificate"} -returnCodes {1} -test BadSSL-1.46 {sha1-2016} -body { +test BadSSL-1.47 {sha1-2016} -body { badssl sha1-2016.badssl.com } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1} -test BadSSL-1.47 {sha1-2017} -constraints {old_api} -body { +test BadSSL-1.48 {sha1-2017} -constraints {old_api} -body { badssl sha1-2017.badssl.com } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1} -test BadSSL-1.48 {sha1-2017} -constraints {new_api} -body { +test BadSSL-1.49 {sha1-2017} -constraints {new_api} -body { badssl sha1-2017.badssl.com } -result {handshake failed: certificate verify failed due to "CA signature digest algorithm too weak"} -returnCodes {1} -test BadSSL-1.49 {sha1-intermediate} -body { +test BadSSL-1.50 {sha1-intermediate} -body { badssl sha1-intermediate.badssl.com } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1} -test BadSSL-1.50 {sha256} -body { +test BadSSL-1.51 {sha256} -body { badssl sha256.badssl.com } -test BadSSL-1.51 {sha384} -body { +test BadSSL-1.52 {sha384} -body { badssl sha384.badssl.com } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1} -test BadSSL-1.52 {sha512} -body { +test BadSSL-1.53 {sha512} -body { badssl sha512.badssl.com } -result {handshake failed: certificate verify failed due to "certificate has expired"} -returnCodes {1} -test BadSSL-1.53 
{static-rsa} -body { +test BadSSL-1.54 {static-rsa} -body { badssl static-rsa.badssl.com } -test BadSSL-1.54 {subdomain.preloaded-hsts} -constraints {old_api} -body { - badssl subdomain.preloaded-hsts.badssl.com - } -result {handshake failed: certificate verify failed due to "Hostname mismatch"} -returnCodes {1} - -test BadSSL-1.55 {subdomain.preloaded-hsts} -constraints {new_api} -body { - badssl subdomain.preloaded-hsts.badssl.com - } -result {handshake failed: certificate verify failed due to "hostname mismatch"} -returnCodes {1} - -test BadSSL-1.56 {superfish} -body { - badssl superfish.badssl.com - } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1} - -test BadSSL-1.57 {tls-v1-0:1010} -constraints {tls1 old_api} -body { - badssl tls-v1-0.badssl.com:1010 - } - -test BadSSL-1.58 {tls-v1-0:1010} -constraints {tls1 new_api} -body { - badssl tls-v1-0.badssl.com:1010 - } -result {handshake failed: unsupported protocol} -returnCodes {1} - -test BadSSL-1.59 {tls-v1-1:1011} -constraints {tls1.1 old_api} -body { - badssl tls-v1-1.badssl.com:1011 - } - -test BadSSL-1.60 {tls-v1-1:1011} -constraints {tls1.1 new_api} -body { - badssl tls-v1-1.badssl.com:1011 - } -result {handshake failed: unsupported protocol} -returnCodes {1} - -test BadSSL-1.61 {tls-v1-2:1012} -constraints {tls1.2} -body { - badssl tls-v1-2.badssl.com:1012 - } - -test BadSSL-1.62 {untrusted-root} -constraints {old_api} -body { - badssl untrusted-root.badssl.com - } -result {handshake failed: certificate verify failed due to "self signed certificate in certificate chain"} -returnCodes {1} - -test BadSSL-1.63 {untrusted-root} -constraints {new_api} -body { - badssl untrusted-root.badssl.com - } -result {handshake failed: certificate verify failed due to "self-signed certificate in certificate chain"} -returnCodes {1} - -test BadSSL-1.64 {upgrade} -body { - badssl upgrade.badssl.com - } - -test BadSSL-1.65 {webpack-dev-server} -body { - 
badssl webpack-dev-server.badssl.com - } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1} - -test BadSSL-1.66 {wrong.host} -constraints {old_api} -body { - badssl wrong.host.badssl.com - } -result {handshake failed: certificate verify failed due to "Hostname mismatch"} -returnCodes {1} - -test BadSSL-1.67 {wrong.host} -constraints {new_api} -body { - badssl wrong.host.badssl.com - } -result {handshake failed: certificate verify failed due to "hostname mismatch"} -returnCodes {1} - -test BadSSL-1.68 {mozilla-modern} -body { +test BadSSL-1.55 {subdomain.preloaded-hsts} -constraints {old_api} -body { + badssl subdomain.preloaded-hsts.badssl.com + } -result {handshake failed: certificate verify failed due to "Hostname mismatch"} -returnCodes {1} + +test BadSSL-1.56 {subdomain.preloaded-hsts} -constraints {new_api} -body { + badssl subdomain.preloaded-hsts.badssl.com + } -result {handshake failed: certificate verify failed due to "hostname mismatch"} -returnCodes {1} + +test BadSSL-1.57 {superfish} -body { + badssl superfish.badssl.com + } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1} + +test BadSSL-1.58 {tls-v1-0:1010} -constraints {tls1 old_api} -body { + badssl tls-v1-0.badssl.com:1010 + } + +test BadSSL-1.59 {tls-v1-0:1010} -constraints {tls1 new_api} -body { + badssl tls-v1-0.badssl.com:1010 + } -result {handshake failed: unsupported protocol} -returnCodes {1} + +test BadSSL-1.60 {tls-v1-1:1011} -constraints {tls1.1 old_api} -body { + badssl tls-v1-1.badssl.com:1011 + } + +test BadSSL-1.61 {tls-v1-1:1011} -constraints {tls1.1 new_api} -body { + badssl tls-v1-1.badssl.com:1011 + } -result {handshake failed: unsupported protocol} -returnCodes {1} + +test BadSSL-1.62 {tls-v1-2:1012} -constraints {tls1.2} -body { + badssl tls-v1-2.badssl.com:1012 + } + +test BadSSL-1.63 {untrusted-root} -constraints {old_api} -body { + badssl 
untrusted-root.badssl.com + } -result {handshake failed: certificate verify failed due to "self signed certificate in certificate chain"} -returnCodes {1} + +test BadSSL-1.64 {untrusted-root} -constraints {new_api} -body { + badssl untrusted-root.badssl.com + } -result {handshake failed: certificate verify failed due to "self-signed certificate in certificate chain"} -returnCodes {1} + +test BadSSL-1.65 {upgrade} -body { + badssl upgrade.badssl.com + } + +test BadSSL-1.66 {webpack-dev-server} -body { + badssl webpack-dev-server.badssl.com + } -result {handshake failed: certificate verify failed due to "unable to get local issuer certificate"} -returnCodes {1} + +test BadSSL-1.67 {wrong.host} -constraints {old_api} -body { + badssl wrong.host.badssl.com + } -result {handshake failed: certificate verify failed due to "Hostname mismatch"} -returnCodes {1} + +test BadSSL-1.68 {wrong.host} -constraints {new_api} -body { + badssl wrong.host.badssl.com + } -result {handshake failed: certificate verify failed due to "hostname mismatch"} -returnCodes {1} + +test BadSSL-1.69 {mozilla-modern} -body { badssl mozilla-modern.badssl.com } # Cleanup ::tcltest::cleanupTests return Index: win/README.txt ================================================================== --- win/README.txt +++ win/README.txt @@ -4,11 +4,11 @@ Properties: - 64 bit DLL - VisualStudio 2015 Note: Visual C++ 6 does not build OpenSSL (long long syntax error) -- Cygwin32 (temporary helper, please help to replace by tclsh) +- Git MinGW or MS WSL shell to convert tls.tcl into .h file - OpenSSL statically linked to TCLTLS DLL. Note: Dynamic linking also works but results in a DLL dependency on OPENSSL DLL's ----------------------------- 
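Review bot: The dh512 case loses coverage on the new API: BadSSL-1.14 is now `-constraints {old_api}` and the added BadSSL-1.15 is `-constraints {mac}`, so on a non-mac new_api build neither runs, whereas dh480 keeps an old_api/new_api pair. On a mac build where old_api is also satisfied both tests run the same body but expect different messages, so one of them must fail; a constraint that separates the two cases (for example a new_api variant and a mac-only variant that excludes the other) would restore the pairing, and the same split appears on the dh512 rows of tests/badssl.csv. Renumbering every later test to insert one also rewrites ids that earlier logs refer to; inserting as BadSSL-1.14.1 or appending at the end keeps the existing ids stable.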
@@ -36,18 +36,20 @@ (1d) Configure Open SSL 1.1.1 At Visual Studio x64 native prompt: + cd %SSLBUILD% set Path=%PATH%;C:\Program Files\NASM;C:\Strawberry\perl\bin perl ..\Configure VC-WIN64A no-shared no-filenames threads no-ssl2 no-ssl3 --api=1.1.0 --prefix="%SSLINSTALL%" --openssldir="%SSLCOMMON%" -DOPENSSL_NO_DEPRECATED # Not used options: no-asm no-zlib no-comp no-ui-console no-autoload-config (1e) Configure Open SSL 3.0+ At Visual Studio x64 native prompt: + cd %SSLBUILD% set Path=%PATH%;C:\Program Files\NASM;C:\Strawberry\perl\bin perl ..\Configure VC-WIN64A no-shared no-filenames threads no-ssl2 no-ssl3 --prefix="%SSLINSTALL%" --openssldir="%SSLCOMMON%" # Not used options: no-asm no-zlib no-comp no-ui-console no-autoload-config (1f) Build OpenSSL @@ -58,12 +60,14 @@ ----------------------------- 2) Build TclTLS - set BUILDDIR=\path\to\build\dir - set TCLINSTALL=\path\to\tcl\dir + set BUILDDIR=\path\to\build\tcltls + set TCLINSTALL=\path\to\tcl + set INSTALLDIR=%TCLINSTALL%\lib + set SSLINSTALL=\path\to\openssl\dir 2a) Unzip distribution to %BUILDDIR% 2b) Start BASH shell (MinGW62 Git shell) @@ -77,11 +81,11 @@ At Visual Studio x64 native prompt: cd %BUILDDIR%\win nmake -f makefile.vc TCLDIR=%TCLINSTALL% SSL_INSTALL_FOLDER=%SSLINSTALL% - nmake -f makefile.vc install TCLDIR=c:\test\tcl8610 INSTALLDIR=%TCLINSTALL% SSL_INSTALL_FOLDER=%SSLINSTALL% + nmake -f makefile.vc install TCLDIR=%TCLINSTALL% INSTALLDIR=%INSTALLDIR% SSL_INSTALL_FOLDER=%SSLINSTALL% ----------------------------- 3) Test