Index: doc/tls.html
==================================================================
--- doc/tls.html
+++ doc/tls.html
@@ -275,23 +275,24 @@
 connected peer.
- state state
-- State of the connection: initializing, handshake, established
+- State of the connection.
- servername name
- The name of the connected to server.
- protocol version
- The protocol version used for the connection: SSL2, SSL3, TLS1, TLS1.1, TLS1.2, TLS1.3, or unknown.
- renegotiation state
- Whether protocol renegotiation is allowed or disallowed.
-- alpn protocol
-- The protocol selected after Application-Layer Protocol - Negotiation (ALPN).
- securitylevel level
- The security level used for selection of ciphers, key size, etc.
+- session_reused boolean
+- Whether the session has been reused or not.
+- is_server boolean
+- Whether the connection configured as a server or client (false).
- cipher cipher
- The current cipher in use for the connection.
- standard_name name
- The standard RFC name of cipher.
- bits n
@@ -298,24 +299,33 @@
- The number of processed bits used for cipher.
- secret_bits n
- The number of secret bits used for cipher.
- min_version version
- The minimum protocol version for cipher.
+- id id
+- The OpenSSL cipher id.
- description string
- A text description of the cipher.
-- session_reused boolean
-- Whether the session has been reused or not.
-- session_id string
-- Unique session id for use in resuming the session.
-- session_ticket string
-- Unique session ticket for use in resuming the session.
+- alpn protocol
+- The protocol selected after Application-Layer Protocol + Negotiation (ALPN).
- resumable boolean
- Can the session be resumed or not.
- start_time seconds
- Time since session started in seconds since epoch.
- timeout seconds
- Max duration of session in seconds before time-out.
+- lifetime seconds
+- Session ticket lifetime hint in seconds.
+- session_id string
+- Unique session id for use in resuming the session.
+- session_ticket string
+- Unique session ticket for use in resuming the session.
+- ticket_app_data string
+- Unique session ticket application data.
+- master_key binary_string
+- Unique session master key.
- compression mode
- Compression method.
- expansion mode
- Expansion method.
- session_cache_mode mode
Index: generic/tls.c
==================================================================
--- generic/tls.c
+++ generic/tls.c
@@ -1780,11 +1780,10 @@
 Tcl_Channel chan;
 char *channelName, *ciphers;
 int mode;
 const unsigned char *proto;
 unsigned int len;
- char *peername = NULL;
 dprintf("Called");
 switch (objc) {
 case 2:
@@ -1834,15 +1833,12 @@
 if (!peer && (ssl_certs == NULL || sk_X509_num(ssl_certs) == 0)) {
 return TCL_ERROR;
 }
 /* Peer name from cert */
- if (SSL_get_verify_result(statePtr->ssl) == X509_V_OK) {
- peername = SSL_get0_peername(statePtr->ssl);
- }
 Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("peername", -1));
- Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(peername, -1));
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_get0_peername(statePtr->ssl), -1));
 Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("sbits", -1));
 Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj(SSL_get_cipher_bits(statePtr->ssl, NULL)));
 ciphers = (char*)SSL_get_cipher(statePtr->ssl);
@@ -1863,11 +1859,11 @@
 /* Report the selected protocol as a result of the negotiation */
 SSL_get0_alpn_selected(statePtr->ssl, &proto, &len);
 Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("alpn", -1));
 Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj((char *)proto, (int)len));
- Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("version", -1));
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("protocol", -1));
 Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_get_version(statePtr->ssl), -1));
 Tcl_SetObjResult(interp, objPtr);
 return TCL_OK;
 clientData = clientData;
@@ -1890,11 +1886,10 @@
 Tcl_Obj *objPtr;
 const SSL *ssl;
 const SSL_CIPHER *cipher;
 const SSL_SESSION *session;
 const unsigned char *proto;
- unsigned int len;
 long mode;
 if (objc != 2) {
 Tcl_WrongNumArgs(interp, 1, objv, "channel");
 return(TCL_ERROR);
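Review bot: In the `@@ -1834` hunk the `peername` value is now taken from `SSL_get0_peername(statePtr->ssl)` without the `SSL_get_verify_result(statePtr->ssl) == X509_V_OK` check that the removed lines applied, so a script reading `peername` can no longer rely on the name coming from a connection whose certificate verification succeeded. The usage example in OpenSSL's SSL_set1_host(3) page tests the verify result before using the peer name, and the old code followed that. If the relaxation is not intended, the guard fits on the same line: `Tcl_NewStringObj(SSL_get_verify_result(statePtr->ssl) == X509_V_OK ? SSL_get0_peername(statePtr->ssl) : NULL, -1)`, which keeps the old behaviour of passing NULL when verification did not succeed. If it is intended, a comment such as `/* peername is reported even when verification failed; check the verify result before trusting it */` would tell callers what changed. The enclosing function starts and ends outside this hunk.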
@@ -1920,11 +1915,11 @@
 if (ssl != NULL) {
 /* connection state */
 Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("state", -1));
 Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_state_string_long(ssl), -1));
- /* Get server name */
+ /* Get SNI requested server name */
 Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("servername", -1));
 Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name), -1));
 /* Get protocol */
 Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("protocol", -1));
@@ -1933,18 +1928,21 @@
 /* Renegotiation allowed */
 Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("renegotiation", -1));
 Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj( SSL_get_secure_renegotiation_support(ssl) ? "supported" : "not supported", -1));
- /* Report the selected protocol as a result of the ALPN negotiation */
- SSL_get0_alpn_selected(ssl, &proto, &len);
- Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("alpn", -1));
- Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj((char *)proto, (int)len));
-
 /* Get security level */
 Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("securitylevel", -1));
 Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj(SSL_get_security_level(ssl)));
+
+ /* Session info */
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("session_reused", -1));
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewBooleanObj(SSL_session_reused(ssl)));
+
+ /* Is server info */
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("is_server", -1));
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewBooleanObj(SSL_is_server(ssl)));
 }
 /* Cipher info */
 cipher = SSL_get_current_cipher(ssl);
 if (cipher != NULL) {
@@ -1964,10 +1962,14 @@
 /* alg_bits is actual key secret bits. If use bits and secret (algorithm) bits differ, the rest of the bits are fixed, i.e. for limited export ciphers (bits < 56) */
 Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("min_version", -1));
 Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_CIPHER_get_version(cipher), -1));
+ /* Get OpenSSL-specific ID, not IANA ID */
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("id", -1));
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj((int) SSL_CIPHER_get_id(cipher)));
+
 if (SSL_CIPHER_description(cipher, buf, sizeof(buf)) != NULL) {
 Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("description", -1));
 Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(buf, -1));
 }
 }
@@ -1975,25 +1977,22 @@
 /* Session info */
 session = SSL_get_session(ssl);
 if (session != NULL) {
 const unsigned char *ticket;
 size_t len2;
+ unsigned int ulen;
 const unsigned char *session_id;
-
- /* Session info */
- Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("session_reused", -1));
- Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj(SSL_session_reused(ssl)));
-
- /* Session id */
- Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("session_id", -1));
- session_id = SSL_SESSION_get_id(session, &len);
- Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(session_id, (int)len));
-
- /* Session ticket - client only */
- SSL_SESSION_get0_ticket(session, &ticket, &len2);
- Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("session_ticket", -1));
- Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(ticket, (int) len2));
+ char buffer[SSL_MAX_MASTER_KEY_LENGTH];
+
+ /* Report the selected protocol as a result of the ALPN negotiation */
+ SSL_SESSION_get0_alpn_selected(session, &proto, &len);
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("alpn", -1));
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj((char *)proto, (int) len));
+
+ /* Peer */
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("peer", -1));
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_SESSION_get0_peer(session), -1));
 /* Resumable session */
 Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("resumable", -1));
 Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj(SSL_SESSION_is_resumable(session)));
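Review bot: The new `peer` entry passes the result of `SSL_SESSION_get0_peer(session)` to `Tcl_NewStringObj(..., -1)`, but that function returns an `X509 *`, not a C string, so Tcl would measure and copy the bytes of the certificate structure itself into a script-visible value. Either drop the `peer` pair or first format a certificate field (for example the subject name) into a character buffer and pass that. Separately, the ALPN lines use `&len` and `(int) len` although the `@@ -1890` hunk removes `unsigned int len;` from what appears to be the same function, and `SSL_SESSION_get0_alpn_selected` takes a `size_t *`. Unless `len` is declared somewhere outside the visible hunks, `SSL_SESSION_get0_alpn_selected(session, &proto, &len2);` with `(int) len2` looks like the intended form. The enclosing function starts and ends outside this hunk.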
@@ -2002,10 +2001,34 @@
 Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewLongObj(SSL_SESSION_get_time(session)));
 /* Timeout value */
 Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("timeout", -1));
 Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewLongObj(SSL_SESSION_get_timeout(session)));
+
+ /* Lifetime hint */
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("lifetime", -1));
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewLongObj(SSL_SESSION_get_ticket_lifetime_hint(session)));
+
+ /* Session id */
+ session_id = SSL_SESSION_get_id(session, &ulen);
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("session_id", -1));
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewByteArrayObj(session_id, (int) ulen));
+
+ /* Session ticket - client only */
+ SSL_SESSION_get0_ticket(session, &ticket, &len2);
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("session_ticket", -1));
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewByteArrayObj(ticket, (int) len2));
+
+ /* Ticket app data */
+ SSL_SESSION_get0_ticket_appdata(session, &ticket, &len2);
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("ticket_app_data", -1));
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewByteArrayObj(ticket, (int) len2));
+
+ /* Get master key */
+ len2 = SSL_SESSION_get_master_key(session, buffer, SSL_MAX_MASTER_KEY_LENGTH);
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("master_key", -1));
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewByteArrayObj(buffer, (int) len2));
 }
 /* Compression info */
 if (ssl != NULL) {
#ifdef HAVE_SSL_COMPRESSION
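Review bot: The `master_key` entry returns the session master secret to any script that can query this channel, alongside `session_id` and `session_ticket`, and the stack copy in `buffer` is never cleared before the function returns. Key material exposed this way tends to end up in logs or debug dumps of the status dictionary, so it would be safer behind an explicit opt-in (for example a build-time define) than in the default output. The copy should also be wiped once the byte array is built, with `OPENSSL_cleanse(buffer, sizeof(buffer));`. `buffer` is declared as `char[]` in the preceding hunk, while both `SSL_SESSION_get_master_key` and `Tcl_NewByteArrayObj` take `unsigned char *`, so `unsigned char buffer[SSL_MAX_MASTER_KEY_LENGTH];` avoids the pointer-sign mismatch. The enclosing function starts outside this hunk and continues past it.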