Index: doc/tls.html
==================================================================
--- doc/tls.html
+++ doc/tls.html
@@ -275,23 +275,24 @@
connected peer.
- state state
- - State of the connection: initializing, handshake, established
+ - State of the connection.
- servername name
- The name of the connected to server.
- protocol version
- The protocol version used for the connection:
SSL2, SSL3, TLS1, TLS1.1, TLS1.2, TLS1.3, or unknown.
- renegotiation state
- Whether protocol renegotiation is allowed or disallowed.
- - alpn protocol
- - The protocol selected after Application-Layer Protocol
- Negotiation (ALPN).
- securitylevel level
- The security level used for selection of ciphers, key size, etc.
+ - session_reused boolean
+ - Whether the session has been reused or not.
+ - is_server boolean
+ - Whether the connection configured as a server or client (false).
- cipher cipher
- The current cipher in use for the connection.
- standard_name name
- The standard RFC name of cipher.
- bits n
@@ -298,24 +299,33 @@
- The number of processed bits used for cipher.
- secret_bits n
- The number of secret bits used for cipher.
- min_version version
- The minimum protocol version for cipher.
+ - id id
+ - The OpenSSL cipher id.
- description string
- A text description of the cipher.
- - session_reused boolean
- - Whether the session has been reused or not.
- - session_id string
- - Unique session id for use in resuming the session.
- - session_ticket string
- - Unique session ticket for use in resuming the session.
+ - alpn protocol
+ - The protocol selected after Application-Layer Protocol
+ Negotiation (ALPN).
- resumable boolean
- Can the session be resumed or not.
- start_time seconds
- Time since session started in seconds since epoch.
- timeout seconds
- Max duration of session in seconds before time-out.
+ - lifetime seconds
+ - Session ticket lifetime hint in seconds.
+ - session_id string
+ - Unique session id for use in resuming the session.
+ - session_ticket string
+ - Unique session ticket for use in resuming the session.
+ - ticket_app_data string
+ - Unique session ticket application data.
+ - master_key binary_string
+ - Unique session master key.
- compression mode
- Compression method.
- expansion mode
- Expansion method.
- session_cache_mode mode
Index: generic/tls.c
==================================================================
--- generic/tls.c
+++ generic/tls.c
@@ -1780,11 +1780,10 @@
Tcl_Channel chan;
char *channelName, *ciphers;
int mode;
const unsigned char *proto;
unsigned int len;
- char *peername = NULL;
dprintf("Called");
switch (objc) {
case 2:
@@ -1834,15 +1833,12 @@
if (!peer && (ssl_certs == NULL || sk_X509_num(ssl_certs) == 0)) {
return TCL_ERROR;
}
/* Peer name from cert */
- if (SSL_get_verify_result(statePtr->ssl) == X509_V_OK) {
- peername = SSL_get0_peername(statePtr->ssl);
- }
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("peername", -1));
- Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(peername, -1));
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_get0_peername(statePtr->ssl), -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("sbits", -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj(SSL_get_cipher_bits(statePtr->ssl, NULL)));
ciphers = (char*)SSL_get_cipher(statePtr->ssl);
@@ -1863,11 +1859,11 @@
/* Report the selected protocol as a result of the negotiation */
SSL_get0_alpn_selected(statePtr->ssl, &proto, &len);
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("alpn", -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj((char *)proto, (int)len));
- Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("version", -1));
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("protocol", -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_get_version(statePtr->ssl), -1));
Tcl_SetObjResult(interp, objPtr);
return TCL_OK;
clientData = clientData;
@@ -1890,11 +1886,10 @@
Tcl_Obj *objPtr;
const SSL *ssl;
const SSL_CIPHER *cipher;
const SSL_SESSION *session;
const unsigned char *proto;
- unsigned int len;
long mode;
if (objc != 2) {
Tcl_WrongNumArgs(interp, 1, objv, "channel");
return(TCL_ERROR);
@@ -1920,11 +1915,11 @@
if (ssl != NULL) {
/* connection state */
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("state", -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_state_string_long(ssl), -1));
- /* Get server name */
+ /* Get SNI requested server name */
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("servername", -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name), -1));
/* Get protocol */
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("protocol", -1));
@@ -1933,18 +1928,21 @@
/* Renegotiation allowed */
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("renegotiation", -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(
SSL_get_secure_renegotiation_support(ssl) ? "supported" : "not supported", -1));
- /* Report the selected protocol as a result of the ALPN negotiation */
- SSL_get0_alpn_selected(ssl, &proto, &len);
- Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("alpn", -1));
- Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj((char *)proto, (int)len));
-
/* Get security level */
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("securitylevel", -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj(SSL_get_security_level(ssl)));
+
+ /* Session info */
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("session_reused", -1));
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewBooleanObj(SSL_session_reused(ssl)));
+
+ /* Is server info */
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("is_server", -1));
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewBooleanObj(SSL_is_server(ssl)));
}
/* Cipher info */
cipher = SSL_get_current_cipher(ssl);
if (cipher != NULL) {
@@ -1964,10 +1962,14 @@
/* alg_bits is actual key secret bits. If use bits and secret (algorithm) bits differ,
the rest of the bits are fixed, i.e. for limited export ciphers (bits < 56) */
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("min_version", -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_CIPHER_get_version(cipher), -1));
+ /* Get OpenSSL-specific ID, not IANA ID */
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("id", -1));
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj((int) SSL_CIPHER_get_id(cipher)));
+
if (SSL_CIPHER_description(cipher, buf, sizeof(buf)) != NULL) {
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("description", -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(buf, -1));
}
}
@@ -1975,25 +1977,22 @@
/* Session info */
session = SSL_get_session(ssl);
if (session != NULL) {
const unsigned char *ticket;
size_t len2;
+ unsigned int ulen;
const unsigned char *session_id;
-
- /* Session info */
- Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("session_reused", -1));
- Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj(SSL_session_reused(ssl)));
-
- /* Session id */
- Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("session_id", -1));
- session_id = SSL_SESSION_get_id(session, &len);
- Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(session_id, (int)len));
-
- /* Session ticket - client only */
- SSL_SESSION_get0_ticket(session, &ticket, &len2);
- Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("session_ticket", -1));
- Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(ticket, (int) len2));
+ char buffer[SSL_MAX_MASTER_KEY_LENGTH];
+
+ /* Report the selected protocol as a result of the ALPN negotiation */
+ SSL_SESSION_get0_alpn_selected(session, &proto, &len);
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("alpn", -1));
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj((char *)proto, (int) len));
+
+ /* Peer */
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("peer", -1));
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj(SSL_SESSION_get0_peer(session), -1));
/* Resumable session */
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("resumable", -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewIntObj(SSL_SESSION_is_resumable(session)));
@@ -2002,10 +2001,34 @@
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewLongObj(SSL_SESSION_get_time(session)));
/* Timeout value */
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("timeout", -1));
Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewLongObj(SSL_SESSION_get_timeout(session)));
+
+ /* Lifetime hint */
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("lifetime", -1));
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewLongObj(SSL_SESSION_get_ticket_lifetime_hint(session)));
+
+ /* Session id */
+ session_id = SSL_SESSION_get_id(session, &ulen);
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("session_id", -1));
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewByteArrayObj(session_id, (int) ulen));
+
+ /* Session ticket - client only */
+ SSL_SESSION_get0_ticket(session, &ticket, &len2);
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("session_ticket", -1));
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewByteArrayObj(ticket, (int) len2));
+
+ /* Ticket app data */
+ SSL_SESSION_get0_ticket_appdata(session, &ticket, &len2);
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("ticket_app_data", -1));
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewByteArrayObj(ticket, (int) len2));
+
+ /* Get master key */
+ len2 = SSL_SESSION_get_master_key(session, buffer, SSL_MAX_MASTER_KEY_LENGTH);
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewStringObj("master_key", -1));
+ Tcl_ListObjAppendElement(interp, objPtr, Tcl_NewByteArrayObj(buffer, (int) len2));
}
/* Compression info */
if (ssl != NULL) {
#ifdef HAVE_SSL_COMPRESSION