Index: doc/tls.html ================================================================== --- doc/tls.html +++ doc/tls.html @@ -289,29 +289,30 @@ or one of the Subject Alternate Names (SAN). Starting in TclTLS 2.0, this will default to the host for the tls::socket command.

-session_id binary_string

Specifies the session id to resume a session. Not supported yet.

-ssl2 bool
-

Enable use of SSL v2. The default is false. Note: Recent versions of -OpenSSL no longer support SSLv2, so this may not have any effect. See the -tls::protocols command for supported protocols.

+

Enable use of SSL v2.The default is false. +OpenSSL 1.1+ no longer supports SSL v2, so this may not have any effect. +See the tls::protocols command for supported protocols.

-ssl3 bool
-

Enable use of SSL v3. The default is false. Note: Recent versions -of OpenSSL may have this disabled at compile time, so this may not have any -effect. See the tls::protocols command for supported protocols.

+

Enable use of SSL v3. The default is false. Starting in TclTLS 1.8, +use of SSL v3 if only available via a compile time option. +See the tls::protocols command for supported protocols.

-tls1 bool
-

Enable use of TLS v1. The default is true. Note: TLS 1.0 needs -SHA1 to operate, which is only available in security level 0 for Open SSL 3.0+. -See the -security_level option.

+

Enable use of TLS v1. Starting in TclTLS 2.0, the default is false. +Note: TLS 1.0 needs SHA1 to operate, which is only available in security level +0 for Open SSL 3.0+. See the -security_level option.

-tls1.1 bool
-

Enable use of TLS v1.1. The default is true. Note: TLS 1.1 needs -SHA1 to operate, which is only available in security level 0 for Open SSL 3.0+. -See the -security_level option.

+

Enable use of TLS v1.1. Starting in TclTLS 2.0, the default is false. +Note: TLS 1.1 needs SHA1 to operate, which is only available in security level +0 for Open SSL 3.0+. See the -security_level option.

-tls1.2 bool

Enable use of TLS v1.2. The default is true.

-tls1.3 bool
-

Enable use of TLS v1.3. The default is true.

+

Enable use of TLS v1.3. The default is true. This is only available +starting with OpenSSL 1.1.1 and TclTLS 1.7.

-validatecommand callback

Specifies the callback command to invoke to validate the peer certificates and other config info during the protocol negotiation phase. This can be used by TCL scripts to perform their own Certificate Validation to supplement the default validation provided by OpenSSL. The script must return a boolean true Index: doc/tls.man ================================================================== --- doc/tls.man +++ doc/tls.man 
@@ -186,34 +186,35 @@ [opt_def -session_id [arg binary_string]] Specifies the session id to resume a session. Not supported yet. [opt_def -ssl2 [arg bool]] -Enable use of SSL v2. The default is [const false]. Note: Recent versions of -OpenSSL no longer support SSLv2, so this may not have any effect. See the -[cmd tls::protocols] command for supported protocols. +Enable use of SSL v2.The default is [const false]. +OpenSSL 1.1+ no longer supports SSL v2, so this may not have any effect. +See the [cmd tls::protocols] command for supported protocols. [opt_def -ssl3 [arg bool]] -Enable use of SSL v3. The default is [const false]. Note: Recent versions -of OpenSSL may have this disabled at compile time, so this may not have any -effect. See the [cmd tls::protocols] command for supported protocols. +Enable use of SSL v3. The default is [const false]. Starting in TclTLS 1.8, +use of SSL v3 if only available via a compile time option. +See the [cmd tls::protocols] command for supported protocols. [opt_def -tls1 [arg bool]] -Enable use of TLS v1. The default is [const true]. Note: TLS 1.0 needs -SHA1 to operate, which is only available in security level 0 for Open SSL 3.0+. -See the [arg -security_level] option. +Enable use of TLS v1. Starting in TclTLS 2.0, the default is [const false]. +Note: TLS 1.0 needs SHA1 to operate, which is only available in security level +0 for Open SSL 3.0+. See the [arg -security_level] option. [opt_def -tls1.1 [arg bool]] -Enable use of TLS v1.1. The default is [const true]. Note: TLS 1.1 needs -SHA1 to operate, which is only available in security level 0 for Open SSL 3.0+. -See the [arg -security_level] option. +Enable use of TLS v1.1. Starting in TclTLS 2.0, the default is [const false]. +Note: TLS 1.1 needs SHA1 to operate, which is only available in security level +0 for Open SSL 3.0+. See the [arg -security_level] option. [opt_def -tls1.2 [arg bool]] Enable use of TLS v1.2. The default is [const true]. 
[opt_def -tls1.3 [arg bool]] -Enable use of TLS v1.3. The default is [const true]. +Enable use of TLS v1.3. The default is [const true]. This is only available +starting with OpenSSL 1.1.1 and TclTLS 1.7. [opt_def -validatecommand [arg callback]] Specifies the callback command to invoke to validate the peer certificates and other config info during the protocol negotiation phase. This can be used by TCL scripts to perform their own Certificate Validation to supplement the Index: doc/tls.n ================================================================== --- doc/tls.n +++ doc/tls.n 
@@ -463,34 +463,35 @@ .TP \fB-session_id\fR \fIbinary_string\fR Specifies the session id to resume a session\&. Not supported yet\&. .TP \fB-ssl2\fR \fIbool\fR -Enable use of SSL v2\&. The default is \fBfalse\fR\&. Note: Recent versions of -OpenSSL no longer support SSLv2, so this may not have any effect\&. See the -\fBtls::protocols\fR command for supported protocols\&. +Enable use of SSL v2\&.The default is \fBfalse\fR\&. +OpenSSL 1\&.1+ no longer supports SSL v2, so this may not have any effect\&. +See the \fBtls::protocols\fR command for supported protocols\&. .TP \fB-ssl3\fR \fIbool\fR -Enable use of SSL v3\&. The default is \fBfalse\fR\&. Note: Recent versions -of OpenSSL may have this disabled at compile time, so this may not have any -effect\&. See the \fBtls::protocols\fR command for supported protocols\&. +Enable use of SSL v3\&. The default is \fBfalse\fR\&. Starting in TclTLS 1\&.8, +use of SSL v3 if only available via a compile time option\&. +See the \fBtls::protocols\fR command for supported protocols\&. .TP \fB-tls1\fR \fIbool\fR -Enable use of TLS v1\&. The default is \fBtrue\fR\&. Note: TLS 1\&.0 needs -SHA1 to operate, which is only available in security level 0 for Open SSL 3\&.0+\&. -See the \fI-security_level\fR option\&. +Enable use of TLS v1\&. Starting in TclTLS 2\&.0, the default is \fBfalse\fR\&. +Note: TLS 1\&.0 needs SHA1 to operate, which is only available in security level +0 for Open SSL 3\&.0+\&. See the \fI-security_level\fR option\&. .TP \fB-tls1\&.1\fR \fIbool\fR -Enable use of TLS v1\&.1\&. The default is \fBtrue\fR\&. Note: TLS 1\&.1 needs -SHA1 to operate, which is only available in security level 0 for Open SSL 3\&.0+\&. -See the \fI-security_level\fR option\&. +Enable use of TLS v1\&.1\&. Starting in TclTLS 2\&.0, the default is \fBfalse\fR\&. +Note: TLS 1\&.1 needs SHA1 to operate, which is only available in security level +0 for Open SSL 3\&.0+\&. See the \fI-security_level\fR option\&. 
.TP \fB-tls1\&.2\fR \fIbool\fR Enable use of TLS v1\&.2\&. The default is \fBtrue\fR\&. .TP \fB-tls1\&.3\fR \fIbool\fR -Enable use of TLS v1\&.3\&. The default is \fBtrue\fR\&. +Enable use of TLS v1\&.3\&. The default is \fBtrue\fR\&. This is only available +starting with OpenSSL 1\&.1\&.1 and TclTLS 1\&.7\&. .TP \fB-validatecommand\fR \fIcallback\fR Specifies the callback command to invoke to validate the peer certificates and other config info during the protocol negotiation phase\&. This can be used by TCL scripts to perform their own Certificate Validation to supplement the Index: generic/tls.c ================================================================== --- generic/tls.c +++ generic/tls.c @@ -1348,11 +1348,11 @@ char *model = NULL; char *servername = NULL; /* hostname for Server Name Indication */ char *session_id = NULL; Tcl_Obj *alpn = NULL; int ssl2 = 0, ssl3 = 0; - int tls1 = 1, tls1_1 = 1, tls1_2 = 1, tls1_3 = 1; + int tls1 = 0, tls1_1 = 0, tls1_2 = 1, tls1_3 = 1; int proto = 0, level = -1; int verify = 0, require = 1, request = 1, post_handshake = 0; dprintf("Called");
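Review bot: two typos in the added text of the doc/tls.html hunk. The -ssl2 entry reads "Enable use of SSL v2.The default is false." with no space after the period, and the -ssl3 entry reads "use of SSL v3 if only available via a compile time option", where "if" should be "is". The same two slips are repeated verbatim in the doc/tls.man and doc/tls.n hunks, so all three files need the correction together.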
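Review bot: in the doc/tls.man hunk, the rewritten -tls1 and -tls1.1 entries do not tell the reader how to get the old behaviour back. They now open with "Starting in TclTLS 2.0, the default is [const false]." and keep the note that SHA1 is only available at security level 0 on OpenSSL 3.0+, but the two facts are never connected. Suggest one explicit sentence saying that enabling either option on OpenSSL 3.0+ also requires lowering [arg -security_level] to 0, and stating that the default was [const true] before 2.0, so that someone debugging a handshake failure after an upgrade finds the cause in this entry.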
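Review bot: in the doc/tls.n hunk, the new -tls1.3 sentence "This is only available starting with OpenSSL 1.1.1 and TclTLS 1.7" does not say what the option does on an older build, where the stated default of true cannot apply. The -ssl2 and -ssl3 entries in the same hunk handle the equivalent case by pointing at tls::protocols; the -tls1.3 entry should end with the same "See the tls::protocols command for supported protocols." pointer so the reader has a way to check what the linked library actually offers.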
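Review bot: the generic/tls.c hunk changes the initializer line to "int tls1 = 0, tls1_1 = 0, tls1_2 = 1, tls1_3 = 1;" with no comment, although this is the line that makes the documented default change real. Callers that never pass -tls1 or -tls1.1 will stop offering those versions after this change, so a short comment next to the declaration noting that TLS 1.0 and 1.1 are off by default as of TclTLS 2.0, matching the doc text, would keep the code and the three doc files from drifting apart. Only this one declaration is visible in the hunk; if any other function in the file declares its own tls1/tls1_1 defaults, it needs the same change so that all entry points agree.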