Index: doc/tls.html ================================================================== --- doc/tls.html +++ doc/tls.html @@ -157,11 +157,11 @@

Description

This extension provides TCL script access to secure socket communications using the Transport Layer Security (TLS) protocol. It provides a generic binding to OpenSSL, utilizing the -Tcl_StackChannel API in TCL 8.4 and higher. +Tcl_StackChannel API in TCL 8.4 or later. These sockets behave exactly the same as channels created using the built-in socket command, but provide additional options for controlling the SSL/TLS session.

Compatibility

@@ -175,15 +175,15 @@
tls::init ?-option? ?value? ?-option value ...?

Optional function to set the default options used by tls::socket. If you call tls::import directly, the values set by this command have no effect. This command supports all of the same options as the tls::socket command, -though you should limit your options to only TLS related ones.

+though you should limit your options to only the TLS related ones.

tls::socket ?-option? ?value? ?-option value ...? host port

This is a helper function that utilizes the underlying commands socket and tls::import to create the connection. It behaves the same as the -native TCL socket command, but also supports the tls:import +native TCL socket command, but also supports the tls::import command options with one additional option. It returns the channel handle id for the new socket.

-autoservername bool

If true, automatically set the -servername argument to the @@ -249,11 +249,11 @@ See Callback Options for more info.

-dhparams filename

Specifies the Diffie-Hellman (DH) parameters file.

-keyfile filename

Specifies the private key file. The default is to use the file -specified by the -certfile option.

+specified by the -certfile option.

-key string

Specifies the private key to use as a DER encoded string (PKCS#1 DER).

-model channel

Force this channel to share the same SSL_CTX structure as the specified channel, and therefore share config, callbacks, etc.

@@ -265,11 +265,11 @@
-post_handshake bool

Allow post-handshake session ticket updates. This option is new for TclTLS 1.8.

-request bool

Request a certificate from the peer during the SSL handshake. This is needed to do Certificate Validation. Starting in TclTLS 1.8, the default is -true. Starting in TclTLS 2.0, If set to false and +true. Starting in TclTLS 2.0, if set to false and -require is true, then this will be overridden to true. See Certificate Validation for more details.

-require bool

Require a valid certificate from the peer during the SSL handshake. If this is set to true, then -request must also be set to true and a either @@ -307,15 +307,15 @@ use of SSL v3 if only available via a compile time option. See the tls::protocols command for supported protocols.

-tls1 bool

Enable use of TLS v1. Starting in TclTLS 2.0, the default is false. Note: TLS 1.0 needs SHA1 to operate, which is only available in security level -0 for Open SSL 3.0+. See the -security_level option.

+0 for Open SSL 3.0+. See the -security_level option.

-tls1.1 bool

Enable use of TLS v1.1. Starting in TclTLS 2.0, the default is false. Note: TLS 1.1 needs SHA1 to operate, which is only available in security level -0 for Open SSL 3.0+. See the -security_level option.

+0 for Open SSL 3.0+. See the -security_level option.

-tls1.2 bool

Enable use of TLS v1.2. The default is true.

-tls1.3 bool

Enable use of TLS v1.3. The default is true. This is only available starting with OpenSSL 1.1.1 and TclTLS 1.7.

@@ -561,11 +561,11 @@ certificate and that certificate is authenticated (i.e. signed) by a Certificate Authority (CA). Users can then exchange these certificates during the TLS initialization process and check them against the root CA certificates to ensure they are valid. This is handled by OpenSSL via the -request and -require options. See the -cadir, -cadir, and --castore options for how tp specify where to find the CA certificates. +-castore options for how to specify where to find the CA certificates. Optionally, in a future release, they can also be checked against the Certificate Revocation List (CRL) of revoked certificates. Certificates can also be self-signed, but they are by default not trusted unless you add them to your certificate store.

Typically when visiting web sites, only the client needs to check the server's @@ -591,19 +591,18 @@

Specifies the Uniform Resource Identifier (URI) for the Certificate Authority (CA) store, which may be a single container or a catalog of containers. Starting with OpenSSL 3.2 on MS Windows, set to "org.openssl.winstore://" to use the built-in MS Windows Certificate Store. Starting in TclTLS 2.0, this is the default if -cadir, -cadir, and -castore are -not specified. This store only supports root certificate stores. See -Certificate Validation for more details.

+not specified. This store only supports root certificate stores.

-request bool

Request a certificate from the peer during the SSL handshake. This is needed to do Certificate Validation. Starting in TclTLS 1.8, the default is -true. Starting in TclTLS 2.0, If set to false and +true. Starting in TclTLS 2.0, if set to false and -require is true, then this will be overridden to true. In addition, the client can manually inspect and accept or reject -each certificate using the -validatecommand option.

+each certificate using the -validatecommand option.

-require bool

Require a valid certificate from the peer during the SSL handshake. If this is set to true, then -request must also be set to true and a either -cadir, -cafile, -castore, or a platform default must be provided in order to validate against. The default in TclTLS 1.8 and @@ -750,23 +749,23 @@

alpn channelId protocol match

For servers, this form of callback is invoked when the client ALPN extension is received. If match is true, then protocol is the first -alpn protocol option in common to both the client and server. If not, the first client specified protocol is used. This callback is called -after the Hello and ALPN callbacks.

+after the Hello and SNI callbacks.

hello channelId servername

For servers, this form of callback is invoked during client hello message processing. The purpose is so the server can select the appropriate certificate to present to the client, and to make other configuration adjustments relevant to that server name and its configuration. It is called before the SNI and ALPN callbacks.

sni channelId servername

For servers, this form of callback is invoked when the Server Name Indication (SNI) extension is received. The servername argument is the client -provided server name specified in the -servername</b> option. The +provided server name specified in the -servername option. The purpose is so when a server supports multiple names, the right certificate -can be used. It is called after the hello callback but before the ALPN +can be used. It is called after the Hello callback but before the ALPN callback.

verify channelId depth cert status error

This form of callback is invoked by OpenSSL when a new certificate is received from the peer. It allows the client to check the certificate verification results and choose whether to continue or not. It is called for each @@ -870,11 +869,11 @@

Special Considerations

The capabilities of this package can vary enormously based upon how the linked to OpenSSL library was configured and built. New versions may obsolete older protocol versions, add or remove ciphers, change default values, etc. -Use the tls::protocols commands to obtain the supported +Use the tls::protocols command to obtain the supported protocol versions.

See Also

OpenSSL, http, socket

Index: doc/tls.man ================================================================== --- doc/tls.man +++ doc/tls.man @@ -17,11 +17,11 @@ [description] This extension provides TCL script access to secure socket communications using the Transport Layer Security (TLS) protocol. It provides a generic binding to [uri "https://www.openssl.org/" OpenSSL], utilizing the -[syscmd Tcl_StackChannel] API in TCL 8.4 and higher. +[syscmd Tcl_StackChannel] API in TCL 8.4 or later. These sockets behave exactly the same as channels created using the built-in [syscmd socket] command, but provide additional options for controlling the SSL/TLS session. [section Compatibility] @@ -39,17 +39,17 @@ [call [cmd tls::init] [opt [arg -option]] [opt [arg value]] [opt [arg "-option value ..."]]] Optional function to set the default options used by [cmd tls::socket]. If you call [cmd tls::import] directly, the values set by this command have no effect. This command supports all of the same options as the [cmd tls::socket] command, -though you should limit your options to only TLS related ones. +though you should limit your options to only the TLS related ones. [call [cmd tls::socket] [opt [arg -option]] [opt [arg value]] [opt [arg "-option value ..."]] [arg host] [arg port]] This is a helper function that utilizes the underlying commands [syscmd socket] and [cmd tls::import] to create the connection. It behaves the same as the -native TCL [syscmd socket] command, but also supports the [cmd tls:import] +native TCL [syscmd socket] command, but also supports the [cmd tls::import] command options with one additional option. It returns the channel handle id for the new socket. [list_begin options] @@ -134,11 +134,11 @@ [opt_def -dhparams [arg filename]] Specifies the Diffie-Hellman (DH) parameters file. [opt_def -keyfile [arg filename]] Specifies the private key file. The default is to use the file -specified by the [arg -certfile] option. +specified by the [option -certfile] option. [opt_def -key [arg string]] Specifies the private key to use as a DER encoded string (PKCS#1 DER). [opt_def -model [arg channel]] @@ -155,11 +155,11 @@ Allow post-handshake session ticket updates. This option is new for TclTLS 1.8. [opt_def -request [arg bool]] Request a certificate from the peer during the SSL handshake. This is needed to do Certificate Validation. Starting in TclTLS 1.8, the default is -[const true]. Starting in TclTLS 2.0, If set to [const false] and +[const true]. Starting in TclTLS 2.0, if set to [const false] and [option -require] is [const true], then this will be overridden to [const true]. See [sectref "Certificate Validation"] for more details. [opt_def -require [arg bool]] Require a valid certificate from the peer during the SSL handshake. If this is @@ -205,16 +205,16 @@ See the [cmd tls::protocols] command for supported protocols. [opt_def -tls1 [arg bool]] Enable use of TLS v1. Starting in TclTLS 2.0, the default is [const false]. Note: TLS 1.0 needs SHA1 to operate, which is only available in security level -0 for Open SSL 3.0+. See the [arg -security_level] option. +0 for Open SSL 3.0+. See the [option -security_level] option. [opt_def -tls1.1 [arg bool]] Enable use of TLS v1.1. Starting in TclTLS 2.0, the default is [const false]. Note: TLS 1.1 needs SHA1 to operate, which is only available in security level -0 for Open SSL 3.0+. See the [arg -security_level] option. +0 for Open SSL 3.0+. See the [option -security_level] option. [opt_def -tls1.2 [arg bool]] Enable use of TLS v1.2. The default is [const true]. [opt_def -tls1.3 [arg bool]] @@ -568,11 +568,11 @@ certificate and that certificate is authenticated (i.e. signed) by a Certificate Authority (CA). Users can then exchange these certificates during the TLS initialization process and check them against the root CA certificates to ensure they are valid. This is handled by OpenSSL via the [option -request] and [option -require] options. See the [option -cadir], [option -cadir], and -[option -castore] options for how tp specify where to find the CA certificates. +[option -castore] options for how to specify where to find the CA certificates. Optionally, in a future release, they can also be checked against the Certificate Revocation List (CRL) of revoked certificates. Certificates can also be self-signed, but they are by default not trusted unless you add them to your certificate store. [para] @@ -605,20 +605,19 @@ Specifies the Uniform Resource Identifier (URI) for the Certificate Authority (CA) store, which may be a single container or a catalog of containers. Starting with OpenSSL 3.2 on MS Windows, set to "[const "org.openssl.winstore://"]" to use the built-in MS Windows Certificate Store. Starting in TclTLS 2.0, this is the default if [option -cadir], [option -cadir], and [option -castore] are -not specified. This store only supports root certificate stores. See -[sectref "Certificate Validation"] for more details. +not specified. This store only supports root certificate stores. [opt_def -request [arg bool]] Request a certificate from the peer during the SSL handshake. This is needed to do Certificate Validation. Starting in TclTLS 1.8, the default is -[const true]. Starting in TclTLS 2.0, If set to [const false] and +[const true]. Starting in TclTLS 2.0, if set to [const false] and [option -require] is [const true], then this will be overridden to [const true]. In addition, the client can manually inspect and accept or reject -each certificate using the [arg -validatecommand] option. +each certificate using the [option -validatecommand] option. [opt_def -require [arg bool]] Require a valid certificate from the peer during the SSL handshake. If this is set to true, then [option -request] must also be set to true and a either [option -cadir], [option -cafile], [option -castore], or a platform default @@ -815,11 +814,11 @@ [opt_def alpn [arg "channelId protocol match"]] For servers, this form of callback is invoked when the client ALPN extension is received. If [arg match] is true, then [arg protocol] is the first [option -alpn] protocol option in common to both the client and server. If not, the first client specified protocol is used. This callback is called -after the Hello and ALPN callbacks. +after the Hello and SNI callbacks. [opt_def hello [arg "channelId servername"]] For servers, this form of callback is invoked during client hello message processing. The purpose is so the server can select the appropriate certificate to present to the client, and to make other configuration adjustments relevant @@ -827,13 +826,13 @@ callbacks. [opt_def sni [arg "channelId servername"]] For servers, this form of callback is invoked when the Server Name Indication (SNI) extension is received. The [arg servername] argument is the client -provided server name specified in the [option -servername] option. The +provided server name specified in the [option -servername] option. The purpose is so when a server supports multiple names, the right certificate -can be used. It is called after the hello callback but before the ALPN +can be used. It is called after the Hello callback but before the ALPN callback. [opt_def verify [arg "channelId depth cert status error"]] This form of callback is invoked by OpenSSL when a new certificate is received from the peer. It allows the client to check the certificate verification @@ -981,9 +980,9 @@ [section "Special Considerations"] The capabilities of this package can vary enormously based upon how the linked to OpenSSL library was configured and built. New versions may obsolete older protocol versions, add or remove ciphers, change default values, etc. -Use the [cmd tls::protocols] commands to obtain the supported +Use the [cmd tls::protocols] command to obtain the supported protocol versions. [manpage_end] Index: doc/tls.n ================================================================== --- doc/tls.n +++ doc/tls.n @@ -305,11 +305,11 @@ .BE .SH DESCRIPTION This extension provides TCL script access to secure socket communications using the Transport Layer Security (TLS) protocol\&. It provides a generic binding to \fIOpenSSL\fR [https://www\&.openssl\&.org/], utilizing the -\fBTcl_StackChannel\fR API in TCL 8\&.4 and higher\&. +\fBTcl_StackChannel\fR API in TCL 8\&.4 or later\&. These sockets behave exactly the same as channels created using the built-in \fBsocket\fR command, but provide additional options for controlling the SSL/TLS session\&. .SH COMPATIBILITY This extension is compatible with OpenSSL 1\&.1\&.1 or later\&. It requires Tcl @@ -321,16 +321,16 @@ .TP \fBtls::init\fR ?\fI-option\fR? ?\fIvalue\fR? ?\fI-option value \&.\&.\&.\fR? Optional function to set the default options used by \fBtls::socket\fR\&. If you call \fBtls::import\fR directly, the values set by this command have no effect\&. This command supports all of the same options as the \fBtls::socket\fR command, -though you should limit your options to only TLS related ones\&. +though you should limit your options to only the TLS related ones\&. .TP \fBtls::socket\fR ?\fI-option\fR? ?\fIvalue\fR? ?\fI-option value \&.\&.\&.\fR? \fIhost\fR \fIport\fR This is a helper function that utilizes the underlying commands \fBsocket\fR and \fBtls::import\fR to create the connection\&. It behaves the same as the -native TCL \fBsocket\fR command, but also supports the \fBtls:import\fR +native TCL \fBsocket\fR command, but also supports the \fBtls::import\fR command options with one additional option\&. It returns the channel handle id for the new socket\&. .RS .TP \fB-autoservername\fR \fIbool\fR @@ -410,11 +410,11 @@ \fB-dhparams\fR \fIfilename\fR Specifies the Diffie-Hellman (DH) parameters file\&. .TP \fB-keyfile\fR \fIfilename\fR Specifies the private key file\&. The default is to use the file -specified by the \fI-certfile\fR option\&. +specified by the \fB-certfile\fR option\&. .TP \fB-key\fR \fIstring\fR Specifies the private key to use as a DER encoded string (PKCS#1 DER)\&. .TP \fB-model\fR \fIchannel\fR @@ -431,11 +431,11 @@ Allow post-handshake session ticket updates\&. This option is new for TclTLS 1\&.8\&. .TP \fB-request\fR \fIbool\fR Request a certificate from the peer during the SSL handshake\&. This is needed to do Certificate Validation\&. Starting in TclTLS 1\&.8, the default is -\fBtrue\fR\&. Starting in TclTLS 2\&.0, If set to \fBfalse\fR and +\fBtrue\fR\&. Starting in TclTLS 2\&.0, if set to \fBfalse\fR and \fB-require\fR is \fBtrue\fR, then this will be overridden to \fBtrue\fR\&. See \fBCertificate Validation\fR for more details\&. .TP \fB-require\fR \fIbool\fR Require a valid certificate from the peer during the SSL handshake\&. If this is @@ -481,16 +481,16 @@ See the \fBtls::protocols\fR command for supported protocols\&. .TP \fB-tls1\fR \fIbool\fR Enable use of TLS v1\&. Starting in TclTLS 2\&.0, the default is \fBfalse\fR\&. Note: TLS 1\&.0 needs SHA1 to operate, which is only available in security level -0 for Open SSL 3\&.0+\&. See the \fI-security_level\fR option\&. +0 for Open SSL 3\&.0+\&. See the \fB-security_level\fR option\&. .TP \fB-tls1\&.1\fR \fIbool\fR Enable use of TLS v1\&.1\&. Starting in TclTLS 2\&.0, the default is \fBfalse\fR\&. Note: TLS 1\&.1 needs SHA1 to operate, which is only available in security level -0 for Open SSL 3\&.0+\&. See the \fI-security_level\fR option\&. +0 for Open SSL 3\&.0+\&. See the \fB-security_level\fR option\&. .TP \fB-tls1\&.2\fR \fIbool\fR Enable use of TLS v1\&.2\&. The default is \fBtrue\fR\&. .TP \fB-tls1\&.3\fR \fIbool\fR @@ -817,11 +817,11 @@ certificate and that certificate is authenticated (i\&.e\&. signed) by a Certificate Authority (CA)\&. Users can then exchange these certificates during the TLS initialization process and check them against the root CA certificates to ensure they are valid\&. This is handled by OpenSSL via the \fB-request\fR and \fB-require\fR options\&. See the \fB-cadir\fR, \fB-cadir\fR, and -\fB-castore\fR options for how tp specify where to find the CA certificates\&. +\fB-castore\fR options for how to specify where to find the CA certificates\&. Optionally, in a future release, they can also be checked against the Certificate Revocation List (CRL) of revoked certificates\&. Certificates can also be self-signed, but they are by default not trusted unless you add them to your certificate store\&. .PP @@ -849,20 +849,19 @@ Specifies the Uniform Resource Identifier (URI) for the Certificate Authority (CA) store, which may be a single container or a catalog of containers\&. Starting with OpenSSL 3\&.2 on MS Windows, set to "\fBorg\&.openssl\&.winstore://\fR" to use the built-in MS Windows Certificate Store\&. Starting in TclTLS 2\&.0, this is the default if \fB-cadir\fR, \fB-cadir\fR, and \fB-castore\fR are -not specified\&. This store only supports root certificate stores\&. See -\fBCertificate Validation\fR for more details\&. +not specified\&. This store only supports root certificate stores\&. .TP \fB-request\fR \fIbool\fR Request a certificate from the peer during the SSL handshake\&. This is needed to do Certificate Validation\&. Starting in TclTLS 1\&.8, the default is -\fBtrue\fR\&. Starting in TclTLS 2\&.0, If set to \fBfalse\fR and +\fBtrue\fR\&. Starting in TclTLS 2\&.0, if set to \fBfalse\fR and \fB-require\fR is \fBtrue\fR, then this will be overridden to \fBtrue\fR\&. In addition, the client can manually inspect and accept or reject -each certificate using the \fI-validatecommand\fR option\&. +each certificate using the \fB-validatecommand\fR option\&. .TP \fB-require\fR \fIbool\fR Require a valid certificate from the peer during the SSL handshake\&. If this is set to true, then \fB-request\fR must also be set to true and a either \fB-cadir\fR, \fB-cafile\fR, \fB-castore\fR, or a platform default @@ -1025,11 +1024,11 @@ \fBalpn\fR \fIchannelId protocol match\fR For servers, this form of callback is invoked when the client ALPN extension is received\&. If \fImatch\fR is true, then \fIprotocol\fR is the first \fB-alpn\fR protocol option in common to both the client and server\&. If not, the first client specified protocol is used\&. This callback is called -after the Hello and ALPN callbacks\&. +after the Hello and SNI callbacks\&. .TP \fBhello\fR \fIchannelId servername\fR For servers, this form of callback is invoked during client hello message processing\&. The purpose is so the server can select the appropriate certificate to present to the client, and to make other configuration adjustments relevant @@ -1037,13 +1036,13 @@ callbacks\&. .TP \fBsni\fR \fIchannelId servername\fR For servers, this form of callback is invoked when the Server Name Indication (SNI) extension is received\&. The \fIservername\fR argument is the client -provided server name specified in the \fB-servername\fR option\&. The +provided server name specified in the \fB-servername\fR option\&. The purpose is so when a server supports multiple names, the right certificate -can be used\&. It is called after the hello callback but before the ALPN +can be used\&. It is called after the Hello callback but before the ALPN callback\&. .TP \fBverify\fR \fIchannelId depth cert status error\fR This form of callback is invoked by OpenSSL when a new certificate is received from the peer\&. It allows the client to check the certificate verification @@ -1172,11 +1171,11 @@ .CE .SH "SPECIAL CONSIDERATIONS" The capabilities of this package can vary enormously based upon how the linked to OpenSSL library was configured and built\&. New versions may obsolete older protocol versions, add or remove ciphers, change default values, etc\&. -Use the \fBtls::protocols\fR commands to obtain the supported +Use the \fBtls::protocols\fR command to obtain the supported protocol versions\&. .SH "SEE ALSO" \fIOpenSSL\fR [https://www\&.openssl\&.org/], http, socket .SH KEYWORDS I/O, IP Address, OpenSSL, SSL, TCP, TLS, TclTLS, asynchronous I/O, bind, certificate, channel, connection, domain name, host, https, network, network address, socket, tls