Specifies the directory where the Certificate Authority (CA) certificates are stored. The default is platform specific and can be set at compile time. The default location can be overridden by the SSL_CERT_DIR environment variable. See Certificate Validation for more details.
Specifies the file with the Certificate Authority (CA) certificates to use. -The default is "cert.pem", in the OpenSSL directory. The default file can -be overridden by the SSL_CERT_FILE environment variable. See -Certificate Validation for more details.
Specifies the file with the Certificate Authority (CA) certificates to use in +PEM file format. The default is "cert.pem", in the OpenSSL +directory. The default file can be overridden by the SSL_CERT_FILE environment +variable. See Certificate Validation for more details.
Specifies the Uniform Resource Identifier (URI) for the Certificate Authority (CA) store, which may be a single container or a catalog of containers. -Starting with OpenSSL 3.2 on Windows, set to "org.openssl.winstore://" -to use the built-in Windows Certificate Store. This store only supports root -certificate stores. See Certificate Validation for more details.
Specifies the name of the file with the certificate in PEM format to use +
Specifies the name of the file with the certificate to use in PEM format as the local (client or server) certificate. It also contains the public key.
Specifies the certificate to use as a DER encoded string (X.509 DER).
Specifies the list of ciphers to use for TLS 1.2 and earlier connections. @@ -240,11 +241,11 @@ handshake to pass errors, tracing information, and protocol messages. See Callback Options for more info.
Specifies the Diffie-Hellman (DH) parameters file.
Specifies the private key file. The default value is to use the file +
Specifies the private key file. The default is to use the file specified by the -certfile option.
Specifies the private key to use as a DER encoded string (PKCS#1 DER).
Force this channel to share the same SSL_CTX structure as the @@ -255,19 +256,21 @@ The callback should return a password string. See Callback Options for more info.
Allow post-handshake session ticket updates.
Request a certificate from peer during the SSL handshake. This is needed to do -Certificate Validation. Default is true. +
Request a certificate from the peer during the SSL handshake. This is needed +to do Certificate Validation. Starting in TclTLS 1.8, the default is +true. See Certificate Validation for more details.
Require a valid certificate from peer during the SSL handshake. If this is set to -true, then -request must also be set to true and a either -cadir, --cafile, -castore, or a platform default must be provided in order to -validate against. The default is false since not all platforms have -certificates to validate against in a form compatible with OpenSSL. +
Require a valid certificate from the peer during the SSL handshake. If this is +set to true, then -request must also be set to true and a either +-cadir, -cafile, -castore, or a platform default +must be provided in order to validate against. The default in TclTLS 1.8 and +earlier versions is false since not all platforms have certificates to +validate against in a form compatible with OpenSSL. See Certificate Validation for more details.
Specifies the security level (value from 0 to 5). The security level affects the allowed cipher suite encryption algorithms, supported ECC curves, supported signature algorithms, DH parameter sizes, certificate key sizes @@ -495,64 +498,96 @@
Returns the OpenSSL version string.
The following options are used for peer Certificate Validation:
+Using the Public Key Infrastructure (PKI), each user creates a private key that +only they know about and a public key they can exchange with others for use in +encrypting and decrypting data. The process is the sender encrypts their data +using their private key and the receiver's public key. The data is then sent +to the receiver. In a similar manner, the receiver uses their private key and +the sender's public key to decrypt the data. This provides data integrity, to +ensure the data can't be viewed or altered during transport. See the +-key and -keyfile options for how to specify the private key. +Also see the -password option for how to provide the password.
+In order to provide authentication, i.e. ensuring someone is who they say they +are, the public key and user identification info is stored in a X.509 +certificate and that certificate is authenticated (i.e. signed) by a Certificate +Authority (CA). Users can then exchange these certificates during the TLS +initialization process and check them against the root CA certificates to ensure +they are valid. This is handled by OpenSSL via the -request and +-require options. See the -cadir, -cadir, and +-castore options for how tp specify where to find the CA certificates. +Optionally, in a future release, they can also be checked against the Certificate +Revocation List (CRL) of revoked certificates. Certificates can also be +self-signed, but they are by default not trusted unless you add them to your +certificate store.
+Typically when visiting web sites, only the client needs to check the server's +certificate to ensure it is valid. The server doesn't need to check the client +certificate unless you need to authenticate with them to login, etc. See the +-cert and -certfile options if you need to provide a certificate.
+The following options are used for peer certificate validation:
By default, a client TLS connection does NOT validate the server certificate -chain. This limitation is due to the lack of a common cross platform -database of Certificate Authority (CA) provided certificates to validate -against. Many Linux systems natively support OpenSSL and thus have these -certificates installed as part of the OS, but MacOS and Windows do not. In -order to use the -require option, one of the following must be true:
+In TclTLS 1.8 and earlier versions, certificate validation is +NOT enabled by default. This limitation is due to the lack of a common +cross platform database of Certificate Authority (CA) provided certificates to +validate against. Many Linux systems natively support OpenSSL and thus have +these certificates installed as part of the OS, but MacOS and MS Windows do not. +In order to use the -require option, one of the following +must be true:
On Linux and Unix systems with OpenSSL already installed, if the CA -certificates are stored in the standard locations, or if the SSL_CERT_DIR -or SSL_CERT_FILE environment variables are set, then -cadir, --cadir, and -castore aren't needed.
On Linux and Unix systems with OpenSSL already installed or if the CA +certificates are available in PEM format, and if they are stored in the +standard locations, or if the SSL_CERT_DIR or SSL_CERT_FILE +environment variables are set, then -cadir, -cadir, +and -castore aren't needed.
If OpenSSL is not installed in the default location, or when using Mac OS -or Windows and OpenSSL is installed, the SSL_CERT_DIR and/or +or MS Windows and OpenSSL is installed, the SSL_CERT_DIR and/or SSL_CERT_FILE environment variables or the one of the -cadir, -cadir, or -castore options must be defined.
On Windows, starting in OpenSSL 3.2, it is now possible to access the -built-in Windows Certificate Store from OpenSSL. This can be achieved by +
On MS Windows, starting in OpenSSL 3.2, it is now possible to access the +built-in Windows Certificate Store from OpenSSL. This can utilized by setting the -castore option to "org.openssl.winstore://".
If OpenSSL is not installed, the CA certificates must be downloaded and -installed with the user software. The CURL team makes them available at +
If OpenSSL is not installed or the CA certificates are not available in PEM +format, the CA certificates must be downloaded and installed with the user +software. The CURL team makes them available at CA certificates extracted from Mozilla in the "cacert.pem" file. You must then either set the SSL_CERT_DIR and/or SSL_CERT_FILE environment variables or the -cadir or -cafile options to the CA cert file's install location. It is your responsibility to keep this file up to date.
The callback for the -command option is invoked at several points during the OpenSSL handshake and during routine operations. See below for the possible arguments passed to the callback script. Values returned from the callback are ignored.
This callback was moved to -validatecommand in TclTLS 1.8.
The callback for the -password option is invoked by TclTLS whenever OpenSSL needs to obtain a password. See below for the possible arguments passed to the callback script. The user provided password is expected to be returned by the callback.
The callback for the -validatecommand option is invoked during the handshake
process in order for the application to validate the provided value(s). See
below for the possible arguments passed to the callback script. If not
specified, OpenSSL will accept all valid certificates and extensions. To reject
the value and abort the connection, the callback should return 0. To accept the
Index: doc/tls.man
==================================================================
--- doc/tls.man
+++ doc/tls.man
@@ -80,24 +80,24 @@
stored. The default is platform specific and can be set at compile time. The
default location can be overridden by the [var SSL_CERT_DIR] environment
variable. See [sectref "Certificate Validation"] for more details.
[opt_def -cafile [arg filename]]
-Specifies the file with the Certificate Authority (CA) certificates to use.
-The default is [file cert.pem], in the OpenSSL directory. The default file can
-be overridden by the [var SSL_CERT_FILE] environment variable. See
-[sectref "Certificate Validation"] for more details.
+Specifies the file with the Certificate Authority (CA) certificates to use in
+[const PEM] file format. The default is [file cert.pem], in the OpenSSL
+directory. The default file can be overridden by the [var SSL_CERT_FILE] environment
+variable. See [sectref "Certificate Validation"] for more details.
[opt_def -castore [arg URI]]
Specifies the Uniform Resource Identifier (URI) for the Certificate Authority
(CA) store, which may be a single container or a catalog of containers.
-Starting with OpenSSL 3.2 on Windows, set to "[const "org.openssl.winstore://"]"
-to use the built-in Windows Certificate Store. This store only supports root
-certificate stores. See [sectref "Certificate Validation"] for more details.
+Starting with OpenSSL 3.2 on MS Windows, set to "[const "org.openssl.winstore://"]"
+to use the built-in MS Windows Certificate Store. See
+[sectref "Certificate Validation"] for more details.
[opt_def -certfile [arg filename]]
-Specifies the name of the file with the certificate in PEM format to use
+Specifies the name of the file with the certificate to use in PEM format
as the local (client or server) certificate. It also contains the public key.
[opt_def -cert [arg string]]
Specifies the certificate to use as a DER encoded string (X.509 DER).
@@ -126,11 +126,11 @@
[opt_def -dhparams [arg filename]]
Specifies the Diffie-Hellman (DH) parameters file.
[opt_def -keyfile [arg filename]]
-Specifies the private key file. The default value is to use the file
+Specifies the private key file. The default is to use the file
specified by the [arg -certfile] option.
[opt_def -key [arg string]]
Specifies the private key to use as a DER encoded string (PKCS#1 DER).
@@ -146,20 +146,22 @@
[opt_def -post_handshake [arg bool]]
Allow post-handshake session ticket updates.
[opt_def -request [arg bool]]
-Request a certificate from peer during the SSL handshake. This is needed to do
-Certificate Validation. Default is [const true].
+Request a certificate from the peer during the SSL handshake. This is needed
+to do Certificate Validation. Starting in TclTLS 1.8, the default is
+[const true].
See [sectref "Certificate Validation"] for more details.
[opt_def -require [arg bool]]
-Require a valid certificate from peer during the SSL handshake. If this is set to
-true, then [option -request] must also be set to true and a either [option -cadir],
-[option -cafile], [option -castore], or a platform default must be provided in order to
-validate against. The default is [const false] since not all platforms have
-certificates to validate against in a form compatible with OpenSSL.
+Require a valid certificate from the peer during the SSL handshake. If this is
+set to true, then [option -request] must also be set to true and a either
+[option -cadir], [option -cafile], [option -castore], or a platform default
+must be provided in order to validate against. The default in TclTLS 1.8 and
+earlier versions is [const false] since not all platforms have certificates to
+validate against in a form compatible with OpenSSL.
See [sectref "Certificate Validation"] for more details.
[opt_def -security_level [arg integer]]
Specifies the security level (value from 0 to 5). The security level affects
the allowed cipher suite encryption algorithms, supported ECC curves,
@@ -500,14 +502,45 @@
[list_end]
[section "Certificate Validation"]
+
+[subsection "PKI and Certificates"]
+
+Using the Public Key Infrastructure (PKI), each user creates a private key that
+only they know about and a public key they can exchange with others for use in
+encrypting and decrypting data. The process is the sender encrypts their data
+using their private key and the receiver's public key. The data is then sent
+to the receiver. In a similar manner, the receiver uses their private key and
+the sender's public key to decrypt the data. This provides data integrity, to
+ensure the data can't be viewed or altered during transport. See the
+[option -key] and [option -keyfile] options for how to specify the private key.
+Also see the [option -password] option for how to provide the password.
+[para]
+In order to provide authentication, i.e. ensuring someone is who they say they
+are, the public key and user identification info is stored in a X.509
+certificate and that certificate is authenticated (i.e. signed) by a Certificate
+Authority (CA). Users can then exchange these certificates during the TLS
+initialization process and check them against the root CA certificates to ensure
+they are valid. This is handled by OpenSSL via the [option -request] and
+[option -require] options. See the [option -cadir], [option -cadir], and
+[option -castore] options for how tp specify where to find the CA certificates.
+Optionally, in a future release, they can also be checked against the Certificate
+Revocation List (CRL) of revoked certificates. Certificates can also be
+self-signed, but they are by default not trusted unless you add them to your
+certificate store.
+[para]
+Typically when visiting web sites, only the client needs to check the server's
+certificate to ensure it is valid. The server doesn't need to check the client
+certificate unless you need to authenticate with them to login, etc. See the
+[option -cert] and [option -certfile] options if you need to provide a certificate.
+
[subsection "Summary of command line options"]
-The following options are used for peer Certificate Validation:
+The following options are used for peer certificate validation:
[list_begin options]
[opt_def -cadir [arg directory]]
Specifies the directory where the Certificate Authority (CA) certificates are
@@ -515,68 +548,73 @@
Linux/Unix systems. The default location can be overridden by the
[var SSL_CERT_DIR] environment variable.
[opt_def -cafile [arg filename]]
Specifies the file with the Certificate Authority (CA) certificates to use in
-[const PEM] file format. The default is [file cert.pem], in the OpenSSL directory. On
-Linux/Unix systems, this is usually [file /etc/ssl/ca-bundle.pem]. The default file
-can be overridden by the [var SSL_CERT_FILE] environment variable.
+[const PEM] file format. The default is [file cert.pem], in the OpenSSL
+directory. On Linux/Unix systems, this is usually [file /etc/ssl/ca-bundle.pem].
+The default file can be overridden by the [var SSL_CERT_FILE] environment
+variable.
[opt_def -castore [arg URI]]
Specifies the Uniform Resource Identifier (URI) for the Certificate Authority
(CA) store, which may be a single container or a catalog of containers.
-Starting with OpenSSL 3.2 on Windows, set to "[const "org.openssl.winstore://"]"
-to use the built-in Windows Certificate Store. This store only supports root
-certificate stores.
+Starting with OpenSSL 3.2 on MS Windows, set to "[const "org.openssl.winstore://"]"
+to use the built-in MS Windows Certificate Store.
+This store only supports root certificate stores. See
+[sectref "Certificate Validation"] for more details.
[opt_def -request [arg bool]]
-Request a certificate from peer during the SSL handshake. This is needed to do
-Certificate Validation. Default is [const true]. In addition, the
-client can manually inspect and accept or reject each certificate using the
-[arg -validatecommand] option.
+Request a certificate from the peer during the SSL handshake. This is needed
+to do Certificate Validation. Starting in TclTLS 1.8, the default is
+[const true]. In addition, the client can manually inspect and accept or reject
+each certificate using the [arg -validatecommand] option.
[opt_def -require [arg bool]]
-Require a valid certificate from peer during the SSL handshake. If this is set
-to [const true], then [arg -request] must also be set to [const true] and either
-[arg -cadir], [arg -cafile], [arg -castore], or a platform default must be
-provided in order to validate against. The default is [const false] since not
-all platforms have certificates to validate against in a form compatible with
-OpenSSL. See [sectref "Certificate Validation"] for more details.
+Require a valid certificate from the peer during the SSL handshake. If this is
+set to true, then [option -request] must also be set to true and a either
+[option -cadir], [option -cafile], [option -castore], or a platform default
+must be provided in order to validate against. The default in TclTLS 1.8 and
+earlier versions is [const false] since not all platforms have certificates to
+validate against in a form compatible with OpenSSL.
[list_end]
[subsection "When are command line options needed?"]
-By default, a client TLS connection does [emph NOT] validate the server certificate
-chain. This limitation is due to the lack of a common cross platform
-database of Certificate Authority (CA) provided certificates to validate
-against. Many Linux systems natively support OpenSSL and thus have these
-certificates installed as part of the OS, but MacOS and Windows do not. In
-order to use the [option -require] option, one of the following must be true:
+In TclTLS 1.8 and earlier versions, certificate validation is
+[emph NOT] enabled by default. This limitation is due to the lack of a common
+cross platform database of Certificate Authority (CA) provided certificates to
+validate against. Many Linux systems natively support OpenSSL and thus have
+these certificates installed as part of the OS, but MacOS and MS Windows do not.
+In order to use the [option -require] option, one of the following
+must be true:
[list_begin itemized]
[item]
-On Linux and Unix systems with OpenSSL already installed, if the CA
-certificates are stored in the standard locations, or if the [var SSL_CERT_DIR]
-or [var SSL_CERT_FILE] environment variables are set, then [option -cadir],
-[option -cadir], and [option -castore] aren't needed.
+On Linux and Unix systems with OpenSSL already installed or if the CA
+certificates are available in PEM format, and if they are stored in the
+standard locations, or if the [var SSL_CERT_DIR] or [var SSL_CERT_FILE]
+environment variables are set, then [option -cadir], [option -cadir],
+and [option -castore] aren't needed.
[item]
If OpenSSL is not installed in the default location, or when using Mac OS
-or Windows and OpenSSL is installed, the [var SSL_CERT_DIR] and/or
+or MS Windows and OpenSSL is installed, the [var SSL_CERT_DIR] and/or
[var SSL_CERT_FILE] environment variables or the one of the [option -cadir],
[option -cadir], or [option -castore] options must be defined.
[item]
-On Windows, starting in OpenSSL 3.2, it is now possible to access the
-built-in Windows Certificate Store from OpenSSL. This can be achieved by
+On MS Windows, starting in OpenSSL 3.2, it is now possible to access the
+built-in Windows Certificate Store from OpenSSL. This can utilized by
setting the [option -castore] option to "[const org.openssl.winstore://]".
[item]
-If OpenSSL is not installed, the CA certificates must be downloaded and
-installed with the user software. The CURL team makes them available at
+If OpenSSL is not installed or the CA certificates are not available in PEM
+format, the CA certificates must be downloaded and installed with the user
+software. The CURL team makes them available at
[uri "https://curl.se/docs/caextract.html" "CA certificates extracted
from Mozilla"] in the [file cacert.pem] file. You must then either set the
[var SSL_CERT_DIR] and/or [var SSL_CERT_FILE] environment variables or the
[option -cadir] or [option -cafile] options to the CA cert file's install
location. It is your responsibility to keep this file up to date.
Index: doc/tls.n
==================================================================
--- doc/tls.n
+++ doc/tls.n
@@ -357,24 +357,24 @@
stored\&. The default is platform specific and can be set at compile time\&. The
default location can be overridden by the \fBSSL_CERT_DIR\fR environment
variable\&. See \fBCertificate Validation\fR for more details\&.
.TP
\fB-cafile\fR \fIfilename\fR
-Specifies the file with the Certificate Authority (CA) certificates to use\&.
-The default is "\fIcert\&.pem\fR", in the OpenSSL directory\&. The default file can
-be overridden by the \fBSSL_CERT_FILE\fR environment variable\&. See
-\fBCertificate Validation\fR for more details\&.
+Specifies the file with the Certificate Authority (CA) certificates to use in
+\fBPEM\fR file format\&. The default is "\fIcert\&.pem\fR", in the OpenSSL
+directory\&. The default file can be overridden by the \fBSSL_CERT_FILE\fR environment
+variable\&. See \fBCertificate Validation\fR for more details\&.
.TP
\fB-castore\fR \fIURI\fR
Specifies the Uniform Resource Identifier (URI) for the Certificate Authority
(CA) store, which may be a single container or a catalog of containers\&.
-Starting with OpenSSL 3\&.2 on Windows, set to "\fBorg\&.openssl\&.winstore://\fR"
-to use the built-in Windows Certificate Store\&. This store only supports root
-certificate stores\&. See \fBCertificate Validation\fR for more details\&.
+Starting with OpenSSL 3\&.2 on MS Windows, set to "\fBorg\&.openssl\&.winstore://\fR"
+to use the built-in MS Windows Certificate Store\&. See
+\fBCertificate Validation\fR for more details\&.
.TP
\fB-certfile\fR \fIfilename\fR
-Specifies the name of the file with the certificate in PEM format to use
+Specifies the name of the file with the certificate to use in PEM format
as the local (client or server) certificate\&. It also contains the public key\&.
.TP
\fB-cert\fR \fIstring\fR
Specifies the certificate to use as a DER encoded string (X\&.509 DER)\&.
.TP
@@ -403,11 +403,11 @@
.TP
\fB-dhparams\fR \fIfilename\fR
Specifies the Diffie-Hellman (DH) parameters file\&.
.TP
\fB-keyfile\fR \fIfilename\fR
-Specifies the private key file\&. The default value is to use the file
+Specifies the private key file\&. The default is to use the file
specified by the \fI-certfile\fR option\&.
.TP
\fB-key\fR \fIstring\fR
Specifies the private key to use as a DER encoded string (PKCS#1 DER)\&.
.TP
@@ -423,20 +423,22 @@
.TP
\fB-post_handshake\fR \fIbool\fR
Allow post-handshake session ticket updates\&.
.TP
\fB-request\fR \fIbool\fR
-Request a certificate from peer during the SSL handshake\&. This is needed to do
-Certificate Validation\&. Default is \fBtrue\fR\&.
+Request a certificate from the peer during the SSL handshake\&. This is needed
+to do Certificate Validation\&. Starting in TclTLS 1\&.8, the default is
+\fBtrue\fR\&.
See \fBCertificate Validation\fR for more details\&.
.TP
\fB-require\fR \fIbool\fR
-Require a valid certificate from peer during the SSL handshake\&. If this is set to
-true, then \fB-request\fR must also be set to true and a either \fB-cadir\fR,
-\fB-cafile\fR, \fB-castore\fR, or a platform default must be provided in order to
-validate against\&. The default is \fBfalse\fR since not all platforms have
-certificates to validate against in a form compatible with OpenSSL\&.
+Require a valid certificate from the peer during the SSL handshake\&. If this is
+set to true, then \fB-request\fR must also be set to true and a either
+\fB-cadir\fR, \fB-cafile\fR, \fB-castore\fR, or a platform default
+must be provided in order to validate against\&. The default in TclTLS 1\&.8 and
+earlier versions is \fBfalse\fR since not all platforms have certificates to
+validate against in a form compatible with OpenSSL\&.
See \fBCertificate Validation\fR for more details\&.
.TP
\fB-security_level\fR \fIinteger\fR
Specifies the security level (value from 0 to 5)\&. The security level affects
the allowed cipher suite encryption algorithms, supported ECC curves,
@@ -752,70 +754,103 @@
.TP
\fBtls::version\fR
Returns the OpenSSL version string\&.
.PP
.SH "CERTIFICATE VALIDATION"
+.SS "PKI AND CERTIFICATES"
+Using the Public Key Infrastructure (PKI), each user creates a private key that
+only they know about and a public key they can exchange with others for use in
+encrypting and decrypting data\&. The process is the sender encrypts their data
+using their private key and the receiver's public key\&. The data is then sent
+to the receiver\&. In a similar manner, the receiver uses their private key and
+the sender's public key to decrypt the data\&. This provides data integrity, to
+ensure the data can't be viewed or altered during transport\&. See the
+\fB-key\fR and \fB-keyfile\fR options for how to specify the private key\&.
+Also see the \fB-password\fR option for how to provide the password\&.
+.PP
+In order to provide authentication, i\&.e\&. ensuring someone is who they say they
+are, the public key and user identification info is stored in a X\&.509
+certificate and that certificate is authenticated (i\&.e\&. signed) by a Certificate
+Authority (CA)\&. Users can then exchange these certificates during the TLS
+initialization process and check them against the root CA certificates to ensure
+they are valid\&. This is handled by OpenSSL via the \fB-request\fR and
+\fB-require\fR options\&. See the \fB-cadir\fR, \fB-cadir\fR, and
+\fB-castore\fR options for how tp specify where to find the CA certificates\&.
+Optionally, in a future release, they can also be checked against the Certificate
+Revocation List (CRL) of revoked certificates\&. Certificates can also be
+self-signed, but they are by default not trusted unless you add them to your
+certificate store\&.
+.PP
+Typically when visiting web sites, only the client needs to check the server's
+certificate to ensure it is valid\&. The server doesn't need to check the client
+certificate unless you need to authenticate with them to login, etc\&. See the
+\fB-cert\fR and \fB-certfile\fR options if you need to provide a certificate\&.
.SS "SUMMARY OF COMMAND LINE OPTIONS"
-The following options are used for peer Certificate Validation:
+The following options are used for peer certificate validation:
.TP
\fB-cadir\fR \fIdirectory\fR
Specifies the directory where the Certificate Authority (CA) certificates are
stored\&. The default is platform specific, but is usually "\fI/etc/ssl/certs\fR" on
Linux/Unix systems\&. The default location can be overridden by the
\fBSSL_CERT_DIR\fR environment variable\&.
.TP
\fB-cafile\fR \fIfilename\fR
Specifies the file with the Certificate Authority (CA) certificates to use in
-\fBPEM\fR file format\&. The default is "\fIcert\&.pem\fR", in the OpenSSL directory\&. On
-Linux/Unix systems, this is usually "\fI/etc/ssl/ca-bundle\&.pem\fR"\&. The default file
-can be overridden by the \fBSSL_CERT_FILE\fR environment variable\&.
+\fBPEM\fR file format\&. The default is "\fIcert\&.pem\fR", in the OpenSSL
+directory\&. On Linux/Unix systems, this is usually "\fI/etc/ssl/ca-bundle\&.pem\fR"\&.
+The default file can be overridden by the \fBSSL_CERT_FILE\fR environment
+variable\&.
.TP
\fB-castore\fR \fIURI\fR
Specifies the Uniform Resource Identifier (URI) for the Certificate Authority
(CA) store, which may be a single container or a catalog of containers\&.
-Starting with OpenSSL 3\&.2 on Windows, set to "\fBorg\&.openssl\&.winstore://\fR"
-to use the built-in Windows Certificate Store\&. This store only supports root
-certificate stores\&.
+Starting with OpenSSL 3\&.2 on MS Windows, set to "\fBorg\&.openssl\&.winstore://\fR"
+to use the built-in MS Windows Certificate Store\&.
+This store only supports root certificate stores\&. See
+\fBCertificate Validation\fR for more details\&.
.TP
\fB-request\fR \fIbool\fR
-Request a certificate from peer during the SSL handshake\&. This is needed to do
-Certificate Validation\&. Default is \fBtrue\fR\&. In addition, the
-client can manually inspect and accept or reject each certificate using the
-\fI-validatecommand\fR option\&.
+Request a certificate from the peer during the SSL handshake\&. This is needed
+to do Certificate Validation\&. Starting in TclTLS 1\&.8, the default is
+\fBtrue\fR\&. In addition, the client can manually inspect and accept or reject
+each certificate using the \fI-validatecommand\fR option\&.
.TP
\fB-require\fR \fIbool\fR
-Require a valid certificate from peer during the SSL handshake\&. If this is set
-to \fBtrue\fR, then \fI-request\fR must also be set to \fBtrue\fR and either
-\fI-cadir\fR, \fI-cafile\fR, \fI-castore\fR, or a platform default must be
-provided in order to validate against\&. The default is \fBfalse\fR since not
-all platforms have certificates to validate against in a form compatible with
-OpenSSL\&. See \fBCertificate Validation\fR for more details\&.
+Require a valid certificate from the peer during the SSL handshake\&. If this is
+set to true, then \fB-request\fR must also be set to true and a either
+\fB-cadir\fR, \fB-cafile\fR, \fB-castore\fR, or a platform default
+must be provided in order to validate against\&. The default in TclTLS 1\&.8 and
+earlier versions is \fBfalse\fR since not all platforms have certificates to
+validate against in a form compatible with OpenSSL\&.
.PP
.SS "WHEN ARE COMMAND LINE OPTIONS NEEDED?"
-By default, a client TLS connection does \fINOT\fR validate the server certificate
-chain\&. This limitation is due to the lack of a common cross platform
-database of Certificate Authority (CA) provided certificates to validate
-against\&. Many Linux systems natively support OpenSSL and thus have these
-certificates installed as part of the OS, but MacOS and Windows do not\&. In
-order to use the \fB-require\fR option, one of the following must be true:
+In TclTLS 1\&.8 and earlier versions, certificate validation is
+\fINOT\fR enabled by default\&. This limitation is due to the lack of a common
+cross platform database of Certificate Authority (CA) provided certificates to
+validate against\&. Many Linux systems natively support OpenSSL and thus have
+these certificates installed as part of the OS, but MacOS and MS Windows do not\&.
+In order to use the \fB-require\fR option, one of the following
+must be true:
.IP \(bu
-On Linux and Unix systems with OpenSSL already installed, if the CA
-certificates are stored in the standard locations, or if the \fBSSL_CERT_DIR\fR
-or \fBSSL_CERT_FILE\fR environment variables are set, then \fB-cadir\fR,
-\fB-cadir\fR, and \fB-castore\fR aren't needed\&.
+On Linux and Unix systems with OpenSSL already installed or if the CA
+certificates are available in PEM format, and if they are stored in the
+standard locations, or if the \fBSSL_CERT_DIR\fR or \fBSSL_CERT_FILE\fR
+environment variables are set, then \fB-cadir\fR, \fB-cadir\fR,
+and \fB-castore\fR aren't needed\&.
.IP \(bu
If OpenSSL is not installed in the default location, or when using Mac OS
-or Windows and OpenSSL is installed, the \fBSSL_CERT_DIR\fR and/or
+or MS Windows and OpenSSL is installed, the \fBSSL_CERT_DIR\fR and/or
\fBSSL_CERT_FILE\fR environment variables or the one of the \fB-cadir\fR,
\fB-cadir\fR, or \fB-castore\fR options must be defined\&.
.IP \(bu
-On Windows, starting in OpenSSL 3\&.2, it is now possible to access the
-built-in Windows Certificate Store from OpenSSL\&. This can be achieved by
+On MS Windows, starting in OpenSSL 3\&.2, it is now possible to access the
+built-in Windows Certificate Store from OpenSSL\&. This can utilized by
setting the \fB-castore\fR option to "\fBorg\&.openssl\&.winstore://\fR"\&.
.IP \(bu
-If OpenSSL is not installed, the CA certificates must be downloaded and
-installed with the user software\&. The CURL team makes them available at
+If OpenSSL is not installed or the CA certificates are not available in PEM
+format, the CA certificates must be downloaded and installed with the user
+software\&. The CURL team makes them available at
\fICA certificates extracted
from Mozilla\fR [https://curl\&.se/docs/caextract\&.html] in the "\fIcacert\&.pem\fR" file\&. You must then either set the
\fBSSL_CERT_DIR\fR and/or \fBSSL_CERT_FILE\fR environment variables or the
\fB-cadir\fR or \fB-cafile\fR options to the CA cert file's install
location\&. It is your responsibility to keep this file up to date\&.
Index: generic/tls.c
==================================================================
--- generic/tls.c
+++ generic/tls.c
@@ -3096,29 +3096,34 @@
if (statePtr->vcmd) {
Tcl_DecrRefCount(statePtr->vcmd);
statePtr->vcmd = NULL;
}
+ /* Remove list of ALPN protocols */
if (statePtr->protos) {
ckfree(statePtr->protos);
statePtr->protos = NULL;
}
+ /* BIO_free_all() frees up an entire BIO chain */
if (statePtr->bio) {
/* This will call SSL_shutdown. Bug 1414045 */
- dprintf("BIO_free_all(%p)", statePtr->bio);
+ dprintf("BIO_free(%p)", statePtr->bio);
BIO_free_all(statePtr->bio);
statePtr->bio = NULL;
}
+ /* Free SSL context and statePtr->p_bio */
if (statePtr->ssl) {
- dprintf("SSL_free(%p)", statePtr->ssl);
+ dprintf("SSL_free(%p) and p_bio(%p)", statePtr->ssl, statePtr->p_bio);
SSL_free(statePtr->ssl);
statePtr->ssl = NULL;
}
+ /* Free CTX context */
if (statePtr->ctx) {
+ dprintf("SSL_CTX_free(%p)", statePtr->ctx);
SSL_CTX_free(statePtr->ctx);
statePtr->ctx = NULL;
}
dprintf("Returning");
Index: generic/tlsBIO.c
==================================================================
--- generic/tlsBIO.c
+++ generic/tlsBIO.c
@@ -7,15 +7,15 @@
*
*/
/*
tlsBIO.c tlsIO.c
- +------+ +-----+ +------+
- | |Tcl_WriteRaw <-- BioWrite| SSL |BIO_write <-- TlsOutputProc <-- Write| |
- |socket|