Index: doc/tls.html ================================================================== --- doc/tls.html +++ doc/tls.html @@ -541,11 +541,11 @@ <li><p>On Linux and Unix systems with OpenSSL already installed, if the CA certificates are stored in the standard locations, or if the <b class="variable">SSL_CERT_DIR</b> or <b class="variable">SSL_CERT_FILE</b> environment variables are set, then <b class="option">-cadir</b>, <b class="option">-cadir</b>, and <b class="option">-castore</b> aren't needed.</p></li> <li><p>If OpenSSL is not installed in the default location, or when using Mac OS -or Windows and OpenSSL is installed, the <b class="variable">SSL_CERT_DIR</b> and/or +or Windows and OpenSSL is installed, the <b class="variable">SSL_CERT_DIR</b> and/or <b class="variable">SSL_CERT_FILE</b> environment variables or the one of the <b class="option">-cadir</b>, <b class="option">-cadir</b>, or <b class="option">-castore</b> options must be defined.</p></li> <li><p>On Windows, starting in OpenSSL 3.2, it is now possible to access the built-in Windows Certificate Store from OpenSSL. This can be achieved by setting the <b class="option">-castore</b> option to "<b class="const">org.openssl.winstore://</b>".</p></li> Index: doc/tls.man ================================================================== --- doc/tls.man +++ doc/tls.man @@ -182,11 +182,11 @@ [opt_def -ssl2 [arg bool]] Enable use of SSL v2. The default is [const false]. Note: Recent versions of OpenSSL no longer support SSLv2, so this may not have any effect. See the [cmd tls::protocols] command for supported protocols. - + [opt_def -ssl3 [arg bool]] Enable use of SSL v3. The default is [const false]. Note: Recent versions of OpenSSL may have this disabled at compile time, so this may not have any effect. See the [cmd tls::protocols] command for supported protocols. 
@@ -561,11 +561,11 @@ or [var SSL_CERT_FILE] environment variables are set, then [option -cadir], [option -cadir], and [option -castore] aren't needed. [item] If OpenSSL is not installed in the default location, or when using Mac OS -or Windows and OpenSSL is installed, the [var SSL_CERT_DIR] and/or +or Windows and OpenSSL is installed, the [var SSL_CERT_DIR] and/or [var SSL_CERT_FILE] environment variables or the one of the [option -cadir], [option -cadir], or [option -castore] options must be defined. [item] On Windows, starting in OpenSSL 3.2, it is now possible to access the @@ -596,11 +596,11 @@ The callback for the [option -command] option is invoked at several points during the OpenSSL handshake and during routine operations. See below for the possible arguments passed to the callback script. Values returned from the callback are ignored. - + [list_begin options] [opt_def error [arg "channelId message"]] This form of callback is invoked whenever an error occurs during the initial connection, handshake, or I/O operations. The [arg message] argument can be @@ -628,11 +628,11 @@ depending on the context. [def [arg type]] For alerts, the possible values are: [const warning], [const fatal], and [const unknown]. For others, [const info] is used. -This argument is new for TclTLS 1.8. +This argument is new for TclTLS 1.8. [list_end] [opt_def message [arg "channelId direction version content_type message"]] This form of callback is invoked by the OpenSSL function @@ -686,11 +686,11 @@ The callback for the [option -password] option is invoked by TclTLS whenever OpenSSL needs to obtain a password. See below for the possible arguments passed to the callback script. The user provided password is expected to be returned by the callback. - + [list_begin options] [opt_def password [arg "rwflag size"]] Invoked when loading or storing an encrypted PEM certificate. The arguments are: 
@@ -716,11 +716,11 @@ below for the possible arguments passed to the callback script. If not specified, OpenSSL will accept all valid certificates and extensions. To reject the value and abort the connection, the callback should return 0. To accept the value and continue the connection, it should return 1. To reject the value, but continue the connection, it should return 2. This callback is new for TclTLS 1.8. - + [list_begin options] [opt_def alpn [arg "channelId protocol match"]] For servers, this form of callback is invoked when the client ALPN extension is received. If [arg match] is true, then [arg protocol] is the first Index: generic/tls.c ================================================================== --- generic/tls.c +++ generic/tls.c @@ -1444,36 +1444,43 @@ statePtr->interp = interp; statePtr->want = 0; statePtr->vflags = verify; statePtr->err = ""; - /* allocate script */ + /* Allocate callback script */ if (script) { (void) Tcl_GetStringFromObj(script, &len); if (len) { statePtr->callback = script; Tcl_IncrRefCount(statePtr->callback); } } - /* allocate password */ + /* Allocate password callback */ if (password) { (void) Tcl_GetStringFromObj(password, &len); if (len) { statePtr->password = password; Tcl_IncrRefCount(statePtr->password); } } - /* allocate validate command */ + /* Allocate validate callback */ if (vcmd) { (void) Tcl_GetStringFromObj(vcmd, &len); if (len) { statePtr->vcmd = vcmd; Tcl_IncrRefCount(statePtr->vcmd); } } + + /* Set default CA store on Windows */ +#if OPENSSL_VERSION_NUMBER >= 0x30200000L && (defined(_WIN32)) + if (CAstore == NULL && CAfile == NULL && CApath == NULL) { + CAstore = "org.openssl.winstore://"; + } +#endif if (model != NULL) { int mode; /* Get the "model" context */ chan = Tcl_GetChannel(interp, model, &mode);
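Review bot: in the doc/tls.html hunk (@@ -541,11 +541,11 @@) the unchanged context lines list `-cadir` twice ("<b class="option">-cadir</b>, <b class="option">-cadir</b>, and <b class="option">-castore</b>") in both bullets, and "the one of the" should read "one of the"; since the only change on that line is whitespace, this is a good place to fix the duplicated option name (the second occurrence presumably corresponds to the `CAfile` variable used in generic/tls.c) and the grammar in the same hunk. More importantly, the second bullet still says that on Windows the environment variables or one of the options "must be defined", and the third bullet describes `org.openssl.winstore://` as something the user enables by hand, which no longer matches the behaviour the generic/tls.c hunk introduces (an automatic default on Windows with OpenSSL 3.2 or later).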
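Review bot: the doc/tls.man hunk (@@ -561,11 +561,11 @@) has the same two problems as the HTML page: `[option -cadir]` is listed twice where a second distinct option (matching `CAfile` in generic/tls.c) is presumably intended, and "the one of the [option -cadir]" should read "one of the". Please also update this section to state that on Windows with OpenSSL 3.2 or later the Windows certificate store is now used by default when none of the CA options is given, since the remaining hunks in this file (@@ -182, @@ -596, @@ -628, @@ -686, @@ -716) are trailing-whitespace removals only and nothing in the man page documents the new default.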
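Review bot: the generic/tls.c hunk (@@ -1444,36 +1444,43 @@) changes verification behaviour without a corresponding documentation change: when `CAstore`, `CAfile` and `CApath` are all NULL on Windows with `OPENSSL_VERSION_NUMBER >= 0x30200000L`, the trust anchors now come from `org.openssl.winstore://` instead of OpenSSL's compiled-in default locations, so the docs (and a changelog entry) should say so. Two points to check: `CAstore` is assigned a string literal here, so its declaration must be `const char *` (or equivalent) and it must never be passed to a free function later in this routine, which is not visible in the hunk; and whether the default should be applied only when `verify` (stored in `statePtr->vflags` just above) actually requests peer verification, otherwise the store is loaded needlessly. Style-wise, the parentheses in `&& (defined(_WIN32))` are redundant, and the comment could state the fallback order explicitly, e.g. "Use the Windows certificate store when no CA file, dir or store was given".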