Index: configure
==================================================================
--- configure
+++ configure
@@ -1,8 +1,8 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.72 for tls 1.8.0.
+# Generated by GNU Autoconf 2.72 for tls 2.0b1.
 #
 #
 # Copyright (C) 1992-1996, 1998-2017, 2020-2023 Free Software Foundation,
 # Inc.
 #
@@ -599,12 +599,12 @@
 MAKEFLAGS=
 
 # Identity of this package.
 PACKAGE_NAME='tls'
 PACKAGE_TARNAME='tls'
-PACKAGE_VERSION='1.8.0'
-PACKAGE_STRING='tls 1.8.0'
+PACKAGE_VERSION='2.0b1'
+PACKAGE_STRING='tls 2.0b1'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
 # Factoring default headers for most tests.
 ac_includes_default="\
@@ -1340,11 +1340,11 @@
 #
 if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-'configure' configures tls 1.8.0 to adapt to many kinds of systems.
+'configure' configures tls 2.0b1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
 To assign environment variables (e.g., CC, CFLAGS...), specify them as
 VAR=VALUE.  See below for descriptions of some of the useful variables.
@@ -1402,11 +1402,11 @@
 _ACEOF
 fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of tls 1.8.0:";;
+     short | recursive ) echo "Configuration of tls 2.0b1:";;
    esac
   cat <<\_ACEOF
 
 Optional Features:
   --disable-option-checking  ignore unrecognized --enable/--with options
@@ -1528,11 +1528,11 @@
 fi
 
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-tls configure 1.8.0
+tls configure 2.0b1
 generated by GNU Autoconf 2.72
 
 Copyright (C) 2023 Free Software Foundation, Inc.
 This configure script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it.
@@ -1835,11 +1835,11 @@
 
 cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by tls $as_me 1.8.0, which was
+It was created by tls $as_me 2.0b1, which was
 generated by GNU Autoconf 2.72.  Invocation command line was
 
   $ $0$ac_configure_args_raw
 
 _ACEOF
@@ -10291,11 +10291,11 @@
 cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # Save the log message, to keep $0 and so on meaningful, and to
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by tls $as_me 1.8.0, which was
+This file was extended by tls $as_me 2.0b1, which was
 generated by GNU Autoconf 2.72.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
   CONFIG_HEADERS  = $CONFIG_HEADERS
   CONFIG_LINKS    = $CONFIG_LINKS
@@ -10346,11 +10346,11 @@
 ac_cs_config=`printf "%s\n" "$ac_configure_args" | sed "$ac_safe_unquote"`
 ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\''/g"`
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-tls config.status 1.8.0
+tls config.status 2.0b1
 configured by $0, generated by GNU Autoconf 2.72,
   with options \\"\$ac_cs_config\\"
 
 Copyright (C) 2023 Free Software Foundation, Inc.
 This config.status script is free software; the Free Software Foundation

Index: configure.ac
==================================================================
--- configure.ac
+++ configure.ac
@@ -14,11 +14,11 @@
 # so you can encode the package version directly into the source files.
 # This will also define a special symbol for Windows (BUILD_<PACKAGE_NAME>
 # so that we create the export library with the dll.
 #-----------------------------------------------------------------------
 
-AC_INIT([tls],[1.8.0])
+AC_INIT([tls],[2.0b1])
 
 #--------------------------------------------------------------------
 # Call TEA_INIT as the first TEA_ macro to set up initial vars.
 # This will define a ${TEA_PLATFORM} variable == "unix" or "windows"
 # as well as PKG_LIB_FILE and PKG_STUB_LIB_FILE.

Index: doc/tls.html
==================================================================
--- doc/tls.html
+++ doc/tls.html
@@ -98,11 +98,11 @@
 <!-- Copyright &amp;copy; 1999 Matt Newman   -- Copyright &amp;copy; 2004 Starfish Systems   -- Copyright &amp;copy; 2024 Brian O'Hagan
    -->
 <!-- tls.n
    -->
 <body><div class="doctools">
-<h1 class="doctools_title">tls(n) 1.8 tls &quot;Tcl TLS extension&quot;</h1>
+<h1 class="doctools_title">tls(n) 2.0b1 tls &quot;Tcl TLS extension&quot;</h1>
 <div id="name" class="doctools_section"><h2><a name="name">Name</a></h2>
 <p>tls - binding to the OpenSSL library for encrypted socket and I/O channel communications</p>
 </div>
 <div id="toc" class="doctools_section"><h2><a name="toc">Table Of Contents</a></h2>
 <ul class="doctools_toc">
@@ -135,11 +135,11 @@
 </div>
 <div id="synopsis" class="doctools_section"><h2><a name="synopsis">Synopsis</a></h2>
 <div class="doctools_synopsis">
 <ul class="doctools_requirements">
 <li>package require <b class="pkgname">Tcl 8.5-</b></li>
-<li>package require <b class="pkgname">tls 1.8</b></li>
+<li>package require <b class="pkgname">tls 2.0b1</b></li>
 </ul>
 <ul class="doctools_syntax">
 <li><a href="#1"><b class="cmd">tls::init</b> <span class="opt">?<i class="arg">-option</i>?</span> <span class="opt">?<i class="arg">value</i>?</span> <span class="opt">?<i class="arg">-option value ...</i>?</span></a></li>
 <li><a href="#2"><b class="cmd">tls::socket</b> <span class="opt">?<i class="arg">-option</i>?</span> <span class="opt">?<i class="arg">value</i>?</span> <span class="opt">?<i class="arg">-option value ...</i>?</span> <i class="arg">host</i> <i class="arg">port</i></a></li>
 <li><a href="#3"><b class="cmd">tls::socket</b> <b class="option">-server</b> <i class="arg">command</i> <span class="opt">?<i class="arg">-option</i>?</span> <span class="opt">?<i class="arg">value</i>?</span> <span class="opt">?<i class="arg">-option value ...</i>?</span> <i class="arg">port</i></a></li>
@@ -181,11 +181,13 @@
 command options with one additional option. It returns the channel handle id
 for the new socket.</p>
 <dl class="doctools_options">
 <dt><b class="option">-autoservername</b> <i class="arg">bool</i></dt>
 <dd><p>If <b class="const">true</b>, automatically set the <b class="option">-servername</b> argument to the
-<em>host</em> argument. Default is <b class="const">false</b>.</p></dd>
+<em>host</em> argument. Prior to TclTLS 2.0, the default is <b class="const">false</b>.
+Starting in TclTLS 2.0, the default is <b class="const">true</b> unless <b class="option">-servername</b>
+is also specified.</p></dd>
 </dl></dd>
 <dt><a name="3"><b class="cmd">tls::socket</b> <b class="option">-server</b> <i class="arg">command</i> <span class="opt">?<i class="arg">-option</i>?</span> <span class="opt">?<i class="arg">value</i>?</span> <span class="opt">?<i class="arg">-option value ...</i>?</span> <i class="arg">port</i></a></dt>
 <dd><p>Same as previous, but instead creates a server socket for clients to connect to
 just like the Tcl <b class="syscmd">socket -server</b> command. It returns the channel
 handle id for the new socket.</p></dd>
@@ -257,19 +259,21 @@
 <dt><b class="option">-post_handshake</b> <i class="arg">bool</i></dt>
 <dd><p>Allow post-handshake session ticket updates.</p></dd>
 <dt><b class="option">-request</b> <i class="arg">bool</i></dt>
 <dd><p>Request a certificate from the peer during the SSL handshake. This is needed
 to do Certificate Validation. Starting in TclTLS 1.8, the default is
-<b class="const">true</b>.
+<b class="const">true</b>. Starting in TclTLS 2.0, If set to <b class="const">false</b> and
+<b class="option">-require</b> is <b class="const">true</b>, then this will be overridden to <b class="const">true</b>.
 See <span class="sectref"><a href="#section3">Certificate Validation</a></span> for more details.</p></dd>
 <dt><b class="option">-require</b> <i class="arg">bool</i></dt>
 <dd><p>Require a valid certificate from the peer during the SSL handshake. If this is
 set to true, then <b class="option">-request</b> must also be set to true and a either
 <b class="option">-cadir</b>, <b class="option">-cafile</b>, <b class="option">-castore</b>, or a platform default
 must be provided in order to validate against. The default in TclTLS 1.8 and
 earlier versions is <b class="const">false</b> since not all platforms have certificates to
-validate against in a form compatible with OpenSSL.
+validate against in a form compatible with OpenSSL. Starting in TclTLS 2.0,
+the default is <b class="const">true</b>.
 See <span class="sectref"><a href="#section3">Certificate Validation</a></span> for more details.</p></dd>
 <dt><b class="option">-security_level</b> <i class="arg">integer</i></dt>
 <dd><p>Specifies the security level (value from 0 to 5). The security level affects
 the allowed cipher suite encryption algorithms, supported ECC curves,
 supported signature algorithms, DH parameter sizes, certificate key sizes
@@ -278,35 +282,37 @@
 only accept cipher suites that provide forward secrecy.</p></dd>
 <dt><b class="option">-server</b> <i class="arg">bool</i></dt>
 <dd><p>Specifies whether to act as a server and respond with a server handshake when a
 client connects and provides a client handshake. The default is <b class="const">false</b>.</p></dd>
 <dt><b class="option">-servername</b> <i class="arg">hostname</i></dt>
-<dd><p>Specify the peer's hostname. This is used to set the TLS Server Name
-Indication (SNI) extension. Set this to the expected servername in the
-server's certificate or one of the Subject Alternate Names (SAN).</p></dd>
+<dd><p>Specify the peer's hostname. This is used to set the TLS Server Name Indication
+(SNI) extension. Set this to the expected servername in the server's certificate
+or one of the Subject Alternate Names (SAN). Starting in TclTLS 2.0, this will
+default to the host for the <b class="cmd">tls::socket</b> command.</p></dd>
 <dt><b class="option">-session_id</b> <i class="arg">binary_string</i></dt>
 <dd><p>Specifies the session id to resume a session. Not supported yet.</p></dd>
 <dt><b class="option">-ssl2</b> <i class="arg">bool</i></dt>
-<dd><p>Enable use of SSL v2. The default is <b class="const">false</b>. Note: Recent versions of
-OpenSSL no longer support SSLv2, so this may not have any effect. See the
-<b class="cmd">tls::protocols</b> command for supported protocols.</p></dd>
+<dd><p>Enable use of SSL v2.The default is <b class="const">false</b>.
+OpenSSL 1.1+ no longer supports SSL v2, so this may not have any effect.
+See the <b class="cmd">tls::protocols</b> command for supported protocols.</p></dd>
 <dt><b class="option">-ssl3</b> <i class="arg">bool</i></dt>
-<dd><p>Enable use of SSL v3. The default is <b class="const">false</b>. Note: Recent versions
-of OpenSSL may have this disabled at compile time, so this may not have any
-effect. See the <b class="cmd">tls::protocols</b> command for supported protocols.</p></dd>
+<dd><p>Enable use of SSL v3. The default is <b class="const">false</b>. Starting in TclTLS 1.8,
+use of SSL v3 if only available via a compile time option.
+See the <b class="cmd">tls::protocols</b> command for supported protocols.</p></dd>
 <dt><b class="option">-tls1</b> <i class="arg">bool</i></dt>
-<dd><p>Enable use of TLS v1. The default is <b class="const">true</b>. Note: TLS 1.0 needs
-SHA1 to operate, which is only available in security level 0 for Open SSL 3.0+.
-See the <i class="arg">-security_level</i> option.</p></dd>
+<dd><p>Enable use of TLS v1. Starting in TclTLS 2.0, the default is <b class="const">false</b>.
+Note: TLS 1.0 needs SHA1 to operate, which is only available in security level
+0 for Open SSL 3.0+. See the <i class="arg">-security_level</i> option.</p></dd>
 <dt><b class="option">-tls1.1</b> <i class="arg">bool</i></dt>
-<dd><p>Enable use of TLS v1.1. The default is <b class="const">true</b>. Note: TLS 1.1 needs
-SHA1 to operate, which is only available in security level 0 for Open SSL 3.0+.
-See the <i class="arg">-security_level</i> option.</p></dd>
+<dd><p>Enable use of TLS v1.1. Starting in TclTLS 2.0, the default is <b class="const">false</b>.
+Note: TLS 1.1 needs SHA1 to operate, which is only available in security level
+0 for Open SSL 3.0+. See the <i class="arg">-security_level</i> option.</p></dd>
 <dt><b class="option">-tls1.2</b> <i class="arg">bool</i></dt>
 <dd><p>Enable use of TLS v1.2. The default is <b class="const">true</b>.</p></dd>
 <dt><b class="option">-tls1.3</b> <i class="arg">bool</i></dt>
-<dd><p>Enable use of TLS v1.3. The default is <b class="const">true</b>.</p></dd>
+<dd><p>Enable use of TLS v1.3. The default is <b class="const">true</b>. This is only available
+starting with OpenSSL 1.1.1 and TclTLS 1.7.</p></dd>
 <dt><b class="option">-validatecommand</b> <i class="arg">callback</i></dt>
 <dd><p>Specifies the callback command to invoke to validate the peer certificates
 and other config info during the protocol negotiation phase. This can be used
 by TCL scripts to perform their own Certificate Validation to supplement the
 default validation provided by OpenSSL. The script must return a boolean true
@@ -548,28 +554,32 @@
 This store only supports root certificate stores. See
 <span class="sectref"><a href="#section3">Certificate Validation</a></span> for more details.</p></dd>
 <dt><b class="option">-request</b> <i class="arg">bool</i></dt>
 <dd><p>Request a certificate from the peer during the SSL handshake. This is needed
 to do Certificate Validation. Starting in TclTLS 1.8, the default is
-<b class="const">true</b>. In addition, the client can manually inspect and accept or reject
+<b class="const">true</b>. Starting in TclTLS 2.0, If set to <b class="const">false</b> and
+<b class="option">-require</b> is <b class="const">true</b>, then this will be overridden to <b class="const">true</b>.
+In addition, the client can manually inspect and accept or reject
 each certificate using the <i class="arg">-validatecommand</i> option.</p></dd>
 <dt><b class="option">-require</b> <i class="arg">bool</i></dt>
 <dd><p>Require a valid certificate from the peer during the SSL handshake. If this is
 set to true, then <b class="option">-request</b> must also be set to true and a either
 <b class="option">-cadir</b>, <b class="option">-cafile</b>, <b class="option">-castore</b>, or a platform default
 must be provided in order to validate against. The default in TclTLS 1.8 and
 earlier versions is <b class="const">false</b> since not all platforms have certificates to
-validate against in a form compatible with OpenSSL.</p></dd>
+validate against in a form compatible with OpenSSL. Starting in TclTLS 2.0,
+the default is <b class="const">true</b>.</p></dd>
 </dl>
 </div>
 <div id="subsection3" class="doctools_subsection"><h3><a name="subsection3">When are command line options needed?</a></h3>
 <p>In TclTLS 1.8 and earlier versions, certificate validation is
 <em>NOT</em> enabled by default. This limitation is due to the lack of a common
 cross platform database of Certificate Authority (CA) provided certificates to
 validate against. Many Linux systems natively support OpenSSL and thus have
 these certificates installed as part of the OS, but MacOS and MS Windows do not.
-In order to use the <b class="option">-require</b> option, one of the following
+Staring in TclTLS 2.0, this has been changed to require certificate validation
+by default. In order to use the <b class="option">-require</b> option, one of the following
 must be true:</p>
 <ul class="doctools_itemized">
 <li><p>On Linux and Unix systems with OpenSSL already installed or if the CA
 certificates are available in PEM format, and if they are stored in the
 standard locations, or if the <b class="variable">SSL_CERT_DIR</b> or <b class="variable">SSL_CERT_FILE</b>

Index: doc/tls.man
==================================================================
--- doc/tls.man
+++ doc/tls.man
@@ -1,21 +1,21 @@
 [comment {-*- tcl -*- doctools manpage}]
 [comment {To convert this to another documentation format use the dtplite
           script from tcllib: dtplite -o tls.n nroff tls.man
                               dtplite -o tls.html html tls.man
 }]
-[manpage_begin tls n 1.8]
+[manpage_begin tls n 2.0b1]
 [category tls]
 [copyright {1999 Matt Newman}]
 [copyright {2004 Starfish Systems}]
 [copyright {2024 Brian O'Hagan}]
 [keywords tls I/O "IP Address" OpenSSL SSL TCP TLS "asynchronous I/O" bind certificate channel connection "domain name" host "https" "network address" network socket TclTLS]
 [moddesc {Tcl TLS extension}]
 [see_also http socket [uri https://www.openssl.org/ OpenSSL]]
 [titledesc {binding to the OpenSSL library for encrypted socket and I/O channel communications}]
 [require Tcl 8.5-]
-[require tls 1.8]
+[require tls 2.0b1]
 [description]
 
 This extension provides TCL script access to secure socket communications
 using the Transport Layer Security (TLS) protocol. It provides a generic
 binding to [uri "https://www.openssl.org/" OpenSSL], utilizing the
@@ -50,11 +50,13 @@
 
 [list_begin options]
 
 [opt_def -autoservername [arg bool]]
 If [const true], automatically set the [option -servername] argument to the
-[emph host] argument. Default is [const false].
+[emph host] argument. Prior to TclTLS 2.0, the default is [const false].
+Starting in TclTLS 2.0, the default is [const true] unless [option -servername]
+is also specified.
 
 [list_end]
 
 [call [cmd tls::socket] [option -server] [arg command] [opt [arg -option]] [opt [arg value]] [opt [arg "-option value ..."]] [arg port]]
 
@@ -148,20 +150,22 @@
 Allow post-handshake session ticket updates.
 
 [opt_def -request [arg bool]]
 Request a certificate from the peer during the SSL handshake. This is needed
 to do Certificate Validation. Starting in TclTLS 1.8, the default is
-[const true].
+[const true]. Starting in TclTLS 2.0, If set to [const false] and
+[option -require] is [const true], then this will be overridden to [const true].
 See [sectref "Certificate Validation"] for more details.
 
 [opt_def -require [arg bool]]
 Require a valid certificate from the peer during the SSL handshake. If this is
 set to true, then [option -request] must also be set to true and a either
 [option -cadir], [option -cafile], [option -castore], or a platform default
 must be provided in order to validate against. The default in TclTLS 1.8 and
 earlier versions is [const false] since not all platforms have certificates to
-validate against in a form compatible with OpenSSL.
+validate against in a form compatible with OpenSSL. Starting in TclTLS 2.0,
+the default is [const true].
 See [sectref "Certificate Validation"] for more details.
 
 [opt_def -security_level [arg integer]]
 Specifies the security level (value from 0 to 5). The security level affects
 the allowed cipher suite encryption algorithms, supported ECC curves,
@@ -173,42 +177,44 @@
 [opt_def -server [arg bool]]
 Specifies whether to act as a server and respond with a server handshake when a
 client connects and provides a client handshake. The default is [const false].
 
 [opt_def -servername [arg hostname]]
-Specify the peer's hostname. This is used to set the TLS Server Name
-Indication (SNI) extension. Set this to the expected servername in the
-server's certificate or one of the Subject Alternate Names (SAN).
+Specify the peer's hostname. This is used to set the TLS Server Name Indication
+(SNI) extension. Set this to the expected servername in the server's certificate
+or one of the Subject Alternate Names (SAN). Starting in TclTLS 2.0, this will
+default to the host for the [cmd tls::socket] command.
 
 [opt_def -session_id [arg binary_string]]
 Specifies the session id to resume a session. Not supported yet.
 
 [opt_def -ssl2 [arg bool]]
-Enable use of SSL v2. The default is [const false]. Note: Recent versions of
-OpenSSL no longer support SSLv2, so this may not have any effect. See the
-[cmd tls::protocols] command for supported protocols.
+Enable use of SSL v2.The default is [const false].
+OpenSSL 1.1+ no longer supports SSL v2, so this may not have any effect.
+See the [cmd tls::protocols] command for supported protocols.
 
 [opt_def -ssl3 [arg bool]]
-Enable use of SSL v3. The default is [const false]. Note: Recent versions
-of OpenSSL may have this disabled at compile time, so this may not have any
-effect. See the [cmd tls::protocols] command for supported protocols.
+Enable use of SSL v3. The default is [const false]. Starting in TclTLS 1.8,
+use of SSL v3 if only available via a compile time option.
+See the [cmd tls::protocols] command for supported protocols.
 
 [opt_def -tls1 [arg bool]]
-Enable use of TLS v1. The default is [const true]. Note: TLS 1.0 needs
-SHA1 to operate, which is only available in security level 0 for Open SSL 3.0+.
-See the [arg -security_level] option.
+Enable use of TLS v1. Starting in TclTLS 2.0, the default is [const false].
+Note: TLS 1.0 needs SHA1 to operate, which is only available in security level
+0 for Open SSL 3.0+. See the [arg -security_level] option.
 
 [opt_def -tls1.1 [arg bool]]
-Enable use of TLS v1.1. The default is [const true]. Note: TLS 1.1 needs
-SHA1 to operate, which is only available in security level 0 for Open SSL 3.0+.
-See the [arg -security_level] option.
+Enable use of TLS v1.1. Starting in TclTLS 2.0, the default is [const false].
+Note: TLS 1.1 needs SHA1 to operate, which is only available in security level
+0 for Open SSL 3.0+. See the [arg -security_level] option.
 
 [opt_def -tls1.2 [arg bool]]
 Enable use of TLS v1.2. The default is [const true].
 
 [opt_def -tls1.3 [arg bool]]
-Enable use of TLS v1.3. The default is [const true].
+Enable use of TLS v1.3. The default is [const true]. This is only available
+starting with OpenSSL 1.1.1 and TclTLS 1.7.
 
 [opt_def -validatecommand [arg callback]]
 Specifies the callback command to invoke to validate the peer certificates
 and other config info during the protocol negotiation phase. This can be used
 by TCL scripts to perform their own Certificate Validation to supplement the
@@ -564,20 +570,23 @@
 [sectref "Certificate Validation"] for more details.
 
 [opt_def -request [arg bool]]
 Request a certificate from the peer during the SSL handshake. This is needed
 to do Certificate Validation. Starting in TclTLS 1.8, the default is
-[const true]. In addition, the client can manually inspect and accept or reject
+[const true]. Starting in TclTLS 2.0, If set to [const false] and
+[option -require] is [const true], then this will be overridden to [const true].
+In addition, the client can manually inspect and accept or reject
 each certificate using the [arg -validatecommand] option.
 
 [opt_def -require [arg bool]]
 Require a valid certificate from the peer during the SSL handshake. If this is
 set to true, then [option -request] must also be set to true and a either
 [option -cadir], [option -cafile], [option -castore], or a platform default
 must be provided in order to validate against. The default in TclTLS 1.8 and
 earlier versions is [const false] since not all platforms have certificates to
-validate against in a form compatible with OpenSSL.
+validate against in a form compatible with OpenSSL. Starting in TclTLS 2.0,
+the default is [const true].
 
 [list_end]
 
 [subsection "When are command line options needed?"]
 
@@ -584,11 +593,12 @@
 In TclTLS 1.8 and earlier versions, certificate validation is
 [emph NOT] enabled by default. This limitation is due to the lack of a common
 cross platform database of Certificate Authority (CA) provided certificates to
 validate against. Many Linux systems natively support OpenSSL and thus have
 these certificates installed as part of the OS, but MacOS and MS Windows do not.
-In order to use the [option -require] option, one of the following
+Staring in TclTLS 2.0, this has been changed to require certificate validation
+by default. In order to use the [option -require] option, one of the following
 must be true:
 
 [list_begin itemized]
 
 [item]

Index: doc/tls.n
==================================================================
--- doc/tls.n
+++ doc/tls.n
@@ -2,11 +2,11 @@
 '\" Generated from file 'tls\&.man' by tcllib/doctools with format 'nroff'
 '\" Copyright (c) 1999 Matt Newman
 '\" Copyright (c) 2004 Starfish Systems
 '\" Copyright (c) 2024 Brian O'Hagan
 '\"
-.TH "tls" n 1\&.8 tls "Tcl TLS extension"
+.TH "tls" n 2\&.0b1 tls "Tcl TLS extension"
 .\" The -*- nroff -*- definitions below are for supplemental macros used
 .\" in Tcl/Tk manual entries.
 .\"
 .\" .AP type name in/out ?indent?
 .\"	Start paragraph describing an argument to a library procedure.
@@ -276,11 +276,11 @@
 .SH NAME
 tls \- binding to the OpenSSL library for encrypted socket and I/O channel communications
 .SH SYNOPSIS
 package require \fBTcl 8\&.5-\fR
 .sp
-package require \fBtls 1\&.8\fR
+package require \fBtls 2\&.0b1\fR
 .sp
 \fBtls::init\fR ?\fI-option\fR? ?\fIvalue\fR? ?\fI-option value \&.\&.\&.\fR?
 .sp
 \fBtls::socket\fR ?\fI-option\fR? ?\fIvalue\fR? ?\fI-option value \&.\&.\&.\fR? \fIhost\fR \fIport\fR
 .sp
@@ -331,11 +331,13 @@
 for the new socket\&.
 .RS
 .TP
 \fB-autoservername\fR \fIbool\fR
 If \fBtrue\fR, automatically set the \fB-servername\fR argument to the
-\fIhost\fR argument\&. Default is \fBfalse\fR\&.
+\fIhost\fR argument\&. Prior to TclTLS 2\&.0, the default is \fBfalse\fR\&.
+Starting in TclTLS 2\&.0, the default is \fBtrue\fR unless \fB-servername\fR
+is also specified\&.
 .RE
 .TP
 \fBtls::socket\fR \fB-server\fR \fIcommand\fR ?\fI-option\fR? ?\fIvalue\fR? ?\fI-option value \&.\&.\&.\fR? \fIport\fR
 Same as previous, but instead creates a server socket for clients to connect to
 just like the Tcl \fBsocket -server\fR command\&. It returns the channel
@@ -425,20 +427,22 @@
 Allow post-handshake session ticket updates\&.
 .TP
 \fB-request\fR \fIbool\fR
 Request a certificate from the peer during the SSL handshake\&. This is needed
 to do Certificate Validation\&. Starting in TclTLS 1\&.8, the default is
-\fBtrue\fR\&.
+\fBtrue\fR\&. Starting in TclTLS 2\&.0, If set to \fBfalse\fR and
+\fB-require\fR is \fBtrue\fR, then this will be overridden to \fBtrue\fR\&.
 See \fBCertificate Validation\fR for more details\&.
 .TP
 \fB-require\fR \fIbool\fR
 Require a valid certificate from the peer during the SSL handshake\&. If this is
 set to true, then \fB-request\fR must also be set to true and a either
 \fB-cadir\fR, \fB-cafile\fR, \fB-castore\fR, or a platform default
 must be provided in order to validate against\&. The default in TclTLS 1\&.8 and
 earlier versions is \fBfalse\fR since not all platforms have certificates to
-validate against in a form compatible with OpenSSL\&.
+validate against in a form compatible with OpenSSL\&. Starting in TclTLS 2\&.0,
+the default is \fBtrue\fR\&.
 See \fBCertificate Validation\fR for more details\&.
 .TP
 \fB-security_level\fR \fIinteger\fR
 Specifies the security level (value from 0 to 5)\&. The security level affects
 the allowed cipher suite encryption algorithms, supported ECC curves,
@@ -450,42 +454,44 @@
 \fB-server\fR \fIbool\fR
 Specifies whether to act as a server and respond with a server handshake when a
 client connects and provides a client handshake\&. The default is \fBfalse\fR\&.
 .TP
 \fB-servername\fR \fIhostname\fR
-Specify the peer's hostname\&. This is used to set the TLS Server Name
-Indication (SNI) extension\&. Set this to the expected servername in the
-server's certificate or one of the Subject Alternate Names (SAN)\&.
+Specify the peer's hostname\&. This is used to set the TLS Server Name Indication
+(SNI) extension\&. Set this to the expected servername in the server's certificate
+or one of the Subject Alternate Names (SAN)\&. Starting in TclTLS 2\&.0, this will
+default to the host for the \fBtls::socket\fR command\&.
 .TP
 \fB-session_id\fR \fIbinary_string\fR
 Specifies the session id to resume a session\&. Not supported yet\&.
 .TP
 \fB-ssl2\fR \fIbool\fR
-Enable use of SSL v2\&. The default is \fBfalse\fR\&. Note: Recent versions of
-OpenSSL no longer support SSLv2, so this may not have any effect\&. See the
-\fBtls::protocols\fR command for supported protocols\&.
+Enable use of SSL v2\&.The default is \fBfalse\fR\&.
+OpenSSL 1\&.1+ no longer supports SSL v2, so this may not have any effect\&.
+See the \fBtls::protocols\fR command for supported protocols\&.
 .TP
 \fB-ssl3\fR \fIbool\fR
-Enable use of SSL v3\&. The default is \fBfalse\fR\&. Note: Recent versions
-of OpenSSL may have this disabled at compile time, so this may not have any
-effect\&. See the \fBtls::protocols\fR command for supported protocols\&.
+Enable use of SSL v3\&. The default is \fBfalse\fR\&. Starting in TclTLS 1\&.8,
+use of SSL v3 if only available via a compile time option\&.
+See the \fBtls::protocols\fR command for supported protocols\&.
 .TP
 \fB-tls1\fR \fIbool\fR
-Enable use of TLS v1\&. The default is \fBtrue\fR\&. Note: TLS 1\&.0 needs
-SHA1 to operate, which is only available in security level 0 for Open SSL 3\&.0+\&.
-See the \fI-security_level\fR option\&.
+Enable use of TLS v1\&. Starting in TclTLS 2\&.0, the default is \fBfalse\fR\&.
+Note: TLS 1\&.0 needs SHA1 to operate, which is only available in security level
+0 for Open SSL 3\&.0+\&. See the \fI-security_level\fR option\&.
 .TP
 \fB-tls1\&.1\fR \fIbool\fR
-Enable use of TLS v1\&.1\&. The default is \fBtrue\fR\&. Note: TLS 1\&.1 needs
-SHA1 to operate, which is only available in security level 0 for Open SSL 3\&.0+\&.
-See the \fI-security_level\fR option\&.
+Enable use of TLS v1\&.1\&. Starting in TclTLS 2\&.0, the default is \fBfalse\fR\&.
+Note: TLS 1\&.1 needs SHA1 to operate, which is only available in security level
+0 for Open SSL 3\&.0+\&. See the \fI-security_level\fR option\&.
 .TP
 \fB-tls1\&.2\fR \fIbool\fR
 Enable use of TLS v1\&.2\&. The default is \fBtrue\fR\&.
 .TP
 \fB-tls1\&.3\fR \fIbool\fR
-Enable use of TLS v1\&.3\&. The default is \fBtrue\fR\&.
+Enable use of TLS v1\&.3\&. The default is \fBtrue\fR\&. This is only available
+starting with OpenSSL 1\&.1\&.1 and TclTLS 1\&.7\&.
 .TP
 \fB-validatecommand\fR \fIcallback\fR
 Specifies the callback command to invoke to validate the peer certificates
 and other config info during the protocol negotiation phase\&. This can be used
 by TCL scripts to perform their own Certificate Validation to supplement the
@@ -809,28 +815,32 @@
 \fBCertificate Validation\fR for more details\&.
 .TP
 \fB-request\fR \fIbool\fR
 Request a certificate from the peer during the SSL handshake\&. This is needed
 to do Certificate Validation\&. Starting in TclTLS 1\&.8, the default is
-\fBtrue\fR\&. In addition, the client can manually inspect and accept or reject
+\fBtrue\fR\&. Starting in TclTLS 2\&.0, If set to \fBfalse\fR and
+\fB-require\fR is \fBtrue\fR, then this will be overridden to \fBtrue\fR\&.
+In addition, the client can manually inspect and accept or reject
 each certificate using the \fI-validatecommand\fR option\&.
 .TP
 \fB-require\fR \fIbool\fR
 Require a valid certificate from the peer during the SSL handshake\&. If this is
 set to true, then \fB-request\fR must also be set to true and a either
 \fB-cadir\fR, \fB-cafile\fR, \fB-castore\fR, or a platform default
 must be provided in order to validate against\&. The default in TclTLS 1\&.8 and
 earlier versions is \fBfalse\fR since not all platforms have certificates to
-validate against in a form compatible with OpenSSL\&.
+validate against in a form compatible with OpenSSL\&. Starting in TclTLS 2\&.0,
+the default is \fBtrue\fR\&.
 .PP
 .SS "WHEN ARE COMMAND LINE OPTIONS NEEDED?"
 In TclTLS 1\&.8 and earlier versions, certificate validation is
 \fINOT\fR enabled by default\&. This limitation is due to the lack of a common
 cross platform database of Certificate Authority (CA) provided certificates to
 validate against\&. Many Linux systems natively support OpenSSL and thus have
 these certificates installed as part of the OS, but MacOS and MS Windows do not\&.
-In order to use the \fB-require\fR option, one of the following
+Staring in TclTLS 2\&.0, this has been changed to require certificate validation
+by default\&. In order to use the \fB-require\fR option, one of the following
 must be true:
 .IP \(bu
 On Linux and Unix systems with OpenSSL already installed or if the CA
 certificates are available in PEM format, and if they are stored in the
 standard locations, or if the \fBSSL_CERT_DIR\fR or \fBSSL_CERT_FILE\fR

Index: generic/tls.c
==================================================================
--- generic/tls.c
+++ generic/tls.c
@@ -1348,13 +1348,13 @@
     char *model			= NULL;
     char *servername		= NULL;	/* hostname for Server Name Indication */
     char *session_id		= NULL;
     Tcl_Obj *alpn		= NULL;
     int ssl2 = 0, ssl3 = 0;
-    int tls1 = 1, tls1_1 = 1, tls1_2 = 1, tls1_3 = 1;
+    int tls1 = 0, tls1_1 = 0, tls1_2 = 1, tls1_3 = 1;
     int proto = 0, level = -1;
-    int verify = 0, require = 0, request = 1, post_handshake = 0;
+    int verify = 0, require = 1, request = 1, post_handshake = 0;
 
     dprintf("Called");
 
 #if defined(NO_TLS1) || defined(OPENSSL_NO_TLS1)
     tls1 = 0;
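Review bot: The new default `require = 1` on the `verify`/`require` declaration line applies to every import this function handles, and the option list it parses includes `-server`, so a listener created without an explicit `-require false` would now set `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` and reject every client that presents no certificate; if that is not intended, the default should depend on the mode, e.g. initialise `require = -1` and after option parsing do `if (require < 0) require = !<server flag>;` (the server variable's name is outside this hunk). Since `-require` also needs a CA source, confirm that the context setup elsewhere loads default verify paths when none of `-cadir`, `-cafile` or `-castore` is given, otherwise defaulted clients fail on hosts without a system bundle. The changed defaults deserve a comment on the declaration lines, e.g. `/* TclTLS 2.0 defaults: TLS 1.0/1.1 disabled, peer certificate required */`. The enclosing function starts before and continues after the hunk.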
@@ -1423,13 +1423,14 @@
 
 	OPTBAD("option", "-alpn, -cadir, -cafile, -castore, -cert, -certfile, -cipher, -ciphersuites, -command, -dhparams, -key, -keyfile, -model, -password, -post_handshake, -request, -require, -security_level, -server, -servername, -session_id, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, -tls1.3, or -validatecommand");
 
 	return TCL_ERROR;
     }
+    if (require)		request = 1;
     if (request)		verify |= SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER;
     if (request && require)	verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
-    if (request && post_handshake)	verify |= SSL_VERIFY_POST_HANDSHAKE;
+    if (request && post_handshake) verify |= SSL_VERIFY_POST_HANDSHAKE;
     if (verify == 0)		verify = SSL_VERIFY_NONE;
 
     proto |= (ssl2 ? TLS_PROTO_SSL2 : 0);
     proto |= (ssl3 ? TLS_PROTO_SSL3 : 0);
     proto |= (tls1 ? TLS_PROTO_TLS1 : 0);
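Review bot: With the added `if (require) request = 1;`, the test on the following line `if (request && require)` can no longer differ from `if (require)`; either drop the redundant operand or comment that the override above guarantees it, so a reader does not look for a path where they differ. The same added line silently discards an explicit `-request false` from the caller; a short comment such as `/* -require implies -request; an explicit -request false is overridden (documented) */` would make that visible in the code. The `if (request && post_handshake)` line only swaps a tab for a space and is now mis-aligned with its tab-aligned neighbours; revert that whitespace-only change. The enclosing function continues outside the hunk.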

Index: generic/tlsInt.h
==================================================================
--- generic/tlsInt.h
+++ generic/tlsInt.h
@@ -35,11 +35,11 @@
 
 /* Windows needs to know which symbols to export. */
 #ifdef BUILD_tls
 #undef TCL_STORAGE_CLASS
 #define TCL_STORAGE_CLASS DLLEXPORT
-#endif /* BUILD_udp */
+#endif /* BUILD_tls */
 
 /* Handle TCL 8.6 CONST changes */
 #ifndef CONST86
 #   if TCL_MAJOR_VERSION > 8
 #	define CONST86 const

Index: library/tls.tcl
==================================================================
--- library/tls.tcl
+++ library/tls.tcl
@@ -263,10 +263,17 @@
 	    if {![info exists argsArray(-servername)]} {
 		set argsArray(-servername) $host
 		lappend iopts -servername $host
 	    }
 	}
+
+	# Use host as SNI server name without -autoservername and -servername args
+	if {![info exists argsArray(-autoservername)] && 
+		![info exists argsArray(-servername)]} {
+	    set argsArray(-servername) $host
+	    lappend iopts -servername $host
+	}
 
 	lappend sopts $host $port
     }
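Review bot: The new block defaults the SNI name to `$host` without checking what kind of value it is, so a caller passing an IP address literal as host now sends that literal in the SNI extension, which RFC 6066 does not allow for the HostName type and which some servers reject or ignore; guard the condition with a literal check, e.g. `&& ![regexp {^(\d{1,3}\.){3}\d{1,3}$|:} $host]` (constructed pattern, align it with any host validation the project already has). The three-line body is a copy of the preceding `-autoservername` branch (whose condition lies above the hunk), so folding both cases into one test would avoid the duplication. The `&&` line also carries trailing whitespace.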
     #
     # Create TCP/IP socket